Juhije (posted August 18, 2010):
I have a game at home called WoW and I suspect I've been the victim of a keylogger =(. I was thinking about formatting the PC, since I'm somewhat skeptical about whether the antivirus really removes every piece of malware completely. I'd like your help to avoid formatting, and to know what steps I could take. Thanks.
Felipe_88 (posted August 18, 2010):
Hello, Juhije! Welcome to the iMasters Forum! Please read: Rule No. 02 - Using HijackThis (http://forum.imasters.com.br/index.php?/topic/165906-regra-n-02-utilizando-o-hijackthis/)
Juhije (posted August 18, 2010):
I ran HijackThis and this is the log file... it showed a message saying it couldn't edit a file there.. then I pressed Enter and it went on =x

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:52:22, on 18/08/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Felippe Rodrigues\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: &Enviar para o OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: &Anotações Vinculadas do OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Anotações Vinculadas do OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Serviço de estado do ASP.NET (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8815 bytes
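For readers wondering what a helper actually looks at in a log like the one above, here is an added example (it is not from the thread, from iMasters or from HijackThis itself): a small Python triage script that parses HijackThis entry lines and flags the R0/R1, O4, O10 and O23 entries that get a second look. The sample log mixes lines copied from the posted log with constructed ones, and the allow-listed host and the path rules are this example's own assumptions; a flag means "review this", not "infected".

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis v2 one-entry-per-line format seen in
# the thread. The R0, Adobe, Winsock LSP and KMService lines are copied from
# the posted log; the R1 search page, the [updater] autostart and the
# exhelper service are made up so that every rule below has a hit.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [updater] C:\Users\alice\AppData\Roaming\updater.exe /silent
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: Example Helper (exhelper) - Unknown owner - C:\ProgramData\exhelper\exhelper.exe
"""

# Section code ("R0", "O4", "O23", ...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [Name] "C:\path\prog.exe" /args
O4_RE = re.compile(r"^(?P<key>HK\S+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Assumption for this example: hosts the default IE start/search pages use,
# taken from the R0/R1 lines in the posted log.
DEFAULT_IE_HOSTS = {"go.microsoft.com"}
# Folders any user process can write to; a persisted autostart there deserves
# a look (legitimate updaters such as Google Update live there too).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "\\programdata\\")
# Where a service binary is normally installed (assumed roots for this example).
SERVICE_ROOTS = ("c:\\windows\\", "c:\\program files")


def parse(log_text):
    """Yield (code, body) for every HijackThis entry line; header lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def exe_path(cmd):
    """Program path from an autostart command line, quoted or not, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    # Unquoted command: the path runs up to the first switch ("/x" or "-x").
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0].lower()


def triage(log_text):
    """Return [(code, reason, body)] for the entries that deserve a second look."""
    findings = []
    for code, body in parse(log_text):
        if code in ("R0", "R1") and "=" in body:
            # Browser start/search pages: flag any host outside the defaults.
            value = body.split("=", 1)[1].strip()
            host = urlsplit(value).hostname if value.startswith("http") else None
            if host and host not in DEFAULT_IE_HOSTS:
                findings.append((code, "IE start/search page on a non-default host", body))
        elif code == "O4":
            # Registry Run keys: flag programs started from user-writable folders.
            m = O4_RE.match(body)
            if m and any(d in exe_path(m.group("cmd")) for d in USER_WRITABLE):
                findings.append((code, "autostart runs from a user-writable folder", body))
        elif code == "O10" and body.lower().startswith("unknown file in winsock lsp"):
            # Layered Service Providers sit in the network stack of every socket.
            findings.append((code, "Winsock LSP module HijackThis does not recognise", body))
        elif code == "O23":
            # Services: flag binaries installed outside the usual system roots.
            path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip().lower()
            if not path.startswith(SERVICE_ROOTS):
                findings.append((code, "service binary outside Windows/Program Files", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}\n     {body}")
```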
Felipe_88 (posted August 18, 2010):
Juhije,
* Run an online scan with NOD32
* When it finishes, paste the report created in C:\Arquivos de programas\EsetOnlineScanner\log
Waiting!
Juhije (posted August 18, 2010):
I'm downloading it, since it's the first time I've used it. But according to the HijackThis log, is there something infected???... I already changed the password yesterday and was hacked, so it's a fact that there's something.... I'm getting desperate already hehehe... I used ESET and the log didn't show anything infected.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a7769075506acb439ae192d910d755e9
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-18 07:18:21
# local_time=2010-08-18 04:18:21 (-0300, Hora oficial do Brasil)
# country="Brazil"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=768 16777215 100 0 1747681 1747681 0 0
# compatibility_mode=5891 16776573 100 100 0 12509283 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=86389
# found=0
# cleaned=0
# scan_time=3596
Felipe_88 (posted August 18, 2010):
Juhije, the logs are clean! If there is a keylogger on your computer, it is not active! Let's go to the last analysis:
* Download RSIT (http://images.malwareremoval.com/random/RSIT.exe) and save it to the desktop
* Run RSIT and click [Continue]
* When the process finishes, paste the reports created in C:\rsit\log.txt and C:\rsit\info.txt
Juhije (posted August 19, 2010):
Sorry for the delay, I didn't sleep at home and just got back from work ^^ Here are the logs (info.txt and log.txt).
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL [2010-03-25 4222864] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"=credssp.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "ConsentPromptBehaviorAdmin"=5 "ConsentPromptBehaviorUser"=3 "EnableUIADesktopToggle"=0 "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoActiveDesktop"=1 "NoActiveDesktopChanges"=1 "ForceActiveDesktopOn"=0 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] ======File associations====== .js - edit - C:\Windows\System32\Notepad.exe %1 .js - open - C:\Windows\System32\WScript.exe "%1" %* ======List of files/folders created in the last 1 months====== 2010-08-19 14:38:50 ----D---- C:\Program Files (x86)\trend micro 2010-08-19 14:38:48 ----D---- C:\rsit 2010-08-18 14:39:04 ----D---- C:\Program Files (x86)\ESET 2010-08-18 13:51:10 ----D---- C:\HijackThis 2010-08-11 15:07:14 ----D---- C:\Users\Felippe Rodrigues\AppData\Roaming\skypePM 2010-08-11 15:05:11 ----D---- C:\Users\Felippe Rodrigues\AppData\Roaming\Skype 2010-08-11 15:03:32 ----D---- C:\Program Files (x86)\Common Files\Skype 2010-08-11 15:03:23 ----RD---- C:\Program Files (x86)\Skype 2010-08-11 15:02:41 ----D---- C:\ProgramData\Skype 2010-08-11 13:55:31 ----A---- C:\Windows\SysWOW64\schannel.dll 2010-08-11 13:55:04 ----A---- 
C:\Windows\SysWOW64\ntoskrnl.exe 2010-08-11 13:55:04 ----A---- C:\Windows\SysWOW64\ntkrnlpa.exe 2010-08-11 13:54:56 ----A---- C:\Windows\SysWOW64\mshtml.dll 2010-08-11 13:54:53 ----A---- C:\Windows\SysWOW64\ieframe.dll 2010-08-11 13:54:51 ----A---- C:\Windows\SysWOW64\wininet.dll 2010-08-11 13:54:51 ----A---- C:\Windows\SysWOW64\urlmon.dll 2010-08-11 13:54:50 ----A---- C:\Windows\SysWOW64\iepeers.dll 2010-08-11 13:54:49 ----A---- C:\Windows\SysWOW64\mstime.dll 2010-08-11 13:54:49 ----A---- C:\Windows\SysWOW64\iedkcs32.dll 2010-08-11 13:54:47 ----A---- C:\Windows\SysWOW64\msfeedsbs.dll 2010-08-11 13:54:47 ----A---- C:\Windows\SysWOW64\ieui.dll 2010-08-11 13:54:46 ----A---- C:\Windows\SysWOW64\msfeedssync.exe 2010-08-11 13:54:46 ----A---- C:\Windows\SysWOW64\jsproxy.dll 2010-08-11 13:54:22 ----A---- C:\Windows\SysWOW64\rtutils.dll 2010-08-11 13:54:20 ----A---- C:\Windows\SysWOW64\iccvid.dll 2010-08-11 13:52:08 ----A---- C:\Windows\SysWOW64\msxml3.dll 2010-08-09 00:05:00 ----A---- C:\ProgramData\SDGLYBMPWPP.SYS 2010-08-08 23:37:20 ----D---- C:\Diapasao 2010-08-04 13:33:01 ----D---- C:\PFiles 2010-08-02 20:00:58 ----A---- C:\Windows\SysWOW64\shell32.dll 2010-07-22 09:17:17 ----D---- C:\ProgramData\Blizzard Entertainment 2010-07-21 21:13:07 ----D---- C:\Program Files (x86)\Common Files\Blizzard Entertainment 2010-07-21 21:12:34 ----D---- C:\ProgramData\Blizzard ======List of files/folders modified in the last 1 months====== 2010-08-19 14:39:12 ----D---- C:\Windows\Prefetch 2010-08-19 14:38:50 ----RD---- C:\Program Files (x86) 2010-08-19 14:38:19 ----D---- C:\Windows\Temp 2010-08-19 14:06:55 ----SHD---- C:\System Volume Information 2010-08-14 16:28:26 ----SD---- C:\Users\Felippe Rodrigues\AppData\Roaming\Microsoft 2010-08-12 04:28:14 ----D---- C:\Windows\Microsoft.NET 2010-08-12 04:23:14 ----RSD---- C:\Windows\assembly 2010-08-12 03:25:14 ----D---- C:\Windows\winsxs 2010-08-12 03:22:49 ----D---- C:\Windows\SysWOW64 2010-08-12 03:22:49 ----D---- C:\Windows\System32 
2010-08-12 03:22:48 ----D---- C:\Windows\SysWOW64\migration 2010-08-12 03:22:48 ----D---- C:\Program Files (x86)\Internet Explorer 2010-08-12 03:06:10 ----SHD---- C:\Windows\Installer 2010-08-12 03:06:04 ----D---- C:\ProgramData\Microsoft Help 2010-08-11 15:07:25 ----HD---- C:\ProgramData 2010-08-11 15:03:32 ----D---- C:\Program Files (x86)\Common Files 2010-08-01 15:36:58 ----D---- C:\Windows 2010-07-21 14:03:07 ----D---- C:\Program Files (x86)\Microsoft Silverlight 2010-07-20 21:34:07 ----D---- C:\Users\Felippe Rodrigues\AppData\Roaming\Mozilla 2010-07-20 19:26:49 ----D---- C:\ProgramData\PMB Files ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [] R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [] R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [] R1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [] R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [] R3 MpNWMon;Microsoft Malware Protection Network Driver; C:\Windows\system32\DRIVERS\MpNWMon.sys [] R3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt64win7.sys [] S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [] S3 s3cap;s3cap; C:\Windows\system32\DRIVERS\vms3cap.sys [] S3 storvsc;storvsc; C:\Windows\system32\DRIVERS\storvsc.sys [] S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\DRIVERS\vmbus.sys [] S3 VMBusHID;VMBusHID; C:\Windows\system32\DRIVERS\VMBusHID.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 AppHostSvc;@%windir%\system32\inetsrv\iisres.dll,-30011; C:\Windows\system32\svchost.exe [2009-07-13 20992] R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992] R2 iprip;@%Systemroot%\system32\iprip.dll,-200; 
C:\Windows\System32\svchost.exe [2009-07-13 20992] R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2010-03-25 17424] R2 simptcp;@%SystemRoot%\system32\simptcp.dll,-200; C:\Windows\System32\tcpsvcs.exe [2009-07-13 9216] R2 W3SVC;@%windir%\system32\inetsrv\iisres.dll,-30003; C:\Windows\system32\svchost.exe [2009-07-13 20992] R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2010-05-26 2290048] R3 WAS;@%windir%\system32\inetsrv\iisres.dll,-30001; C:\Windows\system32\svchost.exe [2009-07-13 20992] S2 KMService;KMService; C:\Windows\system32\srvany.exe [2003-04-18 8192] S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 20992] S3 aspnet_state;Serviço de estado do ASP.NET; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [] S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service; C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 51456888] S3 ose64;Office 64 Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440] S3 osppsvc;Office Software Protection Platform; C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184] S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-13 20992] S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 20992] S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 20992] S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [] S4 wlcrasvc;Windows Live Devices remote connections service; C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-06-04 55648] -----------------EOF----------------- Compartilhar este post Link para o post Compartilhar em outros 
sites
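What a responder actually does with a log like the one above is triage the "files/folders created in the last 1 months" section rather than read it top to bottom: directories and anything dropped by Windows Update or a known installer are noise, while a loose binary in a user-writable location is what gets hashed and submitted for a second opinion. The Python below is an added example, not part of the thread and not RSIT or HijackThis code. It parses the RSIT line format, discards directories, and flags executable content created outside the Windows and Program Files trees, adding a note when the file is a driver image (.sys) living outside System32\drivers or when its name has almost no vowels (a crude random-name heuristic, with the Shannon entropy shown for ranking). The sample input is a subset of lines copied from the log above; the thresholds (8-letter minimum, 15 % vowel ratio) are assumptions chosen for illustration. A hit means "inspect and scan this file", not "this file is malware".

```python
import math
import ntpath
import re
from collections import Counter
from datetime import datetime

# Lines copied from the "List of files/folders created in the last 1 months"
# section of the RSIT log above (a subset; the full section is longer).
RSIT_CREATED = """\
2010-08-19 14:38:48 ----D---- C:\\rsit
2010-08-18 13:51:10 ----D---- C:\\HijackThis
2010-08-11 15:03:23 ----RD---- C:\\Program Files (x86)\\Skype
2010-08-11 13:55:31 ----A---- C:\\Windows\\SysWOW64\\schannel.dll
2010-08-11 13:55:04 ----A---- C:\\Windows\\SysWOW64\\ntoskrnl.exe
2010-08-09 00:05:00 ----A---- C:\\ProgramData\\SDGLYBMPWPP.SYS
2010-08-08 23:37:20 ----D---- C:\\Diapasao
2010-08-04 13:33:01 ----D---- C:\\PFiles
2010-08-02 20:00:58 ----A---- C:\\Windows\\SysWOW64\\shell32.dll
2010-07-22 09:17:17 ----D---- C:\\ProgramData\\Blizzard Entertainment
"""

# RSIT line: "<date> <time> ----<attr letters>---- <path>"; letters such as D, R, S, H, A
# sit between the two runs of dashes.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (-{4}[A-Z]*-{4}) (.+)$")
BINARY_EXT = {".sys", ".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif"}
# Locations where new binaries are expected after Windows Update or an installer ran.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VOWELS = set("aeiou")


def parse_created(text):
    """Turn RSIT 'created' lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        stamp, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "is_dir": "D" in attrs,
            "hidden": "H" in attrs,
            "path": path,
        })
    return entries


def looks_random(name):
    """Crude heuristic (assumed thresholds): a stem of 8+ letters with under 15% vowels."""
    stem = ntpath.splitext(name)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.15


def name_entropy(name):
    """Shannon entropy of the file stem in bits per character, for ranking candidates."""
    stem = ntpath.splitext(name)[0].lower()
    if not stem:
        return 0.0
    n = len(stem)
    return -sum(k / n * math.log2(k / n) for k in Counter(stem).values())


def triage(entries):
    """Return (path, reasons) for files worth hashing and scanning by hand."""
    hits = []
    for e in entries:
        if e["is_dir"]:
            continue
        base = ntpath.basename(e["path"])
        ext = ntpath.splitext(base)[1].lower()
        if ext not in BINARY_EXT or e["path"].lower().startswith(EXPECTED_ROOTS):
            continue
        reasons = ["binary created outside Windows/Program Files"]
        if ext == ".sys":
            reasons.append("driver image outside System32\\drivers")
        if e["hidden"]:
            reasons.append("hidden attribute set")
        if looks_random(base):
            reasons.append(f"random-looking name (entropy {name_entropy(base):.2f} bits/char)")
        hits.append((e["path"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in triage(parse_created(RSIT_CREATED)):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, only the .SYS file under C:\ProgramData survives the filters; the SysWOW64 files are excluded by location, not by name, which is deliberate: a file in the Windows tree with a random name would still be caught if you widened EXPECTED_ROOTS to cover only signed-update paths.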
Felipe_88, posted August 19, 2010

Juhije,

1st
* Download MalwareBytes Anti-Malware (http://www.malwarebytes.org/mbam/program/mbam-setup.exe) and save it to the desktop
* Install the program
* If an update exists, it will be downloaded automatically. Wait...
* The program will open automatically.
* On the [Scan] tab, select the [Full scan] option
* Click [Scan] and select the partitions to be examined (usually C:\ and D:\)
* When the scan finishes, you may be asked whether you want to remove objects from memory. Click [Yes] > [OK] > [Show Results]
* Click [Remove Selected]
* A report (mbam-log-year-month-date.txt) will be displayed.
* Paste it in your next reply
Juhije, posted August 19, 2010

For now I'm downloading Malwarebytes... here is the log from VirSCAN.org:

VirSCAN.org Scanned Report :
Scanned time : 2010/08/09 10:21:56 (ACT)
Scanner results: 6% Software(2/36) found malicious code!
File Name : as555gdrzjf67.bat
File Size : 388608 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 9a2347903d6edb84c10f288bc0578c1c
SHA1 : ae96a47e781ed600704b0b040f6b5c8a92ac5e51
Online report : http://virscan.org/report/64c7f5fb097218c5d43d8a180f7556a0.html

Scanner        Engine Ver         Sig Ver              Sig Date     Time    Scan result
a-squared      5.0.0.18           20100808201124       2010-08-08   0.55    Packed.Win32.Krap.hm!A2
AhnLab V3      2010.08.07.00      2010.08.07           2010-08-07   1.29    -
AntiVir        8.2.4.34           7.10.10.124          2010-08-09   0.35    HEUR/Crypted.E
Antiy          2.0.18             20100809.4922704     2010-08-09   0.12    -
Arcavir        2009               201006281601         2010-06-28   0.01    -
Authentium     5.1.1              201008090738         2010-08-09   2.38    -
AVAST!         4.7.4              100809-0             2010-08-09   0.20    -
AVG            8.5.793            271.1.1/3060         2010-08-09   1.16    -
BitDefender    7.90123.6154149    7.33271              2010-08-09   4.54    -
ClamAV         0.96.1             11518                2010-08-09   0.41    -
Comodo         4.0                5695                 2010-08-09   1.30    -
CP Secure      1.3.0.5            2010.08.09           2010-08-09   0.49    -
Dr.Web         5.0.2.3300         2010.08.09           2010-08-09   9.18    -
F-Prot         4.4.4.56           20100809             2010-08-09   2.32    -
F-Secure       7.02.73807         2010.08.09.02        2010-08-09   0.63    -
Fortinet       4.1.143            12.227               2010-08-08   0.26    -
GData          21.645/21.242      20100809             2010-08-09   8.26    -
ViRobot        20100809           2010.08.09           2010-08-09   0.39    -
Ikarus         T3.                2010.08.09.76452     2010-08-09   5.42    -
JiangMin       13.0.900           2010.08.08           2010-08-08   2.19    -
Kaspersky      5.5.10             2010.08.09           2010-08-09   0.43    -
KingSoft       2009.2.5.15        2010.8.9.18          2010-08-09   1.41    -
McAfee         5400.1158          6068                 2010-08-08   18.89   -
Microsoft      1.6004             2010.08.09           2010-08-09   9.84    -
Norman         6.05.11            6.05.00              2010-08-09   6.04    -
Panda          9.05.01            2010.08.08           2010-08-08   3.60    -
Trend Micro    9.120-1004         7.372.12             2010-08-09   0.00    -
Quick Heal     11.00              2010.08.09           2010-08-09   2.25    -
Rising         20.0               22.60.00.04          2010-08-09   2.38    -
Sophos         3.10.0             4.56                 2010-08-09   5.21    -
Sunbelt        3.9.2432.2         6703                 2010-08-08   0.30    -
Symantec       1.3.0.24           20100808.003         2010-08-08   0.20    -
nProtect       20100808.01        8813262              2010-08-08   10.30   -
The Hacker     6.5.2.1            v00339               2010-08-08   0.99    -
VBA32          3.12.12.8          20100809.0801        2010-08-09   3.31    -
VirusBuster    4.5.11.10          10.127.49/2027385    2010-08-09   3.79    -
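Two things in the VirSCAN report above deserve a check that the raw listing does not make obvious: the file is named .bat but VirSCAN identifies it as a PE32 executable, and only 2 of 36 engines flag it, both with packer/heuristic names (Packed.Win32.Krap, HEUR/Crypted) rather than a family name, which is exactly the profile of a freshly packed sample that signature engines have not caught up with. The Python below is an added example, not VirSCAN's code and not part of the thread. It parses the report format (the "Scanner results" ratio, the File Name/Type/hash fields, and the per-engine rows, where engine names may contain spaces), recomputes the detection count from the rows, and checks whether a file's extension contradicts its content, either from the report's "File Type" line or from the first bytes of a local copy. The report sample is a trimmed copy of the one above (both detections plus four clean rows); the MZ header bytes are constructed, not the thread's file, so the hash comparison with the report fails by design, which is the point of that check.

```python
import hashlib
import os.path
import re

# Header and a subset of rows copied from the VirSCAN report in the post above
# (the full report has 36 engines; this sample keeps both detections and four clean rows).
VIRSCAN_SAMPLE = """\
Scanner results: 6% Software(2/36) found malicious code!
File Name : as555gdrzjf67.bat
File Size : 388608 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 9a2347903d6edb84c10f288bc0578c1c
SHA1 : ae96a47e781ed600704b0b040f6b5c8a92ac5e51
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.18 20100808201124 2010-08-08 0.55 Packed.Win32.Krap.hm!A2
AhnLab V3 2010.08.07.00 2010.08.07 2010-08-07 1.29 -
AntiVir 8.2.4.34 7.10.10.124 2010-08-09 0.35 HEUR/Crypted.E
Ikarus T3. 2010.08.09.76452 2010-08-09 5.42 -
Kaspersky 5.5.10 2010.08.09 2010-08-09 0.43 -
Trend Micro 9.120-1004 7.372.12 2010-08-09 0.00 -
"""

# A row is: <scanner, may contain spaces> <engine ver> <sig ver> <YYYY-MM-DD> <seconds> <result>.
# The lazy scanner group plus the fixed date shape lets "AhnLab V3" and "Trend Micro" parse.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>\S+)$"
)
FIELD_RE = re.compile(r"^(File Name|File Size|File Type|MD5|SHA1)\s*:\s*(.+)$")
RATIO_RE = re.compile(r"Scanner results:.*?\((\d+)/(\d+)\)")

# Extensions that promise text, script or media; a PE image behind one is a red flag.
NON_PE_EXT = {".bat", ".cmd", ".vbs", ".js", ".txt", ".pdf", ".doc", ".jpg", ".png", ".gif"}

# Constructed stand-in for the first bytes of a Windows PE file (the DOS "MZ" stub).
# This is NOT the file from the thread, only the header shape such a file has.
CONSTRUCTED_PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48


def parse_virscan(text):
    """Parse a VirSCAN text report into fields, rows, and the ratio the header claims."""
    report = {"fields": {}, "rows": [], "claimed": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = RATIO_RE.search(line)
        if m:
            report["claimed"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = FIELD_RE.match(line)
        if m:
            report["fields"][m.group(1)] = m.group(2).strip()
            continue
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["detected"] = row["result"] != "-"   # VirSCAN prints "-" for clean
            report["rows"].append(row)
    return report


def detections(report):
    """(scanner, verdict) pairs for every engine that flagged the file."""
    return [(r["scanner"], r["result"]) for r in report["rows"] if r["detected"]]


def extension_mismatch(file_name, file_type="", head=b""):
    """True when the name says script/document but the content is a PE image.
    Either the report's 'File Type' text or the first bytes of a local copy suffices."""
    ext = os.path.splitext(file_name)[1].lower()
    is_pe = head[:2] == b"MZ" or file_type.startswith("PE32")
    return is_pe and ext in NON_PE_EXT


def local_hashes(data):
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest()}


def matches_report(report, data):
    """Confirm the copy you hold is the one VirSCAN scanned before trusting its verdicts."""
    h = local_hashes(data)
    f = report["fields"]
    return h["MD5"] == f.get("MD5", "").lower() and h["SHA1"] == f.get("SHA1", "").lower()


if __name__ == "__main__":
    rep = parse_virscan(VIRSCAN_SAMPLE)
    print("claimed ratio:", rep["claimed"], "rows parsed:", len(rep["rows"]))
    print("detections:", detections(rep))
    print("extension mismatch:", extension_mismatch(rep["fields"]["File Name"], rep["fields"]["File Type"]))
    print("local copy matches report:", matches_report(rep, CONSTRUCTED_PE_HEAD))
```

A low detection ratio on a multi-engine scan is evidence about the engines' signature coverage on that date, not evidence that the file is clean; the type/extension contradiction is the stronger signal here, and it costs nothing to check on the local copy before deciding whether a full reinstall is warranted.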
Felipe_88, posted August 19, 2010

Juhije, OK. I'll wait for the report.
Juhije, posted August 19, 2010

That file is in the folder together with HijackThis, along with a txt file from HijackThis... this is the log from my PC.... doesn't HijackThis generate it automatically??
Felipe_88, posted August 19, 2010

Juhije, that's right. It was a mix-up... it is RSIT that generates it automatically...
Juhije, posted August 19, 2010

I still have to run the Malwarebytes scan... anyway, I'm already doing it. Mbam log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4450

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

19/08/2010 22:01:55
mbam-log-2010-08-19 (22-01-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 206164
Time elapsed: 47 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Felipe_88, posted August 20, 2010

Juhije,

- Download RootkitBuster (http://www.trendmicro.com/ftp/products/rootkitbuster/RootkitBuster_2.80.1077.zip)
- Unzip it on the desktop;
- Open the folder and run it as administrator;
- Click [Scan Now] and wait for the scan...
- When it finishes, click [View Log] and post the report here;

Waiting!
Felipe_88, posted September 20, 2010

Topic archived

Since the author did not reply for more than 30 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this section with the link to this topic and explain the reason for reopening.