Edvan 30 Denunciar post Postado Junho 1, 2012 Estou baixando o Malwarebytes para executar nessa maquina. Logo abaixo outros logs.. BankerFix 3.1 VALKYRIE - Removedor de Bankers Linha Defensiva | http://www.linhadefensiva.org http://www.linhadefensiva.org/bankerfix/ ------------------------------------------------------- Data: 2012-06-01 - 15:02 ------------------------------------------------------- Lista de Definição: 2012-03-19-1 | CORE: 2012-01-27-1 ======================================================= Arquivo infectado detectado: C:\DOCUME~1\f003654\CONFIG~1\Temp\6.tmp Arquivo infectado removido com sucesso! Arquivo infectado detectado: C:\Documents and Settings\All Users\Dados de aplicativos\cno.txt Arquivo infectado removido com sucesso! Arquivo infectado detectado: C:\Documents and Settings\All Users\Dados de aplicativos\la.txt Arquivo infectado removido com sucesso! Arquivo infectado detectado: C:\Documents and Settings\All Users\Dados de aplicativos\li.txt Arquivo infectado removido com sucesso! Arquivo infectado detectado: C:\Documents and Settings\All Users\Dados de aplicativos\ls.txt Arquivo infectado removido com sucesso! Arquivo infectado detectado: C:\Documents and Settings\All Users\Dados de aplicativos\wina.exe Arquivo infectado removido com sucesso! Arquivo infectado detectado: C:\Documents and Settings\All Users\Dados de aplicativos\wini.exe Arquivo infectado removido com sucesso! Arquivo infectado detectado: C:\Documents and Settings\All Users\Dados de aplicativos\wins.exe Arquivo infectado removido com sucesso! ----- Fim ------------------------- Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 15:09:54, on 01/06/2012 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\nvsvc32.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\SCardSvr.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dklog.exe C:\WINDOWS\system32\dkvcm.exe C:\Fortes\Firebird\Firebird_2_1\bin\fbguard.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe C:\Fortes\RemProt\remprots.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dkcktkn.exe C:\Fortes\Firebird\Firebird_2_1\bin\fbserver.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSRMon.exe C:\Arquivos de programas\SafeNet\BSecClient\axmonitor.exe C:\Arquivos de programas\SafeNet\BSecClient\DkAutoReg.exe C:\Arquivos de programas\Alwil Software\Avast5\avastUI.exe C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\Arquivos de programas\Internet Explorer\iexplore.exe C:\HiJackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Arquivos de programas\Alwil Software\Avast5\aswWebRepIE.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - (no file) O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Arquivos de programas\Alwil Software\Avast5\aswWebRepIE.dll O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [hpqSRMon] C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSRMon.exe O4 - HKLM\..\Run: [DkStartup] C:\Arquivos de programas\SafeNet\BSecClient\dkstartup.exe O4 - HKLM\..\Run: [AxMonitor] C:\Arquivos de programas\SafeNet\BSecClient\axmonitor.exe O4 - HKLM\..\Run: [DkAutoReg] C:\Arquivos de programas\SafeNet\BSecClient\DkAutoReg.exe O4 - HKLM\..\Run: [avast] "C:\Arquivos de programas\Alwil Software\Avast5\avastUI.exe" /nogui O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O15 - Trusted Zone: www.bancobrasil.com.br O15 - Trusted Zone: www14.bancobrasil.com.br O15 - Trusted Zone: www2.bancobrasil.com.br O15 - Trusted Zone: www.bb.com.br O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll O20 - Winlogon Notify: DkWLNP - DkWLNP.dll (file missing) O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe O23 - Service: SafeNet Log Service (DkLogger) - SafeNet, Inc. - C:\WINDOWS\system32\dklog.exe O23 - Service: SafeNet Token Service (DkTknSrv) - SafeNet, Inc. - C:\WINDOWS\system32\dkcktkn.exe O23 - Service: SafeNet Virtual Channel Monitor (DkVcm) - SafeNet, Inc. - C:\WINDOWS\system32\dkvcm.exe O23 - Service: Firebird Guardian - Fortes_FB2_1 (FirebirdGuardianFortes_FB2_1) - Firebird Project - C:\Fortes\Firebird\Firebird_2_1\bin\fbguard.exe O23 - Service: Firebird Server - Fortes_FB2_1 (FirebirdServerFortes_FB2_1) - Firebird Project - C:\Fortes\Firebird\Firebird_2_1\bin\fbserver.exe O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: RemProtNTService - Fortes Informática Ltda - C:\Fortes\RemProt\remprots.exe -- End of file - 8916 bytes Compartilhar este post Link para o post Compartilhar em outros sites
Edvan 30 Denunciar post Postado Junho 1, 2012 Desculpa, nao pude mais editar, então estou postando aqui mais um log. :thumbsup: Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Versão da Base de Dados: v2012.06.01.05 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 f003654 :: FUN0003 [limitado] 01/06/2012 15:17:59 mbam-log-2012-06-01 (15-17-59).txt Tipo de Verificação: Verificação Completa Opções de verificações ativadas: Memória | Inicialização | Registro | Sistema de arquivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM Opções de verificação desativadas: P2P Objetos escaneados: 512586 Tempo decorrido: 1 hora(s), 35 minuto(s), 13 segundo(s) Processos de Memória Detectados: 0 (Não foram detectados ítens maliciosos) Módulos de Memória Detectados: 0 (Não foram detectados ítens maliciosos) Chaves de Registro Detectadas: 0 (Não foram detectados ítens maliciosos) Valores de Registro Detectadas: 0 (Não foram detectados ítens maliciosos) Itens de Dados no Registro Detectadas: 0 (Não foram detectados ítens maliciosos) Pastas Detectadas: 0 (Não foram detectados ítens maliciosos) Arquivos Detectados: 6 c:\documents and settings\all users\dados de aplicativos\winpro.exe (Trojan.Dropper.PGen) -> Enviado para a Quarentena e deletado com sucesso. C:\Documents and Settings\f003269\Desktop\SoftonicDownloader_para_dvdfab.exe (PUP.BundleOffer.Downloader.S) -> Enviado para a Quarentena e deletado com sucesso. C:\Documents and Settings\f003654\Configurações locais\Temp\ICReinstall_PDFCreatorSetup[1].exe (Adware.Agent) -> Enviado para a Quarentena e deletado com sucesso. c:\linhadefensiva\qua\arquivos\dados de aplicativos\wina.exe.vir (Malware.Packer.Gen) -> Enviado para a Quarentena e deletado com sucesso. c:\linhadefensiva\qua\arquivos\dados de aplicativos\wini.exe.vir (Spyware.Banker) -> Enviado para a Quarentena e deletado com sucesso. c:\linhadefensiva\qua\arquivos\dados de aplicativos\wins.exe.vir (Spyware.Banker) -> Enviado para a Quarentena e deletado com sucesso. (fim) Compartilhar este post Link para o post Compartilhar em outros sites
wings 22 Denunciar post Postado Junho 1, 2012 Olá Edvan 1. *Baixe o createsrp (...de Ramesh Srinivasan) e salve-o no desktop (Área de Trabalho) *Execute-o e clique [OK] 2. *Desative temporariamente seu antivírus *Baixe o ComboFix (...de sUBs) e salve-o no desktop (Área de Trabalho) *Execute-o e aceite o contrato. *Usuários do Windows Vista ou do Windows 7 devem clicar com o botão direito do mouse no arquivo e selecionar Executar como administrador *Usuários do Windows XP: Se o Console de Recuperação do Microsoft Windows não estiver instalado, aceite a sua instalação. Após a instalação do Console, clique [sim] e aguarde a conclusão das etapas 1) Não use o mouse nem o teclado durante as etapas!! 2) Para interromper o scan, tecle N *Cole o relatório apresentado Compartilhar este post Link para o post Compartilhar em outros sites
Edvan 30 Denunciar post Postado Junho 4, 2012 Bom dia amigo. Ao tentar baixar o createsrp apareceu a mensagem abaixo: WikiFortioFile sharing serviceFile with ID '696317' doesn't exist or has expired and is no longer available Pode rodar o combofix ou tem que seguir a ordem do que você postou? Compartilhar este post Link para o post Compartilhar em outros sites
