bomberman, posted November 24, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:53, on 23/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\a-squared Free\a2service.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O1 - Hosts: 89.149.243.45 banamex.com
O1 - Hosts: 89.149.243.45 www.boveda.banamex.com.mx
O1 - Hosts: 89.149.243.45 www.bancanetempresarial.banamex.com.mx
O1 - Hosts: 89.149.243.45 bancanetempresarial+banamex.com.mx
O1 - Hosts: 89.149.243.45 boveda.banamex+com.mx
O1 - Hosts: 89.149.243.45 www.banamex.com.mx
O1 - Hosts: 89.149.243.45 banamex.com.mx
O1 - Hosts: 59.149.243.45 www.banamex.com
O1 - Hosts: 89.149.243.45 banamex.com
O1 - Hosts: 89.149.243.45 www.boveda.banamex.com.mx
O1 - Hosts: 89.149.243.45 www.bancanetempresarial.banamex.com.mx
O1 - Hosts: 89.149.243.45 bancanetempresarial+banamex.com.mx
O1 - Hosts: 89.149.243.45 boveda.banamex+com.mx
O1 - Hosts: 89.149.243.45 www.banamex.com.mx
O1 - Hosts: 89.149.243.45 banamex.com.mx
O1 - Hosts: 59.149.243.45 www.banamex.com
O1 - Hosts: 89.149.243.45 www.hacktheworld.com
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [] C:\Windows\system32\sunwin32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.tvg.es/camweb/camera.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5C47E21-C3DB-436B-BB38-1DC28529B149}: NameServer = 212.85.153.18
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe

--
End of file - 7888 bytes
jgarcia, posted November 24, 2007

Hi bomberman,

Download ComboFix at: ComboFix

1) Temporarily disable your antivirus;
2) Double-click combofix.exe and press "1" to continue. The process takes about 10 minutes on average;
3) ComboFix will reboot the PC automatically so that the removal process can be completed (only if an infection is found);
4) When the scan finishes, a log will be generated at C:\ComboFix.txt;
5) Do not click on the ComboFix window or close it with the X while the tool is running, as that will mess up your desktop (it will turn completely white);
6) To stop or exit ComboFix, press "N";
7) Re-enable your antivirus;
8) I need you to paste the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

Cheers.
bomberman, posted November 28, 2007

ComboFix 07-11-19.4C - Usuario 2007-11-28 18:27:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.451 [GMT -2:00]
Executando de: C:\Documents and Settings\Usuario\Meus documentos\ComboFix.exe
 * Criado um novo ponto de restauro
.
ADS - system32: deleted 70570 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Usuario\Dados de aplicativos\FunWebProducts
C:\WINDOWS\.protected
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\drivers\system.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\zlbw.dll
.
((((((((((((((((((((((( Ficheiros criados de 2007-10-28 to 2007-11-28 ))))))))))))))))))))))))))))))))
.
2007-11-16 23:21 <DIR> d-------- C:\My Shared Folder
2007-11-09 11:15 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-11-09 11:11 <DIR> d-------- C:\Arquivos de programas\WinPcap
2007-11-09 11:11 <DIR> d-------- C:\Arquivos de programas\WC3Banlist
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 20:21 --------- d-----w C:\Arquivos de programas\eMule
2007-11-28 19:31 --------- d-----w C:\Arquivos de programas\Warcraft III
2007-11-09 20:07 --------- d-----w C:\Arquivos de programas\Windows Live Safety Center
2007-11-08 01:03 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-10-22 23:45 --------- d-----w C:\Arquivos de programas\Sports Interactive
2007-10-22 23:10 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\Sports Interactive
2007-10-22 23:02 --------- d-----w C:\Arquivos de programas\DAEMON Tools
2007-10-22 22:42 --------- d--h--w C:\Arquivos de programas\Zero G Registry
2007-10-22 22:42 --------- d--h--r C:\Documents and Settings\Usuario\Dados de aplicativos\SecuROM
2007-10-20 00:04 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\uTorrent
2007-10-05 03:04 2,836,992 ----a-w C:\WINDOWS\systemp.exe
2007-10-05 03:04 2,836,992 ----a-w C:\WINDOWS\system32systemSystem.exe
2007-10-03 12:55 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-10-03 02:00 --------- d-----w C:\Arquivos de programas\TuneUp Utilities 2007
2007-06-13 13:21 1,232,985 --sh--r C:\WINDOWS\system32\winloading.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 08:06]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:45 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-12-10 04:06 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:45 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-06-29 07:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^bsyys.scr]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\bsyys.scr
backup=C:\WINDOWS\pss\bsyys.scrCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-14 11:00 267064 --a------ C:\Arquivos de programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\symanteccsysconf]
C:\WINDOWS\system32\bsyys.scr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 IOPort;IOPort;\??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 p2pgasvc;Autenticação de grupo de rede ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Gerenciador de identidades ponto-a-ponto da Microsoft;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Configuração de rede ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Protocolo de resolução de nomes ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{038819e6-80ef-11dc-afb4-001195e17282}]
\Shell\AutoRun\command - E:\autorun.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
"2007-11-22 01:02:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
"2007-11-02 20:18:07 C:\WINDOWS\Tasks\Mantenimiento con 1 clic.job" - C:\Arquivos de programas\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-11-28 20:31:51 C:\WINDOWS\Tasks\star1.job" - c:\autoexec.bat
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 18:33:28
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2007-11-28 18:34:37 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:36:06, on 28/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\a-squared Free\a2service.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.tvg.es/camweb/camera.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5C47E21-C3DB-436B-BB38-1DC28529B149}: NameServer = 212.85.153.18
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe

--
End of file - 6679 bytes
jgarcia, posted November 28, 2007

Hi bomberman,

1. Download BankerFix.
2. Temporarily disable your antivirus.
3. Double-click bankerfix.exe. A message will appear saying it will be downloaded over the internet. Click Ok -> Ok. Press Enter and wait for the scan to finish.
4. When the scan is done, read the message on screen and press Enter again.
5. Re-enable your antivirus.
6. Come back with a new HijackThis log, together with the BankerFix relatorio.txt (it will be in C:\LinhaDefensiva\).
7. After posting your reply you can delete the LinhaDefensiva folder on C:.

Cheers.
bomberman, posted November 29, 2007

BankerFix 2.4 - Removedor de Bankers
Linha Defensiva - http://www.linhadefensiva.org
http://www.linhadefensiva.org/bankerfix/
Data: 29/11/2007 - 10:30
-------------------------------------------------------
Lista de Definição: 2007-11-27-1
=======================================================

Arquivo infectado detectado: C:\WINDOWS\kwx.exe
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\svchost
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\systemp.exe
Arquivo infectado removido com sucesso!

Killando arquivos em Help
-----------------------------------
Killing '*'

Removendo Arquivos em Help
-----------------------------------

----- Fim -------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:52, on 29/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\a-squared Free\a2service.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.tvg.es/camweb/camera.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5C47E21-C3DB-436B-BB38-1DC28529B149}: NameServer = 212.85.153.18
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe

--
End of file - 6697 bytes

Thanks for helping me out, cheers.
jgarcia, posted December 2, 2007

Hi bomberman,

Post a new ComboFix log so I can check whether the bad entries were completely removed.

Cheers.
bomberman, posted December 3, 2007

ComboFix 07-12-02.7 - Usuario 2007-12-03 15:10:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.467 [GMT -2:00]
Executando de: C:\Documents and Settings\Usuario\Meus documentos\ComboFix.exe
 * Criado um novo ponto de restauro
.
((((((((((((((((((((((( Ficheiros criados de 2007-11-03 to 2007-12-03 ))))))))))))))))))))))))))))))))
.
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\Usuario\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\Default User\Configurações locais
2007-11-16 23:21 . 2007-11-16 23:21 <DIR> d-------- C:\My Shared Folder
2007-11-09 11:15 . 2005-01-22 17:12 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-11-09 11:11 . 2007-11-09 11:11 <DIR> d-------- C:\Arquivos de programas\WinPcap
2007-11-09 11:11 . 2007-11-17 17:20 <DIR> d-------- C:\Arquivos de programas\WC3Banlist
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 16:49 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\uTorrent
2007-12-03 01:22 --------- d-----w C:\Arquivos de programas\Warcraft III
2007-11-28 20:21 --------- d-----w C:\Arquivos de programas\eMule
2007-11-09 20:07 --------- d-----w C:\Arquivos de programas\Windows Live Safety Center
2007-11-08 01:03 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-10-22 23:45 --------- d-----w C:\Arquivos de programas\Sports Interactive
2007-10-22 23:10 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\Sports Interactive
2007-10-22 23:02 --------- d-----w C:\Arquivos de programas\DAEMON Tools
2007-10-22 22:42 107,888 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-22 22:42 --------- d--h--w C:\Arquivos de programas\Zero G Registry
2007-10-22 22:42 --------- d--h--r C:\Documents and Settings\Usuario\Dados de aplicativos\SecuROM
2007-10-22 00:24 163,840 ----a-w C:\WINDOWS\system32\sunwin32.exe
2007-10-05 03:04 2,836,992 ----a-w C:\WINDOWS\system32systemSystem.exe
2007-10-03 12:55 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-10-03 02:00 --------- d-----w C:\Arquivos de programas\TuneUp Utilities 2007
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-06-13 13:21 1,232,985 --sh--r C:\WINDOWS\system32\winloading.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-28_18.33.58.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 18:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 05:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-28 20:32:08 212,606 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-03 13:50:14 212,607 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-03 13:50:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_238.dat
+ 2007-12-03 13:50:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_494.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 08:06]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:45 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-12-10 04:06 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:45 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-06-29 07:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^bsyys.scr]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\bsyys.scr
backup=C:\WINDOWS\pss\bsyys.scrCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-14 11:00 267064 --a------ C:\Arquivos de programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\symanteccsysconf]
C:\WINDOWS\system32\bsyys.scr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 IOPort;IOPort;\??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 p2pgasvc;Autenticação de grupo de rede ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Gerenciador de identidades ponto-a-ponto da Microsoft;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Configuração de rede ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Protocolo de resolução de nomes ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{038819e6-80ef-11dc-afb4-001195e17282}]
\Shell\AutoRun\command - E:\autorun.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
"2007-11-29 01:02:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
"2007-11-30 19:20:40 C:\WINDOWS\Tasks\Mantenimiento con 1 clic.job" - C:\Arquivos de programas\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-12-03 13:50:00 C:\WINDOWS\Tasks\star1.job" - c:\autoexec.bat
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 15:13:51
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2007-12-03 15:14:46
.
--- E O F ---

Many thanks.
jgarcia, posted December 5, 2007

Hi bomberman,

Let's go.

Step 1

Download Killbox at: Killbox

1. Run Killbox and click Delete on Reboot.
2. Copy the list below, in bold, to the clipboard. Select it all with the mouse --> go to the Edit menu in the browser bar --> click Copy.

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\bsyys.scr
C:\WINDOWS\system32\bsyys.scr
C:\WINDOWS\system32\sunwin32.exe
C:\WINDOWS\system32\winloading.exe
C:\WINDOWS\system32systemSystem.exe
C:\WINDOWS\pss\bsyys.scr

3. Go back to Killbox. Click File > Paste from clipboard. Click All Files.
4. Press "X". Answer "no" to the question.

Step 2

Restart in Normal Mode. Go to the folder C:\!Killbox and delete its contents.

Come back with new ComboFix and HijackThis logs.

Regards.
bomberman, posted December 10, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:27, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\a-squared Free\a2service.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.tvg.es/camweb/camera.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5C47E21-C3DB-436B-BB38-1DC28529B149}: NameServer = 212.85.153.18
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe

--
End of file - 6646 bytes

ComboFix 07-12-09.1 - Usuario 2007-12-10 10:35:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.494 [GMT -2:00]
Executando de: C:\Documents and Settings\Usuario\Meus documentos\Meus arquivos recebidos\ComboFix.exe
* Criado um novo ponto de restauro
.
((((((((((((((((((((((( Ficheiros criados de 2007-11-10 to 2007-12-10 ))))))))))))))))))))))))))))))))
.
2007-12-05 22:50 . 2007-12-05 22:50 <DIR> d-------- C:\Arquivos de programas\KAIZEN Games
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\Usuario\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\Default User\Configurações locais
2007-11-16 23:21 . 2007-11-16 23:21 <DIR> d-------- C:\My Shared Folder
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-09 01:25 --------- d-----w C:\Arquivos de programas\eMule
2007-12-07 16:24 --------- d-----w C:\Arquivos de programas\Warcraft III
2007-12-06 13:07 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\uTorrent
2007-12-04 17:40 --------- d-----w C:\Arquivos de programas\WC3Banlist
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-03 22:22 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\BSplayer Pro
2007-11-09 20:07 --------- d-----w C:\Arquivos de programas\Windows Live Safety Center
2007-11-09 13:11 --------- d-----w C:\Arquivos de programas\WinPcap
2007-11-08 01:03 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-10-22 23:45 --------- d-----w C:\Arquivos de programas\Sports Interactive
2007-10-22 23:10 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\Sports Interactive
2007-10-22 23:02 --------- d-----w C:\Arquivos de programas\DAEMON Tools
2007-10-22 22:42 107,888 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-22 22:42 --------- d--h--w C:\Arquivos de programas\Zero G Registry
2007-10-22 22:42 --------- d--h--r C:\Documents and Settings\Usuario\Dados de aplicativos\SecuROM
2007-10-03 12:55 139,264 ----a-w C:\WINDOWS\War3Unin.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-28_18.33.58.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 18:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-08 05:32:45 141,824 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-28 20:32:08 212,606 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-10 12:25:44 212,607 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-10 12:25:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_244.dat
+ 2007-12-10 12:25:44 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_378.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 11:00]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:45 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-12-10 04:06 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:45 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-06-29 07:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^bsyys.scr]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\bsyys.scr
backup=C:\WINDOWS\pss\bsyys.scrCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-14 11:00 267064 --a------ C:\Arquivos de programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\symanteccsysconf]
C:\WINDOWS\system32\bsyys.scr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 IOPort;IOPort;\??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 p2pgasvc;Autenticação de grupo de rede ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Gerenciador de identidades ponto-a-ponto da Microsoft;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Configuração de rede ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Protocolo de resolução de nomes ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 XDva031;XDva031;\??\C:\WINDOWS\system32\XDva031.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{038819e6-80ef-11dc-afb4-001195e17282}]
\Shell\AutoRun\command - E:\autorun.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
"2007-12-06 01:02:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
"2007-12-07 19:46:50 C:\WINDOWS\Tasks\Mantenimiento con 1 clic.job" - C:\Arquivos de programas\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-12-10 12:25:32 C:\WINDOWS\Tasks\star1.job" - c:\autoexec.bat
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\DOCUME~1\Usuario\CONFIG~1\Temp\krdnokjrIZ4EXU7.dll
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 10:38:56
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
Tempo para conclusão: 2007-12-10 10:39:47
.
--- E O F ---

Hey, thanks.
jgarcia, posted December 12, 2007

Hi bomberman,

The removal will have to be done by hand, then. Let's go.

Download CCleaner, but don't run it yet.

Restart the machine in Safe Mode.

Go to Start -> Run -> type regedit -> click OK.

Navigate to the following subkey:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder
Delete the following folder:
C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^bsyys.scr

Navigate to the following subkey:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg
Delete the following folder:
symanteccsysconf

Navigate to the following subkey:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2
Delete the following folder:
{038819e6-80ef-11dc-afb4-001195e17282}

Click Edit -> Find, enter bsyys.scr and click Find Next. When the entry is found, delete it. Repeat the step above until all entries containing bsyys.scr have been removed.

Exit the Registry Editor.

Restart the machine in Normal Mode.

Run CCleaner and click Run Cleaner.

Come back with a new ComboFix log.

Regards.
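The entries the helper singled out across the two ComboFix logs above (an executable in system32 carrying hidden and system attributes, a .scr file stashed under msconfig's startupfolder/startupreg keys, a drive AutoRun command under MountPoints2, a scheduled task that runs autoexec.bat, and a DLL loaded into explorer.exe from a Temp directory) can be pulled out of the log mechanically. The script below is an added example written for this page, not ComboFix's or the forum's code. SAMPLE_LOG is a constructed excerpt of lines copied from the logs posted above, and the section markers the parser keys on ("Pontos de Carregamento do Registro", "Tarefas Agendadas", "DLLs Loaded Under Running Processes") are the ones those logs use; the attribute-flag layout it assumes is the one visible in the listings.

```python
"""Triage of a ComboFix log for the indicators a malware-removal helper
reads off by eye.  Added example for this thread; not ComboFix's or the
forum's code.  SAMPLE_LOG is a constructed excerpt of lines from the logs
posted above, limited to the sections this parser understands."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
2007-10-22 00:24 163,840 ----a-w C:\WINDOWS\system32\sunwin32.exe
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-06-13 13:21 1,232,985 --sh--r C:\WINDOWS\system32\winloading.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 08:06]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^bsyys.scr]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\bsyys.scr
backup=C:\WINDOWS\pss\bsyys.scrCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-14 11:00 267064 --a------ C:\Arquivos de programas\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\symanteccsysconf]
C:\WINDOWS\system32\bsyys.scr
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{038819e6-80ef-11dc-afb4-001195e17282}]
\Shell\AutoRun\command - E:\autorun.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
"2007-11-29 01:02:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
"2007-12-03 13:50:00 C:\WINDOWS\Tasks\star1.job" - c:\autoexec.bat
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\DOCUME~1\Usuario\CONFIG~1\Temp\krdnokjrIZ4EXU7.dll
"""

EXEC_EXT = {".exe", ".scr", ".dll", ".sys", ".com", ".pif", ".bat", ".cmd"}
SCRIPT_EXT = {".scr", ".pif", ".com", ".bat", ".cmd"}

# Tail shared by the created-files, Find3M and snapshot listings:
# "<size or <DIR>> <attribute flags> <drive path>"
FILE_RE = re.compile(r"(?:<DIR>|[\d,]+)\s+([-a-zA-Z]{7,9})\s+([A-Za-z]:\\.*\S)\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
TASK_RE = re.compile(r'^"[\d: -]+\s+([A-Za-z]:\\[^"]+\.job)"\s+-\s+(.+)$')
LOADED_RE = re.compile(r"^->\s+(\S.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # log section that produced the finding
    path: str    # file or command the entry points at
    reason: str


def _ext(path):
    m = re.search(r"(\.[A-Za-z0-9]+)$", path.rstrip())
    return m.group(1).lower() if m else ""


def _in_temp(path):
    return "\\temp\\" in path.lower()


def triage(log_text):
    """Walk the log section by section and return the suspicious entries."""
    findings, section, key = [], "files", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if "Pontos de Carregamento do Registro" in line:
            section = "registry"
        elif "Tarefas Agendadas" in line:
            section = "tasks"
        elif "DLLs Loaded Under Running Processes" in line:
            section = "loaded"
        elif section == "files":
            m = FILE_RE.search(line)
            if not m or m.group(1).startswith("d") or _ext(m.group(2)) not in EXEC_EXT:
                continue
            attrs, path = m.groups()
            if "h" in attrs or "s" in attrs:   # hidden/system flags on a binary
                findings.append(Finding("file", path, f"executable with hidden/system attributes ({attrs})"))
            elif _in_temp(path):
                findings.append(Finding("file", path, "executable in a Temp directory"))
        elif section == "registry":
            km = REG_KEY_RE.match(line)
            if km:
                key = km.group(1).lower()
            elif "\\msconfig\\startup" in key and not line.startswith("backup="):
                # msconfig "disabled" stash: the item still exists and can be re-enabled
                target = line.split("=", 1)[1] if line.startswith("path=") else line
                if _ext(target) in SCRIPT_EXT:
                    findings.append(Finding("msconfig", target, "disabled startup item is a screensaver/script file"))
            elif "\\mountpoints2\\" in key and line.lower().startswith("\\shell\\autorun\\command"):
                findings.append(Finding("autorun", line.split(" - ", 1)[1], "AutoRun command registered for a drive letter"))
        elif section == "tasks":
            tm = TASK_RE.match(line)
            if tm and (_ext(tm.group(2)) in SCRIPT_EXT or _in_temp(tm.group(2))):
                findings.append(Finding("task", tm.group(2), f"scheduled task {tm.group(1)} runs a script or Temp file"))
        elif section == "loaded":
            lm = LOADED_RE.match(line)
            if lm and _in_temp(lm.group(1)):
                findings.append(Finding("dll", lm.group(1), "DLL loaded into a process from a Temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}: {f.reason}")
```

Run against the excerpt, the script reports winloading.exe, both bsyys.scr entries, E:\autorun.exe, the star1.job task and the Temp DLL, and stays quiet on the avast, iTunes and Apple entries. Note what it does not catch: sunwin32.exe carries ordinary ----a-w attributes and sits among legitimate files, and the helper flagged it from its name rather than from anything in the listing, so a script like this narrows the reading of a log but does not replace it.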
bomberman, posted December 18, 2007

ComboFix 07-12-17.1 - Usuario 2007-12-18 2:59:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.503 [GMT -2:00]
Executando de: C:\Documents and Settings\Usuario\Meus documentos\ComboFix.exess.exe
* Criado um novo ponto de restauro
.
((((((((((((((((((((((( Ficheiros criados de 2007-11-18 to 2007-12-18 ))))))))))))))))))))))))))))))))
.
2007-12-18 02:54 . 2007-12-18 02:54 <DIR> d-------- C:\Arquivos de programas\CCleaner
2007-12-16 22:13 . 2007-12-16 22:13 <DIR> d-------- C:\Arquivos de programas\LiveUpdate
2007-12-16 22:12 . 2007-12-16 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\BVRP Software
2007-12-16 22:12 . 2007-12-16 22:13 <DIR> d-------- C:\Arquivos de programas\mobile PhoneTools
2007-12-05 22:50 . 2007-12-05 22:50 <DIR> d-------- C:\Arquivos de programas\KAIZEN Games
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\Usuario\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais
2007-11-28 18:34 . 2007-11-28 18:34 <DIR> d-------- C:\Documents and Settings\Default User\Configurações locais
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 04:37 --------- d-----w C:\Arquivos de programas\eMule
2007-12-17 00:13 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-12-16 23:47 --------- d-----w C:\Arquivos de programas\Warcraft III
2007-12-15 01:12 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\uTorrent
2007-12-04 17:40 --------- d-----w C:\Arquivos de programas\WC3Banlist
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-03 22:22 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\BSplayer Pro
2007-11-09 20:07 --------- d-----w C:\Arquivos de programas\Windows Live Safety Center
2007-11-09 13:11 --------- d-----w C:\Arquivos de programas\WinPcap
2007-10-22 23:45 --------- d-----w C:\Arquivos de programas\Sports Interactive
2007-10-22 23:10 --------- d-----w C:\Documents and Settings\Usuario\Dados de aplicativos\Sports Interactive
2007-10-22 23:02 --------- d-----w C:\Arquivos de programas\DAEMON Tools
2007-10-22 22:42 107,888 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-22 22:42 --------- d--h--w C:\Arquivos de programas\Zero G Registry
2007-10-22 22:42 --------- d--h--r C:\Documents and Settings\Usuario\Dados de aplicativos\SecuROM
2007-10-03 12:55 139,264 ----a-w C:\WINDOWS\War3Unin.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-28_18.33.58.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 01:08:44 25,600 -c--a-w C:\WINDOWS\system32\dllcache\usbser.sys
- 2004-08-04 02:08:44 25,600 ----a-w C:\WINDOWS\system32\drivers\usbser.sys
+ 2004-08-04 01:08:44 25,600 ----a-w C:\WINDOWS\system32\drivers\usbser.sys
- 2007-11-28 20:32:08 212,606 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-18 04:52:53 212,606 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2007-07-22 20:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-13 23:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-18 04:52:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_26c.dat
+ 2007-12-14 14:14:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4e0.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 11:00]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:45 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-12-10 04:06 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:45 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-06-29 07:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-14 11:00 267064 --a------ C:\Arquivos de programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-08-26 02:38]
R2 IOPort;IOPort;C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 18:57]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 19:10]
S3 p2pgasvc;Autenticação de grupo de rede ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc []
S3 p2pimsvc;Gerenciador de identidades ponto-a-ponto da Microsoft;C:\WINDOWS\System32\svchost.exe -k p2psvc []
S3 p2psvc;Configuração de rede ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc []
S3 PNRPSvc;Protocolo de resolução de nomes ponto-a-ponto;C:\WINDOWS\System32\svchost.exe -k p2psvc []
S3 XDva031;XDva031;C:\WINDOWS\system32\XDva031.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Conteúdo da pasta 'Tarefas Agendadas'
"2007-12-13 01:02:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
"2007-12-14 20:52:00 C:\WINDOWS\Tasks\Mantenimiento con 1 clic.job" - C:\Arquivos de programas\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-12-18 04:52:40 C:\WINDOWS\Tasks\star1.job" - c:\autoexec.bat
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 03:03:18
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
Tempo para conclusão: 2007-12-18 3:04:07
.
2007-09-01 02:41:34
--- E O F ---

Cheers.
jgarcia, posted December 19, 2007

Hi bomberman,

Submit the file below to the Jotti site:

C:\WINDOWS\system32\swreg.exe

... and come back with the result.

Regards.
bomberman, posted December 22, 2007

Scan taken on 22 Dec 2007 20:45:14 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Zoner Antivirus Found nothing
jgarcia, posted December 26, 2007

Hi bomberman,

Run Panda's ActiveScan, following these steps:

1) Some antivirus products, such as AVAST, may show a detection alert while the scan runs, but that alert should be ignored. The warning is nothing more than a false positive. I suggest temporarily disabling the AV so that the scan runs without problems;
2) To start the process, click the button ;
3) Fill in the data requested on the form;
4) Click the "Pesquise agora sem custos" (scan now at no cost) button;
5) Follow all the instructions you are given and wait for the scan to finish;
6) When the scan is done, click to view the log. Save it to your Desktop;
7) Post the contents of the log in your next reply.

Regards.
Mário Monteiro, posted September 21, 2008

Topic Archived

As the author has not replied for more than 30 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening.