
[Solved] HijackThis log analysis

#1 By Prof.Problematic, 04/04/2010 - 21:50
Well guys, my PC is infected again.
Something is slowing down my internet, and when I open Task Manager there are several processes with the same name. For example, when I open Google Chrome, about 4 processes named chrome.exe show up; it looks like the malware is hiding its "weight" under the names of other processes, you know?

There are several processes named svchost.exe; I opened the manager here and counted 6.

It's definitely infected...

Oh, and on top of that my mouse keeps double-clicking. Well, it's not every time I click that it double-clicks, but sometimes I click once on an icon and it opens right away.


I'll abuse your patience here and post a HijackThis report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:49:48, on 4/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\ARQUIV~1\WINDOW~4\MESSEN~1\msnmsgr.exe
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe
C:\WINDOWS\Drivers.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Arquivos comuns\Native Instruments\Hardware\NIHardwareService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\sXe Injected\sXe Injected.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogmoes.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=Explorer.exe "C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe"
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Drivers] Drivers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OIFdA8HS0cTgsDMa] C:\Documents and Settings\Usuario\Dados de aplicativos\IHInM.exe
O4 - HKLM\..\Run: [MSWUpdate] "C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIV~1\WINDOW~4\MESSEN~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [3obCwnwz6B3r4mEf4DM4] C:\Documents and Settings\Usuario\Dados de aplicativos\IHInM.exe
O4 - HKCU\..\Run: [Startup] C:\Documents and Settings\Usuario\Dados de aplicativos\Microsoft\svchost.exe
O4 - HKCU\..\Run: [MSWUpdate] "C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe"
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MSI" TRANSFORMS="C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MST" WISE_SETUP_EXE_PATH="d:\drivers\xp\PhysX_9.09.0203_SystemSoftware.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NIHardwareService - Native Instruments GmbH - C:\Arquivos de programas\Arquivos comuns\Native Instruments\Hardware\NIHardwareService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8271 bytes


I hope you can help me, thanks!
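An added example (not part of the thread and not code from HijackThis) that picks out mechanically the three signs a helper reads off a log like the one above: a core Windows binary name (lsass.exe, svchost.exe) running from a path outside system32, the F2 Winlogon Shell entry carrying anything besides plain Explorer.exe, and O4 Run entries that launch an executable dropped straight into the user's Application Data folder. The sample log is a subset of the lines posted above; the system32 path and the Application Data folder names are assumptions for a default Brazilian-Portuguese Windows XP install.

```python
"""HijackThis log triage (added example, not the thread's or HijackThis' own code)."""
import re

# Core Windows binaries that legitimately run only from %SystemRoot%\system32.
# Assumption: default XP install, so that is C:\WINDOWS\system32.
SYSTEM_ONLY = {"lsass.exe", "svchost.exe", "smss.exe", "csrss.exe",
               "winlogon.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32"
# Per-user Application Data folder: English and Brazilian-Portuguese names (assumed).
APPDATA_NAMES = ("application data", "dados de aplicativos")

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run(?:Once)?): \[([^\]]*)\] (.*)$")
# First executable of a Run command: a quoted path, or an unquoted token/path ending in .exe.
EXE_RE = re.compile(r'^"([^"]+)"|^(\S.*?\.exe)(?=\s|$)', re.IGNORECASE)


def _split(path):
    """Return (parent_dir, file_name), lower-cased; parent is '' for a bare file name."""
    n = path.strip().strip('"').lower()
    return tuple(n.rsplit("\\", 1)) if "\\" in n else ("", n)


def check_exe_path(path):
    """Return a finding for one executable path, or None if it looks ordinary."""
    parent, name = _split(path)
    if name in SYSTEM_ONLY and not parent.startswith(SYSTEM32):
        return "core system binary name running outside system32"
    if name.endswith(".exe") and parent.endswith(APPDATA_NAMES):
        return "executable dropped directly into Application Data"
    return None


def _first_exe(command):
    m = EXE_RE.match(command.strip())
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0] if command.split() else ""


def triage_line(line, in_processes):
    """Findings for one log line; in_processes marks the 'Running processes' block."""
    line = line.strip()
    if in_processes:
        hit = check_exe_path(line)
        return f"process: {hit}: {line}" if hit else None
    m = F2_RE.match(line)
    if m:
        shell = m.group(1).strip()
        # Only a bare Explorer.exe is legitimate; anything appended is started at logon.
        return None if shell.lower() == "explorer.exe" else f"F2: Winlogon Shell hijacked: {shell}"
    m = O4_RE.match(line)
    if m:
        key, name, cmd = m.groups()
        hit = check_exe_path(_first_exe(cmd))
        return f"O4: {hit}: {key} [{name}] {cmd}" if hit else None
    return None


def triage_log(text):
    """Walk a whole HijackThis log and return the list of findings."""
    findings, in_processes = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and not line:      # a blank line ends the process list
            in_processes = False
            continue
        hit = triage_line(line, in_processes)
        if hit:
            findings.append(hit)
    return findings


# Sample input: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe
C:\WINDOWS\Drivers.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogmoes.com.br/
F2 - REG:system.ini: Shell=Explorer.exe "C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OIFdA8HS0cTgsDMa] C:\Documents and Settings\Usuario\Dados de aplicativos\IHInM.exe
O4 - HKLM\..\Run: [MSWUpdate] "C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Startup] C:\Documents and Settings\Usuario\Dados de aplicativos\Microsoft\svchost.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

The rules are deliberately narrow: they do not catch C:\WINDOWS\Drivers.exe, which only ComboFix's file listing later exposes, and a legitimate GoogleUpdate.exe under a vendor subfolder of Application Data is not flagged because the check requires the executable to sit directly in that folder.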
#2 By Wings, 04/04/2010 - 23:24
Good evening...

1.
*Download MalwareBytes Anti-Malware and save it to the desktop
*Install the program
*If an update is available, it will be downloaded automatically. Wait...
*The program will open automatically.
*On the [Scanner] tab, select the [Perform full scan] option
*Click [Scan] and select the drives to be examined
*At the end of the scan, you may be asked whether you want to remove objects from memory. Click [YES] > [OK] > [Show Results]
*Click [Remove Selected]
*A report (mbam-log-year-month-day.txt) will be displayed.
*Paste it in your next reply
#3 By Prof.Problematic, 07/04/2010 - 14:13
Sorry for the delay:

Malwarebytes' Anti-Malware 1.41
Versão do banco de dados: 3080
Windows 5.1.2600 Service Pack 2

7/4/2010 14:09:03
mbam-log-2010-04-07 (14-09-03).txt

Tipo de Verificação: Completa (C:\|D:\|)
Objetos verificados: 194202
Tempo decorrido: 21 minute(s), 56 second(s)

Processos da Memória infectados: 1
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 0
Valores do Registro infectados: 4
Ítens do Registro infectados: 2
Pastas infectadas: 0
Arquivos infectados: 3

Processos da Memória infectados:
C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe (Trojan.Delf) -> Failed to unload process.

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mswupdate (Trojan.Delf) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mswupdate (Trojan.Delf) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startup (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Ítens do Registro infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Delf) -> Data: c:\documents and settings\usuario\dados de aplicativos\lsass.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe "C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe") Good: (Explorer.exe) -> Quarantined and deleted successfully.

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
C:\Documents and Settings\Usuario\Dados de aplicativos\lsass.exe (Trojan.Delf) -> Delete on reboot.
C:\Documents and Settings\Usuario\Dados de aplicativos\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
#4 By Wings, 07/04/2010 - 14:16
1.
*Restart the PC

2.
*Open Malwarebytes and, on the [Quarantine] tab, select all results and click [Delete All]
*Click the [Logs] tab, select the report and click [Delete]

3.
*Temporarily disable your antivirus

Right-click the Avira icon next to the clock > click the "AntiVir Guard enable" option.

*Download ComboFix and save it to the desktop
*Double-click the Combofix.exe file
*Accept the agreement

*If the Windows Recovery Console is already installed, ComboFix will continue automatically. If it is not, a window like the one below will open. Click [YES] to accept its installation.

[Image: recovery-console-prompt.jpg]

*After installation, click [YES] to continue.

[Image: recovery-console-installed.jpg]

*Wait for all stages to complete

[Image: etapas.jpg]

*While ComboFix is running, avoid using the mouse and keyboard!! To interrupt the procedure, press N or 2 and then ENTER.

*The program will close automatically

*Paste the report created at C:\combofix.txt
#5 By Prof.Problematic, 07/04/2010 - 14:17
One detail, Wings:

Avira keeps detecting this lsass.exe file all the time.
And this svchost.exe, which is a system process, is using a lot of memory; I think it's infected. I just looked in Task Manager and it's using about 40k of memory, split across several processes with the same name (svchost.exe).

My processor is a Dual Core.

Thanks for the help!
#7 By Prof.Problematic, 07/04/2010 - 14:26
ComboFix 10-04-06.05 - Usuario 07/04/2010 14:22:08.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2047.1530 [GMT -3:00]
Executando de: c:\documents and settings\Usuario\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Usuario\CONFIG~1\Temp\502.exe
c:\recycler\S-1-5-21-1749116446-3057247965-332635848-5812
c:\recycler\S-1-5-21-1970601395-1321244834-035022554-0675
c:\recycler\S-1-5-21-2297343586-6272494075-040009090-2153
c:\recycler\S-1-5-21-3203183462-3241340938-390254462-0021
c:\recycler\S-1-5-21-3392365527-8542753521-296285443-0823
c:\recycler\S-1-5-21-3940196969-3483539428-584956541-2792
c:\recycler\S-1-5-21-4561385065-7808624782-800584739-1125
c:\recycler\S-1-5-21-4636260106-0204264988-619481103-4670
c:\recycler\S-1-5-21-7101522654-2026865012-908979605-3226
c:\recycler\S-1-5-21-7191813296-1971178592-541314401-5072
c:\recycler\S-1-5-21-7224763398-3624495936-886020820-8222
c:\recycler\S-1-5-21-7727233732-8024729907-807769288-2834
c:\recycler\S-1-5-21-9662597034-2355947882-421080828-4351
c:\windows\Drivers.exe
c:\windows\system32\incognito.exe
c:\windows\system32\YoItzVlad22222.tmp

.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-03-07 to 2010-04-07 ))))))))))))))))))))))))))))
.

Nenhum ficheiro/arquivo criado durante este período

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 17:12 . 2009-11-05 23:02 -------- d-----w- c:\documents and settings\Usuario\Dados de aplicativos\Skype
2010-04-07 16:33 . 2009-11-05 23:05 -------- d-----w- c:\documents and settings\Usuario\Dados de aplicativos\skypePM
2010-04-07 02:01 . 2010-02-03 20:10 -------- d-----w- c:\arquivos de programas\sXe Injected
2010-04-07 01:12 . 2009-10-27 22:04 -------- d-----w- c:\arquivos de programas\Valve
2010-04-01 02:40 . 2010-04-01 02:40 34322 ----a-w- C:\ads98h394.exe
2010-03-30 19:30 . 2010-03-30 19:30 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Skype
2010-03-29 20:11 . 2010-03-29 20:11 126976 --sh--r- c:\documents and settings\Usuario\Dados de aplicativos\Drivers.exe
2010-03-29 20:11 . 2010-03-29 20:11 126976 --sh--r- c:\documents and settings\Usuario\Dados de aplicativos\Drivers.exe
2010-03-27 19:57 . 2009-08-03 00:59 -------- d-----w- c:\arquivos de programas\Java
2010-03-27 19:57 . 2010-03-27 19:57 152576 ----a-w- c:\documents and settings\Usuario\Dados de aplicativos\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-27 19:57 . 2009-11-23 17:47 79488 ----a-w- c:\documents and settings\Usuario\Dados de aplicativos\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-27 19:55 . 2010-03-27 19:55 5 ----a-w- c:\windows\system32\qwpdijifh.tmp
2010-03-27 19:55 . 2010-03-27 19:55 5 ----a-w- c:\windows\system32\qwdijiojdf.tmp
2010-03-24 21:19 . 2010-03-23 18:43 153 ----a-w- c:\arquivos de programas\y
2010-03-15 23:13 . 2009-12-11 23:07 1536 ----a-w- c:\arquivos de programas\readme.html
2010-03-13 15:59 . 2009-08-02 23:37 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2010-02-26 06:12 . 2004-08-04 03:45 664064 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2004-08-04 03:45 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-21 14:39 . 2001-10-28 12:07 48628 ----a-w- c:\windows\system32\perfc016.dat
2010-02-21 14:39 . 2001-10-28 12:07 344380 ----a-w- c:\windows\system32\perfh016.dat
2010-02-20 19:47 . 2010-01-29 02:15 -------- d-----w- c:\arquivos de programas\Megacubo
2010-02-12 18:56 . 2009-10-28 20:18 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2010-02-12 00:55 . 2010-02-10 23:59 -------- d-----w- c:\arquivos de programas\ROMs
2010-02-10 16:27 . 2010-02-10 16:27 -------- d-----w- c:\arquivos de programas\Robster Productions
2010-02-07 21:59 . 2009-10-28 23:12 -------- d-----w- c:\arquivos de programas\Warcrat III
2010-02-07 21:43 . 2009-10-29 14:01 -------- d-----w- c:\arquivos de programas\Garena
2009-12-11 23:03 . 2009-12-11 23:03 16346 ----a-w- c:\arquivos de programas\flower.zip
2009-12-11 23:03 . 2009-12-11 23:03 148151 ----a-w- c:\arquivos de programas\alpha_flowers.zip
2005-05-01 20:58 . 2009-12-11 23:07 232320 ----a-w- c:\arquivos de programas\AlphaFlowers.ttf
2001-07-20 01:34 . 2009-12-11 23:07 21872 ----a-w- c:\arquivos de programas\flower.TTF
2001-07-20 01:34 . 2009-12-11 23:07 11777 ----a-w- c:\arquivos de programas\folwer.gif
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquiv~1\WINDOW~4\MESSEN~1\msnmsgr.exe" [2009-07-26 3883840]
"ares"="c:\arquivos de programas\Ares\Ares.exe" [2010-01-22 1011712]
"Skype"="c:\arquivos de programas\Skype\\Phone\Skype.exe" [2010-03-09 26100520]
"Google Update"="c:\documents and settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-11-16 135664]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WiseStubReboot"="MSIEXEC" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"nwiz"="nwiz.exe" [2009-03-27 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"HP Software Update"="c:\arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Malwarebytes Anti-Malware (reboot)"="c:\arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\arquiv~1\ARQUIV~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Usuario\Menu Iniciar\Programas\Inicializar\
Adobe Gamma.lnk - c:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
HP Digital Imaging Monitor.lnk - c:\arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Games\\Counter-Strike Source\\hl2.exe"=
"c:\\Arquivos de programas\\Valve\\hl.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Arquivos de programas\\Garena\\Garena.exe"=
"c:\\Arquivos de programas\\Ares\\Ares.exe"=
"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Arquivos de programas\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Arquivos de programas\\Valve\\hlds.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\Warcrat III\\Warcraft III.exe"=
"c:\\Arquivos de programas\\Megacubo\\megacubo.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [2/8/2009 22:04 108289]
R2 NIHardwareService;NIHardwareService;c:\arquivos de programas\Arquivos comuns\Native Instruments\Hardware\NIHardwareService.exe [17/7/2009 10:32 3576320]
S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [16/11/2009 18:43 135664]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Usuario\CONFIG~1\Temp\DUJ239.tmp --> c:\docume~1\Usuario\CONFIG~1\Temp\DUJ239.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA1BEAC3-EFCE-B9FD-7E6E-9ABCDBFDB2F9}]
2010-03-29 20:25 242176 --sha-r- c:\windows\system32\javaw.exe
.
Conteúdo da pasta 'Tarefas Agendadas'

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-11-16 21:43]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-11-16 21:43]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.ogmoes.com.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\b2k2n26n.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ogmoes.com.br/
FF - prefs.js: keyword.URL -
FF - component: c:\documents and settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\b2k2n26n.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8817}\components\GbMzhBnt.dll
FF - component: c:\documents and settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\b2k2n26n.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll
FF - plugin: c:\arquivos de programas\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-3obCwnwz6B3r4mEf4DM4 - c:\documents and settings\Usuario\Dados de aplicativos\IHInM.exe
HKLM-Run-Drivers - Drivers.exe
HKLM-Run-OIFdA8HS0cTgsDMa - c:\documents and settings\Usuario\Dados de aplicativos\IHInM.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 14:25
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Usuario\CONFIG~1\Temp\DUJ239.tmp"
.
Tempo para conclusão: 2010-04-07 14:25:52
ComboFix-quarantined-files.txt 2010-04-07 17:25
ComboFix2.txt 2010-03-21 14:40

Pré-execução: 16 pasta(s) 111.930.847.232 bytes disponíveis
Pós execução: 17 pasta(s) 111.933.100.032 bytes disponíveis

- - End Of File - - 82BFFFE34306761BB2323B8655B50222
#8 By Wings, 07/04/2010 - 14:49
*Open Notepad, then select, copy and paste into it the entire content of the code below:

File::
c:\documents and settings\Usuario\Dados de aplicativos\Drivers.exe
c:\windows\system32\qwpdijifh.tmp
c:\windows\system32\qwdijiojdf.tmp
C:\ads98h394.exe
FileLook::
c:\arquivos de programas\y
*Save the file to the desktop as CFScript.txt
*Drag the file onto ComboFix as shown in the illustration below:

[Image]

*Important: while ComboFix is running, do not use the mouse or keyboard!! To interrupt the process, press N or 2.

*Paste the report created at C:\combofix.txt and a new HijackThis log
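An added example, not ComboFix's own code and not part of this thread, covering the two steps above: it parses the "Relatório Find3M" lines from the ComboFix log in post #7 and then writes a CFScript in the File:: / FileLook:: format the helper used in this post. The selection rules are assumptions modelled on what the helper flagged (a hidden+system executable in the profile, an executable in the drive root, tiny .tmp stubs in system32, and a small extensionless file to look at first); the attribute-column positions (d, s, h) are read off the values visible in the log and are also an assumption. The sample lines are a subset of the posted log.

```python
"""ComboFix Find3M triage and CFScript generation (added example, heuristics assumed)."""
import re
from dataclasses import dataclass

# modified-time . created-time size attrs path   (size is '--------' for directories)
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S{8}) (.+)$")


@dataclass
class Entry:
    modified: str
    created: str
    size: int        # 0 for directories
    attrs: str       # 8-char attribute field, e.g. '--sh--r-' or 'd-----w-'
    path: str

    # Assumed column meaning, inferred from the values seen in the log above.
    @property
    def is_dir(self): return self.attrs[0] == "d"
    @property
    def system(self): return self.attrs[2] == "s"
    @property
    def hidden(self): return self.attrs[3] == "h"


def parse_find3m(text):
    """Parse Find3M report lines; lines that do not match the format are ignored."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        mod, cre, size, attrs, path = m.groups()
        entries.append(Entry(mod, cre, int(size) if size.isdigit() else 0, attrs, path))
    return entries


def classify(entry):
    """Return 'delete', 'look' or None for one entry (assumed heuristics)."""
    if entry.is_dir:
        return None
    parent, _, name = entry.path.lower().rpartition("\\")
    if entry.hidden and entry.system and name.endswith(".exe"):
        return "delete"      # hidden+system executable: nothing legitimate is shipped this way in a profile
    if parent == "c:" and name.endswith(".exe"):
        return "delete"      # executable dropped in the drive root
    if parent.endswith("system32") and name.endswith(".tmp") and entry.size < 64:
        return "delete"      # tiny .tmp stub in system32
    if "." not in name and entry.size < 1024:
        return "look"        # small extensionless file: inspect (FileLook::) before deleting
    return None


def build_cfscript(entries):
    """Render a CFScript with a File:: block for deletions and a FileLook:: block for inspection."""
    delete, look = [], []
    for e in entries:
        verdict = classify(e)
        if verdict == "delete" and e.path not in delete:   # the log listed Drivers.exe twice
            delete.append(e.path)
        elif verdict == "look" and e.path not in look:
            look.append(e.path)
    lines = []
    if delete:
        lines += ["File::", *delete]
    if look:
        lines += ["FileLook::", *look]
    return "\n".join(lines) + "\n"


# Sample input: a subset of the Find3M lines from the ComboFix log in post #7.
SAMPLE_FIND3M = r"""
2010-04-07 17:12 . 2009-11-05 23:02 -------- d-----w- c:\documents and settings\Usuario\Dados de aplicativos\Skype
2010-04-01 02:40 . 2010-04-01 02:40 34322 ----a-w- C:\ads98h394.exe
2010-03-29 20:11 . 2010-03-29 20:11 126976 --sh--r- c:\documents and settings\Usuario\Dados de aplicativos\Drivers.exe
2010-03-29 20:11 . 2010-03-29 20:11 126976 --sh--r- c:\documents and settings\Usuario\Dados de aplicativos\Drivers.exe
2010-03-27 19:57 . 2009-08-03 00:59 -------- d-----w- c:\arquivos de programas\Java
2010-03-27 19:55 . 2010-03-27 19:55 5 ----a-w- c:\windows\system32\qwpdijifh.tmp
2010-03-27 19:55 . 2010-03-27 19:55 5 ----a-w- c:\windows\system32\qwdijiojdf.tmp
2010-03-24 21:19 . 2010-03-23 18:43 153 ----a-w- c:\arquivos de programas\y
2010-03-15 23:13 . 2009-12-11 23:07 1536 ----a-w- c:\arquivos de programas\readme.html
2010-02-26 06:12 . 2004-08-04 03:45 664064 ----a-w- c:\windows\system32\wininet.dll
"""

if __name__ == "__main__":
    print(build_cfscript(parse_find3m(SAMPLE_FIND3M)), end="")
```

Run on the sample it reproduces the helper's script: the four File:: paths and "y" under FileLook::, with the duplicated Drivers.exe line collapsed to one entry and wininet.dll and readme.html left alone. Anything the rules put in FileLook:: is meant to be inspected (hash, size, strings) before it is promoted to File::.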
#9 By Prof.Problematic, 07/04/2010 - 15:15
ComboFix 10-04-06.05 - Usuario 07/04/2010 15:13:06.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2047.1580 [GMT -3:00]
Executando de: c:\documents and settings\Usuario\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Usuario\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"C:\ads98h394.exe"
"c:\documents and settings\Usuario\Dados de aplicativos\Drivers.exe"
"c:\windows\system32\qwdijiojdf.tmp"
"c:\windows\system32\qwpdijifh.tmp"
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ads98h394.exe
c:\documents and settings\Usuario\Dados de aplicativos\Drivers.exe
c:\windows\system32\qwdijiojdf.tmp
c:\windows\system32\qwpdijifh.tmp

.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-03-07 to 2010-04-07 ))))))))))))))))))))))))))))
.

Nenhum ficheiro/arquivo criado durante este período

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 18:08 . 2010-02-03 20:10 -------- d-----w- c:\arquivos de programas\sXe Injected
2010-04-07 17:53 . 2009-10-27 22:04 -------- d-----w- c:\arquivos de programas\Valve
2010-04-07 17:12 . 2009-11-05 23:02 -------- d-----w- c:\documents and settings\Usuario\Dados de aplicativos\Skype
2010-04-07 16:33 . 2009-11-05 23:05 -------- d-----w- c:\documents and settings\Usuario\Dados de aplicativos\skypePM
2010-03-30 19:30 . 2010-03-30 19:30 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Skype
2010-03-27 19:57 . 2009-08-03 00:59 -------- d-----w- c:\arquivos de programas\Java
2010-03-27 19:57 . 2010-03-27 19:57 152576 ----a-w- c:\documents and settings\Usuario\Dados de aplicativos\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-27 19:57 . 2009-11-23 17:47 79488 ----a-w- c:\documents and settings\Usuario\Dados de aplicativos\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-24 21:19 . 2010-03-23 18:43 153 ----a-w- c:\arquivos de programas\y
2010-03-15 23:13 . 2009-12-11 23:07 1536 ----a-w- c:\arquivos de programas\readme.html
2010-03-13 15:59 . 2009-08-02 23:37 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2010-02-26 06:12 . 2004-08-04 03:45 664064 ------w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2004-08-04 03:45 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-21 14:39 . 2001-10-28 12:07 48628 ----a-w- c:\windows\system32\perfc016.dat
2010-02-21 14:39 . 2001-10-28 12:07 344380 ----a-w- c:\windows\system32\perfh016.dat
2010-02-20 19:47 . 2010-01-29 02:15 -------- d-----w- c:\arquivos de programas\Megacubo
2010-02-12 18:56 . 2009-10-28 20:18 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2010-02-12 00:55 . 2010-02-10 23:59 -------- d-----w- c:\arquivos de programas\ROMs
2010-02-10 16:27 . 2010-02-10 16:27 -------- d-----w- c:\arquivos de programas\Robster Productions
2010-02-07 21:59 . 2009-10-28 23:12 -------- d-----w- c:\arquivos de programas\Warcrat III
2010-02-07 21:43 . 2009-10-29 14:01 -------- d-----w- c:\arquivos de programas\Garena
2009-12-11 23:03 . 2009-12-11 23:03 16346 ----a-w- c:\arquivos de programas\flower.zip
2009-12-11 23:03 . 2009-12-11 23:03 148151 ----a-w- c:\arquivos de programas\alpha_flowers.zip
2005-05-01 20:58 . 2009-12-11 23:07 232320 ----a-w- c:\arquivos de programas\AlphaFlowers.ttf
2001-07-20 01:34 . 2009-12-11 23:07 21872 ----a-w- c:\arquivos de programas\flower.TTF
2001-07-20 01:34 . 2009-12-11 23:07 11777 ----a-w- c:\arquivos de programas\folwer.gif
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\arquivos de programas\y ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 153
Created time: 2010-03-23 18:43
Modified time: 2010-03-24 21:19
MD5: 34D8418E23562646F798F1574AEADA71
SHA1: E08E2F57CF751C9D6C620D99840CCB0EE3B63AE6


(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquiv~1\WINDOW~4\MESSEN~1\msnmsgr.exe" [2009-07-26 3883840]
"ares"="c:\arquivos de programas\Ares\Ares.exe" [2010-01-22 1011712]
"Skype"="c:\arquivos de programas\Skype\\Phone\Skype.exe" [2010-03-09 26100520]
"Google Update"="c:\documents and settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-11-16 135664]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WiseStubReboot"="MSIEXEC" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"nwiz"="nwiz.exe" [2009-03-27 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"HP Software Update"="c:\arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Malwarebytes Anti-Malware (reboot)"="c:\arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\arquiv~1\ARQUIV~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Usuario\Menu Iniciar\Programas\Inicializar\
Adobe Gamma.lnk - c:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
HP Digital Imaging Monitor.lnk - c:\arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Games\\Counter-Strike Source\\hl2.exe"=
"c:\\Arquivos de programas\\Valve\\hl.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Arquivos de programas\\Garena\\Garena.exe"=
"c:\\Arquivos de programas\\Ares\\Ares.exe"=
"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Arquivos de programas\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Arquivos de programas\\Valve\\hlds.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\Warcrat III\\Warcraft III.exe"=
"c:\\Arquivos de programas\\Megacubo\\megacubo.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [2/8/2009 22:04 108289]
R2 NIHardwareService;NIHardwareService;c:\arquivos de programas\Arquivos comuns\Native Instruments\Hardware\NIHardwareService.exe [17/7/2009 10:32 3576320]
S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [16/11/2009 18:43 135664]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Usuario\CONFIG~1\Temp\DUJ239.tmp --> c:\docume~1\Usuario\CONFIG~1\Temp\DUJ239.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA1BEAC3-EFCE-B9FD-7E6E-9ABCDBFDB2F9}]
2010-03-29 20:25 242176 --sha-r- c:\windows\system32\javaw.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-11-16 21:43]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-11-16 21:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ogmoes.com.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\b2k2n26n.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ogmoes.com.br/
FF - prefs.js: keyword.URL -
FF - component: c:\documents and settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\b2k2n26n.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8817}\components\GbMzhBnt.dll
FF - component: c:\documents and settings\Usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\b2k2n26n.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 15:14
Windows 5.1.2600 Service Pack 2 NTFS

Scanning for hidden processes ...

Scanning for hidden autostart entries ...

Scanning for hidden files ...

Scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Usuario\CONFIG~1\Temp\DUJ239.tmp"
.
Completion time: 2010-04-07 15:14:49
ComboFix-quarantined-files.txt 2010-04-07 18:14
ComboFix2.txt 2010-04-07 17:25
ComboFix3.txt 2010-03-21 14:40

Pre-Run: 16 folder(s) 111.928.565.760 bytes free
Post-Run: 17 folder(s) 111.918.698.496 bytes free

- - End Of File - - AF9395709BBC1F1C532197E4D8BFC681

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:15:38, on 7/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Ares\Ares.exe
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Arquivos comuns\Native Instruments\Hardware\NIHardwareService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ogmoes.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIV~1\WINDOW~4\MESSEN~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Usuario\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MSI" TRANSFORMS="C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MST" WISE_SETUP_EXE_PATH="d:\drivers\xp\PhysX_9.09.0203_SystemSoftware.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NIHardwareService - Native Instruments GmbH - C:\Arquivos de programas\Arquivos comuns\Native Instruments\Hardware\NIHardwareService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7217 bytes

Thanks!
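An added example, not part of the thread and not code from HijackThis or ComboFix: a first-pass triage script for HijackThis-style logs like the two posted here. It surfaces the two things a reviewer checks first in such logs: a core Windows binary name (lsass.exe, svchost.exe, ...) running from a directory other than C:\WINDOWS or C:\WINDOWS\system32, and autostart entries, services or browser helpers whose image lives in a user-writable folder (Temp, Application Data, and their Brazilian-Portuguese XP names). It assumes Windows is installed in C:\WINDOWS, as in these logs; the sample log embedded in it is constructed for the example, and the vendor, CLSID and service names in it are made up.

```python
"""Added example: first-pass triage of a HijackThis-style log (not from the thread)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section item reason")

# Core Windows binaries that legitimately run only from the Windows directory
# or its system32 subdirectory; a same-named file elsewhere is a masquerade.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Assumption: Windows is installed in C:\WINDOWS, as in the logs in this thread.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Folder names that mean "writable by the logged-on user", in the English and
# Brazilian-Portuguese spellings Windows XP uses.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\dados de aplicativos\\",
                 "\\local settings\\", "\\configurações locais\\")

# A drive-rooted or %VAR%-rooted path ending in an executable extension; spaces
# are allowed because XP paths such as "Arquivos de programas" contain them.
IMAGE_RE = re.compile(r'((?:[a-z]:\\|%[^%]+%\\)[^",]*?\.(?:exe|dll|cpl|sys))', re.I)


def parse_hjt(log_text):
    """Return (running-process paths, 'Oxx - ' entries) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # the process list ends at the first blank line
            continue
        if re.match(r"O\d+ - ", line):
            entries.append(line)
    return processes, entries


def _folder(path):
    return path.rsplit("\\", 1)[0].lower()


def _is_user_writable(path):
    return any(marker in _folder(path) + "\\" for marker in USER_WRITABLE)


def triage(log_text):
    """Flag masquerading system binaries (HIGH) and user-writable load points (REVIEW)."""
    processes, entries = parse_hjt(log_text)
    findings = []
    for proc in processes:
        name = proc.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_ONLY and _folder(proc) not in SYSTEM_DIRS:
            findings.append(Finding("HIGH", "process", proc,
                                    f"{name} is a core Windows binary but runs from {_folder(proc)}"))
        elif _is_user_writable(proc):
            findings.append(Finding("REVIEW", "process", proc,
                                    "process image lives in a user-writable folder"))
    for entry in entries:
        kind = entry.split(" - ", 1)[0]
        if kind == "O23":  # O23 - Service: Name (short) - Company - Path
            parts = entry.split(" - ")
            if len(parts) >= 4 and parts[2].strip().lower() == "unknown owner":
                findings.append(Finding("REVIEW", kind, entry,
                                        "service binary carries no company name"))
        for image in IMAGE_RE.findall(entry):
            if _is_user_writable(image):
                findings.append(Finding("REVIEW", kind, entry,
                                        f"load point {image} is in a user-writable folder"))
    return findings


def flagged_items(log_text, severity=None):
    """The flagged log lines at the given severity (or at any severity)."""
    return {f.item for f in triage(log_text) if severity in (None, f.severity)}


# Constructed sample log for the example; vendor, CLSID and service names are made up.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\User\Application Data\lsass.exe
C:\Program Files\Example Vendor\app.exe

O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example Vendor\helper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\User\LOCALS~1\Temp\updater.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Helper Service (helpersvc) - Unknown owner - C:\WINDOWS\system32\helpersvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:8} {f.item}\n       {f.reason}")
```

Two caveats when reading its output. REVIEW is deliberately not a verdict: per-user installs such as Google Update legitimately run from the user's local application data folder, so those hits need an allowlist or a human. And several svchost.exe instances from system32 are normal on XP (each hosts a group of services), so the script does not count them. The script reads only the HijackThis format; the ComboFix output above is a different format, and an entry like the Active Setup component pointing at c:\windows\system32\javaw.exe with system, hidden and read-only attributes, on a machine whose JRE is installed under c:\arquivos de programas\Java\jre6 (a JRE's javaw.exe lives in that bin folder, not in system32), is the kind of location mismatch the HIGH rule is aimed at and is worth a second look by whoever is helping here.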
#11 By Prof.Problematic, 07/04/2010 - 15:22
Wings, before I do this new procedure you asked for: after my PC has been on for a while it no longer plays music, because it says there is a problem with the sound device. It's as if the audio driver were temporarily uninstalled; nothing that needs it can be heard, YouTube videos have no sound, and so on. What could that be?


Thanks!
© 1999-2025 Hardware.com.br. All rights reserved.