.:: HijackThis log analysis ::.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:14:03, on 11-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\Comodo\Firewall\cmdagent.exe
C:\Programas\MATLAB701\webserver\bin\win32\matlabserver.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Comodo\Firewall\cfp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Macrogaming\SweetIM\SweetIM.exe
C:\Programas\Windows Live\Messenger\msnmsgr.exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
c:\windows\syss.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\CCleaner\CCleaner.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\proprietario\Definições locais\Temporary Internet Files\Content.IE5\MU6J1V45\HiJackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 85.92.142.149 l2authd.lineage2.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programas\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SweetIM] C:\Programas\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {D4ACE027-B115-4181-82CF-831C68235CAB} (PPSBase Control) - http://hot1.vdown.21cn.com/rmdownload/drm/data3/eyejoy/PpsSetup.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer001\MathMLMimer.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,avgrsstx.dll
O20 - Winlogon Notify: DevConfig - C:\WINDOWS\system\Drvcnf.dll
O21 - SSODL: msole - {627E9AAA-0FF3-44E3-8C12-00F327EA5042} - blank (file missing)
O21 - SSODL: msdde - {2DA84D7F-7A03-4098-ADBD-065813F9E4F6} - blank (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Programas\Ficheiros comuns\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Programas\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Programas\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programas\Ficheiros comuns\SolidWorks Shared\Service\SolidWorksLicensing.exe
O24 - Desktop Component 0: (no name) - http://www.si.ips.pt/ests_si/imagens/ESTS
--
End of file - 7522 bytes

Here is the log from the latest version of HijackThis.

First (and fix this right away!): do not run HijackThis from a temporary folder. Create a folder of its own (C:\HJT) and put the HiJackThis.exe file in that folder.
If you don't, you risk not being able to undo/recover something you deleted by mistake with HJT (the backups are lost).

Start the program from this new location, then tick and fix these entries with HJT:

O16 - DPF: {D4ACE027-B115-4181-82CF-831C68235CAB} (PPSBase Control) - http://hot1.vdown.21cn.com/rmdownloa...y/PpsSetup.cab
O20 - Winlogon Notify: DevConfig - C:\WINDOWS\system\Drvcnf.dll
O21 - SSODL: msole - {627E9AAA-0FF3-44E3-8C12-00F327EA5042} - blank (file missing)
O21 - SSODL: msdde - {2DA84D7F-7A03-4098-ADBD-065813F9E4F6} - blank (file missing)
O24 - Desktop Component 0: (no name) - http://www.si.ips.pt/ests_si/imagens/ESTS

Restart the system in Safe Mode (press F8 while booting), check whether this file exists and delete it:

C:\WINDOWS\syss.exe

Empty the Recycle Bin.

Restart the system in normal mode and install the Slim version of CCleaner (no toolbar, in English):
http://www.ccleaner.com/download/builds.aspx

Start the program, select every entry on the Windows and Applications tabs and click the Run Cleaner button.

When the cleaning finishes, restart the system.

Download and install SUPERAntiSpyware FREE.

Start the program using the icon created on the desktop.

Update the definitions by clicking the Check for Updates... button.

When the update finishes, click Preferences, then the Scanning Control tab, and under Scanner Options make sure you select:

- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.

And untick all the others. Now click Close to leave this menu.

Click Scan your Computer..., select Perform Complete Scan, click Next and wait patiently until a report of the items found is shown. Click OK and then Next to confirm the cleanup.

Close the program, restart the PC and test.

Let us know whether it worked and post a new HJT log.

Zee
 
The problem seems to have gone away. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:15:06, on 12-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\Comodo\Firewall\cmdagent.exe
C:\Programas\MATLAB701\webserver\bin\win32\matlabserver.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Comodo\Firewall\cfp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Macrogaming\SweetIM\SweetIM.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Windows Live\Messenger\msnmsgr.exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\proprietario\Ambiente de trabalho\HijackThis.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\Programas\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 85.92.142.149 l2authd.lineage2.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programas\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SweetIM] C:\Programas\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer001\MathMLMimer.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,avgrsstx.dll
O20 - Winlogon Notify: DevConfig - C:\WINDOWS\system\Drvcnf.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodata Limited License Service - Unknown owner - C:\Programas\Ficheiros comuns\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Programas\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Programas\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programas\Ficheiros comuns\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 7151 bytes

Is there any other problem now?
 
It's clean, but I suggest booting the system in Safe Mode and fixing this entry, which is inactive but still worth cleaning up:

O20 - Winlogon Notify: DevConfig - C:\WINDOWS\system\Drvcnf.dll (file missing)

If it disappears, your log is completely clean.

You still haven't installed Windows XP SP3. I recommend it.

Zee
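The check the helper performs by eye when the second log arrives (the entries he asked to fix are gone, the Winlogon Notify line is still present but now reads "(file missing)"), written out as an added example; it is not part of the original thread and not HijackThis code. It compares two logs by entry identity rather than by raw line, so an entry whose path text changed is reported as changed instead of as one removal plus one addition, and it refuses to call the cleanup verified while any requested entry is merely changed. The two embedded logs are constructed excerpts of the first and second logs posted above, cut down to a few lines each.

```python
"""Compare a HijackThis log taken before a cleanup with the one taken afterwards.
Added example, not part of the original thread and not HijackThis code."""
import re

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")        # R0 / F2 / O4 ... entry lines
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")               # "Running processes" lines
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def entry_key(line):
    """Stable identity of an entry, so that an entry whose path text changed
    (e.g. gained a '(file missing)' suffix) is matched with its earlier self."""
    sec, body = ENTRY_RE.match(line).groups()
    if sec == "O4" and "] " in body:                    # hive + Run value name
        return f"{sec} {body.split('] ', 1)[0]}]"
    key = f"{sec} {body.split(' - ', 1)[0]}"            # section + first field
    m = CLSID_RE.search(body)                           # BHO/SSODL/DPF identity is the CLSID
    return f"{key} {m.group(0).upper()}" if m else key


def parse_log(text):
    """Return ({entry_key: line}, {lower-cased process paths}); header/footer lines are ignored."""
    entries, procs = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries[entry_key(line)] = line
        elif PROCESS_RE.match(line):
            procs.add(line.lower())
    return entries, procs


def compare_logs(before, after):
    """Entries removed, added or changed between the two logs, plus process-list deltas."""
    b_ent, b_proc = parse_log(before)
    a_ent, a_proc = parse_log(after)
    return {
        "removed": sorted(b_ent[k] for k in b_ent.keys() - a_ent.keys()),
        "added": sorted(a_ent[k] for k in a_ent.keys() - b_ent.keys()),
        "changed": sorted((b_ent[k], a_ent[k]) for k in b_ent.keys() & a_ent.keys()
                          if b_ent[k] != a_ent[k]),
        "processes_gone": sorted(b_proc - a_proc),
        "processes_new": sorted(a_proc - b_proc),
    }


def cleanup_verified(before, after, requested):
    """True only when every entry the helper asked to fix is absent from the new
    log (a changed entry still counts as present) and no new R/F/O entry appeared.
    The process list is a snapshot of what happened to be open, so it is not
    part of the verdict."""
    a_ent, _ = parse_log(after)
    delta = compare_logs(before, after)
    return all(entry_key(r) not in a_ent for r in requested) and not delta["added"]


# Constructed excerpts of the first and second logs in the thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
c:\windows\syss.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {D4ACE027-B115-4181-82CF-831C68235CAB} (PPSBase Control) - http://hot1.vdown.21cn.com/rmdownload/drm/data3/eyejoy/PpsSetup.cab
O20 - Winlogon Notify: DevConfig - C:\WINDOWS\system\Drvcnf.dll
O21 - SSODL: msole - {627E9AAA-0FF3-44E3-8C12-00F327EA5042} - blank (file missing)
O24 - Desktop Component 0: (no name) - http://www.si.ips.pt/ests_si/imagens/ESTS
"""
AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Programas\Mozilla Firefox\firefox.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: DevConfig - C:\WINDOWS\system\Drvcnf.dll (file missing)
"""
# The lines in the excerpt that the helper asked to fix.
REQUESTED = [ln for ln in BEFORE.splitlines() if ln.startswith(("O16", "O20", "O21", "O24"))]

if __name__ == "__main__":
    for kind, items in compare_logs(BEFORE, AFTER).items():
        print(kind, *items, sep="\n  ")
    print("verified:", cleanup_verified(BEFORE, AFTER, REQUESTED))  # False: O20 only changed
```

Run on the excerpts it reports three removals (O16, O21, O24), one change (the O20 line, now "(file missing)"), no additions, syss.exe gone from the process list and firefox.exe new in it, and a verdict of not verified, which is exactly why the helper asks for the O20 entry to be fixed from Safe Mode before calling the log clean.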
 
Hi,

Lately I have noticed that a process, svchost.exe, takes the CPU on my PC to 100% and uses a lot of memory... this lasts a few minutes, then it goes back to normal.

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:25:51, on 14-07-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Programas\Microsoft IntelliType Pro\itype.exe
C:\Programas\Microsoft IntelliPoint\ipoint.exe
C:\Programas\Microsoft LifeChat\LifeChat.exe
C:\Programas\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\WI1F86~1\MESSEN~1\DEVICE~1\msgrdvmn.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\DAEMON Tools Lite\daemon.exe
C:\Programas\Microsoft IntelliPoint\dpupdchk.exe
C:\Programas\ESET\ESET Smart Security\ekrn.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Orbitdownloader\orbitdm.exe
C:\Programas\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
D:\Programas\screamer-radio\screamer.exe
D:\Programas\screamer-radio\screamer.exe
C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
C:\Programas\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Windows Live\Messenger\livecall.exe
C:\Programas\Sports Interactive\Football Manager 2008\fm.exe
C:\Programas\FM Modifier 2.2\FMM2.2.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programas\Ficheiros comuns\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [egui] "C:\Programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [itype] "C:\Programas\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [LifeChat] "C:\Programas\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WindowsLivePhone] "C:\PROGRA~1\WI1F86~1\MESSEN~1\DEVICE~1\msgrdvmn.exe" /AutoRun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Orbit.lnk = C:\Programas\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212188153437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212188142406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2FC8CCE-02C8-4B4F-8DCA-F0B029419606}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{A2FC8CCE-02C8-4B4F-8DCA-F0B029419606}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{A2FC8CCE-02C8-4B4F-8DCA-F0B029419606}: NameServer = 192.168.1.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programas\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NBService - Nero AG - C:\Programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7948 bytes
Is there anything wrong with the PC?

thanks
 
Nothing seriously abnormal; I only suggest fixing this entry:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

I also recommend uninstalling Acrobat Reader 8 and installing version 9:
http://www.adobe.com/products/acrobat/readstep2.html

And finally, use Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

to try to work out what is consuming the resources.

Good luck,

Zee
 
Hi. My PC has had problems since I installed a program.
The antivirus sometimes switches itself off, all earlier restore points were removed, Automatic Updates disappeared, the browser is slow, there are advertising pop-ups and unintended downloads.
I did a quick NTFS format of the disk and after reinstalling everything the problems came back. And the taskbar sometimes disappears but comes back on its own.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:39, on 15-07-2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programas\Eset\nod32krn.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Programas\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Intel\NCS\PROSet\PRONoMgr.exe
C:\Programas\Eset\nod32kui.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Programas\Spyware Doctor\pctsTray.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Programas\Intel\NCS\Sync\NetSvc.exe
C:\Programas\Valve\Steam\Steam.exe
C:\WINDOWS\explorer.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Johnny\Ambiente de trabalho\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programas\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programas\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISTray] "C:\Programas\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMbf5938d4] Rundll32.exe "C:\WINDOWS\System32\epusrybi.dll",s
O4 - HKCU\..\Run: [Steam] "c:\programas\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BMbf5938d4] Rundll32.exe "C:\WINDOWS\System32\epusrybi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programas\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programas\Eset\nod32krn.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programas\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programas\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 4218 bytes
 
Turn off System Restore and Fix the following lines:

O4 - HKLM\..\Run: [BMbf5938d4] Rundll32.exe "C:\WINDOWS\System32\epusrybi.dll",s
O4 - HKCU\..\Run: [BMbf5938d4] Rundll32.exe "C:\WINDOWS\System32\epusrybi.dll",s

After that, run SuperAntiSpyware to do the rest of the cleanup.
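A first pass of the kind the helpers do by hand in the first reply in this thread (hosts override, the ActiveX download, the Winlogon Notify DLL outside System32, the two SSODL entries with no file, the Active Desktop component, the stray executable in C:\WINDOWS) and in the reply just above (a Run value with a random-looking name, loaded through rundll32 and present under both HKLM and HKCU), written as an added example; it is not part of the original thread and not HijackThis code. The rules are heuristics: "remove" means fix it with HJT, "review" means a person has to decide. The host and executable allow-lists are assumptions for the example, not a vetted reference, and the embedded sample is a constructed excerpt mixing lines from the logs posted in this thread.

```python
"""Rule-based first pass over a HijackThis (HJT) v2 log.  Added example,
not part of the original thread and not HijackThis code.  Severity
'remove' means fix it with HJT; 'review' means a human has to decide.
The allow-lists are assumptions for the example, not a vetted reference."""
import re
from collections import defaultdict

# Assumed: hosts from which ActiveX (O16) downloads are expected on this machine.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "messenger.zone.msn.com",
                     "www.update.microsoft.com", "fpdownload2.macromedia.com", "go.divx.com"}
# Assumed: executables that legitimately sit directly in %WINDIR% (not a subfolder).
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "agrsmmsg.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    line = line.strip()
    if PROCESS_RE.match(line):                         # "Running processes" section
        low = line.lower()
        if "temporary internet files" in low or "\\temp\\" in low:
            return ("review", "process running from a temporary directory")
        folder, _, name = low.rpartition("\\")
        if folder in ("c:\\windows", "c:\\winnt") and name not in WINDIR_ROOT_OK:
            return ("review", "unfamiliar executable directly in %WINDIR%")
        return None
    m = ENTRY_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O1":                                    # hosts file overrides name resolution
        return ("review", "hosts-file override; confirm the IP really belongs to that name")
    if sec == "O2" and "(no file)" in body:
        return ("remove", "BHO whose DLL no longer exists (orphaned CLSID)")
    if sec == "O4":                                    # Run value named with an 8-hex-digit suffix
        r = RUN_RE.match(body)
        if r and re.search(r"[0-9a-f]{8}$", r.group("name")):
            return ("remove", "Run value with a random-looking hex name")
    if sec == "O16":                                   # downloaded ActiveX controls
        if "ms-its:" in body.lower() or "mhtml:" in body.lower():
            return ("remove", "DPF entry via ms-its/mhtml, not a normal ActiveX download")
        u = re.match(r"https?://([^/]+)", body.rsplit(" - ", 1)[-1], re.I)
        host = u.group(1).lower() if u else ""
        if host not in TRUSTED_DPF_HOSTS:
            return ("review", f"ActiveX control downloaded from {host or 'unknown host'}")
    if sec == "O20":                                   # code loaded into winlogon / every process
        if body.startswith("AppInit_DLLs"):
            return ("review", "DLL injected into every process via AppInit_DLLs")
        if "(file missing)" in body or "\\system32\\" not in body.lower():
            return ("remove", "Winlogon Notify DLL outside System32 or missing")
    if sec == "O21" and ("(file missing)" in body or " - blank" in body):
        return ("remove", "ShellServiceObjectDelayLoad entry with no backing file")
    if sec == "O24":
        return ("review", "Active Desktop component pulling remote content")
    return None


def triage_log(text):
    """triage_line over a whole log, plus the cross-line check for a Run value
    carrying the same command under both HKLM and HKCU (replicated persistence)."""
    findings, hives = [], defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line))
        m = ENTRY_RE.match(line)
        r = RUN_RE.match(m.group("body")) if m and m.group("sec") == "O4" else None
        if r:
            hives[(r.group("name").lower(), r.group("cmd"))].add(r.group("hive"))
    for (name, cmd), seen in hives.items():
        if {"HKLM", "HKCU"} <= seen:
            findings.append(("review", f"Run value [{name}] replicated in HKLM and HKCU", cmd))
    return findings


# Constructed excerpt mixing lines from the logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
c:\windows\syss.exe
O1 - Hosts: 85.92.142.149 l2authd.lineage2.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMbf5938d4] Rundll32.exe "C:\WINDOWS\System32\epusrybi.dll",s
O4 - HKCU\..\Run: [BMbf5938d4] Rundll32.exe "C:\WINDOWS\System32\epusrybi.dll",s
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: DevConfig - C:\WINDOWS\system\Drvcnf.dll
O21 - SSODL: msole - {627E9AAA-0FF3-44E3-8C12-00F327EA5042} - blank (file missing)
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

On the sample it leaves Explorer.EXE, the AVG tray value and the DivX control alone and reports the other eight lines plus the cross-line finding that [BMbf5938d4] is replicated in HKLM and HKCU. The replication check matters for the post above: fixing the value in one hive while a running component re-creates it from the other is the usual reason such an entry "keeps appearing", so the DLL it loads has to go as well, which is what the EDIT further down says.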
 
I suggest formatting again and installing Windows XP SP3 immediately; you are on SP1, which is extremely vulnerable, and it doesn't surprise me that you ran into problems straight away.

You can download SP3 and save it to external media so you can install it before you even connect to the internet.

If the problems come back after that, post a new HJT log.

Note: I didn't even analyse the log you posted, because I think it's a waste of time and effort if you stay on Windows XP SP1.

Good luck,

Zee
 
But before formatting I had installed SP2. Then I formatted, and before installing Service Pack 2, which Automatic Updates was downloading, the browser pop-up windows appeared and knocked the updates down. And I couldn't connect again because it gave some error or other.
 
About DekkeR's tips, I have a few questions.

1 - How do you turn off System Restore?
2 - About fixing the rundll32 entry: before coming to this forum I had been looking for information and read that rundll32 could disguise itself as a virus, so I went to the system32 folder and deleted it.
About 30 minutes later the file had regenerated itself. Now, with HJT, I fixed the two entries and ran a new scan.

O4 - HKLM\..\Run: [BMbf5938d4] Rundll32.exe "C:\WINDOWS\System32\epusrybi.dll",s
This entry keeps appearing.
 
As I suggested, download SP3 and save it to external media so you can install it before connecting to the internet.

The package is a bit heavy but it's the better option (assuming you are on PT-PT):
http://www.microsoft.com/downloads/...5e76-401f-be08-1e1555d4f3d4&DisplayLang=pt-pt
 
Two things:

- Installing Service Pack 3 is not going to fix that.
- NOD32 won't detect it because that is malware, not a virus... unless ESET has added that feature.

To turn off System Restore, right-click My Computer and choose Properties. There you should have a "System Restore" tab where you only need to tick the box that says "Turn Off..."

SuperAntiSpyware should take care of it.
 
After turning off System Restore, run HJT again and see whether the entry disappears.

If it doesn't, run it in Safe Mode.

EDIT: It isn't rundll32.exe that you have to delete, but the .dll file.
 
It didn't disappear. For now I'm running a scan with SuperAntiSpyware.

Edit: I deleted rundll32.exe. Where is the dll?
 