Publicado em 13 de set.

[Resolvido] &nbspRemoção de trojan

Boa noite equipe Imaster,

Meu anti-virus toda hora me alerta sobre um trojan que não consigo remover. Nome Generic 19.LZU nas pastas c:\WINDOWS\system32\dlodf.dll.

Obrigado desde já.

Segue então o log do hijackthis:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 00:36:38, on 13/9/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe

C:\Arquivos de programas\AVG\AVG9\avgrsx.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe

C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

c:\firebird\bin\fbguard.exe

C:\WINDOWS\System32\svchost.exe

c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe

C:\Arquivos de programas\AVG\AVG9\avgnsx.exe

C:\WINDOWS\SYSTEM\HpServ.exe

C:\Arquivos de programas\C&E\OSD\osd.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

C:\ARQUIV~1\AVG\AVG9\avgtray.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\sistray.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

c:\firebird\bin\fbserver.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe

C:\Arquivos de programas\AVG\AVG9\avgscanx.exe

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe

C:\hijack\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.160

R3 - URLSearchHook: Thoosje Toolbar - {3ba34663-845a-4931-a6f3-1e033ec342a7} - C:\Arquivos de programas\Thoosje\tbThoo.dll

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Thoosje Toolbar - {3ba34663-845a-4931-a6f3-1e033ec342a7} - C:\Arquivos de programas\Thoosje\tbThoo.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG9\avgssie.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll

O2 - BHO: (no name) - {DF073803-6E52-459A-8EBD-CBBE7960C6C4} - c:\windows\system32\dlodf.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O3 - Toolbar: Thoosje Toolbar - {3ba34663-845a-4931-a6f3-1e033ec342a7} - C:\Arquivos de programas\Thoosje\tbThoo.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [OSD] C:\Arquivos de programas\C&E\OSD\osd.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Arquivos de programas\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay

O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DrvIcon] C:\Arquivos de programas\Vista Drive Icon\DrvIcon.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [grcnxto] C:\WINDOWS\system32\uva81xsty8.exe

O4 - HKCU\..\Run: [abgchdy] C:\WINDOWS\system32\o1f703m0nd.exe

O4 - HKCU\..\Run: [abrhi3y] C:\WINDOWS\system32\86m81yj.exe

O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG9\avgpp.dll

O20 - AppInit_DLLs: C:\ARQUIV~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Autorun CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe

O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Arquivos de programas\AVG\AVG9\Toolbar\ToolbarBroker.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - c:\firebird\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - c:\firebird\bin\fbserver.exe

O23 - Service: Gerenciador do Google Desktop 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe

O23 - Service: HP S&P Authorization Service (srvcHP2) - SQUADRA Tecnologia - C:\WINDOWS\SYSTEM\HpServ.exe

End of file - 9103 bytes

Discussão (13)

Entre ou cadastre-se para participar da discussão

Entrar Criar conta

wings· 13 de set.

Boa noite....

*Baixe o MalwareBytes Anti-malware e salve-o no desktop

*Instale o programa e aguarde a atualização

*O programa será aberto automaticamente

*Na aba [Verificação], selecione [Verificação completa]

*Clique [Verificar] e selecione as partições a serem examinadas (geralmente C:\ e D:\)

*Ao finalizar o scan, clique [sIM] > [OK] > [Mostrar Resultados]

*Clique [Remover Selecionados]

*Cole o relatório apresentado

astronautalouco· 13 de set.

Segue conforme orientação...

Obs. Apareceu uma mensagem dizendo que nem todos os itens puderam ser removidos.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Versão da Base de Dados: 4607

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

13/9/2010 12:46:42

mbam-log-2010-09-13 (12-46-42).txt

Tipo de Verificação: Verificação Completa (C:\|D:\|)

Objetos escaneados: 176207

Tempo decorrido: 34 minuto(s), 2 segundo(s)

Processos de Memória Infectados: 0

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 1

Valores de Registro Infectados: 2

Itens de Dados no Registro Infectados: 6

Pastas Infectadas: 0

Arquivos Infectados: 2

Processos de Memória Infectados:

(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty (Worm.Autorun) -> Quarantined and deleted successfully.

