Ir para conteúdo

POWERED BY:

Arquivado

Este tópico foi arquivado e está fechado para novas respostas.

tamires

[Arquivado]pc infectado n consigo abrir antivirus...

Recommended Posts

ola...semana passada meu pc comeco c umas esquisitices,...qd percebi n achei q fosse nd demais mas ag ta piorando...janelas do ie fecham sozinhas, do explorer tb. tentei reinstalar o AVG e nao consigo, tento executar o arquivo e n consigo! tento passar o panda e nada, e qd tento executar o hijackthis, tb n rola (so em modo de seguranca). analisando o log consegui remover alguns malwares, tb procurei na maquina arquivos estranhos e deletei. (um deles era o eraseme_*.exe, sendo q *eh um numero q ele gera randomicamente, pelo q pesquisei, deletei uns 3 desse)meu c: encheu de arkivos estranhos, deletei todos. so q um deles, sempre q deleto, abre uma tela do dos q cria ele de novo.nao sei mais o q fazer...qria saber se existe alguma solucao sem ser formatar a maquina...aguardo respostagratatamires

Compartilhar este post


Link para o post
Compartilhar em outros sites

Olá tamires! Faça o seguinte pra conseguir gerar um log em modo normal com o HijackThis:

 

Clique com o botão direito em cima do ícone do HijackThis e escolha: Renomear

 

Coloque então como nome > detonador

 

Tente então rodá-lo. Se não conseguir, apesar de não ser o ideal pois, vários processos não aparecem, gere um log em modo de segurança e poste.

Compartilhar este post


Link para o post
Compartilhar em outros sites

entei abrir o hijack mas nao consegui, mesmo mudando o nome, executei no modo de seguranca.

tipo, qd pesquiso na net algo sobre isso, a pagina do navegador fech qd tento abrir links q tenham a palavra "hijack", ou "antivirus" por exemplo. esse topico mesmo n consegui acessar, eu navegana no forum normalmente mas qd entrava no topico a janela fechava....tive q salva o log no meu mail p postar aki no servico hj.

 

valeu a ajuda

 

Logfile of HijackThis v1.99.1

Scan saved at 02:12:01, on 14/8/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\userinit.exe

C:\WINNT\Explorer.EXE

C:\TNT\TNT.exe

 

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe

O4 - HKLM\..\Run: [Windows Service Agccnt] sysinfo.exe

O4 - HKLM\..\Run: [Windows LoL Layer] gcol.exe

O4 - HKLM\..\Run: [systemms] C:\WINNT\system32\systemms.exe

O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe

O4 - HKLM\..\RunServices: [Windows Service Agccnt] sysinfo.exe

O4 - HKLM\..\RunServices: [Windows LoL Layer] gcol.exe

O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [ ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Windows Service Agccnt] sysinfo.exe

O4 - HKCU\..\Run: [Windows LoL Layer] gcol.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: ddd5fsk5vheca - Unknown owner - C:\WINNT\system32\svshost.exe

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exe

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

O23 - Service: Remote History Services - Unknown owner - C:\WINNT\system32\svshost.exe

O23 - Service: Remote TCPI Services - Unknown owner - C:\WINNT\system32\svshost.exe

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

Compartilhar este post


Link para o post
Compartilhar em outros sites

Faça o download do SDFix:

http://linhadefensiva.uol.com.br/dl/sdfix

 

Salve-o em sua área de trabalho. Dê um duplo clique no SDFix.exe e a ferramenta será instalada em %SystemDrive%\SDFix (geralmente C:\SDFix)

 

Reinicie o PC e aperte F8 intermitentemente. No menu escolha: modo seguro.

  1. Entre na pasta SDFix que foi instalada no seu computador e dê um duplo clique no arquivo RunThis.bat
  2. Tecle Y para que a ferramenta inicie o processo de remoção
  3. Quando tudo terminar, você verá um aviso dizendo para apertar qualquer tecla para continuar. Ao pressionar qualquer tecla, o computador será reiniciado automaticamente
  4. Após reiniciar, a ferramenta ainda será executada novamente e irá terminar o seu trabalho e a palavra Finished irá aparecer. Pressione qualquer tecla.
  5. Uma janela com o relatório do SDFix irá aparecer.
  6. Copie e cole este relatório na sua resposta. Caso você tenha fechado a janela, uma cópia do relatório estará na pasta SDFix com o nome Report.txt

Poste também um novo log do HijackThis gerado em modo normal.

Compartilhar este post


Link para o post
Compartilhar em outros sites

passei o sd fix e depois fui tentar passar o hijack em modo normal, mas não consegui, precisei passar em modo de seguranca tb.

tb não consegui abrir o topico do forum, tive q mandar os logs por email e consegui postar agora...

 

 

 

SDFIX

SDFix: Version 1.98Run by Tamires on seg 01/01/1601 at 0:05 Microsoft Windows 2000 [VersÆo 5.00.2195]Running From: C:\SDFixSafe Mode:Checking Services: Name:Remote TCPI ServicesImagePath:"C:\WINNT\system32\svshost.exe" Remote TCPI Services - Deleted Restoring Windows Registry ValuesRestoring Windows Default Hosts FileRebooting...Normal Mode:Checking Files: Trojan Files Found:C:\WINNT\SYSTEM32\SMMSS.EXE - DeletedC:\WINNT\SYSTEM32\WINDSE~1.EXE - DeletedC:\WINNT\SYSTEM32\WINSECVP.EXE - DeletedC:\WINNT\system32\eraseme_02847.exe - DeletedC:\WINNT\system32\eraseme_03827.exe - Deleted C:\WINNT\system32\helperam1.exe  - DeletedC:\WINNT\system32\i  - DeletedC:\WINNT\system32\o  - DeletedC:\WINNT\system32\svshost.exe  - DeletedC:\WINNT\system32\sysinfo.exe  - DeletedC:\WINNT\system32\TFTP1416  - Deleted C:\WINNT\system32\TFTP1484  - DeletedC:\WINNT\system32\TFTP484  - Deleted Removing Temp Files...ADS Check:C:\WINNTNo streams found. C:\WINNT\system32No streams found. C:\WINNT\system32\svchost.exeNo streams found. C:\WINNT\system32\ntoskrnl.exeNo streams found. 								 Final Check:Remaining Services:------------------ Remaining Files:---------------C:\WINNT\system32\o  FoundBackups Folder: - C:\SDFix\backups\backups.zipFiles with Hidden Attributes:C:\WINNT\system32\msgmgrs.exeC:\WINNT\system32\ovwygsx.exeC:\WINNT\system32\pttryjxd.exeC:\WINNT\system32\vodw.exeC:\WINNT\system32\Wins.exeC:\WINNT\system32\wvtreiro.exeC:\WINNT\system32\xzpu.exe C:\WINNT\system32\dllcache\mlqm.exeC:\WINNT\system32\drivers\rndismpk.sysC:\WINNT\system32\drivers\usb8023k.sys								 Finished

 

hijack

Logfile of HijackThis v1.99.1Scan saved at 01:39:54, on 1/1/1601Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\userinit.exeC:\WINNT\Explorer.EXEC:\TNT\TNT.exeO4 - HKLM\..\Run: [CountrySelection] pctptt.exeO4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exeO4 - HKLM\..\Run: [Internets] C:\WINNT\system32\Wins.exe O4 - HKLM\..\Run: [Windows Service Agccnt] sysinfo.exeO4 - HKLM\..\Run: [systemms] C:\WINNT\system32\systemms.exeO4 - HKLM\..\Run: [Microsoft AntiVirus Update Engine] taskmgrs.exeO4 - HKLM\..\Run: [Windows LoL Layer] gcol.exeO4 - HKLM\..\RunServices: [Internets] C:\WINNT\system32\Wins.exeO4 - HKLM\..\RunServices: [Windows Service Agccnt] sysinfo.exeO4 - HKLM\..\RunServices: [Microsoft AntiVirus Update Engine] taskmgrs.exeO4 - HKLM\..\RunServices: [Windows LoL Layer] gcol.exeO4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exeO4 - HKCU\..\Run: [Windows Service Agccnt] sysinfo.exeO4 - HKCU\..\Run: [Microsoft AntiVirus Update Engine] taskmgrs.exeO4 - HKCU\..\Run: [Windows LoL Layer] gcol.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO23 - Service: ddd5fsk5vheca - Unknown owner - C:\WINNT\system32\svshost.exe (file missing) O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exe O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exeO23 - Service: Remote History Services - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing) O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

Compartilhar este post


Link para o post
Compartilhar em outros sites

Ok, é uma infecção grande por bots. Baixe:

 

KillBox

EliTriip

 

No final da página clique no botão Descargar EliTriip.

 

Copie e salve no Bloco de notas este texto em azul:

 

C:\WINNT\system32\o

C:\WINNT\system32\systemms.exe

C:\WINNT\system32\taskmgrs.exe

C:\WINNT\system32\sysinfo.exe

C:\WINNT\system32\gcol.exe

C:\WINNT\system32\msgmgrs.exe

C:\WINNT\system32\ovwygsx.exe

C:\WINNT\system32\pttryjxd.exe

C:\WINNT\system32\vodw.exe

C:\WINNT\system32\wvtreiro.exe

C:\WINNT\system32\xzpu.exe

 

Salve ou imprima estas instruções:

 

1 - Copie o texto que salvou no bloco de notas. Rode o KillBox e marque Delete on Reboot, no menu File clique em Paste from Clipboard.

Depois clique no botão All Files.

 

Clique no botão killbox.png. Responda Sim à pergunta.

 

Ao reiniciar o PC, aperte F8 intermitentemente. No menu escolha: modo seguro.

