Smitfraud Virus
#1 - 5 February 2008, 12:35 - New Member
Smitfraud Virus

Hi
I am new to the board and would like help removing a virus which I think is Smitfraud and which has hijacked my browser. I have run AVG and Adaware but it doesn't help. The OS is XP; here is the log. Thanks in advance for your help.


Logfile of HijackThis v1.99.1
Scan saved at 19:35:19, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\Osa.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1199470957562
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB470484-F000-4F17-BAA7-0420975981FF}: NameServer = 212.139.132.37 212.139.132.36
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Grisoft s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Grisoft, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Grisoft, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - Grisoft, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: lxce_device -   - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\Netsvc.exe
O23 - Service: Securom User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
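Added example, not part of the thread or of HijackThis itself: a small triage pass over a HijackThis-style log like the one above, grouping entries by section prefix, pulling the O17 resolver addresses for comparison against an analyst-supplied allow-list, flagging startup and toolbar entries whose target file is gone, recording where O16 ActiveX controls were fetched from, and collapsing the repeated O10 LSP lines. The sample log and the 192.0.2.x allow-list are constructed (the allow-list is a placeholder; the thread reaches no verdict on the real resolver addresses).

```python
import re
from collections import defaultdict

# Constructed sample: a few entries in the HijackThis layout used in the thread
# (section prefix, ' - ', description), with the paths written normally.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB470484-F000-4F17-BAA7-0420975981FF}: NameServer = 212.139.132.37 212.139.132.36
"""

# HijackThis entry prefixes: R0-R3, F0-F3, N1-N4, O1-O24, each 'Xn - description'.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


def parse_entries(text):
    """Group entry descriptions by section prefix, preserving order.
    Header and process-list lines do not match the pattern and are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return entries


def nameservers(entries):
    """Resolver IPs from the O17 entries (per-interface DNS settings).
    A DNS-changer shows up here as resolvers the ISP never handed out."""
    ips = []
    for desc in entries.get("O17", []):
        ips.extend(IPV4_RE.findall(desc))
    return ips


def triage(text, expected_dns=()):
    """Return (section, note) findings worth a human look. expected_dns is the
    analyst's allow-list of legitimate resolvers; empty means 'do not check'."""
    entries = parse_entries(text)
    findings = []
    for ip in nameservers(entries):
        if expected_dns and ip not in expected_dns:
            findings.append(("O17", f"NameServer {ip} not in allow-list"))
    # Dangling startup/toolbar entries: not harmful by themselves, but they are
    # what a sloppy uninstall or a partial cleanup leaves behind.
    for sec in ("O4", "O9"):
        for desc in entries.get(sec, []):
            if "(file missing)" in desc or "(no file)" in desc:
                findings.append((sec, "dangling: " + desc))
    # O16: ActiveX controls fetched from the web; record the source host.
    for desc in entries.get("O16", []):
        m = URL_HOST_RE.search(desc)
        if m:
            findings.append(("O16", "ActiveX control from " + m.group(1)))
    # O10: one LSP DLL is listed once per Winsock protocol chain, so dedupe
    # instead of counting five identical lines as five problems.
    for desc in sorted(set(entries.get("O10", []))):
        findings.append(("O10", desc))
    return findings


def diff_nameservers(old_text, new_text):
    """Resolvers that appeared or disappeared between two logs of the same
    machine; a mere change of order is not a change."""
    old = set(nameservers(parse_entries(old_text)))
    new = set(nameservers(parse_entries(new_text)))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    # Constructed allow-list (RFC 5737 documentation addresses), not a verdict
    # on the resolvers in the real log.
    for sec, note in triage(SAMPLE_LOG, expected_dns=("192.0.2.53", "192.0.2.54")):
        print(f"{sec:4} {note}")
```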
#2 - 5 February 2008, 13:04 - Moderator
Smitfraud Virus

Welcome to CJ.

The log doesn't show any malware, but we can take a closer look.

Download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post that log back here.
Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Next post please add
MalwareBytes log

#3 - 5 February 2008, 13:51 - New Member
Smitfraud Virus

Hi EF,

Thanks for the quick reply. Below is my Malware log:

Malwarebytes' Anti-Malware 1.02
Database version: 320
Scan type: Full Scan (A:\|C:\|)
Objects scanned: 73752
Time elapsed: 23 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Failed to delete. (Delete on reboot).
C:\Documents and Settings\Ryan Glenn\Application Data\ezpinst.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Glenn\Application Data\inst.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
#4 - 5 February 2008, 14:01 - Moderator
Smitfraud Virus

Looks good so far.

Next go to this post and do Step Two and Step Three - CCleaner and SUPERAntiSpyware.

Post the SUPERAntiSpyware log along with a new HijackThis log in your next post.

#5 - 5 February 2008, 14:44 - New Member
Smitfraud Virus

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/05/2008 at 09:34
Application Version: 3.9.1008
Core Rules Database Version: 3395
Trace Rules Database Version: 1387
Scan type: Complete Scan
Total Scan Time: 00:22:21
Memory items scanned: 376
Memory threats detected: 0
Registry items scanned: 5837
Registry threats detected: 0
File items scanned: 11505
File threats detected: 5
Adware.Tracking Cookie
C:\Documents and Settings\Ryan Glenn\Cookies\ryan_glenn@ads.techguy[2].txt
C:\Documents and Settings\Ryan Glenn\Cookies\ryan_glenn@revsci[2].txt
C:\Documents and Settings\Clare Glenn\Cookies\clare_glenn@pacificpoker[1].txt
C:\Documents and Settings\Clare Glenn\Cookies\clare_glenn@videoegg.adbureau[2].txt
RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk


Logfile of HijackThis v1.99.1
Scan saved at 21:43:56, on 05/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\Osa.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1199470957562
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB470484-F000-4F17-BAA7-0420975981FF}: NameServer = 212.139.132.36 212.139.132.37
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Grisoft s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Grisoft, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Grisoft, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - Grisoft, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: lxce_device -   - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\Netsvc.exe
O23 - Service: Securom User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
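Added example, not part of the thread: correlating the Malwarebytes result block from post #3 with the SUPERAntiSpyware result block above by normalised path. A file that one scanner could only mark for deletion on reboot and that the next scanner still reports afterwards is the case worth escalating, and that is what the functions below surface; the two samples are constructed from the posted logs.

```python
import re
from collections import defaultdict, namedtuple

Detection = namedtuple("Detection", "tool path threat action")

# Constructed samples: the result sections of the MBAM and SUPERAntiSpyware
# logs posted in this thread, in the layout each tool prints.
MBAM_SAMPLE = r"""Files Infected: 3
Files Infected:
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Failed to delete. (Delete on reboot).
C:\Documents and Settings\Ryan Glenn\Application Data\ezpinst.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ryan Glenn\Application Data\inst.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
"""

SAS_SAMPLE = r"""File threats detected: 5
Adware.Tracking Cookie
C:\Documents and Settings\Ryan Glenn\Cookies\ryan_glenn@ads.techguy[2].txt
C:\Documents and Settings\Ryan Glenn\Cookies\ryan_glenn@revsci[2].txt
C:\Documents and Settings\Clare Glenn\Cookies\clare_glenn@pacificpoker[1].txt
C:\Documents and Settings\Clare Glenn\Cookies\clare_glenn@videoegg.adbureau[2].txt
RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk
"""

WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# MBAM detail line: 'path (threat) -> action'
MBAM_LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")


def norm(path):
    """NTFS paths are case-insensitive, so lower-case before comparing
    what two differently-casing tools reported."""
    return path.strip().lower()


def parse_mbam(text):
    """Read the 'Files Infected:' detail block (the header without a count)."""
    found = {}
    active = False
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^Files Infected:\s*$", line):
            active = True
            continue
        m = MBAM_LINE_RE.match(line) if active else None
        if m:
            found[norm(m["path"])] = Detection("MBAM", m["path"], m["threat"], m["action"])
    return found


def parse_sas(text):
    """SAS prints a threat-family line, then one path per hit beneath it.
    Lines with a colon are 'key: value' headers, not families."""
    found = {}
    threat = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if WIN_PATH_RE.match(line):
            if threat:
                found[norm(line)] = Detection("SAS", line, threat, "detected")
        elif ":" not in line:
            threat = line
    return found


def correlate(*scans):
    """Merge scans given in chronological order into path -> [Detection, ...]."""
    by_path = defaultdict(list)
    for scan in scans:
        for key, det in scan.items():
            by_path[key].append(det)
    return by_path


def survivors(by_path):
    """Paths whose first removal attempt failed or was deferred to reboot and
    which a later scan still reported. A generic scanner's verdict is not the
    end of triage for these; they are candidates for a protected component."""
    out = []
    for dets in by_path.values():
        first = dets[0].action.lower()
        if len(dets) > 1 and ("reboot" in first or "failed" in first):
            out.append((dets[0].path, [d.tool for d in dets]))
    return out


def multi_tool(by_path):
    """Paths reported by more than one tool, regardless of outcome."""
    return sorted(k for k, dets in by_path.items() if len({d.tool for d in dets}) > 1)


if __name__ == "__main__":
    merged = correlate(parse_mbam(MBAM_SAMPLE), parse_sas(SAS_SAMPLE))
    for path, tools in survivors(merged):
        print("survived removal:", path, tools)
```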
#6 - 5 February 2008, 14:54 - Moderator
Smitfraud Virus

The log looks fine now; is the computer still giving any indications of malware?

#7 - 5 February 2008, 15:02 - New Member
Smitfraud Virus

Yes, still showing signs of Malware unfortunately..
#8 - 5 February 2008, 15:12 - Moderator
Smitfraud Virus

Download SmitfraudFix (by S!Ri) to your desktop.
  • Extract all the files to your Desktop.
  • A folder named SmitfraudFix will be created on your desktop.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #1 - Search by typing 1 and pressing Enter
    • This program will scan large amounts of files on your computer for known patterns, so please be patient while it works.
    • When it is done, the scan results will be displayed and it will create a log named rapport.txt
      • This is at the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
    • Attach the log in your next reply.
  • Note: process.exe (which is used by SmitFraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "bad" use of such programs, so they may alert the user.
----------

Download Combofix by sUBs from one of the links below.
(Try all three if necessary) Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close all open browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real-time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Note: Combofix will disconnect your computer from the Internet. The connection is automatically restored before Combofix completes its run.
  • Double-click combofix.exe and follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause it to stall
  • If Combofix runs into difficulty and terminates prematurely, the connection can be restored manually by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
----------

Next post
Smitfraudfix log
Combofix log

#9 - 5 February 2008, 15:43 - New Member
Smitfraud Virus

SmitFraudFix v2.281
Scan done at 22:40:52.84, 05/02/2008
Run from C:\Documents and Settings\Ryan Glenn\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» Hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ryan Glenn

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ryan Glenn\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\RYANGL~1\favori~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!Attention, following keys are not necessarily infected!
IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!Attention, following keys are not necessarily infected!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!Attention, following keys are not necessarily infected!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!Attention, following keys are not necessarily infected!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not necessarily infected!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 212.139.132.8
DNS Server Search Order: 212.139.132.9
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EB470484-F000-4F17-BAA7-0420975981FF}: NameServer=212.139.132.8 212.139.132.9
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EB470484-F000-4F17-BAA7-0420975981FF}: NameServer=212.139.132.8 212.139.132.9
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EB470484-F000-4F17-BAA7-0420975981FF}: NameServer=212.139.132.36 212.139.132.37

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll for infection

»»»»»»»»»»»»»»»»»»»»»»»» End




ComboFix 08-02.05.3 - Ryan Glenn 2008-02-05 22:31:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.145 [GMT 0:00]
Running from: C:\Documents and Settings\Ryan Glenn\Desktop\ComboFix.exe
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rmcastt.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rmcastt.sys
C:\WINDOWS\system32\Install.exe
----- BITS: Possible infected sites -----
hxxp://www.download.windowsupdate.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_RMCASTT
-------\rmcastt

(((((((((((((((((((((((((   Files Created from 2008-01-05 to 2008-02-05   )))))))))))))))))))))))))))))))
.
2008-02-05 22:22 . 2008-02-05 22:23 <DIR> d-------- C:\ComboFix[1]
2008-02-05 21:02 . 2004-08-04 05:00 388,608 --a------ C:\kmd.exe
2008-02-05 20:11 . 2008-02-05 20:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-05 20:11 . 2008-02-05 20:11 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\Malwarebytes
2008-02-05 20:11 . 2008-02-05 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-05 19:05 . 2008-02-05 19:05 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\Uniblue
2008-02-05 18:50 . 2008-02-05 18:50 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-05 18:21 . 2008-02-05 18:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-05 18:00 . 2008-02-05 18:00 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-05 17:57 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-05 17:57 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-05 17:57 . 2008-02-05 00:23 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-05 17:57 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-05 17:57 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-05 17:57 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-05 17:57 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-04 19:47 . 2008-02-04 19:47 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2008-02-04 19:46 . 2008-02-04 19:57 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2008-02-04 19:46 . 2007-05-24 16:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2008-02-04 19:46 . 2008-02-04 19:46 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2008-02-02 13:49 . 2008-02-02 13:49 <DIR> d-------- C:\Program Files\Panicware
2008-02-01 20:22 . 2008-02-05 22:17 3352 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-01 19:32 . 2008-02-01 19:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-01 18:42 . 2008-02-05 19:56 <DIR> d-------- C:\Program Files\HJT
2008-02-01 18:39 . 2008-02-01 18:39 <DIR> d-------- C:\Program Files\FileASSASSIN
2008-02-01 18:31 . 2008-02-01 18:31 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-02-01 18:21 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-31 20:28 . 2008-01-31 20:28 <DIR> d-------- C:\VundoFix Backups
2008-01-31 19:34 . 2008-02-05 22:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-31 19:34 . 2008-02-02 00:55 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\SUPERAntiSpyware.com
2008-01-31 19:34 . 2008-01-31 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-29 22:28 . 2008-01-29 22:28 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-01-29 22:08 . 2008-02-01 18:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-29 21:15 . 2008-02-03 17:03 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-23 18:08 . 2008-01-23 18:08 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\SuperAdBlocker.com
2008-01-22 18:39 . 2008-01-22 18:39 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\Grisoft
2008-01-22 18:39 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 18:18 . 2008-01-22 18:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-22 18:15 . 2008-02-05 21:48 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\AVG7
2008-01-22 18:15 . 2008-01-22 18:15 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2008-01-22 17:56 . 2008-02-03 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-21 21:10 . 2008-01-22 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-20 16:33 . 2008-01-20 16:33 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\ErrorSmart
2008-01-19 10:09 . 2008-01-19 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-12 11:46 . 2008-01-12 11:46 <DIR> d-------- C:\Program Files\Common Files\Xing Shared
2008-01-12 10:17 . 2008-02-02 00:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 19:54 . 2008-01-12 10:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-10 19:38 . 2008-01-10 19:38 <DIR> d-------- C:\Program Files\AVI Codec Pack
2008-01-10 18:51 . 2005-04-05 14:18 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-01-09 19:20 . 2008-01-09 19:20 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\Yahoo!
2008-01-09 18:03 . 2008-01-09 18:03 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-09 17:52 . 2008-01-10 17:51 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\dvdcss
2008-01-08 18:20 . 2007-03-05 05:00 421,888 --a------ C:\WINDOWS\system32\lxcedrs.dll
2008-01-08 18:20 . 2007-01-30 10:22 413,696 --a------ C:\WINDOWS\system32\lxceinpa.dll
2008-01-08 18:20 . 2007-01-30 10:35 397,312 --a------ C:\WINDOWS\system32\lxceiesc.dll
2008-01-08 18:20 . 2007-02-22 18:32 344,064 --a------ C:\WINDOWS\system32\lxcecoin.dll
2008-01-08 18:20 . 2006-10-03 23:21 330,030 --a------ C:\WINDOWS\system32\lxcehelp.chm
2008-01-08 18:20 . 2007-01-30 10:18 323,584 --a------ C:\WINDOWS\system32\lxcehcp.dll
2008-01-08 18:20 . 2007-01-30 10:35 274,432 --a------ C:\WINDOWS\system32\lxceinst.dll
2008-01-08 18:20 . 2005-02-24 17:23 61,440 --a------ C:\WINDOWS\system32\lxcecnv4.dll
2008-01-07 20:59 . 2008-01-07 20:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-06 20:31 . 2008-01-06 20:31 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\InstallShield
2008-01-06 20:18 . 2008-01-06 20:35 <DIR> d-------- C:\Documents and Settings\Ryan Glenn\Application Data\VersionTracker Pro
2008/01/05 16:23. 2008/01/05 16:23 <dir> d -------- C: \ Program Files \ Windows Media Connect 2
2008/01/05 16:23. 2006/10/04 14:06 1197294 --------- C: \ WINDOWS \ system32 \ dllcache \ Sysmain.sdb
2008/01/05 16:23. 2006/10/04 14:06 764,868 --------- C: \ WINDOWS \ system32 \ dllcache \ apph_sp.sdb
2008/01/05 16:23. 2006/10/04 14:06 217,118 --------- C: \ WINDOWS \ system32 \ dllcache \ Apphelp.sdb
2008/01/05 16:19. 2008/01/05 16:21 <dir> d -------- C: \ WINDOWS \ system32 \ drivers \ UMDF
2008/01/05 15:19. 2008/01/05 15:19 <dir> d -------- C: \ swsetup
2008/01/05 15:09. 2008/01/05 15:08 23,600 - a ------ C: \ WINDOWS \ system32 \ drivers \ TVICHW32.SYS
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008/02/03 23:25 ---------d-----w C:\Program Files\Google
2008/01/31 10:50 ---------d-----w C:\Documents and Settings\Ryan Glenn\Application Data\VSO
2008/01/24 17:31 ---------d-----w C:\Program Files\Lx_cats
2008/01/18 19:58 ---------d-----w C:\Program Files\DivX
2008/01/18 19:57 ---------d-----w C:\Program Files\Java
2008/01/18 19:56 ---------d-----w C:\Program Files\Real
2008/01/12 11:45 ---------d-----w C:\Program Files\Common Files\Real
2008/01/12 10:26 ---------d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008/01/12 10:18 ---------d-----w C:\Documents and Settings\Ryan Glenn\Application Data\Lavasoft
2008/01/09 19:24 ---------d-----w C:\Program Files\Yahoo!
2008/01/08 18:20 ---------d-----w C:\Program Files\Lexmark 4300 Series
2008/01/07 21:55 ---------d-----w C:\Documents and Settings\Ryan Glenn\Application Data\AdobeUM
2008/01/04 20:45 ---------d-h--w C:\Program Files\InstallShield Installation Information
2008/01/04 19:57 ---------d-----w C:\Program Files\Analog Devices
2008/01/04 19:06 ---------d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008/01/04 18:08 ---------d-----w C:\Program Files\Gabest
2008/01/04 18:08 ---------d-----w C:\Program Files\CyberLink
2008/01/02 23:18 ---------d-----w C:\Program Files\Ahead
2008/01/02 23:14 ---------d-----w C:\Program Files\Common Files\Ahead
2007/12/29 14:16 ---------d-----w C:\Documents and Settings\Ryan Glenn\Application Data\DivX
2007/12/22 11:48 ---------d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2007/12/21 16:06 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007/12/21 16:06 47,360 ----a-w C:\Documents and Settings\Ryan Glenn\Application Data\pcouffin.sys
2007/12/21 16:06 ---------d-----w C:\Program Files\VSO
2007/12/11 20:36 ---------d-----w C:\Program Files\Virtual Dub
2007/12/10 20:22 ---------d-----w C:\Program Files\plugins
2007/12/10 20:22 ---------d-----w C:\Program Files\aviproxy
2007/12/10 19:47 ---------d-----w C:\Documents and Settings\Ryan Glenn\Application Data\Pegasys Inc
2007/12/10 19:39 33,408 ----a-w C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007/12/06 01:47 ---------d-----w C:\Program Files\MSN Messenger
2007/05/20 11:28 31,528 ----a-w C:\Documents and Settings\Ryan Glenn\Application Data\GDIPFONTCACHEV1.DAT
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51 306688]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 19:23 114688]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 14:22 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 19:19 77824]
"LXCECATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2007-02-22 05:17 73728]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 17:45 192512]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 12:17 94208]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 09:36 299008]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38 866816]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 07:09 200704]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-22 18:14 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-22 18:14 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\Osa.exe [2001-02-13 01:01:04 83360]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
SecurityProviders msapsspc.dll, schannel.dll, Digest.dll, msnsspc.dll,
S1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 21:51:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-05 03:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
**************************************************************************
CatchMe 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 22:35:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\RYANGL~1\LOCALS~1\Temp\SSUPDATE.EXE
.
**************************************************************************
.
Completion time: 2008-02-05 22:38:02 - machine was rebooted [Ryan Glenn]
ComboFix-quarantined-files.txt 2008-02-05 22:37:46
.
2008-01-06 03:02:26 --- EOF ---
  #10  
Old 5 Feb 2008, 15:55
Moderator Group
 
Default Smitfraud Virus

Run CCleaner.

Post a new HijackThis log.

Did Combofix help?
Copyright © 2006 - 2009 Computer Juice.