
ComboFix 11-08-22.03 - adm 22/08/2011   9:31.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.55.1046.18.959.404 [GMT -3:00]
Executando de: c:\documents and settings\adm\Meus documentos\Downloads\ComboFix.exe
AV: ESET Smart Security 4.0 *Disabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Firewall pessoal do ESET *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
 * Criado um novo ponto de restauração
.
.
(((((((((((((((((((((((((((((((((((((   Outras Exclusões   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\arquivos de programas\ESET\MiNODLogin
c:\arquivos de programas\ESET\MiNODLogin\MiNODLogin.exe
c:\arquivos de programas\ESET\MiNODLogin\MiNODLogin.jar
c:\arquivos de programas\ESET\MiNODLogin\MiNODLoginLib.dll
c:\arquivos de programas\ESET\MiNODLogin\MiNODLoginUninst.exe
c:\arquivos de programas\ESET\MiNODLogin\servidores.xml
c:\documents and settings\adm\Dados de aplicativos\chrtmp
c:\documents and settings\adm\Dados de aplicativos\PriceGong
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\1.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\a.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\b.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\c.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\d.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\e.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\f.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\g.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\h.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\i.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\J.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\k.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\l.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\m.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\mru.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\n.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\o.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\p.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\q.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\r.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\s.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\t.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\u.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\v.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\w.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\x.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\y.xml
c:\documents and settings\adm\Dados de aplicativos\PriceGong\Data\z.xml
c:\documents and settings\adm\Desktop\Setup.exe
c:\documents and settings\adm\Meus documentos\~DFFC13.TMP
c:\documents and settings\adm\Meus documentos\~DIF091.TMP
c:\documents and settings\adm\Meus documentos\~WRD0000.tmp
c:\documents and settings\adm\Meus documentos\01.DOC
c:\documents and settings\adm\Meus documentos\Arquivos_Identificacao.zip
c:\documents and settings\adm\Recent\Thumbs.db
c:\documents and settings\adm\WINDOWS
C:\MessengerPlus
c:\messengerplus\enviado.flg
c:\messengerplus\juupdate18.log
C:\Thumbs.db
c:\windows\IsUn0416.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\jgaw400.dll
c:\windows\system32\MailBee.dll
c:\windows\winmgr
c:\windows\winmgr\licença.txt
c:\windows\winmgr\winmgr.chm
c:\windows\winmgr\winmgr.exe
.
c:\windows\system32\userinit.exe . . . está infectado!!
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Serviços   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_K10
-------\Service_k10
.
.
((((((((((((((((   Arquivos/Ficheiros criados de 2011-07-22 to 2011-08-22   ))))))))))))))))))))))))))))
.
.
2011-08-03 14:19 . 2011-08-03 15:45	-------	d-----w	c:\arquivos de programas\PDF to Word 3
2011-08-03 14:19 . 2011-08-03 14:19	75776	----a-w	c:\windows\cadkasdeinst01e.exe
2011-07-25 21:05 . 2011-08-05 11:26	-------	d-----w	C:\PROC. GUAJARAL
.
.
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-22 10:47 . 2011-06-02 10:21	404640	----a-w	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 22:52 . 2011-07-08 18:10	41272	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 22:52 . 2011-07-08 18:10	22712	----a-w	c:\windows\system32\drivers\mbam.sys
2011-06-01 11:18 . 2011-06-01 11:18	589824	----a-w	c:\windows\system32\CriticasCalculo.dll
2011-06-01 11:18 . 2011-06-01 11:18	1878831	----a-w	c:\windows\system32\CalculoV32.dll
2011-05-30 14:57 . 2011-05-30 14:57	73728	----a-w	c:\windows\system32\javacpl.cpl
2011-05-30 14:57 . 2011-05-30 14:57	472808	----a-w	c:\windows\system32\deployJava1.dll
2011-08-19 10:49 . 2011-06-06 11:23	134104	----a-w	c:\arquivos de programas\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}"= "c:\arquivos de programas\MyAshampoo\prxtbMyA0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54	175912	----a-w	c:\arquivos de programas\Conduit Engine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
2011-01-17 14:54	175912	----a-w	c:\arquivos de programas\MyAshampoo\prxtbMyA0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}"= "c:\arquivos de programas\MyAshampoo\prxtbMyA0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\arquivos de programas\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}"= "c:\arquivos de programas\MyAshampoo\prxtbMyA0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\arquivos de programas\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\arquivos de programas\LogMeIn\x86\LogMeInSystray.exe" [2006-07-21 303856]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"egui"="c:\arquivos de programas\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\adm\Menu Iniciar\Programas\Inicializar\
Atalho para data.lnk - C:\data.bat [2007-6-8 29]
.
