
Archived

This topic is archived and closed to new replies.

Marcelo de Andrade

[Solved!] LOG analysis - IEXPLORER.EXE


Hello, good evening everyone.

I have a problem that started on Saturday night. Every so often my PC "turns off" the wave sound in the audio controls: it drops all the way to "zero" volume and I have to keep turning it back up, and it also opens some pop-ups. I dug deeper into the PC and now the process list contains:

IEXPLORER.EXE

Even though I don't use IE and it is already disabled.

I ran scans with Avira free, Ad-Aware and SpyBot and none of them found anything.

HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:35:10, on 5/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWTray.exe
C:\Arquivos de programas\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Arquivos de programas\Garena\Garena.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Marcelo\Meus documentos\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.skype.com/go/downloading?source=lightinstaller&ver=4.1.0.179.259&LastError=12007
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/mjss/MJSS.cab109791.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Programador (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6142 bytes

ComboFix log (I don't know if I should have used it yet, but I did)

ComboFix 10-07-04.01 - Marcelo 05/07/2010  20:13:03.1.2 - x86
Executando de: c:\documents and settings\Marcelo\Meus documentos\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
 * Criado um novo ponto de restauração.
.
((((((((((((((((   Arquivos/Ficheiros criados de 2010-06-05 to 2010-07-05  ))))))))))))))))))))))))))))
.
.
2010-07-05 23:13 . 2010-07-05 00:08	15880	----a-w-	c:\windows\system32\lsdelete.exe
2010-07-05 00:08 . 2010-07-05 00:06	64288	----a-w-	c:\windows\system32\drivers\Lbd.sys
2010-07-05 00:08 . 2010-07-05 00:08	95024	----a-w-	c:\windows\system32\drivers\SBREDrv.sys
2010-07-04 23:55 . 2010-07-04 23:55	--------	dc-h--w-	c:\documents and settings\All Users\Dados de aplicativos\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-07-04 23:55 . 2010-02-04 15:53	2954656	-c--a-w-	c:\documents and settings\All Users\Dados de aplicativos\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-07-04 23:55 . 2010-07-05 00:08	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\Lavasoft
2010-07-04 23:55 . 2010-07-04 23:55	--------	d-----w-	c:\arquivos de programas\Lavasoft
2010-07-04 23:50 . 2010-07-05 00:34	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2010-07-04 23:50 . 2010-07-04 23:50	--------	d-----w-	c:\arquivos de programas\Spybot - Search & Destroy
2010-07-04 15:34 . 2010-07-04 23:34	--------	d-----w-	c:\documents and settings\Marcelo\Dados de aplicativos\QuickScan
2010-07-04 15:33 . 2010-05-31 19:34	702120	----a-w-	c:\documents and settings\Marcelo\Dados de aplicativos\Mozilla\Firefox\Profiles\jukmpvag.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-07-04 15:33 . 2010-05-31 19:34	868456	----a-w-	c:\documents and settings\Marcelo\Dados de aplicativos\Mozilla\Firefox\Profiles\jukmpvag.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-07-02 22:55 . 2010-07-02 22:55	--------	d-----r-	c:\documents and settings\LocalService\Favoritos
2010-07-02 02:01 . 2010-07-02 02:01	--------	d-----r-	c:\documents and settings\NetworkService\Favoritos
2010-07-01 00:35 . 2010-07-01 00:35	45056	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-07-01 00:35 . 2010-07-01 00:35	45056	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-07-01 00:35 . 2010-07-01 00:35	45056	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-07-01 00:35 . 2010-07-01 00:35	14848	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-07-01 00:35 . 2010-07-01 00:35	40960	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-07-01 00:35 . 2010-07-01 00:35	341600	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-07-01 00:35 . 2010-07-01 00:35	--------	d-----w-	c:\arquivos de programas\Arquivos comuns\xing shared
2010-06-29 16:37 . 2010-06-29 18:33	--------	d-----w-	C:\WarS 5.0.1
2010-06-29 16:31 . 2010-06-29 18:33	--------	d-----w-	c:\arquivos de programas\eWarCompanhias
2010-06-29 00:33 . 2010-06-29 00:33	98304	----a-w-	c:\windows\system32\CmdLineExt.dll
2010-06-28 13:40 . 2010-06-28 13:40	--------	d-----w-	c:\arquivos de programas\LucasArts
2010-06-28 13:40 . 2010-06-28 13:40	--------	d-s---w-	c:\arquivos de programas\Xfire
2010-06-28 13:40 . 2010-06-28 13:40	--------	d-----w-	c:\documents and settings\Marcelo\Dados de aplicativos\Xfire
2010-06-25 13:42 . 2010-06-29 19:25	--------	d-----w-	c:\documents and settings\Marcelo\Dados de aplicativos\BitTorrent
2010-06-25 13:42 . 2010-06-25 13:45	--------	d-----w-	c:\arquivos de programas\BitTorrent
2010-06-24 22:10 . 2010-03-15 09:31	165376	----a-w-	c:\windows\system32\unrar.dll
2010-06-24 22:10 . 2006-04-02 12:47	630784	----a-w-	c:\windows\system32\vp7vfw.dll
2010-06-24 22:10 . 2004-05-18 18:16	39936	----a-w-	c:\windows\system32\huffyuv.dll
2010-06-24 22:10 . 2004-01-25 16:18	217088	----a-w-	c:\windows\system32\yv12vfw.dll
2010-06-24 22:10 . 2010-06-02 08:00	108032	----a-w-	c:\windows\system32\ff_vfw.dll
2010-06-24 22:10 . 2009-05-29 21:37	205824	----a-w-	c:\windows\system32\xvidvfw.dll
2010-06-24 22:10 . 2009-05-29 21:31	881664	----a-w-	c:\windows\system32\xvidcore.dll
2010-06-24 20:57 . 2010-02-03 18:56	26176	---ha-w-	c:\windows\system32\drivers\hamachi.sys
2010-06-24 14:49 . 2010-06-02 19:06	83360	----a-w-	c:\windows\system32\LMIRfsClientNP.dll
2010-06-24 14:49 . 2010-06-02 19:06	53632	----a-w-	c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-06-24 14:49 . 2010-06-02 19:06	29568	----a-w-	c:\windows\system32\LMIport.dll
2010-06-24 14:49 . 2010-01-27 15:22	47640	----a-w-	c:\windows\system32\drivers\LMIRfsDriver.sys
2010-06-24 14:49 . 2010-06-02 19:06	87424	----a-w-	c:\windows\system32\LMIinit.dll
2010-06-24 03:25 . 2010-06-24 03:25	--------	d-----w-	c:\arquivos de programas\Arquivos comuns\Blizzard Entertainment
2010-06-15 16:04 . 2010-06-15 16:04	--------	d-----w-	c:\arquivos de programas\Softnyx
2010-06-15 01:30 . 2010-06-15 01:30	--------	d-----w-	C:\Team17
2010-06-15 01:30 . 1997-08-26 15:06	315904	----a-w-	c:\windows\IsUninst.exe
2010-06-15 01:30 . 2010-06-15 01:30	--------	d-----w-	c:\documents and settings\Marcelo\WINDOWS
2010-06-14 12:17 . 2010-06-14 12:17	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\nView_Profiles
2010-06-14 11:46 . 2010-06-15 00:02	--------	d-----w-	C:\Nexon
2010-06-14 11:46 . 2010-06-14 11:46	98304	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\npNxGameUS.dll
2010-06-14 11:46 . 2010-06-14 11:46	765952	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\NGMDll.dll
2010-06-14 11:46 . 2010-06-14 11:46	401408	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\NGMResource.dll
2010-06-14 11:46 . 2010-06-14 11:46	258352	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\unicows.dll
2010-06-14 11:46 . 2010-06-14 11:46	172032	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\NGM.exe
2010-06-14 11:46 . 2010-06-14 11:46	126976	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\nxgameus.dll
2010-06-14 11:46 . 2010-06-14 11:46	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\NexonUS
2010-06-13 19:03 . 2010-06-13 19:03	--------	d-----w-	C:\gPotato
2010-06-13 16:26 . 2010-06-13 16:26	--------	d-----w-	c:\arquivos de programas\Pando Networks
2010-06-12 19:34 . 2010-06-24 22:14	--------	d-----w-	C:\Counter-Strike 2D
2010-06-12 19:17 . 2010-06-12 19:21	87	----a-w-	c:\documents and settings\Marcelo\jagex_runescape_preferences2.dat
2010-06-12 19:17 . 2010-06-12 19:17	0	----a-w-	c:\documents and settings\Marcelo\jagex__preferences3.dat
2010-06-12 19:14 . 2010-06-12 19:18	45	----a-w-	c:\documents and settings\Marcelo\jagex_runescape_preferences.dat
2010-06-12 19:13 . 2010-06-12 19:14	--------	d-----w-	c:\windows\.jagex_cache_32
2010-06-12 14:05 . 2010-07-01 00:35	45056	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-12 14:05 . 2010-07-01 00:35	49152	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-12 14:05 . 2010-07-01 00:35	308808	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-12 14:05 . 2010-07-01 00:35	--------	d-----w-	c:\arquivos de programas\Real
2010-06-12 14:05 . 2010-06-12 14:05	--------	d-----w-	c:\arquivos de programas\Arquivos comuns\Real
2010-06-10 19:01 . 2010-06-15 00:04	--------	d-----w-	c:\arquivos de programas\VDownloader
2010-06-10 18:32 . 2009-11-25 14:19	56816	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2010-06-10 18:32 . 2009-03-30 12:33	96104	----a-w-	c:\windows\system32\drivers\avipbb.sys
2010-06-10 18:32 . 2009-02-13 14:29	22360	----a-w-	c:\windows\system32\drivers\avgntmgr.sys
2010-06-10 18:32 . 2009-02-13 14:17	45416	----a-w-	c:\windows\system32\drivers\avgntdd.sys
2010-06-10 18:32 . 2010-06-10 18:32	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\Avira
2010-06-10 18:32 . 2010-06-10 18:32	--------	d-----w-	c:\arquivos de programas\Avira
2010-06-10 18:20 . 2010-04-29 18:39	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 18:20 . 2010-06-10 18:20	--------	d-----w-	c:\arquivos de programas\Malwarebytes' Anti-Malware
2010-06-10 18:20 . 2010-04-29 18:39	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-06-08 22:51 . 2009-03-28 22:52	94208	----a-w-	c:\documents and settings\Marcelo\Dados de aplicativos\Soldat\Battleye\BEServer.dll
2010-06-08 22:51 . 2009-03-28 22:52	102400	----a-w-	c:\documents and settings\Marcelo\Dados de aplicativos\Soldat\Battleye\BEClient.dll
2010-06-08 22:51 . 2010-06-08 22:51	0	----a-r-	C:\logwmemory.bin
2010-06-08 22:50 . 2010-06-08 22:50	--------	d-----w-	c:\documents and settings\Marcelo\Dados de aplicativos\Soldat
2010-06-07 13:57 . 2010-06-15 01:56	--------	d-----w-	c:\arquivos de programas\EuroGunz v8.5.8.2
2010-06-06 05:22 . 2010-06-25 13:45	--------	d-----w-	c:\arquivos de programas\SFO
2010-06-06 05:10 . 1998-06-18 03:00	89360	----a-w-	c:\windows\system32\VB5DB.DLL
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 23:11 . 2010-03-22 02:39	--------	d-----w-	c:\documents and settings\Marcelo\Dados de aplicativos\Skype
2010-07-05 22:52 . 2010-03-23 00:49	--------	d-----w-	c:\arquivos de programas\Garena
2010-07-05 22:31 . 2010-03-23 01:48	--------	d-----w-	c:\documents and settings\Marcelo\Dados de aplicativos\skypePM
2010-07-04 15:17 . 2010-04-05 02:03	1	----a-w-	c:\documents and settings\Marcelo\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-04 15:02 . 2010-04-04 20:44	--------	d-----w-	c:\arquivos de programas\Teamspeak2_RC2
2010-07-04 00:34 . 2010-06-03 02:40	--------	d-----w-	c:\arquivos de programas\JDownloader
2010-07-01 00:34 . 2010-03-22 01:33	499712	----a-w-	c:\windows\system32\msvcp71.dll
2010-07-01 00:34 . 2010-03-22 01:33	348160	----a-w-	c:\windows\system32\msvcr71.dll
2010-06-28 13:40 . 2010-03-22 01:21	--------	d--h--w-	c:\arquivos de programas\InstallShield Installation Information
2010-06-27 21:58 . 2010-03-22 01:57	--------	d-----w-	c:\arquivos de programas\Arquivos comuns\Adobe
2010-06-27 21:53 . 2010-03-25 00:30	--------	d-----w-	c:\arquivos de programas\CCleaner
2010-06-27 19:04 . 2010-03-22 01:33	--------	d-----w-	c:\arquivos de programas\K-Lite Codec Pack
2010-06-25 17:09 . 2010-04-03 23:52	304160	----a-w-	C:\PA207.DAT
2010-06-25 16:17 . 2010-03-24 22:40	--------	d-----w-	c:\arquivos de programas\Age of Empire
2010-06-23 15:18 . 2010-03-22 01:34	--------	d-----w-	c:\arquivos de programas\Marcos Velasco Security
2010-06-15 17:59 . 2010-03-24 02:05	--------	d---a-w-	c:\documents and settings\All Users\Dados de aplicativos\TEMP
2010-06-02 21:28 . 2010-06-02 21:14	--------	d-----w-	c:\arquivos de programas\Winamp
2010-05-30 18:16 . 2010-03-24 00:55	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\Alwil Software
2010-05-30 18:13 . 2010-03-22 02:04	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\FLEXnet
2010-05-23 21:52 . 2010-05-23 21:52	--------	d-----w-	c:\documents and settings\Marcelo\Dados de aplicativos\Mp3tag
2010-05-23 21:52 . 2010-05-23 21:52	--------	d-----w-	c:\arquivos de programas\Mp3tag
2010-05-11 00:57 . 2010-05-11 00:56	--------	d-----w-	c:\arquivos de programas\epson
.
------- Sigcheck -------
[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\abc8d424bc7438e463cef8a2ec1c00e4\sp3qfe\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\abc8d424bc7438e463cef8a2ec1c00e4\sp3gdr\tcpip.sys
[-] 2008-05-27 . 030DC4D48CC2B894FEE2F390D8E66AD5 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-05-27 . 14170C297963AC4F5775CA678B4D6E4B . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   ))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2010-07-01 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-05-27 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-02 19:06	87424	----a-w-	c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 10:58	611712	----a-w-	c:\arquivos de programas\Arquivos comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 11:00	15360	----a-w-	c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3700 Series]
2005-02-07 11:00	98304	----a-w-	c:\windows\system32\spool\drivers\w32x86\3\E_FATIACL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-08-28 16:39	33673216	----a-r-	c:\arquivos de programas\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
2004-05-05 14:54	262210	------w-	c:\arquivos de programas\epson\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2006-11-03 14:01	319488	----a-w-	c:\windows\PixArt\PAC207\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-06-28 16:43	8466432	----a-w-	c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-28 16:43	81920	----a-w-	c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-06-28 16:43	1626112	----a-w-	c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-03-23 23:52	149280	----a-w-	c:\arquivos de programas\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-07-01 00:34	202256	----a-w-	c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"npggsvc"=3 (0x3)
"MySQL"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apache2.2"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"NVSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Ares\\Ares.exe"=
"c:\\Arquivos de programas\\Garena\\Garena.exe"=
"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Arquivos de programas\\Java\\jre1.6.0\\bin\\javaw.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Arquivos de programas\\Age of Empire\\age2_x1.exe"=
"c:\\Arquivos de programas\\EuroGunz v8.5.8.2\\eurogunz.exe"=
"c:\\Arquivos de programas\\softnyx\\GunboundS2\\NyxLauncher.exe"=
"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=
"c:\\Arquivos de programas\\Softnyx\\GunBoundS2\\GunBound.gme"=
"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\Arquivos de programas\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21006:TCP"= 21006:TCP:BitComet 21006 TCP
"21006:UDP"= 21006:UDP:BitComet 21006 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/7/2010 21:08 64288]
R2 AntiVirSchedulerService;Avira AntiVir Programador;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [10/6/2010 15:32 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\arquivos de programas\Lavasoft\Ad-Aware\AAWService.exe [4/2/2010 12:52 1352832]
R3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Marcelo\CONFIG~1\Temp\LIO9.tmp --> c:\docume~1\Marcelo\CONFIG~1\Temp\LIO9.tmp [?]
R3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [29/5/2007 13:30 508160]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [21/3/2010 22:22 1390976]
S2 LMIInfo;LogMeIn Kernel Information Provider; [x]
S3 npkycryp;npkycryp; [x]
S3 XDva327;XDva327; [x]
S4 npggsvc;nProtect GameGuard Service; [x]

--- =Outros Serviços/Drivers Na Memória ---

*NewlyCreated* - GARENAPENGINE
.
Conteúdo da pasta 'Tarefas Agendadas'

2010-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\arquivos de programas\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:06]

2010-07-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

2010-07-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-73586283-1801674531-246586910-1003.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

2010-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

2010-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-73586283-1801674531-246586910-1003.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-25 01:09]

2010-06-25 c:\windows\Tasks\videopadShakeIcon.job
- c:\arquivos de programas\NCH Software\VideoPad\videopad.exe [2010-04-02 22:06]
.
.
------- Scan Suplementar -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=4.1.0.179.259&LastError=12007
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Marcelo\Dados de aplicativos\Mozilla\Firefox\Profiles\jukmpvag.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/
FF - component: c:\arquivos de programas\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Marcelo\Dados de aplicativos\Mozilla\Firefox\Profiles\jukmpvag.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\Marcelo\Dados de aplicativos\Mozilla\Firefox\Profiles\jukmpvag.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Marcelo\Dados de aplicativos\Mozilla\Firefox\Profiles\jukmpvag.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- Associação de arquivos/ficheiros -------
.
.txt=.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-05 20:22
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Marcelo\CONFIG~1\Temp\LIO9.tmp"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2160)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\arquivos de programas\WinRAR\rarext.dll
c:\arquivos de programas\Avira\AntiVir Desktop\shlext.dll
c:\arquivos de programas\Malwarebytes' Anti-Malware\mbamext.dll
c:\arquivos de programas\Lavasoft\Ad-Aware\ShellExt.dll
c:\arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
c:\arquiv~1\SPYBOT~1\SDHelper.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Tempo para conclusão: 2010-07-05  20:24:47
ComboFix-quarantined-files.txt  2010-07-05 23:24

Pré-execução: 3.949.228.032 bytes disponíveis
Pós execução: 4.213.075.968 bytes disponíveis

WindowsXP-KB310994-SP2-Home-BootDisk-PTB.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FF954BF60C3A459DC1BD4D09A934C937

Thanks.


*Temporarily disable your antivirus

*Run an online scan with NOD32

*When it finishes, paste the report created in C:\Arquivos de programas\EsetOnlineScanner\log


Hello Wings.

Here is the log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=863421ee275b7945a04f5e1683f5d9d7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-08 01:56:47
# local_time=2010-07-07 10:56:47 (-0300, Hora oficial do Brasil)
# country="Brazil"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775125 100 94 0 50263423 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=98762
# found=1
# cleaned=1
# scan_time=9305
D:\Programas\Everest\lavalyseverestultimateeditionv4.00.976keygenvirility.zip	probably a variant of Win32/Agent trojan (deleted - quarantined)	00000000000000000000000000000000	C

 

I took a look, but that file does not exist in that folder, not even as a hidden file... not sure whether this helps you at all :P


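As an added, defender-side illustration (not code from this thread, from the helper, or from ESET), here is a small Python parser for the ESET Online Scanner log format pasted above. It splits the `# key=value` headers from the tab-separated detection rows, and its sample input is a constructed copy of the log in this post. The parser also picks out the action ESET reports in parentheses; the `(deleted - quarantined)` suffix on the detection is exactly why a later look in the folder finds no such file.

```python
import re
from typing import Dict, List

# Constructed sample: the ESET Online Scanner log pasted in this thread, with the
# run-together "#" headers split back onto separate lines.
SAMPLE_LOG = """ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=863421ee275b7945a04f5e1683f5d9d7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-08 01:56:47
# local_time=2010-07-07 10:56:47 (-0300, Hora oficial do Brasil)
# country="Brazil"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775125 100 94 0 50263423 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=98762
# found=1
# cleaned=1
# scan_time=9305
D:\\Programas\\Everest\\lavalyseverestultimateeditionv4.00.976keygenvirility.zip\tprobably a variant of Win32/Agent trojan (deleted - quarantined)\t00000000000000000000000000000000\tC
"""

# "# key=value" header lines; keys may contain dots (e.g. OnlineScannerApp.exe).
HEADER_RE = re.compile(r"^#\s*([A-Za-z0-9_.]+)=(.*)$")
# "threat description (action taken)" as written in the detection column.
ACTION_RE = re.compile(r"^(?P<threat>.*?)\s*\((?P<action>[^()]*)\)\s*$")


def parse_eset_log(text: str) -> Dict[str, object]:
    """Split an ESET Online Scanner log into its headers and detection rows.

    Detection rows are tab-separated: path, threat/action, hash, flags.
    Header keys that repeat (compatibility_mode) keep every value in a list.
    """
    headers: Dict[str, object] = {}
    detections: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key in headers:
                prev = headers[key]
                headers[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                headers[key] = value
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # banner lines such as "all ok" carry no tabs
        threat, action = fields[1], ""
        a = ACTION_RE.match(fields[1])
        if a:
            threat, action = a.group("threat"), a.group("action")
        detections.append({
            "path": fields[0],
            "threat": threat,
            "action": action,
            "hash": fields[2] if len(fields) > 2 else "",
            "flags": fields[3] if len(fields) > 3 else "",
        })
    return {"headers": headers, "detections": detections}


def summarize(parsed: Dict[str, object]) -> Dict[str, object]:
    """Reduce a parsed log to the facts a helper checks first."""
    headers = parsed["headers"]
    detections = parsed["detections"]
    found = int(headers.get("found", 0))
    cleaned = int(headers.get("cleaned", 0))
    return {
        "finished": headers.get("end") == "finished",
        "scanned": int(headers.get("scanned", 0)),
        "found": found,
        "cleaned": cleaned,
        "uncleaned": found - cleaned,
        # The header count should agree with the number of detection rows.
        "rows_match_found": found == len(detections),
        # Files reported as deleted/quarantined are gone from their folder, so a
        # manual look there afterwards is expected to come up empty.
        "removed_paths": [d["path"] for d in detections
                          if "deleted" in d["action"] or "quarantined" in d["action"]],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_eset_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Paste the contents of the log file named in the helper's instructions into `SAMPLE_LOG` (or read it from disk) and the summary shows at a glance whether the scan finished, whether everything found was cleaned, and which paths were removed.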

It is hard to say whether this problem is really the result of an infection.

Let's keep looking.

*Go to the ConfickerWorkingGroup site

*Interpret the result and report back.


Wings, thanks for the help.

But as soon as the scan finished, I chose to delete that file, and when I restarted the PC it was fine. I scanned again with:

- Spybot;

- Avira;

- Malwarebytes

And it was fine. The wave volume no longer drops and the "IEXPLORER.EXE" process no longer shows up. When I get home I will run the scan you just gave me. Thanks again.


Then there is no need to do the Conficker procedure.

Is the file you are referring to the one detected by the online scan?

If so, I will mark the topic as resolved.


PROBLEM SOLVED!

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
