I'm downloading Malwarebytes to run on this machine.
More logs below..
BankerFix 3.1 VALKYRIE - Banker Remover
Linha Defensiva | http://www.linhadefensiva.org
http://www.linhadefensiva.org/bankerfix/
-------------------------------------------------------
Date: 2012-06-01 - 15:02
-------------------------------------------------------
Definition list: 2012-03-19-1 | CORE: 2012-01-27-1
=======================================================
Infected file detected: C:\DOCUME~1\f003654\CONFIG~1\Temp\6.tmp
Infected file removed successfully!
Infected file detected: C:\Documents and Settings\All Users\Dados de aplicativos\cno.txt
Infected file removed successfully!
Infected file detected: C:\Documents and Settings\All Users\Dados de aplicativos\la.txt
Infected file removed successfully!
Infected file detected: C:\Documents and Settings\All Users\Dados de aplicativos\li.txt
Infected file removed successfully!
Infected file detected: C:\Documents and Settings\All Users\Dados de aplicativos\ls.txt
Infected file removed successfully!
Infected file detected: C:\Documents and Settings\All Users\Dados de aplicativos\wina.exe
Infected file removed successfully!
Infected file detected: C:\Documents and Settings\All Users\Dados de aplicativos\wini.exe
Infected file removed successfully!
Infected file detected: C:\Documents and Settings\All Users\Dados de aplicativos\wins.exe
Infected file removed successfully!
----- End -------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:09:54, on 01/06/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dklog.exe
C:\WINDOWS\system32\dkvcm.exe
C:\Fortes\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Fortes\RemProt\remprots.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dkcktkn.exe
C:\Fortes\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Arquivos de programas\SafeNet\BSecClient\axmonitor.exe
C:\Arquivos de programas\SafeNet\BSecClient\DkAutoReg.exe
C:\Arquivos de programas\Alwil Software\Avast5\avastUI.exe
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Arquivos de programas\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Arquivos de programas\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [DkStartup] C:\Arquivos de programas\SafeNet\BSecClient\dkstartup.exe
O4 - HKLM\..\Run: [AxMonitor] C:\Arquivos de programas\SafeNet\BSecClient\axmonitor.exe
O4 - HKLM\..\Run: [DkAutoReg] C:\Arquivos de programas\SafeNet\BSecClient\DkAutoReg.exe
O4 - HKLM\..\Run: [avast] "C:\Arquivos de programas\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: www.bancobrasil.com.br
O15 - Trusted Zone: www14.bancobrasil.com.br
O15 - Trusted Zone: www2.bancobrasil.com.br
O15 - Trusted Zone: www.bb.com.br
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O20 - Winlogon Notify: DkWLNP - DkWLNP.dll (file missing)
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: SafeNet Log Service (DkLogger) - SafeNet, Inc. - C:\WINDOWS\system32\dklog.exe
O23 - Service: SafeNet Token Service (DkTknSrv) - SafeNet, Inc. - C:\WINDOWS\system32\dkcktkn.exe
O23 - Service: SafeNet Virtual Channel Monitor (DkVcm) - SafeNet, Inc. - C:\WINDOWS\system32\dkvcm.exe
O23 - Service: Firebird Guardian - Fortes_FB2_1 (FirebirdGuardianFortes_FB2_1) - Firebird Project - C:\Fortes\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - Fortes_FB2_1 (FirebirdServerFortes_FB2_1) - Firebird Project - C:\Fortes\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RemProtNTService - Fortes Informática Ltda - C:\Fortes\RemProt\remprots.exe
--
End of file - 8916 bytes
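An added example that is not part of the original thread and not HijackThis's own code: a small Python triage script that parses HijackThis-style lines and flags the entries a helper looks at first in a log like the one above: orphaned entries ("(no file)", "(file missing)"), O15 Trusted Zone additions, O20 Winlogon Notify DLLs, O23 services with no vendor string, and autostarts that live in user-writable folders. The sample lines are copied from the log above, except the O4 "wins.exe" entry, which is constructed to show what an autostart for one of the files BankerFix removed would look like. The rule set is my own heuristic, not HijackThis logic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: lines copied from the HijackThis log above, plus one
# O4 entry (the "wins" line) of the shape a banker dropped into
# "All Users\Dados de aplicativos" would produce. That line is NOT in the original log.
SAMPLE_LOG = r"""
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Arquivos de programas\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DkAutoReg] C:\Arquivos de programas\SafeNet\BSecClient\DkAutoReg.exe
O4 - HKCU\..\Run: [wins] C:\Documents and Settings\All Users\Dados de aplicativos\wins.exe
O15 - Trusted Zone: www.bancobrasil.com.br
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O20 - Winlogon Notify: DkWLNP - DkWLNP.dll (file missing)
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section="O4", body="HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+)\s+-\s+(?P<body>.*)$")

# Folders a limited user can write to; legitimate autostarts rarely live there.
USER_WRITABLE_RE = re.compile(
    r"\\(temp|dados de aplicativos|application data|appdata|documents and settings)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def reasons_for(section: str, body: str) -> List[str]:
    """Rule set (my own heuristics, not HijackThis logic) applied to one log entry."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("points at a file that is no longer on disk (orphaned entry)")
    if section == "O15":
        reasons.append("host added to the IE Trusted Zone (relaxes browser security for it)")
    if section == "O20":
        reasons.append("Winlogon Notify DLL is loaded into every logon; verify the publisher")
    if section == "O23" and " - - " in body:
        # HijackThis prints "Service: Name (Svc) - Vendor - Path"; an empty vendor leaves " - - ".
        reasons.append("service binary carries no vendor/version information")
    if section in ("O4", "O20", "O23") and USER_WRITABLE_RE.search(body):
        reasons.append("autostart binary lives in a user-writable location")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reasons = reasons_for(m.group("section"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("section"), line, reasons))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged lines per HijackThis section, e.g. {'O2': 1, 'O15': 1, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"       - {r}")
```

To use it on a saved hijackthis.log, pass the file contents to triage(). Note that in this log the flagged GbPlugin and SafeNet lines belong to the bank's browser-protection plugin and a token client that the helper left in place: the script narrows the list to entries that need a human decision, it does not make the decision.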
Hello Edvan
1.
Download createsrp (...by Ramesh Srinivasan*) and save it to the desktop
*Run it and click [OK]
2.
*Temporarily disable your antivirus
Download ComboFix (...by sUBs*) and save it to the desktop
*Run it and accept the license agreement.
*Windows Vista or Windows 7 users should right-click the file and select Run as administrator
*Windows XP users: if the Microsoft Windows Recovery Console is not installed, accept its installation. Once the Console is installed, click [Yes] and wait for the stages to finish
1) Do not use the mouse or keyboard during the stages!!
2) To stop the scan, press N
*Paste the report that is displayed
Good morning, friend.
When I tried to download createsrp, the message below appeared:
WikiFortio File sharing service: File with ID '696317' doesn't exist or has expired and is no longer available
Can I run ComboFix, or do I have to follow the order you posted?
Good morning...
The link has been fixed.
I like to create a restore point first.... :thumbsup:
Restore point created..
Log below:
ComboFix 12-06-03.05 - f003654 04/06/2012 12:30:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.767.414 [GMT -3:00]
Running from: c:\documents and settings\f003654\Desktop\ComboFix.exe
AV: avast! Antivirus Disabled/Updated {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
ADS - system32: deleted 2 bytes in 1 streams.
ADS - drivers: deleted 208 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\IsUn0416.exe
c:\windows\system\chron32.dll
c:\windows\system\libeay32.dll
c:\windows\system\ssleay32.dll
c:\windows\system32\dllcache\dlimport.exe
.
.
(((((((((((((((( Files Created from 2012-05-04 to 2012-06-04 ))))))))))))))))))))))))))))
.
.
2012-06-01 18:15 . 2012-06-01 18:15 -------- d-----w- c:\documents and settings\f003654\Dados de aplicativos\Malwarebytes
2012-06-01 18:14 . 2012-06-01 18:14 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2012-06-01 18:14 . 2012-06-01 18:15 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2012-06-01 18:14 . 2012-04-04 18:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-01 18:08 . 2012-06-01 18:08 388608 ----a-w- C:\HiJackThis.exe
2012-06-01 18:02 . 2012-06-01 18:03 -------- d-----w- C:\LinhaDefensiva
2012-05-08 10:49 . 2012-05-08 10:50 -------- d-----w- c:\documents and settings\f002951
.
.
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-04 15:30 . 2012-03-12 19:53 28880 ----a-w- c:\windows\system32\drivers\GbpNdisrd.sys
2012-04-05 12:34 . 2012-03-12 19:52 46408 ----a-w- c:\windows\system32\drivers\gbpkm.sys
2012-03-15 11:09 . 2011-07-01 19:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-07 00:15 . 2011-05-18 13:03 41184 ----a-w- c:\windows\avastSS.scr
2012-03-07 00:15 . 2011-05-18 12:56 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-07 00:03 . 2011-05-18 13:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-07 00:03 . 2011-05-18 12:56 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-07 00:02 . 2011-05-18 12:56 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-07 00:01 . 2011-05-18 12:56 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-07 00:01 . 2011-05-18 12:56 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-07 00:01 . 2011-05-18 12:56 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-07 00:01 . 2011-05-18 12:56 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 23:58 . 2011-05-18 12:56 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.
.
(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
.
Note: empty entries and legitimate default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15 123536 ----a-w- c:\arquivos de programas\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"SoundMAXPnP"="c:\arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"HP Software Update"="c:\arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\arquivos de programas\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"DkStartup"="c:\arquivos de programas\SafeNet\BSecClient\dkstartup.exe" [2008-07-29 49152]
"AxMonitor"="c:\arquivos de programas\SafeNet\BSecClient\axmonitor.exe" [2008-07-29 450560]
"DkAutoReg"="c:\arquivos de programas\SafeNet\BSecClient\DkAutoReg.exe" [2008-07-29 253952]
"avast"="c:\arquivos de programas\Alwil Software\Avast5\avastUI.exe" [2012-03-07 4241512]
"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Acrobat Assistant.lnk - c:\arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-4-7 217190]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2012-05-09 12:01 1313864 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DkWLNP]
2008-07-29 10:01 61440 ----a-w- c:\windows\system32\DkWLNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Arquivos de programas\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Fortes\\RemProt\\remprots.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"=
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [12/03/2012 16:52 46408]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [18/05/2011 10:03 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [18/05/2011 09:56 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/05/2011 09:56 20696]
R2 DkVcm;SafeNet Virtual Channel Monitor;c:\windows\system32\dkvcm.exe [29/07/2008 07:01 122880]
R2 FirebirdGuardianFortes_FB2_1;Firebird Guardian - Fortes_FB2_1;c:\fortes\Firebird\Firebird_2_1\bin\fbguard.exe -s Fortes_FB2_1 --> c:\fortes\Firebird\Firebird_2_1\bin\fbguard.exe -s Fortes_FB2_1 [?]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [12/03/2012 16:52 214088]
R2 RemProtNTService;RemProtNTService;c:\fortes\RemProt\remprots.exe [15/04/2011 08:17 616448]
R3 FirebirdServerFortes_FB2_1;Firebird Server - Fortes_FB2_1;c:\fortes\Firebird\Firebird_2_1\bin\fbserver.exe -s Fortes_FB2_1 --> c:\fortes\Firebird\Firebird_2_1\bin\fbserver.exe -s Fortes_FB2_1 [?]
R3 iKeyEnum;Rainbow iKey Enumerator;c:\windows\system32\drivers\IKEYENUM.SYS [18/03/2011 15:43 12240]
R3 iKeyIFD;Rainbow iKey Virtual Reader;c:\windows\system32\drivers\IKEYIFD.SYS [18/03/2011 15:43 18704]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\GbpNdisrd.sys [12/03/2012 16:53 28880]
S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [24/08/2010 15:06 135664]
S3 gupdatem;Serviço do Google Update (gupdatem);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [24/08/2010 15:06 135664]
S3 Ndisrd;GAS Tecnologia Service;c:\windows\system32\drivers\GbpNdisrd.sys [12/03/2012 16:53 28880]
S3 RnbToken;Rainbow iKey Token Service;c:\windows\system32\drivers\RNBTOKEN.SYS [18/03/2011 15:43 22096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-08-24 18:06]
.
2012-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-08-24 18:06]
.
2012-06-04 c:\windows\Tasks\User_Feed_Synchronization-{512CAFD7-828F-456F-A754-CFF6F3C345F3}.job
.
2012-06-04 c:\windows\Tasks\User_Feed_Synchronization-{94810168-BB5B-4AB0-8C58-68F33B49B71B}.job
.
2012-06-04 c:\windows\Tasks\User_Feed_Synchronization-{FEFF8D19-65CD-4838-9307-AE42D11262C9}.job
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bancobrasil.com.br\www
Trusted Zone: bancobrasil.com.br\www14
Trusted Zone: bancobrasil.com.br\www2
Trusted Zone: bb.com.br\www
TCP: DhcpNameServer = 10.4.65.16
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\f003654\Dados de aplicativos\Mozilla\Firefox\Profiles\xc9hfnuw.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\arquivos de programas\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: avast! WebRep: wrc@avast.com - c:\arquivos de programas\Alwil Software\Avast5\WebRep\FF
FF - Ext: Java Quick Starter: jqs@sun.com - c:\arquivos de programas\Java\jre6\lib\deploy\jqs\ff
.
.
HKLM-Run-nwiz - nwiz.exe
MSConfigStartUp-swg - c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-TWAIN - c:\windows\IsUn0416.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-04 12:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\TEMP\_avast_\unp130431930.tmp 569344 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The file is already in use by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
c:\arquivos de programas\GbPlugin\gbieh.dll
c:\windows\system32\DkWLNP.dll
.
Completion time: 2012-06-04 12:52:23
ComboFix-quarantined-files.txt 2012-06-04 15:52
.
Pre-Run: 11 folder(s) 25,649,131,520 bytes free
Post-Run: 15 folder(s) 28,746,264,576 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
1.
*Do you recognize the contents of this folder?
c:\documents and settings\f002951
2.
Download MBRCheck (...by ad13*) and save it to the desktop
*Run it. Windows Vista or Windows 7 users should right-click the file and select Run as administrator
*Press N > [ENTER]
*When it finishes, press [ENTER]
*Paste the MBRCheck_date_time.txt report created on the desktop
*Do you recognize the contents of this folder?
c:\documents and settings\f002951
Yes, I do. Each user who logs on to the machine with their password gets a folder named after their employee number.
MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0084800d
Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80701000 \WINDOWS\system32\hal.dll
0xF7A2F000 \WINDOWS\system32\KDCOM.DLL
0xF793F000 \WINDOWS\system32\BOOTVID.dll
0xF74E0000 ACPI.sys
0xF7A31000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74CF000 pci.sys
0xF752F000 isapnp.sys
0xF7AF7000 pciide.sys
0xF77AF000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A33000 intelide.sys
0xF753F000 MountMgr.sys
0xF74B0000 ftdisk.sys
0xF7A35000 dmload.sys
0xF748A000 dmio.sys
0xF77B7000 PartMgr.sys
0xF754F000 VolSnap.sys
0xF7472000 atapi.sys
0xF755F000 disk.sys
0xF756F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7452000 fltmgr.sys
0xF7440000 sr.sys
0xF7429000 KSecDD.sys
0xF739C000 Ntfs.sys
0xF757F000 gbpkm.sys
0xF736F000 NDIS.sys
0xF7355000 Mup.sys
0xF773F000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF694A000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF6936000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF690E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF784F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF68EA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7857000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF68BF000 \SystemRoot\system32\DRIVERS\e1000325.sys
0xF785F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF68AB000 \SystemRoot\system32\DRIVERS\parport.sys
0xF774F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7867000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF786F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF775F000 \SystemRoot\system32\DRIVERS\serial.sys
0xF79E3000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF776F000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF777F000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF778F000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6888000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7B94000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF779F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF79EB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6871000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF75AF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF75BF000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7877000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6860000 \SystemRoot\system32\DRIVERS\psched.sys
0xF75CF000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF787F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7887000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF788F000 \SystemRoot\system32\DRIVERS\gbpndisrd.sys
0xF6830000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF75DF000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A4F000 \SystemRoot\system32\DRIVERS\ikeyenum.sys
0xF7A51000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF67AA000 \SystemRoot\system32\DRIVERS\update.sys
0xF7A0F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF75EF000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7A23000 \SystemRoot\system32\DRIVERS\ikeyifd.sys
0xF7A27000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
0xF418D000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xF4169000 \SystemRoot\system32\drivers\portcls.sys
0xF75FF000 \SystemRoot\system32\drivers\drmk.sys
0xF40A9000 \SystemRoot\system32\drivers\AEAudio.sys
0xF4049000 \SystemRoot\system32\drivers\Senfilt.sys
0xF760F000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A57000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF789F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7A59000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C6E000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A5B000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78AF000 \SystemRoot\System32\drivers\vga.sys
0xF7A5D000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A5F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78B7000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78BF000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7311000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF3FF6000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF3F9D000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF763F000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xF3F4F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF3F27000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF764F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF78C7000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF79DB000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF3F05000 \SystemRoot\System32\drivers\afd.sys
0xF765F000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF3EDA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF3E6A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF766F000 \SystemRoot\System32\Drivers\Fips.SYS
0xF3E19000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF3D57000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xF772F000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF4139000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF3D3F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7ADF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6763000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77FF000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B20000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xB87F8000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xB8780000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB8542000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xB8425000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A93000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB828D000 \SystemRoot\system32\DRIVERS\srv.sys
0xB7F80000 \SystemRoot\system32\drivers\wdmaud.sys
0xB835D000 \SystemRoot\system32\drivers\sysaudio.sys
0xB785B000 \SystemRoot\System32\Drivers\HTTP.sys
0xB682E000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 41):
0 System Idle Process
4 System
880 C:\WINDOWS\system32\smss.exe
940 C:\WINDOWS\system32\csrss.exe
964 C:\WINDOWS\system32\winlogon.exe
1008 C:\WINDOWS\system32\services.exe
1020 C:\WINDOWS\system32\lsass.exe
1200 C:\WINDOWS\system32\nvsvc32.exe
1236 C:\ARQUIV~1\GbPlugin\gbpsv.exe
1272 C:\WINDOWS\system32\svchost.exe
1348 C:\WINDOWS\system32\svchost.exe
1472 C:\WINDOWS\system32\svchost.exe
1580 C:\WINDOWS\system32\svchost.exe
1720 C:\WINDOWS\system32\svchost.exe
1888 C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
1932 C:\WINDOWS\system32\spoolsv.exe
2004 C:\WINDOWS\system32\scardsvr.exe
172 C:\WINDOWS\system32\svchost.exe
336 C:\WINDOWS\system32\dklog.exe
472 C:\WINDOWS\system32\dkvcm.exe
552 C:\Fortes\Firebird\Firebird_2_1\bin\fbguard.exe
844 C:\Arquivos de programas\Java\jre6\bin\jqs.exe
896 C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe
1024 C:\Fortes\RemProt\remprots.exe
1568 C:\WINDOWS\system32\svchost.exe
1988 C:\WINDOWS\system32\dkcktkn.exe
2476 C:\Fortes\Firebird\Firebird_2_1\bin\fbserver.exe
2804 C:\WINDOWS\system32\wbem\wmiapsrv.exe
2816 C:\WINDOWS\explorer.exe
3128 C:\WINDOWS\system32\alg.exe
1784 C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
2056 C:\WINDOWS\system32\rundll32.exe
2284 C:\Arquivos de programas\HP\HP Software Update\hpwuSchd2.exe
2456 C:\Arquivos de programas\HP\Digital Imaging\bin\HpqSRmon.exe
2892 C:\Arquivos de programas\Safenet\BSecClient\AXMonitor.exe
3304 C:\Arquivos de programas\Safenet\BSecClient\dkAutoReg.exe
4092 C:\Arquivos de programas\Alwil Software\Avast5\AvastUI.exe
2920 C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
1648 C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
3076 C:\WINDOWS\system32\ctfmon.exe
3664 C:\Documents and Settings\f003654\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
PhysicalDrive0 Model Number: SAMSUNGHD081GJ, Rev: GE100-07
Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: 2C6D77F4F50AA9DE10FCE2024558166E9012FC6F
Done!
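An added example, not part of the original thread and not MBRCheck's or ComboFix's own code. The ComboFix run above could not read the MBR from user mode (CreateFile on \\.\PHYSICALDRIVE0 failed because the device was in use) and therefore printed "user != kernel MBR !!!"; MBRCheck then read the sector and reported standard Windows XP MBR code with a SHA1. This Python script shows what such a check consists of: validate the 0x55AA signature, decode the partition table, hash the bootstrap code, and compare two reads of the same sector. The 512-byte sample MBR is constructed, hashing the first 440 bytes is my assumption about what to compare (the page does not say what MBRCheck hashes, so the SHA1 it printed is not reproduced here), and a failed read is treated as "cannot compare" rather than as a detection.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440      # bootstrap code; the 4-byte disk signature follows at 0x1B8
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE    # 0x55AA boot signature


@dataclass
class Partition:
    bootable: bool
    type_id: int          # 0x07 = NTFS/exFAT/HPFS
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR


@dataclass
class MbrInfo:
    boot_code_sha1: str
    disk_signature: int
    partitions: List[Partition]


def parse_mbr(sector: bytes) -> MbrInfo:
    """Validate and decode one 512-byte MBR; hash only the bootstrap code."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        flag, _chs_start, type_id, _chs_end, lba, size = struct.unpack("<B3sB3sII", entry)
        if type_id == 0:
            continue  # empty slot
        partitions.append(Partition(flag == 0x80, type_id, lba, size))
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    # Hashing the first 440 bytes is my choice (assumption): it excludes the disk
    # signature and partition table, which legitimately differ between machines.
    digest = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    return MbrInfo(digest, disk_sig, partitions)


def compare_views(user_view: Optional[bytes], kernel_view: Optional[bytes]) -> Optional[bool]:
    """The 'user != kernel MBR' test: both reads must exist and be byte-identical.

    A failed user-mode read (as in the ComboFix log, where the device was in use)
    yields None, meaning 'could not compare', which is not the same as 'hooked'.
    """
    if not user_view or not kernel_view:
        return None
    return user_view == kernel_view


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk image: placeholder boot code, a disk
    signature, and one bootable NTFS partition starting at LBA 63 (byte offset
    0x7E00, the same offset MBRCheck reported for C: above)."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * (BOOT_CODE_LEN - 7)
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 155_000_000)
    table = entry + b"\x00" * (3 * 16)
    return boot_code + disk_sig + table + b"\x55\xAA"


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot code SHA1:", info.boot_code_sha1)
    for p in info.partitions:
        print(f"type 0x{p.type_id:02X} at LBA {p.lba_start} (offset 0x{p.byte_offset:X}), bootable={p.bootable}")
```

On a real Windows machine an administrator can obtain the sector with open(r"\\.\PhysicalDrive0", "rb").read(512) and pass it to parse_mbr(); a hash that differs from a baseline taken on a known-clean install of the same Windows version is what warrants a closer look. A None from compare_views() means one of the two reads failed and the comparison is inconclusive, which is what the ComboFix output above shows, so a second tool that can read the sector (here MBRCheck) is the right next step.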
Good morning!
The PC is clean....:)
1.
*Rename ComboFix to Uninstall
*Run it, wait for the message ComboFix has been uninstalled and click [OK]
*Delete the file C:\Combofix.txt
2.
*Delete MBRCheck
Regards.
Done, thanks for the help.
Regards.
PROBLEM SOLVED
If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
Sorry, I couldn't edit any more, so I'm posting one more log here. :thumbsup:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.01.05
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
f003654 :: FUN0003 [limited]
01/06/2012 15:17:59
mbam-log-2012-06-01 (15-17-59).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 512586
Time elapsed: 1 hour(s), 35 minute(s), 13 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 6
c:\documents and settings\all users\dados de aplicativos\winpro.exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\f003269\Desktop\SoftonicDownloader_para_dvdfab.exe (PUP.BundleOffer.Downloader.S) -> Quarantined and deleted successfully.
C:\Documents and Settings\f003654\Configurações locais\Temp\ICReinstall_PDFCreatorSetup[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\linhadefensiva\qua\arquivos\dados de aplicativos\wina.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\linhadefensiva\qua\arquivos\dados de aplicativos\wini.exe.vir (Spyware.Banker) -> Quarantined and deleted successfully.
c:\linhadefensiva\qua\arquivos\dados de aplicativos\wins.exe.vir (Spyware.Banker) -> Quarantined and deleted successfully.
(end)