 

2 - Faça um scan com o HijackThis, marque as entradas abaixo, que ainda encontrar e clique em ht-fix.png

 

O4 - HKLM\..\Run: [Windows Service Agccnt] sysinfo.exe

 

O4 - HKLM\..\Run: [systemms] C:\WINNT\system32\systemms.exe

 

O4 - HKLM\..\Run: [Microsoft AntiVirus Update Engine] taskmgrs.exe

 

O4 - HKLM\..\Run: [Windows LoL Layer] gcol.exe

 

O4 - HKLM\..\RunServices: [Windows Service Agccnt] sysinfo.exe

 

O4 - HKLM\..\RunServices: [Microsoft AntiVirus Update Engine] taskmgrs.exe

 

O4 - HKLM\..\RunServices: [Windows LoL Layer] gcol.exe

 

O4 - HKCU\..\Run: [Windows Service Agccnt] sysinfo.exe

 

O4 - HKCU\..\Run: [Microsoft AntiVirus Update Engine] taskmgrs.exe

 

O4 - HKCU\..\Run: [Windows LoL Layer] gcol.exe

 

3 - Vá em Iniciar > Executar > digite: services.msc e clique em OK.

 

Procure o serviço ddd5fsk5vheca, clique em cima com o direito e depois em Propriedades.

 

Coloque o Tipo de Inicialização como desativado.

 

Faça o mesmo com esse:

 

Remote History Services

 

4 - Abra o HijackThis e clique no botão Open the Misc Tools section e depois em Delete an NT service.

 

Coloque isto: ddd5fsk5vheca

 

Clique em OK. Não reinicie o PC

 

Coloque agora:

 

Remote History Services

 

Clique em OK. Não reinicie o PC

 

5 - Rode o EliTriip e aguarde o scan terminar.

 

Ao final será gerado um log que encontrará em C:\infoSat.txt

 

6 - Reinicie em modo normal e localize se existe na pasta dllcache este arquivo: wins.exe

 

C:\WINNT\system32\dllcache <<< nesta pasta

 

É um arquivo legítimo e quero apenas a informação se o tem nesta pasta, para possível substituição, pois o malware pode ter infectado o legítimo que está no diretório System32.

 

7 - Acesse http://virusscan.jotti.org/

 

No site, na caixa Procurar, cole esta linha abaixo:

 

C:\WINNT\system32\wins.exe

 

Clique em Submit e aguarde o resultado da análise aparecer e salve.

 

Faça o mesmo com esses (um de cada vez):

 

C:\WINNT\system32\dllcache\mlqm.exe

 

C:\WINNT\system32\drivers\rndismpk.sys

 

C:\WINNT\system32\drivers\usb8023k.sys

 

8 - Veja se consegue agora rodar o HijackThis em modo normal (se não rode-o em modo de segurança) e salvar o log.

 

Poste:

 

infoSat.txt

log do HijackThis

resultados das análises no Jotti

 

Informe se localizou o wins.exe na dllcache.

 

.

Compartilhar este post


Link para o post
Compartilhar em outros sites

oienao to conseguindo rodar o EliTriip.mas acho q eh erro nele mesmo,diz q o windows n c0onseguiu rodar e fecha.sera o arkivo q usei ta errado?baixei trez vezes e nd...temalgum outro lugar qeu posso pega-lo?aguardor respostavaleu pela forcatamiresps:por eu n ter conseguido rodar o EliTriip os passos ate entao vou terq fazer d novo?

Compartilhar este post


Link para o post
Compartilhar em outros sites

Consegui passar o EliTriip também. Seguem os logs:

 

1o log do Hijack

Logfile of HijackThis v1.99.1Scan saved at 00:04:22, on 2/9/2007Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\system32\userinit.exeC:\WINNT\Explorer.EXEC:\WINNT\system32\NOTEPAD.EXEC:\TNT\TNT.exeO4 - HKLM\..\Run: [CountrySelection] pctptt.exeO4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exeO4 - HKLM\..\Run: [Internets] C:\WINNT\system32\Wins.exeO4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.comO4 - HKLM\..\Run: [Service PAck 2] ltx1.exeO4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exeO4 - HKLM\..\Run: [Windows Service Agent] aolo.exeO4 - HKLM\..\Run: [Microsoft Windows Update] n3wt.exeO4 - HKLM\..\Run: [Windows LoL Layer] gnhd.exeO4 - HKLM\..\Run: [sxpzoolkxd] C:\WINNT\system32\onefanm\f1ght.exe C:\WINNT\system32\onefanm\dirote.exeO4 - HKLM\..\Run: [ssms.exe] C:\WINNT\system32\win.exeO4 - HKLM\..\Run: [mmsass] msv.exeO4 - HKLM\..\Run: [johnj3155] C:\WINNT\system32\srvcc.exeO4 - HKLM\..\RunServices: [Internets] C:\WINNT\system32\Wins.exeO4 - HKLM\..\RunServices: [Service PAck 2] ltx1.exeO4 - HKLM\..\RunServices: [Windows Service Agent] aolo.exeO4 - HKLM\..\RunServices: [Microsoft Windows Update] n3wt.exeO4 - HKLM\..\RunServices: [Windows LoL Layer] gnhd.exeO4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exeO4 - HKLM\..\RunServices: [mmsass] msv.exeO4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exeO4 - HKCU\..\Run: [Service PAck 2] ltx1.exeO4 - HKCU\..\Run: [Windows Service Agent] aolo.exeO4 - HKCU\..\Run: [Microsoft Windows Update] n3wt.exeO4 - HKCU\..\Run: [Windows LoL Layer] gnhd.exeO4 - HKCU\..\Run: [johnj3155] C:\WINNT\system32\srvcc.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)O23 - Service: cwa9iok0grrdt - Unknown owner - C:\WINNT\system32\svshost.exeO23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exeO23 - Service: opj8lnt0biiru - Unknown owner - C:\WINNT\system32\svshost.exeO23 - Service: p4hrk6hksaw - Unknown owner - C:\WINNT\system32\svshost.exeO23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exeO23 - Service: r0d au7iridy - Unknown owner - C:\WINNT\system32\svshost.exeO23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

 

Infosat

	  Sun Sep 02 00:10:40 2007EliTriIP v3.78  (c)2007 S.G.H. / Satinfo S.L.---------------------------------------------Lista de Acciones (por Acción Directa):(Valor Run y RunServices "INTERNETS")Por favor, envienos una muestra del ficheroC:\WINNT\system32\Wins.exea "virus@satinfo.es". Gracias.(Valor Run y RunServices "SERVICE PACK 2")Por favor, envienos una muestra del ficheroC:\WINNT\SYSTEM32\ltx1.exea "virus@satinfo.es". Gracias.(Valor Run y RunServices "WINDOWS SERVICE AGENT")Por favor, envienos una muestra del ficheroC:\WINNT\SYSTEM32\aolo.exea "virus@satinfo.es". Gracias.(Valor Run y RunServices "MICROSOFT WINDOWS UPDATE")Por favor, envienos una muestra del ficheroC:\WINNT\SYSTEM32\n3wt.exea "virus@satinfo.es". Gracias.(Valor Run y RunServices "WINDOWS LOL LAYER")Por favor, envienos una muestra del ficheroC:\WINNT\SYSTEM32\gnhd.exea "virus@satinfo.es". Gracias.(Valor Run y RunServices "SSMS.EXE")Por favor, envienos una muestra del ficheroC:\WINNT\system32\win.exea "virus@satinfo.es". Gracias.(Valor Run y RunServices "MMSASS")Por favor, envienos una muestra del ficheroC:\WINNT\SYSTEM32\msv.exea "virus@satinfo.es". Gracias.Por favor, envienos una muestra del ficheroC:\Muestras\SVSHOST.EXE.Muestra EliTriIP v3.78 a "virus@satinfo.es".  Gracias.C:\WINNT\SYSTEM32\SVSHOST.EXE --> EliminadoPor favor, envienos una muestra del ficheroC:\Muestras\WUPDATE.EXE.Muestra EliTriIP v3.78 a "virus@satinfo.es".  Gracias.C:\WINNT\SYSTEM32\WUPDATE.EXE --> EliminadoC:\WINNT\SYSTEM32\SVKP.SYS --> EliminadoC:\WINNT\SYSTEM32\I --> EliminadoEntrada Eliminada [HKCU\...\Run] "Microsoft Windows Update"="n3wt.exe"Entrada Eliminada [HKLM\...\Run] "Microsoft Windows Update"="n3wt.exe"Entrada Eliminada [HKLM\...\RunServices] "Microsoft Windows Update"="n3wt.exe"Entrada Eliminada [HKCU\...\Run] "Windows LoL Layer"="gnhd.exe"Entrada Eliminada [HKLM\...\Run] "Windows LoL Layer"="gnhd.exe"Entrada Eliminada [HKLM\...\RunServices] "Windows LoL Layer"="gnhd.exe"No detectado Parche MS04-011 de Microsoft instalado. (LSASS)No detectado Parche MS04-012 de Microsoft instalado. (RPC)No detectado Parche MS06-001 de Microsoft instalado. (WMF)No detectado Parche MS06-070 de Microsoft instalado. (SServidor)ALERTA. WindowsUpdate Incompleto.	  Sun Sep 02 00:11:35 2007EliTriIP v3.78  (c)2007 S.G.H. / Satinfo S.L.---------------------------------------------Lista de Acciones (por Exploración):Explorando Unidad C:\C:\WINNT\system32\dirote.exe --> Eliminado, RemAdm-ProcLaunchC:\WINNT\system32\fvist.com --> Eliminado, RemAdm-ProcLaunchC:\WINNT\system32\helpersrvcc.exe --> Eliminado, SdBot.worm.genC:\WINNT\system32\onefanm\dirote.exe --> Eliminado, RemAdm-ProcLaunch

 

Não encontrei o wins.exe na pasta C:\WINNT\system32\dllcache.