Valores de Registro Infectados:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.AutoRun) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) -> Quarantined and deleted successfully.

Itens de Dados no Registro Infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-4711532196-5083582120-424796509-3443\yv8g67.exe,C:\Documents and Settings\Jones\Dados de aplicativos\vgdoqo.exe,C:\RECYCLER\S-1-5-21-6415712704-0534000404-847326723-9235\nissan.exe,explorer.exe,C:\RECYCLER\S-1-5-21-0336135900-8476058762-401952557-1737\winsystem.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Pastas Infectadas:

(Não foram detectados ítens maliciosos)

Arquivos Infectados:

C:\Documents and Settings\Jones\Configurações locais\Temp\77240.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jones\Configurações locais\Temporary Internet Files\Content.IE5\6XK3C5OP\3[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

wings· 13 de set.

*Desative temporariamente seu antivírus

Clique em [iniciar] > [Programas] > [AVG] Abra a Interface do usuário do AVG

Duplo clique na Proteção Residente

Desmarque a opção "Proteção Residente ativa"

Salve as alterações

*Baixe o ComboFix e salve-o no desktop

*Execute o Combofix e aceite o contrato

*Se o console de recuperação do Windows já estiver instalado, o ComboFix continuará o processo automaticamente. Caso contrário, clique [sIM] para instalar e depois [sIM] para continuar.

/applications/core/interface/imageproxy/imageproxy.php?img=http://i.imagehost.org/0741/recovery-console-prompt.jpg&key=e82a02a7669077650b575129b2877919986cc4825b1687eb2ffdb0009aaf6732" alt="recovery-console-prompt.jpg" />

/applications/core/interface/imageproxy/imageproxy.php?img=http://i.imagehost.org/0744/recovery-console-installed.jpg&key=ea128ab96f17dd81ce75cb7ce84d8f5e2e8b2b0e5321caf560d0276a9f2199c4" alt="recovery-console-installed.jpg" />

*Aguarde a conclusão de todas as etapas

/applications/core/interface/imageproxy/imageproxy.php?img=http://img375.imageshack.us/img375/6271/etapas.jpg&key=886faf50f6e4a02cfc852e77d70bb52b257bfe1b6dfadc5fb94284cceb208d2e" alt="etapas.jpg" />

*Evite usar o mouse e o teclado durante a execução do Combofix!!..... Para interromper o procedimento tecle [N] ou [2] e depois [ENTER]

*Ao finalizar, o relatório C:\combofix.txt será apresentado.

*Cole-o na próxima resposta.

*Se for reiniciar o PC haverá uma opção, na inicialização, chamada Console de Recuperação. Não entre no Windows através do mesmo desde que devidamente orientado(a)!

astronautalouco· 14 de set.

Segue log do combofix:

ComboFix 10-09-13.01 - Jones 13/09/2010 20:51:55.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1917.1444 [GMT -3:00]

Executando de: c:\documents and settings\Jones\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

c:\documents and settings\Jones\Recent\Thumbs.db

c:\windows\desktop

c:\windows\desktop\Backup Lundi.lnk

c:\windows\Fonts\barras2.ttf

c:\windows\system32\AutoRun.inf

A cópia de c:\windows\system32\drivers\mouclass.sys foi encontrada e desinfectada

Cópia restaurada de - Kitty had a snack :P

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Legacy_NPF

-------\Service_NPF

(((((((((((((((( Arquivos/Ficheiros criados de 2010-08-13 to 2010-09-13 ))))))))))))))))))))))))))))

2010-09-13 15:07 . 2010-09-13 15:07 -------- d-----w- c:\documents and settings\Jones\Dados de aplicativos\Malwarebytes

2010-09-13 15:07 . 2010-04-29 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-13 15:07 . 2010-09-13 15:07 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2010-09-13 15:07 . 2010-09-13 15:07 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-09-13 15:07 . 2010-04-29 18:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-13 03:35 . 2010-09-13 03:36 -------- d-----w- C:\hijack

2010-09-10 19:28 . 2010-09-10 19:28 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-09-10 04:25 . 2010-09-10 04:26 -------- d-----w- c:\arquivos de programas\Real

2010-09-10 04:25 . 2010-09-10 04:26 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Real

