I noticed that my MSN was sending a file to all my contacts:
images.zip, together with a message in English.
I tried to remove the likely files by searching in msconfig and the registry.
After that I tried to install Hoopaa (it does not let you open pages in Firefox or Internet Explorer), the typical kind of program that watches which sites are visited and blocks them.
But the installation froze. On reboot it stayed on the desktop screen and nothing else. No taskbar, no icons, nothing.
I can browse and open programs, all through the task manager.
I would like you to analyze my LOG.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:41:36, on 24/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\mysql\bin\mysqld-max.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\instalações\limpeza\NoLop.exe
C:\WINDOWS\explorer.exe
C:\instalações\limpeza\hijackthis\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [super Plug 2007] C:\SUPEREMPRESA\PROGRAMA\SuperPlug.exe
O4 - HKLM\..\Run: [sSC Service Utility] C:\Arquivos de programas\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [Firebird 1.5] C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe -a
O4 - HKLM\..\Run: [bag_load] C:\WINDOWS\system32\bag_load.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\MSCONFIG.EXE /auto
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] WINUPDATE.EXE
O4 - HKCU\..\Run: [Cobian Backup 8] "C:\Arquivos de programas\Cobian Backup 8\Cobian.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\2p0mr8z0.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles/2p0mr8z0.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MySQL.lnk = C:\MySQL\bin\winmysqladmin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Descarga selecionada pelo Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Descarregar com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: Descarregar tudo com Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ComQuest Memo-Rex - {1C23E480-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\memorex.exe
O9 - Extra 'Tools' menuitem: Memo-Rex - {1C23E480-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\memorex.exe
O9 - Extra button: Agenda de compromissos do Memo-Rex - {1C23E481-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchtasks.exe
O9 - Extra 'Tools' menuitem: Compromissos - {1C23E481-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchtasks.exe
O9 - Extra button: Agenda de contatos do Memo-Rex - {1C23E482-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchcontacts.exe
O9 - Extra 'Tools' menuitem: Contatos - {1C23E482-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchcontacts.exe
O9 - Extra button: Bloco de anotações do Memo-Rex - {1C23E483-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchnotes.exe
O9 - Extra 'Tools' menuitem: Anotações - {1C23E483-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchnotes.exe
O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Arquivos de programas\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-max.exe
--
End of file - 8833 bytes
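What a helper checks first in a HijackThis log like the one above can be written down as code. The following is an added example, not code from the thread or from Trend Micro's HijackThis: a small Python triage that walks the O4 autostart entries, the R1 proxy setting, the F2 shell line and the O6 restriction flags and says why each flagged line deserves a look. SAMPLE_LOG is a constructed excerpt modelled on the log above; the heuristics (a RunServices entry, an autostart given as a bare file name such as WINUPDATE.EXE, a proxy pointing at 127.0.0.1, an empty Shell= value, which matches the bare-desktop symptom described in the post) are my own choices about what is worth a reviewer's time, not a verdict that any particular entry is malicious.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis 2.0 log layout, modelled on the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\MSCONFIG.EXE /auto
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] WINUPDATE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
"""

# Line shapes HijackThis uses for the sections this triage looks at.
_O4 = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
_PROXY = re.compile(r'^R1 - .*Internet Settings,ProxyServer = (?P<host>[\w.\-]+):(?P<port>\d+)')
_SHELL = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<shell>.*)$')


@dataclass
class Finding:
    section: str  # HijackThis section code (O4, R1, F2, O6)
    reason: str
    line: str


def has_no_path(cmd: str) -> bool:
    """True when the command is a bare file name (e.g. WINUPDATE.EXE) with no directory,
    drive letter or %variable%: Windows resolves it by PATH search, so the analyst has to
    find which copy actually runs before trusting the name."""
    head = cmd.strip().strip('"').split(' ')[0]
    return '\\' not in head and ':' not in head and '%' not in head


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a reviewer should look at first, each with the reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := _O4.match(line):
            if m['key'].lower() == 'runservices':
                findings.append(Finding('O4', 'RunServices autostart: a Windows 9x-era key that '
                                        'current installers do not use; worms still write it', line))
            if has_no_path(m['cmd']):
                findings.append(Finding('O4', 'autostart with no path (resolved by PATH search); '
                                        'locate the real file before trusting the display name', line))
        elif m := _PROXY.match(line):
            if m['host'] in ('127.0.0.1', 'localhost'):
                findings.append(Finding('R1', f"IE sends all traffic through a local listener on port {m['port']}; "
                                        'find the process bound to it (netstat -ano)', line))
        elif m := _SHELL.match(line):
            shell = m['shell'].strip()
            if shell == '':
                findings.append(Finding('F2', 'Winlogon Shell value is empty: nothing starts the desktop shell at '
                                        'logon, which leaves a bare desktop with no taskbar or icons', line))
            elif shell.lower() != 'explorer.exe':
                findings.append(Finding('F2', f'Winlogon Shell replaced by {shell}', line))
        elif line.startswith('O6 - '):
            findings.append(Finding('O6', 'Internet Explorer restriction policies present: set by malware or by '
                                    'a hardening tool, so confirm which before removing', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.section}] {f.reason}\n    {f.line}')
```

Run against the real log the same rules also fire on the O4 RunServices line and the empty F2 line; the Kaspersky, ctfmon and MSConfig entries, which carry full paths under ordinary Run keys, stay quiet. The local proxy on 8081 is a review item rather than a verdict: the post mentions a site-blocking tool was installed, and such tools can use a local proxy, so the owning process has to be identified before the setting is removed.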
Hello, Jgarcia.
I did as you said:
Downloaded it, ran it, it rebooted.
It came back to Windows with the same problem.
I went to C:\Combofix and found combofix.txt;
inside it there is only 1 line:
"Administrador" - 2007-07-25 9:39:38 [GMT -3:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
Is that really all? I ran it without being in safe mode.
Awaiting your reply.
=====
Hello, I edited the message because I ran the program again.
Now it worked: it did not reset, and my machine went back to how it was before.
THANK YOU VERY MUCH
They follow below, in order:
Combofix.txt
Nolop.log
ComboFix-quarantined-files.txt
Regards
"Administrador" - 2007-07-25 10:09:59 [GMT -3:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))
2007-07-25 09:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-24 17:54 <DIR> d-------- C:\VundoFix Backups
2007-07-24 14:35 <DIR> d-------- C:\NoLopBackups
2007-07-24 14:30 132 --a------ C:\delete.bat
2007-07-24 13:33 <DIR> d-------- C:\!KillBox
2007-07-24 11:52 145,408 --a------ C:\WINDOWS\system32\MSCONFIG.EXE
2007-07-24 11:29 <DIR> d-------- C:\Hoopaa
2007-07-24 11:29 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Thraex Software
2007-07-23 17:53 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2007-07-22 17:26 17,408 --a------ C:\WINDOWS\system32\cymdda.dll
2007-07-22 14:25 61,952 --a------ C:\DOCUME~1\ADMINI~1\new2.exe
2007-07-22 14:24 17,408 --a------ C:\WINDOWS\system32\msnt.dll
2007-07-22 13:50 61,952 --a------ C:\DOCUME~1\ADMINI~1\asdf.exe
2007-07-22 13:47 17,408 --a------ C:\WINDOWS\system32\rsshost.dll
2007-07-20 15:51 63,961 --a------ C:\DOCUME~1\ADMINI~1\pf.exe
2007-07-16 14:53 36,864 --a------ C:\WINDOWS\system32\EPLPUX02.EXE
2007-07-16 14:53 182 --a------ C:\WINDOWS\system32\EBPPORT.DAT
2007-07-14 02:53 94,613 --a------ C:\WINDOWS\adasd.exe
2007-07-13 00:27 183,296 --a------ C:\WINDOWS\system32\uds.exe
2007-07-13 00:22 183,296 --a------ C:\WINDOWS\system32\ud.exe
2007-07-13 00:20 183,296 --a------ C:\DOCUME~1\ADMINI~1\ud.exe
2007-07-12 14:48 125,526 --a------ C:\WINDOWS\system32\lkadjas.exe
2007-07-12 12:21 125,526 --a------ C:\WINDOWS\system32\asdh.exe
2007-07-11 21:06 125,526 --a------ C:\WINDOWS\system32\skdaj.exe
2007-07-10 12:58 228 --a------ C:\n.bat
2007-07-05 17:01 <DIR> d-------- C:\Arquivos de programas\Vale Transporte
2007-07-05 10:31 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-05 10:31 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-25 13:15:24 30,634,272 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-25 13:09:39 1,199,392 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-07-25 12:48:23 417,116 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-25 12:48:23 120,752 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-07-24 20:52:53 -------- d-----w C:\Arquivos de programas\Mastercx
2007-07-24 20:31:34 -------- d-----w C:\Arquivos de programas\Mozilla Thunderbird
2007-07-24 20:20:27 -------- d-----w C:\Arquivos de programas\Cia. do Software
2007-07-24 18:02:29 -------- d-----w C:\Arquivos de programas\Bonus
2007-07-24 17:03:20 -------- d-----w C:\DOCUME~1\ADMINI~1\DADOSD~1\Free Download Manager
2007-07-24 14:45:12 -------- d-----w C:\Arquivos de programas\Windows Live Toolbar
2007-07-24 14:29:18 -------- d-----w C:\DOCUME~1\ADMINI~1\DADOSD~1\uTorrent
2007-07-24 13:43:11 -------- d-----w C:\Arquivos de programas\GbPlugin
2007-07-23 12:26:19 -------- d-----w C:\Arquivos de programas\Promob 4i Bentec Modullare
2007-07-21 21:44:43 -------- d-----w C:\Arquivos de programas\ProMOB 4i Arvy
2007-07-16 18:29:55 -------- d-----w C:\Arquivos de programas\SSC Service Utility
2007-07-16 18:14:20 -------- d-----w C:\Arquivos de programas\EPSON
2007-07-06 13:20:28 966,144 ----a-w C:\WINDOWS\system32\winswag.exe
2007-07-05 18:42:20 -------- d-----w C:\Arquivos de programas\Agenda Digital 1.0
2007-07-05 13:47:29 1,353,216 ----a-w C:\WINDOWS\system32\winswblib.dll
2007-06-23 12:12:53 -------- d-----w C:\Arquivos de programas\MySQL-Front
2007-06-22 20:12:19 -------- d-----w C:\Arquivos de programas\MSN Plus! Live
2007-06-22 20:12:18 -------- d-----w C:\Arquivos de programas\Windows Live
2007-06-22 20:12:18 -------- d-----w C:\Arquivos de programas\MSN Messenger
2007-06-09 19:56:38 256,000 ----a-w C:\WINDOWS\system32\winswag.dat
2007-06-05 15:18:07 -------- d-----w C:\Arquivos de programas\Cobian Backup 8
2007-06-05 14:57:12 -------- d-----w C:\Arquivos de programas\Sayz Me
2007-06-05 14:55:43 -------- d-----w C:\Arquivos de programas\Arquivos comuns\XPressUpdate
2007-06-05 14:55:01 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-06-05 14:54:04 -------- d-----w C:\Arquivos de programas\Hewlett-Packard
2007-06-05 14:52:30 -------- d-----w C:\Arquivos de programas\eMule
2007-06-05 14:51:06 -------- d-----w C:\Arquivos de programas\Yahoo!
2007-06-05 14:50:33 -------- d-----w C:\Arquivos de programas\Apple Software Update
2007-06-05 14:48:28 -------- d-----w C:\Arquivos de programas\Investintech.com Inc
2007-06-05 14:47:41 -------- d-----w C:\Arquivos de programas\Lavasoft
2007-06-05 14:47:40 -------- d-----w C:\DOCUME~1\ADMINI~1\DADOSD~1\Lavasoft
2007-06-02 16:28:39 1,349,632 ----a-w C:\WINDOWS\system32\__winswblib.dll
2007-05-29 17:58:46 -------- d-----w C:\Arquivos de programas\Arquivos comuns\snpstd
2007-05-26 18:21:10 -------- d-----w C:\Arquivos de programas\MSECache
2007-05-26 17:40:41 -------- d-----w C:\DOCUME~1\ADMINI~1\DADOSD~1\Skype
2007-05-24 20:52:25 31,132 ----a-w C:\clown.dll
2007-05-18 17:33:42 31,132 ----a-w C:\WINDOWS\system32\clown.dll
2006-11-04 13:17:01 774,144 ----a-w C:\Arquivos de programas\RngInterstitial.dll
2006-05-19 14:49:34 469 ----a-w C:\Arquivos de programas\INSTALL.LOG
2005-04-07 18:47:32 548,864 --sh--r C:\WINDOWS\system32\adasoftw.exe
2004-10-22 11:44:49 56 --sh--r C:\WINDOWS\system32\E4DAC76CDB.sys
2005-04-07 18:47:32 1,334,272 --sh--r C:\WINDOWS\system32\JavaMV.exe
2006-02-11 11:30:37 2,620 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-04-07 18:47:32 816,128 --sh--r C:\WINDOWS\system32\redrock.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
Note empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Super Plug 2007"="C:\SUPEREMPRESA\PROGRAMA\SuperPlug.exe" [2007-02-14 09:46]
"SSC Service Utility"="C:\Arquivos de programas\SSC Service Utility\ssc_serv.exe" [2006-01-26 08:59]
"Firebird 1.5"="C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe" [2006-01-17 00:05]
"AVP"="C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 20:50]
"Microsoft"="JavaMV.exe" [2005-04-07 15:47 C:\WINDOWS\system32\JavaMV.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 8"="C:\Arquivos de programas\Cobian Backup 8\Cobian.exe" [2007-03-21 00:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\2p0mr8z0.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles/2p0mr8z0.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"NoLop"=C:\instalações\limpeza\NoLop.exe
"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Windows Updater"=WINUPDATE.EXE
"Microsoft"=JavaMV.exe
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
MySQL.lnk - C:\MySQL\bin\winmysqladmin.exe [2005-10-08 11:52:22]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
@=DisableTaskMgr
"NoDispCPL"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableCurrentUserRun"=0 (0x0)
"DisableLocalMachineRun"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"LockTaskbar"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
@=
"NoUserNameInStartMenu"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoFind"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoWinKeys"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"LockTaskbar"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
@=
"NoUserNameInStartMenu"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoWinKeys"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"ForceClassicControlPanel"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Arquivos de programas\GbPlugin\gbieh.dll [2007-06-25 09:24 332616]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\WINDOWS\Downloaded Program Files\gbiehabn.dll [2007-01-10 13:08 222392]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^iexplore.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^ImageFox.lnk]
backup=C:\WINDOWS\pss\ImageFox.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^PalStart.lnk]
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Utility Tray.lnk]
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_CC]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClockSync]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DStartup]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Updater]
WINUPDATE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSsoft A-ware Clean]
nsvsef.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxMoniter]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winserver]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"System Event"=2 (0x2)
"abba"=2 (0x2)
"UPHClean"=2 (0x2)
"usnsvc"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"TrackMSN"=2 (0x2)
"Secure"=2 (0x2)
"r_server"=2 (0x2)
"ose"=3 (0x3)
"MSpack"=2 (0x2)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"GbpSv"=2 (0x2)
"Adobe LM Service"=3 (0x3)
R0 uagp35;Filtro Microsoft AGPv3.5;C:\WINDOWS\system32\DRIVERS\uagp35.sys
R2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe
R2 rspndr;Respondente de Descoberta de Topologia de Camada de Link;C:\WINDOWS\system32\DRIVERS\rspndr.sys
R3 Eplpdx02;Eplpdx02;\??\C:\WINDOWS\system32\Drivers\EPLPDX02.SYS
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
R3 HidUsb;Driver de classe HID da Microsoft;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
S3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;Miniporta de ponte MAC;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 CA561;VideoCAM Express V2;C:\WINDOWS\system32\Drivers\SPCA561.SYS
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 ip6fw;Driver de IPv6 do Firewall do Windows;C:\WINDOWS\system32\drivers\ip6fw.sys
S3 ndiscm;Motorola USB Cable Modem Windows Driver;C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1);C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys
S3 USBCM;Scientific-Atlanta USB Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\Sacm2A.sys
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 usbscan;USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S4 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 10:15:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-25 10:16:59
C:\ComboFix-quarantined-files.txt ... 2007-07-25 10:16
--- E O F ---
===
Now the Nolop.log
NoLop! Log by Skate_Punk_21
Fix running from: C:\Arquivos de programas\Mozilla Firefox
[24/07/2007]
[14:30:30]
---Infection Files Found/Removed---
C:\WINDOWS\tasks\A27A79E091F1F178.job
Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
Fix Complete!
---Listing AppData sub directories---
C:\Documents and Settings\Administrador\Application Data\Microsoft
====
Now the ComboFix-quarantined-files.txt
2000-11-13 12:13 262144 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\FtpX.DLL.vir
2005-08-02 18:08 61440 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\WanPacket.dll.vir
2005-08-02 18:08 81920 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir
2005-08-02 18:10 32512 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2005-08-02 18:18 233472 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2006-03-24 12:41 53 --a------ C:\Qoobox\Quarantine\C\WINDOWS\url.ini.vir
2006-06-06 07:07 35 --a------ C:\Qoobox\Quarantine\C\Arquivos de programas\Download Plugin\DlPlugin-Moz\vendor.txt.vir
2006-12-05 11:17 20 --a------ C:\Qoobox\Quarantine\C\Arquivos de programas\Download Plugin\DlPlugin-Moz\buddy.dat.vir
2007-07-25 09:45 1032 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf
2007-07-25 09:45 2404 --a------ C:\Qoobox\Quarantine\Registry_backups\services_NPF.reg.cf
Folder PATH listing
Volume serial number is A434-3829
C:\QOOBOX\
\---Quarantine
    +---C
    |   +---Arquivos de programas
    |   |   \---Download Plugin
    |   |       \---DlPlugin-Moz
    |   |               buddy.dat.vir
    |   |               vendor.txt.vir
    |   |
    |   \---WINDOWS
    |       |   url.ini.vir
    |       |
    |       \---system32
    |           |   FtpX.DLL.vir
    |           |   Packet.dll.vir
    |           |   WanPacket.dll.vir
    |           |   wpcap.dll.vir
    |           |
    |           \---drivers
    |                   npf.sys.vir
    |
    \---Registry_backups
            LEGACY_NPF.reg.cf
            services_NPF.reg.cf
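The kill list in the reply further down follows from two signals that are visible in the ComboFix "Files Created" section above: several differently named binaries with identical sizes (three 17,408-byte DLLs, three 183,296-byte EXEs, three 125,526-byte EXEs, two 61,952-byte EXEs), and executables dropped straight into system32, %WINDIR%, the drive root or the profile root under keyboard-mash names. The following is an added example, not ComboFix's code or anything from the thread: a Python pass over a constructed excerpt of that section (SAMPLE, a subset of the lines posted above) that scores each binary on those signals and produces a review list. The weights, the vowel heuristic and the folder classes are my assumptions, tuned to this log, and the output is a list to review rather than a verdict, as nircmd.exe shows: it scores as suspicious but is the helper executable ComboFix itself wrote at 09:38 on the day the tool ran, which is why timestamps are always checked against when each tool was run.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt in the layout of ComboFix's "Files Created" section, modelled on
# (and a subset of) the log posted above.
SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))
2007-07-25 09:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-24 17:54 <DIR> d-------- C:\VundoFix Backups
2007-07-24 14:30 132 --a------ C:\delete.bat
2007-07-24 11:52 145,408 --a------ C:\WINDOWS\system32\MSCONFIG.EXE
2007-07-22 17:26 17,408 --a------ C:\WINDOWS\system32\cymdda.dll
2007-07-22 14:25 61,952 --a------ C:\DOCUME~1\ADMINI~1\new2.exe
2007-07-22 14:24 17,408 --a------ C:\WINDOWS\system32\msnt.dll
2007-07-22 13:50 61,952 --a------ C:\DOCUME~1\ADMINI~1\asdf.exe
2007-07-22 13:47 17,408 --a------ C:\WINDOWS\system32\rsshost.dll
2007-07-20 15:51 63,961 --a------ C:\DOCUME~1\ADMINI~1\pf.exe
2007-07-16 14:53 36,864 --a------ C:\WINDOWS\system32\EPLPUX02.EXE
2007-07-16 14:53 182 --a------ C:\WINDOWS\system32\EBPPORT.DAT
2007-07-14 02:53 94,613 --a------ C:\WINDOWS\adasd.exe
2007-07-13 00:27 183,296 --a------ C:\WINDOWS\system32\uds.exe
2007-07-13 00:22 183,296 --a------ C:\WINDOWS\system32\ud.exe
2007-07-13 00:20 183,296 --a------ C:\DOCUME~1\ADMINI~1\ud.exe
2007-07-12 14:48 125,526 --a------ C:\WINDOWS\system32\lkadjas.exe
2007-07-12 12:21 125,526 --a------ C:\WINDOWS\system32\asdh.exe
2007-07-11 21:06 125,526 --a------ C:\WINDOWS\system32\skdaj.exe
2007-07-05 10:31 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

_ROW = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+)\s+\S+\s+(.+)$')
EXEC_EXT = ('.exe', '.dll', '.sys', '.scr', '.com')


@dataclass
class Hit:
    path: str
    size: int
    score: int
    reasons: list


def created_rows(text):
    """Yield (date, time, size, path) for file rows between the 'Files Created' banner
    and the 'Find3M Report' banner; <DIR> rows do not match the row shape and are skipped."""
    inside = False
    for line in text.splitlines():
        if 'Files Created' in line:
            inside = True
            continue
        if 'Find3M' in line:
            break
        m = _ROW.match(line) if inside else None
        if m:
            yield m.group(1), m.group(2), int(m.group(3).replace(',', '')), m.group(4).strip()


def location_score(path):
    """Binaries do not belong directly in a drive root, %WINDIR% or a profile root (+2);
    system32 is shared with legitimate installers, so it only counts +1 (short 8.3 names
    as ComboFix prints them are assumed)."""
    folder = path.lower().rpartition('\\')[0]
    if re.fullmatch(r'[a-z]:(\\windows|\\docume~1\\[^\\]+)?', folder):
        return 2, 'dropped directly in a drive, Windows or profile root'
    if re.fullmatch(r'[a-z]:\\windows\\system32', folder):
        return 1, 'dropped directly in system32'
    return 0, ''


def random_stem(name):
    """Keyboard-mash names: letters only and either very short or nearly vowel-free."""
    stem = name.rsplit('.', 1)[0]
    if not stem.isalpha():
        return False
    vowels = sum(ch in 'aeiou' for ch in stem.lower())
    return len(stem) <= 4 or vowels / len(stem) < 0.25


def triage_created(text, threshold=2):
    rows = [r for r in created_rows(text) if r[3].lower().endswith(EXEC_EXT)]
    names_by_size = defaultdict(set)          # size -> distinct file names of that size
    for _, _, size, path in rows:
        names_by_size[size].add(path.rpartition('\\')[2].lower())
    hits = []
    for _, _, size, path in rows:
        score, reasons = 0, []
        twins = len(names_by_size[size]) - 1
        if twins:                             # same bytes under different names: a dropper re-copying itself
            score += 2
            reasons.append(f'{size:,} bytes, same size as {twins} differently named file(s)')
        loc, why = location_score(path)
        if loc:
            score += loc
            reasons.append(why)
        if random_stem(path.rpartition('\\')[2]):
            score += 1
            reasons.append('random-looking file name')
        if score >= threshold:
            hits.append(Hit(path, size, score, reasons))
    hits.sort(key=lambda h: -h.score)
    return hits


def flagged_paths(text):
    return {h.path for h in triage_created(text)}


if __name__ == '__main__':
    for h in triage_created(SAMPLE):
        print(f'{h.score}  {h.path}  <- ' + '; '.join(h.reasons))
```

On this excerpt the list reproduces every system32 and %WINDIR% file from the kill list in the reply below, and additionally surfaces the profile-root droppers (new2.exe, asdf.exe, pf.exe, ud.exe) that the reply leaves out; MSCONFIG.EXE and the Epson printer file EPLPUX02.EXE, both unique in size and with readable names, stay below the threshold. Files that appear only in the Find3M section (adasoftw.exe, JavaMV.exe, redrock.exe, winswag.exe) are in a different row layout and would need their own parser.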
Hey V for Vendetta,
Let's go.
Set Windows to show all files (including hidden ones).
Step 1
Download Killbox at:
1. Run Killbox and click Delete on Reboot.
2. Copy the bold list below to the clipboard. Select all of it with the mouse --> go to the Edit menu in the browser bar --> click Copy.
C:\WINDOWS\system32\cymdda.dll
C:\WINDOWS\system32\msnt.dll
C:\WINDOWS\system32\rsshost.dll
C:\WINDOWS\system32\clown.dll
C:\WINDOWS\system32\uds.exe
C:\WINDOWS\system32\ud.exe
C:\WINDOWS\system32\lkadjas.exe
C:\WINDOWS\system32\asdh.exe
C:\WINDOWS\system32\skdaj.exe
C:\WINDOWS\system32\adasoftw.exe
C:\WINDOWS\system32\JavaMV.exe
C:\WINDOWS\adasd.exe
C:\clown.dll
3. Go back to Killbox. Click File > Paste from clipboard. Click All Files.
4. Press "X". Answer "no" to the question.
Step 2
Reboot in Normal Mode.
Delete the contents of the C:\!Killbox folder.
Post new ComboFix and HijackThis logs.
I'll wait for your reply.
Regards.
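Delete on Reboot, as an added example rather than Killbox's own code (the page does not say how Killbox implements it): the standard Win32 way to remove a file that is locked or re-created while Windows is running is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request under the PendingFileRenameOperations value for the session manager to carry out early in the next boot, before the shell or any Run entry starts. The Python below (function names are mine) builds and decodes that REG_MULTI_SZ value so the queue can be checked before rebooting, and, on Windows only, queues the paths through the API and reads the queue back; the two kill-list paths in main are taken from the reply above. The caveat a practitioner adds to the procedure: a file deleted this way comes back at the next logon if the autostart value that launches its dropper (the RunServices "Microsoft Windows Updater"=WINUPDATE.EXE and "Microsoft"=JavaMV.exe entries in the ComboFix log) is left in place, which is why the reply asks for fresh logs afterwards.

```python
import sys

# Where Windows keeps the queue that the boot-time session manager processes.
PENDING_KEY = r'SYSTEM\CurrentControlSet\Control\Session Manager'
PENDING_VALUE = 'PendingFileRenameOperations'
NT_PREFIX = '\\??\\'                 # NT object-manager form of a Win32 path
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4    # MoveFileEx flag: act at next boot, not now


def encode_pending(paths):
    """Build the REG_MULTI_SZ list that queues each path for deletion at the next boot.
    Entries come in pairs: the source in \\??\\C:\\... form, then an empty destination,
    which means 'delete' rather than 'rename'."""
    entries = []
    for p in paths:
        entries.append(NT_PREFIX + p)
        entries.append('')
    return entries


def decode_pending(entries):
    """Turn a stored list back into (source, destination) pairs; destination '' = delete."""
    pairs = zip(entries[0::2], entries[1::2])
    return [(s.removeprefix(NT_PREFIX), d.removeprefix(NT_PREFIX)) for s, d in pairs]


def queue_delete_on_reboot(paths):
    """Windows only: ask the kernel to delete each path during the next boot. Returns the
    paths accepted; the ones the API refused are reported with the Win32 error code."""
    if sys.platform != 'win32':
        raise OSError('delete-on-reboot requires the Windows kernel32 API')
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL('kernel32', use_last_error=True)
    k32.MoveFileExW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD]
    k32.MoveFileExW.restype = wintypes.BOOL
    queued = []
    for p in paths:
        if k32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            queued.append(p)
        else:
            print(f'refused {p}: Win32 error {ctypes.get_last_error()}')
    return queued


def read_pending():
    """Windows only: what is currently queued, so the list can be verified before rebooting
    (same data as: reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
    /v PendingFileRenameOperations)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
    except FileNotFoundError:
        return []
    return decode_pending(value)


if __name__ == '__main__':
    kill_list = [r'C:\WINDOWS\system32\cymdda.dll', r'C:\WINDOWS\system32\msnt.dll']
    print(encode_pending(kill_list))      # what the registry value will hold
    if sys.platform == 'win32':
        queue_delete_on_reboot(kill_list)  # needs an administrator token
        print(read_pending())
```

Queuing needs an administrator token (the helper's instructions assume the "Administrador" account seen in the logs), and the deletion happens only if the file still exists at boot under that exact path; a dropper that renames its payload each run (the three same-size DLLs in the log suggest that pattern) defeats a path-based queue, which is the other reason to remove the autostart entries in the same pass.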
Topic Archived
Since the author did not reply for more than 20 days, the topic was archived.
If you are the author of the topic and want to reopen it, send a private message to a moderator of the area along with the link to this topic and explain the reason for reopening it.
Hey V for Vendetta,
Download ComboFix at:
ComboFix
6) I need you to paste the contents of ComboFix.txt in your next reply.
Regards.