 

As análises do Jotti:

 

C:\WINNT\system32\wins.exe

Service load: (apareceu amarelo, parecia uns 60% preenchido) File:  wins.exe_  Status:  INFECTED/MALWARE  MD5:  e9f2651ad1f4d3aeb468a2801fec3664  Packers detected:  - Bit9 reports:  Not analyzed yet (more info)  Scan taken on 02 Sep 2007 13:50:39 (GMT)  A-Squared  Found nothing AntiVir  Found BDS/Rizo.A.39  ArcaVir  Found Trojan.Rizo.A  Avast  Found Win32:Rizo-E  AVG Antivirus  Found BackDoor.Generic6.HWL  BitDefender  Found Backdoor.Rizo.A  ClamAV  Found Trojan.Small-1875  CPsecure  Found BackDoor.W32.Rizo.A  Dr.Web  Found Trojan.Inject.251  F-Prot Antivirus  Found W32/Backdoor.AOIS  F-Secure Anti-Virus  Found Packed.Win32.CPEX-based.f  Fortinet  Found W32/Rizo.A!tr.bdr  Kaspersky Anti-Virus  Found Packed.Win32.CPEX-based.f  NOD32  Found Win32/TrojanDropper.Rime.Gen  Norman Virus Control  Found W32/Spybot.BOOK  Panda Antivirus  Found Generic  Rising Antivirus  Found Trojan.Win32.Crypt.exf  Sophos Antivirus  Found Troj/QHost-B  VirusBuster  Found nothing VBA32  Found Trojan-PSW.Win32.OnLineGames.bs

 

C:\WINNT\system32\dllcache\mlqm.exe

Service load:  (vermelho, quase 100%) File:  mlqm.exe  Status:  INFECTED/MALWARE  MD5:  b552d92ded35704e243f6961bd854966  Packers detected:  - Bit9 reports:  Not analyzed yet (more info)  Scan taken on 02 Sep 2007 14:08:48 (GMT)  A-Squared  Found nothing AntiVir  Found BDS/Vanebot.B  ArcaVir  Found nothing Avast  Found nothing AVG Antivirus  Found Generic_c.BOJ  BitDefender  Found Backdoor.Vanebot.B  ClamAV  Found nothing CPsecure  Found nothing Dr.Web  Found Win32.HLLW.SpyBot.88  F-Prot Antivirus  Found W32/Backdoor.BLQX  F-Secure Anti-Virus  Found Backdoor.Win32.VanBot.dn  Fortinet  Found W32/SpyBot!worm  Kaspersky Anti-Virus  Found Backdoor.Win32.VanBot.dn  NOD32  Found Win32/IRCBot.YE  Norman Virus Control  Found nothing Panda Antivirus  Found W32/Spybot.AIE.worm  Rising Antivirus  Found Worm.P2p.Win32.SpyBot.dbb  Sophos Antivirus  Found W32/Vanebot-AR  VirusBuster  Found Backdoor.Vanbot.EM  VBA32  Found Win32.HLLW.SpyBot.88

 

 

C:\WINNT\system32\drivers\rndismpk.sys

Service load:  (vermelho, quase 100%) File:  rndismpk.sys  Status:  OK  MD5:  af79f98e2a9720995badd93cca1d4e01  Packers detected:  - Bit9 reports:  No threat detected (more info)  Scan taken on 02 Sep 2007 14:12:49 (GMT)  A-Squared  Found nothing AntiVir  Found nothing ArcaVir  Found nothing Avast  Found nothing AVG Antivirus  Found nothing BitDefender  Found nothing ClamAV  Found nothing CPsecure  Found nothing Dr.Web  Found nothing F-Prot Antivirus  Found nothing F-Secure Anti-Virus  Found nothing Fortinet  Found nothing Kaspersky Anti-Virus  Found nothing NOD32  Found nothing Norman Virus Control  Found nothing Panda Antivirus  Found nothing Rising Antivirus  Found nothing Sophos Antivirus  Found nothing VirusBuster  Found nothing VBA32  Found nothing

 

 

C:\WINNT\system32\drivers\usb8023k.sys

 

Service load:   (vermelho, quase 100%) File:  usb8023k.sys  Status:  OK  MD5:  f39039d5c96c1d3ac2a637a659dbf282  Packers detected:  - Bit9 reports:  No threat detected (more info)  Scan taken on 02 Sep 2007 14:18:07 (GMT)  A-Squared  Found nothing AntiVir  Found nothing ArcaVir  Found nothing Avast  Found nothing AVG Antivirus  Found nothing BitDefender  Found nothing ClamAV  Found nothing CPsecure  Found nothing Dr.Web  Found nothing F-Prot Antivirus  Found nothing F-Secure Anti-Virus  Found nothing Fortinet  Found nothing Kaspersky Anti-Virus  Found nothing NOD32  Found nothing Norman Virus Control  Found nothing Panda Antivirus  Found nothing Rising Antivirus  Found nothing Sophos Antivirus  Found nothing VirusBuster  Found nothing VBA32  Found nothing

 

 

Log 2 do Hijack (não consegui passar em modo normal)

Logfile of HijackThis v1.99.1Scan saved at 00:50:02, on 2/9/2007Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\system32\userinit.exeC:\WINNT\Explorer.EXEC:\TNT\TNT.exeO4 - HKLM\..\Run: [CountrySelection] pctptt.exeO4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exeO4 - HKLM\..\Run: [Internets] C:\WINNT\system32\Wins.exeO4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.comO4 - HKLM\..\Run: [Service PAck 2] ltx1.exeO4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exeO4 - HKLM\..\Run: [Windows Service Agent] aolo.exeO4 - HKLM\..\Run: [sxpzoolkxd] C:\WINNT\system32\onefanm\f1ght.exe C:\WINNT\system32\onefanm\dirote.exeO4 - HKLM\..\Run: [ssms.exe] C:\WINNT\system32\win.exeO4 - HKLM\..\Run: [mmsass] msv.exeO4 - HKLM\..\Run: [johnj3155] C:\WINNT\system32\srvcc.exeO4 - HKLM\..\RunServices: [Internets] C:\WINNT\system32\Wins.exeO4 - HKLM\..\RunServices: [Service PAck 2] ltx1.exeO4 - HKLM\..\RunServices: [Windows Service Agent] aolo.exeO4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exeO4 - HKLM\..\RunServices: [mmsass] msv.exeO4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exeO4 - HKCU\..\Run: [Service PAck 2] ltx1.exeO4 - HKCU\..\Run: [Windows Service Agent] aolo.exeO4 - HKCU\..\Run: [johnj3155] C:\WINNT\system32\srvcc.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)O23 - Service: cwa9iok0grrdt - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exeO23 - Service: opj8lnt0biiru - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)O23 - Service: p4hrk6hksaw - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exeO23 - Service: r0d au7iridy - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

 

pronto, é isso...

 

desculpa a demora pra responder também...aqui também to na correria!

ainda tive q postar do servico d novo...qd tento abrir esse topico em casa, a pagina fecha.

 

Valeu a ajuda

 

Abs

Compartilhar este post


Link para o post
Compartilhar em outros sites

Ok, baixe > ComboFix

  • Dê um duplo-clique no combofix.exe e tecle "Y" para prosseguir o Fix. Vai durar uma média de 10 minutos.
  • O ComboFix reiniciará o PC automaticamente para completar o processo de remoção.
  • Quando acabar, será gerado um log, que estará em C:\ComboFix.txt.
  • IMPORTANTE: Não use o mouse nem o teclado quando o ComboFix estiver rodando. Para parar ou sair do ComboFix, tecle "N".
  • Selecione e copie o coteúdo do ComboFix.txt e cole na sua resposta, juntamente com um novo log do HijackThis, de preferência gerado em modo normal, se conseguir.

Compartilhar este post


Link para o post
Compartilhar em outros sites

ComboFix

 

ComboFix 07-09-09.5 - "Tamires" 10/09/2007 1:19:30.1 - NTFSx86

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1046.18.39 [GMT -3:00]

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINNT\system32\win.exe

 

 

((((((((((((((((((((((( Ficheiros criados de 2007-08-10 to 2007-09-10 ))))))))))))))))))))))))))))))))

.