2010-09-06 15:37 . 2010-06-30 17:22 2102600 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\AVG Security Toolbar\IEToolbar.dll

2010-09-06 14:36 . 2010-09-06 14:36 -------- d-----w- C:\$AVG

2010-09-06 14:36 . 2010-09-06 14:36 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-09-06 14:36 . 2010-09-06 14:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-09-06 14:35 . 2010-09-06 14:35 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-09-06 14:35 . 2010-09-06 14:35 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-09-06 14:35 . 2010-09-13 23:09 -------- d-----w- c:\windows\system32\drivers\Avg

2010-09-06 14:35 . 2010-09-06 15:37 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\AVG Security Toolbar

2010-09-06 14:35 . 2010-09-13 23:22 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\avg9

2010-09-06 14:35 . 2010-09-06 14:35 -------- d-----w- c:\arquivos de programas\AVG

2010-09-04 21:06 . 2010-09-04 21:06 0 ----a-w- c:\windows\nsreg.dat

2010-08-30 14:19 . 2010-08-30 14:35 -------- d-----w- C:\MAUA_O_IMPERADOR_E_O_REI

2010-08-26 15:21 . 2010-08-26 15:35 -------- d-----w- C:\ALINE_BARROS

2010-08-26 14:46 . 2010-08-26 15:16 -------- d-----w- C:\MEN_OF_HONOR

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

2010-09-10 04:26 . 2010-09-10 04:26 45056 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-09-10 04:26 . 2010-09-10 04:26 45056 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-09-10 04:26 . 2010-09-10 04:26 45056 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-09-10 04:26 . 2010-09-10 04:26 45056 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-09-10 04:26 . 2010-09-10 04:26 49152 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-09-10 04:26 . 2010-09-10 04:26 40960 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-09-10 04:26 . 2010-09-10 04:26 308808 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-09-10 04:26 . 2010-09-10 04:26 14848 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

2010-09-10 04:26 . 2010-09-10 04:26 341600 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-09-10 04:26 . 2010-09-10 04:26 -------- d-----w- c:\arquivos de programas\Arquivos comuns\xing shared

2010-09-10 04:25 . 2003-03-19 01:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-09-09 18:55 . 2009-09-09 12:44 2516 --sha-w- c:\documents and settings\All Users\Dados de aplicativos\KGyGaAvL.sys

2010-09-09 18:54 . 2009-09-09 13:29 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Corel

2010-09-08 16:20 . 2001-10-28 15:07 50002 ----a-w- c:\windows\system32\perfc016.dat

2010-09-08 16:20 . 2001-10-28 15:07 347886 ----a-w- c:\windows\system32\perfh016.dat

2010-09-06 20:39 . 2010-09-06 20:39 0 ----a-w- c:\windows\system32\dloDF.tmp

2010-09-04 20:42 . 2010-02-07 17:53 -------- d-----w- c:\arquivos de programas\Google

2010-08-30 13:54 . 2010-03-08 22:39 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\DVD Shrink

2010-08-25 03:02 . 2010-01-22 20:37 -------- d-----w- c:\arquivos de programas\Oi Velox

2010-08-24 13:23 . 2010-02-05 12:53 -------- d-----w- c:\arquivos de programas\HP

2010-08-24 13:20 . 2010-02-05 12:55 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HP

2010-08-12 21:04 . 2009-11-20 00:23 -------- d-----w- c:\documents and settings\Jones\Dados de aplicativos\Free Audio Editor

2010-08-12 20:51 . 2009-11-20 00:22 -------- d-----w- c:\arquivos de programas\Free Audio Editor

2010-08-10 19:05 . 2010-06-02 18:59 -------- d-----w- c:\arquivos de programas\Bible

2010-09-04 19:32 . 2010-09-06 13:55 119808 ----a-w- c:\arquivos de programas\mozilla firefox\components\GoogleDesktopMozilla.dll

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

Nota entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{3ba34663-845a-4931-a6f3-1e033ec342a7}"= "c:\arquivos de programas\Thoosje\tbThoo.dll" [2009-11-09 2331672]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{3ba34663-845a-4931-a6f3-1e033ec342a7}]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ba34663-845a-4931-a6f3-1e033ec342a7}]