wings 22 Denunciar post Postado Junho 4, 2012 Bom dia amigo. Ao tentar baixar o createsrp apareceu a mensagem abaixo: Pode rodar o combofix ou tem que seguir a ordem do que você postou? Bom dia... O link foi corrigido. Eu gosto de criar um ponto de restauração antes.... :thumbsup: Compartilhar este post Link para o post Compartilhar em outros sites
Edvan 30 Denunciar post Postado Junho 4, 2012 Ponto criado.. Log abaixo: ComboFix 12-06-03.05 - f003654 04/06/2012 12:30:21.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.767.414 [GMT -3:00] Executando de: c:\documents and settings\f003654\Desktop\ComboFix.exe AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D} . ADS - system32: deleted 2 bytes in 1 streams. ADS - drivers: deleted 208 bytes in 1 streams. . ((((((((((((((((((((((((((((((((((((( Outras Exclusões ))))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\IsUn0416.exe c:\windows\system\chron32.dll c:\windows\system\libeay32.dll c:\windows\system\ssleay32.dll c:\windows\system32\dllcache\dlimport.exe . . (((((((((((((((( Arquivos/Ficheiros criados de 2012-05-04 to 2012-06-04 )))))))))))))))))))))))))))) . . 2012-06-01 18:15 . 2012-06-01 18:15 -------- d-----w- c:\documents and settings\f003654\Dados de aplicativos\Malwarebytes 2012-06-01 18:14 . 2012-06-01 18:14 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes 2012-06-01 18:14 . 2012-06-01 18:15 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware 2012-06-01 18:14 . 2012-04-04 18:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-01 18:08 . 2012-06-01 18:08 388608 ----a-w- C:\HiJackThis.exe 2012-06-01 18:02 . 2012-06-01 18:03 -------- d-----w- C:\LinhaDefensiva 2012-05-08 10:49 . 2012-05-08 10:50 -------- d-----w- c:\documents and settings\f002951 . . . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-04 15:30 . 2012-03-12 19:53 28880 ----a-w- c:\windows\system32\drivers\GbpNdisrd.sys 2012-04-05 12:34 . 2012-03-12 19:52 46408 ----a-w- c:\windows\system32\drivers\gbpkm.sys 2012-03-15 11:09 . 2011-07-01 19:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-03-07 00:15 . 2011-05-18 13:03 41184 ----a-w- c:\windows\avastSS.scr 2012-03-07 00:15 . 2011-05-18 12:56 201352 ----a-w- c:\windows\system32\aswBoot.exe 2012-03-07 00:03 . 2011-05-18 13:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys 2012-03-07 00:03 . 2011-05-18 12:56 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys 2012-03-07 00:02 . 2011-05-18 12:56 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2012-03-07 00:01 . 2011-05-18 12:56 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2012-03-07 00:01 . 2011-05-18 12:56 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2012-03-07 00:01 . 2011-05-18 12:56 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys 2012-03-07 00:01 . 2011-05-18 12:56 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2012-03-06 23:58 . 2011-05-18 12:56 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys . . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por padrão não são apresentadas. REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast] @="{472083B0-C522-11CF-8763-00608CC02F24}" [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}] 2012-03-07 00:15 123536 ----a-w- c:\arquivos de programas\Alwil Software\Avast5\ashShell.