 

2007-09-02 03:25 69,743 --a------ C:\WINNT\system32\qjj.exe

2007-09-02 02:02 175 --a------ C:\WINNT\system32\pathname.dll

2007-09-02 02:02 111,104 --a------ C:\WINNT\system32\pathname.exe

2007-09-02 01:26 91,678 --a------ C:\WINNT\system32\yeahdoit.exe

2007-09-02 00:25 2,368 --a------ C:\WINNT\system32\SVKP.sys

2007-09-02 00:25 <DIR> d-------- C:\WINNT\system32\os2

2007-09-02 00:10 <DIR> d-------- C:\Muestras

2007-09-02 00:09 66,821 --a------ C:\WINNT\system32\eraseme_36615.exe

2007-09-02 00:09 <DIR> d-------- C:\WINNT\system32\jinas

2007-08-27 00:06 <DIR> d-------- C:\WINNT\system32\onefanm

2007-08-25 11:35 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_7c4.dat

2007-08-25 00:40 <DIR> d-------- C:\Arquivos de programas\fdgdfgdf

2007-08-25 00:10 222,720 --a------ C:\WINNT\system32\ltx1.exe

2007-08-21 02:03 66,821 --a------ C:\WINNT\system32\eraseme_56187.exe

2007-08-21 00:16 <DIR> d-------- C:\!KillBox

2007-08-17 01:17 65,397 --a------ C:\WINNT\system32\l4m3rxjpg.exe

2007-08-16 01:03 118,004 --a------ C:\WINNT\system32\asa.exe

2007-08-13 00:13 186 --a------ C:\WINNT\system32\systemms.dll

2007-08-12 03:20 <DIR> d--h----- C:\WINNT\PIF

2007-08-09 22:12 91,700 --a------ C:\WINNT\system32\last.exe

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

29/07/07 06:31 --------- d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Talkback

24/01/00 01:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys

14/08/07 00:32 --------- d-------- C:\Arquivos de programas\MSN Messenger

12/08/07 05:01 --------- d-------- C:\Arquivos de programas\MessengerDiscovery

11/03/04 13:27 40960 --a------ C:\Arquivos de programas\Uninstall_CDS.exe

03/01/06 13:52 271 ---h----- C:\Arquivos de programas\desktop.ini

03/01/06 13:52 22040 ---h----- C:\Arquivos de programas\folder.htt

2003-06-19 15:05:04 283,136 --sh--r C:\WINNT\system32\bllz.exe

2003-06-19 15:05:04 283,136 --sh--r C:\WINNT\system32\gnhd.exe

1601-01-01 02:05:53 73,742 --sh--w C:\WINNT\system32\srvcc.exe

1601-01-01 03:08:47 66,821 --sh--r C:\WINNT\system32\svshost.exe

2003-06-19 15:05:04 204,310 --sh--r C:\WINNT\system32\Wins.exe

2003-06-19 15:05:04 222,720 --sh--r C:\WINNT\system32\xvla.exe

2001-01-01 03:29:40 507,904 -csh--r C:\WINNT\system32\dllcache\mlqm.exe

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

 

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CountrySelection"="pctptt.exe" [05/01/00 12:41 C:\WINNT\system32\pctptt.exe]

"Synchronization Manager"="mobsync.exe" [19/06/03 12:05 C:\WINNT\system32\mobsync.exe]

"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [09/07/01 11:50 ]

"Internets"="C:\WINNT\system32\Wins.exe" [19/06/03 12:05 ]

"msngers"="C:\WINNT\system32\fvist.com" []

"Service PAck 2"="ltx1.exe" [25/08/07 00:11 C:\WINNT\system32\ltx1.exe]

"nassor"="C:\Arquivos de programas\ewrsadfs\ms04.exe" [08/10/06 23:50 ]

"Windows Service Agent"="aolo.exe" [01/01/01 00:07 C:\WINNT\system32\aolo.exe]

"sxpzoolkxd"="C:\WINNT\system32\onefanm\f1ght.exe" [01/06/07 00:13 ]

"ssms.exe"="C:\WINNT\system32\win.exe" []

"mmsass"="msv.exe" [01/01/01 00:13 C:\WINNT\system32\msv.exe]

"johnj3155"="C:\WINNT\system32\srvcc.exe" [01/01/01 00:00 ]

"pathname"="C:\WINNT\system32\pathname.exe" [02/09/07 02:02 ]

"SECRETSERVICE"="C:\WINNT\system32\jinas\jns.exe" [02/09/07 00:09 ]

"Service PAck SFVP"="xvla.exe" [19/06/03 12:05 C:\WINNT\system32\xvla.exe]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerBar"="" []

"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe" [22/09/04 16:10 ]

"ctfmon.exe"="ctfmon.exe" [20/02/01 12:09 C:\WINNT\system32\CTFMON.EXE]

"Service PAck 2"="ltx1.exe" [25/08/07 00:11 C:\WINNT\system32\ltx1.exe]

"Windows Service Agent"="aolo.exe" [01/01/01 00:07 C:\WINNT\system32\aolo.exe]

"johnj3155"="C:\WINNT\system32\srvcc.exe" [01/01/01 00:00 ]

"Service PAck SFVP"="xvla.exe" [19/06/03 12:05 C:\WINNT\system32\xvla.exe]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"Internets"=C:\WINNT\system32\Wins.exe

"Service PAck 2"=ltx1.exe

"Windows Service Agent"=aolo.exe

"ssms.exe"=C:\WINNT\system32\win.exe

"mmsass"=msv.exe

"Service PAck SFVP"=xvla.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"internat.exe"=internat.exe

"Windows Service Agent"=aolo.exe

"Windows Messenger"=msmsgrs.exe

"Windows Service Agccnt"=sysinfo.exe

"Microsoft AntiVirus Update Engine"=taskmgrs.exe

"Windows LoL Layer"=winlolx.exe

"Service PAck 2"=ltx1.exe

"Microsoft Windows Update"=n3wt.exe

 

C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\INICIA~1\

Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-05 05:18:22]

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"rdshost"= {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll [ ]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

@="Driver"

 

R2 cwa9iok0grrdt;cwa9iok0grrdt;"C:\WINNT\system32\svshost.exe"

R2 fhm2jdc5dyihg;fhm2jdc5dyihg;"C:\WINNT\system32\svshost.exe"

R2 Logitech QuickCam Manager;Logitech QuickCam Manager;"C:\WINNT\system32\dllcache\mlqm.exe"

R2 opj8lnt0biiru;opj8lnt0biiru;"C:\WINNT\system32\svshost.exe"

R2 p4hrk6hksaw;p4hrk6hksaw;"C:\WINNT\system32\svshost.exe"

R2 Pctspk;W2K PCtel speaker phone;C:\WINNT\system32\pctspk.exe

R2 r0d au7iridy;r0d au7iridy;"C:\WINNT\system32\svshost.exe"

R2 SVKP;SVKP;\??\C:\WINNT\system32\SVKP.sys

R2 wampapache;wampapache;"c:\wamp\apache2\bin\Apache.exe" -k runservice

R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys

R3 SiSV6306;SiSV6306;C:\WINNT\system32\DRIVERS\SiS6306p.sys

R3 usbhub20;Suporte a hub raiz USB 2.0;C:\WINNT\system32\DRIVERS\usbhub20.sys

S3 C-Dilla;C-Dilla;\??\C:\WINNT\system32\drivers\CDANT.SYS

S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys

S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld

S4 PHPGeekUtil;PHPGeekUtil;"c:\apache\APACHE.EXE" --ntservice

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-10 01:22:32

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

pathname = C:\WINNT\system32\pathname.exe???????????????????????????????????????????????????????????????? ??? ??????????????????????? ??? ? ????????????????????????? ?????H???????????????????????????????????????????????????????????????????????????????8???@????????????3Gx

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PowerBar = ?????????????????????????n?w?????????? ?l?@?l?@?@???9g?w???????????????`l?@?l?@????????????????????wXg?w????d????g?wt????????g?w???????? ?????????????Hxt???0??????????????`Vn?w????????????????????????????l?@?l?@??????W?w????t?@?????8?@?l?@?l?@???-l???????????

 

scanning hidden files ...

 

**************************************************************************

.

Completion time: 10/09/2007 1:24:48

C:\ComboFix-quarantined-files.txt ... 10/09/07 01:24

.

--- E O F ---

 

ele gerou tb um arquivo c a lista de arquivos em quarentena

 

19/06/03 12:05	   436736	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\win.exe.virListagem de caminhos de pastaO n£mero de s‚rie do volume ‚ 0006FE80 BCD0:86BEC:\QOOBOX\QUARANTINE+---C|   +---ComboFix|   \---WINNT|	   \---system32|			   win.exe.vir|			   \---Registry_backups

 

 

hijack (eu dei fix em algumas entradas q eu sabia q podia dar,tipo aolo, fvist, ltx1, e mais algumas,perdi o log anterior so sobrou esse :/)

Logfile of HijackThis v1.99.1

Scan saved at 01:52:46, on 10/9/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\fotos\fotos.exe

 

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe

O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com

O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe

O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe

O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe

O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)

O23 - Service: cwa9iok0grrdt - Unknown owner - C:\WINNT\system32\svshost.exe

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: fhm2jdc5dyihg - Unknown owner - C:\WINNT\system32\svshost.exe

O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exe

O23 - Service: opj8lnt0biiru - Unknown owner - C:\WINNT\system32\svshost.exe

O23 - Service: p4hrk6hksaw - Unknown owner - C:\WINNT\system32\svshost.exe

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

O23 - Service: r0d au7iridy - Unknown owner - C:\WINNT\system32\svshost.exe

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

 

ultimamente tao invadindo o msn tb :/ mandando msgs em ingles...as vezes o mouse para d funciona e qd tento desligar o pc ele diz q nao tenho permissao para desligar nem reiniciar.. :( to quase desistindo hehe...

 

valeu a ajuda

abs

Compartilhar este post


Link para o post
Compartilhar em outros sites

OK, dividirei em dois posts e 2 etapas pois o editor não está aceitando as instruções em um post só. Mas você deve cumprir todas as duas etapas sem interrupção.

 

Salve ou imprima estas instruções, pois vai segui-las desconectada e sem acesso a esta página:

 

ETAPA 1

 

Delete a pasta C:\Qoobox e delete o log anterior do Combofix > C:\combofix.txt

 

1 - Selecione e copie o texto dentro do QUOTE. Abra o Bloco de notas e cole o que copiou. Salve então, na área de trabalho, com o nome de CFScript.txt.