2009-11-09 21:38 2331672 ------w- c:\arquivos de programas\Thoosje\tbThoo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-06-30 17:22 2102600 ----a-w- c:\arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

"{3ba34663-845a-4931-a6f3-1e033ec342a7}"= "c:\arquivos de programas\Thoosje\tbThoo.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{3ba34663-845a-4931-a6f3-1e033ec342a7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

"{3BA34663-845A-4931-A6F3-1E033EC342A7}"= "c:\arquivos de programas\Thoosje\tbThoo.dll" [2009-11-09 2331672]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{3ba34663-845a-4931-a6f3-1e033ec342a7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2007-06-25 53248]

"OSD"="c:\arquivos de programas\C&E\OSD\osd.exe" [2007-08-28 671801]

"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 16384512]

"SkyTel"="SkyTel.EXE" [2007-08-03 1826816]

"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-02 630784]

"Picasa Media Detector"="c:\arquivos de programas\Picasa2\PicasaMediaDetector.exe" [2006-04-19 421888]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"CloneDVDElbyDelay"="c:\arquivos de programas\Elaborate Bytes\CloneDVD\ElbyCheck.exe" [2002-11-02 45056]

"CloneCDTray"="c:\arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" [2004-09-02 57344]

"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2009-07-24 77824]

"Google Desktop Search"="c:\arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-04 30192]

"AVG9_TRAY"="c:\arquiv~1\AVG\AVG9\avgtray.exe" [2010-09-06 2065760]

"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2010-09-10 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-7-16 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-09-06 14:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\AVG\\AVG9\\avgupd.exe"=

"c:\\Arquivos de programas\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7559:TCP"= 7559:TCP:xmdncaya

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/9/2010 11:35 216400]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/9/2010 11:36 243024]

R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [14/7/2010 20:57 81920]

R2 avg9wd;AVG Free WatchDog;c:\arquivos de programas\AVG\AVG9\avgwdsvc.exe [6/9/2010 11:35 308136]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\firebird\bin\fbguard.exe -s --> c:\firebird\bin\fbguard.exe -s [?]

R2 hpinst;hpinst;c:\windows\system32\drivers\hpinst.sys [14/8/2009 14:44 7296]

R2 srvcHP2;HP S&P Authorization Service;c:\windows\system\HpServ.exe [21/7/2004 04:02 691200]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\firebird\bin\fbserver.exe -s --> c:\firebird\bin\fbserver.exe -s [?]

S0 lxdyskdz;lxdyskdz;c:\windows\system32\drivers\lxdyskdz.sys --> c:\windows\system32\drivers\lxdyskdz.sys [?]

S2 dfsltrdv; de filtro de tráfego IPMonitor;c:\windows\System32\svchost.exe -k netsvcs [4/8/2004 00:45 14336]

S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [4/9/2010 17:42 136176]

S2 obytvl;Shell Boot;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 00:45 14336]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\arquivos de programas\AVG\AVG9\Toolbar\ToolbarBroker.exe [6/9/2010 11:35 431432]

S3 GoogleDesktopManager-051210-111108;Gerenciador do Google Desktop 5.9.1005.12335;c:\arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe [7/2/2010 14:53 30192]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [16/7/2009 09:51 264576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

dfsltrdv

obytvl

Conteúdo da pasta 'Tarefas Agendadas'

2010-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-09-04 20:42]

2010-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-09-04 20:42]

2010-09-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-1060284298-725345543-1003.job

c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-06-03 06:02]

2010-09-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-1060284298-725345543-1003.job

c:\arquivos de programas\Real\RealUpgrade\realupgrade.exe [2010-06-03 06:02]

------- Scan Suplementar -------

uStart Page = hxxp://www.google.com.br/

uInternet Settings,ProxyServer = 192.168.10.160

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\arquivos de programas\AVG\AVG9\Toolbar\IEToolbar.dll

FF - ProfilePath - c:\documents and settings\Jones\Dados de aplicativos\Mozilla\Firefox\Profiles\sb2s2u71.default\

FF - component: c:\arquivos de programas\AVG\AVG9\Firefox\components\avgssff.dll

FF - component: c:\documents and settings\All Users\Dados de aplicativos\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - ORFÃOS REMOVIDOS - - - -

