Archived

This topic has been archived and is closed to new replies.

V for Vendetta

[Archived] Windows Stuck on the Desktop Screen


I noticed that my MSN was sending a file to all of my contacts:

images.zip, together with a message in English.

I tried to remove the likely files by searching through msconfig and the registry.

After that I tried to install Hoopaa (it doesn't let you open pages in Firefox or Internet Explorer), the typical kind of program that watches which sites are visited and blocks them.

But the installation froze. After rebooting, it stayed on the desktop screen and nothing else. No taskbar, no icons, nothing.

I can still browse and open programs, all through Task Manager.

I'd like you to analyze my LOG.

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 14:41:36, on 24/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\mysql\bin\mysqld-max.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\instalações\limpeza\NoLop.exe

C:\WINDOWS\explorer.exe

C:\instalações\limpeza\hijackthis\HiJackThis_v2.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

F2 - REG:system.ini: Shell=

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdmcks.dll

O4 - HKLM\..\Run: [super Plug 2007] C:\SUPEREMPRESA\PROGRAMA\SuperPlug.exe

O4 - HKLM\..\Run: [sSC Service Utility] C:\Arquivos de programas\SSC Service Utility\ssc_serv.exe /s

O4 - HKLM\..\Run: [Firebird 1.5] C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe -a

O4 - HKLM\..\Run: [bag_load] C:\WINDOWS\system32\bag_load.exe

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\MSCONFIG.EXE /auto

O4 - HKLM\..\RunServices: [Microsoft Windows Updater] WINUPDATE.EXE

O4 - HKCU\..\Run: [Cobian Backup 8] "C:\Arquivos de programas\Cobian Backup 8\Cobian.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\2p0mr8z0.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles/2p0mr8z0.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: MySQL.lnk = C:\MySQL\bin\winmysqladmin.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Descarga selecionada pelo Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Descarregar com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dllink.htm

O8 - Extra context menu item: Descarregar tudo com Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlall.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: ComQuest Memo-Rex - {1C23E480-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\memorex.exe

O9 - Extra 'Tools' menuitem: Memo-Rex - {1C23E480-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\memorex.exe

O9 - Extra button: Agenda de compromissos do Memo-Rex - {1C23E481-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchtasks.exe

O9 - Extra 'Tools' menuitem: Compromissos - {1C23E481-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchtasks.exe

O9 - Extra button: Agenda de contatos do Memo-Rex - {1C23E482-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchcontacts.exe

O9 - Extra 'Tools' menuitem: Contatos - {1C23E482-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchcontacts.exe

O9 - Extra button: Bloco de anotações do Memo-Rex - {1C23E483-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchnotes.exe

O9 - Extra 'Tools' menuitem: Anotações - {1C23E483-C9EF-11D7-B5C2-00010252D526} - C:\Arquivos de programas\ComQuest\Memo-Rex\bin\launchnotes.exe

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Arquivos de programas\Paltalk Messenger\Paltalk.exe

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-max.exe

 

--

End of file - 8833 bytes

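The log above carries a handful of entries a practitioner would triage before anything else: the empty Winlogon Shell value (the `F2 - REG:system.ini: Shell=` line), which on its own is consistent with a desktop that shows wallpaper but no taskbar or icons, because nothing is started as the shell; the Internet Explorer proxy pointed at 127.0.0.1:8081, which can be a local web filter or malware intercepting traffic; and the RunServices entry that calls itself "Microsoft Windows Updater" but launches a bare WINUPDATE.EXE with no path. As an added example (not part of the original post and not HijackThis's own code), the Python script below parses such lines and flags them with those heuristics. The sample input is a subset of the log copied from this thread; the rules are the example's own.

```python
"""Triage of a HijackThis log: flag the entries worth a second look.

Added example for this thread, not part of HijackThis or of the original
post.  The heuristics are this example's own; the sample lines are a
subset copied from the log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [bag_load] C:\WINDOWS\system32\bag_load.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] WINUPDATE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-max.exe
"""

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A command that names a drive ("C:\..." or "\"C:\...") is resolved
# unambiguously; anything else is looked up along the search path.
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:[\\/]')


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, carrying every reason that fired."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: list[str] = []

        m = PROXY_RE.match(line)
        if m and m["proxy"].startswith(("127.", "localhost")):
            # Both web filters and traffic-intercepting malware hook IE this
            # way; the next step is to find the process listening on the port.
            reasons.append("IE proxy points at a loopback port; identify the listener")

        m = SHELL_RE.match(line)
        if m and not m["shell"].strip():
            # Blank Winlogon Shell value: nothing (not even explorer.exe) is
            # started as the shell at logon -> wallpaper, no taskbar, no icons.
            reasons.append("empty Winlogon Shell value; no shell is started at logon")

        m = O4_RE.match(line)
        if m:
            key = m["loc"].rsplit("\\", 1)[-1]
            name, cmd = m["name"], m["cmd"]
            if key == "RunServices":
                # Windows 9x-era key; XP-era software almost never uses it.
                reasons.append("autorun under the legacy RunServices key")
            if not FULL_PATH_RE.match(cmd):
                reasons.append("launch command has no full path")
            if (re.search(r"microsoft|windows updat", name, re.I)
                    and "microsoft" not in cmd.lower()
                    and not cmd.lower().lstrip('"').startswith("c:\\windows")):
                # Claims to be a Windows component but the binary lives neither
                # under Windows nor in a Microsoft program directory.
                reasons.append("entry name impersonates a Windows component")

        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample above the script flags exactly three lines (the proxy, the Shell value and the WINUPDATE.EXE entry) and leaves the Kaspersky, ctfmon and bag_load entries alone. A bare filename like WINUPDATE.EXE is only the symptom; on the box itself the next check is `dir /s /a WINUPDATE.EXE` from the drive root to see where the binary actually sits, and `netstat -ano` to see which process owns the loopback proxy port.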

Hey V for Vendetta,

 

Download ComboFix from:

ComboFix

 

1) Double-click combofix.exe and press "Y" to proceed. The process takes about 10 minutes on average;

2) ComboFix will restart the PC automatically so that the removal process can finish (only if there is an infection);

3) When the scan finishes, a log will be generated at C:\ComboFix.txt;

4) Do not click on the ComboFix window or close it with the X while the tool is running, as this will mess up your desktop (it will go completely white);

5) To stop or quit ComboFix, press "N";

6) I need you to paste the contents of ComboFix.txt in your next reply.

 

Regards.


Hi, Jgarcia.

 

I did as you said:

 

Downloaded it, ran it, it rebooted.

 

It came back to Windows with the same problem.

 

I went to C:\ComboFix and found combofix.txt.

 

Inside it there is only 1 line:

 

"Administrador" - 2007-07-25 9:39:38 [GMT -3:00] - ComboFix 07-07-24 - Service Pack 2 NTFS

 

Is that really all? I ran it without being in Safe Mode.

 

Waiting for your reply.

 

=====

 

Hi, I edited the message because I ran the program again.

 

Now it worked: it didn't reboot, and my PC went back to how it was before.

 

THANK YOU VERY MUCH

 

Below, in order:

 

Combofix.txt

Nolop.log

ComboFix-quarantined-files.txt

 

Regards

 

"Administrador" - 2007-07-25 10:09:59 [GMT -3:00] - ComboFix 07-07-24 - Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))

 

 

2007-07-25 09:38 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-24 17:54 <DIR> d-------- C:\VundoFix Backups

2007-07-24 14:35 <DIR> d-------- C:\NoLopBackups

2007-07-24 14:30 132 --a------ C:\delete.bat

2007-07-24 13:33 <DIR> d-------- C:\!KillBox

2007-07-24 11:52 145,408 --a------ C:\WINDOWS\system32\MSCONFIG.EXE

2007-07-24 11:29 <DIR> d-------- C:\Hoopaa

2007-07-24 11:29 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Thraex Software

2007-07-23 17:53 <DIR> d-------- C:\Arquivos de programas\Trend Micro

2007-07-22 17:26 17,408 --a------ C:\WINDOWS\system32\cymdda.dll

2007-07-22 14:25 61,952 --a------ C:\DOCUME~1\ADMINI~1\new2.exe

2007-07-22 14:24 17,408 --a------ C:\WINDOWS\system32\msnt.dll

2007-07-22 13:50 61,952 --a------ C:\DOCUME~1\ADMINI~1\asdf.exe

2007-07-22 13:47 17,408 --a------ C:\WINDOWS\system32\rsshost.dll

2007-07-20 15:51 63,961 --a------ C:\DOCUME~1\ADMINI~1\pf.exe

2007-07-16 14:53 36,864 --a------ C:\WINDOWS\system32\EPLPUX02.EXE

2007-07-16 14:53 182 --a------ C:\WINDOWS\system32\EBPPORT.DAT

2007-07-14 02:53 94,613 --a------ C:\WINDOWS\adasd.exe

2007-07-13 00:27 183,296 --a------ C:\WINDOWS\system32\uds.exe

2007-07-13 00:22 183,296 --a------ C:\WINDOWS\system32\ud.exe

2007-07-13 00:20 183,296 --a------ C:\DOCUME~1\ADMINI~1\ud.exe

2007-07-12 14:48 125,526 --a------ C:\WINDOWS\system32\lkadjas.exe

2007-07-12 12:21 125,526 --a------ C:\WINDOWS\system32\asdh.exe

2007-07-11 21:06 125,526 --a------ C:\WINDOWS\system32\skdaj.exe

2007-07-10 12:58 228 --a------ C:\n.bat

2007-07-05 17:01 <DIR> d-------- C:\Arquivos de programas\Vale Transporte

2007-07-05 10:31 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat

2007-07-05 10:31 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-25 13:15:24 30,634,272 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2007-07-25 13:09:39 1,199,392 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

2007-07-25 12:48:23 417,116 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2007-07-25 12:48:23 120,752 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2007-07-24 20:52:53 -------- d-----w C:\Arquivos de programas\Mastercx

2007-07-24 20:31:34 -------- d-----w C:\Arquivos de programas\Mozilla Thunderbird

2007-07-24 20:20:27 -------- d-----w C:\Arquivos de programas\Cia. do Software

2007-07-24 18:02:29 -------- d-----w C:\Arquivos de programas\Bonus

2007-07-24 17:03:20 -------- d-----w C:\DOCUME~1\ADMINI~1\DADOSD~1\Free Download Manager

2007-07-24 14:45:12 -------- d-----w C:\Arquivos de programas\Windows Live Toolbar

2007-07-24 14:29:18 -------- d-----w C:\DOCUME~1\ADMINI~1\DADOSD~1\uTorrent

2007-07-24 13:43:11 -------- d-----w C:\Arquivos de programas\GbPlugin

2007-07-23 12:26:19 -------- d-----w C:\Arquivos de programas\Promob 4i Bentec Modullare

2007-07-21 21:44:43 -------- d-----w C:\Arquivos de programas\ProMOB 4i Arvy

2007-07-16 18:29:55 -------- d-----w C:\Arquivos de programas\SSC Service Utility

2007-07-16 18:14:20 -------- d-----w C:\Arquivos de programas\EPSON

2007-07-06 13:20:28 966,144 ----a-w C:\WINDOWS\system32\winswag.exe

2007-07-05 18:42:20 -------- d-----w C:\Arquivos de programas\Agenda Digital 1.0

2007-07-05 13:47:29 1,353,216 ----a-w C:\WINDOWS\system32\winswblib.dll

2007-06-23 12:12:53 -------- d-----w C:\Arquivos de programas\MySQL-Front

2007-06-22 20:12:19 -------- d-----w C:\Arquivos de programas\MSN Plus! Live

2007-06-22 20:12:18 -------- d-----w C:\Arquivos de programas\Windows Live

2007-06-22 20:12:18 -------- d-----w C:\Arquivos de programas\MSN Messenger

2007-06-09 19:56:38 256,000 ----a-w C:\WINDOWS\system32\winswag.dat

2007-06-05 15:18:07 -------- d-----w C:\Arquivos de programas\Cobian Backup 8

2007-06-05 14:57:12 -------- d-----w C:\Arquivos de programas\Sayz Me

2007-06-05 14:55:43 -------- d-----w C:\Arquivos de programas\Arquivos comuns\XPressUpdate

2007-06-05 14:55:01 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2007-06-05 14:54:04 -------- d-----w C:\Arquivos de programas\Hewlett-Packard

2007-06-05 14:52:30 -------- d-----w C:\Arquivos de programas\eMule

2007-06-05 14:51:06 -------- d-----w C:\Arquivos de programas\Yahoo!

2007-06-05 14:50:33 -------- d-----w C:\Arquivos de programas\Apple Software Update

2007-06-05 14:48:28 -------- d-----w C:\Arquivos de programas\Investintech.com Inc

2007-06-05 14:47:41 -------- d-----w C:\Arquivos de programas\Lavasoft

2007-06-05 14:47:40 -------- d-----w C:\DOCUME~1\ADMINI~1\DADOSD~1\Lavasoft

2007-06-02 16:28:39 1,349,632 ----a-w C:\WINDOWS\system32\__winswblib.dll

2007-05-29 17:58:46 -------- d-----w C:\Arquivos de programas\Arquivos comuns\snpstd

2007-05-26 18:21:10 -------- d-----w C:\Arquivos de programas\MSECache

2007-05-26 17:40:41 -------- d-----w C:\DOCUME~1\ADMINI~1\DADOSD~1\Skype

2007-05-24 20:52:25 31,132 ----a-w C:\clown.dll

2007-05-18 17:33:42 31,132 ----a-w C:\WINDOWS\system32\clown.dll

2006-11-04 13:17:01 774,144 ----a-w C:\Arquivos de programas\RngInterstitial.dll

2006-05-19 14:49:34 469 ----a-w C:\Arquivos de programas\INSTALL.LOG

2005-04-07 18:47:32 548,864 --sh--r C:\WINDOWS\system32\adasoftw.exe

2004-10-22 11:44:49 56 --sh--r C:\WINDOWS\system32\E4DAC76CDB.sys

2005-04-07 18:47:32 1,334,272 --sh--r C:\WINDOWS\system32\JavaMV.exe

2006-02-11 11:30:37 2,620 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2005-04-07 18:47:32 816,128 --sh--r C:\WINDOWS\system32\redrock.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Super Plug 2007"="C:\SUPEREMPRESA\PROGRAMA\SuperPlug.exe" [2007-02-14 09:46]

"SSC Service Utility"="C:\Arquivos de programas\SSC Service Utility\ssc_serv.exe" [2006-01-26 08:59]

"Firebird 1.5"="C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe" [2006-01-17 00:05]

"AVP"="C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 20:50]

"Microsoft"="JavaMV.exe" [2005-04-07 15:47 C:\WINDOWS\system32\JavaMV.exe]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cobian Backup 8"="C:\Arquivos de programas\Cobian Backup 8\Cobian.exe" [2007-03-21 00:35]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

"FFTI"=C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\2p0mr8z0.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles/2p0mr8z0.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

"NoLop"=C:\instalações\limpeza\NoLop.exe

"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"Microsoft Windows Updater"=WINUPDATE.EXE

"Microsoft"=JavaMV.exe

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

MySQL.lnk - C:\MySQL\bin\winmysqladmin.exe [2005-10-08 11:52:22]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"NoDispCPL"=0 (0x0)

"NoDispAppearancePage"=0 (0x0)

"NoDispBackgroundPage"=0 (0x0)

"NoDispScrSavPage"=0 (0x0)

"NoDispSettingsPage"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

@=DisableTaskMgr

"NoDispCPL"=0 (0x0)

"NoDispAppearancePage"=0 (0x0)

"NoDispBackgroundPage"=0 (0x0)

"NoDispScrSavPage"=0 (0x0)

"NoDispSettingsPage"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"DisableCurrentUserRun"=0 (0x0)

"DisableLocalMachineRun"=0 (0x0)

"NoToolbarCustomize"=0 (0x0)

"NoBandCustomize"=0 (0x0)

"LockTaskbar"=0 (0x0)

"NoPropertiesMyComputer"=0 (0x0)

"NoToolbarsOnTaskbar"=0 (0x0)

"NoTrayItemsDisplay"=0 (0x0)

"StartMenuLogoff"=0 (0x0)

@=

"NoUserNameInStartMenu"=0 (0x0)

"NoStartMenuPinnedList"=0 (0x0)

"NoStartMenuMFUprogramsList"=0 (0x0)

"NoStartMenuMorePrograms"=0 (0x0)

"NoFavoritesMenu"=0 (0x0)

"NoFind"=0 (0x0)

"NoRecentDocsMenu"=0 (0x0)

"NoRun"=0 (0x0)

"NoClose"=0 (0x0)

"NoSetActiveDesktop"=0 (0x0)

"NoSMHelp"=0 (0x0)

"NoWindowsUpdate"=0 (0x0)

"NoViewContextMenu"=0 (0x0)

"NoTrayContextMenu"=0 (0x0)

"NoChangeStartMenu"=0 (0x0)

"NoSetTaskbar"=0 (0x0)

"NoWinKeys"=0 (0x0)

"NoViewOnDrive"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoToolbarCustomize"=0 (0x0)

"NoBandCustomize"=0 (0x0)

"LockTaskbar"=0 (0x0)

"NoPropertiesMyComputer"=0 (0x0)

"NoToolbarsOnTaskbar"=0 (0x0)

"NoTrayItemsDisplay"=0 (0x0)

"StartMenuLogoff"=0 (0x0)

@=

"NoUserNameInStartMenu"=0 (0x0)

"NoStartMenuPinnedList"=0 (0x0)

"NoStartMenuMFUprogramsList"=0 (0x0)

"NoStartMenuMorePrograms"=0 (0x0)

"NoFavoritesMenu"=0 (0x0)

"NoRecentDocsMenu"=0 (0x0)

"NoClose"=0 (0x0)

"NoSetActiveDesktop"=0 (0x0)

"NoSMHelp"=0 (0x0)

"NoViewContextMenu"=0 (0x0)

"NoTrayContextMenu"=0 (0x0)

"NoChangeStartMenu"=0 (0x0)

"NoSetTaskbar"=0 (0x0)

"NoWinKeys"=0 (0x0)

"NoViewOnDrive"=0 (0x0)

"ForceClassicControlPanel"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Arquivos de programas\GbPlugin\gbieh.dll [2007-06-25 09:24 332616]

"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\WINDOWS\Downloaded Program Files\gbiehabn.dll [2007-01-10 13:08 222392]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^iexplore.exe]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^ImageFox.lnk]

backup=C:\WINDOWS\pss\ImageFox.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Acrobat Assistant.lnk]

backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^PalStart.lnk]

backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Utility Tray.lnk]

backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_CC]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClockSync]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DStartup]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Updater]

WINUPDATE.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSsoft A-ware Clean]

nsvsef.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxMoniter]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winserver]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"System Event"=2 (0x2)

"abba"=2 (0x2)

"UPHClean"=2 (0x2)

"usnsvc"=3 (0x3)

"sdCoreService"=3 (0x3)

"sdAuxService"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"usnjsvc"=3 (0x3)

"TrackMSN"=2 (0x2)

"Secure"=2 (0x2)

"r_server"=2 (0x2)

"ose"=3 (0x3)

"MSpack"=2 (0x2)

"MDM"=2 (0x2)

"idsvc"=3 (0x3)

"GbpSv"=2 (0x2)

"Adobe LM Service"=3 (0x3)

 

R0 uagp35;Filtro Microsoft AGPv3.5;C:\WINDOWS\system32\DRIVERS\uagp35.sys

R2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe

R2 rspndr;Respondente de Descoberta de Topologia de Camada de Link;C:\WINDOWS\system32\DRIVERS\rspndr.sys

R3 Eplpdx02;Eplpdx02;\??\C:\WINDOWS\system32\Drivers\EPLPDX02.SYS

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys

R3 HidUsb;Driver de classe HID da Microsoft;C:\WINDOWS\system32\DRIVERS\hidusb.sys

R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys

S3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS

S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys

S3 BridgeMP;Miniporta de ponte MAC;C:\WINDOWS\system32\DRIVERS\bridge.sys

S3 CA561;VideoCAM Express V2;C:\WINDOWS\system32\Drivers\SPCA561.SYS

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

S3 ip6fw;Driver de IPv6 do Firewall do Windows;C:\WINDOWS\system32\drivers\ip6fw.sys

S3 ndiscm;Motorola USB Cable Modem Windows Driver;C:\WINDOWS\system32\DRIVERS\NetMotCM.sys

S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1);C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS

S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys

S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys

S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys

S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys

S3 USBCM;Scientific-Atlanta USB Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\Sacm2A.sys

S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys

S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

S3 usbscan;USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys

S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

S4 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

 

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-25 10:15:10

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-25 10:16:59

C:\ComboFix-quarantined-files.txt ... 2007-07-25 10:16

 

--- E O F ---

 

 

===

Now the Nolop.log

 

NoLop! Log by Skate_Punk_21

 

Fix running from: C:\Arquivos de programas\Mozilla Firefox

[24/07/2007]

[14:30:30]

 

---Infection Files Found/Removed---

C:\WINDOWS\tasks\A27A79E091F1F178.job

 

Beginning Removal...

Rebooting...

Removing Lop's Leftover Files/Folders...

Editing Registry...

**Fix Complete!**

 

---Listing AppData sub directories---

 

C:\Documents and Settings\Administrador\Application Data\Microsoft

 

 

====

Now the ComboFix-quarantined-files.txt

 

2000-11-13 12:13    262144  --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\FtpX.DLL.vir
2005-08-02 18:08     61440  --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\WanPacket.dll.vir
2005-08-02 18:08     81920  --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir
2005-08-02 18:10     32512  --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2005-08-02 18:18    233472  --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2006-03-24 12:41        53  --a------  C:\Qoobox\Quarantine\C\WINDOWS\url.ini.vir
2006-06-06 07:07        35  --a------  C:\Qoobox\Quarantine\C\Arquivos de programas\Download Plugin\DlPlugin-Moz\vendor.txt.vir
2006-12-05 11:17        20  --a------  C:\Qoobox\Quarantine\C\Arquivos de programas\Download Plugin\DlPlugin-Moz\buddy.dat.vir
2007-07-25 09:45      1032  --a------  C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf
2007-07-25 09:45      2404  --a------  C:\Qoobox\Quarantine\Registry_backups\services_NPF.reg.cf

Folder PATH listing
Volume serial number is A434-3829
C:\QOOBOX
\---Quarantine
    +---C
    |   +---Arquivos de programas
    |   |   \---Download Plugin
    |   |       \---DlPlugin-Moz
    |   |               buddy.dat.vir
    |   |               vendor.txt.vir
    |   |
    |   \---WINDOWS
    |       |   url.ini.vir
    |       |
    |       \---system32
    |           |   FtpX.DLL.vir
    |           |   Packet.dll.vir
    |           |   WanPacket.dll.vir
    |           |   wpcap.dll.vir
    |           |
    |           \---drivers
    |                   npf.sys.vir
    |
    \---Registry_backups
            LEGACY_NPF.reg.cf
            services_NPF.reg.cf

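The ComboFix listing above shows a pattern worth pointing out. Three 17,408-byte DLLs (cymdda.dll, msnt.dll, rsshost.dll), three 183,296-byte EXEs (ud.exe twice, uds.exe), three 125,526-byte EXEs (lkadjas.exe, asdh.exe, skdaj.exe) and two 61,952-byte EXEs (new2.exe, asdf.exe) were dropped into system32 or the user profile over a few days, with keyboard-mash names; identical sizes under different names are a strong hint that they are copies of one dropper. Separately, three EXEs in system32 carry the hidden+system attributes and an identical 2005 timestamp (adasoftw.exe, JavaMV.exe, redrock.exe), and JavaMV.exe is exactly the binary the Run and RunServices keys launch under the name "Microsoft". As an added example (not ComboFix's code and not from the original post), the Python below parses this listing format and surfaces both patterns. The sample lines are a subset copied from the log above; the two heuristics are the example's own.

```python
"""Triage of a ComboFix file listing ("Files Created" and "Find3M" sections).

Added example for this thread, not ComboFix's own code and not from the
original post.  The sample lines are a subset copied from the log above;
the two heuristics (size clusters, hidden+system binaries) are this
example's own.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_LISTING = r"""
2007-07-25 09:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-24 14:35 <DIR> d-------- C:\NoLopBackups
2007-07-22 17:26 17,408 --a------ C:\WINDOWS\system32\cymdda.dll
2007-07-22 14:25 61,952 --a------ C:\DOCUME~1\ADMINI~1\new2.exe
2007-07-22 14:24 17,408 --a------ C:\WINDOWS\system32\msnt.dll
2007-07-22 13:50 61,952 --a------ C:\DOCUME~1\ADMINI~1\asdf.exe
2007-07-22 13:47 17,408 --a------ C:\WINDOWS\system32\rsshost.dll
2007-07-13 00:27 183,296 --a------ C:\WINDOWS\system32\uds.exe
2007-07-13 00:22 183,296 --a------ C:\WINDOWS\system32\ud.exe
2007-07-13 00:20 183,296 --a------ C:\DOCUME~1\ADMINI~1\ud.exe
2007-07-12 14:48 125,526 --a------ C:\WINDOWS\system32\lkadjas.exe
2007-07-12 12:21 125,526 --a------ C:\WINDOWS\system32\asdh.exe
2007-07-11 21:06 125,526 --a------ C:\WINDOWS\system32\skdaj.exe
2007-07-05 10:31 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-05 10:31 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-06 13:20:28 966,144 ----a-w C:\WINDOWS\system32\winswag.exe
2007-07-24 20:52:53 -------- d-----w C:\Arquivos de programas\Mastercx
2005-04-07 18:47:32 548,864 --sh--r C:\WINDOWS\system32\adasoftw.exe
2004-10-22 11:44:49 56 --sh--r C:\WINDOWS\system32\E4DAC76CDB.sys
2005-04-07 18:47:32 1,334,272 --sh--r C:\WINDOWS\system32\JavaMV.exe
2006-02-11 11:30:37 2,620 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-04-07 18:47:32 816,128 --sh--r C:\WINDOWS\system32\redrock.exe
"""

# timestamp (with or without seconds), size or <DIR> or dashes, attribute
# string, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attr>[a-z-]+)\s+(?P<path>\S.*)$"
)
BINARY_EXT = (".exe", ".dll")


@dataclass
class Entry:
    stamp: str
    size: Optional[int]   # None for directories
    attr: str             # ComboFix attribute string, e.g. "--sh--r"
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_binary(self) -> bool:
        return self.name.lower().endswith(BINARY_EXT)


def parse_listing(text: str) -> list[Entry]:
    """Parse the file lines of the Files Created / Find3M sections."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = int(m["size"].replace(",", "")) if m["size"][0].isdigit() else None
        entries.append(Entry(m["stamp"], size, m["attr"], m["path"]))
    return entries


def size_clusters(entries: list[Entry]) -> dict[int, list[str]]:
    """EXE/DLLs that share an exact byte size under different paths.

    A dropper that re-copies itself under random names keeps its size, so
    several same-size binaries created days apart usually mean one payload.
    Only binaries are clustered: data files (an AV's paired .dat files, for
    instance) legitimately come in equal sizes."""
    by_size: dict[int, list[str]] = defaultdict(list)
    for e in entries:
        if e.is_binary and e.size is not None:
            by_size[e.size].append(e.path)
    return {s: paths for s, paths in by_size.items() if len(paths) > 1}


def hidden_system_binaries(entries: list[Entry]) -> list[str]:
    """EXE/DLLs carrying both the hidden and the system attribute.

    Windows' own binaries under system32 rarely carry both; malware sets them
    so the files vanish from a default Explorer view."""
    return [e.path for e in entries if e.is_binary and "s" in e.attr and "h" in e.attr]


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    for size, paths in sorted(size_clusters(found).items()):
        print(f"{size:>10} bytes x{len(paths)}: " + ", ".join(paths))
    print("hidden+system binaries:", hidden_system_binaries(found))
```

Sizes are a hint, not proof: ComboFix lists no hashes, so the files should be hashed (or submitted to a scanner) before anything is deleted, and the .sys files with hidden+system attributes are deliberately left out because licensing components use the same attribute combination. The quarantine list in the same post is also telling: wpcap.dll, Packet.dll, WanPacket.dll and npf.sys are the WinPcap packet-capture library, legitimate software on its own but commonly bundled by IM worms and bots for sniffing; if the owner never installed WinPcap, its presence corroborates the infection.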

Hey V for Vendetta,

 

Let's go.

 

Set Windows to show all files (including hidden ones).

 

Step 1

 

Download Killbox from:

Killbox

 

1. Run Killbox and click Delete on Reboot.

 

2. Copy the list below (in bold) to the clipboard. Select it all with the mouse --> go to the Edit menu in the browser bar --> click Copy.

 

C:\WINDOWS\system32\cymdda.dll

C:\WINDOWS\system32\msnt.dll

C:\WINDOWS\system32\rsshost.dll

C:\WINDOWS\system32\clown.dll

C:\WINDOWS\system32\uds.exe

C:\WINDOWS\system32\ud.exe

C:\WINDOWS\system32\lkadjas.exe

C:\WINDOWS\system32\asdh.exe

C:\WINDOWS\system32\skdaj.exe

C:\WINDOWS\system32\adasoftw.exe

C:\WINDOWS\system32\JavaMV.exe

C:\WINDOWS\adasd.exe

C:\clown.dll

 

3. Go back to Killbox. Click File > Paste from clipboard. Click All Files.

 

4. Press the "X". Answer "No" to the question.

 

Step 2

 

Restart in Normal Mode.

 

Delete the contents of the C:\!Killbox folder.

 

Post new ComboFix and HijackThis logs.

 

I await your reply.

 

Regards.


Topic Archived

 

Since the author did not reply for more than 20 days, the topic has been archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of this section along with the link to this topic and explain the reason for reopening.
