
Log Analysis

trojan log analysis


There are 8 replies to this topic

#1 augustocezar    

augustocezar
  • Member
  • 47 posts

Posted 28 December 2012 - 09:56 AM

Dear all,

I am requesting a log analysis, having completed all the steps in the topic. Last night I noticed that my PC was very slow opening web pages, but I did not imagine it was malware.

However, when shutting down the computer, I saw a message saying that the program f20 was being terminated. Curious to know what program this is, I searched the internet and found that it is Trojan.Win32.Rozena.AMN.

I am not sure whether my computer is infected (it probably is, but I do not know the extent of the damage).

Here is my log.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:49:42, on 28/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\ARQUIV~1\AVG\AVG2013\avgrsx.exe
C:\Arquivos de programas\AVG\AVG2013\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\CheckPoint\ZoneAlarm\vsmon.exe
C:\Arquivos de programas\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\AVG\AVG2013\avgidsagent.exe
C:\Arquivos de programas\AVG\AVG2013\avgwdsvc.exe
C:\Arquivos de programas\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Arquivos de programas\Java\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
C:\Arquivos de programas\AVG\AVG2013\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\AVG\AVG2013\avgemcx.exe
C:\Arquivos de programas\AVG\AVG2013\avgui.exe
C:\Arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe
D:\real player\update\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\AVG\AVG2013\avgcsrvx.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zoneal...000001c25ae34cf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - D:\Arquivos de programas\Shareaza\RazaWebHook32.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Arquivos de programas\Check Point Software Technologies LTD\zonealarm\1.6.7.4\bh\zonealarm.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Arquivos de programas\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Arquivos de programas\Java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Arquivos de programas\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Arquivos de programas\Check Point Software Technologies LTD\zonealarm\1.6.7.4\zonealarmTlbr.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Arquivos de programas\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Arquivos de programas\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [ISW] C:\Arquivos de programas\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\real player\update\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with &Shareaza - res://D:\Arquivos de programas\Shareaza\RazaWebHook32.dll/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Exibir ou ocultar HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\arquivos de programas\bonjour\mdnsnsp.dll' missing
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Firewall do AVG (avgfws) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgfws.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgidsagent.exe
O23 - Service: Watchdog do AVG (avgwd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Serviço do Google Update (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Arquivos de programas\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - D:\Arquivos de programas\Java\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Arquivos de programas\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Arquivos de programas\Skype\Updater\Updater.exe
O23 - Service: TomTomHOMEService - TomTom - D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Arquivos de programas\CheckPoint\ZoneAlarm\vsmon.exe

--
End of file - 9345 bytes



#2 Mr.Million    

Mr.Million

    Consumer Security MVP

  • Expert
  • 65448 posts

Posted 28 December 2012 - 10:08 AM

Download Malwarebytes' Anti-Malware (MBAM) or here.

Save or print these instructions:

Double-click mbam-setup.exe, choose the language and, during installation, accept all the default options.
Make sure the boxes Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware are checked, then click Finish.
If there are updates to be applied, they will be downloaded and installed.
When the update finishes, with the program open, select Quick Scan and click the Scan button.
The scan will then begin. Wait, as it may take a while.
When the scan finishes, click OK, then the Show Results button to view the report.

If any items were found, make sure they are all checked and click the Remove button.

When the disinfection finishes, Notepad will open with a log, and a prompt may appear asking whether you want to restart the PC. (See Note below)
The log is saved automatically by MBAM; to view it, click the Logs tab in the program's main window.

NOTE: If MBAM finds files it cannot remove, you may need to restart the PC (perhaps more than once). Do so immediately when asked whether you want to restart.

Select, copy and paste the contents of the MBAM log into your next reply, plus a new HijackThis log.

#3 augustocezar    

augustocezar
  • Member
  • 47 posts

Posted 28 December 2012 - 10:52 AM

Dear Mr. Million,

I carried out the requested procedures. Here is the MBAM log plus the new HijackThis log.


Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Versão da Base de Dados:  v2012.12.28.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Guto :: EXPERT [administrador]

28/12/2012 11:29:21
mbam-log-2012-12-28 (11-29-21).txt

Tipo de Verificação:  Verificação Rápida
Opções de verificações ativadas: Memória | Inicialização | Registro | Sistema de arquivos  | Heurística/Extra | Heurística/Shuriken | PUP | PUM
Opções de verificação desativadas: P2P
Objetos escaneados:  322685
Tempo decorrido: 15 minuto(s), 23 segundo(s)

Processos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Módulos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Chaves de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Valores de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Pastas Detectadas: 0
(Não foram detectados ítens maliciosos)

Arquivos Detectados: 0
(Não foram detectados ítens maliciosos)

(fim)

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:52:02, on 28/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\ARQUIV~1\AVG\AVG2013\avgrsx.exe
C:\Arquivos de programas\AVG\AVG2013\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\CheckPoint\ZoneAlarm\vsmon.exe
C:\Arquivos de programas\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\AVG\AVG2013\avgidsagent.exe
C:\Arquivos de programas\AVG\AVG2013\avgwdsvc.exe
C:\Arquivos de programas\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Arquivos de programas\Java\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
C:\Arquivos de programas\AVG\AVG2013\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\AVG\AVG2013\avgemcx.exe
C:\Arquivos de programas\AVG\AVG2013\avgui.exe
C:\Arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe
D:\real player\update\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\AVG\AVG2013\avgcsrvx.exe
D:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zoneal...000001c25ae34cf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - D:\Arquivos de programas\Shareaza\RazaWebHook32.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Arquivos de programas\Check Point Software Technologies LTD\zonealarm\1.6.7.4\bh\zonealarm.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Arquivos de programas\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Arquivos de programas\Java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Arquivos de programas\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Arquivos de programas\Check Point Software Technologies LTD\zonealarm\1.6.7.4\zonealarmTlbr.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Arquivos de programas\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Arquivos de programas\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [ISW] C:\Arquivos de programas\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] D:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with &Shareaza - res://D:\Arquivos de programas\Shareaza\RazaWebHook32.dll/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Exibir ou ocultar HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\arquivos de programas\bonjour\mdnsnsp.dll' missing
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Firewall do AVG (avgfws) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgfws.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgidsagent.exe
O23 - Service: Watchdog do AVG (avgwd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Serviço do Google Update (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Arquivos de programas\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - D:\Arquivos de programas\Java\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Arquivos de programas\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Arquivos de programas\Skype\Updater\Updater.exe
O23 - Service: TomTomHOMEService - TomTom - D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Arquivos de programas\CheckPoint\ZoneAlarm\vsmon.exe

--
End of file - 9518 bytes
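Because the diagnosis in this thread rests on comparing the two HijackThis logs above, here is an added Python example (not from the thread, from HijackThis or from Malwarebytes) that parses that v2.0.4 log format, reports what changed between two scans, and flags the O4 autostart entries a reviewer examines first. The two log excerpts embedded in it are constructed to mirror the format of the logs posted above; they are not the poster's full logs.

```python
import re
from typing import Dict, List, Set

# Constructed excerpts in the format of the two HijackThis logs posted above (trimmed).
LOG_BEFORE = r"""Scan saved at 10:49:42, on 28/12/2012

Running processes:
C:\WINDOWS\System32\smss.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG_UI] "C:\Arquivos de programas\AVG\AVG2013\avgui.exe" /TRAYONLY
O23 - Service: TomTomHOMEService - TomTom - D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe

End of file - 9345 bytes
"""

LOG_AFTER = r"""Scan saved at 11:52:02, on 28/12/2012

Running processes:
C:\WINDOWS\System32\smss.exe
D:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG_UI] "C:\Arquivos de programas\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] D:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O23 - Service: TomTomHOMEService - TomTom - D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe

End of file - 9518 bytes
"""

# Every HijackThis finding starts with a section code: R0/R1 (IE URLs), O2 (BHOs), O4 (autostarts), O23 (services)...
ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")
# O4 lines have the shape "O4 - <hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Split a HijackThis log into its 'Running processes' list and its Rn/On finding lines."""
    processes: Set[str] = set()
    entries: Set[str] = set()
    in_procs = False
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True          # the process list runs until the first blank line
        elif in_procs:
            if line:
                processes.add(line)
            else:
                in_procs = False
        elif ENTRY_RE.match(line):
            entries.add(line)
    return {"processes": processes, "entries": entries}

def diff_hjt(before: str, after: str) -> Dict[str, Set[str]]:
    """What appeared or disappeared between two scans of the same machine."""
    a, b = parse_hjt(before), parse_hjt(after)
    return {
        "new_processes": b["processes"] - a["processes"],
        "gone_processes": a["processes"] - b["processes"],
        "new_entries": b["entries"] - a["entries"],
        "gone_entries": a["entries"] - b["entries"],
    }

def image_path(cmd: str) -> str:
    """Executable part of an O4 command line: the quoted path, else everything up to the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]

def o4_review_flags(text: str) -> Dict[str, List[str]]:
    """Two checks a reviewer applies to every O4 autostart entry: 'bare_name' (no directory,
    so the image is resolved via the search path, like "RTHDCPL"="RTHDCPL.EXE" in the thread)
    and 'unquoted_space' (an unquoted path with spaces, which CreateProcess parses piecewise)."""
    flags: Dict[str, List[str]] = {"bare_name": [], "unquoted_space": []}
    for line in sorted(parse_hjt(text)["entries"]):
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        path = image_path(cmd)
        if "\\" not in path:
            flags["bare_name"].append(m.group("name"))
        elif not cmd.startswith('"') and " " in path:
            flags["unquoted_space"].append(m.group("name"))
    return flags

if __name__ == "__main__":
    for key, values in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}: {sorted(values)}")
    print("review flags (after):", o4_review_flags(LOG_AFTER))
```

On the constructed excerpts the diff reports only the mbam.exe process and the Malwarebytes RunOnce entry as new, which is what the second log above shows after the MBAM run; on the full logs the same code reads every section line (R0, O2, O23 and so on), not just O4.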



#4 Mr.Million    

Mr.Million

    Consumer Security MVP

  • Expert
  • 65448 posts

Posted 28 December 2012 - 11:52 AM

Disable your Antivirus, AntiSpyware and Firewall to avoid conflicts. Keep them disabled until you have finished the instructions.

Download ComboFix

Save it to your Desktop (for the tool to run correctly it must be on the Desktop).
Close all windows and programs.

You must remain connected during the ComboFix procedure;

Run combofix.exe and press "Yes" to proceed. Wait, as it takes a while.

NOTE: If you do not want the Windows Recovery Console to be installed, click "No" and then agree so that the scan proceeds.
Once the Console is installed, the Operating System selection screen will be shown at system startup.
More information about the Console:
http://support.micro...kb/307654/pt-br

ComboFix will restart the PC automatically to complete the removal process. If that does not happen, restart manually.
When it finishes, a log will be generated at C:\ComboFix.txt. Select, copy and paste the contents of ComboFix.txt into your next reply, plus a new HijackThis log.

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running. To stop or exit ComboFix, press "N".

NOTE 2: Do not run ComboFix more than once. Doing so will overwrite the log and make removing the malware harder.

If an error occurs, restart the computer in Safe Mode (press the F8 key repeatedly, or F5 in some cases, during startup) and repeat the procedure.


#5 augustocezar    

augustocezar
  • Member
  • 47 posts

Posted 28 December 2012 - 03:57 PM

Dear Mr. Million,

I carried out the requested procedures (I had problems with ComboFix); here are the logs for analysis.

I would like to ask you a question: is the file C:\32788r22fwjff\pev.3xe a threat? AVG detected this file as a threat.


ComboFix 12-12-28.02 - Guto 28/12/2012  16:26:13.6.2 - x86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.55.1046.18.2038.1772 [GMT -2:00]
Executando de: c:\documents and settings\Guto\Desktop\ComboFix.exe
.
.
((((((((((((((((   Arquivos/Ficheiros criados de 2012-11-28 to 2012-12-28  ))))))))))))))))))))))))))))
.
.
2012-12-28 16:35 . 2012-12-28 16:35    --------    d-----w-    c:\windows\system32\wbem\Repository
2012-12-28 15:23 . 2012-12-28 15:23    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\AVG2013
2012-12-28 15:23 . 2012-12-28 15:23    --------    d-----w-    c:\windows\system32\config\systemprofile\Dados de aplicativos\AVG2013
2012-12-28 15:22 . 2012-12-28 15:22    --------    d-----w-    c:\documents and settings\Guto\Configurações locais\Dados de aplicativos\AVG Secure Search
2012-12-28 15:22 . 2012-12-28 15:22    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\AVG Secure Search
2012-12-28 15:22 . 2012-12-28 15:21    26984    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2012-12-28 15:22 . 2012-12-28 15:22    --------    d-----w-    c:\arquivos de programas\Arquivos comuns\AVG Secure Search
2012-12-28 15:22 . 2012-12-28 15:22    --------    d-----w-    c:\arquivos de programas\AVG Secure Search
2012-12-28 15:20 . 2012-12-28 15:20    --------    d-----w-    C:\$AVG
2012-12-28 15:20 . 2012-12-28 15:23    --------    d-----w-    c:\documents and settings\All Users\Dados de aplicativos\AVG2013
2012-12-28 15:17 . 2012-12-28 15:17    --------    d-----w-    c:\documents and settings\Guto\Configurações locais\Dados de aplicativos\Avg2013
2012-12-28 13:11 . 2012-12-28 13:16    10156344    ----a-w-    C:\mbam-setup-1.70.0.1100.exe
2012-12-28 12:41 . 2012-12-28 12:41    388608    ----a-w-    C:\HijackThis.exe
2012-12-18 15:43 . 2012-12-18 15:43    --------    d-----w-    c:\documents and settings\Inalda\Dados de aplicativos\Check Point Software Technologies LTD
2012-12-14 21:37 . 2012-12-14 21:37    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\Check Point Software Technologies LTD
2012-12-10 17:30 . 2012-12-10 17:30    --------    d-----w-    c:\documents and settings\Inalda\Dados de aplicativos\CheckPoint
2012-12-10 03:05 . 2012-12-10 03:05    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\CheckPoint
2012-12-10 03:02 . 2012-12-10 03:02    --------    d-----w-    c:\arquivos de programas\Check Point Software Technologies LTD
2012-12-10 03:02 . 2012-12-10 03:05    --------    d-----w-    c:\arquivos de programas\CheckPoint
2012-12-10 03:02 . 2012-12-10 03:02    --------    d-----w-    c:\documents and settings\All Users\Dados de aplicativos\CheckPoint
2012-12-10 02:37 . 2012-12-10 02:37    --------    d-----w-    c:\arquivos de programas\AVG
2012-12-10 00:13 . 2012-12-10 00:13    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\TuneUp Software
2012-12-10 00:02 . 2012-12-10 00:02    --------    d-----w-    c:\documents and settings\Guto\Configurações locais\Dados de aplicativos\MFAData
2012-12-01 18:56 . 2012-12-27 16:54    --------    d-----w-    c:\documents and settings\Inalda\Tracing
.
.
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2004-08-04 02:44    290560    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 18:49 . 2010-10-12 02:17    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-12 03:06 . 2012-04-13 22:33    697272    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2012-12-12 03:06 . 2011-05-29 22:57    73656    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 11:55 . 2004-08-04 02:38    1866496    ----a-w-    c:\windows\system32\win32k.sys
2012-11-02 02:04 . 2004-08-04 02:45    375296    ----a-w-    c:\windows\system32\dpnet.dll
2012-11-01 12:12 . 2004-08-04 02:45    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2012-11-01 12:12 . 2004-08-04 02:45    916992    ----a-w-    c:\windows\system32\wininet.dll
2012-11-01 12:12 . 2004-08-04 02:45    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2012-11-01 00:35 . 2004-08-04 02:37    385024    ----a-w-    c:\windows\system32\html.iec
2012-10-22 15:02 . 2012-10-22 15:02    179936    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2012-10-15 05:48 . 2012-10-15 05:48    55776    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2012-10-05 05:32 . 2012-10-05 05:32    93536    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2012-10-02 18:04 . 2004-08-04 02:45    58368    ----a-w-    c:\windows\system32\synceng.dll
2012-10-02 05:30 . 2012-10-02 05:30    159712    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2012-12-07 22:31 . 2012-12-07 22:30    262112    ----a-w-    c:\arquivos de programas\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-11 16861184]
"WinPatrol"="d:\arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [2012-01-02 325728]
"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"ISW"="" [BU]
"ZoneAlarm"="c:\arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe" [2012-11-07 73392]
"AVG_UI"="c:\arquivos de programas\AVG\AVG2013\avgui.exe" [2012-11-06 3143800]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\Inalda\Menu Iniciar\Programas\Inicializar\
OpenOffice.org 3.3.lnk - c:\arquivos de programas\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0c:\arquiv~1\AVG\AVG10\avgchsvx.exe /sync\0c:\arquiv~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Guto^Menu Iniciar^Programas^Inicializar^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\Guto\Menu Iniciar\Programas\Inicializar\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51    919008    ----a-w-    c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 00:28    59240    ----a-w-    c:\arquivos de programas\Arquivos comuns\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-05 00:04    136176    ----atw-    c:\documents and settings\Guto\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-01-13 12:47    163840    -c--a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-01-12 15:21    49208    ----a-w-    d:\arquivos de programas\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware]
2012-12-14 18:49    512360    ----a-w-    d:\arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 22:21    1695232    ------w-    c:\arquivos de programas\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-18 23:56    421888    ----a-w-    c:\arquivos de programas\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 16:33    17418928    ----a-r-    c:\arquivos de programas\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 14:07    252296    ----a-w-    c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-05-29 00:30    296056    ----a-w-    d:\real player\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2012-08-28 09:41    247768    ----a-w-    c:\arquivos de programas\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Arquivos de programas\\KONAMI\\Pro Evolution Soccer 2008 US\\PES2008.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"d:\\Arquivos de programas\\HP\\HP Software Update\\hpwucli.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Guto\\Configurações locais\\Dados de aplicativos\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Arquivos de programas\\Shareaza\\Shareaza.exe"=
"d:\\Arquivos de programas\\IAHGames\\Counter-Strike Online\\Bin\\cstrike-online.exe"=
"d:\\Arquivos de programas\\IAHGames\\Counter-Strike Online\\Bin\\NMService.exe"=
"c:\\Arquivos de programas\\Arquivos comuns\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"c:\\Arquivos de programas\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Arquivos de programas\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Arquivos de programas\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Arquivos de programas\\AVG\\AVG2013\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [15/10/2012 03:48 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [21/9/2012 03:46 177376]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [14/9/2012 03:05 35552]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [22/10/2012 13:02 179936]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [21/9/2012 03:45 19936]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/10/2012 03:30 159712]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [21/9/2012 03:46 164832]
S2 AVGIDSAgent;AVGIDSAgent;c:\arquivos de programas\AVG\AVG2013\avgidsagent.exe [6/11/2012 19:00 5814392]
S2 avgwd;Watchdog do AVG;c:\arquivos de programas\AVG\AVG2013\avgwdsvc.exe [22/10/2012 13:05 196664]
S2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\arquivos de programas\CheckPoint\ZAForceField\ISWKL.sys [2/11/2012 16:17 27056]
S2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\arquivos de programas\CheckPoint\ZAForceField\ISWSVC.exe [2/11/2012 16:17 497320]
S2 SkypeUpdate;Skype Updater;c:\arquivos de programas\Skype\Updater\Updater.exe [13/7/2012 14:28 160944]
S2 TomTomHOMEService;TomTomHOMEService;d:\arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 09:31 92008]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
HPService    REG_MULTI_SZ       HPSLPSVC
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2012-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 03:06]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-08-18 18:58]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-08-18 18:58]
.
2012-12-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1644491937-448539723-839522115-1006.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2012-04-30 21:21]
.
2012-12-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1644491937-448539723-839522115-1009.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2012-04-30 21:21]
.
2012-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1644491937-448539723-839522115-1006.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2012-04-30 21:21]
.
2012-12-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1644491937-448539723-839522115-1009.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2012-04-30 21:21]
.
2012-12-28 c:\windows\Tasks\ReclaimerUpdateFiles_Guto.job
- c:\documents and settings\Guto\Dados de aplicativos\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-16 04:30]
.
2012-12-28 c:\windows\Tasks\ReclaimerUpdateXML_Guto.job
- c:\documents and settings\Guto\Dados de aplicativos\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-16 04:30]
.
2012-12-28 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Guto.job
- c:\documents and settings\Guto\Dados de aplicativos\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-16 04:30]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download with &Shareaza - d:\arquivos de programas\Shareaza\RazaWebHook32.dll/3000
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: caixa.gov.br\internetbanking
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Guto\Dados de aplicativos\Mozilla\Firefox\Profiles\drldfez7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=MSNTLB&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf&q={searchTerms}
FF - ExtSQL: 2012-12-10 01:05; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; c:\arquivos de programas\CheckPoint\ZAForceField\TrustChecker
FF - ExtSQL: 2012-12-10 01:13; ffxtlbr@zonealarm.com; c:\documents and settings\Guto\Dados de aplicativos\Mozilla\Firefox\Profiles\drldfez7.default\extensions\ffxtlbr@zonealarm.com
FF - ExtSQL: !HIDDEN! 2011-02-28 19:49; smartwebprinting@hp.com; d:\arquivos de programas\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf&q={searchTerms}
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?Source=Newtab&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan={dfltLng}&utid=fc4ba4fb000000000000001c25ae34cf&q=
FF - user.js: extensions.zonealarm.id - fc4ba4fb000000000000001c25ae34cf
FF - user.js: extensions.zonealarm.instlDay - 15684
FF - user.js: extensions.zonealarm.vrsn - 1.6.7.4
FF - user.js: extensions.zonealarm.vrsni - 1.6.7.4
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.6.7.41:02
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1001
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN11777616578949-1025
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-28 16:38
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ...
.
Procurando entradas auto inicializáveis ocultas ...
.
Procurando ficheiros/arquivos ocultos ...
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'explorer.exe'(1448)
c:\windows\system32\WININET.dll
.
Tempo para conclusão: 2012-12-28  16:40:53
ComboFix-quarantined-files.txt  2012-12-28 18:40
ComboFix2.txt  2012-12-28 15:50
ComboFix3.txt  2012-12-09 13:41
.
Pré-execução: 9.572.552.704 bytes disponíveis
Pós execução: 9.555.546.112 bytes disponíveis
.
- - End Of File - - 9EFF9A80E80BD1E82FA1C07F1F7B9A62

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:52:20, on 28/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\ARQUIV~1\AVG\AVG2013\avgrsx.exe
C:\Arquivos de programas\AVG\AVG2013\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\CheckPoint\ZoneAlarm\vsmon.exe
C:\Arquivos de programas\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\AVG\AVG2013\avgidsagent.exe
C:\Arquivos de programas\AVG\AVG2013\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\Java\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\AVG\AVG2013\avgnsx.exe
C:\Arquivos de programas\AVG\AVG2013\avgemcx.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe
C:\Arquivos de programas\AVG\AVG2013\avgui.exe
C:\Arquivos de programas\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zoneal...000001c25ae34cf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - D:\Arquivos de programas\Shareaza\RazaWebHook32.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Arquivos de programas\Check Point Software Technologies LTD\zonealarm\1.6.7.4\bh\zonealarm.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Arquivos de programas\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Arquivos de programas\Java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Arquivos de programas\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Arquivos de programas\Check Point Software Technologies LTD\zonealarm\1.6.7.4\zonealarmTlbr.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Arquivos de programas\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ISW] C:\Arquivos de programas\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Arquivos de programas\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with &Shareaza - res://D:\Arquivos de programas\Shareaza\RazaWebHook32.dll/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Exibir ou ocultar HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\arquivos de programas\bonjour\mdnsnsp.dll' missing
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgidsagent.exe
O23 - Service: Watchdog do AVG (avgwd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Serviço do Google Update (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Arquivos de programas\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - D:\Arquivos de programas\Java\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Arquivos de programas\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Arquivos de programas\Skype\Updater\Updater.exe
O23 - Service: TomTomHOMEService - TomTom - D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Arquivos de programas\CheckPoint\ZoneAlarm\vsmon.exe

--
End of file - 8960 bytes

#6 Mr.Million

Mr.Million

    Consumer Security MVP

  • Expert
  • 65448 messages

Posted 28 December 2012 - 04:48 PM

I would like to ask you a question: is the file C:\32788r22fwjff\pev.3xe a threat? AVG detected this file as a threat.

False positive.

I suggest that you print or save the procedures below, and do not use the Internet until the procedure has finished.

Select and copy the text inside the QUOTE (white box) below. Open Notepad and paste what you copied. Then save it to the Desktop with the name CFScript.txt


 

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISW"=-

 

Now drag CFScript.txt onto ComboFix as shown in the demonstration below:

[image: CFScript.gif]

ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.
Make a new log with HijackThis in Normal Mode and post it together with ComboFix.txt.

#7 augustocezar

augustocezar
  • Participant
  • 47 messages

Posted 28 December 2012 - 05:28 PM

Mr. Million,

I had problems running ComboFix in Normal Mode; I ran the program in Safe Mode (it worked normally, but the computer did not restart). Here are the new logs for analysis.

ComboFix 12-12-28.02 - Guto 28/12/2012  18:02:44.7.2 - x86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.55.1046.18.2038.1773 [GMT -2:00]
Executando de: c:\documents and settings\Guto\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Guto\Desktop\CFScript.txt
AV: AVG Internet Security 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((   Arquivos/Ficheiros criados de 2012-11-28 to 2012-12-28  ))))))))))))))))))))))))))))
.
.
2012-12-28 16:35 . 2012-12-28 16:35    --------    d-----w-    c:\windows\system32\wbem\Repository
2012-12-28 15:23 . 2012-12-28 15:23    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\AVG2013
2012-12-28 15:23 . 2012-12-28 15:23    --------    d-----w-    c:\windows\system32\config\systemprofile\Dados de aplicativos\AVG2013
2012-12-28 15:22 . 2012-12-28 15:22    --------    d-----w-    c:\documents and settings\Guto\Configurações locais\Dados de aplicativos\AVG Secure Search
2012-12-28 15:22 . 2012-12-28 15:22    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\AVG Secure Search
2012-12-28 15:22 . 2012-12-28 15:21    26984    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys
2012-12-28 15:22 . 2012-12-28 15:22    --------    d-----w-    c:\arquivos de programas\Arquivos comuns\AVG Secure Search
2012-12-28 15:22 . 2012-12-28 15:22    --------    d-----w-    c:\arquivos de programas\AVG Secure Search
2012-12-28 15:20 . 2012-12-28 15:20    --------    d-----w-    C:\$AVG
2012-12-28 15:20 . 2012-12-28 15:23    --------    d-----w-    c:\documents and settings\All Users\Dados de aplicativos\AVG2013
2012-12-28 15:17 . 2012-12-28 15:17    --------    d-----w-    c:\documents and settings\Guto\Configurações locais\Dados de aplicativos\Avg2013
2012-12-28 13:11 . 2012-12-28 13:16    10156344    ----a-w-    C:\mbam-setup-1.70.0.1100.exe
2012-12-28 12:41 . 2012-12-28 12:41    388608    ----a-w-    C:\HijackThis.exe
2012-12-18 15:43 . 2012-12-18 15:43    --------    d-----w-    c:\documents and settings\Inalda\Dados de aplicativos\Check Point Software Technologies LTD
2012-12-14 21:37 . 2012-12-14 21:37    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\Check Point Software Technologies LTD
2012-12-10 17:30 . 2012-12-10 17:30    --------    d-----w-    c:\documents and settings\Inalda\Dados de aplicativos\CheckPoint
2012-12-10 03:05 . 2012-12-10 03:05    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\CheckPoint
2012-12-10 03:02 . 2012-12-10 03:02    --------    d-----w-    c:\arquivos de programas\Check Point Software Technologies LTD
2012-12-10 03:02 . 2012-12-10 03:05    --------    d-----w-    c:\arquivos de programas\CheckPoint
2012-12-10 03:02 . 2012-12-10 03:02    --------    d-----w-    c:\documents and settings\All Users\Dados de aplicativos\CheckPoint
2012-12-10 02:37 . 2012-12-10 02:37    --------    d-----w-    c:\arquivos de programas\AVG
2012-12-10 00:13 . 2012-12-10 00:13    --------    d-----w-    c:\documents and settings\Guto\Dados de aplicativos\TuneUp Software
2012-12-10 00:02 . 2012-12-10 00:02    --------    d-----w-    c:\documents and settings\Guto\Configurações locais\Dados de aplicativos\MFAData
2012-12-01 18:56 . 2012-12-27 16:54    --------    d-----w-    c:\documents and settings\Inalda\Tracing
.
.
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2004-08-04 02:44    290560    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 18:49 . 2010-10-12 02:17    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-12 03:06 . 2012-04-13 22:33    697272    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2012-12-12 03:06 . 2011-05-29 22:57    73656    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 11:55 . 2004-08-04 02:38    1866496    ----a-w-    c:\windows\system32\win32k.sys
2012-11-02 02:04 . 2004-08-04 02:45    375296    ----a-w-    c:\windows\system32\dpnet.dll
2012-11-01 12:12 . 2004-08-04 02:45    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2012-11-01 12:12 . 2004-08-04 02:45    916992    ----a-w-    c:\windows\system32\wininet.dll
2012-11-01 12:12 . 2004-08-04 02:45    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2012-11-01 00:35 . 2004-08-04 02:37    385024    ----a-w-    c:\windows\system32\html.iec
2012-10-22 15:02 . 2012-10-22 15:02    179936    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2012-10-15 05:48 . 2012-10-15 05:48    55776    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2012-10-05 05:32 . 2012-10-05 05:32    93536    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2012-10-02 18:04 . 2004-08-04 02:45    58368    ----a-w-    c:\windows\system32\synceng.dll
2012-10-02 05:30 . 2012-10-02 05:30    159712    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2012-12-07 22:31 . 2012-12-07 22:30    262112    ----a-w-    c:\arquivos de programas\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-11 16861184]
"WinPatrol"="d:\arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [2012-01-02 325728]
"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"ZoneAlarm"="c:\arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe" [2012-11-07 73392]
"AVG_UI"="c:\arquivos de programas\AVG\AVG2013\avgui.exe" [2012-11-06 3143800]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\Inalda\Menu Iniciar\Programas\Inicializar\
OpenOffice.org 3.3.lnk - c:\arquivos de programas\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0c:\arquiv~1\AVG\AVG10\avgchsvx.exe /sync\0c:\arquiv~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Guto^Menu Iniciar^Programas^Inicializar^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\Guto\Menu Iniciar\Programas\Inicializar\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51    919008    ----a-w-    c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 00:28    59240    ----a-w-    c:\arquivos de programas\Arquivos comuns\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-05 00:04    136176    ----atw-    c:\documents and settings\Guto\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-01-13 12:47    163840    -c--a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-01-12 15:21    49208    ----a-w-    d:\arquivos de programas\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware]
2012-12-14 18:49    512360    ----a-w-    d:\arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 22:21    1695232    ------w-    c:\arquivos de programas\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-18 23:56    421888    ----a-w-    c:\arquivos de programas\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 16:33    17418928    ----a-r-    c:\arquivos de programas\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 14:07    252296    ----a-w-    c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-05-29 00:30    296056    ----a-w-    d:\real player\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2012-08-28 09:41    247768    ----a-w-    c:\arquivos de programas\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Arquivos de programas\\KONAMI\\Pro Evolution Soccer 2008 US\\PES2008.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"d:\\Arquivos de programas\\HP\\HP Software Update\\hpwucli.exe"=
"d:\\Arquivos de programas\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Guto\\Configurações locais\\Dados de aplicativos\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Arquivos de programas\\Shareaza\\Shareaza.exe"=
"d:\\Arquivos de programas\\IAHGames\\Counter-Strike Online\\Bin\\cstrike-online.exe"=
"d:\\Arquivos de programas\\IAHGames\\Counter-Strike Online\\Bin\\NMService.exe"=
"c:\\Arquivos de programas\\Arquivos comuns\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"c:\\Arquivos de programas\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Arquivos de programas\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Arquivos de programas\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Arquivos de programas\\AVG\\AVG2013\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [15/10/2012 03:48 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [21/9/2012 03:46 177376]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [14/9/2012 03:05 35552]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [22/10/2012 13:02 179936]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [21/9/2012 03:45 19936]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/10/2012 03:30 159712]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [21/9/2012 03:46 164832]
S2 AVGIDSAgent;AVGIDSAgent;c:\arquivos de programas\AVG\AVG2013\avgidsagent.exe [6/11/2012 19:00 5814392]
S2 avgwd;Watchdog do AVG;c:\arquivos de programas\AVG\AVG2013\avgwdsvc.exe [22/10/2012 13:05 196664]
S2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\arquivos de programas\CheckPoint\ZAForceField\ISWKL.sys [2/11/2012 16:17 27056]
S2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\arquivos de programas\CheckPoint\ZAForceField\ISWSVC.exe [2/11/2012 16:17 497320]
S2 SkypeUpdate;Skype Updater;c:\arquivos de programas\Skype\Updater\Updater.exe [13/7/2012 14:28 160944]
S2 TomTomHOMEService;TomTomHOMEService;d:\arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 09:31 92008]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
HPService    REG_MULTI_SZ       HPSLPSVC
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2012-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 03:06]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-08-18 18:58]
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-08-18 18:58]
.
2012-12-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1644491937-448539723-839522115-1006.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2012-04-30 21:21]
.
2012-12-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1644491937-448539723-839522115-1009.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2012-04-30 21:21]
.
2012-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1644491937-448539723-839522115-1006.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2012-04-30 21:21]
.
2012-12-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1644491937-448539723-839522115-1009.job
- c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2012-04-30 21:21]
.
2012-12-28 c:\windows\Tasks\ReclaimerUpdateFiles_Guto.job
- c:\documents and settings\Guto\Dados de aplicativos\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-16 04:30]
.
2012-12-28 c:\windows\Tasks\ReclaimerUpdateXML_Guto.job
- c:\documents and settings\Guto\Dados de aplicativos\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-16 04:30]
.
2012-12-28 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Guto.job
- c:\documents and settings\Guto\Dados de aplicativos\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-16 04:30]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download with &Shareaza - d:\arquivos de programas\Shareaza\RazaWebHook32.dll/3000
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: caixa.gov.br\internetbanking
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Guto\Dados de aplicativos\Mozilla\Firefox\Profiles\drldfez7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=MSNTLB&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf&q={searchTerms}
FF - ExtSQL: 2012-12-10 01:05; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; c:\arquivos de programas\CheckPoint\ZAForceField\TrustChecker
FF - ExtSQL: 2012-12-10 01:13; ffxtlbr@zonealarm.com; c:\documents and settings\Guto\Dados de aplicativos\Mozilla\Firefox\Profiles\drldfez7.default\extensions\ffxtlbr@zonealarm.com
FF - ExtSQL: !HIDDEN! 2011-02-28 19:49; smartwebprinting@hp.com; d:\arquivos de programas\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf&q={searchTerms}
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?Source=Newtab&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan=en&utid=fc4ba4fb000000000000001c25ae34cf
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN11777616578949-1025&toolbarId=base&affiliateId=1001&Lan={dfltLng}&utid=fc4ba4fb000000000000001c25ae34cf&q=
FF - user.js: extensions.zonealarm.id - fc4ba4fb000000000000001c25ae34cf
FF - user.js: extensions.zonealarm.instlDay - 15684
FF - user.js: extensions.zonealarm.vrsn - 1.6.7.4
FF - user.js: extensions.zonealarm.vrsni - 1.6.7.4
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.6.7.41:02
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1001
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN11777616578949-1025
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-28 18:14
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ...
.
Procurando entradas auto inicializáveis ocultas ...
.
Procurando ficheiros/arquivos ocultos ...
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'explorer.exe'(1888)
c:\windows\system32\WININET.dll
.
Tempo para conclusão: 2012-12-28  18:16:50
ComboFix-quarantined-files.txt  2012-12-28 20:16
ComboFix2.txt  2012-12-28 18:40
ComboFix3.txt  2012-12-28 15:50
ComboFix4.txt  2012-12-09 13:41
.
Pré-execução: 9.542.369.280 bytes disponíveis
Pós execução: 9.531.781.120 bytes disponíveis
.
- - End Of File - - D1A66C309D962114DC66312E28D49B92


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:26:58, on 28/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\ARQUIV~1\AVG\AVG2013\avgrsx.exe
C:\Arquivos de programas\AVG\AVG2013\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\CheckPoint\ZoneAlarm\vsmon.exe
C:\Arquivos de programas\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\AVG\AVG2013\avgidsagent.exe
C:\Arquivos de programas\AVG\AVG2013\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\Java\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\AVG\AVG2013\avgnsx.exe
C:\Arquivos de programas\AVG\AVG2013\avgemcx.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe
C:\Arquivos de programas\AVG\AVG2013\avgui.exe
C:\Arquivos de programas\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zoneal...000001c25ae34cf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - D:\Arquivos de programas\Shareaza\RazaWebHook32.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Arquivos de programas\Check Point Software Technologies LTD\zonealarm\1.6.7.4\bh\zonealarm.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Arquivos de programas\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Arquivos de programas\Java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Arquivos de programas\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Arquivos de programas\Check Point Software Technologies LTD\zonealarm\1.6.7.4\zonealarmTlbr.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Arquivos de programas\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Arquivos de programas\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Arquivos de programas\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [ISW] C:\Arquivos de programas\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with &Shareaza - res://D:\Arquivos de programas\Shareaza\RazaWebHook32.dll/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Exibir ou ocultar HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - D:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\arquivos de programas\bonjour\mdnsnsp.dll' missing
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgidsagent.exe
O23 - Service: Watchdog do AVG (avgwd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Serviço do Google Update (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Arquivos de programas\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - D:\Arquivos de programas\Java\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Arquivos de programas\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Arquivos de programas\Skype\Updater\Updater.exe
O23 - Service: TomTomHOMEService - TomTom - D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Arquivos de programas\CheckPoint\ZoneAlarm\vsmon.exe

--
End of file - 8999 bytes
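As an added example for reading a HijackThis log like the two posted in this thread (this is not code from the thread, from HijackThis or from ComboFix), here is a small Python triage helper. It splits each `Onn - ...` line into section, description and the Windows path it references, groups entries by section, and flags the three things a helper usually checks first: an autostart entry with no full path (the Realtek `RTHDCPL.EXE` entry above is legitimate but gets a manual look for that reason), an autostart or service binary living inside a user profile or temp folder, and a broken Winsock LSP chain (the `O10` line about the missing Bonjour DLL). The sample lines are copied from the second HijackThis log above, plus one clearly marked constructed line so the user-profile rule has something to catch; the "normal" folder prefixes are an assumption taken from this Portuguese Windows XP machine's paths.

```python
"""Triage helper for HijackThis v2 logs (added example, not from the thread).

Splits each "Onn - ..." line into section, description and the Windows path
it references, then flags entries a helper usually looks at first. A flag
means "look at this", not "this is malware".
"""
import re
from collections import defaultdict

# "O23 - Service: Name (svc) - Vendor - C:\path\file.exe" -> section "O23", body = rest
HJT_LINE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.*)$")

# First drive-letter path in the body, up to a binary extension (lazy, so the
# surrounding quotes and trailing switches such as /TRAYONLY are left out).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|ocx)', re.IGNORECASE)

# Assumption: where Windows and installed software normally live on this
# Portuguese Windows XP box (prefixes taken from the logs in the thread).
SYSTEM_PREFIXES = (
    "c:\\windows\\",
    "c:\\arquivos de programas\\",
    "d:\\arquivos de programas\\",
    "c:\\arquiv~1\\",
)
# Substrings that mark a per-user location (profile root, temp, application data).
PROFILE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\dados de aplicativos\\")

# Lines copied from the second HijackThis log in this thread.
PAGE_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zoneal...000001c25ae34cf
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - D:\Arquivos de programas\Shareaza\RazaWebHook32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG_UI] "C:\Arquivos de programas\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\arquivos de programas\bonjour\mdnsnsp.dll' missing
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Arquivos de programas\Skype\Updater\Updater.exe
O23 - Service: TomTomHOMEService - TomTom - D:\Arquivos de programas\TomTom HOME 2\TomTomHOMEService.exe
"""
# Constructed line (NOT from the thread) so the user-profile rule has something to catch.
CONSTRUCTED_LINE = r"O4 - HKCU\..\Run: [example] C:\Documents and Settings\Guto\Configurações locais\Temp\example.exe"
SAMPLE_LOG = PAGE_LINES + CONSTRUCTED_LINE + "\n"


def parse_line(line):
    """Return (section, body, path) for an HJT entry, or None for any other line."""
    m = HJT_LINE.match(line.strip())
    if m is None:
        return None
    body = m.group("body")
    p = WIN_PATH.search(body)
    return m.group("section"), body, (p.group(0) if p else None)


def classify(path):
    """Where the referenced file lives: 'system', 'profile', 'other' or 'no-path'."""
    if path is None:
        return "no-path"
    low = path.lower()
    if any(marker in low for marker in PROFILE_MARKERS):
        return "profile"
    if low.startswith(SYSTEM_PREFIXES):
        return "system"
    return "other"


def summarize(log_text):
    """Group entries by section; return (by_section, review) with review as (reason, body) pairs."""
    by_section = defaultdict(list)
    review = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body, path = parsed
        by_section[section].append((body, path))
        where = classify(path)
        if section == "O10" and "missing" in body:
            review.append(("broken Winsock LSP chain (provider DLL missing)", body))
        elif section in ("O4", "O23") and where == "no-path":
            review.append(("autostart entry without a full path", body))
        elif section in ("O4", "O23") and where == "profile":
            review.append(("autostart/service binary inside a user profile", body))
        elif section in ("O4", "O23") and where == "other":
            review.append(("autostart/service binary outside the usual program folders", body))
    return dict(by_section), review


if __name__ == "__main__":
    sections, flagged = summarize(SAMPLE_LOG)
    for sec in sorted(sections):
        print(f"{sec}: {len(sections[sec])} entries")
    for reason, body in flagged:
        print(f"REVIEW [{reason}]: {body}")
```

Run it on a saved HijackThis log by reading the file into `summarize()`; on the sample above it reports three items to review: the path-less `RTHDCPL` entry, the O10 LSP line, and the constructed profile-folder entry. Everything under `C:\WINDOWS` and the two `Arquivos de programas` trees passes silently, which is exactly the point of the prefix list: it shrinks a 100-line log to the handful of lines worth a human's attention.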

#8 Mr.Million

Mr.Million

    Consumer Security MVP

  • Specialist
  • 65448 posts

Posted 28 December 2012 - 05:38 PM

Ok, the PC is clean (Y)
Finishing up.......
Click Start > Run > type (or copy and paste): ComboFix /Uninstall > click OK.

Clean out System Restore by creating a clean System Restore Point.

Right-click MY COMPUTER / Properties / System Restore / check Turn off System Restore / Apply > OK.
Then uncheck it again. Apply > OK.



#9 augustocezar

augustocezar
  • Participant
  • 47 posts

Posted 28 December 2012 - 05:53 PM

Thank you, Mr. Million, for the great help! =)

Everything is back to normal.

I wish you a happy new year full of accomplishments.