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952] "SoundMAXPnP"="c:\arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504] "Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760] "HP Software Update"="c:\arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "hpqSRMon"="c:\arquivos de programas\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016] "DkStartup"="c:\arquivos de programas\SafeNet\BSecClient\dkstartup.exe" [2008-07-29 49152] "AxMonitor"="c:\arquivos de programas\SafeNet\BSecClient\axmonitor.exe" [2008-07-29 450560] "DkAutoReg"="c:\arquivos de programas\SafeNet\BSecClient\DkAutoReg.exe" [2008-07-29 253952] "avast"="c:\arquivos de programas\Alwil Software\Avast5\avastUI.exe" [2012-03-07 4241512] "SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360] . c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\ Acrobat Assistant.lnk - c:\arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-4-7 217190] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb] 2012-05-09 12:01 1313864 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DkWLNP] 2008-07-29 10:01 61440 ----a-w- c:\windows\system32\DkWLNP.dll . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-06-09 08:06 976832 ----a-w- c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqsudi.exe"= "c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"= "c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqpse.exe"= "c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Arquivos de programas\\HP\\HP Software Update\\HPWUCli.exe"= "c:\\Fortes\\RemProt\\remprots.exe"= "c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"= . R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [12/03/2012 16:52 46408] R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [18/05/2011 10:03 612184] R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [18/05/2011 09:56 337880] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/05/2011 09:56 20696] R2 DkVcm;SafeNet Virtual Channel Monitor;c:\windows\system32\dkvcm.exe [29/07/2008 07:01 122880] R2 FirebirdGuardianFortes_FB2_1;Firebird Guardian - Fortes_FB2_1;c:\fortes\Firebird\Firebird_2_1\bin\fbguard.exe -s Fortes_FB2_1 --> c:\fortes\Firebird\Firebird_2_1\bin\fbguard.exe -s Fortes_FB2_1 [?] R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [12/03/2012 16:52 214088] R2 RemProtNTService;RemProtNTService;c:\fortes\RemProt\remprots.exe [15/04/2011 08:17 616448] R3 FirebirdServerFortes_FB2_1;Firebird Server - Fortes_FB2_1;c:\fortes\Firebird\Firebird_2_1\bin\fbserver.exe -s Fortes_FB2_1 --> c:\fortes\Firebird\Firebird_2_1\bin\fbserver.exe -s Fortes_FB2_1 [?] R3 iKeyEnum;Rainbow iKey Enumerator;c:\windows\system32\drivers\IKEYENUM.SYS [18/03/2011 15:43 12240] R3 iKeyIFD;Rainbow iKey Virtual Reader;c:\windows\system32\drivers\IKEYIFD.SYS [18/03/2011 15:43 18704] R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\GbpNdisrd.sys [12/03/2012 16:53 28880] S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [24/08/2010 15:06 135664] S3 gupdatem;Serviço do Google Update (gupdatem);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [24/08/2010 15:06 135664] S3 Ndisrd;GAS Tecnologia Service;c:\windows\system32\drivers\GbpNdisrd.sys [12/03/2012 16:53 28880] S3 RnbToken;Rainbow iKey Token Service;c:\windows\system32\drivers\RNBTOKEN.SYS [18/03/2011 15:43 22096] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 . Conteúdo da pasta 'Tarefas Agendadas' . 2012-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-08-24 18:06] . 2012-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-08-24 18:06] . 2012-06-04 c:\windows\Tasks\User_Feed_Synchronization-{512CAFD7-828F-456F-A754-CFF6F3C345F3}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 07:31] . 2012-06-04 c:\windows\Tasks\User_Feed_Synchronization-{94810168-BB5B-4AB0-8C58-68F33B49B71B}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 07:31] . 