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Atualizador de licenças ESET.lnk - c:\qoobox\Quarantine\C\Arquivos de programas\ESET\MiNODLogin\MiNODLogin.exe.vir [2011-7-17 125952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2006-07-21 16:15	11496	----a-w	c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^adm^Menu Iniciar^Programas^Inicializar^Stickies.lnk]
path=c:\documents and settings\adm\Menu Iniciar\Programas\Inicializar\Stickies.lnk
backup=c:\windows\pss\Stickies.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 00:59	937920	----a-r	c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-05-27 17:52	40368	----a-w	c:\arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 10:00	15360	----a-w	c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-07-06 22:52	449584	----a-w	c:\arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 22:21	1695232	--sh--w	c:\arquivos de programas\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
2009-10-07 19:15	1949765	----a-w	c:\arquivos de programas\Software Informer\softinfo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 16:12	253672	----a-w	c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-07 03:33	53248	-c--a-r	c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
2005-10-31 04:15	163840	-c--a-r	c:\windows\system32\VTTrayp.exe
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R2 ekrn;ESET Service;c:\arquivos de programas\ESET\ESET Smart Security\ekrn.exe [14/05/2009 15:47 731840]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe [02/12/2010 15:09 81920]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\arquivos de programas\LogMeIn\x86\rainfo.sys [21/07/2006 13:15 11112]
R2 MBAMService;MBAMService;c:\arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe [08/07/2011 15:10 366640]
R2 MSSQL$SQLNG;SQL Server (SQLNG);c:\arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [10/12/2010 18:29 29293408]
R2 TeamViewer5;TeamViewer 5;c:\arquivos de programas\TeamViewer\Version5\TeamViewer_Service.exe [27/11/2009 12:24 185640]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe [02/12/2010 15:09 2732032]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08/07/2011 15:10 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ	hpqcxs08
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
napagent
hkmsvc
BITS
wuauserv
ShellHWDetection
helpsvc
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
uInternet Settings,ProxyServer = 10.1.1.253:3128
uInternet Settings,ProxyOverride = <local>
IE: &Download All using 4shared Desktop - c:\arquivos de programas\4shared Desktop\down_all.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: fazenda.gov.br\receita
Trusted Zone: fazenda.gov.br\www8.receita
TCP: Interfaces\{3FB0F51C-5128-452E-808B-C2F78D522DE5}: NameServer = 201.10.128.2,201.10.1.2
TCP: Interfaces\{AD9CD570-0400-48AB-9DD7-2D72B4B09582}: NameServer = 201.10.128.2,201.10.1.2
FF - ProfilePath - c:\documents and settings\adm\Dados de aplicativos\Mozilla\Firefox\Profiles\3tk67ue7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - MyAshampoo Customized Web Search
FF - prefs.js: browser.startup.homepage - www.google.com.br
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&q=
.
- - - - ÓRFÃOS REMOVIDOS - - - -
.
MSConfigStartUp-avast! - c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-FATORXxx - c:\documents and settings\All Users\Dados de aplicativos\FATORXxx.exe
MSConfigStartUp-WinMgr - c:\windows\winmgr\winmgr.exe
AddRemove-Gerador de Declaração RAIS - GDRAIS 2007 ( Versão 2007.4 ) - c:\gdrais~1\UNWISE.EXE
AddRemove-Gerador de Declaração Rais Genérico76_06 - GDRais Genérico [versão 10.2006] - c:\gdrais~2\UNWISE.EXE
AddRemove-MiNODLogin - c:\arquivos de programas\ESET\MiNODLogin\MiNODLoginUninst.exe
AddRemove-Validador Sintegra 2006 - c:\windows\IsUn0416.exe
AddRemove-Validador Sintegra 2008 - c:\windows\IsUn0416.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-22 09:39
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ...
.
Procurando entradas auto inicializáveis ocultas ...
.
Procurando ficheiros/arquivos ocultos ...
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2184)
c:\windows\system32\WININET.dll
c:\arquiv~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\arquivos de programas\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Tempo para conclusão: 2011-08-22 09:43:20 - Máquina reiniciou
ComboFix-quarantined-files.txt 2011-08-22 12:43
.
Pré-execução: 53 pasta(s) 298.679.959.552 bytes disponíveis
Pós execução: 56 pasta(s) 299.233.771.520 bytes disponíveis
.
- - End Of File - - 8D912C4130D864EB8696965F43A424C4