 

File::

C:\WINNT\system32\qjj.exe

C:\WINNT\system32\yeahdoit.exe

C:\WINNT\system32\eraseme_36615.exe

C:\WINNT\system32\last.exe

C:\WINNT\system32\systemms.dll

C:\WINNT\system32\asa.exe

C:\WINNT\system32\l4m3rxjpg.exe

C:\WINNT\system32\ltx1.exe

C:\WINNT\system32\eraseme_56187.exe

C:\WINNT\system32\bllz.exe

C:\WINNT\system32\gnhd.exe

C:\WINNT\system32\srvcc.exe

C:\WINNT\system32\svshost.exe

C:\WINNT\system32\Wins.exe

C:\WINNT\system32\xvla.exe

C:\WINNT\system32\dllcache\mlqm.exe

C:\WINNT\system32\fvist.com

C:\Arquivos de programas\ewrsadfs\ms04.exe

C:\WINNT\system32\win.exe

C:\Windows\System32\rdihost.dll

C:\WINNT\system32\aolo.exe

C:\WINNT\system32\onefanm\f1ght.exe

C:\WINNT\system32\msv.exe

C:\WINNT\system32\jinas\jns.exe

C:\WINNT\system32\sysinfo.exe

C:\WINNT\system32\msgmgrs.exe

C:\WINNT\system32\taskmgrs.exe

C:\WINNT\system32\winlolx.exe

C:\WINNT\system32\n3wt.exe

 

Folder::

C:\WINNT\system32\jinas

C:\WINNT\system32\onefanm

 

Driver::

cwa9iok0grrdt

fhm2jdc5dyihg

opj8lnt0biiru

p4hrk6hksaw

r0d au7iridy

Logitech QuickCam Manager

2 - Acesse o Painel de Controle. Vá em Ferramentas Administrativas > Serviços

 

Localize o serviço cwa9iok0grrdt. Clique sobre ele, e no menu Ação escolha a opção Parar e confirme.

 

Repita o procedimento e pare também os seguintes serviços:

fhm2jdc5dyihg

Logitech QuickCam Manager

opj8lnt0biiru

p4hrk6hksaw

r0d au7iridy

 

Rode o HijackThis, clique em None of This, just Star the Program.

No canto inferior direito, clique em config. Na próxima tela, clique em Misc Tools, em seguida Delete an NT Service.

 

Na caixa que abrir, coloque o seguinte nome: cwa9iok0grrdt

 

Dê o OK mas não reinicie ainda.

 

Repita o procedimento e coloque os nomes de todos os serviços que você parou na etapa anterior. Um de cada vez.

 

3 - Arraste agora o CFScript.txt para o ComboFix conforme a demonstração abaixo.

 

CFScript.gif

 

O ComboFix irá rodar e reiniciará o PC automaticamente para completar o processo de remoção.

 

IMPORTANTE: Não use o mouse nem o teclado quando o ComboFix estiver rodando.

 

Quando acabar, será gerado um log, que estará em C:\ComboFix.txt.

Compartilhar este post


Link para o post
Compartilhar em outros sites

ETAPA 2

 

Reinicie o PC e aperte F8 intermitentemente. No menu escolha: modo seguro.

 

Faça um scan com o HijackThis, marque as entradas abaixo, que ainda encontrar e clique em ht-fix.png

 

O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe

 

O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com

 

O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe

 

O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe

 

O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe

 

O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)

  1. Entre na pasta SDFix que foi instalada no seu computador e dê um duplo clique no arquivo RunThis.bat
  2. Tecle Y para que a ferramenta inicie o processo de remoção
  3. Quando tudo terminar, você verá um aviso dizendo para apertar qualquer tecla para continuar. Ao pressionar qualquer tecla, o computador será reiniciado automaticamente
  4. Após reiniciar, a ferramenta ainda será executada novamente e irá terminar o seu trabalho e a palavra Finished irá aparecer. Pressione qualquer tecla.
  5. Uma janela com o relatório do SDFix irá aparecer.
  6. Uma cópia do relatório estará na pasta SDFix com o nome Report.txt

Gere um novo log com o HijackThis.

 

Poste:

 

ComboFix.txt

log do HijackThis

Report.txt do SDFix

 

Informe se sabe que pasta é esta: fdgdfgdf

 

C:\Arquivos de programas\fdgdfgdf <<< aqui

Compartilhar este post


Link para o post
Compartilhar em outros sites

Não encontrei este serviço: fhm2jdc5dyihg, mas de resto fiz tudo...

 

log combofix

ComboFix 07-09-09.5 - "Tamires" 16/09/2007 1:41:17.2 - NTFSx86 MINIMAL

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1046.18.90 [GMT -3:00]

 

FILE::

C:\WINNT\system32\qjj.exe

C:\WINNT\system32\yeahdoit.exe

C:\WINNT\system32\eraseme_36615.exe

C:\WINNT\system32\last.exe

C:\WINNT\system32\systemms.dll

C:\WINNT\system32\asa.exe

C:\WINNT\system32\l4m3rxjpg.exe

C:\WINNT\system32\ltx1.exe

C:\WINNT\system32\eraseme_56187.exe

C:\WINNT\system32\bllz.exe

C:\WINNT\system32\gnhd.exe

C:\WINNT\system32\srvcc.exe

C:\WINNT\system32\svshost.exe

C:\WINNT\system32\Wins.exe

C:\WINNT\system32\xvla.exe

C:\WINNT\system32\dllcache\mlqm.exe

C:\WINNT\system32\fvist.com

C:\Arquivos de programas\ewrsadfs\ms04.exe

C:\WINNT\system32\win.exe

C:\Windows\System32\rdihost.dll

C:\WINNT\system32\aolo.exe

C:\WINNT\system32\onefanm\f1ght.exe

C:\WINNT\system32\msv.exe

C:\WINNT\system32\jinas\jns.exe

C:\WINNT\system32\sysinfo.exe

C:\WINNT\system32\msgmgrs.exe

C:\WINNT\system32\taskmgrs.exe

C:\WINNT\system32\winlolx.exe

C:\WINNT\system32\n3wt.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Arquivos de programas\ewrsadfs\ms04.exe

C:\WINNT\system32\bllz.exe

C:\WINNT\system32\dllcache\mlqm.exe

C:\WINNT\system32\gnhd.exe

C:\WINNT\system32\jinas

C:\WINNT\system32\jinas\111.reg

C:\WINNT\system32\jinas\114.reg

C:\WINNT\system32\jinas\140.reg

C:\WINNT\system32\jinas\146.reg

C:\WINNT\system32\jinas\237.reg

C:\WINNT\system32\jinas\266.reg

C:\WINNT\system32\jinas\272.reg

C:\WINNT\system32\jinas\305.reg

C:\WINNT\system32\jinas\316.reg

C:\WINNT\system32\jinas\352.reg

C:\WINNT\system32\jinas\353.reg

C:\WINNT\system32\jinas\364.reg

C:\WINNT\system32\jinas\389.reg

C:\WINNT\system32\jinas\405.reg

C:\WINNT\system32\jinas\452.reg

C:\WINNT\system32\jinas\471.reg

C:\WINNT\system32\jinas\472.reg

C:\WINNT\system32\jinas\478.reg

C:\WINNT\system32\jinas\488.reg

C:\WINNT\system32\jinas\511.reg

C:\WINNT\system32\jinas\537.reg

C:\WINNT\system32\jinas\541.reg

C:\WINNT\system32\jinas\543.reg

C:\WINNT\system32\jinas\559.reg

C:\WINNT\system32\jinas\574.reg

C:\WINNT\system32\jinas\589.reg

C:\WINNT\system32\jinas\592.reg

C:\WINNT\system32\jinas\595.reg

C:\WINNT\system32\jinas\610.reg

C:\WINNT\system32\jinas\624.reg

C:\WINNT\system32\jinas\634.reg

C:\WINNT\system32\jinas\686.reg

C:\WINNT\system32\jinas\710.reg

C:\WINNT\system32\jinas\751.reg

C:\WINNT\system32\jinas\756.reg

C:\WINNT\system32\jinas\771.reg

C:\WINNT\system32\jinas\783.reg

C:\WINNT\system32\jinas\789.reg

C:\WINNT\system32\jinas\825.reg

C:\WINNT\system32\jinas\862.reg

C:\WINNT\system32\jinas\867.reg

C:\WINNT\system32\jinas\874.reg

C:\WINNT\system32\jinas\898.reg

C:\WINNT\system32\jinas\914.reg

C:\WINNT\system32\jinas\935.reg

C:\WINNT\system32\jinas\942.reg

C:\WINNT\system32\jinas\944.reg

C:\WINNT\system32\jinas\971.reg

C:\WINNT\system32\jinas\974.reg

C:\WINNT\system32\jinas\981.reg

C:\WINNT\system32\jinas\997.reg

C:\WINNT\system32\jinas\aliases.ini

C:\WINNT\system32\jinas\cute

C:\WINNT\system32\jinas\jenny

C:\WINNT\system32\jinas\jns.exe

C:\WINNT\system32\jinas\M!rc

C:\WINNT\system32\jinas\mirc.ini

C:\WINNT\system32\jinas\msg

C:\WINNT\system32\jinas\remote.ini

C:\WINNT\system32\jinas\script3

C:\WINNT\system32\jinas\servers.ini

C:\WINNT\system32\jinas\sexual

C:\WINNT\system32\jinas\systemac.dll

C:\WINNT\system32\msv.exe

C:\WINNT\system32\n3wt.exe

C:\WINNT\system32\onefanm

C:\WINNT\system32\onefanm\demo.xt

C:\WINNT\system32\onefanm\f1ght.exe

C:\WINNT\system32\onefanm\ger.exe

C:\WINNT\system32\onefanm\kfolder

C:\WINNT\system32\onefanm\redroses

C:\WINNT\system32\onefanm\rx

C:\WINNT\system32\onefanm\v1rgf

C:\WINNT\system32\onefanm\x.q

C:\WINNT\system32\onefanm\xsiger.bat

C:\WINNT\system32\srvcc.exe

C:\WINNT\system32\svshost.exe

C:\WINNT\system32\systemms.dll

C:\WINNT\system32\win.exe

C:\WINNT\system32\Wins.exe

C:\WINNT\system32\xvla.exe

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_CWA9IOK0GRRDT

-------\LEGACY_FHM2JDC5DYIHG

-------\LEGACY_LOGITECH_QUICKCAM_MANAGER

-------\LEGACY_OPJ8LNT0BIIRU

-------\LEGACY_P4HRK6HKSAW

-------\LEGACY_R0D_AU7IRIDY

 

 

((((((((((((((((((((((( Ficheiros criados de 2007-08-16 to 2007-09-16 ))))))))))))))))))))))))))))))))

.