2012-06-04 c:\windows\Tasks\User_Feed_Synchronization-{FEFF8D19-65CD-4838-9307-AE42D11262C9}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 07:31] . . ------- Scan Suplementar ------- . uStart Page = hxxp://www.google.com.br/ IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: bancobrasil.com.br\www Trusted Zone: bancobrasil.com.br\www14 Trusted Zone: bancobrasil.com.br\www2 Trusted Zone: bb.com.br\www TCP: DhcpNameServer = 10.4.65.16 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\f003654\Dados de aplicativos\Mozilla\Firefox\Profiles\xc9hfnuw.default\ FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\arquivos de programas\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: avast! WebRep: wrc@avast.com - c:\arquivos de programas\Alwil Software\Avast5\WebRep\FF FF - Ext: Java Quick Starter: jqs@sun.com - c:\arquivos de programas\Java\jre6\lib\deploy\jqs\ff . - - - - ORFÃOS REMOVIDOS - - - - . HKLM-Run-nwiz - nwiz.exe MSConfigStartUp-swg - c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe AddRemove-TWAIN - c:\windows\IsUn0416.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-06-04 12:48 Windows 5.1.2600 Service Pack 3 NTFS . Procurando processos ocultos ... . Procurando entradas auto inicializáveis ocultas ... . Procurando ficheiros/arquivos ocultos ... . . c:\windows\TEMP\_avast_\unp130431930.tmp 569344 bytes executable . Varredura completada com sucesso arquivos/ficheiros ocultos: 1 . ************************************************************************** . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 . CreateFile("\\.\PHYSICALDRIVE0"): O arquivo já está sendo usado por outro processo. device: opened successfully user: error reading MBR kernel: MBR read successfully user != kernel MBR !!! . ************************************************************************** . --------------------- DLLs Carregadas Sob os Processos em Execução --------------------- . - - - - - - - > 'winlogon.exe'(964) c:\arquivos de programas\GbPlugin\gbieh.dll c:\windows\system32\DkWLNP.dll . Tempo para conclusão: 2012-06-04 12:52:23 ComboFix-quarantined-files.txt 2012-06-04 15:52 . Pré-execução: 11 pasta(s) 25.649.131.520 bytes disponíveis Pós execução: 15 pasta(s) 28.746.264.576 bytes disponíveis . WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - B6380579ABA1A489D928322902FDD397 Compartilhar este post Link para o post Compartilhar em outros sites
wings 22 Denunciar post Postado Junho 4, 2012 1. *Conhece o conteúdo desta pasta? c:\documents and settings\f002951 2. *Baixe o MBRCheck (...de ad13) e salve-o no desktop *Execute-o. Usuários do Windows Vista ou do Windows 7 devem clicar com o botão direito do mouse no arquivo e selecionar Executar como administrador *Tecle N > [ENTER] *Ao término tecle [ENTER] *Cole o relatório MBRCheck_data_hora.txt criado no desktop Compartilhar este post Link para o post Compartilhar em outros sites
Edvan 30 Denunciar post Postado Junho 5, 2012 .*Conhece o conteúdo desta pasta? c:\documents and settings\f002951 Sim, conheço, cada usuário que loga na maquina com sua senha cria uma pasta de sua matricula. MBRCheck, version 1.2.3 © 2010, AD Command-line: Windows Version: Windows XP Professional Windows Information: Service Pack 3 (build 2600) Logical Drives Mask: 0x0084800d Kernel Drivers (total 120): 0x804D7000 \WINDOWS\system32\ntoskrnl.exe 0x80701000 \WINDOWS\system32\hal.dll 0xF7A2F000 \WINDOWS\system32\KDCOM.DLL 0xF793F000 \WINDOWS\system32\BOOTVID.dll 0xF74E0000 ACPI.sys 0xF7A31000 \WINDOWS\system32\DRIVERS\WMILIB.SYS 0xF74CF000 pci.sys 0xF752F000 isapnp.sys 0xF7AF7000 pciide.sys 0xF77AF000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS 0xF7A33000 intelide.sys 0xF753F000 MountMgr.sys 0xF74B0000 ftdisk.sys 0xF7A35000 dmload.sys 0xF748A000 dmio.sys 0xF77B7000 PartMgr.sys 0xF754F000 VolSnap.sys 0xF7472000 atapi.sys 0xF755F000 disk.sys 0xF756F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS 0xF7452000 fltmgr.sys 0xF7440000 sr.sys 0xF7429000 KSecDD.sys 0xF739C000 Ntfs.sys 0xF757F000 gbpkm.sys 0xF736F000 NDIS.sys 0xF7355000 Mup.sys 0xF773F000 \SystemRoot\system32\DRIVERS\intelppm.sys 0xF694A000 \SystemRoot\system32\DRIVERS\nv4_mini.sys 0xF6936000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS 0xF690E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys 0xF784F000 \SystemRoot\system32\DRIVERS\usbuhci.sys 0xF68EA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS 0xF7857000 \SystemRoot\system32\DRIVERS\usbehci.sys 0xF68BF000 \SystemRoot\system32\DRIVERS\e1000325.sys 0xF785F000 \SystemRoot\system32\DRIVERS\fdc.sys 0xF68AB000 \SystemRoot\system32\DRIVERS\parport.sys 0xF774F000 \SystemRoot\system32\DRIVERS\i8042prt.sys 0xF7867000 \SystemRoot\system32\DRIVERS\kbdclass.sys 0xF786F000 \SystemRoot\system32\DRIVERS\mouclass.sys 0xF775F000 \SystemRoot\system32\DRIVERS\serial.sys 0xF79E3000 \SystemRoot\system32\DRIVERS\serenum.sys 0xF776F000 \SystemRoot\system32\DRIVERS\imapi.sys 0xF777F000 \SystemRoot\system32\DRIVERS\cdrom.sys 0xF778F000 \SystemRoot\system32\DRIVERS\redbook.sys 0xF6888000 \SystemRoot\system32\DRIVERS\ks.sys 0xF7B94000 \SystemRoot\system32\DRIVERS\audstub.sys 0xF779F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys 0xF79EB000 \SystemRoot\system32\DRIVERS\ndistapi.sys 0xF6871000 \SystemRoot\system32\DRIVERS\ndiswan.sys 0xF75AF000 \SystemRoot\system32\DRIVERS\raspppoe.sys 0xF75BF000 \SystemRoot\system32\DRIVERS\raspptp.sys 0xF7877000 \SystemRoot\system32\DRIVERS\TDI.SYS 0xF6860000 \SystemRoot\system32\DRIVERS\psched.sys 0xF75CF000 \SystemRoot\system32\DRIVERS\msgpc.sys 0xF787F000 \SystemRoot\system32\DRIVERS\ptilink.sys 0xF7887000 \SystemRoot\system32\DRIVERS\raspti.sys 0xF788F000 \SystemRoot\system32\DRIVERS\gbpndisrd.sys 0xF6830000 \SystemRoot\system32\DRIVERS\rdpdr.sys 0xF75DF000 \SystemRoot\system32\DRIVERS\termdd.sys 0xF7A4F000 \SystemRoot\system32\DRIVERS\ikeyenum.sys 0xF7A51000 \SystemRoot\system32\DRIVERS\swenum.sys 0xF67AA000 \SystemRoot\system32\DRIVERS\update.sys 0xF7A0F000 \SystemRoot\system32\DRIVERS\mssmbios.sys 0xF75EF000 \SystemRoot\System32\Drivers\NDProxy.SYS 0xF7A23000 \SystemRoot\system32\DRIVERS\ikeyifd.sys 0xF7A27000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS 0xF418D000 \SystemRoot\system32\drivers\ADIHdAud.sys 0xF4169000 \SystemRoot\system32\drivers\portcls.sys 0xF75FF000 \SystemRoot\system32\drivers\drmk.sys 0xF40A9000 \SystemRoot\system32\drivers\AEAudio.sys 0xF4049000 \SystemRoot\system32\drivers\Senfilt.sys 0xF760F000 \SystemRoot\system32\DRIVERS\usbhub.sys 0xF7A57000 \SystemRoot\system32\DRIVERS\USBD.SYS 0xF789F000 \SystemRoot\system32\DRIVERS\flpydisk.sys 0xF7A59000 \SystemRoot\System32\Drivers\Fs_Rec.SYS 0xF7C6E000 \SystemRoot\System32\Drivers\Null.SYS 0xF7A5B000 \SystemRoot\System32\Drivers\Beep.SYS 0xF78AF000 \SystemRoot\System32\drivers\vga.sys 0xF7A5D000 \SystemRoot\System32\Drivers\mnmdd.SYS 0xF7A5F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys 0xF78B7000 \SystemRoot\System32\Drivers\Msfs.SYS 0xF78BF000 \SystemRoot\System32\Drivers\Npfs.SYS 0xF7311000 \SystemRoot\system32\DRIVERS\rasacd.sys 0xF3FF6000 \SystemRoot\system32\DRIVERS\ipsec.sys 0xF3F9D000 \SystemRoot\system32\DRIVERS\tcpip.sys 0xF763F000 \SystemRoot\System32\Drivers\aswTdi.SYS 0xF3F4F000 \SystemRoot\system32\DRIVERS\ipnat.sys 0xF3F27000 \SystemRoot\system32\DRIVERS\netbt.sys 0xF764F000 \SystemRoot\system32\DRIVERS\wanarp.sys 0xF78C7000 \SystemRoot\System32\Drivers\aswRdr.SYS 0xF79DB000 \SystemRoot\System32\drivers\ws2ifsl.sys 0xF3F05000 \SystemRoot\System32\drivers\afd.sys 0xF765F000 \SystemRoot\system32\DRIVERS\netbios.sys 0xF3EDA000 \SystemRoot\system32\DRIVERS\rdbss.sys 0xF3E6A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys 0xF766F000 \SystemRoot\System32\Drivers\Fips.SYS 0xF3E19000 \SystemRoot\System32\Drivers\aswSP.SYS 0xF3D57000 \SystemRoot\System32\Drivers\aswSnx.SYS 0xF772F000 \SystemRoot\System32\Drivers\Aavmker4.SYS 0xF4139000 \SystemRoot\System32\Drivers\Cdfs.SYS 0xF3D3F000 \SystemRoot\System32\Drivers\dump_atapi.sys 0xF7ADF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS 0xBF800000 \SystemRoot\System32\win32k.sys 0xF6763000 \SystemRoot\System32\drivers\Dxapi.sys 0xF77FF000 \SystemRoot\System32\watchdog.sys 0xBD000000 \SystemRoot\System32\drivers\dxg.sys 0xF7B20000 \SystemRoot\System32\drivers\dxgthk.sys 0xBD012000 \SystemRoot\System32\nv4_disp.dll 0xB87F8000 \SystemRoot\System32\Drivers\aswFsBlk.SYS 0xB8780000 \SystemRoot\system32\DRIVERS\ndisuio.sys 0xB8542000 \SystemRoot\System32\Drivers\aswMon2.SYS 0xB8425000 \SystemRoot\system32\DRIVERS\mrxdav.sys 0xF7A93000 \SystemRoot\System32\Drivers\ParVdm.SYS 0xB828D000 \SystemRoot\system32\DRIVERS\srv.sys 0xB7F80000 \SystemRoot\system32\drivers\wdmaud.sys 0xB835D000 \SystemRoot\system32\drivers\sysaudio.sys 0xB785B000 \SystemRoot\System32\Drivers\HTTP.sys 0xB682E000 \SystemRoot\system32\drivers\kmixer.sys 0x7C900000 \WINDOWS\system32\ntdll.dll Processes (total 41): 0 System Idle Process 4 System 880 C:\WINDOWS\system32\smss.exe 940 C:\WINDOWS\system32\csrss.exe 964 C:\WINDOWS\system32\winlogon.exe 1008 C:\WINDOWS\system32\services.exe 1020 C:\WINDOWS\system32\lsass.exe 1200 C:\WINDOWS\system32\nvsvc32.exe 1236 C:\ARQUIV~1\GbPlugin\gbpsv.exe 1272 C:\WINDOWS\system32\svchost.exe 1348 C:\WINDOWS\system32\svchost.exe 1472 C:\WINDOWS\system32\svchost.exe 1580 C:\WINDOWS\system32\svchost.exe 1720 C:\WINDOWS\system32\svchost.exe 1888 C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe 1932 C:\WINDOWS\system32\spoolsv.exe 2004 C:\WINDOWS\system32\scardsvr.exe 172 C:\WINDOWS\system32\svchost.exe 336 C:\WINDOWS\system32\dklog.exe 472 C:\WINDOWS\system32\dkvcm.exe 552 C:\Fortes\Firebird\Firebird_2_1\bin\fbguard.exe 844 C:\Arquivos de programas\Java\jre6\bin\jqs.exe 896 C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe 1024 C:\Fortes\RemProt\remprots.exe 1568 C:\WINDOWS\system32\svchost.exe 1988 C:\WINDOWS\system32\dkcktkn.exe 2476 C:\Fortes\Firebird\Firebird_2_1\bin\fbserver.exe 2804 C:\WINDOWS\system32\wbem\wmiapsrv.exe 2816 C:\WINDOWS\explorer.exe 3128 C:\WINDOWS\system32\alg.exe 1784 C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe 2056 C:\WINDOWS\system32\rundll32.exe 2284 C:\Arquivos de programas\HP\HP Software Update\hpwuSchd2.exe 2456 C:\Arquivos de programas\HP\Digital Imaging\bin\HpqSRmon.exe 2892 C:\Arquivos de programas\Safenet\BSecClient\AXMonitor.exe 3304 C:\Arquivos de programas\Safenet\BSecClient\dkAutoReg.exe 4092 C:\Arquivos de programas\Alwil Software\Avast5\AvastUI.exe 2920 C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe 1648 C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe 3076 C:\WINDOWS\system32\ctfmon.exe 3664 C:\Documents and Settings\f003654\Desktop\MBRCheck.exe \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS) PhysicalDrive0 Model Number: SAMSUNGHD081GJ, Rev: GE100-07 Size Device Name MBR Status -------------------------------------------- 74 GB \\.\PhysicalDrive0 Windows XP MBR code detected SHA1: 2C6D77F4F50AA9DE10FCE2024558166E9012FC6F Done! Compartilhar este post Link para o post Compartilhar em outros sites
wings 22 Denunciar post Postado Junho 5, 2012 Bom dia! O PC está limpo....:) 1. *Renomei o Combofix para Uninstall *Execute-o, aguarde a mensagem ComboFix foi desinstalado e clique [OK] *Delete o arquivo C:\Combofix.txt 2. *Delete o MBRCheck Um abraço. Compartilhar este post Link para o post Compartilhar em outros sites
Edvan 30 Denunciar post Postado Junho 5, 2012 Feito, valeu pela ajuda. Um abraço. Compartilhar este post Link para o post Compartilhar em outros sites
wings 22 Denunciar post Postado Junho 5, 2012 PROBLEMA RESOLVIDO Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico. Compartilhar este post Link para o post Compartilhar em outros sites