BHO-{DF073803-6E52-459A-8EBD-CBBE7960C6C4} - c:\windows\system32\dlodf.dll

HKCU-Run-grcnxto - c:\windows\system32\uva81xsty8.exe

HKCU-Run-abgchdy - c:\windows\system32\o1f703m0nd.exe

HKCU-Run-abrhi3y - c:\windows\system32\86m81yj.exe

HKLM-Run-DrvIcon - c:\arquivos de programas\Vista Drive Icon\DrvIcon.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-13 20:59

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\obytvl]

"ServiceDll"="c:\windows\system32\pombaii.dll"

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

------------------------ Outros Processos em Execução ------------------------

c:\arquivos de programas\AVG\AVG9\avgchsvx.exe

c:\arquivos de programas\AVG\AVG9\avgrsx.exe

c:\arquivos de programas\AVG\AVG9\avgcsrvx.exe

c:\firebird\bin\fbguard.exe

c:\arquivos de programas\Arquivos comuns\Protexis\License Service\PsiService_2.exe

c:\arquivos de programas\AVG\AVG9\avgnsx.exe

c:\windows\system32\wdfmgr.exe

c:\firebird\bin\fbserver.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

**************************************************************************

Tempo para conclusão: 2010-09-13 21:01:36 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-09-14 00:01

Pré-execução: 29 pasta(s) 52.816.535.552 bytes disponíveis

Pós execução: 32 pasta(s) 53.472.706.560 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- End Of File - - 7A90D29AE3C480A65FADF53F598AE1A5

wings· 14 de set.

*Abra o bloco de notas e cole nele o código abaixo:

File::c:\windows\system32\drivers\lxdyskdz.sys

c:\windows\system32\pombaii.dll

FileLook::

c:\windows\system32\dloDF.tmp

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7559:TCP"=-

NetSvc::

obytvl

dfsltrdv

Driver::

obytvl

dfsltrdv

*Salve o arquivo no desktop como CFScript.txt

*Arraste o arquivo para o Combofix conforme ilustração abaixo:

/applications/core/interface/imageproxy/imageproxy.php?img=http://e.imagehost.org/0616/CFScript.gif&key=995821588d89147a56f11f5fac3fa9589d8f9b036ce5e2e1e08b37718477c6a9" alt="CFScript.gif" />

*Importante: enquanto o combofix estiver em execução, evite usar o mouse e o teclado!!..para interromper o processo tecle N ou 2.

*Cole o relatório C:\combofix.txt

astronautalouco· 17 de set.

ComboFix 10-09-13.01 - Jones 17/09/2010 10:54:58.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1917.1289 [GMT -3:00]

Executando de: c:\documents and settings\Jones\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Jones\Desktop\CFScript.tx.txt

AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\system32\drivers\lxdyskdz.sys"

"c:\windows\system32\pombaii.dll"

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Legacy_DFSLTRDV

-------\Legacy_OBYTVL

-------\Service_dfsltrdv

-------\Service_obytvl

(((((((((((((((( Arquivos/Ficheiros criados de 2010-08-17 to 2010-09-17 ))))))))))))))))))))))))))))

2010-09-17 02:16 . 2010-09-17 02:16 -------- d-----w- c:\windows\system32\KB905474

2010-09-16 12:34 . 2010-09-16 12:34 -------- d-----w- c:\arquivos de programas\MSXML 6.0

2010-09-16 12:32 . 2010-09-16 12:32 -------- d-----w- c:\windows\ServicePackFiles

2010-09-16 02:43 . 2008-06-14 17:59 272384 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-09-16 02:43 . 2008-06-14 17:59 272384 ------w- c:\windows\system32\drivers\bthport.sys

2010-09-16 02:42 . 2010-02-16 19:33 2185600 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-09-16 02:42 . 2010-02-16 19:33 2141184 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-09-16 02:42 . 2010-02-16 19:33 2062592 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-09-16 02:42 . 2010-02-16 19:32 2020864 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-09-16 02:24 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-09-16 01:57 . 2010-09-16 01:57 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight

2010-09-15 21:17 . 2010-09-17 02:15 -------- d--h--w- c:\windows\$hf_mig$