 

2007-09-16 01:49 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_178.dat

2007-09-14 00:14 2,098 --a------ C:\WINNT\wolzwef.exe

2007-09-14 00:12 <DIR> d-------- C:\windows

2007-09-02 02:02 175 --a------ C:\WINNT\system32\pathname.dll

2007-09-02 02:02 111,104 --a------ C:\WINNT\system32\pathname.exe

2007-09-02 00:25 2,368 --a------ C:\WINNT\system32\SVKP.sys

2007-09-02 00:25 <DIR> d-------- C:\WINNT\system32\os2

2007-09-02 00:10 <DIR> d-------- C:\Muestras

2007-08-25 00:40 <DIR> d-------- C:\Arquivos de programas\fdgdfgdf

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

07-09-16 01:44 --------- d-------- C:\Arquivos de programas\ewrsadfs

07-08-14 00:32 --------- d-------- C:\Arquivos de programas\MSN Messenger

07-08-12 05:01 --------- d-------- C:\Arquivos de programas\MessengerDiscovery

07-08-09 01:47 88819 --a------ C:\WINNT\system32\kke.exe

07-08-09 01:36 685857 --a------ C:\WINNT\system32\beboz.exe

07-07-29 06:31 --------- d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Talkback

07-07-16 22:21 37716 --a------ C:\WINNT\system32\updetwinds.exe

07-06-17 00:11 51200 --a------ C:\WINNT\NirCmd.exe

06-01-03 13:52 271 ---h----- C:\Arquivos de programas\desktop.ini

06-01-03 13:52 22040 ---h----- C:\Arquivos de programas\folder.htt

04-03-11 13:27 40960 --a------ C:\Arquivos de programas\Uninstall_CDS.exe

00-01-24 01:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

 

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CountrySelection"="pctptt.exe" [00-01-05 12:41 C:\WINNT\system32\pctptt.exe]

"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]

"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 ]

"Internets"="C:\WINNT\system32\Wins.exe" []

"msngers"="C:\WINNT\system32\fvist.com" []

"nassor"="C:\Arquivos de programas\ewrsadfs\ms04.exe" []

"syswin.txt"="win.exe" []

"Advanced DHTML Enable"="C:\windows\rdrive\hblPk.exe" [07-08-24 19:01 ]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerBar"="" []

"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe" [04-09-22 16:10 ]

"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 C:\WINNT\system32\CTFMON.EXE]

"syswin.txt"="win.exe" []

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"Internets"=C:\WINNT\system32\Wins.exe

"ssms.exe"=C:\WINNT\system32\win.exe

"syswin.txt"=win.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"internat.exe"=internat.exe

"Windows Service Agent"=aolo.exe

"Windows Messenger"=msmsgrs.exe

"Windows Service Agccnt"=sysinfo.exe

"Microsoft AntiVirus Update Engine"=taskmgrs.exe

"Windows LoL Layer"=winlolx.exe

"Service PAck 2"=ltx1.exe

"Microsoft Windows Update"=n3wt.exe

"syswin.txt"=win.exe

 

C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\INICIA~1\

Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-05 05:18:22]

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"rdshost"= {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll [ ]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

@="Driver"

 

R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys

R3 usbhub20;Suporte a hub raiz USB 2.0;C:\WINNT\system32\DRIVERS\usbhub20.sys

S2 Microsoft Stats Services;Microsoft Stats Services;"C:\WINNT\system32\svshost.exe"

S2 Pctspk;W2K PCtel speaker phone;C:\WINNT\system32\pctspk.exe

S2 Remote Security Manager;Remote Security Manager;"C:\WINNT\system32\svshost.exe"

S2 SVKP;SVKP;\??\C:\WINNT\system32\SVKP.sys

S2 wampapache;wampapache;"c:\wamp\apache2\bin\Apache.exe" -k runservice

S3 C-Dilla;C-Dilla;\??\C:\WINNT\system32\drivers\CDANT.SYS

S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys

S3 SiSV6306;SiSV6306;C:\WINNT\system32\DRIVERS\SiS6306p.sys

S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld

S4 PHPGeekUtil;PHPGeekUtil;"c:\apache\APACHE.EXE" --ntservice

 

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-16 01:49:22

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PowerBar = ?????????????????????????n?w?????????? ?l?@?l?@?@???9g?w???????????????`l?@?l?@????????????????????wXg?w????d????g?wt????????g?w???????? ?????????????Hxt???0??????????????`Vn?w????????????????????????????l?@?l?@??????W?w????t?@?????8?@?l?@?l?@???-l???????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-16 1:51:20 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 07-09-16 01:50

.

--- E O F ---[/code]

 

combofix - quarantine files

 

01-01-01 00:00	   270	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\rx.vir01-01-01 00:00	   73742	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\srvcc.exe.vir01-01-01 00:02	   379316	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\win.exe.vir01-01-01 00:03	   186	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\systemms.dll.vir01-01-01 00:05	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\592.reg.vir01-01-01 00:05	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\942.reg.vir01-01-01 00:06	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\914.reg.vir01-01-01 00:07	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\610.reg.vir01-01-01 00:08	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\867.reg.vir01-01-01 00:08	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\981.reg.vir01-01-01 00:08	   66821	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\svshost.exe.vir01-01-01 00:10	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\624.reg.vir01-01-01 00:11	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\114.reg.vir01-01-01 00:11	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\488.reg.vir01-01-01 00:11	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\756.reg.vir01-01-01 00:13	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\686.reg.vir01-01-01 00:13	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\935.reg.vir01-01-01 00:13	   68266	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\msv.exe.vir01-01-01 00:14	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\146.reg.vir01-01-01 00:14	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\237.reg.vir01-01-01 00:14	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\589.reg.vir01-01-01 00:15	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\316.reg.vir01-01-01 00:15	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\353.reg.vir01-01-01 00:15	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\944.reg.vir01-01-01 00:16	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\405.reg.vir01-01-01 00:16	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\471.reg.vir01-01-01 00:16	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\862.reg.vir01-01-01 00:18	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\364.reg.vir01-01-01 00:18	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\478.reg.vir01-01-01 00:19	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\971.reg.vir01-01-01 00:20	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\305.reg.vir01-01-01 00:21	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\389.reg.vir01-01-01 00:21	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\874.reg.vir01-01-01 00:23	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\111.reg.vir01-01-01 00:23	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\266.reg.vir01-01-01 00:23	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\595.reg.vir01-01-01 00:26	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\272.reg.vir01-01-01 00:28	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\511.reg.vir01-01-01 00:29	   507904	--a--c---	C:\Qoobox\Quarantine\C\WINNT\system32\dllcache\mlqm.exe.vir01-01-01 00:30	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\541.reg.vir01-01-01 00:31	   266	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\634.reg.vir01-01-01 00:36	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\789.reg.vir01-01-01 00:37	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\783.reg.vir01-01-01 00:43	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\543.reg.vir01-01-01 00:45	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\352.reg.vir01-01-01 00:48	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\559.reg.vir01-01-01 00:50	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\898.reg.vir01-01-01 00:53	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\537.reg.vir01-01-01 00:55	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\710.reg.vir01-01-01 01:00	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\974.reg.vir01-01-01 01:03	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\574.reg.vir01-01-01 01:05	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\825.reg.vir01-01-01 01:12	   514208	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\n3wt.exe.vir01-01-01 06:33	   0	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\xsiger.bat.vir02-08-27 18:03	   29184	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\systemac.dll.vir03-06-19 12:05	   204310	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\Wins.exe.vir03-06-19 12:05	   222720	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\xvla.exe.vir03-06-19 12:05	   283136	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\bllz.exe.vir03-06-19 12:05	   283136	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\gnhd.exe.vir05-06-19 13:41	   22493	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\sexual.vir05-06-21 13:42	   844	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\aliases.ini.vir06-04-18 00:44	   204	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\script3.vir06-09-14 00:44	   42	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\servers.ini.vir06-10-08 23:50	   3104	--a------	C:\Qoobox\Quarantine\C\Arquivos de programas\ewrsadfs\ms04.exe.vir07-04-27 19:17	   128617	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\cute.vir07-06-01 00:13	   17408	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\f1ght.exe.vir07-06-01 00:13	   49107	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\ger.exe.vir07-06-01 00:13	   75344	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\demo.xt.vir07-06-01 00:14	   2185	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\v1rgf.vir07-06-01 00:30	   1667	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\x.q.vir07-06-01 00:37	   24196	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\kfolder.vir07-07-08 21:23	   15399	--a------	C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir07-08-29 15:11	   155	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\remote.ini.vir07-08-29 15:11	   992	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\msg.vir07-08-29 15:29	   1364	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\M!rc.vir07-09-02 00:09	   1771008	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\jns.exe.vir07-09-02 01:05	   2648	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\redroses.vir07-09-02 02:06	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\140.reg.vir07-09-02 02:06	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\452.reg.vir07-09-02 02:06	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\472.reg.vir07-09-03 02:03	   65	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\jenny.vir07-09-10 01:37	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\751.reg.vir07-09-10 01:37	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\771.reg.vir07-09-10 01:37	   133	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\997.reg.vir07-09-10 01:37	   3105	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\jinas\mirc.ini.vir07-09-16 01:43	   830	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_P4HRK6HKSAW.reg.cf07-09-16 01:43	   838	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_R0D_AU7IRIDY.reg.cf07-09-16 01:43	   846	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CWA9IOK0GRRDT.reg.cf07-09-16 01:43	   846	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_FHM2JDC5DYIHG.reg.cf07-09-16 01:43	   846	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_OPJ8LNT0BIIRU.reg.cf07-09-16 01:43	   942	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_LOGITECH_QUICKCAM_MANAGER.reg.cf

