Slow PC (strange processes)

Posted by rodrigoaliste

My PC has been a mess lately... I had to format it, and after I installed XP I installed NOD32, which detected some viruses ("virut.av", "trojan agbot"), but it froze the whole PC, so I deleted it, done. Then it crashed again and corrupted hal.dll at boot! I formatted again and it's still slow and full of viruses (the process list is full of strange stuff that appears, then disappears and comes back)... I'm trying to delete them, but the pests seem to come back! I hope someone can help. Here's the HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 18:21:09, on 19/5/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

C:\Documents and Settings\Claudia\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\syom.exe

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [iSTray] "C:\Arquivos de programas\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\RunServices: [Windows Microsoft Services] wxaoktnv.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Update] apps.exe

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe

O4 - HKLM\..\RunOnce: [Microsoft Windows Update] apps.exe

O4 - HKCU\..\RunOnce: [Microsoft Windows Update] apps.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: Advance Service Process - Unknown owner - C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

O23 - Service: syom - Unknown owner - C:\WINDOWS\syom.exe


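The log above is what the helper reads to decide the next step. As an added example (it is not part of this thread, and not HijackThis or Linha Defensiva code), here is a small triage script that applies the same heuristics a helper applies by eye to the O4, F2 and O23 lines: an autorun value that is a bare filename with no path, an entry under the Windows 9x-era RunServices key, a value name that claims to be Windows Update but does not launch wuauclt.exe, a Shell= line that loads anything besides Explorer.exe, a service whose binary carries no publisher ("Unknown owner"), and any binary executing out of the dllcache directory. The rule names, the fixture (lines copied from the log above) and the function names are the example's own.

```python
import re
from collections import defaultdict

# Fixture constructed from lines of the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllcache\shvhost.exe
C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\syom.exe
O4 - HKLM\..\Run: [iSTray] "C:\Arquivos de programas\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunServices: [Windows Microsoft Services] wxaoktnv.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] apps.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Advance Service Process - Unknown owner - C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\shvhost.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<shell>.+)$')


def basename(cmd):
    """Executable name (lower-cased) from a quoted or unquoted command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split()[0] if cmd else ''
    return exe.replace('/', '\\').split('\\')[-1].lower()


def rules_for(line):
    """Names of the heuristics (this example's own) that one log line trips."""
    hits = []
    # 1. Nothing legitimate executes out of the Windows File Protection cache.
    if '\\dllcache\\' in line.lower():
        hits.append('runs-from-dllcache')
    m = O4_RE.match(line)
    if m:
        cmd, name, key = m['cmd'], m['name'].lower(), m['key'].lower()
        # 2. A bare filename is resolved through the search path: no install directory.
        if '\\' not in cmd and ':' not in cmd:
            hits.append('bare-filename')
        # 3. RunServices is a Windows 9x-era key; XP-era software has no reason to write it.
        if key.startswith('runservices'):
            hits.append('legacy-runservices')
        # 4. The value name says Windows Update but the command is not wuauclt.exe.
        if ('windows update' in name or 'windowsupdate' in name) and basename(cmd) != 'wuauclt.exe':
            hits.append('impersonates-windows-update')
    m = F2_RE.match(line)
    if m:
        # 5. Shell= should be exactly Explorer.exe; anything appended is a second loader.
        parts = m['shell'].split()
        if len(parts) != 1 or parts[0].lower() != 'explorer.exe':
            hits.append('extra-shell-loader')
    m = O23_RE.match(line)
    if m and m['owner'].lower() == 'unknown owner':
        # 6. Service binary carries no publisher information.
        hits.append('service-unknown-owner')
    return hits


def triage(log_text):
    """Return [(rule, line)] for every line that trips at least one heuristic."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        for rule in rules_for(line):
            findings.append((rule, line))
    return findings


def by_line(log_text):
    """Group the findings as {line: set(rules)}."""
    grouped = defaultdict(set)
    for rule, line in triage(log_text):
        grouped[line].add(rule)
    return dict(grouped)


if __name__ == '__main__':
    for line, rules in by_line(SAMPLE_LOG).items():
        print(', '.join(sorted(rules)).ljust(62), line)
```

Run against the fixture it flags exactly the lines the helper later removed (syom.exe, wxaoktnv.exe, apps.exe, MSASP32.exe, shvhost.exe) and nothing from Spyware Doctor or the stock ctfmon.exe/svchost.exe entries. The rules are heuristics, not verdicts: a bare filename or a missing publisher is a reason to look at the file, not proof on its own.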
Download SDFix:

http://linhadefensiva.uol.com.br/dl/sdfix

Save it to your desktop. Double-click SDFix.exe and the tool will be installed to %SystemDrive%\SDFix (usually C:\SDFix)

Reboot into Safe Mode (tap F8 repeatedly during startup and, in the menu that appears, use the arrow keys to choose Safe Mode).

  1. Open the SDFix folder that was installed on your computer and double-click the file RunThis.bat
  2. Press Y so the tool starts the removal process
  3. When everything is finished you will see a message telling you to press any key to continue. When you press a key the computer will restart automatically
  4. After the restart the tool will run once more to finish its work, and the word Finished will appear. Press any key.
  5. A window with the SDFix report will appear.
  6. Copy and paste this report into your reply. If you closed the window, a copy of the report is in the SDFix folder under the name Report.txt


Thanks for the help!! Here's the report that appeared in the program's folder:

SDFix: Version 1.184

Run by Claudia on ter 20/05/2008 at 15:26

Microsoft Windows XP [versão 5.1.2600]

Running From: C:\SDFix

Checking Services :

Name :

syom

Path :

syom - Deleted

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\Arquivos de programas\Arquivos comuns\Carlson\carlton - Deleted

C:\WINDOWS\syom.exe - Deleted

C:\WINDOWS\system32\WindowsUpdate.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-20 15:35:33

Windows 5.1.2600 NTFS

detected NTDLL code modification:

ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]

"h0"=dword:00000000

"hdf12"=hex:9c,0b,a9,c4,6e,e1,18,0b,51,c1,da,e2,27,14,0b,ad,cb,c1,1e,5d,86,..

"p0"="C:\Arquivos de programas\DAEMON Tools Pro\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]

"a0"=hex:20,01,00,00,b5,98,7d,68,b8,15,2b,6d,7d,5f,16,7b,93,a7,db,9f,4b,..

"hdf12"=hex:fd,8a,c1,ed,94,f6,34,62,1a,d9,dc,b2,40,40,26,77,59,01,a0,41,42,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]

"hdf12"=hex:c1,da,d4,f9,79,31,1b,7e,de,2b,34,7d,27,a3,f1,c6,2f,86,33,3e,d8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]

"h0"=dword:00000000

"hdf12"=hex:9c,0b,a9,c4,6e,e1,18,0b,51,c1,da,e2,27,14,0b,ad,cb,c1,1e,5d,86,..

"p0"="C:\Arquivos de programas\DAEMON Tools Pro\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]

"a0"=hex:20,01,00,00,b5,98,7d,68,b8,15,2b,6d,7d,5f,16,7b,93,a7,db,9f,4b,..

"hdf12"=hex:fd,8a,c1,ed,94,f6,34,62,1a,d9,dc,b2,40,40,26,77,59,01,a0,41,42,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]

"hdf12"=hex:c1,da,d4,f9,79,31,1b,7e,de,2b,34,7d,27,a3,f1,c6,2f,86,33,3e,d8,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Arquivos de programas\\Arquivos comuns\\System\\MSASP32.exe"="C:\\Arquivos de programas\\Arquivos comuns\\System\\MSASP32.exe:*:Enabled:Microsoft ASP"

"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

"C:\\WINDOWS\\System32\\windowsupdate.exe"="C:\\WINDOWS\\System32\\windowsupdate.exe:*:Enabled:windowsupdate"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 3 Mar 2008 572 A..H. --- "C:\WINDOWS\nod32fixtemdono.reg"

Mon 3 Mar 2008 5,702 A..H. --- "C:\WINDOWS\nod32restoretemdono.reg"

Sun 28 Oct 2001 67,584 ..SHR --- "C:\WINDOWS\system32\wxaoktnv.exe"

Sun 18 May 2008 62,168 ..SHR --- "C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe"

Finished!


Please post a new HijackThis log.


OK, here's the log.

Note: now a file called shvhost.exe has started appearing in the process list, really weird

Logfile of HijackThis v1.99.1

Scan saved at 18:58:18, on 20/5/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\dllcache\shvhost.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Hamachi\hamachi.exe

C:\WINDOWS\System32\msiexec.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\windowsupdate.exe

C:\Documents and Settings\Claudia\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe

O4 - HKLM\..\RunServices: [Windows Microsoft Services] wxaoktnv.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Update] apps.exe

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe

O4 - HKLM\..\RunOnce: [Microsoft Windows Update] apps.exe

O4 - HKCU\..\RunOnce: [Microsoft Windows Update] apps.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Advance Service Process - Unknown owner - C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

O23 - Service: Microsoft Windows Update (ffor.mylifez.net) - Unknown owner - C:\WINDOWS\System32\apps.exe" -netsvcs (file missing)

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\shvhost.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe


Download ComboFix

It is important that you save it to your desktop

  • Close all windows and programs.
  • Double-click combofix.exe, type 1 and press Enter.
  • It takes a while, please be patient.
  • When the tool finishes running it will generate a log. Post the file C:\ComboFix.txt.
  • Also make a new HijackThis log to include in your reply.

Warning: do not click the mouse while the tool is running; that can make the PC freeze.


OK, the ComboFix log didn't take long. The first time the PC restarted on its own, but the second time it worked! Here it is

ComboFix 08-05-20.5 - Claudia 2008-05-21 17:06:00.1 - NTFSx86

Running from: C:\Documents and Settings\Claudia\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((( Files created from 2008-04-21 to 2008-05-21 ))))))))))))))))))))))))))))))))

.

2008-05-20 22:48 . 2001-08-17 22:00 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2008-05-20 22:48 . 2008-05-20 22:50 1,324 --a------ C:\WINDOWS\system32\LexFiles.usr

2008-05-20 22:48 . 2008-05-20 22:48 507 --a------ C:\WINDOWS\LMABB2DD.ini

2008-05-20 22:47 . 2008-05-20 22:47 <DIR> d-------- C:\Arquivos de programas\Lexmark_HostCD

2008-05-20 22:47 . 2008-05-20 22:47 <DIR> d-------- C:\Arquivos de programas\Lexmark

2008-05-20 20:53 . 2001-08-17 21:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS

2008-05-20 19:13 . 2002-12-12 00:14 284,160 --a------ C:\WINDOWS\system32\SET2D.tmp

2008-05-20 19:13 . 2002-12-12 00:14 24,064 --a------ C:\WINDOWS\system32\SET30.tmp

2008-05-20 18:56 . 2008-05-20 19:02 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

2008-05-20 18:54 . 2008-05-20 21:07 1,956 --a------ C:\WINDOWS\system32\d3d8caps.dat

2008-05-20 18:34 . 2008-05-20 18:34 <DIR> d-------- C:\Arquivos de programas\Microsoft Games

2008-05-20 17:46 . 2008-05-20 21:33 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\Hamachi

2008-05-20 17:44 . 2008-05-20 17:46 <DIR> d-------- C:\Arquivos de programas\Hamachi

2008-05-20 17:44 . 2008-05-20 17:44 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys

2008-05-20 15:58 . 2008-05-20 15:58 910,336 -r-hsc--- C:\WINDOWS\system32\dllcache\shvhost.exe

2008-05-20 13:14 . 2008-05-20 13:15 <DIR> d-------- C:\WINDOWS\ERUNT

2008-05-20 13:09 . 2008-05-20 15:50 <DIR> d-------- C:\SDFix

2008-05-19 21:44 . 2008-05-19 21:44 122 --a------ C:\WINDOWS\WA.INI

2008-05-19 19:32 . 2008-05-19 19:32 <DIR> d---s---- C:\Documents and Settings\Claudia\UserData

2008-05-19 18:43 . 2004-08-04 09:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll

2008-05-19 18:36 . 2008-05-19 18:36 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\MSN6

2008-05-19 18:36 . 2008-05-19 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\MSN6

2008-05-19 18:11 . 2008-05-19 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files

2008-05-18 22:47 . 2008-05-18 22:48 1,601,711 --a------ C:\WINDOWS\WANEUninstaller.exe

2008-05-18 22:41 . 2008-05-18 22:41 <DIR> d-------- C:\Games

2008-05-18 22:35 . 2008-05-18 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\DAEMON Tools Pro

2008-05-18 22:30 . 2008-05-18 22:31 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\DAEMON Tools Pro

2008-05-18 22:30 . 2008-05-18 22:40 <DIR> d-------- C:\Arquivos de programas\DAEMON Tools Pro

2008-05-18 22:17 . 2008-05-20 16:35 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\BSplayer Pro

2008-05-18 22:17 . 2008-05-20 16:35 <DIR> d-------- C:\Arquivos de programas\Webteh

2008-05-18 22:14 . 2008-05-18 22:14 379 --a------ C:\WINDOWS\ODBC.INI

2008-05-18 22:13 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll

2008-05-18 22:11 . 2008-05-18 22:11 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\L&H

2008-05-18 22:10 . 2008-05-18 22:10 <DIR> d-------- C:\Arquivos de programas\Microsoft.NET

2008-05-18 22:10 . 2008-05-18 22:10 <DIR> d-------- C:\Arquivos de programas\Microsoft ActiveSync

2008-05-18 22:07 . 2008-05-18 22:07 <DIR> d-------- C:\Arquivos de programas\Microsoft Works

2008-05-18 22:06 . 2008-05-18 22:10 <DIR> d-------- C:\WINDOWS\SHELLNEW

2008-05-18 22:00 . 2008-05-18 22:00 <DIR> dr-h----- C:\MSOCache

2008-05-18 21:54 . 2008-05-18 21:54 <DIR> d-------- C:\IUware Online

2008-05-18 21:26 . 2008-05-18 21:26 474,844 --a------ C:\WINDOWS\system32\apps.exe

2008-05-18 21:24 . 2008-05-20 18:19 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-05-18 21:23 . 2008-05-18 21:23 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\PC Tools

2008-05-18 21:23 . 2008-05-18 21:32 <DIR> d-------- C:\Arquivos de programas\Spyware Doctor

2008-05-18 21:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-05-18 21:23 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-05-18 21:23 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-05-18 21:23 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-05-18 20:31 . 2008-05-18 20:39 <DIR> d-------- C:\Arquivos de programas\LimeWire

2008-05-18 20:20 . 2008-05-18 20:20 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-05-18 20:06 . 2008-05-18 20:07 <DIR> d-------- C:\Arquivos de programas\Guitar Pro 5

2008-05-18 20:03 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg

2008-05-18 20:03 . 2008-03-03 18:21 572 --ah----- C:\WINDOWS\nod32fixtemdono.reg

2008-05-18 19:59 . 2008-05-18 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\ESET

2008-05-18 19:59 . 2008-05-18 19:59 <DIR> d-------- C:\Arquivos de programas\ESET

2008-05-18 19:30 . 2008-05-18 19:30 <DIR> d-------- C:\WINDOWS\WinRAR

2008-05-18 19:20 . 2008-05-18 19:20 62,168 --a------ C:\WINDOWS\system32\qz.exe

2008-05-18 19:19 . 2008-05-20 21:00 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\uTorrent

2008-05-18 19:19 . 2008-05-18 19:19 <DIR> d-------- C:\Arquivos de programas\uTorrent

2008-05-18 19:18 . 2008-05-18 19:18 62,168 --a------ C:\WINDOWS\system32\ux.exe

2008-05-18 19:18 . 2008-05-18 19:18 58,804 --a------ C:\WINDOWS\system32\zp.exe

2008-05-18 19:11 . 2008-05-20 22:24 <DIR> d--hs---- C:\WINDOWS\Installer

2008-05-18 19:11 . 2008-05-18 18:53 <DIR> d--h----- C:\Documents and Settings\Claudia\Modelos

2008-05-18 19:11 . 2008-05-20 22:50 <DIR> dr------- C:\Documents and Settings\Claudia\Meus documentos

2008-05-18 19:11 . 2008-05-18 19:19 <DIR> dr------- C:\Documents and Settings\Claudia\Menu Iniciar

2008-05-18 19:11 . 2008-05-19 18:34 <DIR> dr------- C:\Documents and Settings\Claudia\Favoritos

2008-05-18 19:11 . 2008-05-20 17:46 <DIR> d--h----- C:\Documents and Settings\Claudia\Dados de aplicativos

2008-05-18 19:11 . 2008-05-21 17:07 <DIR> d--h----- C:\Documents and Settings\Claudia\Configurações locais

2008-05-18 19:11 . 2008-05-18 18:43 <DIR> d--h----- C:\Documents and Settings\Claudia\Ambiente de rede

2008-05-18 19:11 . 2008-05-18 18:43 <DIR> d--h----- C:\Documents and Settings\Claudia\Ambiente de impressão

2008-05-18 19:11 . 2008-05-19 19:32 <DIR> d-------- C:\Documents and Settings\Claudia

2008-05-18 19:08 . 2008-05-18 19:08 <DIR> d-------- C:\Documents and Settings\NetworkService\Dados de aplicativos

2008-05-18 19:08 . 2008-05-21 17:07 <DIR> d--h----- C:\Documents and Settings\NetworkService\Configurações locais

2008-05-18 19:08 . 2008-05-18 19:08 <DIR> d--hs---- C:\Documents and Settings\NetworkService

2008-05-18 19:08 . 2008-05-18 19:08 <DIR> d-------- C:\Documents and Settings\LocalService\Dados de aplicativos

2008-05-18 19:08 . 2008-05-21 17:07 <DIR> d--h----- C:\Documents and Settings\LocalService\Configurações locais

2008-05-18 19:08 . 2008-05-18 19:08 <DIR> d--hs---- C:\Documents and Settings\LocalService

2008-05-18 19:08 . 2008-05-18 19:08 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

2008-05-18 19:06 . 2008-05-18 18:53 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Modelos

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Meus documentos

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> dr------- C:\WINDOWS\system32\config\systemprofile\Menu Iniciar

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Favoritos

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Dados de aplicativos

2008-05-18 19:06 . 2008-05-21 17:07 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Ambiente de rede

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Ambiente de impressão

2008-05-18 19:05 . 2001-10-28 15:06 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex

2008-05-18 19:04 . 2001-10-28 15:06 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll

2008-05-18 19:03 . 2001-10-28 15:06 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll

2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\WINDOWS\system32\xircom

2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\Arquivos de programas\microsoft frontpage

2008-05-18 19:01 . 2008-05-18 19:01 2,969 --a------ C:\WINDOWS\system32\CONFIG.NT

2008-05-18 19:01 . 2008-05-18 19:01 0 --a------ C:\WINDOWS\control.ini

2008-05-18 19:00 . 2008-05-18 19:00 299,552 --a------ C:\WINDOWS\WMSysPrx.prx

2008-05-18 19:00 . 2008-05-18 19:11 25,065 --a------ C:\WINDOWS\system32\wmpscheme.xml

2008-05-18 19:00 . 2008-05-18 19:00 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb

2008-05-18 19:00 . 2008-05-18 19:00 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-20 16:05 50,176 ----a-w C:\WINDOWS\system32\ftp.exe

2008-05-20 16:05 24,576 ----a-w C:\WINDOWS\system32\tftp.exe

2008-05-19 01:56 133,632 ----a-w C:\WINDOWS\system32\sfc_os.dll

2008-05-19 00:05 67,072 ----a-w C:\WINDOWS\NOTEPAD.EXE

2008-05-18 23:26 387,584 ----a-w C:\WINDOWS\system32\cmd.exe

2008-05-18 23:14 183,296 ----a-w C:\WINDOWS\system32\accwiz.exe

2008-05-18 23:14 1,154,048 ----a-w C:\WINDOWS\system32\ntbackup.exe

2008-05-18 23:02 504,832 ----a-w C:\WINDOWS\system32\logonui.exe

2008-05-18 23:02 31,744 ----a-w C:\WINDOWS\system32\rundll32.exe

2008-05-18 23:02 219,648 ----a-w C:\WINDOWS\system32\logon.scr

2008-05-18 23:02 21,504 ----a-w C:\WINDOWS\system32\userinit.exe

2008-05-18 23:02 146,944 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe

2008-05-18 23:02 134,144 ----a-w C:\WINDOWS\system32\taskmgr.exe

2008-05-18 23:01 67,072 ----a-w C:\WINDOWS\system32\notepad.exe

2008-05-18 23:01 534,528 ----a-w C:\WINDOWS\system32\spider.exe

2008-05-18 23:01 387,584 ----a-w C:\WINDOWS\system32\mstsc.exe

2008-05-18 23:01 346,624 ----a-w C:\WINDOWS\system32\tourstart.exe

2008-05-18 23:01 128,000 ----a-w C:\WINDOWS\system32\mshearts.exe

2008-05-18 21:57 --------- d-----w C:\Arquivos de programas\Serviços on-line

2008-05-18 21:56 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Serviços

2001-10-28 18:06 950,784 --sh--r C:\WINDOWS\system32\windowsupdate.exe

2001-10-28 18:06 67,584 --sh--r C:\WINDOWS\system32\wxaoktnv.exe

.

------- Sigcheck -------

2001-10-28 15:06 1010176 ffafc18920f513d37b875b1ab846b332 C:\WINDOWS\explorer.exe

2001-10-28 15:06 1010176 8e3c79dd881a6203c789099b65c6a073 C:\WINDOWS\system32\dllcache\explorer.exe

2001-10-28 15:06 20480 e1cb08c5d591ccd1c9d358c726deca7a C:\WINDOWS\system32\ctfmon.exe

2001-10-28 15:06 20480 a8469736b1de1098166c7aa839c0bcc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

.

(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* empty entries & legitimate default entries are not shown.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-28 15:06 20480]

"Microsoft Windows Update"="apps.exe" [2008-05-18 21:26 474844 C:\WINDOWS\system32\apps.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Microsoft Windows Update"="apps.exe" [2008-05-18 21:26 474844 C:\WINDOWS\system32\apps.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Microsoft Windows Update"="apps.exe" [2008-05-18 21:26 474844 C:\WINDOWS\system32\apps.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"Windows Microsoft Services"="wxaoktnv.exe" [2001-10-28 15:06 67584 C:\WINDOWS\system32\wxaoktnv.exe]

"Microsoft Windows Update"="apps.exe" [2008-05-18 21:26 474844 C:\WINDOWS\system32\apps.exe]

"windowsupdate"="C:\WINDOWS\System32\windowsupdate.exe" [2001-10-28 15:06 950784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-28 15:06 20480]

"Windows Microsoft Services"="wxaoktnv.exe" [2001-10-28 15:06 67584 C:\WINDOWS\system32\wxaoktnv.exe]

"Microsoft Windows Update"="apps.exe" [2008-05-18 21:26 474844 C:\WINDOWS\system32\apps.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Microsoft Windows Update"="apps.exe" [2008-05-18 21:26 474844 C:\WINDOWS\system32\apps.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2001-10-28 15:06 20480 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]

--a------ 2007-09-06 10:08 136136 C:\Arquivos de programas\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-02-01 12:55 1103240 C:\Arquivos de programas\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Update]

--a------ 2008-05-18 21:26 474844 C:\WINDOWS\system32\apps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2001-08-02 07:14 1085469 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Microsoft Services]

-r-hs---- 2001-10-28 15:06 67584 C:\WINDOWS\system32\wxaoktnv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windowsupdate]

-r-hs---- 2001-10-28 15:06 950784 C:\WINDOWS\System32\windowsupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Arquivos de programas\\Arquivos comuns\\System\\MSASP32.exe"=

"C:\\WINDOWS\\System32\\windowsupdate.exe"=

R2 Advance Service Process;Advance Service Process;"C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe" [2008-05-18 21:24]

R2 Microsoft Agent;Microsoft Agent;"C:\WINDOWS\System32\dllcache\shvhost.exe" [2008-05-20 15:58]

R4 ffor.mylifez.net;Microsoft Windows Update;"C:\WINDOWS\System32\apps.exe" -netsvcs []

S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\System32\regedt32.exe [2001-10-28 15:07]

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-21 17:08:47

Windows 5.1.2600 NTFS

detected NTDLL code modification:

ZwOpenFile

Scanning for hidden processes ...

Scanning for hidden autostart entries ...

Scanning for hidden files ...

Scan completed successfully

Hidden files: 0

**************************************************************************

.

Completion time: 2008-05-21 17:11:42

ComboFix-quarantined-files.txt 2008-05-21 20:11:33

Pre-Run: 9,998,086,144 bytes free

Post-Run: 10,081,107,968 bytes free

205

And the HijackThis log is here:

Logfile of HijackThis v1.99.1

Scan saved at 17:27:29, on 21/5/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\dllcache\shvhost.exe

C:\WINDOWS\System32\apps.exe

C:\WINDOWS\System32\windowsupdate.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Claudia\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\RunServices: [Windows Microsoft Services] wxaoktnv.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Update] apps.exe

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINDOWS\System32\windowsupdate.exe

O4 - HKLM\..\RunOnce: [Microsoft Windows Update] apps.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Microsoft Windows Update] apps.exe

O4 - HKCU\..\RunOnce: [Microsoft Windows Update] apps.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: Advance Service Process - Unknown owner - C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\System32\LMabcoms.exe

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\shvhost.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

=D


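Two parts of the ComboFix log above carry the strongest evidence that this is a file infector and not just a set of dropped executables. In the Sigcheck section, explorer.exe and ctfmon.exe have the same size and timestamp as their dllcache copies but a different MD5, which is what an in-place patch of a protected file looks like. In the Find3M section, ftp.exe, cmd.exe, notepad.exe, userinit.exe, taskmgr.exe and other system binaries show modification times during and after the 2008-05-18 reinstall, even though a fresh XP install leaves them with their 2001 timestamps (compare the 2001-08-17 date on the freshly copied usbprint.sys in the created-files list). As an added example, not ComboFix's own code and not part of the thread, the script below parses both sections and reports those two indicators. The fixture is constructed from lines of the log above, the 2008-05-18 19:11 cut-off is an assumption taken from the profile-creation time in the created-files list, and the function names are the example's own.

```python
import re
from datetime import datetime

# Fixture constructed from the Sigcheck section of the ComboFix log above.
SIGCHECK = r"""
2001-10-28 15:06 1010176 ffafc18920f513d37b875b1ab846b332 C:\WINDOWS\explorer.exe
2001-10-28 15:06 1010176 8e3c79dd881a6203c789099b65c6a073 C:\WINDOWS\system32\dllcache\explorer.exe
2001-10-28 15:06 20480 e1cb08c5d591ccd1c9d358c726deca7a C:\WINDOWS\system32\ctfmon.exe
2001-10-28 15:06 20480 a8469736b1de1098166c7aa839c0bcc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
"""

# Fixture constructed from a subset of the Find3M section of the same log.
FIND3M = r"""
2008-05-20 16:05 50,176 ----a-w C:\WINDOWS\system32\ftp.exe
2008-05-18 23:26 387,584 ----a-w C:\WINDOWS\system32\cmd.exe
2008-05-18 23:02 21,504 ----a-w C:\WINDOWS\system32\userinit.exe
2008-05-18 21:57 --------- d-----w C:\Arquivos de programas\Serviços on-line
2001-10-28 18:06 950,784 --sh--r C:\WINDOWS\system32\windowsupdate.exe
"""

SIG_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$')
F3M_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ([\d,]+|-+) (\S+) (.+)$')
STAMP = '%Y-%m-%d %H:%M'


def parse_sigcheck(text):
    """One dict per Sigcheck line: timestamp, size, md5, path."""
    rows = []
    for line in text.strip().splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            stamp, size, md5, path = m.groups()
            rows.append({'stamp': stamp, 'size': int(size), 'md5': md5, 'path': path})
    return rows


def patched_protected_files(text):
    """Pair each live binary with its dllcache copy by file name and return
    (name, live_md5, cache_md5, same_size_and_stamp) for every pair whose MD5
    differs. Same size and timestamp with a different hash means one of the two
    copies was rewritten in place; this does not say which one."""
    live, cache = {}, {}
    for row in parse_sigcheck(text):
        name = row['path'].split('\\')[-1].lower()
        target = cache if '\\dllcache\\' in row['path'].lower() else live
        target[name] = row
    out = []
    for name, l in live.items():
        c = cache.get(name)
        if c and l['md5'] != c['md5']:
            same = l['size'] == c['size'] and l['stamp'] == c['stamp']
            out.append((name, l['md5'], c['md5'], same))
    return out


def system_binaries_modified_since(text, since):
    """Executables under C:\\WINDOWS whose Find3M modification time is at or
    after `since` (format '%Y-%m-%d %H:%M'). Directories and files outside the
    Windows tree are skipped. Returns (stamp, size, path) in log order."""
    cutoff = datetime.strptime(since, STAMP)
    hits = []
    for line in text.strip().splitlines():
        m = F3M_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        if attrs.startswith('d'):
            continue  # directory entry, no size
        low = path.lower()
        if not low.startswith('c:\\windows\\'):
            continue
        if not low.endswith(('.exe', '.dll', '.sys', '.scr')):
            continue
        if datetime.strptime(stamp, STAMP) >= cutoff:
            hits.append((stamp, int(size.replace(',', '')), path))
    return hits


if __name__ == '__main__':
    for name, live_md5, cache_md5, same in patched_protected_files(SIGCHECK):
        print(f'{name}: live {live_md5} != dllcache {cache_md5} (same size/stamp: {same})')
    for stamp, size, path in system_binaries_modified_since(FIND3M, '2008-05-18 19:11'):
        print(f'{stamp} {size:>10} {path}')
```

A hash mismatch between a live file and its dllcache copy only tells you that the two differ; a file infector such as Virut can patch the cached copy as well, and a hotfix applied without updating the cache can leave the pair out of step for a harmless reason, so confirm against a hash you trust (the installation media, or a clean machine at the same service-pack level) before deciding which copy to keep. The practical consequence the thread bears out is that a reinstall over an infected drive does not help while infected executables on other partitions or in user data are run again afterwards.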
Temporarily disable your antivirus and any other security software, such as firewall, antispyware, etc.

Open Notepad, then copy (Ctrl+C) and paste (Ctrl+V) all of the text inside the "Quote":

File::
C:\WINDOWS\system32\apps.exe
C:\WINDOWS\system32\wxaoktnv.exe
C:\WINDOWS\System32\windowsupdate .exe
C:\WINDOWS\System32\windowsupdate.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Windows Update"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Microsoft Services"=-
"Microsoft Windows Update"=-
"windowsupdate"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Microsoft Services"=-
"Microsoft Windows Update"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Windows Update"=-


[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Update]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Microsoft Services]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windowsupdate]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\windowsupdate.exe"=-

Driver::
Microsoft Agent
ffor.mylifez.net

  • Save this file as: CFScript.txt
  • Drag the CFScript.txt file onto ComboFix.exe
  • When the tool finishes running it will generate a log. Post that file, C:\ComboFix.txt.
  • Also make a new HijackThis log to include in your reply.


Sorry for the delay in replying! Here is the ComboFix log, with the HijackThis log further down.

ComboFix 08-05-20.5 - Claudia 2008-05-24 15:16:52.4 - NTFSx86

Executando de: C:\Documents and Settings\Claudia\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Claudia\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

C:\WINDOWS\system32\apps.exe

C:\WINDOWS\System32\windowsupdate .exe

C:\WINDOWS\System32\windowsupdate.exe

C:\WINDOWS\system32\wxaoktnv.exe

.

((((((((((((((((((((((( Ficheiros criados de 2008-04-24 to 2008-05-24 ))))))))))))))))))))))))))))))))

.

2008-05-23 20:02 . 2008-05-23 20:02 80,409 -r-hs---- C:\WINDOWS\slysom.exe

2008-05-23 19:45 . 2008-05-23 19:45 80,409 --a------ C:\WINDOWS\system32\bnp.exe

2008-05-23 13:02 . 2008-05-23 13:02 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configuraþ§es locais

2008-05-23 13:02 . 2008-05-23 13:02 <DIR> d-------- C:\Documents and Settings\NetworkService\Configuraþ§es locais

2008-05-23 13:02 . 2008-05-23 13:02 <DIR> d-------- C:\Documents and Settings\LocalService\Configuraþ§es locais

2008-05-23 13:02 . 2008-05-23 13:02 <DIR> d-------- C:\Documents and Settings\Claudia\Configuraþ§es locais

2008-05-23 11:18 . 2008-05-23 11:18 6,004,757 --a------ C:\WINDOWS\system32\qsmzxgfm.exe

2008-05-23 11:18 . 2008-05-23 11:18 1,258,427 --a------ C:\WINDOWS\system32\xmvgvzh.exe

2008-05-23 11:18 . 2008-05-23 11:18 36,864 --a------ C:\WINDOWS\system32\ixvnm.exe

2008-05-23 11:12 . 2008-05-23 11:12 6,004,757 --a------ C:\WINDOWS\system32\gqqz.exe

2008-05-23 11:12 . 2008-05-23 11:12 1,258,427 --a------ C:\WINDOWS\system32\tpdsscz.exe

2008-05-23 11:12 . 2008-05-23 11:12 36,864 --a------ C:\WINDOWS\system32\dsqhro.exe

2008-05-21 23:23 . 2008-05-21 23:23 6,004,757 --a------ C:\WINDOWS\system32\ffsfvnxf.exe

2008-05-21 23:23 . 2008-05-21 23:23 1,258,427 --a------ C:\WINDOWS\system32\wyxtrm.exe

2008-05-21 23:23 . 2008-05-21 23:23 83,968 --a------ C:\WINDOWS\system32\emopr.exe

2008-05-21 23:23 . 2008-05-21 23:23 36,864 --a------ C:\WINDOWS\system32\shhmxe.exe

2008-05-21 22:04 . 2008-05-21 22:05 <DIR> d-------- C:\WINDOWS\UbiSoft

2008-05-21 22:04 . 2008-05-21 22:04 <DIR> d-------- C:\UbiSoft

2008-05-20 22:48 . 2001-08-17 22:00 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2008-05-20 22:48 . 2008-05-20 22:50 1,324 --a------ C:\WINDOWS\system32\LexFiles.usr

2008-05-20 22:48 . 2008-05-20 22:48 507 --a------ C:\WINDOWS\LMABB2DD.ini

2008-05-20 22:47 . 2008-05-23 13:01 <DIR> d-------- C:\Arquivos de programas\Lexmark_HostCD

2008-05-20 22:47 . 2008-05-20 22:47 <DIR> d-------- C:\Arquivos de programas\Lexmark

2008-05-20 20:53 . 2001-08-17 21:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS

2008-05-20 19:13 . 2002-12-12 00:14 284,160 --a------ C:\WINDOWS\system32\SET2D.tmp

2008-05-20 19:13 . 2002-12-12 00:14 24,064 --a------ C:\WINDOWS\system32\SET30.tmp

2008-05-20 18:56 . 2008-05-20 19:02 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

2008-05-20 18:54 . 2008-05-20 21:07 1,956 --a------ C:\WINDOWS\system32\d3d8caps.dat

2008-05-20 18:34 . 2008-05-20 18:34 <DIR> d-------- C:\Arquivos de programas\Microsoft Games

2008-05-20 17:46 . 2008-05-21 19:59 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\Hamachi

2008-05-20 17:44 . 2008-05-20 17:46 <DIR> d-------- C:\Arquivos de programas\Hamachi

2008-05-20 17:44 . 2008-05-20 17:44 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys

2008-05-20 15:58 . 2008-05-20 15:58 910,336 -r-hsc--- C:\WINDOWS\system32\dllcache\shvhost.exe

2008-05-20 13:14 . 2008-05-20 13:15 <DIR> d-------- C:\WINDOWS\ERUNT

2008-05-20 13:09 . 2008-05-20 15:50 <DIR> d-------- C:\SDFix

2008-05-19 21:44 . 2008-05-19 21:44 122 --a------ C:\WINDOWS\WA.INI

2008-05-19 19:32 . 2008-05-19 19:32 <DIR> d---s---- C:\Documents and Settings\Claudia\UserData

2008-05-19 18:43 . 2004-08-04 09:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll

2008-05-19 18:36 . 2008-05-19 18:36 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\MSN6

2008-05-19 18:36 . 2008-05-19 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\MSN6

2008-05-19 18:11 . 2008-05-19 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files

2008-05-18 22:47 . 2008-05-18 22:48 1,601,711 --a------ C:\WINDOWS\WANEUninstaller.exe

2008-05-18 22:41 . 2008-05-18 22:41 <DIR> d-------- C:\Games

2008-05-18 22:35 . 2008-05-18 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\DAEMON Tools Pro

2008-05-18 22:30 . 2008-05-18 22:31 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\DAEMON Tools Pro

2008-05-18 22:30 . 2008-05-18 22:40 <DIR> d-------- C:\Arquivos de programas\DAEMON Tools Pro

2008-05-18 22:17 . 2008-05-20 16:35 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\BSplayer Pro

2008-05-18 22:17 . 2008-05-20 16:35 <DIR> d-------- C:\Arquivos de programas\Webteh

2008-05-18 22:14 . 2008-05-18 22:14 379 --a------ C:\WINDOWS\ODBC.INI

2008-05-18 22:13 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll

2008-05-18 22:11 . 2008-05-18 22:11 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\L&H

2008-05-18 22:10 . 2008-05-18 22:10 <DIR> d-------- C:\Arquivos de programas\Microsoft.NET

2008-05-18 22:10 . 2008-05-18 22:10 <DIR> d-------- C:\Arquivos de programas\Microsoft ActiveSync

2008-05-18 22:07 . 2008-05-18 22:07 <DIR> d-------- C:\Arquivos de programas\Microsoft Works

2008-05-18 22:06 . 2008-05-18 22:10 <DIR> d-------- C:\WINDOWS\SHELLNEW

2008-05-18 22:00 . 2008-05-18 22:00 <DIR> dr-h----- C:\MSOCache

2008-05-18 21:54 . 2008-05-18 21:54 <DIR> d-------- C:\IUware Online

2008-05-18 21:24 . 2008-05-20 18:19 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-05-18 21:23 . 2008-05-18 21:23 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\PC Tools

2008-05-18 21:23 . 2008-05-18 21:32 <DIR> d-------- C:\Arquivos de programas\Spyware Doctor

2008-05-18 21:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-05-18 21:23 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-05-18 21:23 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-05-18 21:23 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-05-18 20:31 . 2008-05-18 20:39 <DIR> d-------- C:\Arquivos de programas\LimeWire

2008-05-18 20:20 . 2008-05-18 20:20 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-05-18 20:06 . 2008-05-18 20:07 <DIR> d-------- C:\Arquivos de programas\Guitar Pro 5

2008-05-18 20:03 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg

2008-05-18 20:03 . 2008-03-03 18:21 572 --ah----- C:\WINDOWS\nod32fixtemdono.reg

2008-05-18 19:59 . 2008-05-18 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\ESET

2008-05-18 19:59 . 2008-05-18 19:59 <DIR> d-------- C:\Arquivos de programas\ESET

2008-05-18 19:30 . 2008-05-18 19:30 <DIR> d-------- C:\WINDOWS\WinRAR

2008-05-18 19:20 . 2008-05-18 19:20 62,168 --a------ C:\WINDOWS\system32\qz.exe

2008-05-18 19:19 . 2008-05-23 12:48 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\uTorrent

2008-05-18 19:19 . 2008-05-18 19:19 <DIR> d-------- C:\Arquivos de programas\uTorrent

2008-05-18 19:18 . 2008-05-18 19:18 62,168 --a------ C:\WINDOWS\system32\ux.exe

2008-05-18 19:18 . 2008-05-18 19:18 58,804 --a------ C:\WINDOWS\system32\zp.exe

2008-05-18 19:11 . 2008-05-20 22:24 <DIR> d--hs---- C:\WINDOWS\Installer

2008-05-18 19:11 . 2008-05-18 18:53 <DIR> d--h----- C:\Documents and Settings\Claudia\Modelos

2008-05-18 19:11 . 2008-05-24 15:11 <DIR> dr------- C:\Documents and Settings\Claudia\Meus documentos

2008-05-18 19:11 . 2008-05-18 19:19 <DIR> dr------- C:\Documents and Settings\Claudia\Menu Iniciar

2008-05-18 19:11 . 2008-05-21 19:41 <DIR> dr------- C:\Documents and Settings\Claudia\Favoritos

2008-05-18 19:11 . 2008-05-20 17:46 <DIR> d--h----- C:\Documents and Settings\Claudia\Dados de aplicativos

2008-05-18 19:11 . 2008-05-24 15:18 <DIR> d--h----- C:\Documents and Settings\Claudia\Configurações locais

2008-05-18 19:11 . 2008-05-18 18:43 <DIR> d--h----- C:\Documents and Settings\Claudia\Ambiente de rede

2008-05-18 19:11 . 2008-05-18 18:43 <DIR> d--h----- C:\Documents and Settings\Claudia\Ambiente de impressão

2008-05-18 19:11 . 2008-05-23 13:02 <DIR> d-------- C:\Documents and Settings\Claudia

2008-05-18 19:08 . 2008-05-18 19:08 <DIR> d-------- C:\Documents and Settings\NetworkService\Dados de aplicativos

2008-05-18 19:08 . 2008-05-24 15:18 <DIR> d--h----- C:\Documents and Settings\NetworkService\Configurações locais

2008-05-18 19:08 . 2008-05-23 13:02 <DIR> d--hs---- C:\Documents and Settings\NetworkService

2008-05-18 19:08 . 2008-05-18 19:08 <DIR> d-------- C:\Documents and Settings\LocalService\Dados de aplicativos

2008-05-18 19:08 . 2008-05-24 15:18 <DIR> d--h----- C:\Documents and Settings\LocalService\Configurações locais

2008-05-18 19:08 . 2008-05-23 13:02 <DIR> d--hs---- C:\Documents and Settings\LocalService

2008-05-18 19:08 . 2008-05-18 19:08 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

2008-05-18 19:06 . 2008-05-18 18:53 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Modelos

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Meus documentos

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> dr------- C:\WINDOWS\system32\config\systemprofile\Menu Iniciar

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Favoritos

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Dados de aplicativos

2008-05-18 19:06 . 2008-05-24 15:18 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Ambiente de rede

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Ambiente de impressão

2008-05-18 19:05 . 2001-10-28 15:06 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex

2008-05-18 19:04 . 2001-10-28 15:06 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll

2008-05-18 19:03 . 2001-10-28 15:06 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll

2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\WINDOWS\system32\xircom

2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\Arquivos de programas\microsoft frontpage

2008-05-18 19:01 . 2008-05-18 19:01 2,969 --a------ C:\WINDOWS\system32\CONFIG.NT

2008-05-18 19:01 . 2008-05-18 19:01 0 --a------ C:\WINDOWS\control.ini

2008-05-18 19:00 . 2008-05-18 19:00 299,552 --a------ C:\WINDOWS\WMSysPrx.prx

2008-05-18 19:00 . 2008-05-18 19:11 25,065 --a------ C:\WINDOWS\system32\wmpscheme.xml

2008-05-18 19:00 . 2008-05-18 19:00 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb

2008-05-18 19:00 . 2008-05-18 19:00 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-24 18:09 50,176 ----a-w C:\WINDOWS\system32\ftp.exe

2008-05-24 18:09 24,576 ----a-w C:\WINDOWS\system32\tftp.exe

2008-05-19 01:56 133,632 ----a-w C:\WINDOWS\system32\sfc_os.dll

2008-05-19 00:05 67,072 ----a-w C:\WINDOWS\NOTEPAD.EXE

2008-05-18 23:26 387,584 ----a-w C:\WINDOWS\system32\cmd.exe

2008-05-18 23:14 183,296 ----a-w C:\WINDOWS\system32\accwiz.exe

2008-05-18 23:14 1,154,048 ----a-w C:\WINDOWS\system32\ntbackup.exe

2008-05-18 23:02 504,832 ----a-w C:\WINDOWS\system32\logonui.exe

2008-05-18 23:02 31,744 ----a-w C:\WINDOWS\system32\rundll32.exe

2008-05-18 23:02 219,648 ----a-w C:\WINDOWS\system32\logon.scr

2008-05-18 23:02 21,504 ----a-w C:\WINDOWS\system32\userinit.exe

2008-05-18 23:02 146,944 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe

2008-05-18 23:02 134,144 ----a-w C:\WINDOWS\system32\taskmgr.exe

2008-05-18 23:01 67,072 ----a-w C:\WINDOWS\system32\notepad.exe

2008-05-18 23:01 534,528 ----a-w C:\WINDOWS\system32\spider.exe

2008-05-18 23:01 387,584 ----a-w C:\WINDOWS\system32\mstsc.exe

2008-05-18 23:01 346,624 ----a-w C:\WINDOWS\system32\tourstart.exe

2008-05-18 23:01 128,000 ----a-w C:\WINDOWS\system32\mshearts.exe

2008-05-18 21:57 --------- d-----w C:\Arquivos de programas\Serviços on-line

2008-05-18 21:56 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Serviços

.

------- Sigcheck -------

2001-10-28 15:06 1010176 ffafc18920f513d37b875b1ab846b332 C:\WINDOWS\explorer.exe

2001-10-28 15:06 1010176 8e3c79dd881a6203c789099b65c6a073 C:\WINDOWS\system32\dllcache\explorer.exe

2001-10-28 15:06 20480 e1cb08c5d591ccd1c9d358c726deca7a C:\WINDOWS\system32\ctfmon.exe

2001-10-28 15:06 20480 a8469736b1de1098166c7aa839c0bcc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

.

((((((((((((((((((((((((((((( snapshot@2008-05-21_17.10.48.69 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-21 20:03:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-24 18:10:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2005-10-20 23:02:28 174,080 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE

- 2008-05-21 01:27:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

+ 2008-05-23 23:02:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

- 2008-05-21 01:27:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

+ 2008-05-23 23:02:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

- 2008-05-21 01:27:36 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2008-05-23 23:02:56 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2008-05-20 16:05:01 50,176 -c--a-w C:\WINDOWS\system32\dllcache\ftp.exe

+ 2008-05-24 18:09:38 50,176 -c--a-w C:\WINDOWS\system32\dllcache\ftp.exe

- 2008-05-20 16:05:01 24,576 -c--a-w C:\WINDOWS\system32\dllcache\tftp.exe

+ 2008-05-24 18:09:38 24,576 -c--a-w C:\WINDOWS\system32\dllcache\tftp.exe

+ 2001-10-28 18:06:32 52,624 ---h--w C:\WINDOWS\system32\winamp.exe

+ 2008-05-22 01:05:37 736,768 ----a-w C:\WINDOWS\UbiSoft\SetupUbi.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2008-05-18 20:02 146944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"Windows has Layer"="fixweb.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-28 15:06 20480]

"Windows has Layer"="fixweb.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Windows has Layer"="fixweb.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced DHTML Enable]

--a------ 2008-05-21 23:23 1258427 C:\WINDOWS\System32\wyxtrm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2001-10-28 15:06 20480 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]

--a------ 2007-09-06 10:08 136136 C:\Arquivos de programas\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-02-01 12:55 1103240 C:\Arquivos de programas\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2001-08-02 07:14 1085469 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winamp Agent]

---h----- 2001-10-28 15:06 52624 C:\WINDOWS\System32\winamp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows has Layer]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Arquivos de programas\\Arquivos comuns\\System\\MSASP32.exe"=

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-24 15:19:04

Windows 5.1.2600 NTFS

detected NTDLL code modification:

ZwOpenFile

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-05-24 15:21:14

ComboFix-quarantined-files.txt 2008-05-24 18:20:48

ComboFix2.txt 2008-05-23 16:02:19

ComboFix3.txt 2008-05-21 20:11:47

Pre-Run: 8,727,363,584 bytes disponíveis

Post-Run: 8,714,031,104 bytes disponíveis

232

HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 15:24:11, on 24/5/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\regedit.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Claudia\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: Advance Service Process - Unknown owner - C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\System32\LMabcoms.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

O23 - Service: slysom - Unknown owner - C:\WINDOWS\slysom.exe


Please do not make changes to the operating system during the cleaning process, such as changing entries via MsConfig, and also avoid browsing suspicious sites.

Temporarily disable your antivirus or any other security software, such as firewall, antispyware, etc.

Open Notepad, copy (Ctrl + C) and paste (Ctrl + V) all the text inside the "Quote":

File::
C:\WINDOWS\system32\qsmzxgfm.exe
C:\WINDOWS\system32\xmvgvzh.exe
C:\WINDOWS\system32\ixvnm.exe
C:\WINDOWS\system32\gqqz.exe
C:\WINDOWS\system32\tpdsscz.exe
C:\WINDOWS\system32\dsqhro.exe
C:\WINDOWS\system32\ffsfvnxf.exe
C:\WINDOWS\system32\wyxtrm.exe
C:\WINDOWS\system32\emopr.exe
C:\WINDOWS\system32\shhmxe.exe
C:\WINDOWS\system32\dllcache\shvhost.exe
C:\WINDOWS\System32\wyxtrm.exe

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows has Layer"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows has Layer"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows has Layer"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced DHTML Enable]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows has Layer]

  • Save this file as: CFScript.txt
    (image: cfscriptuq2.gif)
  • As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe
  • When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.
  • Also make a new HijackThis log to include in your reply.

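As an added example (not from this thread, nor from the HijackThis or ComboFix tools themselves), the Python script below parses the two formats exchanged above, HijackThis O4/O23 lines and the File::/Registry:: sections of a CFScript, and reports which autostart values and executables the script leaves unreferenced, plus File:: entries repeated with a different case. The sample inputs are constructed from lines quoted in this thread; it covers only the HKLM/HKCU "..\Run*" O4 forms that appear here.

```python
"""Cross-check a HijackThis log against a ComboFix CFScript: which O4 autostart values
and O4/O23 executables does the script leave untouched? Added example for this thread."""
import re

# HijackThis abbreviates the parent of the Run keys as "..": HKLM\..\RunServices -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
RUN_PARENT = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def parse_hijackthis(text):
    """Return ([(registry_key, value_name, command)], [(service_name, owner, path)])."""
    starts, services = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            hive = HIVES.get(m["hive"], m["hive"])
            starts.append((f"{hive}\\{RUN_PARENT}\\{m['key']}", m["name"], m["cmd"]))
        elif m := O23_RE.match(line):
            services.append((m["name"], m["owner"], m["path"]))
    return starts, services

def parse_cfscript(text):
    """Return {'files': [...], 'deleted_keys': [...], 'deleted_values': [(key, name), ...]}."""
    script = {"files": [], "deleted_keys": [], "deleted_values": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):  # section header: File::, Registry::, Driver:: ...
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            script["files"].append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):    # [-key] deletes the whole key
                script["deleted_keys"].append(line[2:-1])
            elif line.startswith("[") and line.endswith("]"):   # [key] selects the key
                current_key = line[1:-1]
            elif line.startswith('"') and line.endswith('"=-') and current_key:
                script["deleted_values"].append((current_key, line[1:-3]))  # "name"=- deletes a value
    return script

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def image_name(cmd):
    """Executable file name from an O4 command line, ignoring arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return basename(cmd[1:cmd.find('"', 1)])
    return basename(cmd.split(" ", 1)[0])

def uncovered(starts, services, script):
    """Findings: autostart values and executables the script does not reference."""
    files = {basename(f) for f in script["files"]}
    del_values = {(k.lower(), n.lower()) for k, n in script["deleted_values"]}
    del_keys = {k.lower() for k in script["deleted_keys"]}
    findings = []
    for key, name, cmd in starts:
        if (key.lower(), name.lower()) not in del_values and key.lower() not in del_keys:
            findings.append(f"autostart value not removed: [{name}] under {key}")
        if image_name(cmd) not in files:
            findings.append(f"file not deleted: {cmd} (autostart [{name}])")
    for name, owner, path in services:
        # HijackThis prints the file's company name when it can resolve one; only "Unknown owner" is checked here
        if owner == "Unknown owner" and basename(path) not in files:
            findings.append(f"service file not deleted: {path} (service '{name}')")
    return findings

def duplicate_files(script):
    seen, dups = set(), []  # File:: entries repeating an earlier one, case-insensitively
    for f in script["files"]:
        if f.lower() in seen:
            dups.append(f)
        seen.add(f.lower())
    return dups

# Constructed samples, copied from lines quoted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O23 - Service: Advance Service Process - Unknown owner - C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe
O23 - Service: slysom - Unknown owner - C:\WINDOWS\slysom.exe
"""
CFSCRIPT_SAMPLE = r"""
File::
C:\WINDOWS\system32\wyxtrm.exe
C:\WINDOWS\system32\dllcache\shvhost.exe
C:\WINDOWS\System32\wyxtrm.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows has Layer"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows has Layer]
"""

if __name__ == "__main__":
    cf = parse_cfscript(CFSCRIPT_SAMPLE)
    print(*uncovered(*parse_hijackthis(HJT_SAMPLE), cf), *[f"duplicate File:: entry: {d}" for d in duplicate_files(cf)], sep="\n")
```

On the samples it reports that fixweb.exe, MSASP32.exe and slysom.exe are not in the File:: section and that wyxtrm.exe is listed twice; the PC Tools service is skipped because HijackThis resolved a vendor name for it.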

Sorry for removing the entries in msconfig; it's just that when there are many strange processes running on the machine, it says: "the system is shutting down in 50 seconds..."

Here's the ComboFix log

ComboFix 08-05-20.5 - Claudia 2008-05-25 13:28:25.5 - NTFSx86

Executando de: C:\Documents and Settings\Claudia\Desktop\Rodrigo\ComboFix.exe

Command switches used :: C:\Documents and Settings\Claudia\Desktop\Rodrigo\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

C:\WINDOWS\system32\dllcache\shvhost.exe

C:\WINDOWS\system32\dsqhro.exe

C:\WINDOWS\system32\emopr.exe

C:\WINDOWS\system32\ffsfvnxf.exe

C:\WINDOWS\system32\gqqz.exe

C:\WINDOWS\system32\ixvnm.exe

C:\WINDOWS\system32\qsmzxgfm.exe

C:\WINDOWS\system32\shhmxe.exe

C:\WINDOWS\system32\tpdsscz.exe

C:\WINDOWS\System32\wyxtrm.exe

C:\WINDOWS\system32\wyxtrm.exe

C:\WINDOWS\system32\xmvgvzh.exe

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\dllcache\shvhost.exe

C:\WINDOWS\system32\dsqhro.exe

C:\WINDOWS\system32\emopr.exe

C:\WINDOWS\system32\ffsfvnxf.exe

C:\WINDOWS\system32\gqqz.exe

C:\WINDOWS\system32\ixvnm.exe

C:\WINDOWS\system32\qsmzxgfm.exe

C:\WINDOWS\system32\shhmxe.exe

C:\WINDOWS\system32\tpdsscz.exe

C:\WINDOWS\System32\wyxtrm.exe

C:\WINDOWS\system32\xmvgvzh.exe

C:\WINDOWS\TEMP\55673.exe

.

((((((((((((((((((((((( Ficheiros criados de 2008-04-25 to 2008-05-25 ))))))))))))))))))))))))))))))))

.

2008-05-25 12:41 . 2008-05-25 12:56 <DIR> d-------- C:\Arquivos de programas\Java

2008-05-25 11:48 . 2008-05-25 11:48 65,536 --a------ C:\2r6s3e8g1q4.exe

2008-05-25 00:58 . 2008-05-25 00:58 <DIR> d-------- C:\Arquivos de programas\ToniArts

2008-05-25 00:58 . 2008-05-25 00:58 <DIR> d--h----- C:\Arquivos de programas\InstallShield Installation Information

2008-05-25 00:57 . 2008-05-25 00:57 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\InstallShield

2008-05-25 00:03 . 2008-05-25 00:03 65 --a------ C:\WINDOWS\system32\o

2008-05-24 23:52 . 2008-05-24 23:52 80,463 -r-hs---- C:\WINDOWS\naPrdMgr.exe

2008-05-24 18:15 . 2008-05-24 18:16 80,409 --a------ C:\WINDOWS\system32\voi.exe

2008-05-24 18:08 . 2008-05-25 12:33 73,728 --a------ C:\d2r6s3e8g1q4.exe

2008-05-24 18:02 . 2008-05-24 18:02 80,409 --a------ C:\WINDOWS\system32\xfk.exe

2008-05-24 16:08 . 2008-05-24 18:02 <DIR> d---s---- C:\WINDOWS\system32\Microsoft

2008-05-24 16:08 . 2008-05-24 16:07 40,000 --a------ C:\WINDOWS\system32\3rfEK837.exe

2008-05-23 20:02 . 2008-05-23 20:02 80,409 -r-hs---- C:\WINDOWS\slysom.exe

2008-05-23 19:45 . 2008-05-23 19:45 80,409 --a------ C:\WINDOWS\system32\bnp.exe

2008-05-23 13:02 . 2008-05-23 13:02 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configuraþ§es locais

2008-05-23 13:02 . 2008-05-23 13:02 <DIR> d-------- C:\Documents and Settings\NetworkService\Configuraþ§es locais

2008-05-23 13:02 . 2008-05-23 13:02 <DIR> d-------- C:\Documents and Settings\LocalService\Configuraþ§es locais

2008-05-23 13:02 . 2008-05-23 13:02 <DIR> d-------- C:\Documents and Settings\Claudia\Configuraþ§es locais

2008-05-21 22:04 . 2008-05-21 22:05 <DIR> d-------- C:\WINDOWS\UbiSoft

2008-05-21 22:04 . 2008-05-21 22:04 <DIR> d-------- C:\UbiSoft

2008-05-20 22:48 . 2001-08-17 22:00 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2008-05-20 22:48 . 2008-05-20 22:50 1,324 --a------ C:\WINDOWS\system32\LexFiles.usr

2008-05-20 22:48 . 2008-05-20 22:48 507 --a------ C:\WINDOWS\LMABB2DD.ini

2008-05-20 22:47 . 2008-05-23 13:01 <DIR> d-------- C:\Arquivos de programas\Lexmark_HostCD

2008-05-20 22:47 . 2008-05-20 22:47 <DIR> d-------- C:\Arquivos de programas\Lexmark

2008-05-20 20:53 . 2001-08-17 21:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS

2008-05-20 19:13 . 2002-12-12 00:14 284,160 --a------ C:\WINDOWS\system32\SET2D.tmp

2008-05-20 19:13 . 2002-12-12 00:14 24,064 --a------ C:\WINDOWS\system32\SET30.tmp

2008-05-20 18:56 . 2008-05-20 19:02 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

2008-05-20 18:54 . 2008-05-20 21:07 1,956 --a------ C:\WINDOWS\system32\d3d8caps.dat

2008-05-20 18:34 . 2008-05-20 18:34 <DIR> d-------- C:\Arquivos de programas\Microsoft Games

2008-05-20 17:46 . 2008-05-21 19:59 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\Hamachi

2008-05-20 17:44 . 2008-05-20 17:46 <DIR> d-------- C:\Arquivos de programas\Hamachi

2008-05-20 17:44 . 2008-05-20 17:44 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys

2008-05-20 13:14 . 2008-05-20 13:15 <DIR> d-------- C:\WINDOWS\ERUNT

2008-05-20 13:09 . 2008-05-20 15:50 <DIR> d-------- C:\SDFix

2008-05-19 21:44 . 2008-05-19 21:44 122 --a------ C:\WINDOWS\WA.INI

2008-05-19 19:32 . 2008-05-19 19:32 <DIR> d---s---- C:\Documents and Settings\Claudia\UserData

2008-05-19 18:43 . 2004-08-04 09:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll

2008-05-19 18:36 . 2008-05-19 18:36 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\MSN6

2008-05-19 18:36 . 2008-05-19 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\MSN6

2008-05-19 18:11 . 2008-05-19 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files

2008-05-18 22:47 . 2008-05-18 22:48 1,601,711 --a------ C:\WINDOWS\WANEUninstaller.exe

2008-05-18 22:41 . 2008-05-18 22:41 <DIR> d-------- C:\Games

2008-05-18 22:35 . 2008-05-18 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\DAEMON Tools Pro

2008-05-18 22:30 . 2008-05-18 22:31 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\DAEMON Tools Pro

2008-05-18 22:30 . 2008-05-18 22:40 <DIR> d-------- C:\Arquivos de programas\DAEMON Tools Pro

2008-05-18 22:17 . 2008-05-20 16:35 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\BSplayer Pro

2008-05-18 22:17 . 2008-05-20 16:35 <DIR> d-------- C:\Arquivos de programas\Webteh

2008-05-18 22:14 . 2008-05-18 22:14 379 --a------ C:\WINDOWS\ODBC.INI

2008-05-18 22:13 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll

2008-05-18 22:11 . 2008-05-18 22:11 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\L&H

2008-05-18 22:10 . 2008-05-18 22:10 <DIR> d-------- C:\Arquivos de programas\Microsoft.NET

2008-05-18 22:10 . 2008-05-18 22:10 <DIR> d-------- C:\Arquivos de programas\Microsoft ActiveSync

2008-05-18 22:07 . 2008-05-18 22:07 <DIR> d-------- C:\Arquivos de programas\Microsoft Works

2008-05-18 22:06 . 2008-05-18 22:10 <DIR> d-------- C:\WINDOWS\SHELLNEW

2008-05-18 22:00 . 2008-05-18 22:00 <DIR> dr-h----- C:\MSOCache

2008-05-18 21:54 . 2008-05-18 21:54 <DIR> d-------- C:\IUware Online

2008-05-18 21:24 . 2008-05-20 18:19 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-05-18 21:23 . 2008-05-18 21:23 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\PC Tools

2008-05-18 21:23 . 2008-05-18 21:32 <DIR> d-------- C:\Arquivos de programas\Spyware Doctor

2008-05-18 21:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-05-18 21:23 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-05-18 21:23 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-05-18 21:23 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-05-18 20:31 . 2008-05-18 20:39 <DIR> d-------- C:\Arquivos de programas\LimeWire

2008-05-18 20:20 . 2008-05-18 20:20 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2008-05-18 20:06 . 2008-05-18 20:07 <DIR> d-------- C:\Arquivos de programas\Guitar Pro 5

2008-05-18 20:03 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg

2008-05-18 20:03 . 2008-03-03 18:21 572 --ah----- C:\WINDOWS\nod32fixtemdono.reg

2008-05-18 19:59 . 2008-05-18 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\ESET

2008-05-18 19:59 . 2008-05-18 19:59 <DIR> d-------- C:\Arquivos de programas\ESET

2008-05-18 19:30 . 2008-05-18 19:30 <DIR> d-------- C:\WINDOWS\WinRAR

2008-05-18 19:20 . 2008-05-18 19:20 62,168 --a------ C:\WINDOWS\system32\qz.exe

2008-05-18 19:19 . 2008-05-25 13:28 <DIR> d-------- C:\Documents and Settings\Claudia\Dados de aplicativos\uTorrent

2008-05-18 19:19 . 2008-05-18 19:19 <DIR> d-------- C:\Arquivos de programas\uTorrent

2008-05-18 19:18 . 2008-05-18 19:18 62,168 --a------ C:\WINDOWS\system32\ux.exe

2008-05-18 19:18 . 2008-05-18 19:18 58,804 --a------ C:\WINDOWS\system32\zp.exe

2008-05-18 19:11 . 2008-05-25 12:56 <DIR> d--hs---- C:\WINDOWS\Installer

2008-05-18 19:11 . 2008-05-18 18:53 <DIR> d--h----- C:\Documents and Settings\Claudia\Modelos

2008-05-18 19:11 . 2008-05-24 15:11 <DIR> dr------- C:\Documents and Settings\Claudia\Meus documentos

2008-05-18 19:11 . 2008-05-18 19:19 <DIR> dr------- C:\Documents and Settings\Claudia\Menu Iniciar

2008-05-18 19:11 . 2008-05-21 19:41 <DIR> dr------- C:\Documents and Settings\Claudia\Favoritos

2008-05-18 19:11 . 2008-05-20 17:46 <DIR> d--h----- C:\Documents and Settings\Claudia\Dados de aplicativos

2008-05-18 19:11 . 2008-05-25 13:30 <DIR> d--h----- C:\Documents and Settings\Claudia\Configurações locais

2008-05-18 19:11 . 2008-05-18 18:43 <DIR> d--h----- C:\Documents and Settings\Claudia\Ambiente de rede

2008-05-18 19:11 . 2008-05-18 18:43 <DIR> d--h----- C:\Documents and Settings\Claudia\Ambiente de impressão

2008-05-18 19:11 . 2008-05-23 13:02 <DIR> d-------- C:\Documents and Settings\Claudia

2008-05-18 19:08 . 2008-05-18 19:08 <DIR> d-------- C:\Documents and Settings\NetworkService\Dados de aplicativos

2008-05-18 19:08 . 2008-05-25 13:30 <DIR> d--h----- C:\Documents and Settings\NetworkService\Configurações locais

2008-05-18 19:08 . 2008-05-23 13:02 <DIR> d--hs---- C:\Documents and Settings\NetworkService

2008-05-18 19:08 . 2008-05-18 19:08 <DIR> d-------- C:\Documents and Settings\LocalService\Dados de aplicativos

2008-05-18 19:08 . 2008-05-25 13:30 <DIR> d--h----- C:\Documents and Settings\LocalService\Configurações locais

2008-05-18 19:08 . 2008-05-23 13:02 <DIR> d--hs---- C:\Documents and Settings\LocalService

2008-05-18 19:08 . 2008-05-18 19:08 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

2008-05-18 19:06 . 2008-05-18 18:53 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Modelos

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Meus documentos

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> dr------- C:\WINDOWS\system32\config\systemprofile\Menu Iniciar

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Favoritos

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Dados de aplicativos

2008-05-18 19:06 . 2008-05-25 13:30 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Ambiente de rede

2008-05-18 19:06 . 2008-05-18 18:43 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Ambiente de impressão

2008-05-18 19:05 . 2001-10-28 15:06 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex

2008-05-18 19:04 . 2001-10-28 15:06 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll

2008-05-18 19:03 . 2001-10-28 15:06 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll

2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\WINDOWS\system32\xircom

2008-05-18 19:02 . 2008-05-18 19:02 <DIR> d-------- C:\Arquivos de programas\microsoft frontpage

2008-05-18 19:01 . 2008-05-18 19:01 2,969 --a------ C:\WINDOWS\system32\CONFIG.NT

2008-05-18 19:01 . 2008-05-18 19:01 0 --a------ C:\WINDOWS\control.ini

2008-05-18 19:00 . 2008-05-18 19:00 299,552 --a------ C:\WINDOWS\WMSysPrx.prx

2008-05-18 19:00 . 2008-05-18 19:11 25,065 --a------ C:\WINDOWS\system32\wmpscheme.xml

2008-05-18 19:00 . 2008-05-18 19:00 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb

2008-05-18 19:00 . 2008-05-18 19:00 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-25 15:33 50,176 ----a-w C:\WINDOWS\system32\ftp.exe

2008-05-25 15:33 24,576 ----a-w C:\WINDOWS\system32\tftp.exe

2008-05-19 01:56 133,632 ----a-w C:\WINDOWS\system32\sfc_os.dll

2008-05-19 00:05 67,072 ----a-w C:\WINDOWS\NOTEPAD.EXE

2008-05-18 23:26 387,584 ----a-w C:\WINDOWS\system32\cmd.exe

2008-05-18 23:14 183,296 ----a-w C:\WINDOWS\system32\accwiz.exe

2008-05-18 23:14 1,154,048 ----a-w C:\WINDOWS\system32\ntbackup.exe

2008-05-18 23:02 504,832 ----a-w C:\WINDOWS\system32\logonui.exe

2008-05-18 23:02 31,744 ----a-w C:\WINDOWS\system32\rundll32.exe

2008-05-18 23:02 219,648 ----a-w C:\WINDOWS\system32\logon.scr

2008-05-18 23:02 21,504 ----a-w C:\WINDOWS\system32\userinit.exe

2008-05-18 23:02 146,944 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe

2008-05-18 23:02 134,144 ----a-w C:\WINDOWS\system32\taskmgr.exe

2008-05-18 23:01 67,072 ----a-w C:\WINDOWS\system32\notepad.exe

2008-05-18 23:01 534,528 ----a-w C:\WINDOWS\system32\spider.exe

2008-05-18 23:01 387,584 ----a-w C:\WINDOWS\system32\mstsc.exe

2008-05-18 23:01 346,624 ----a-w C:\WINDOWS\system32\tourstart.exe

2008-05-18 23:01 128,000 ----a-w C:\WINDOWS\system32\mshearts.exe

2008-05-18 21:57 --------- d-----w C:\Arquivos de programas\Serviços on-line

2008-05-18 21:56 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Serviços

.

------- Sigcheck -------

2001-10-28 15:06 1010176 ffafc18920f513d37b875b1ab846b332 C:\WINDOWS\explorer.exe

2001-10-28 15:06 1010176 8e3c79dd881a6203c789099b65c6a073 C:\WINDOWS\system32\dllcache\explorer.exe

2001-10-28 15:06 20480 e1cb08c5d591ccd1c9d358c726deca7a C:\WINDOWS\system32\ctfmon.exe

2001-10-28 15:06 20480 a8469736b1de1098166c7aa839c0bcc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-28 15:06 20480]

"uTorrent"="C:\Arquivos de programas\uTorrent\uTorrent.exe" [2008-05-18 19:19 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2008-05-18 20:02 146944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-28 15:06 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2001-10-28 15:06 20480 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]

--a------ 2007-09-06 10:08 136136 C:\Arquivos de programas\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

--a------ 2008-02-01 12:55 1103240 C:\Arquivos de programas\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2001-08-02 07:14 1085469 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winamp Agent]

---h----- 2001-10-28 15:06 52624 C:\WINDOWS\System32\winamp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Arquivos de programas\\Arquivos comuns\\System\\MSASP32.exe"=

.

Conteúdo da pasta 'Tarefas Agendadas'

"2008-05-25 03:53:02 C:\WINDOWS\Tasks\At1.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At10.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At11.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At12.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At13.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-25 16:00:02 C:\WINDOWS\Tasks\At14.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At15.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At16.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At17.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At18.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At19.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-25 04:00:01 C:\WINDOWS\Tasks\At2.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 22:00:02 C:\WINDOWS\Tasks\At20.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At21.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At22.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At23.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At24.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-25 05:00:01 C:\WINDOWS\Tasks\At3.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At4.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At5.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At6.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At7.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At8.job"

- C:\WINDOWS\System32\3rfEK837.exe

"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At9.job"

- C:\WINDOWS\System32\3rfEK837.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-25 13:31:22

Windows 5.1.2600 NTFS

detected NTDLL code modification:

ZwOpenFile

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-05-25 13:33:23

ComboFix-quarantined-files.txt 2008-05-25 16:33:02

ComboFix2.txt 2008-05-24 18:21:15

ComboFix3.txt 2008-05-23 16:02:19

ComboFix4.txt 2008-05-21 20:11:47

Pre-Run: 9,186,824,192 bytes disponíveis

Post-Run: 9,297,027,072 bytes disponíveis

283

And the HijackThis one:

Logfile of HijackThis v1.99.1

Scan saved at 13:36:13, on 25/5/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Claudia\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [uTorrent] "C:\Arquivos de programas\uTorrent\uTorrent.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: Advance Service Process - Unknown owner - C:\Arquivos de programas\Arquivos comuns\System\MSASP32.exe

O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\System32\LMabcoms.exe

O23 - Service: naPrdMgr - Unknown owner - C:\WINDOWS\naPrdMgr.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

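Three things in the ComboFix log above stand out to a responder: the Sigcheck section shows explorer.exe and ctfmon.exe with MD5 hashes different from their protected dllcache copies, the Security Center key has its antivirus, firewall and update notifications overridden, and 24 At*.job scheduled tasks all launch the same randomly named executable in System32. The script below is an added example (not code from the thread, from ComboFix or from HijackThis) that parses those three log sections and flags each pattern. SAMPLE_LOG is constructed from lines quoted in the log; the task-count threshold and the list of Security Center value names are assumptions made for the example.

```python
"""Flag common infection indicators in a ComboFix log (added example).

Not ComboFix's own code. SAMPLE_LOG is constructed from lines quoted in the
thread; the threshold and SECCENTER_KEYS are assumptions for the example.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_LOG = r"""
------- Sigcheck -------
2001-10-28 15:06 1010176 ffafc18920f513d37b875b1ab846b332 C:\WINDOWS\explorer.exe
2001-10-28 15:06 1010176 8e3c79dd881a6203c789099b65c6a073 C:\WINDOWS\system32\dllcache\explorer.exe
2001-10-28 15:06 20480 e1cb08c5d591ccd1c9d358c726deca7a C:\WINDOWS\system32\ctfmon.exe
2001-10-28 15:06 20480 a8469736b1de1098166c7aa839c0bcc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-05-25 03:53:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\3rfEK837.exe
"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\3rfEK837.exe
"2008-05-24 19:08:26 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\3rfEK837.exe
"""

# One Sigcheck line: date time size md5 path
SIGCHECK_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +([0-9a-fA-F]{32}) +(\S.*)$")
# Scheduled-task header line and the command line that follows it
TASK_RE = re.compile(r'^"[\d\-]+ [\d:]+ (.+\.job)"$')
TASK_CMD_RE = re.compile(r"^- (.+)$")
# Security Center value set to 1 (a notification or override disabled)
SECCENTER_RE = re.compile(r'^"(\w+)"=dword:0*1$')
SECCENTER_KEYS = {"UpdatesDisableNotify", "AntiVirusDisableNotify",
                  "AntiVirusOverride", "FirewallOverride",
                  "FirewallDisableNotify"}  # assumed list for the example


def sigcheck_mismatches(lines):
    """Return (name, live_md5, dllcache_md5) for every system file whose
    hash differs from its dllcache copy; a file infector is one cause."""
    live, cache = {}, {}
    for line in lines:
        m = SIGCHECK_RE.match(line)
        if not m:
            continue
        md5, path = m.group(1).lower(), m.group(2)
        name = ntpath.basename(path).lower()
        (cache if "\\dllcache\\" in path.lower() else live)[name] = md5
    return [(n, live[n], cache[n]) for n in live
            if n in cache and live[n] != cache[n]]


def mass_scheduled_tasks(lines, threshold=3):
    """Group At*.job tasks by the command they run and return the commands
    launched by at least `threshold` jobs (the repeating pattern above)."""
    jobs_by_cmd = defaultdict(list)
    pending = None
    for line in lines:
        m = TASK_RE.match(line)
        if m:
            pending = ntpath.basename(m.group(1))
            continue
        m = TASK_CMD_RE.match(line)
        if m and pending:
            jobs_by_cmd[m.group(1).strip()].append(pending)
            pending = None
    return {cmd: jobs for cmd, jobs in jobs_by_cmd.items()
            if len(jobs) >= threshold}


def security_center_overrides(lines):
    """Return Security Center values that silence AV/firewall/update alerts."""
    return [m.group(1) for m in map(SECCENTER_RE.match, lines)
            if m and m.group(1) in SECCENTER_KEYS]


def analyze(text):
    """Run all three checks over one ComboFix log and return the findings."""
    lines = [l.strip() for l in text.splitlines()]
    return {
        "sigcheck_mismatches": sigcheck_mismatches(lines),
        "mass_scheduled_tasks": mass_scheduled_tasks(lines),
        "security_center_overrides": security_center_overrides(lines),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a full ComboFix log by passing the file contents to analyze(). A hash mismatch against dllcache is a strong lead but not proof on its own (a hotfix that updates the live file and its dllcache copy at different times can produce one), so it is worth confirming with a signature check before treating the file as infected.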

I recommend that you install at least Service Pack 1 on your computer; with a computer as out of date as yours is, you are highly vulnerable.

After installing it, come back with a new ComboFix log.


Unfortunately it was not possible to make a ComboFix log, because today, after I got home from school, the HD would not boot (fail to boot from ide-0, something like that, and it had already happened before).

How should I proceed? Format the PC for the third time? Isn't there a way to delete the viruses from Linux? Because it seems that even after formatting the problems continue... it's really bad luck! Thank you for the help you have been giving me to solve these problems, Renato.

(I am talking to you through the Linux Kurumin 6.0 boot CD-ROM.)


This kind of error is usually associated with hardware problems. But try the following:

- Enter the Recovery Console from the CD

- Type the command fixboot

- Restart

It is not guaranteed, but it may solve this problem.
