
Archived

This topic has been archived and is closed to new replies.

Juhije

[Archived] Suspected Keylogger


I play a game at home called WoW and I suspect I've been the victim of a keylogger =(.

I was thinking of formatting the PC, because I'm somewhat skeptical about whether the antivirus really removes every piece of malware completely.

I'd like your help to avoid formatting, and to know which steps I could take.

Thanks.


I ran HijackThis and this is the log file... it showed a message saying it couldn't edit a file there.. then I pressed Enter and it went on =x

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 13:52:22, on 18/08/2010

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

C:\HijackThis\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Users\Felippe Rodrigues\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized

O8 - Extra context menu item: &Enviar para o OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000

O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: &Anotações Vinculadas do OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: &Anotações Vinculadas do OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Serviço de estado do ASP.NET (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

 

--

End of file - 8815 bytes

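How a forum helper reads a HijackThis log like the one above, as an added example that is not part of this thread or of HijackThis itself: it parses the numbered findings, flags O4 autostarts that run from user-writable directories or borrow the name of a Windows system binary, and separates the O23 "(file missing)" services that are WOW64 redirection noise from ones worth a second look. The sample log, the user name "Someone" and the `[svchost]` autostart under AppData are constructed for the example; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 format, modelled on the kinds of entries
# in the log above. The user name "Someone" and the [svchost] autostart under
# AppData\Roaming are made up for the example; they are not from the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows 7 (WinNT 6.00.3504)

Running processes:
C:\Program Files (x86)\Skype\Phone\Skype.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Someone\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [svchost] C:\Users\Someone\AppData\Roaming\svchost.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
--
End of file - 1234 bytes
"""

# Every HijackThis finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# The program of an O4 entry follows the "[name]" label, either quoted or bare.
O4_PATH_RE = re.compile(r'\] (?:"([^"]+)"|(\S+))')

# Locations an ordinary user can write to; persistence from here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\", "\\users\\public\\")
# Names of Windows system binaries that malware likes to borrow.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}


def parse_entries(text):
    """Return [(code, body), ...] for every numbered finding in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def autostart_path(body):
    """Extract the program path from an O4 entry body, or None if absent."""
    m = O4_PATH_RE.search(body)
    return (m.group(1) or m.group(2)) if m else None


def review_autostarts(entries):
    """Map each O4 program path that merits review to the reasons it was flagged.

    A flag means "look at it", not "malicious": GoogleUpdate.exe legitimately
    lives under AppData, while a svchost.exe outside the Windows directory does not.
    """
    flagged = {}
    for code, body in entries:
        if code != "O4":
            continue
        path = autostart_path(body)
        if not path:
            continue
        low = path.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in low:
            reasons.append("system binary name outside %SystemRoot%")
        if reasons:
            flagged[path] = reasons
    return flagged


def split_missing_services(entries):
    """Separate O23 '(file missing)' services into WOW64 noise and review items.

    HijackThis 2.0.4 is a 32-bit program; on 64-bit Windows its look-ups of the
    System32 directory are redirected to SysWOW64, so 64-bit-only binaries such
    as lsass.exe are reported missing although they exist. Anything reported
    missing outside System32 is kept for review.
    """
    noise, review = [], []
    for code, body in entries:
        if code != "O23" or "(file missing)" not in body:
            continue
        (noise if "\\windows\\system32\\" in body.lower() else review).append(body)
    return noise, review


def triage(text):
    """Run the checks above over a whole log and return the review buckets."""
    entries = parse_entries(text)
    noise, review = split_missing_services(entries)
    by_code = defaultdict(list)
    for code, body in entries:
        by_code[code].append(body)
    return {
        "autostarts_to_review": review_autostarts(entries),
        "winsock_lsp": by_code["O10"],
        "services_missing_noise": noise,
        "services_missing_review": review,
    }


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Run against the log posted above, every O23 "(file missing)" line (the lsass.exe, vds.exe and similar services) lands in the WOW64 noise bucket, which matches the helper's later verdict that the log is clean. A clean HijackThis log only shows that nothing unexpected is configured to start or hook the browser; it is not proof of absence, which is why the helper follows it with an antivirus scan and a second tool.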

Juhije,

*Run an online scan with NOD32

*When it finishes, paste the report created at C:\Arquivos de programas\EsetOnlineScanner\log

Awaiting your reply!


I'm downloading it, because it's the first time I've used it.

But according to the HijackThis log, is something infected???... I already changed the password yesterday and got hacked, so it's a fact that there's something.... I'm getting desperate already hehehe...

I used ESET and the log showed nothing infected.

 

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=a7769075506acb439ae192d910d755e9

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-08-18 07:18:21

# local_time=2010-08-18 04:18:21 (-0300, Hora oficial do Brasil)

# country="Brazil"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=768 16777215 100 0 1747681 1747681 0 0

# compatibility_mode=5891 16776573 100 100 0 12509283 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=86389

# found=0

# cleaned=0

# scan_time=3596


Juhije,

The logs are clean!

If there is a keylogger on your computer, it is not active!

Let's move on to the last analysis:

*Download RSIT (http://images.malwareremoval.com/random/RSIT.exe) and save it to the desktop

*Run RSIT and click [Continue]

*When the process finishes, paste the reports created at C:\rsit\log.txt and C:\rsit\info.txt


Sorry for the delay, I didn't sleep at home and just got back from work ^^

Here are the logs

 

Info.txt

 

 

info.txt logfile of random's system information tool 1.08 2010-08-19 14:39:22

 

======Uninstall list======

 

Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex

Adobe Reader 9.3.3 - Português-->MsiExec.exe /I{AC76BA86-7AD7-1046-7B44-A93000000001}

D3DX10-->MsiExec.exe /X{52CDDA92-56B6-4BA5-BD8D-E13B186008CB}

D'Accord Afinador 3.0-->"C:\Diapasao\D'Accord Afinador 3.0\unins000.exe"

ESET Online Scanner v3-->C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe

Junk Mail filter update-->MsiExec.exe /I{11EFF057-8ED2-4321-A19D-D673DECB36CC}

Mesh Runtime-->MsiExec.exe /I{2C4F4D53-78D6-41FB-A4D7-105C537464EB}

Messenger Companion-->MsiExec.exe /I{B1CCA4B9-C1B3-4AE1-A6B1-D7B25354D245}

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft Default Manager-->MsiExec.exe /X{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}

Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}

Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}

MSVCRT_amd64-->MsiExec.exe /I{6917F87D-921D-4EFA-9AA5-8CDEA9E28520}

MSVCRT-->MsiExec.exe /I{035C76D2-7D8E-484D-8CA3-686C0B474A2B}

Pando Media Booster-->C:\Program Files (x86)\Pando Networks\Media Booster\uninst.exe

Skype Toolbars-->MsiExec.exe /I{981029E0-7FC9-4CF3-AB39-6F133621921A}

Skype™ 4.2-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}

Windows Live Communications Platform-->MsiExec.exe /I{FA5D1C9E-154D-49B1-8CF0-DF5FAB6171EA}

Windows Live Essentials Beta-->C:\Program Files (x86)\Windows Live\Installer\wlarp.exe

Windows Live Essentials Beta-->MsiExec.exe /I{39875FB8-990B-42B2-AF33-1B9F1679ADA4}

Windows Live Galeria de Fotos Beta-->MsiExec.exe /X{BF3355C3-67EB-41E3-BA8A-57CAF123905A}

Windows Live Installer-->MsiExec.exe /I{46BAF2A0-3789-4E49-B000-4BB64426D1BF}

Windows Live Mail-->MsiExec.exe /I{2607FE6B-1D61-46E5-A544-54666B0EF908}

Windows Live Mail-->MsiExec.exe /I{365BA1B2-4E89-4565-B838-4DA45B85CD37}

Windows Live Messenger Companion Core-->MsiExec.exe /I{9D0467C4-F69C-4E9D-8765-7774D8971F5C}

Windows Live Messenger-->MsiExec.exe /X{2578D94A-A88A-4643-9DAA-F0A5E981EB04}

Windows Live Messenger-->MsiExec.exe /X{704B39D7-CEB0-4979-89E9-845A6B9265F2}

Windows Live Movie Maker-->MsiExec.exe /X{46C106C9-3856-4A6A-AAC8-7070FBA02D2F}

Windows Live Movie Maker-->MsiExec.exe /X{96F437AA-F6DE-4750-BBCF-A71FFA1C681B}

Windows Live Photo Common Beta-->MsiExec.exe /X{923591F0-8B5E-4265-AD5B-5B0F48553616}

Windows Live Photo Common-->MsiExec.exe /X{61E7F654-7D99-4C69-94D8-DF53E297AF9B}

Windows Live Photo Gallery-->MsiExec.exe /X{91803386-4FBD-4C38-9644-26B0F9464031}

Windows Live PIMT Platform-->MsiExec.exe /I{B5BD2B33-FDB8-4DE5-87B3-2810CAF4A6E4}

Windows Live SOXE Definitions-->MsiExec.exe /I{74B0BEB0-2EB3-448F-B8E9-40983BC902E1}

Windows Live SOXE-->MsiExec.exe /I{EFBE9DAB-9C80-4911-847B-2A2C25E8F9CB}

Windows Live Sync ActiveX Control for Remote Connections-->MsiExec.exe /I{D65F8E34-C050-4E6C-86DB-D2B9075749A0}

Windows Live Sync Beta-->MsiExec.exe /I{16EC96C3-5E8D-4BDF-B056-0BCFE2F86ED9}

Windows Live Sync Beta-->MsiExec.exe /I{7A8E7F22-3628-4846-A578-516BDCB2CEAA}

Windows Live UX Platform Language Pack-->MsiExec.exe /I{A0DD0ADA-8843-41A2-975E-9C6A7228DB13}

Windows Live UX Platform-->MsiExec.exe /I{6592C2B8-949A-4C88-BCB9-0990A218B215}

Windows Live Writer Resources-->MsiExec.exe /X{318A5E7A-7986-4707-8DA1-BD13F6A99A3A}

Windows Live Writer-->MsiExec.exe /X{224935E4-2014-4B22-95DC-2CCF5428B4BF}

Windows Live Writer-->MsiExec.exe /X{7195DA78-453B-4057-A462-D72F00F0BF48}

Windows Live Writer-->MsiExec.exe /X{EE338AB8-4E85-4C04-AC07-1357A266DD35}

Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}

World of Warcraft-->C:\Program Files (x86)\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe

 

======System event log======

 

Computer Name: 37L4247E29-32

Event Code: 7036

Message: O serviço Cryptographic Services entrou no estado stopped.

Record Number: 5

Source Name: Service Control Manager

Time Written: 20090714051424.262212-000

Event Type: Informações

User:

 

Computer Name: 37L4247E29-32

Event Code: 7036

Message: O serviço Windows Modules Installer entrou no estado stopped.

Record Number: 4

Source Name: Service Control Manager

Time Written: 20090714051424.168612-000

Event Type: Informações

User:

 

Computer Name: 37L4247E29-32

Event Code: 7036

Message: O serviço Software Protection entrou no estado stopped.

Record Number: 3

Source Name: Service Control Manager

Time Written: 20090714051424.059412-000

Event Type: Informações

User:

 

Computer Name: 37L4247E29-32

Event Code: 7036

Message: O serviço Windows Event Log entrou no estado stopped.

Record Number: 2

Source Name: Service Control Manager

Time Written: 20090714051424.012612-000

Event Type: Informações

User:

 

Computer Name: 37L4247E29-32

Event Code: 7036

Message: O serviço Volume Shadow Copy entrou no estado stopped.

Record Number: 1

Source Name: Service Control Manager

Time Written: 20090714051423.934612-000

Event Type: Informações

User:

 

=====Application event log=====

 

Computer Name: 37L4247E29-32

Event Code: 1001

Message: Falha no compartilhamento de memória , tipo 0

Nome do Evento: PnPRequestAdditionalSoftware

Resposta: Não disponível

Id do arquivo CAB: 0

 

Assinatura do problema:

P1: x64

P2: USB\VID_093A&PID_2510&REV_0100

P3: 6.1.0.0

P4: 0416

P5: input.inf

P6: *

P7:

P8:

P9:

P10:

 

Arquivos anexados:

 

Estes arquivos podem estar disponíveis em:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_99348a5a2b13b6ac41bb9b6e445c58e1aaa9c5_cab_0526909d

 

Símbolo da análise:

Verificando novamente solução: 0

Id de relatório: 4423290c-92a9-11df-bf66-001d7d8321be

Status do relatório: 4

Record Number: 5

Source Name: Windows Error Reporting

Time Written: 20100718201554.000000-000

Event Type: Informações

User:

 

Computer Name: 37L4247E29-32

Event Code: 5617

Message: Windows Management Instrumentation Service subsystems initialized successfully

Record Number: 4

Source Name: Microsoft-Windows-WMI

Time Written: 20100718201423.000000-000

Event Type: Informações

User:

 

Computer Name: 37L4247E29-32

Event Code: 5615

Message: Windows Management Instrumentation Service started sucessfully

Record Number: 3

Source Name: Microsoft-Windows-WMI

Time Written: 20100718201418.000000-000

Event Type: Informações

User:

 

Computer Name: 37L4247E29-32

Event Code: 1531

Message: Serviço de Perfil de Usuário iniciado com êxito.

 

 

Record Number: 2

Source Name: Microsoft-Windows-User Profiles Service

Time Written: 20100718201412.796875-000

Event Type: Informações

User: AUTORIDADE NT\SISTEMA

 

Computer Name: 37L4247E29-32

Event Code: 4625

Message: O subsistema EventSystem está suprimindo entradas de log de eventos duplicadas para uma duração de 86400 segundos. O tempo limite de supressão pode ser controlado por um valor REG_DWORD denominado SuppressDuplicateDuration sob esta chave do Registro: HKLM\Software\Microsoft\EventSystem\EventLog.

Record Number: 1

Source Name: Microsoft-Windows-EventSystem

Time Written: 20100718201413.000000-000

Event Type: Informações

User:

 

=====Security event log=====

 

Computer Name: 37L4247E29-32

Event Code: 4735

Message: Foi alterado um grupo local com a segurança ativada.

 

Requerente:

Identificação de segurança: S-1-5-18

Nome da conta: 37L4247E29-32$

Domínio da conta: WORKGROUP

Identificação de logon: 0x3e7

 

Grupo:

Identificação de segurança: S-1-5-32-551

Nome do grupo: Operadores de cópia

Domínio do grupo: Builtin

 

Atributos alterados:

Nome de conta Sam: -

Histórico sid: -

 

Informações adicionais:

Privilégios: -

Record Number: 5

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100718201344.296875-000

Event Type: Sucesso da Auditoria

User:

 

Computer Name: 37L4247E29-32

Event Code: 4731

Message: Foi criado um grupo local com a segurança ativada.

 

Requerente:

Identificação de segurança: S-1-5-18

Nome da conta: 37L4247E29-32$

Domínio da conta: WORKGROUP

Identificação de logon: 0x3e7

 

Novo grupo:

Identificação de segurança: S-1-5-32-551

Nome do grupo: Operadores de cópia

Domínio do grupo: Builtin

 

Atributos:

Nome de conta Sam: Operadores de cópia

Histórico sid: -

 

Informações adicionais:

Privilégios: -

Record Number: 4

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100718201344.281250-000

Event Type: Sucesso da Auditoria

User:

 

Computer Name: 37L4247E29-32

Event Code: 4902

Message: Criada tabela de diretivas de auditoria por usuário.

 

Número de elementos: 0

Identificação da diretiva: 0x30178

Record Number: 3

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100718201343.640625-000

Event Type: Sucesso da Auditoria

User:

 

Computer Name: 37L4247E29-32

Event Code: 4624

Message: O logon de uma conta foi efetuado com sucesso.

 

Requerente:

Identificação de segurança: S-1-0-0

Nome da conta: -

Domínio da conta: -

Identificação de logon: 0x0

 

Tipo de logon: 0

 

Novo logon:

Identificação de segurança: S-1-5-18

Nome da conta: SISTEMA

Domínio da conta: AUTORIDADE NT

Identificação de logon: 0x3e7

GUID de logon: {00000000-0000-0000-0000-000000000000}

 

Informações do processo:

Identificação do processo: 0x4

Nome do processo:

 

Informações da rede:

Nome da estação de trabalho: -

Endereço da rede de origem: -

Porta de origem: -

 

Informações detalhadas da autenticação:

Processo de logon: -

Pacote de autenticação: -

Serviços transitados: -

Nome do pacote (somente NTLM): -

Comprimento da chave: 0

 

Este evento é gerado quando uma sessão de logon é criada. Ele é gerado no computador acessado.

 

Os campos do assunto indicam a Conta Sistema Local que solicitou o logon. Comumente, isto é um serviço como o de servidor ou um processo local como Winlogon.exe ou Services.exe.

 

O campo tipo de logon indica o tipo de logon ocorrido. Os tipos mais comuns são 2 (interativo) e 3 (em rede).

 

Os campos Novo logon indicam as contas para a qual o novo logon foi criada, isto é, a conta na qual o logon foi efetuado.

 

Os campos de rede indicam onde a solicitação de logon remoto se originou. O nome da estação de trabalho nem sempre está disponível e pode ser deixado em branco em alguns casos.

 

Os campos de informações de autenticação fornecem informações detalhadas sobre esta solicitação específica de logon.

-O GUID de logon é um identificador exclusivo que pode ser usado para correlacionar este evento com um evento de KDC.

- Serviços transitados indicam qual serviço intermediário participou desta solicitação de logon.

- Nome de pacote indica qual subprotocolo foi usado, entre os protocolos NTLM.

- Comprimento da chave indica o comprimento da chave da sessão gerada. Ele será 0 se nenhuma chave de sessão foi solicitada.

Record Number: 2

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100718201340.562500-000

Event Type: Sucesso da Auditoria

User:

 

Computer Name: 37L4247E29-32

Event Code: 4608

Message: Windows está iniciando.

 

Este evento é registrado quando o LSASS.EXE inicia e o subsistema de auditoria é inicializado.

Record Number: 1

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100718201340.437500-000

Event Type: Sucesso da Auditoria

User:

 

======Environment variables======

 

"ComSpec"=%SystemRoot%\system32\cmd.exe

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"Path"=C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Windows Live\Shared

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

"PROCESSOR_ARCHITECTURE"=AMD64

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"USERNAME"=SYSTEM

"windir"=%SystemRoot%

"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\

"NUMBER_OF_PROCESSORS"=2

"PROCESSOR_LEVEL"=15

"PROCESSOR_IDENTIFIER"=AMD64 Family 15 Model 107 Stepping 1, AuthenticAMD

"PROCESSOR_REVISION"=6b01

 

-----------------EOF-----------------

 

Log.txt

 

 

Logfile of random's system information tool 1.08 (written by random/random)

Run by Felippe Rodrigues at 2010-08-19 14:38:48

Microsoft Windows 7 Professional

System drive C: has 104 GB (68%) free of 153 GB

Total RAM: 894 MB (25% free)

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:39:12, on 19/08/2010

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

C:\Users\Felippe Rodrigues\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Felippe Rodrigues\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Felippe Rodrigues\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Felippe Rodrigues\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Felippe Rodrigues\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Felippe Rodrigues\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Felippe Rodrigues\Desktop\RSIT.exe

C:\Program Files (x86)\trend micro\Felippe Rodrigues.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Users\Felippe Rodrigues\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')

O8 - Extra context menu item: &Enviar para o OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000

O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: &Anotações Vinculadas do OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: &Anotações Vinculadas do OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Serviço de estado do ASP.NET (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

 

--

End of file - 9687 bytes

 

======Scheduled tasks folder======

 

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2509913390-3270742093-3042151627-1000Core.job

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2509913390-3270742093-3042151627-1000UA.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]

Groove GFS Browser Helper - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL [2010-03-25 4222864]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]

Auxiliar de Conexão do Windows Live ID - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-05-26 448384]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FDDE16B-836F-4806-AB1F-1455CBEFF289}]

Windows Live Messenger Companion Helper - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll [2010-06-07 380800]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]

Skype add-on for Internet Explorer - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2010-02-08 804136]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]

Office Document Cache Handler - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL [2010-02-28 561552]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Default Manager"=C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [2010-05-10 439568]

"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-19 35760]

"Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"Google Update"=C:\Users\Felippe Rodrigues\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-19 136176]

"Skype"=C:\Program Files (x86)\Skype\Phone\Skype.exe [2010-05-13 26192168]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL [2010-03-25 4222864]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"=credssp.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"ConsentPromptBehaviorAdmin"=5

"ConsentPromptBehaviorUser"=3

"EnableUIADesktopToggle"=0

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoActiveDesktop"=1

"NoActiveDesktopChanges"=1

"ForceActiveDesktopOn"=0

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

======File associations======

 

.js - edit - C:\Windows\System32\Notepad.exe %1

.js - open - C:\Windows\System32\WScript.exe "%1" %*

 

======List of files/folders created in the last 1 months======

 

2010-08-19 14:38:50 ----D---- C:\Program Files (x86)\trend micro

2010-08-19 14:38:48 ----D---- C:\rsit

2010-08-18 14:39:04 ----D---- C:\Program Files (x86)\ESET

2010-08-18 13:51:10 ----D---- C:\HijackThis

2010-08-11 15:07:14 ----D---- C:\Users\Felippe Rodrigues\AppData\Roaming\skypePM

2010-08-11 15:05:11 ----D---- C:\Users\Felippe Rodrigues\AppData\Roaming\Skype

2010-08-11 15:03:32 ----D---- C:\Program Files (x86)\Common Files\Skype

2010-08-11 15:03:23 ----RD---- C:\Program Files (x86)\Skype

2010-08-11 15:02:41 ----D---- C:\ProgramData\Skype

2010-08-11 13:55:31 ----A---- C:\Windows\SysWOW64\schannel.dll

2010-08-11 13:55:04 ----A---- C:\Windows\SysWOW64\ntoskrnl.exe

2010-08-11 13:55:04 ----A---- C:\Windows\SysWOW64\ntkrnlpa.exe

2010-08-11 13:54:56 ----A---- C:\Windows\SysWOW64\mshtml.dll

2010-08-11 13:54:53 ----A---- C:\Windows\SysWOW64\ieframe.dll

2010-08-11 13:54:51 ----A---- C:\Windows\SysWOW64\wininet.dll

2010-08-11 13:54:51 ----A---- C:\Windows\SysWOW64\urlmon.dll

2010-08-11 13:54:50 ----A---- C:\Windows\SysWOW64\iepeers.dll

2010-08-11 13:54:49 ----A---- C:\Windows\SysWOW64\mstime.dll

2010-08-11 13:54:49 ----A---- C:\Windows\SysWOW64\iedkcs32.dll

2010-08-11 13:54:47 ----A---- C:\Windows\SysWOW64\msfeedsbs.dll

2010-08-11 13:54:47 ----A---- C:\Windows\SysWOW64\ieui.dll

2010-08-11 13:54:46 ----A---- C:\Windows\SysWOW64\msfeedssync.exe

2010-08-11 13:54:46 ----A---- C:\Windows\SysWOW64\jsproxy.dll

2010-08-11 13:54:22 ----A---- C:\Windows\SysWOW64\rtutils.dll

2010-08-11 13:54:20 ----A---- C:\Windows\SysWOW64\iccvid.dll

2010-08-11 13:52:08 ----A---- C:\Windows\SysWOW64\msxml3.dll

2010-08-09 00:05:00 ----A---- C:\ProgramData\SDGLYBMPWPP.SYS

2010-08-08 23:37:20 ----D---- C:\Diapasao

2010-08-04 13:33:01 ----D---- C:\PFiles

2010-08-02 20:00:58 ----A---- C:\Windows\SysWOW64\shell32.dll

2010-07-22 09:17:17 ----D---- C:\ProgramData\Blizzard Entertainment

2010-07-21 21:13:07 ----D---- C:\Program Files (x86)\Common Files\Blizzard Entertainment

2010-07-21 21:12:34 ----D---- C:\ProgramData\Blizzard

 

======List of files/folders modified in the last 1 months======

 

2010-08-19 14:39:12 ----D---- C:\Windows\Prefetch

2010-08-19 14:38:50 ----RD---- C:\Program Files (x86)

2010-08-19 14:38:19 ----D---- C:\Windows\Temp

2010-08-19 14:06:55 ----SHD---- C:\System Volume Information

2010-08-14 16:28:26 ----SD---- C:\Users\Felippe Rodrigues\AppData\Roaming\Microsoft

2010-08-12 04:28:14 ----D---- C:\Windows\Microsoft.NET

2010-08-12 04:23:14 ----RSD---- C:\Windows\assembly

2010-08-12 03:25:14 ----D---- C:\Windows\winsxs

2010-08-12 03:22:49 ----D---- C:\Windows\SysWOW64

2010-08-12 03:22:49 ----D---- C:\Windows\System32

2010-08-12 03:22:48 ----D---- C:\Windows\SysWOW64\migration

2010-08-12 03:22:48 ----D---- C:\Program Files (x86)\Internet Explorer

2010-08-12 03:06:10 ----SHD---- C:\Windows\Installer

2010-08-12 03:06:04 ----D---- C:\ProgramData\Microsoft Help

2010-08-11 15:07:25 ----HD---- C:\ProgramData

2010-08-11 15:03:32 ----D---- C:\Program Files (x86)\Common Files

2010-08-01 15:36:58 ----D---- C:\Windows

2010-07-21 14:03:07 ----D---- C:\Program Files (x86)\Microsoft Silverlight

2010-07-20 21:34:07 ----D---- C:\Users\Felippe Rodrigues\AppData\Roaming\Mozilla

2010-07-20 19:26:49 ----D---- C:\ProgramData\PMB Files

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys []

R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys []

R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys []

R1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys []

R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys []

R3 MpNWMon;Microsoft Malware Protection Network Driver; C:\Windows\system32\DRIVERS\MpNWMon.sys []

R3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt64win7.sys []

S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys []

S3 s3cap;s3cap; C:\Windows\system32\DRIVERS\vms3cap.sys []

S3 storvsc;storvsc; C:\Windows\system32\DRIVERS\storvsc.sys []

S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\DRIVERS\vmbus.sys []

S3 VMBusHID;VMBusHID; C:\Windows\system32\DRIVERS\VMBusHID.sys []

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 AppHostSvc;@%windir%\system32\inetsrv\iisres.dll,-30011; C:\Windows\system32\svchost.exe [2009-07-13 20992]

R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]

R2 iprip;@%Systemroot%\system32\iprip.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]

R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2010-03-25 17424]

R2 simptcp;@%SystemRoot%\system32\simptcp.dll,-200; C:\Windows\System32\tcpsvcs.exe [2009-07-13 9216]

R2 W3SVC;@%windir%\system32\inetsrv\iisres.dll,-30003; C:\Windows\system32\svchost.exe [2009-07-13 20992]

R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2010-05-26 2290048]

R3 WAS;@%windir%\system32\inetsrv\iisres.dll,-30001; C:\Windows\system32\svchost.exe [2009-07-13 20992]

S2 KMService;KMService; C:\Windows\system32\srvany.exe [2003-04-18 8192]

S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 20992]

S3 aspnet_state;Serviço de estado do ASP.NET; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe []

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service; C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 51456888]

S3 ose64;Office 64 Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]

S3 osppsvc;Office Software Protection Platform; C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]

S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-13 20992]

S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 20992]

S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 20992]

S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe []

S4 wlcrasvc;Windows Live Devices remote connections service; C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-06-04 55648]

 

-----------------EOF-----------------


Juhije,

*Download MalwareBytes Anti-Malware (http://www.malwarebytes.org/mbam/program/mbam-setup.exe) and save it to the desktop

*Install the program

*If an update is available, it will be downloaded automatically. Wait...

*The program will open automatically.

*On the [Scan] tab, select the [Full Scan] option

*Click [Scan] and select the partitions to be examined (usually C:\ and D:\)

*When the scan finishes, you may be asked whether you want to remove objects from memory. Click [Yes] > [OK] > [Show Results]

*Click [Remove Selected]

*A report (mbam-log-year-month-day.txt) will be displayed.

*Paste it in your next reply


For now I'm downloading Malwarebytes...

Here is the Virscan.org log

 

VirSCAN.org Scanned Report :

Scanned time : 2010/08/09 10:21:56 (ACT)

Scanner results: 6% Software(2/36) encontrou código malicioso!

File Name : as555gdrzjf67.bat

File Size : 388608 byte

File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 : 9a2347903d6edb84c10f288bc0578c1c

SHA1 : ae96a47e781ed600704b0b040f6b5c8a92ac5e51

Online report : http://virscan.org/report/64c7f5fb097218c5d43d8a180f7556a0.html

 

Scanner Engine Ver Sig Ver Sig Date Time Scan result

a-squared 5.0.0.18 20100808201124 2010-08-08 0.55 Packed.Win32.Krap.hm!A2

AhnLab V3 2010.08.07.00 2010.08.07 2010-08-07 1.29 -

AntiVir 8.2.4.34 7.10.10.124 2010-08-09 0.35 HEUR/Crypted.E

Antiy 2.0.18 20100809.4922704 2010-08-09 0.12 -

Arcavir 2009 201006281601 2010-06-28 0.01 -

Authentium 5.1.1 201008090738 2010-08-09 2.38 -

AVAST! 4.7.4 100809-0 2010-08-09 0.20 -

AVG 8.5.793 271.1.1/3060 2010-08-09 1.16 -

BitDefender 7.90123.6154149 7.33271 2010-08-09 4.54 -

ClamAV 0.96.1 11518 2010-08-09 0.41 -

Comodo 4.0 5695 2010-08-09 1.30 -

CP Secure 1.3.0.5 2010.08.09 2010-08-09 0.49 -

Dr.Web 5.0.2.3300 2010.08.09 2010-08-09 9.18 -

F-Prot 4.4.4.56 20100809 2010-08-09 2.32 -

F-Secure 7.02.73807 2010.08.09.02 2010-08-09 0.63 -

Fortinet 4.1.143 12.227 2010-08-08 0.26 -

GData 21.645/21.242 20100809 2010-08-09 8.26 -

ViRobot 20100809 2010.08.09 2010-08-09 0.39 -

Ikarus T3. 2010.08.09.76452 2010-08-09 5.42 -

JiangMin 13.0.900 2010.08.08 2010-08-08 2.19 -

Kaspersky 5.5.10 2010.08.09 2010-08-09 0.43 -

KingSoft 2009.2.5.15 2010.8.9.18 2010-08-09 1.41 -

McAfee 5400.1158 6068 2010-08-08 18.89 -

Microsoft 1.6004 2010.08.09 2010-08-09 9.84 -

Norman 6.05.11 6.05.00 2010-08-09 6.04 -

Panda 9.05.01 2010.08.08 2010-08-08 3.60 -

Trend Micro 9.120-1004 7.372.12 2010-08-09 0.00 -

Quick Heal 11.00 2010.08.09 2010-08-09 2.25 -

Rising 20.0 22.60.00.04 2010-08-09 2.38 -

Sophos 3.10.0 4.56 2010-08-09 5.21 -

Sunbelt 3.9.2432.2 6703 2010-08-08 0.30 -

Symantec 1.3.0.24 20100808.003 2010-08-08 0.20 -

nProtect 20100808.01 8813262 2010-08-08 10.30 -

The Hacker 6.5.2.1 v00339 2010-08-08 0.99 -

VBA32 3.12.12.8 20100809.0801 2010-08-09 3.31 -

VirusBuster 4.5.11.10 10.127.49/2027385 2010-08-09 3.79 -


That file is in the folder together with HijackThis, along with a HijackThis txt file... that's my PC's login.... doesn't HijackThis generate it automatically??

Juhije,

Right. That was a mistake...

It's RSIT that generates it automatically...


Should I still run the scan with Malwarebytes... anyway, I'm already doing it.

Mbam log

 

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

 

Versão da Base de Dados: 4450

 

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

 

19/08/2010 22:01:55

mbam-log-2010-08-19 (22-01-55).txt

 

Tipo de Verificação: Verificação Completa (C:\|)

Objetos escaneados: 206164

Tempo decorrido: 47 minuto(s), 45 segundo(s)

 

Processos de Memória Infectados: 0

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 0

Valores de Registro Infectados: 0

Itens de Dados no Registro Infectados: 0

Pastas Infectadas: 0

Arquivos Infectados: 0

 

Processos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Chaves de Registro Infectadas:

(Não foram detectados ítens maliciosos)

 

Valores de Registro Infectados:

(Não foram detectados ítens maliciosos)

 

Itens de Dados no Registro Infectados:

(Não foram detectados ítens maliciosos)

 

Pastas Infectadas:

(Não foram detectados ítens maliciosos)

 

Arquivos Infectados:

(Não foram detectados ítens maliciosos)


Juhije,

- Download RootkitBuster (http://www.trendmicro.com/ftp/products/rootkitbuster/RootkitBuster_2.80.1077.zip)

- Unzip it on the desktop;

- Open the folder and run it as administrator;

- Click [Scan Now] and wait for the scan...

- When it finishes, click [View Log] and post the report here;

Awaiting your reply!


Topic Archived

Since the author did not reply for more than 30 days, the topic was archived.

If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening.