 

 

Listagem de caminhos de pastaO n£mero de s‚rie do volume ‚ 0006FE80 BCD0:86BEC:\QOOBOX\QUARANTINE+---C|   +---Arquivos de programas|   |   \---ewrsadfs|   |		   ms04.exe.vir|   |		   |   +---ComboFix|   |	   FProps.vbs.vir|   |	   |   \---WINNT|	   \---system32|		   |   bllz.exe.vir|		   |   gnhd.exe.vir|		   |   msv.exe.vir|		   |   n3wt.exe.vir|		   |   srvcc.exe.vir|		   |   svshost.exe.vir|		   |   systemms.dll.vir|		   |   win.exe.vir|		   |   Wins.exe.vir|		   |   xvla.exe.vir|		   |   |		   +---dllcache|		   |	   mlqm.exe.vir|		   |	   |		   +---jinas|		   |	   111.reg.vir|		   |	   114.reg.vir|		   |	   140.reg.vir|		   |	   146.reg.vir|		   |	   237.reg.vir|		   |	   266.reg.vir|		   |	   272.reg.vir|		   |	   305.reg.vir|		   |	   316.reg.vir|		   |	   352.reg.vir|		   |	   353.reg.vir|		   |	   364.reg.vir|		   |	   389.reg.vir|		   |	   405.reg.vir|		   |	   452.reg.vir|		   |	   471.reg.vir|		   |	   472.reg.vir|		   |	   478.reg.vir|		   |	   488.reg.vir|		   |	   511.reg.vir|		   |	   537.reg.vir|		   |	   541.reg.vir|		   |	   543.reg.vir|		   |	   559.reg.vir|		   |	   574.reg.vir|		   |	   589.reg.vir|		   |	   592.reg.vir|		   |	   595.reg.vir|		   |	   610.reg.vir|		   |	   624.reg.vir|		   |	   634.reg.vir|		   |	   686.reg.vir|		   |	   710.reg.vir|		   |	   751.reg.vir|		   |	   756.reg.vir|		   |	   771.reg.vir|		   |	   783.reg.vir|		   |	   789.reg.vir|		   |	   825.reg.vir|		   |	   862.reg.vir|		   |	   867.reg.vir|		   |	   874.reg.vir|		   |	   898.reg.vir|		   |	   914.reg.vir|		   |	   935.reg.vir|		   |	   942.reg.vir|		   |	   944.reg.vir|		   |	   971.reg.vir|		   |	   974.reg.vir|		   |	   981.reg.vir|		   |	   997.reg.vir|		   |	   aliases.ini.vir|		   |	   cute.vir|		   |	   jenny.vir|		   |	   jns.exe.vir|		   |	   M!rc.vir|		   |	   mirc.ini.vir|		   |	   msg.vir|		   |	   remote.ini.vir|		   |	   script3.vir|		   |	   servers.ini.vir|		   |	   sexual.vir|		   |	   systemac.dll.vir|		   |	   |		   \---onefanm|				   demo.xt.vir|				   f1ght.exe.vir|				   ger.exe.vir|				   kfolder.vir|				   redroses.vir|				   rx.vir|				   v1rgf.vir|				   x.q.vir|				   xsiger.bat.vir|				   \---Registry_backups		LEGACY_CWA9IOK0GRRDT.reg.cf		LEGACY_FHM2JDC5DYIHG.reg.cf		LEGACY_LOGITECH_QUICKCAM_MANAGER.reg.cf		LEGACY_OPJ8LNT0BIIRU.reg.cf		LEGACY_P4HRK6HKSAW.reg.cf		LEGACY_R0D_AU7IRIDY.reg.cf

 

 

log hijack

 

Logfile of HijackThis v1.99.1

Scan saved at 01:52:53, on 16/9/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\Notepad.exe

C:\tnt\tnt.exe

 

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe

O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com

O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe

O4 - HKLM\..\Run: [syswin.txt] win.exe

O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\windows\rdrive\hblPk.exe

O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe

O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe

O4 - HKLM\..\RunServices: [syswin.txt] win.exe

O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [syswin.txt] win.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Microsoft Stats Services - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

O23 - Service: Remote Security Manager - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

 

 

 

sdfix

SDFix: Version 1.98

 

Run by Tamires on dom 16/09/2007 at 1:57

 

Microsoft Windows 2000 [VersÆo 5.00.2195]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\WINNT\system32\i - Deleted

C:\WINNT\system32\o - Deleted

C:\WINNT\system32\pathname.dll - Deleted

C:\WINNT\system32\pathname.exe - Deleted

C:\WINNT\system32\rdihost.dll - Deleted

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINNT

No streams found.

 

C:\WINNT\system32

No streams found.

 

C:\WINNT\system32\svchost.exe

No streams found.

 

C:\WINNT\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes:

 

C:\WINNT\system32\drivers\rndismpk.sys

C:\WINNT\system32\drivers\usb8023k.sys

 

Finished

 

 

 

novo log hijack

(dessa vez, dpis de mt tempo, consegui abrir em modo normal,renomeado como TNT)

Logfile of HijackThis v1.99.1

Scan saved at 02:28:31, on 16/9/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\pctspk.exe

C:\WINNT\system32\MSTask.exe

c:\wamp\apache2\bin\Apache.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\cmd.exe

C:\WINNT\system32\ftp.exe

C:\wamp\apache2\bin\Apache.exe

C:\WINNT\system32\ctfmon.exe

C:\tnt\tnt.exe

 

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [syswin.txt] win.exe

O4 - HKLM\..\RunServices: [syswin.txt] win.exe

O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [syswin.txt] win.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Microsoft Stats Services - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

O23 - Service: Remote Security Manager - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

 

 

depois, fui ver a pasta arquivos de programas, nao sabia que pasta era aquela (fdgdfgdf) e deletei. alem dela,deletei mais umas duas ou tres pastas com nomes esquisitos tipo esse, alem de outros arquivos esquisitos no computador...

 

notei que a cpu nao esta mais em 100% de uso.

Compartilhar este post


Link para o post
Compartilhar em outros sites

Ok, farei o mesmo dividindo em 2 posts e Etapas. Como da outra vez, deve seguir todas sem interrupções.

 

Salve ou imprima estas instruções, pois vai segui-las desconectada e sem acesso a esta página:

 

ETAPA 1

 

Delete a pasta C:\Qoobox e delete o log anterior do Combofix > C:\combofix.txt

 

1 - Selecione e copie o texto dentro do QUOTE. Abra o Bloco de notas e cole o que copiou. Salve então, na área de trabalho, com o nome de CFScript.txt.

 

File::

C:\WINNT\wolzwef.exe

C:\WINNT\system32\svshost.exe

C:\WINNT\system32\pathname.dll

C:\WINNT\system32\pathname.exe

C:\WINNT\system32\kke.exe

C:\WINNT\system32\beboz.exe

C:\WINNT\system32\updetwinds.exe

C:\windows\rdrive\hblPk.exe

 

Folder::

C:\Arquivos de programas\fdgdfgdf

C:\Arquivos de programas\ewrsadfs

 

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Internets"=-

"msngers"=-

"nassor"=-

"syswin.txt"=-

"Advanced DHTML Enable"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerBar"=-

"syswin.txt"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"Internets"=-

"ssms.exe"=-

"syswin.txt"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Windows Service Agent"=-

"Windows Messenger"=-

"Windows Service Agccnt"=-

"Microsoft AntiVirus Update Engine"=-

"Windows LoL Layer"=-

"Service PAck 2"=-

"Microsoft Windows Update"=-

"syswin.txt"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"rdshost"=-

 

Driver::

Microsoft Stats Services

Remote Security Manager

2 - Acesse o Painel de Controle. Vá em Ferramentas Administrativas > Serviços

 

Localize o serviço Microsoft Stats Services. Clique sobre ele, e no menu Ação escolha a opção Parar e confirme.

 

Repita o procedimento e pare também o seguinte serviço:

 

Remote Security Manager

 

3 - Rode o HijackThis, clique em None of This, just Star the Program.

No canto inferior direito, clique em config. Na próxima tela, clique em Misc Tools, em seguida Delete an NT Service.

 

Na caixa que abrir, coloque o seguinte nome: Microsoft Stats Services

 

Dê o OK mas não reinicie ainda.

 

Repita o procedimento e coloque agora: Remote Security Manager

 

Dê o OK mas não reinicie ainda.

 

4 - Arraste agora o CFScript.txt para o ComboFix conforme a demonstração abaixo.

 

CFScript.gif

 

O ComboFix irá rodar e reiniciará o PC automaticamente para completar o processo de remoção.

 

IMPORTANTE: Não use o mouse nem o teclado quando o ComboFix estiver rodando.

 

Quando acabar, será gerado um log, que estará em C:\ComboFix.txt.

Compartilhar este post


Link para o post
Compartilhar em outros sites

ETAPA 2

 

Reinicie o PC e aperte F8 intermitentemente. No menu escolha: modo seguro.

