
Archived

This topic has been archived and is closed to new replies.

Hygor Castro

[Resolved] fake MSN screen + slow computer


I found a fake window opening on my PC to capture my MSN username and password.

I know it is fake because the real one has minimize and maximize buttons and this one doesn't.

It always opens in the same spot on the screen, and the computer is very slow =/

O4 - HKCU\..\Run: [Msnsock] c:\Arquivo de programas\msnmnns.exe

 

Could someone please take a look at my log?

Thanks in advance to everyone on the forum.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:16:07, on 22/02/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast5\afwServ.exe

C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Panda USB Vaccine\USBVaccine.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\Atheros WLAN Client\ACU.exe

C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe

C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe

C:\Arquivos de programas\Email Marketer Business Edition\Monitor.exe

C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

C:\Arquivos de programas\cacaoweb\cacaoweb.exe

C:\Arquivo de programas\atlsys12.exe

C:\Arquivos de programas\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

c:\Arquivo de programas\msnmnns.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jucheck.exe

C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Administrador\Meus documentos\Downloads\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.turkojan.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [ACU] "C:\Arquivos de programas\Atheros WLAN Client\ACU.exe" -nogui

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKLM\..\Run: C:\Arquivos de programas\Email Marketer Business Edition\Monitor.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [cacaoweb] "C:\Arquivos de programas\cacaoweb\cacaoweb.exe" -noplayer

O4 - HKCU\..\Run: [services] C:\WINDOWS\system32\imgrdir\services.exe

O4 - HKCU\..\Run: [Winsock] C:\Arquivo de programas\atlsys12.exe

O4 - HKCU\..\Run: [Msnsock] c:\Arquivo de programas\msnmnns.exe

O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.google.com

O15 - Trusted Zone: www.bb.com.br

O15 - Trusted Zone: www14.bancobrasil.com.br

O15 - Trusted Zone: www2.bancobrasil.com.br

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - ://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287545458531

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - ://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Firewall - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\afwServ.exe

 

--

End of file - 7883 bytes

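Two details in the log above give the fake login window away before any removal tool runs. The three HKCU Run entries `[services]`, `[Winsock]` and `[Msnsock]` point either at `C:\Arquivo de programas` (singular), a directory that a stock Portuguese XP does not have (the real one is `C:\Arquivos de programas`; the ComboFix listing further down shows the look-alike was created on 2011-02-10), or at a `services.exe` that lives in `system32\imgrdir` instead of `system32`, and the binaries sit directly in that directory with no vendor subfolder. The script below is an added example, not part of this thread and not a HijackThis feature: it parses O4 Run lines and applies exactly those three checks. The list of "known" root directories, the set of system binaries, the similarity cutoff and the rule wording are assumptions made for the example; the sample lines are copied from the posted log.

```python
"""Triage HijackThis O4 (Run-key autostart) lines for look-alike directories
and impersonated system binaries.

Added example for this thread, not HijackThis functionality.  The detection
rules are heuristics (assumptions); the sample lines are copied from the log
posted above.
"""
import difflib
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Sample input: O4 lines taken from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: C:\Arquivos de programas\Email Marketer Business Edition\Monitor.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [services] C:\WINDOWS\system32\imgrdir\services.exe
O4 - HKCU\..\Run: [Winsock] C:\Arquivo de programas\atlsys12.exe
O4 - HKCU\..\Run: [Msnsock] c:\Arquivo de programas\msnmnns.exe
"""

# O4 - <hive>\..\Run: [<value name>] <command>   (the [name] part may be absent)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run:\s*"
    r"(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.+?)\s*$"
)

# Top-level directories that exist on a stock Portuguese or English XP install,
# including their 8.3 short forms.  A root that is merely *similar* to one of
# these is treated as a look-alike (assumption for this example).
KNOWN_ROOTS = sorted({
    "windows", "documents and settings",
    "program files", "progra~1",
    "arquivos de programas", "arquiv~1",
})
PROGRAM_ROOTS = {"program files", "progra~1", "arquivos de programas", "arquiv~1"}

# Core OS processes and the only directory they legitimately run from on XP.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def command_path(cmd: str) -> str:
    """Extract the executable path from a Run value (quoted or bare; arguments dropped)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def assess(path: str) -> List[str]:
    """Apply the three heuristics to one executable path; empty list means clean."""
    reasons: List[str] = []
    drive, rest = ntpath.splitdrive(path)
    parts = [p for p in rest.split("\\") if p]
    if not drive or not parts:
        return reasons  # bare filename such as RTHDCPL.EXE: nothing to judge here

    root = parts[0].lower()
    effective_root = root
    if root not in KNOWN_ROOTS:
        close = difflib.get_close_matches(root, KNOWN_ROOTS, n=1, cutoff=0.8)
        if close:
            effective_root = close[0]
            reasons.append(f"look-alike directory '{parts[0]}' (resembles '{close[0]}')")

    # Installers create a vendor subfolder; a binary directly in Program Files is unusual.
    if effective_root in PROGRAM_ROOTS and len(parts) == 2:
        reasons.append(f"executable directly under '{parts[0]}', no vendor subfolder")

    # A file named like a core OS process that does not live in system32.
    directory = ntpath.dirname(path).lower()
    if parts[-1].lower() in SYSTEM_BINARIES and directory != SYSTEM32:
        reasons.append(f"system process name '{parts[-1]}' outside {SYSTEM32}")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse every O4 Run line in a HijackThis log and return only the flagged entries."""
    flagged: List[Finding] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = command_path(m.group("cmd"))
        reasons = assess(path)
        if reasons:
            flagged.append(Finding(m.group("hive"), m.group("name") or "", path, reasons))
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, it flags exactly the three HKCU entries from the log and leaves the avast, RealPlayer, Google Update and Email Marketer entries alone. The checks are deliberately structural (where a file lives, what it is named) rather than signature based, which is why they still work after the malware is renamed; the same idea extends to the ComboFix listing further down, where `c:\windows\system32\imgrdir` shows up as a hidden directory created on 2011-01-25.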

:) Hello Hygor!

 

I suggest you save or print the instructions below, because at some points you may need to use the computer without internet access:

 

Download ComboFix

Save it to the Desktop.

* Disable the resident protection of your antivirus, antispyware and firewall (except the Windows one!)

* Close all windows and run the tool.

* PS: Running it from the command line is also possible:

* Go to Start --> Run --> Type or paste:

"%userprofile%\desktop\Combofix.exe" /killall

 

[screenshot: combofixejr8.gif]

 

* Click OK.

* At the prompt "Disclaimer of software warranty" --> Click Yes.

 

[screenshot: RcAuto1.gif]

 

* If you do not have the "Recovery Console", accept the offer to install it.

* When that finishes, click Sim or Yes. --> Wait.

 

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 

If you get the notification "Invalid Win32 application" or a similar message, delete the ComboFix.exe tool and download it again.

* Save it to the Desktop renamed as: Kombo.exe

* PS: Rename it while saving, not after it has been saved!

* PS: If an error message appears, run ComboFix.exe in "Safe Mode". <-- Link!

* PS: If rootkit activity is present, you will see the following notification window:

 

[screenshot: Rookit_found.gif]

 

* PS: Write down these detections and click OK. In that case, post the detections you noted in your next reply together with the requested logs.

* PS: To complete the removals, the tool may need to restart the computer. <-- Wait!

* PS: To avoid problems, follow all the recommendations given.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 

* The Auto Scan window will open. --> Wait!

* To finish the removals, ComboFix may restart the computer.

* If necessary, type option ( 1 ) --> Press Enter! --> Wait for it to finish!

* During the scan, avoid touching the mouse or keyboard! <-- Important!

* If, for some reason beyond your control, you need to stop or exit ComboFix, press "N" or "2" --> Press Enter.

<><><><><><><><><><><><>

 

Post the ComboFix log, which will be at C:\ComboFix.txt, together with a new HijackThis log in your next reply, and tell us how your PC is doing after that.

 

We'll be waiting.


combofix

ComboFix 11-02-22.01 - Administrador 22/02/2011 19:47:06.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.33.1046.18.1014.224 [GMT -3:00]

Launched from: c:\documents and settings\Administrador\Desktop\ComboFix.exe

AV: avast! Internet Security *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

ADS - system32: deleted 2 bytes in 1 streams.

ADS - drivers: deleted 300 bytes in 1 streams.

 

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\arquivos de programas\FileSystem

c:\arquivos de programas\Turkojan

c:\arquivos de programas\Turkojan\English.lng

c:\arquivos de programas\Turkojan\German.lng

c:\arquivos de programas\Turkojan\MESAJ.DAT

c:\arquivos de programas\Turkojan\Portuguese.lng

c:\arquivos de programas\Turkojan\readme.rtf

c:\arquivos de programas\Turkojan\Spanish.lng

c:\arquivos de programas\Turkojan\Turkce.lng

c:\arquivos de programas\Turkojan\turkojan.ini

c:\arquivos de programas\Turkojan\unins000.dat

c:\arquivos de programas\Turkojan\unins000.exe

c:\documents and settings\Administrador\Cookies.lnk

c:\documents and settings\Administrador\Dados de aplicativos\cacaoweb

c:\documents and settings\Administrador\Dados de aplicativos\cacaoweb\adstorage.db

c:\documents and settings\Administrador\Dados de aplicativos\cacaoweb\storage.db

c:\documents and settings\All Users\Menu Iniciar\Programas\Turkojan

c:\documents and settings\All Users\Menu Iniciar\Programas\Turkojan\Turkojan 4.0.lnk

c:\documents and settings\All Users\Menu Iniciar\Programas\Turkojan\Uninstall Turkojan 4.0.lnk

c:\documents and settings\All Users\Menu Iniciar\Programas\Turkojan\Web Site.url

C:\Thumbs.db

c:\windows\system32\MailBee.dll

D:\AUTORUN.INF

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_GBPSV

-------\Service_GbpSv

 

 

((((((((((((((((((((((((((((( Files created from 2011-01-22 to 2011-02-22 ))))))))))))))))))))))))))))))))))))

.

 

2011-02-22 22:58 . 2011-02-22 22:59 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\cacaoweb

2011-02-22 13:57 . 2011-02-22 14:00 -------- d-----w- C:\LinhaDefensiva

2011-02-10 21:50 . 2011-02-22 14:23 -------- d-----w- C:\Arquivo de programas

2011-02-09 12:22 . 2011-02-09 12:37 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\SendBlaster2

2011-02-09 12:05 . 2011-02-09 12:06 -------- d-----w- c:\arquivos de programas\SendBlaster

2011-02-08 16:11 . 2011-02-09 11:41 -------- d-----w- c:\arquivos de programas\Email Marketer Business Edition

2011-02-08 04:34 . 2011-02-08 04:34 -------- d-----w- c:\arquivos de programas\Elcomsoft Password Recovery

2011-02-08 04:34 . 2011-02-08 04:34 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Elcomsoft Password Recovery

2011-02-08 04:34 . 2011-02-08 04:34 -------- d-----w- c:\arquivos de programas\Elcomsoft

2011-02-07 16:28 . 2011-02-08 14:39 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!

2011-02-07 16:26 . 2011-02-07 16:26 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live

2011-02-01 17:25 . 2011-02-01 17:25 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Skype

2011-01-26 00:55 . 2011-01-26 00:55 -------- d-----w- c:\arquivos de programas\Havij 1.13 Free

2011-01-25 00:26 . 2011-01-25 18:00 -------- d-sh--w- c:\windows\system32\imgrdir

 

.

(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-08 13:37 . 2010-08-15 19:36 47008 ----a-w- c:\windows\system32\drivers\gbpkm.sys

2011-01-13 08:47 . 2010-11-23 12:42 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2010-11-23 12:42 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:42 . 2010-11-23 12:43 99792 ----a-w- c:\windows\system32\drivers\aswFW.sys

2011-01-13 08:41 . 2010-11-23 12:43 357968 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-01-13 08:41 . 2010-11-23 12:43 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:41 . 2010-11-23 12:42 189904 ----a-w- c:\windows\system32\drivers\aswNdis2.sys

2011-01-13 08:40 . 2010-11-23 12:42 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2010-11-23 12:42 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2010-11-23 12:42 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2010-11-23 12:42 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2010-11-23 12:42 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2010-11-23 12:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

.

 

((((((((((((((((((((((((((((((((( Registry load points ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legitimate default entries are not listed

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-01-13 08:47 120712 ----a-w- c:\arquivos de programas\Alwil Software\Avast5\ashShell.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2010-04-21 136176]

"cacaoweb"="c:\arquivos de programas\cacaoweb\cacaoweb.exe" [2011-02-16 356080]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]

"SynTPEnh"="c:\arquivos de programas\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]

"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2010-04-28 202256]

"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2009-05-26 413696]

"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]

"ACU"="c:\arquivos de programas\Atheros WLAN Client\ACU.exe" [2009-05-12 479320]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"avast5"="c:\arquiv~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]

"Email Marketer Monitor"="c:\arquivos de programas\Email Marketer Business Edition\Monitor.exe" [2009-11-19 209920]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

McAfee Security Scan Plus.lnk - c:\arquivos de programas\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2011-02-08 13:34 354592 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutorunRemover.exe]

2009-10-22 01:08 1360896 ----a-w- c:\arquivos de programas\AutorunRemover\AutorunRemover.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2009-02-18 06:28 166424 ----a-w- c:\windows\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2009-02-18 06:28 141848 ----a-w- c:\windows\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msb382]

2010-12-30 16:27 12652544 ----a-w- c:\windows\system32\msmb\msb382.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2002-04-11 10:36 1458448 ----a-w- c:\arquivos de programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2009-02-18 06:28 137752 ----a-w- c:\windows\system32\igfxpers.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Arquivos de programas\\CyberScript32\\CyberScript.exe"=

"c:\\Documents and Settings\\Administrador\\Configurações locais\\Dados de aplicativos\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Arquivos de programas\\cacaoweb\\cacaoweb.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9104:TCP"= 9104:TCP:gaxstls

"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot

"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot

"53:UDP"= 53:UDP:Realtek AP UDP Prot

 

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [23/11/2010 09:42 12112]

R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [23/11/2010 09:42 189904]

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [15/8/2010 16:36 47008]

R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [23/11/2010 09:43 99792]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [23/11/2010 09:43 357968]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [23/11/2010 09:43 294608]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [23/11/2010 09:43 17744]

R3 VMC33F;Vimicro Camera Service VMC33F;c:\windows\system32\drivers\VMC33F.sys [21/4/2010 20:44 237952]

S2 avast! Firewall;avast! Firewall;c:\arquivos de programas\Alwil Software\Avast5\afwServ.exe [23/11/2010 09:42 119200]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [21/4/2010 20:51 1684736]

S3 EWSASERV;EWSA Control Service;c:\arquivos de programas\Elcomsoft Password Recovery\Elcomsoft Wireless Security Auditor\ewsaserv.exe [18/1/2011 15:28 73520]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\arquivos de programas\McAfee Security Scan\2.0.181\McCHSvc.exe [15/1/2010 09:49 227232]

.

Contents of the 'Scheduled Tasks' folder

 

2011-02-22 c:\windows\Tasks\PandaUSBVaccine.job

- c:\arquivos de programas\Panda USB Vaccine\RunInteractiveWin.exe [2010-11-23 18:45]

 

2011-02-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job

- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]

 

2011-02-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1078081533-1580436667-527237240-500.job

- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]

 

2011-02-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job

- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]

 

2011-02-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1078081533-1580436667-527237240-500.job

- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]

.

.

------- Additional scan -------

.

uStart Page = hxxp://www.turkojan.com/

mStart Page = hxxp://google.com/

Trusted Zone: com.br\www.bb

Trusted Zone: com.br\www14.bancobrasil

Trusted Zone: com.br\www2.bancobrasil

Trusted Zone: malwareremoval.com\images

FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\00s79cg2.default\

FF - prefs.js: network.proxy.ftp - 109.235.49.111

FF - prefs.js: network.proxy.ftp_port - 80

FF - prefs.js: network.proxy.gopher - 109.235.49.111

FF - prefs.js: network.proxy.gopher_port - 80

FF - prefs.js: network.proxy.http - 109.235.49.111

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.socks - 109.235.49.111

FF - prefs.js: network.proxy.socks_port - 80

FF - prefs.js: network.proxy.ssl - 109.235.49.111

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 1

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\arquivos de programas\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\arquivos de programas\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: Java Quick Starter: jqs@sun.com - c:\arquivos de programas\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Módulo de Segurança - Banco do Brasil: {87F8774F-B485-47E2-A755-A40A8A5E886C} - %profile%\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}

FF - Ext: digitalchocolate Toolbar: {60c4696a-e4eb-4d2d-9060-38928dd0b6a2} - %profile%\extensions\{60c4696a-e4eb-4d2d-9060-38928dd0b6a2}

FF - Ext: cacaoweb: cacaoweb@cacaoweb.org - %profile%\extensions\cacaoweb@cacaoweb.org

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-ares - c:\arquivos de programas\Ares\Ares.exe

HKCU-Run-services - c:\windows\system32\imgrdir\services.exe

MSConfigStartUp-jcriel - c:\documents and settings\Administrador\jcriel.exe

MSConfigStartUp-loemuur - c:\documents and settings\Administrador\loemuur.exe

MSConfigStartUp-Msnsock - c:\arquivo de programas\msnmnns.exe

AddRemove-HijackThis - c:\documents and settings\Administrador\Desktop\HijackThis\HijackThis.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-22 19:59

Windows 5.1.2600 Service Pack 3 NTFS

 

Scanning for hidden processes ...

 

Scanning for hidden autostart entries ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

cacaoweb = "c:\arquivos de programas\cacaoweb\cacaoweb.exe" -noplayer?abled:cacaoweb?as??????????O???????????????O???O???????????O?\?O??>G??????>G?????????????( ??????Service Pack 3?????????????????????????????????????????????????????????????

 

Scanning for hidden files ...

 

Scan completed successfully

Hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\spupdsvc]

"ImagePath"="c:\windows\system32\spupdsvc.exe"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\spupdsvc]

"ImagePath"="c:\windows\system32\spupdsvc.exe"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs loaded in running processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1212)

c:\arquivos de programas\GbPlugin\gbieh.dll

 

- - - - - - - > 'explorer.exe'(2544)

c:\arquivos de programas\GbPlugin\gbieh.dll

.

------------------------ Other running processes ------------------------

.

c:\arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

c:\arquivos de programas\Panda USB Vaccine\USBVaccine.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\RTHDCPL.EXE

c:\arquivos de programas\Arquivos comuns\Java\Java Update\jucheck.exe

c:\windows\SoftwareDistribution\Download\230e9ebaea1c9dd1bccd89bc9daa1b59\update\update.exe

.

**************************************************************************

.

End time: 2011-02-22 20:07:32 - The machine was restarted

ComboFix-quarantined-files.txt 2011-02-22 23:07

 

Before-CF: 1 881 550 848 bytes available

After-CF: 11 folder(s) 25 382 494 208 bytes available

 

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe

[boot Loader]

timeout=2

Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[Operating Systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

- - End Of File - - 17B6CF848A5A5009ED7D05647E9BBBEC

 

hijackthis

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 20:11:41, on 22/02/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Panda USB Vaccine\USBVaccine.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe

C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe

C:\Arquivos de programas\Email Marketer Business Edition\Monitor.exe

C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe

C:\Arquivos de programas\cacaoweb\cacaoweb.exe

C:\Arquivos de programas\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jucheck.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\Documents and Settings\Administrador\Meus documentos\Downloads\HiJackThis.exe

C:\WINDOWS\SoftwareDistribution\Download\de546db5c7c7cd0e3cfc26112ac520d5\update\update.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.turkojan.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Arquivos de programas\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [ACU] "C:\Arquivos de programas\Atheros WLAN Client\ACU.exe" -nogui

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKLM\..\Run: C:\Arquivos de programas\Email Marketer Business Edition\Monitor.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [cacaoweb] "C:\Arquivos de programas\cacaoweb\cacaoweb.exe" -noplayer

O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.google.com

O15 - Trusted Zone: www.bb.com.br

O15 - Trusted Zone: www14.bancobrasil.com.br

O15 - Trusted Zone: www2.bancobrasil.com.br

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - ://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287545458531

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - ://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Firewall - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\afwServ.exe

 

--

End of file - 7538 bytes

 

still very slow =/

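As an added example (not code from this thread, from HijackThis, or from the forum's tools), the script below reads entries of the kind shown in the log above and flags the ones a helper would look at first: a browser start page pointing at a domain that is not a known default (the turkojan.com entry), a Run entry with no value name or launching from a user-profile or temp directory, sites placed in the IE Trusted Zone, and O16 ActiveX cabs from unexpected hosts. The allowlists, the directory prefixes and the constructed `Updater` sample line are assumptions made for the example; the output is a review list, not a verdict.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread, not part of HijackThis or the forum's tools.
It parses R0/R1, O4, O15 and O16 entries and reports those that deserve a
first look. The allowlists and directory prefixes are assumptions.
"""
import re

# Hosts accepted as a browser start/search page (assumption for the example).
BENIGN_PAGE_HOSTS = {
    "google.com", "www.google.com", "go.microsoft.com",
    "home.microsoft.com", "www.msn.com",
}
# Hosts from which O16 ActiveX cabs are expected on a Windows XP machine (assumption).
BENIGN_DPF_HOSTS = {"update.microsoft.com", "messenger.zone.msn.com"}
# Directory fragments a Run entry should not normally launch from (assumption).
USER_OR_TEMP_DIRS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")
# Directory prefixes considered normal for installed software (assumption; pt-BR and en-US names).
STANDARD_DIRS = ("c:\\arquivos de programas\\", "c:\\arquiv~1\\",
                 "c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# HijackThis output sometimes shows URLs with the scheme stripped ("://host/..."),
# so the scheme is optional here.
URL_RE = re.compile(r"(?:https?:)?//(?P<host>[^/\s?]+)", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
EXE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|scr|bat|cmd)))', re.I)


def exe_path(cmd):
    """Return the executable path from a Run command line, dropping its arguments."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("quoted") or m.group("bare")


def triage(log_text):
    """Return a list of (section, reason, line) tuples for entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1"):
            m = URL_RE.search(line)
            host = m.group("host").lower() if m else ""
            if host and host not in BENIGN_PAGE_HOSTS:
                findings.append((section, f"browser start/search page set to {host}", line))
        elif section == "O4":
            m = O4_RE.match(line)
            if not m:  # Global Startup and other O4 variants are skipped
                continue
            if m.group("name") is None:
                findings.append((section, "Run entry without a value name", line))
            path = exe_path(m.group("cmd")).lower()
            if any(d in path for d in USER_OR_TEMP_DIRS):
                findings.append((section, "Run entry launches from a user-profile or temp directory", line))
            elif re.match(r"^[a-z]:\\", path) and not path.startswith(STANDARD_DIRS):
                findings.append((section, "Run entry launches from a non-standard directory", line))
        elif section == "O15":
            findings.append((section, "site placed in the IE Trusted Zone (lowered security settings)", line))
        elif section == "O16":
            m = URL_RE.search(line)
            host = m.group("host").lower() if m else ""
            if host and host not in BENIGN_DPF_HOSTS:
                findings.append((section, f"ActiveX cab downloaded from unexpected host {host}", line))
    return findings


# Constructed sample: lines taken from the log above plus one made-up "Updater" entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.turkojan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: C:\Arquivos de programas\Email Marketer Business Edition\Monitor.exe
O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\user\Local Settings\Temp\updater.exe" -silent
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O15 - Trusted Zone: www.bb.com.br
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - ://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287545458531
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample it reports four items: the turkojan.com start page, the nameless Monitor.exe Run entry, the constructed Updater entry in the Temp directory, and the Trusted Zone site. Real logs are longer, so a reviewer would extend the allowlists with what is normal for the machine rather than treat every hit as malicious.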

:) Several problems were removed by Combofix.

_______________________

 

Please follow the tips in this tutorial to clean your PC with Malwarebytes:

 

Malwarebytes Anti-Malware Tutorial

 

In your next reply, post this Malwarebytes log together with a new HijackThis log and tell us how your PC is after this procedure.

 

We'll be waiting.


PROBLEM SOLVED

 

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
