tamires, posted August 13, 2007
Hi... last week my PC started doing some odd things... when I first noticed I didn't think it was anything serious, but now it's getting worse... IE windows close by themselves, Explorer windows too. I tried to reinstall AVG and can't; I try to run the file and it won't run! I try to run Panda and nothing, and when I try to run HijackThis it doesn't work either (only in safe mode). Going through the log I managed to remove some malware, and I also searched the machine for strange files and deleted them. (One of them was eraseme_*.exe, where * is a number it generates randomly, from what I've read; I deleted about 3 of those.) My C: filled up with strange files, and I deleted them all. But one of them, every time I delete it, a DOS window opens that creates it again. I don't know what else to do... I'd like to know whether there is any solution other than formatting the machine... awaiting a reply, thanks, tamires
Sam Spade, posted August 14, 2007
Hi tamires! Do the following to get a log generated in normal mode with HijackThis: right-click the HijackThis icon and choose Rename. Give it the name: detonador. Then try running it. If that doesn't work, generate a log in safe mode and post it, even though that isn't ideal, because several processes won't show up.
tamires, posted August 15, 2007
I tried to open HijackThis but couldn't, even after renaming it; I ran it in safe mode. The thing is, when I search the web about this, the browser page closes when I try to open links that contain the word "hijack" or "antivirus", for example. I couldn't even get into this topic: I could browse the forum normally, but when I entered the topic the window closed... I had to save the log to my e-mail to post it here from work today. Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 02:12:01, on 14/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\TNT\TNT.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\Run: [Windows Service Agccnt] sysinfo.exe
O4 - HKLM\..\Run: [Windows LoL Layer] gcol.exe
O4 - HKLM\..\Run: [systemms] C:\WINNT\system32\systemms.exe
O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [Windows Service Agccnt] sysinfo.exe
O4 - HKLM\..\RunServices: [Windows LoL Layer] gcol.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Windows Service Agccnt] sysinfo.exe
O4 - HKCU\..\Run: [Windows LoL Layer] gcol.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ddd5fsk5vheca - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Remote History Services - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: Remote TCPI Services - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
Sam Spade, posted August 17, 2007
Download SDFix: http://linhadefensiva.uol.com.br/dl/sdfix
Save it to your desktop. Double-click SDFix.exe and the tool will be installed to %SystemDrive%\SDFix (usually C:\SDFix).
Restart the PC and press F8 repeatedly. In the menu choose: Safe Mode.
Open the SDFix folder that was installed on your computer and double-click the file RunThis.bat.
Press Y so that the tool starts the removal process.
When everything is finished you will see a message telling you to press any key to continue. When you press a key, the computer restarts automatically.
After the restart the tool runs once more, finishes its work, and the word Finished appears. Press any key.
A window with the SDFix report will open. Copy and paste this report into your reply. If you closed the window, a copy of the report is in the SDFix folder under the name Report.txt.
Also post a new HijackThis log generated in normal mode.
tamires, posted August 18, 2007
I ran SDFix and then tried to run HijackThis in normal mode, but couldn't; I had to run it in safe mode again. I also still couldn't open the forum topic; I had to send the logs by e-mail and managed to post now...

SDFix

SDFix: Version 1.98
Run by Tamires on Mon 01/01/1601 at 0:05

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Name: Remote TCPI Services
ImagePath: "C:\WINNT\system32\svshost.exe"

Remote TCPI Services - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:
C:\WINNT\SYSTEM32\SMMSS.EXE - Deleted
C:\WINNT\SYSTEM32\WINDSE~1.EXE - Deleted
C:\WINNT\SYSTEM32\WINSECVP.EXE - Deleted
C:\WINNT\system32\eraseme_02847.exe - Deleted
C:\WINNT\system32\eraseme_03827.exe - Deleted
C:\WINNT\system32\helperam1.exe - Deleted
C:\WINNT\system32\i - Deleted
C:\WINNT\system32\o - Deleted
C:\WINNT\system32\svshost.exe - Deleted
C:\WINNT\system32\sysinfo.exe - Deleted
C:\WINNT\system32\TFTP1416 - Deleted
C:\WINNT\system32\TFTP1484 - Deleted
C:\WINNT\system32\TFTP484 - Deleted

Removing Temp Files...

ADS Check:
C:\WINNT
No streams found.
C:\WINNT\system32
No streams found.
C:\WINNT\system32\svchost.exe
No streams found.
C:\WINNT\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Remaining Files:
---------------
C:\WINNT\system32\o Found

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:
C:\WINNT\system32\msgmgrs.exe
C:\WINNT\system32\ovwygsx.exe
C:\WINNT\system32\pttryjxd.exe
C:\WINNT\system32\vodw.exe
C:\WINNT\system32\Wins.exe
C:\WINNT\system32\wvtreiro.exe
C:\WINNT\system32\xzpu.exe
C:\WINNT\system32\dllcache\mlqm.exe
C:\WINNT\system32\drivers\rndismpk.sys
C:\WINNT\system32\drivers\usb8023k.sys

Finished

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 01:39:54, on 1/1/1601
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\TNT\TNT.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\Run: [Windows Service Agccnt] sysinfo.exe
O4 - HKLM\..\Run: [systemms] C:\WINNT\system32\systemms.exe
O4 - HKLM\..\Run: [Microsoft AntiVirus Update Engine] taskmgrs.exe
O4 - HKLM\..\Run: [Windows LoL Layer] gcol.exe
O4 - HKLM\..\RunServices: [Internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [Windows Service Agccnt] sysinfo.exe
O4 - HKLM\..\RunServices: [Microsoft AntiVirus Update Engine] taskmgrs.exe
O4 - HKLM\..\RunServices: [Windows LoL Layer] gcol.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Windows Service Agccnt] sysinfo.exe
O4 - HKCU\..\Run: [Microsoft AntiVirus Update Engine] taskmgrs.exe
O4 - HKCU\..\Run: [Windows LoL Layer] gcol.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ddd5fsk5vheca - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Remote History Services - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
Sam Spade, posted August 18, 2007
OK, this is a large bot infection.

Download: KillBox and EliTriip (at the bottom of the page click the Descargar EliTriip button).

Copy this text and save it in Notepad:

C:\WINNT\system32\o
C:\WINNT\system32\systemms.exe
C:\WINNT\system32\taskmgrs.exe
C:\WINNT\system32\sysinfo.exe
C:\WINNT\system32\gcol.exe
C:\WINNT\system32\msgmgrs.exe
C:\WINNT\system32\ovwygsx.exe
C:\WINNT\system32\pttryjxd.exe
C:\WINNT\system32\vodw.exe
C:\WINNT\system32\wvtreiro.exe
C:\WINNT\system32\xzpu.exe

Save or print these instructions:

1 - Copy the text you saved in Notepad. Run KillBox and check Delete on Reboot; in the File menu click Paste from Clipboard. Then click the All Files button. Click the button. Answer Yes to the question. When the PC restarts, press F8 repeatedly. In the menu choose: Safe Mode.

2 - Run a scan with HijackThis, check whichever of the entries below it still finds, and click
O4 - HKLM\..\Run: [Windows Service Agccnt] sysinfo.exe
O4 - HKLM\..\Run: [systemms] C:\WINNT\system32\systemms.exe
O4 - HKLM\..\Run: [Microsoft AntiVirus Update Engine] taskmgrs.exe
O4 - HKLM\..\Run: [Windows LoL Layer] gcol.exe
O4 - HKLM\..\RunServices: [Windows Service Agccnt] sysinfo.exe
O4 - HKLM\..\RunServices: [Microsoft AntiVirus Update Engine] taskmgrs.exe
O4 - HKLM\..\RunServices: [Windows LoL Layer] gcol.exe
O4 - HKCU\..\Run: [Windows Service Agccnt] sysinfo.exe
O4 - HKCU\..\Run: [Microsoft AntiVirus Update Engine] taskmgrs.exe
O4 - HKCU\..\Run: [Windows LoL Layer] gcol.exe

3 - Go to Start > Run, type services.msc and click OK. Find the service ddd5fsk5vheca, right-click it and then click Properties. Set the Startup type to Disabled. Do the same for this one: Remote History Services

4 - Open HijackThis, click the Open the Misc Tools section button and then Delete an NT service. Enter this: ddd5fsk5vheca and click OK. Do not restart the PC. Now enter: Remote History Services and click OK. Do not restart the PC.

5 - Run EliTriip and wait for the scan to finish. At the end a log is generated, which you will find at C:\infoSat.txt

6 - Restart in normal mode and check whether this file exists in the dllcache folder: wins.exe
C:\WINNT\system32\dllcache <<< in this folder
It is a legitimate file and I only want to know whether you have it in this folder, for a possible replacement, because the malware may have infected the legitimate one in the System32 directory.

7 - Go to http://virusscan.jotti.org/ On the site, paste this line into the Browse box:
C:\WINNT\system32\wins.exe
Click Submit, wait for the analysis result to appear and save it. Do the same with these (one at a time):
C:\WINNT\system32\dllcache\mlqm.exe
C:\WINNT\system32\drivers\rndismpk.sys
C:\WINNT\system32\drivers\usb8023k.sys

8 - See whether you can now run HijackThis in normal mode (if not, run it in safe mode) and save the log.

Post:
infoSat.txt
the HijackThis log
the results of the Jotti analyses
whether you found wins.exe in dllcache.
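The reading Sam Spade applied to the logs above (typo-squatted system binaries such as svshost.exe, executables registered without a path, RunServices values, services whose binary is already gone, a service running out of dllcache, random service names with no vendor) can be written down as a script. The block below is an added example, not HijackThis's own logic and not code from this thread. The sample lines are copied from the logs posted above; the scoring rules, the list of known system binaries and the edit-distance threshold are assumptions chosen for this example.

```python
"""Triage of HijackThis 1.99 O4 (autostart) and O23 (service) lines.

Added example: the heuristics here are this example's own, not HijackThis's.
"""
import re

# Legitimate Windows binaries that bots imitate by one or two characters
# (svshost.exe vs svchost.exe, taskmgrs.exe vs taskmgr.exe, smmss.exe vs smss.exe).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "explorer.exe", "taskmgr.exe", "ctfmon.exe", "msmsgs.exe",
    "spoolsv.exe", "userinit.exe", "rundll32.exe", "mobsync.exe",
}
IMPERSONATION_WORDS = ("microsoft", "windows", "service pack", "antivirus", "update")
VOWELS = set("aeiou")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# First executable on the command line, quoted or not.
BINARY_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|sys|dll))\b', re.IGNORECASE)

# Constructed sample: a subset of the O4/O23 lines from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [Windows Service Agccnt] sysinfo.exe
O4 - HKLM\..\Run: [Microsoft AntiVirus Update Engine] taskmgrs.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O23 - Service: ddd5fsk5vheca - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Remote History Services - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
"""


def levenshtein(a, b):
    """Plain edit distance; used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_entry(line):
    m = O4_RE.match(line)
    if m:
        _hive, key, name, cmd = m.groups()
        return {"kind": "O4", "key": key, "name": name.strip(), "owner": None, "cmd": cmd}
    m = O23_RE.match(line)
    if m:
        name, owner, cmd = m.groups()
        return {"kind": "O23", "key": None, "name": name.strip(), "owner": owner, "cmd": cmd}
    return None


def binary_of(cmd):
    m = BINARY_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip().split(" ")[0]


def signals(e):
    out = []
    binary = binary_of(e["cmd"])
    base = binary.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if "(file missing)" in e["cmd"]:
        out.append("file missing: registration left behind, binary already gone")
    if binary and "\\" not in binary and base not in KNOWN_SYSTEM_BINARIES:
        out.append("path-less executable (resolved through PATH search)")
    if base not in KNOWN_SYSTEM_BINARIES:
        for legit in sorted(KNOWN_SYSTEM_BINARIES):
            if levenshtein(base, legit) <= 2:
                out.append(f"lookalike of {legit}")
                break
    if "\\dllcache\\" in binary.lower():
        out.append("binary runs from dllcache (a file-protection cache, not a program location)")
    if e["kind"] == "O4":
        if e["key"] == "RunServices":
            out.append("RunServices key (honoured only by Windows 9x/ME; written by old bot installers)")
        if any(w in e["name"].lower() for w in IMPERSONATION_WORDS):
            out.append("value name impersonates a Windows/antivirus component")
    else:
        n = e["name"].replace(" ", "").lower()
        if (len(n) >= 8 and n.isalnum() and any(c.isdigit() for c in n)
                and any(c.isalpha() for c in n) and sum(c in VOWELS for c in n) / len(n) < 0.4):
            out.append("random-looking service name")
        if e["owner"].lower() == "unknown owner" and out:
            out.append("no vendor string")
    return out


def triage(log_text):
    """Return [(kind, name, [signals])] for entries with at least one signal."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if entry:
            found = signals(entry)
            if found:
                findings.append((entry["kind"], entry["name"], found))
    return findings


def flagged_names(log_text):
    return {name for _, name, _ in triage(log_text)}


if __name__ == "__main__":
    for kind, name, found in triage(SAMPLE_LOG):
        print(f"{kind} [{name}]")
        for s in found:
            print("   -", s)
```

Note what the name rules cannot do: the [internets] entry points at C:\WINNT\system32\Wins.exe, a real system path with a real system file name, and it passes every check here. That is exactly why the thread goes on to hash the file and submit it to a multi-engine scanner; name and path heuristics find the sloppy droppers, and the replaced legitimate binary only shows up by content.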
tamires, posted August 21, 2007
Hi, I can't get EliTriip to run. But I think it's a problem with the tool itself; it says Windows couldn't run it and closes. Could the file I used be wrong? I downloaded it three times and nothing... Is there somewhere else I can get it? Awaiting a reply, thanks for the support, tamires
PS: since I couldn't run EliTriip, will I have to redo the steps up to that point?
Sam Spade, posted August 26, 2007
Hi, sorry for the delay, I've been short on time. Then follow the other instructions, without EliTriip.
tamires, posted September 3, 2007
I managed to run EliTriip as well. Here are the logs:

1st HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 00:04:22, on 2/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\TNT\TNT.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com
O4 - HKLM\..\Run: [Service PAck 2] ltx1.exe
O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe
O4 - HKLM\..\Run: [Windows Service Agent] aolo.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] n3wt.exe
O4 - HKLM\..\Run: [Windows LoL Layer] gnhd.exe
O4 - HKLM\..\Run: [sxpzoolkxd] C:\WINNT\system32\onefanm\f1ght.exe C:\WINNT\system32\onefanm\dirote.exe
O4 - HKLM\..\Run: [ssms.exe] C:\WINNT\system32\win.exe
O4 - HKLM\..\Run: [mmsass] msv.exe
O4 - HKLM\..\Run: [johnj3155] C:\WINNT\system32\srvcc.exe
O4 - HKLM\..\RunServices: [Internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [Service PAck 2] ltx1.exe
O4 - HKLM\..\RunServices: [Windows Service Agent] aolo.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] n3wt.exe
O4 - HKLM\..\RunServices: [Windows LoL Layer] gnhd.exe
O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe
O4 - HKLM\..\RunServices: [mmsass] msv.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Service PAck 2] ltx1.exe
O4 - HKCU\..\Run: [Windows Service Agent] aolo.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] n3wt.exe
O4 - HKCU\..\Run: [Windows LoL Layer] gnhd.exe
O4 - HKCU\..\Run: [johnj3155] C:\WINNT\system32\srvcc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)
O23 - Service: cwa9iok0grrdt - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exe
O23 - Service: opj8lnt0biiru - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: p4hrk6hksaw - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: r0d au7iridy - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

infoSat.txt

Sun Sep 02 00:10:40 2007
EliTriIP v3.78 (c)2007 S.G.H. / Satinfo S.L.
---------------------------------------------
List of actions (by direct action):

(Run and RunServices value "INTERNETS")
Please send us a sample of the file
C:\WINNT\system32\Wins.exe
to "virus@satinfo.es". Thank you.

(Run and RunServices value "SERVICE PACK 2")
Please send us a sample of the file
C:\WINNT\SYSTEM32\ltx1.exe
to "virus@satinfo.es". Thank you.

(Run and RunServices value "WINDOWS SERVICE AGENT")
Please send us a sample of the file
C:\WINNT\SYSTEM32\aolo.exe
to "virus@satinfo.es". Thank you.

(Run and RunServices value "MICROSOFT WINDOWS UPDATE")
Please send us a sample of the file
C:\WINNT\SYSTEM32\n3wt.exe
to "virus@satinfo.es". Thank you.

(Run and RunServices value "WINDOWS LOL LAYER")
Please send us a sample of the file
C:\WINNT\SYSTEM32\gnhd.exe
to "virus@satinfo.es". Thank you.

(Run and RunServices value "SSMS.EXE")
Please send us a sample of the file
C:\WINNT\system32\win.exe
to "virus@satinfo.es". Thank you.

(Run and RunServices value "MMSASS")
Please send us a sample of the file
C:\WINNT\SYSTEM32\msv.exe
to "virus@satinfo.es". Thank you.

Please send us a sample of the file
C:\Muestras\SVSHOST.EXE.Muestra EliTriIP v3.78
to "virus@satinfo.es". Thank you.
C:\WINNT\SYSTEM32\SVSHOST.EXE --> Deleted

Please send us a sample of the file
C:\Muestras\WUPDATE.EXE.Muestra EliTriIP v3.78
to "virus@satinfo.es". Thank you.
C:\WINNT\SYSTEM32\WUPDATE.EXE --> Deleted
C:\WINNT\SYSTEM32\SVKP.SYS --> Deleted
C:\WINNT\SYSTEM32\I --> Deleted

Entry deleted [HKCU\...\Run] "Microsoft Windows Update"="n3wt.exe"
Entry deleted [HKLM\...\Run] "Microsoft Windows Update"="n3wt.exe"
Entry deleted [HKLM\...\RunServices] "Microsoft Windows Update"="n3wt.exe"
Entry deleted [HKCU\...\Run] "Windows LoL Layer"="gnhd.exe"
Entry deleted [HKLM\...\Run] "Windows LoL Layer"="gnhd.exe"
Entry deleted [HKLM\...\RunServices] "Windows LoL Layer"="gnhd.exe"

Microsoft patch MS04-011 not detected as installed. (LSASS)
Microsoft patch MS04-012 not detected as installed. (RPC)
Microsoft patch MS06-001 not detected as installed. (WMF)
Microsoft patch MS06-070 not detected as installed. (SServidor)
ALERT. WindowsUpdate incomplete.

Sun Sep 02 00:11:35 2007
EliTriIP v3.78 (c)2007 S.G.H. / Satinfo S.L.
---------------------------------------------
List of actions (by scan):

Scanning drive C:\
C:\WINNT\system32\dirote.exe --> Deleted, RemAdm-ProcLaunch
C:\WINNT\system32\fvist.com --> Deleted, RemAdm-ProcLaunch
C:\WINNT\system32\helpersrvcc.exe --> Deleted, SdBot.worm.gen
C:\WINNT\system32\onefanm\dirote.exe --> Deleted, RemAdm-ProcLaunch

I didn't find wins.exe in the C:\WINNT\system32\dllcache folder.

The Jotti analyses:

C:\WINNT\system32\wins.exe
Service load: (showed yellow, looked about 60% full)
File: wins.exe_
Status: INFECTED/MALWARE
MD5: e9f2651ad1f4d3aeb468a2801fec3664
Packers detected: -
Bit9 reports: Not analyzed yet
Scan taken on 02 Sep 2007 13:50:39 (GMT)
A-Squared: Found nothing
AntiVir: Found BDS/Rizo.A.39
ArcaVir: Found Trojan.Rizo.A
Avast: Found Win32:Rizo-E
AVG Antivirus: Found BackDoor.Generic6.HWL
BitDefender: Found Backdoor.Rizo.A
ClamAV: Found Trojan.Small-1875
CPsecure: Found BackDoor.W32.Rizo.A
Dr.Web: Found Trojan.Inject.251
F-Prot Antivirus: Found W32/Backdoor.AOIS
F-Secure Anti-Virus: Found Packed.Win32.CPEX-based.f
Fortinet: Found W32/Rizo.A!tr.bdr
Kaspersky Anti-Virus: Found Packed.Win32.CPEX-based.f
NOD32: Found Win32/TrojanDropper.Rime.Gen
Norman Virus Control: Found W32/Spybot.BOOK
Panda Antivirus: Found Generic
Rising Antivirus: Found Trojan.Win32.Crypt.exf
Sophos Antivirus: Found Troj/QHost-B
VirusBuster: Found nothing
VBA32: Found Trojan-PSW.Win32.OnLineGames.bs

C:\WINNT\system32\dllcache\mlqm.exe
Service load: (red, nearly 100%)
File: mlqm.exe
Status: INFECTED/MALWARE
MD5: b552d92ded35704e243f6961bd854966
Packers detected: -
Bit9 reports: Not analyzed yet
Scan taken on 02 Sep 2007 14:08:48 (GMT)
A-Squared: Found nothing
AntiVir: Found BDS/Vanebot.B
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found Generic_c.BOJ
BitDefender: Found Backdoor.Vanebot.B
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found Win32.HLLW.SpyBot.88
F-Prot Antivirus: Found W32/Backdoor.BLQX
F-Secure Anti-Virus: Found Backdoor.Win32.VanBot.dn
Fortinet: Found W32/SpyBot!worm
Kaspersky Anti-Virus: Found Backdoor.Win32.VanBot.dn
NOD32: Found Win32/IRCBot.YE
Norman Virus Control: Found nothing
Panda Antivirus: Found W32/Spybot.AIE.worm
Rising Antivirus: Found Worm.P2p.Win32.SpyBot.dbb
Sophos Antivirus: Found W32/Vanebot-AR
VirusBuster: Found Backdoor.Vanbot.EM
VBA32: Found Win32.HLLW.SpyBot.88

C:\WINNT\system32\drivers\rndismpk.sys
Service load: (red, nearly 100%)
File: rndismpk.sys
Status: OK
MD5: af79f98e2a9720995badd93cca1d4e01
Packers detected: -
Bit9 reports: No threat detected
Scan taken on 02 Sep 2007 14:12:49 (GMT)
All 20 engines (A-Squared, AntiVir, ArcaVir, Avast, AVG Antivirus, BitDefender, ClamAV, CPsecure, Dr.Web, F-Prot Antivirus, F-Secure Anti-Virus, Fortinet, Kaspersky Anti-Virus, NOD32, Norman Virus Control, Panda Antivirus, Rising Antivirus, Sophos Antivirus, VirusBuster, VBA32): Found nothing

C:\WINNT\system32\drivers\usb8023k.sys
Service load: (red, nearly 100%)
File: usb8023k.sys
Status: OK
MD5: f39039d5c96c1d3ac2a637a659dbf282
Packers detected: -
Bit9 reports: No threat detected
Scan taken on 02 Sep 2007 14:18:07 (GMT)
All 20 engines (the same list as above): Found nothing

2nd HijackThis log (I couldn't run it in normal mode)

Logfile of HijackThis v1.99.1
Scan saved at 00:50:02, on 2/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\TNT\TNT.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com
O4 - HKLM\..\Run: [Service PAck 2] ltx1.exe
O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe
O4 - HKLM\..\Run: [Windows Service Agent] aolo.exe
O4 - HKLM\..\Run: [sxpzoolkxd] C:\WINNT\system32\onefanm\f1ght.exe C:\WINNT\system32\onefanm\dirote.exe
O4 - HKLM\..\Run: [ssms.exe] C:\WINNT\system32\win.exe
O4 - HKLM\..\Run: [mmsass] msv.exe
O4 - HKLM\..\Run: [johnj3155] C:\WINNT\system32\srvcc.exe
O4 - HKLM\..\RunServices: [Internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [Service PAck 2] ltx1.exe
O4 - HKLM\..\RunServices: [Windows Service Agent] aolo.exe
O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe
O4 - HKLM\..\RunServices: [mmsass] msv.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Service PAck 2] ltx1.exe
O4 - HKCU\..\Run: [Windows Service Agent] aolo.exe
O4 - HKCU\..\Run: [johnj3155] C:\WINNT\system32\srvcc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)
O23 - Service: cwa9iok0grrdt - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exe
O23 - Service: opj8lnt0biiru - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: p4hrk6hksaw - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: r0d au7iridy - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

That's it... sorry for the delay in replying as well... I'm in a rush here too! I still had to post from work again... when I try to open this topic at home, the page closes. Thanks for the help. Regards
Sam Spade, posted September 6, 2007
OK, download ComboFix. Double-click combofix.exe and press "Y" to proceed with the fix. It takes about 10 minutes on average. ComboFix will restart the PC automatically to complete the removal process. When it finishes, a log is generated at C:\ComboFix.txt.
IMPORTANT: Do not use the mouse or keyboard while ComboFix is running. To stop or exit ComboFix, press "N".
Select and copy the contents of ComboFix.txt and paste it into your reply, together with a new HijackThis log, preferably generated in normal mode if you can.
tamires, posted September 10, 2007
ComboFix

ComboFix 07-09-09.5 - "Tamires" 10/09/2007 1:19:30.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1046.18.39 [GMT -3:00]
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\win.exe

((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))))
.

2007-09-02 03:25 69,743 --a------ C:\WINNT\system32\qjj.exe
2007-09-02 02:02 175 --a------ C:\WINNT\system32\pathname.dll
2007-09-02 02:02 111,104 --a------ C:\WINNT\system32\pathname.exe
2007-09-02 01:26 91,678 --a------ C:\WINNT\system32\yeahdoit.exe
2007-09-02 00:25 2,368 --a------ C:\WINNT\system32\SVKP.sys
2007-09-02 00:25 <DIR> d-------- C:\WINNT\system32\os2
2007-09-02 00:10 <DIR> d-------- C:\Muestras
2007-09-02 00:09 66,821 --a------ C:\WINNT\system32\eraseme_36615.exe
2007-09-02 00:09 <DIR> d-------- C:\WINNT\system32\jinas
2007-08-27 00:06 <DIR> d-------- C:\WINNT\system32\onefanm
2007-08-25 11:35 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_7c4.dat
2007-08-25 00:40 <DIR> d-------- C:\Arquivos de programas\fdgdfgdf
2007-08-25 00:10 222,720 --a------ C:\WINNT\system32\ltx1.exe
2007-08-21 02:03 66,821 --a------ C:\WINNT\system32\eraseme_56187.exe
2007-08-21 00:16 <DIR> d-------- C:\!KillBox
2007-08-17 01:17 65,397 --a------ C:\WINNT\system32\l4m3rxjpg.exe
2007-08-16 01:03 118,004 --a------ C:\WINNT\system32\asa.exe
2007-08-13 00:13 186 --a------ C:\WINNT\system32\systemms.dll
2007-08-12 03:20 <DIR> d--h----- C:\WINNT\PIF
2007-08-09 22:12 91,700 --a------ C:\WINNT\system32\last.exe

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

29/07/07 06:31 --------- d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Talkback
24/01/00 01:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
14/08/07 00:32 --------- d-------- C:\Arquivos de programas\MSN Messenger
12/08/07 05:01 --------- d-------- C:\Arquivos de programas\MessengerDiscovery
11/03/04 13:27 40960 --a------ C:\Arquivos de programas\Uninstall_CDS.exe
03/01/06 13:52 271 ---h----- C:\Arquivos de programas\desktop.ini
03/01/06 13:52 22040 ---h----- C:\Arquivos de programas\folder.htt
2003-06-19 15:05:04 283,136 --sh--r C:\WINNT\system32\bllz.exe
2003-06-19 15:05:04 283,136 --sh--r C:\WINNT\system32\gnhd.exe
1601-01-01 02:05:53 73,742 --sh--w C:\WINNT\system32\srvcc.exe
1601-01-01 03:08:47 66,821 --sh--r C:\WINNT\system32\svshost.exe
2003-06-19 15:05:04 204,310 --sh--r C:\WINNT\system32\Wins.exe
2003-06-19 15:05:04 222,720 --sh--r C:\WINNT\system32\xvla.exe
2001-01-01 03:29:40 507,904 -csh--r C:\WINNT\system32\dllcache\mlqm.exe

(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CountrySelection"="pctptt.exe" [05/01/00 12:41 C:\WINNT\system32\pctptt.exe]
"Synchronization Manager"="mobsync.exe" [19/06/03 12:05 C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [09/07/01 11:50 ]
"Internets"="C:\WINNT\system32\Wins.exe" [19/06/03 12:05 ]
"msngers"="C:\WINNT\system32\fvist.com" []
"Service PAck 2"="ltx1.exe" [25/08/07 00:11 C:\WINNT\system32\ltx1.exe]
"nassor"="C:\Arquivos de programas\ewrsadfs\ms04.exe" [08/10/06 23:50 ]
"Windows Service Agent"="aolo.exe" [01/01/01 00:07 C:\WINNT\system32\aolo.exe]
"sxpzoolkxd"="C:\WINNT\system32\onefanm\f1ght.exe" [01/06/07 00:13 ]
"ssms.exe"="C:\WINNT\system32\win.exe" []
"mmsass"="msv.exe" [01/01/01 00:13 C:\WINNT\system32\msv.exe]
"johnj3155"="C:\WINNT\system32\srvcc.exe" [01/01/01 00:00 ]
"pathname"="C:\WINNT\system32\pathname.exe" [02/09/07 02:02 ]
"SECRETSERVICE"="C:\WINNT\system32\jinas\jns.exe" [02/09/07 00:09 ]
"Service PAck SFVP"="xvla.exe" [19/06/03 12:05 C:\WINNT\system32\xvla.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe" [22/09/04 16:10 ]
"ctfmon.exe"="ctfmon.exe" [20/02/01 12:09 C:\WINNT\system32\CTFMON.EXE]
"Service PAck 2"="ltx1.exe" [25/08/07 00:11 C:\WINNT\system32\ltx1.exe]
"Windows Service Agent"="aolo.exe" [01/01/01 00:07 C:\WINNT\system32\aolo.exe]
"johnj3155"="C:\WINNT\system32\srvcc.exe" [01/01/01 00:00 ]
"Service PAck SFVP"="xvla.exe" [19/06/03 12:05 C:\WINNT\system32\xvla.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Internets"=C:\WINNT\system32\Wins.exe
"Service PAck 2"=ltx1.exe
"Windows Service Agent"=aolo.exe
"ssms.exe"=C:\WINNT\system32\win.exe
"mmsass"=msv.exe
"Service PAck SFVP"=xvla.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Windows Service Agent"=aolo.exe
"Windows Messenger"=msmsgrs.exe
"Windows Service Agccnt"=sysinfo.exe
"Microsoft AntiVirus Update Engine"=taskmgrs.exe
"Windows LoL Layer"=winlolx.exe
"Service PAck 2"=ltx1.exe
"Microsoft Windows Update"=n3wt.exe

C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\INICIA~1\
Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-05 05:18:22]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rdshost"= {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R2 cwa9iok0grrdt;cwa9iok0grrdt;"C:\WINNT\system32\svshost.exe"
R2 fhm2jdc5dyihg;fhm2jdc5dyihg;"C:\WINNT\system32\svshost.exe"
R2 Logitech QuickCam Manager;Logitech QuickCam Manager;"C:\WINNT\system32\dllcache\mlqm.exe"
R2 opj8lnt0biiru;opj8lnt0biiru;"C:\WINNT\system32\svshost.exe"
R2 p4hrk6hksaw;p4hrk6hksaw;"C:\WINNT\system32\svshost.exe"
R2 Pctspk;W2K PCtel speaker phone;C:\WINNT\system32\pctspk.exe
R2 r0d au7iridy;r0d au7iridy;"C:\WINNT\system32\svshost.exe"
R2 SVKP;SVKP;\??\C:\WINNT\system32\SVKP.sys
R2 wampapache;wampapache;"c:\wamp\apache2\bin\Apache.exe" -k runservice
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 SiSV6306;SiSV6306;C:\WINNT\system32\DRIVERS\SiS6306p.sys
R3 usbhub20;Suporte a hub raiz USB 2.0;C:\WINNT\system32\DRIVERS\usbhub20.sys
S3 C-Dilla;C-Dilla;\??\C:\WINNT\system32\drivers\CDANT.SYS
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld
S4 PHPGeekUtil;PHPGeekUtil;"c:\apache\APACHE.EXE" --ntservice

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 01:22:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
pathname = C:\WINNT\system32\pathname.exe???????????????????????????????????????????????????????????????? ??? ??????????????????????? ??? ? ????????????????????????? ?????H???????????????????????????????????????????????????????????????????????????????8???@????????????3Gx
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?????????????????????????n?w?????????? ?l?@?l?@?@???9g?w???????????????`l?@?l?@????????????????????wXg?w????d????g?wt????????g?w???????? ?????????????Hxt???0??????????????`Vn?w????????????????????????????l?@?l?@??????W?w????t?@?????8?@?l?@?l?@???-l???????????

scanning hidden files ...

**************************************************************************
.
Completion time: 10/09/2007 1:24:48
C:\ComboFix-quarantined-files.txt ... 10/09/07 01:24
.
--- E O F ---

It also generated a file with the list of quarantined files:

19/06/03 12:05 436736 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\win.exe.vir

Listagem de caminhos de pasta
O n£mero de s‚rie do volume ‚ 0006FE80 BCD0:86BE
C:\QOOBOX\QUARANTINE
+---C
|   +---ComboFix
|   \---WINNT
|       \---system32
|               win.exe.vir
\---Registry_backups

HijackThis (I fixed some entries I knew I could, like aolo, fvist, ltx1 and a few more; I lost the previous log, only this one is left :/)

Logfile of HijackThis v1.99.1
Scan saved at 01:52:46, on 10/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\fotos\fotos.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com
O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe
O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)
O23 - Service: cwa9iok0grrdt - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: fhm2jdc5dyihg - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: Logitech QuickCam Manager - Unknown owner - C:\WINNT\system32\dllcache\mlqm.exe
O23 - Service: opj8lnt0biiru - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: p4hrk6hksaw - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: r0d au7iridy - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

Lately they are invading MSN too :/ sending messages in English... sometimes the mouse stops working, and when I try to shut down the PC it says I don't have permission to shut down or restart.. :( I'm almost giving up hehe... thanks for the help, cheers
Sam Spade 2, posted September 15, 2007

OK, I'll split this into two posts and 2 stages, because the editor isn't accepting the instructions in a single post. But you must complete both stages without interruption. Save or print these instructions, since you will follow them disconnected and without access to this page:

STAGE 1

Delete the folder C:\Qoobox and delete the previous ComboFix log > C:\combofix.txt

1 - Select and copy the text inside the QUOTE. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

File::
C:\WINNT\system32\qjj.exe
C:\WINNT\system32\yeahdoit.exe
C:\WINNT\system32\eraseme_36615.exe
C:\WINNT\system32\last.exe
C:\WINNT\system32\systemms.dll
C:\WINNT\system32\asa.exe
C:\WINNT\system32\l4m3rxjpg.exe
C:\WINNT\system32\ltx1.exe
C:\WINNT\system32\eraseme_56187.exe
C:\WINNT\system32\bllz.exe
C:\WINNT\system32\gnhd.exe
C:\WINNT\system32\srvcc.exe
C:\WINNT\system32\svshost.exe
C:\WINNT\system32\Wins.exe
C:\WINNT\system32\xvla.exe
C:\WINNT\system32\dllcache\mlqm.exe
C:\WINNT\system32\fvist.com
C:\Arquivos de programas\ewrsadfs\ms04.exe
C:\WINNT\system32\win.exe
C:\Windows\System32\rdihost.dll
C:\WINNT\system32\aolo.exe
C:\WINNT\system32\onefanm\f1ght.exe
C:\WINNT\system32\msv.exe
C:\WINNT\system32\jinas\jns.exe
C:\WINNT\system32\sysinfo.exe
C:\WINNT\system32\msgmgrs.exe
C:\WINNT\system32\taskmgrs.exe
C:\WINNT\system32\winlolx.exe
C:\WINNT\system32\n3wt.exe

Folder::
C:\WINNT\system32\jinas
C:\WINNT\system32\onefanm

Driver::
cwa9iok0grrdt
fhm2jdc5dyihg
opj8lnt0biiru
p4hrk6hksaw
r0d au7iridy
Logitech QuickCam Manager

2 - Open the Control Panel. Go to Administrative Tools > Services. Find the service cwa9iok0grrdt. Click on it, and in the Action menu choose Stop and confirm. Repeat the procedure and also stop the following services:

fhm2jdc5dyihg
Logitech QuickCam Manager
opj8lnt0biiru
p4hrk6hksaw
r0d au7iridy

Run HijackThis and click None of This, just Start the Program. In the bottom right corner, click Config. On the next screen, click Misc Tools, then Delete an NT Service. In the box that opens, enter the following name: cwa9iok0grrdt. Click OK but do not restart yet. Repeat the procedure with the names of all the services you stopped in the previous step, one at a time.

3 - Now drag CFScript.txt onto ComboFix as shown in the demonstration below. ComboFix will run and will restart the PC automatically to complete the removal process. IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running. When it finishes, a log will be generated at C:\ComboFix.txt.
Sam Spade 2, posted September 15, 2007

STAGE 2

Restart the PC and press F8 repeatedly. In the menu choose: Safe Mode.

Run a scan with HijackThis, check the entries below that you still find, and click on

O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com
O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe
O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe
O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)

Go into the SDFix folder that was installed on your computer and double-click the file RunThis.bat. Press Y so that the tool starts the removal process. When everything finishes, you will see a message telling you to press any key to continue. When you press any key, the computer will restart automatically. After restarting, the tool will run again and finish its work, and the word Finished will appear. Press any key. A window with the SDFix report will appear. A copy of the report will be in the SDFix folder with the name Report.txt.

Generate a new log with HijackThis.

Post:
ComboFix.txt
the HijackThis log
SDFix's Report.txt

Tell me whether you know what this folder is: fdgdfgdf
C:\Arquivos de programas\fdgdfgdf <<< here
tamires, posted September 17, 2007

I didn't find this service: fhm2jdc5dyihg, but I did everything else...

ComboFix log

ComboFix 07-09-09.5 - "Tamires" 16/09/2007 1:41:17.2 - NTFSx86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1046.18.90 [GMT -3:00]

FILE::
C:\WINNT\system32\qjj.exe
C:\WINNT\system32\yeahdoit.exe
C:\WINNT\system32\eraseme_36615.exe
C:\WINNT\system32\last.exe
C:\WINNT\system32\systemms.dll
C:\WINNT\system32\asa.exe
C:\WINNT\system32\l4m3rxjpg.exe
C:\WINNT\system32\ltx1.exe
C:\WINNT\system32\eraseme_56187.exe
C:\WINNT\system32\bllz.exe
C:\WINNT\system32\gnhd.exe
C:\WINNT\system32\srvcc.exe
C:\WINNT\system32\svshost.exe
C:\WINNT\system32\Wins.exe
C:\WINNT\system32\xvla.exe
C:\WINNT\system32\dllcache\mlqm.exe
C:\WINNT\system32\fvist.com
C:\Arquivos de programas\ewrsadfs\ms04.exe
C:\WINNT\system32\win.exe
C:\Windows\System32\rdihost.dll
C:\WINNT\system32\aolo.exe
C:\WINNT\system32\onefanm\f1ght.exe
C:\WINNT\system32\msv.exe
C:\WINNT\system32\jinas\jns.exe
C:\WINNT\system32\sysinfo.exe
C:\WINNT\system32\msgmgrs.exe
C:\WINNT\system32\taskmgrs.exe
C:\WINNT\system32\winlolx.exe
C:\WINNT\system32\n3wt.exe
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Arquivos de programas\ewrsadfs\ms04.exe
C:\WINNT\system32\bllz.exe
C:\WINNT\system32\dllcache\mlqm.exe
C:\WINNT\system32\gnhd.exe
C:\WINNT\system32\jinas
C:\WINNT\system32\jinas\111.reg
C:\WINNT\system32\jinas\114.reg
C:\WINNT\system32\jinas\140.reg
C:\WINNT\system32\jinas\146.reg
C:\WINNT\system32\jinas\237.reg
C:\WINNT\system32\jinas\266.reg
C:\WINNT\system32\jinas\272.reg
C:\WINNT\system32\jinas\305.reg
C:\WINNT\system32\jinas\316.reg
C:\WINNT\system32\jinas\352.reg
C:\WINNT\system32\jinas\353.reg
C:\WINNT\system32\jinas\364.reg
C:\WINNT\system32\jinas\389.reg
C:\WINNT\system32\jinas\405.reg
C:\WINNT\system32\jinas\452.reg
C:\WINNT\system32\jinas\471.reg
C:\WINNT\system32\jinas\472.reg
C:\WINNT\system32\jinas\478.reg
C:\WINNT\system32\jinas\488.reg
C:\WINNT\system32\jinas\511.reg
C:\WINNT\system32\jinas\537.reg
C:\WINNT\system32\jinas\541.reg
C:\WINNT\system32\jinas\543.reg
C:\WINNT\system32\jinas\559.reg
C:\WINNT\system32\jinas\574.reg
C:\WINNT\system32\jinas\589.reg
C:\WINNT\system32\jinas\592.reg
C:\WINNT\system32\jinas\595.reg
C:\WINNT\system32\jinas\610.reg
C:\WINNT\system32\jinas\624.reg
C:\WINNT\system32\jinas\634.reg
C:\WINNT\system32\jinas\686.reg
C:\WINNT\system32\jinas\710.reg
C:\WINNT\system32\jinas\751.reg
C:\WINNT\system32\jinas\756.reg
C:\WINNT\system32\jinas\771.reg
C:\WINNT\system32\jinas\783.reg
C:\WINNT\system32\jinas\789.reg
C:\WINNT\system32\jinas\825.reg
C:\WINNT\system32\jinas\862.reg
C:\WINNT\system32\jinas\867.reg
C:\WINNT\system32\jinas\874.reg
C:\WINNT\system32\jinas\898.reg
C:\WINNT\system32\jinas\914.reg
C:\WINNT\system32\jinas\935.reg
C:\WINNT\system32\jinas\942.reg
C:\WINNT\system32\jinas\944.reg
C:\WINNT\system32\jinas\971.reg
C:\WINNT\system32\jinas\974.reg
C:\WINNT\system32\jinas\981.reg
C:\WINNT\system32\jinas\997.reg
C:\WINNT\system32\jinas\aliases.ini
C:\WINNT\system32\jinas\cute
C:\WINNT\system32\jinas\jenny
C:\WINNT\system32\jinas\jns.exe
C:\WINNT\system32\jinas\M!rc
C:\WINNT\system32\jinas\mirc.ini
C:\WINNT\system32\jinas\msg
C:\WINNT\system32\jinas\remote.ini
C:\WINNT\system32\jinas\script3
C:\WINNT\system32\jinas\servers.ini
C:\WINNT\system32\jinas\sexual
C:\WINNT\system32\jinas\systemac.dll
C:\WINNT\system32\msv.exe
C:\WINNT\system32\n3wt.exe
C:\WINNT\system32\onefanm
C:\WINNT\system32\onefanm\demo.xt
C:\WINNT\system32\onefanm\f1ght.exe
C:\WINNT\system32\onefanm\ger.exe
C:\WINNT\system32\onefanm\kfolder
C:\WINNT\system32\onefanm\redroses
C:\WINNT\system32\onefanm\rx
C:\WINNT\system32\onefanm\v1rgf
C:\WINNT\system32\onefanm\x.q
C:\WINNT\system32\onefanm\xsiger.bat
C:\WINNT\system32\srvcc.exe
C:\WINNT\system32\svshost.exe
C:\WINNT\system32\systemms.dll
C:\WINNT\system32\win.exe
C:\WINNT\system32\Wins.exe
C:\WINNT\system32\xvla.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CWA9IOK0GRRDT
-------\LEGACY_FHM2JDC5DYIHG
-------\LEGACY_LOGITECH_QUICKCAM_MANAGER
-------\LEGACY_OPJ8LNT0BIIRU
-------\LEGACY_P4HRK6HKSAW
-------\LEGACY_R0D_AU7IRIDY

((((((((((((((((((((((( Ficheiros criados de 2007-08-16 to 2007-09-16 ))))))))))))))))))))))))))))))))
.
2007-09-16 01:49 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_178.dat
2007-09-14 00:14 2,098 --a------ C:\WINNT\wolzwef.exe
2007-09-14 00:12 <DIR> d-------- C:\windows
2007-09-02 02:02 175 --a------ C:\WINNT\system32\pathname.dll
2007-09-02 02:02 111,104 --a------ C:\WINNT\system32\pathname.exe
2007-09-02 00:25 2,368 --a------ C:\WINNT\system32\SVKP.sys
2007-09-02 00:25 <DIR> d-------- C:\WINNT\system32\os2
2007-09-02 00:10 <DIR> d-------- C:\Muestras
2007-08-25 00:40 <DIR> d-------- C:\Arquivos de programas\fdgdfgdf
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
07-09-16 01:44 --------- d-------- C:\Arquivos de programas\ewrsadfs
07-08-14 00:32 --------- d-------- C:\Arquivos de programas\MSN Messenger
07-08-12 05:01 --------- d-------- C:\Arquivos de programas\MessengerDiscovery
07-08-09 01:47 88819 --a------ C:\WINNT\system32\kke.exe
07-08-09 01:36 685857 --a------ C:\WINNT\system32\beboz.exe
07-07-29 06:31 --------- d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Talkback
07-07-16 22:21 37716 --a------ C:\WINNT\system32\updetwinds.exe
07-06-17 00:11 51200 --a------ C:\WINNT\NirCmd.exe
06-01-03 13:52 271 ---h----- C:\Arquivos de programas\desktop.ini
06-01-03 13:52 22040 ---h----- C:\Arquivos de programas\folder.htt
04-03-11 13:27 40960 --a------ C:\Arquivos de programas\Uninstall_CDS.exe
00-01-24 01:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CountrySelection"="pctptt.exe" [00-01-05 12:41 C:\WINNT\system32\pctptt.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 ]
"Internets"="C:\WINNT\system32\Wins.exe" []
"msngers"="C:\WINNT\system32\fvist.com" []
"nassor"="C:\Arquivos de programas\ewrsadfs\ms04.exe" []
"syswin.txt"="win.exe" []
"Advanced DHTML Enable"="C:\windows\rdrive\hblPk.exe" [07-08-24 19:01 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe" [04-09-22 16:10 ]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 C:\WINNT\system32\CTFMON.EXE]
"syswin.txt"="win.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Internets"=C:\WINNT\system32\Wins.exe
"ssms.exe"=C:\WINNT\system32\win.exe
"syswin.txt"=win.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Windows Service Agent"=aolo.exe
"Windows Messenger"=msmsgrs.exe
"Windows Service Agccnt"=sysinfo.exe
"Microsoft AntiVirus Update Engine"=taskmgrs.exe
"Windows LoL Layer"=winlolx.exe
"Service PAck 2"=ltx1.exe
"Microsoft Windows Update"=n3wt.exe
"syswin.txt"=win.exe

C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\INICIA~1\
Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-05 05:18:22]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rdshost"= {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 usbhub20;Suporte a hub raiz USB 2.0;C:\WINNT\system32\DRIVERS\usbhub20.sys
S2 Microsoft Stats Services;Microsoft Stats Services;"C:\WINNT\system32\svshost.exe"
S2 Pctspk;W2K PCtel speaker phone;C:\WINNT\system32\pctspk.exe
S2 Remote Security Manager;Remote Security Manager;"C:\WINNT\system32\svshost.exe"
S2 SVKP;SVKP;\??\C:\WINNT\system32\SVKP.sys
S2 wampapache;wampapache;"c:\wamp\apache2\bin\Apache.exe" -k runservice
S3 C-Dilla;C-Dilla;\??\C:\WINNT\system32\drivers\CDANT.SYS
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys
S3 SiSV6306;SiSV6306;C:\WINNT\system32\DRIVERS\SiS6306p.sys
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld
S4 PHPGeekUtil;PHPGeekUtil;"c:\apache\APACHE.EXE" --ntservice
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-16 01:49:22
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?????????????????????????n?w?????????? ?l?@?l?@?@???9g?w???????????????`l?@?l?@????????????????????wXg?w????d????g?wt????????g?w???????? ?????????????Hxt???0??????????????`Vn?w????????????????????????????l?@?l?@??????W?w????t?@?????8?@?l?@?l?@???-l???????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-16 1:51:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-09-16 01:50
.
--- E O F ---

combofix - quarantine files

01-01-01 00:00 270 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\rx.vir
01-01-01 00:00 73742 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\srvcc.exe.vir
01-01-01 00:02 379316 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\win.exe.vir
01-01-01 00:03 186 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\systemms.dll.vir
01-01-01 00:05 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\592.reg.vir
01-01-01 00:05 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\942.reg.vir
01-01-01 00:06 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\914.reg.vir
01-01-01 00:07 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\610.reg.vir
01-01-01 00:08 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\867.reg.vir
01-01-01 00:08 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\981.reg.vir
01-01-01 00:08 66821 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\svshost.exe.vir
01-01-01 00:10 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\624.reg.vir
01-01-01 00:11 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\114.reg.vir
01-01-01 00:11 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\488.reg.vir
01-01-01 00:11 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\756.reg.vir
01-01-01 00:13 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\686.reg.vir
01-01-01 00:13 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\935.reg.vir
01-01-01 00:13 68266 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\msv.exe.vir
01-01-01 00:14 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\146.reg.vir
01-01-01 00:14 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\237.reg.vir
01-01-01 00:14 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\589.reg.vir
01-01-01 00:15 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\316.reg.vir
01-01-01 00:15 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\353.reg.vir
01-01-01 00:15 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\944.reg.vir
01-01-01 00:16 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\405.reg.vir
01-01-01 00:16 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\471.reg.vir
01-01-01 00:16 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\862.reg.vir
01-01-01 00:18 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\364.reg.vir
01-01-01 00:18 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\478.reg.vir
01-01-01 00:19 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\971.reg.vir
01-01-01 00:20 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\305.reg.vir
01-01-01 00:21 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\389.reg.vir
01-01-01 00:21 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\874.reg.vir
01-01-01 00:23 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\111.reg.vir
01-01-01 00:23 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\266.reg.vir
01-01-01 00:23 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\595.reg.vir
01-01-01 00:26 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\272.reg.vir
01-01-01 00:28 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\511.reg.vir
01-01-01 00:29 507904 --a--c--- C:\Qoobox\Quarantine\C\WINNT\system32\dllcache\mlqm.exe.vir
01-01-01 00:30 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\541.reg.vir
01-01-01 00:31 266 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\634.reg.vir
01-01-01 00:36 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\789.reg.vir
01-01-01 00:37 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\783.reg.vir
01-01-01 00:43 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\543.reg.vir
01-01-01 00:45 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\352.reg.vir
01-01-01 00:48 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\559.reg.vir
01-01-01 00:50 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\898.reg.vir
01-01-01 00:53 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\537.reg.vir
01-01-01 00:55 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\710.reg.vir
01-01-01 01:00 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\974.reg.vir
01-01-01 01:03 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\574.reg.vir
01-01-01 01:05 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\825.reg.vir
01-01-01 01:12 514208 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\n3wt.exe.vir
01-01-01 06:33 0 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\xsiger.bat.vir
02-08-27 18:03 29184 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\systemac.dll.vir
03-06-19 12:05 204310 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\Wins.exe.vir
03-06-19 12:05 222720 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\xvla.exe.vir
03-06-19 12:05 283136 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\bllz.exe.vir
03-06-19 12:05 283136 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\gnhd.exe.vir
05-06-19 13:41 22493 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\sexual.vir
05-06-21 13:42 844 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\aliases.ini.vir
06-04-18 00:44 204 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\script3.vir
06-09-14 00:44 42 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\servers.ini.vir
06-10-08 23:50 3104 --a------ C:\Qoobox\Quarantine\C\Arquivos de programas\ewrsadfs\ms04.exe.vir
07-04-27 19:17 128617 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\cute.vir
07-06-01 00:13 17408 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\f1ght.exe.vir
07-06-01 00:13 49107 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\ger.exe.vir
07-06-01 00:13 75344 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\demo.xt.vir
07-06-01 00:14 2185 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\v1rgf.vir
07-06-01 00:30 1667 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\x.q.vir
07-06-01 00:37 24196 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\kfolder.vir
07-07-08 21:23 15399 --a------ C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
07-08-29 15:11 155 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\remote.ini.vir
07-08-29 15:11 992 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\msg.vir
07-08-29 15:29 1364 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\M!rc.vir
07-09-02 00:09 1771008 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\jns.exe.vir
07-09-02 01:05 2648 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\onefanm\redroses.vir
07-09-02 02:06 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\140.reg.vir
07-09-02 02:06 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\452.reg.vir
07-09-02 02:06 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\472.reg.vir
07-09-03 02:03 65 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\jenny.vir
07-09-10 01:37 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\751.reg.vir
07-09-10 01:37 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\771.reg.vir
07-09-10 01:37 133 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\997.reg.vir
07-09-10 01:37 3105 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\jinas\mirc.ini.vir
07-09-16 01:43 830 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_P4HRK6HKSAW.reg.cf
07-09-16 01:43 838 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_R0D_AU7IRIDY.reg.cf
07-09-16 01:43 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_CWA9IOK0GRRDT.reg.cf
07-09-16 01:43 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_FHM2JDC5DYIHG.reg.cf
07-09-16 01:43 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_OPJ8LNT0BIIRU.reg.cf
07-09-16 01:43 942 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_LOGITECH_QUICKCAM_MANAGER.reg.cf

Listagem de caminhos de pasta
O n£mero de s‚rie do volume ‚ 0006FE80 BCD0:86BE
C:\QOOBOX\QUARANTINE
+---C
|   +---Arquivos de programas
|   |   \---ewrsadfs
|   |           ms04.exe.vir
|   |
|   +---ComboFix
|   |       FProps.vbs.vir
|   |
|   \---WINNT
|       \---system32
|           |   bllz.exe.vir
|           |   gnhd.exe.vir
|           |   msv.exe.vir
|           |   n3wt.exe.vir
|           |   srvcc.exe.vir
|           |   svshost.exe.vir
|           |   systemms.dll.vir
|           |   win.exe.vir
|           |   Wins.exe.vir
|           |   xvla.exe.vir
|           |
|           +---dllcache
|           |       mlqm.exe.vir
|           |
|           +---jinas
|           |       111.reg.vir
|           |       114.reg.vir
|           |       140.reg.vir
|           |       146.reg.vir
|           |       237.reg.vir
|           |       266.reg.vir
|           |       272.reg.vir
|           |       305.reg.vir
|           |       316.reg.vir
|           |       352.reg.vir
|           |       353.reg.vir
|           |       364.reg.vir
|           |       389.reg.vir
|           |       405.reg.vir
|           |       452.reg.vir
|           |       471.reg.vir
|           |       472.reg.vir
|           |       478.reg.vir
|           |       488.reg.vir
|           |       511.reg.vir
|           |       537.reg.vir
|           |       541.reg.vir
|           |       543.reg.vir
|           |       559.reg.vir
|           |       574.reg.vir
|           |       589.reg.vir
|           |       592.reg.vir
|           |       595.reg.vir
|           |       610.reg.vir
|           |       624.reg.vir
|           |       634.reg.vir
|           |       686.reg.vir
|           |       710.reg.vir
|           |       751.reg.vir
|           |       756.reg.vir
|           |       771.reg.vir
|           |       783.reg.vir
|           |       789.reg.vir
|           |       825.reg.vir
|           |       862.reg.vir
|           |       867.reg.vir
|           |       874.reg.vir
|           |       898.reg.vir
|           |       914.reg.vir
|           |       935.reg.vir
|           |       942.reg.vir
|           |       944.reg.vir
|           |       971.reg.vir
|           |       974.reg.vir
|           |       981.reg.vir
|           |       997.reg.vir
|           |       aliases.ini.vir
|           |       cute.vir
|           |       jenny.vir
|           |       jns.exe.vir
|           |       M!rc.vir
|           |       mirc.ini.vir
|           |       msg.vir
|           |       remote.ini.vir
|           |       script3.vir
|           |       servers.ini.vir
|           |       sexual.vir
|           |       systemac.dll.vir
|           |
|           \---onefanm
|                   demo.xt.vir
|                   f1ght.exe.vir
|                   ger.exe.vir
|                   kfolder.vir
|                   redroses.vir
|                   rx.vir
|                   v1rgf.vir
|                   x.q.vir
|                   xsiger.bat.vir
|
\---Registry_backups
        LEGACY_CWA9IOK0GRRDT.reg.cf
        LEGACY_FHM2JDC5DYIHG.reg.cf
        LEGACY_LOGITECH_QUICKCAM_MANAGER.reg.cf
        LEGACY_OPJ8LNT0BIIRU.reg.cf
        LEGACY_P4HRK6HKSAW.reg.cf
        LEGACY_R0D_AU7IRIDY.reg.cf

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 01:52:53, on 16/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Notepad.exe
C:\tnt\tnt.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com
O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe
O4 - HKLM\..\Run: [syswin.txt] win.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\windows\rdrive\hblPk.exe
O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe
O4 - HKLM\..\RunServices: [syswin.txt] win.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [syswin.txt] win.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft Stats Services - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Remote Security Manager - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

SDFix

SDFix: Version 1.98
Run by Tamires on dom 16/09/2007 at 1:57
Microsoft Windows 2000 [VersÆo 5.00.2195]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:
C:\WINNT\system32\i - Deleted
C:\WINNT\system32\o - Deleted
C:\WINNT\system32\pathname.dll - Deleted
C:\WINNT\system32\pathname.exe - Deleted
C:\WINNT\system32\rdihost.dll - Deleted

Removing Temp Files...

ADS Check:
C:\WINNT
No streams found.
C:\WINNT\system32
No streams found.
C:\WINNT\system32\svchost.exe
No streams found.
C:\WINNT\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:
C:\WINNT\system32\drivers\rndismpk.sys
C:\WINNT\system32\drivers\usb8023k.sys

Finished

New HijackThis log (this time, after a long while, I managed to open it in normal mode, renamed to TNT)

Logfile of HijackThis v1.99.1
Scan saved at 02:28:31, on 16/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
c:\wamp\apache2\bin\Apache.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\ftp.exe
C:\wamp\apache2\bin\Apache.exe
C:\WINNT\system32\ctfmon.exe
C:\tnt\tnt.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [syswin.txt] win.exe
O4 - HKLM\..\RunServices: [syswin.txt] win.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [syswin.txt] win.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft Stats Services - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Remote Security Manager - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

Afterwards, I went to look at the Program Files folder; I didn't know what that folder was (fdgdfgdf) and deleted it. Besides that one, I deleted two or three more folders with weird names like that, plus other weird files on the computer... I noticed the CPU is no longer at 100% usage.
Sam Spade, posted September 19, 2007

OK, I'll do the same, splitting it into 2 posts and Stages. As last time, you must follow all of them without interruption. Save or print these instructions, since you will be following them offline and without access to this page:

STAGE 1

Delete the folder C:\Qoobox and delete the previous ComboFix log > C:\combofix.txt

1 - Select and copy the text inside the QUOTE. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

File::
C:\WINNT\wolzwef.exe
C:\WINNT\system32\svshost.exe
C:\WINNT\system32\pathname.dll
C:\WINNT\system32\pathname.exe
C:\WINNT\system32\kke.exe
C:\WINNT\system32\beboz.exe
C:\WINNT\system32\updetwinds.exe
C:\windows\rdrive\hblPk.exe

Folder::
C:\Arquivos de programas\fdgdfgdf
C:\Arquivos de programas\ewrsadfs

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internets"=-
"msngers"=-
"nassor"=-
"syswin.txt"=-
"Advanced DHTML Enable"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"=-
"syswin.txt"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Internets"=-
"ssms.exe"=-
"syswin.txt"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Service Agent"=-
"Windows Messenger"=-
"Windows Service Agccnt"=-
"Microsoft AntiVirus Update Engine"=-
"Windows LoL Layer"=-
"Service PAck 2"=-
"Microsoft Windows Update"=-
"syswin.txt"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rdshost"=-

Driver::
Microsoft Stats Services
Remote Security Manager

2 - Go to the Control Panel. Go to Administrative Tools > Services. Locate the service Microsoft Stats Services. Click on it, and in the Action menu choose Stop and confirm. Repeat the procedure and also stop the following service: Remote Security Manager

3 - Run HijackThis and click "None of the above, just start the program". In the lower right corner, click Config. On the next screen, click Misc Tools, then Delete an NT Service. In the box that opens, enter the following name: Microsoft Stats Services. Click OK but do not reboot yet. Repeat the procedure and now enter: Remote Security Manager. Click OK but do not reboot yet.

4 - Now drag CFScript.txt onto ComboFix as in the demonstration below. ComboFix will run and will reboot the PC automatically to complete the removal process. IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running. When it finishes, a log will be generated at C:\ComboFix.txt.
Sam Spade, posted September 19, 2007

STAGE 2

Reboot the PC and tap F8 repeatedly. In the menu choose: Safe Mode.

Run a scan with HijackThis, check the entries below that you still find, and click on

O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\Run: [msngers] C:\WINNT\system32\fvist.com
O4 - HKLM\..\Run: [nassor] C:\Arquivos de programas\ewrsadfs\ms04.exe
O4 - HKLM\..\Run: [syswin.txt] win.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\windows\rdrive\hblPk.exe
O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [ssms.exe] C:\WINNT\system32\win.exe
O4 - HKLM\..\RunServices: [syswin.txt] win.exe
O4 - HKCU\..\Run: [syswin.txt] win.exe
O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)

Go into the SDFix folder that was installed on your computer and double-click the file RunThis.bat.
Press Y so that the tool starts the removal process.
When everything finishes, you will see a message telling you to press any key to continue. When you press any key, the computer will reboot automatically.
After the reboot, the tool will run once more to finish its work, and the word Finished will appear. Press any key.
A window with the SDFix report will appear. A copy of the report will be in the SDFix folder under the name Report.txt.

Generate a new log with HijackThis.

Post:
ComboFix.txt
the HijackThis log
SDFix's Report.txt
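As an added example (not code from the thread, nor from HijackThis or ComboFix), here is a Python analyser for the kind of O4/O21/O23 lines posted above: it flags any command registered under several autostart locations at once (as win.exe is under HKLM Run, HKLM RunServices and HKCU Run in these logs), lists O21/O23 entries whose file is reported missing, and emits the Registry:: section of a CFScript.txt in the "name"=- form used in Sam Spade's instructions. The sample lines are constructed from the thread's logs; the registry paths are spelled as in that CFScript.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [syswin.txt] win.exe
O4 - HKLM\..\RunServices: [syswin.txt] win.exe
O4 - HKCU\..\Run: [syswin.txt] win.exe
O4 - HKLM\..\Run: [internets] C:\WINNT\system32\Wins.exe
O4 - HKLM\..\RunServices: [internets] C:\WINNT\system32\Wins.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O21 - SSODL: rdshost - {4BCC6DE8-4ECA-4628-A6A6-A793EA19306C} - rdihost.dll (file missing)
O23 - Service: Microsoft Stats Services - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
"""

# O4 lines look like:  O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O21/O23 lines whose backing file HijackThis could not find on disk
MISSING_RE = re.compile(r"^(?P<section>O2[13]) - \w+: (?P<name>.+?) - .*\(file missing\)$")

# Full registry paths behind the abbreviated hive\..\key notation, spelled as in the thread's CFScript.
REG_PATHS = {
    ("HKLM", "Run"): r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    ("HKLM", "RunServices"): r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices",
    ("HKCU", "Run"): r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

def parse_o4(log):
    """One dict per O4 registry autostart line; Global Startup .lnk lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["norm"] = d["cmd"].strip().strip('"').lower()  # quote- and case-insensitive grouping key
            entries.append(d)
    return entries

def multi_hive_commands(entries):
    """Commands registered under two or more hive\\key locations -> sorted list of those locations."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["norm"]].add(f'{e["hive"]}\\{e["key"]}')
    return {cmd: sorted(locs) for cmd, locs in seen.items() if len(locs) >= 2}

def missing_files(log):
    """(section, name) for every O21/O23 entry whose file is reported missing."""
    return [(m.group("section"), m.group("name"))
            for m in (MISSING_RE.match(l.strip()) for l in log.splitlines()) if m]

def cfscript_registry(entries, suspect_cmds):
    """Registry:: section of a CFScript.txt that deletes the flagged values ("name"=- syntax)."""
    by_key = defaultdict(set)
    for e in entries:
        path = REG_PATHS.get((e["hive"], e["key"]))
        if path and e["norm"] in suspect_cmds:
            by_key[path].add(e["name"])
    lines = ["Registry::"]
    for path in sorted(by_key):
        lines.append(f"[{path}]")
        lines.extend(f'"{n}"=-' for n in sorted(by_key[path]))
    return "\n".join(lines)

if __name__ == "__main__":
    ents = parse_o4(SAMPLE_LOG)
    for cmd, locs in multi_hive_commands(ents).items():
        print(f"{cmd}: registered in {', '.join(locs)}")
    for section, name in missing_files(SAMPLE_LOG):
        print(f"{section} {name}: backing file missing")
    print(cfscript_registry(ents, multi_hive_commands(ents)))
```

A value appearing in only one location (NBJ here) is not flagged, so the output is a starting point for the kind of manual review done in this thread, not a verdict.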
tamires, posted September 23, 2007

ComboFix 07-09-09.5 - "Tamires" 16/09/2007 0:09:01.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1046.18.44 [GMT -3:00]

FILE::
C:\WINNT\wolzwef.exe
C:\WINNT\system32\svshost.exe
C:\WINNT\system32\pathname.dll
C:\WINNT\system32\pathname.exe
C:\WINNT\system32\kke.exe
C:\WINNT\system32\beboz.exe
C:\WINNT\system32\updetwinds.exe
C:\windows\rdrive\hblPk.exe
.
((((((((((((((((((((((( Ficheiros criados de 2007-08-16 to 2007-09-16 ))))))))))))))))))))))))))))))))
.
2007-09-23 00:14 490,496 --a------ C:\WINNT\system32\ValueSoft.exe
2007-09-16 02:23 0 --a------ C:\WINNT\system32\pin.exe
2007-09-02 00:25 2,368 --a------ C:\WINNT\system32\SVKP.sys
2007-09-02 00:25 <DIR> d-------- C:\WINNT\system32\os2
2007-09-02 00:10 <DIR> d-------- C:\Muestras
2007-08-12 03:20 <DIR> d--h----- C:\WINNT\PIF
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
29/07/07 06:31 --------- d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Talkback
24/01/00 01:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
14/08/07 00:32 --------- d-------- C:\Arquivos de programas\MSN Messenger
12/08/07 05:01 --------- d-------- C:\Arquivos de programas\MessengerDiscovery
11/03/04 13:27 40960 --a------ C:\Arquivos de programas\Uninstall_CDS.exe
03/01/06 13:52 271 ---h----- C:\Arquivos de programas\desktop.ini
03/01/06 13:52 22040 ---h----- C:\Arquivos de programas\folder.htt
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pronto"="avvg.exe" [01/01/01 00:36 C:\WINNT\system32\avvg.exe]
"CountrySelection"="pctptt.exe" [05/01/00 12:41 C:\WINNT\system32\pctptt.exe]
"Synchronization Manager"="mobsync.exe" [19/06/03 12:05 C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [09/07/01 11:50 ]
"Windows Service Ag3nt"="ValueSoft.exe" [23/09/07 00:15 C:\WINNT\system32\ValueSoft.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe" [22/09/04 16:10 ]
"ctfmon.exe"="ctfmon.exe" [20/02/01 12:09 C:\WINNT\system32\CTFMON.EXE]
"Windows Service Ag3nt"="ValueSoft.exe" [23/09/07 00:15 C:\WINNT\system32\ValueSoft.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"pronto"=avvg.exe
"Windows Service Ag3nt"=ValueSoft.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Windows Service Ag3nt"=ValueSoft.exe

C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\INICIA~1\
Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-05 05:18:22]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 08:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R2 Pctspk;W2K PCtel speaker phone;C:\WINNT\system32\pctspk.exe
R2 SVKP;SVKP;\??\C:\WINNT\system32\SVKP.sys
R2 wampapache;wampapache;"c:\wamp\apache2\bin\Apache.exe" -k runservice
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 SiSV6306;SiSV6306;C:\WINNT\system32\DRIVERS\SiS6306p.sys
R3 usbhub20;Suporte a hub raiz USB 2.0;C:\WINNT\system32\DRIVERS\usbhub20.sys
S3 C-Dilla;C-Dilla;\??\C:\WINNT\system32\drivers\CDANT.SYS
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld
S4 PHPGeekUtil;PHPGeekUtil;"c:\apache\APACHE.EXE" --ntservice
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-16 00:11:46
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 16/09/2007 0:14:33
.
--- E O F ---

1st HijackThis log. I didn't find any of the entries mentioned.

Logfile of HijackThis v1.99.1
Scan saved at 00:23:42, on 16/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\tnt\tnt.exe

O4 - HKLM\..\Run: [pronto] avvg.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Service Ag3nt] ValueSoft.exe
O4 - HKLM\..\RunServices: [pronto] avvg.exe
O4 - HKLM\..\RunServices: [Windows Service Ag3nt] ValueSoft.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Windows Service Ag3nt] ValueSoft.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

2nd HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 00:43:09, on 16/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\MSTask.exe
c:\wamp\apache2\bin\Apache.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\wamp\apache2\bin\Apache.exe
C:\WINNT\system32\avvg.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\tnt\tnt.exe

O4 - HKLM\..\Run: [pronto] avvg.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Service Ag3nt] ValueSoft.exe
O4 - HKLM\..\RunServices: [pronto] avvg.exe
O4 - HKLM\..\RunServices: [Windows Service Ag3nt] ValueSoft.exe
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Windows Service Ag3nt] ValueSoft.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

=================================

SDFix: Version 1.98
Run by Tamires on dom 16/09/2007 at 0:28

Microsoft Windows 2000 [VersÆo 5.00.2195]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:
C:\WINNT\SYSTEM32\AOLO.EXE - Deleted
C:\WINNT\SYSTEM32\PIN.EXE - Deleted
C:\WINNT\system32\o - Deleted
C:\WINNT\system32\ValueSoft.exe - Deleted

Removing Temp Files...

ADS Check:
C:\WINNT
No streams found.
C:\WINNT\system32
No streams found.
C:\WINNT\system32\svchost.exe
No streams found.
C:\WINNT\system32\ntoskrnl.exe
No streams found.

Final Check:
Remaining Services:
------------------

Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:
C:\WINNT\system32\drivers\rndismpk.sys
C:\WINNT\system32\drivers\usb8023k.sys

Finished

Thanks, hugs
Sam Spade, posted September 27, 2007

Save or print these instructions, since you will be following them offline and without access to this page:

Delete the folder C:\Qoobox and delete the previous ComboFix log > C:\combofix.txt

Select and copy the text inside the QUOTE. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

File::
C:\WINNT\system32\avvg.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pronto"=-
"Windows Service Ag3nt"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Service Ag3nt"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"pronto"=-
"Windows Service Ag3nt"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Service Ag3nt"=-

Now drag CFScript.txt onto ComboFix as in the demonstration below. ComboFix will run and will reboot the PC automatically to complete the removal process. IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running. When it finishes, a log will be generated at C:\ComboFix.txt.

Reboot the PC and tap F8 repeatedly. In the menu choose: Safe Mode.

Go into the SDFix folder that was installed on your computer and double-click the file RunThis.bat.
Press Y so that the tool starts the removal process.
When everything finishes, you will see a message telling you to press any key to continue. When you press any key, the computer will reboot automatically.
After the reboot, the tool will run once more to finish its work, and the word Finished will appear. Press any key.
A window with the SDFix report will appear. Copy and paste this report into your reply. If you closed the window, a copy of the report will be in the SDFix folder under the name Report.txt.

Generate a new log with HijackThis.

Post:
ComboFix.txt
the HijackThis log
SDFix's Report.txt
Sam Spade, posted December 13, 2007

Topic archived

As the author did not reply for more than 20 days, the topic was archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of the area together with the link to this topic and explain the reason for reopening.