 

Faça um scan com o HijackThis, marque as entradas abaixo, que ainda encontrar e clique em ht-fix.png

 

O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe

 

O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com

 

O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe

 

O4 - HKLM\..\Run: [syswin.txt] win.exe

 

O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\windows\rdrive\hblPk.exe

 

O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe

 

O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe

 

O4 - HKLM\..\RunServices: [syswin.txt] win.exe

 

O4 - HKCU\..\Run: [syswin.txt] win.exe

 

O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)

  1. Entre na pasta SDFix que foi instalada no seu computador e dê um duplo clique no arquivo RunThis.bat
  2. Tecle Y para que a ferramenta inicie o processo de remoção
  3. Quando tudo terminar, você verá um aviso dizendo para apertar qualquer tecla para continuar. Ao pressionar qualquer tecla, o computador será reiniciado automaticamente
  4. Após reiniciar, a ferramenta ainda será executada novamente e irá terminar o seu trabalho e a palavra Finished irá aparecer. Pressione qualquer tecla.
  5. Uma janela com o relatório do SDFix irá aparecer.
  6. Uma cópia do relatório estará na pasta SDFix com o nome Report.txt

Gere um novo log com o HijackThis.

 

Poste:

 

ComboFix.txt

log do HijackThis

Report.txt do SDFix

Compartilhar este post


Link para o post
Compartilhar em outros sites

ComboFix 07-09-09.5 - "Tamires" 16/09/2007 0:09:01.4 - NTFSx86

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1046.18.44 [GMT -3:00]

 

FILE::

C:\WINNT\wolzwef.exe

C:\WINNT\system32\svshost.exe

C:\WINNT\system32\pathname.dll

C:\WINNT\system32\pathname.exe

C:\WINNT\system32\kke.exe

C:\WINNT\system32\beboz.exe

C:\WINNT\system32\updetwinds.exe

C:\windows\rdrive\hblPk.exe

.

 

((((((((((((((((((((((( Ficheiros criados de 2007-08-16 to 2007-09-16 ))))))))))))))))))))))))))))))))

.

 

2007-09-23 00:14 490,496 --a------ C:\WINNT\system32\ValueSoft.exe

2007-09-16 02:23 0 --a------ C:\WINNT\system32\pin.exe

2007-09-02 00:25 2,368 --a------ C:\WINNT\system32\SVKP.sys

2007-09-02 00:25 <DIR> d-------- C:\WINNT\system32\os2

2007-09-02 00:10 <DIR> d-------- C:\Muestras

2007-08-12 03:20 <DIR> d--h----- C:\WINNT\PIF

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

29/07/07 06:31 --------- d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Talkback

24/01/00 01:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys

14/08/07 00:32 --------- d-------- C:\Arquivos de programas\MSN Messenger

12/08/07 05:01 --------- d-------- C:\Arquivos de programas\MessengerDiscovery

11/03/04 13:27 40960 --a------ C:\Arquivos de programas\Uninstall_CDS.exe

03/01/06 13:52 271 ---h----- C:\Arquivos de programas\desktop.ini

03/01/06 13:52 22040 ---h----- C:\Arquivos de programas\folder.htt

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

 

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pronto"="avvg.exe" [01/01/01 00:36 C:\WINNT\system32\avvg.exe]

"CountrySelection"="pctptt.exe" [05/01/00 12:41 C:\WINNT\system32\pctptt.exe]

"Synchronization Manager"="mobsync.exe" [19/06/03 12:05 C:\WINNT\system32\mobsync.exe]

"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [09/07/01 11:50 ]

"Windows Service Ag3nt"="ValueSoft.exe" [23/09/07 00:15 C:\WINNT\system32\ValueSoft.exe]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe" [22/09/04 16:10 ]

"ctfmon.exe"="ctfmon.exe" [20/02/01 12:09 C:\WINNT\system32\CTFMON.EXE]

"Windows Service Ag3nt"="ValueSoft.exe" [23/09/07 00:15 C:\WINNT\system32\ValueSoft.exe]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"pronto"=avvg.exe

"Windows Service Ag3nt"=ValueSoft.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"internat.exe"=internat.exe

"Windows Service Ag3nt"=ValueSoft.exe

 

C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\INICIA~1\

Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-05 05:18:22]

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

@="Driver"

 

R2 Pctspk;W2K PCtel speaker phone;C:\WINNT\system32\pctspk.exe

R2 SVKP;SVKP;\??\C:\WINNT\system32\SVKP.sys

R2 wampapache;wampapache;"c:\wamp\apache2\bin\Apache.exe" -k runservice

R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys

R3 SiSV6306;SiSV6306;C:\WINNT\system32\DRIVERS\SiS6306p.sys

R3 usbhub20;Suporte a hub raiz USB 2.0;C:\WINNT\system32\DRIVERS\usbhub20.sys

S3 C-Dilla;C-Dilla;\??\C:\WINNT\system32\drivers\CDANT.SYS

S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys

S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld

S4 PHPGeekUtil;PHPGeekUtil;"c:\apache\APACHE.EXE" --ntservice

 

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-16 00:11:46

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

**************************************************************************

.

Completion time: 16/09/2007 0:14:33

.

--- E O F ---

 

 

1o hijack

Não encontrei nenhuma das entradas mencionadas.

Logfile of HijackThis v1.99.1

Scan saved at 00:23:42, on 16/9/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\userinit.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\NOTEPAD.EXE

C:\tnt\tnt.exe

 

O4 - HKLM\..\Run: [pronto] avvg.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Windows Service Ag3nt] ValueSoft.exe

O4 - HKLM\..\RunServices: [pronto] avvg.exe

O4 - HKLM\..\RunServices: [Windows Service Ag3nt] ValueSoft.exe

O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Windows Service Ag3nt] ValueSoft.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

 

 

2o log hijack

Logfile of HijackThis v1.99.1

Scan saved at 00:43:09, on 16/9/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\pctspk.exe

C:\WINNT\system32\MSTask.exe

c:\wamp\apache2\bin\Apache.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\wamp\apache2\bin\Apache.exe

C:\WINNT\system32\avvg.exe

C:\WINNT\system32\ctfmon.exe

C:\WINNT\system32\NOTEPAD.EXE

C:\tnt\tnt.exe

 

O4 - HKLM\..\Run: [pronto] avvg.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Windows Service Ag3nt] ValueSoft.exe

O4 - HKLM\..\RunServices: [pronto] avvg.exe

O4 - HKLM\..\RunServices: [Windows Service Ag3nt] ValueSoft.exe

O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Windows Service Ag3nt] ValueSoft.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

 

=================================

 

SDFix: Version 1.98

 

Run by Tamires on dom 16/09/2007 at 0:28

 

Microsoft Windows 2000 [VersÆo 5.00.2195]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\WINNT\SYSTEM32\AOLO.EXE - Deleted

C:\WINNT\SYSTEM32\PIN.EXE - Deleted

C:\WINNT\system32\o - Deleted

C:\WINNT\system32\ValueSoft.exe - Deleted

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINNT

No streams found.

 

C:\WINNT\system32

No streams found.

 

C:\WINNT\system32\svchost.exe

No streams found.

 

C:\WINNT\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes:

 

C:\WINNT\system32\drivers\rndismpk.sys

C:\WINNT\system32\drivers\usb8023k.sys

 

Finished

 

valeu

abs

Compartilhar este post


Link para o post
Compartilhar em outros sites

Salve ou imprima estas instruções, pois vai segui-las desconectada e sem acesso a esta página:

 

Delete a pasta C:\Qoobox e delete o log anterior do Combofix > C:\combofix.txt

 

Selecione e copie o texto dentro do QUOTE. Abra o Bloco de notas e cole o que copiou. Salve então, na área de trabalho, com o nome de CFScript.txt.

 

File::

C:\WINNT\system32\avvg.exe

 

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pronto"=-

"Windows Service Ag3nt"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Service Ag3nt"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"pronto"=-

"Windows Service Ag3nt"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Windows Service Ag3nt"=-

Arraste agora o CFScript.txt para o ComboFix conforme a demonstração abaixo.

 

CFScript.gif

 

O ComboFix irá rodar e reiniciará o PC automaticamente para completar o processo de remoção.

 

IMPORTANTE: Não use o mouse nem o teclado quando o ComboFix estiver rodando.

 

Quando acabar, será gerado um log, que estará em C:\ComboFix.txt.

 

Reinicie o PC e aperte F8 intermitentemente. No menu escolha: modo seguro.

  • Entre na pasta SDFix que foi instalada no seu computador e dê um duplo clique no arquivo RunThis.bat
  • Tecle Y para que a ferramenta inicie o processo de remoção
  • Quando tudo terminar, você verá um aviso dizendo para apertar qualquer tecla para continuar. Ao pressionar qualquer tecla, o computador será reiniciado automaticamente
  • Após reiniciar, a ferramenta ainda será executada novamente e irá terminar o seu trabalho e a palavra Finished irá aparecer. Pressione qualquer tecla.
  • Uma janela com o relatório do SDFix irá aparecer.
  • Copie e cole este relatório na sua resposta. Caso você tenha fechado a janela, uma cópia do relatório estará na pasta SDFix com o nome Report.txt

Gere um novo log com o HijackThis.

 

Poste:

 

ComboFix.txt

log do HijackThis

Report.txt do SDFix

Compartilhar este post


Link para o post
Compartilhar em outros sites

Tópico Arquivado

 

Como o autor não respondeu por mais de 20 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.

Compartilhar este post


Link para o post
Compartilhar em outros sites

×

Informação importante

Ao usar o fórum, você concorda com nossos Termos e condições.