G_santos 0 Denunciar post Postado Janeiro 31, 2008 Aqui está "Silent Runners.vbs", revision 55, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "updateMgr" = "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"] "MSMSGS" = ""C:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS] "eMuleAutoStart" = "C:\Arquivos de programas\eMule\emule.exe -AutoStart" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SunJavaUpdateSched" = ""C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."] "MDNS" = "C:\WINDOWS\system32\service.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Toolbar Helper" \InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\(Default) = (no title provided) -> {HKLM...CLSID} = "BrowsingEnhancer" \InProcServer32\(Default) = "C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll" [empty string] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided) -> {HKLM...CLSID} = "Windows Live Sign-in Helper" \InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS] {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\(Default) = "Mirar" -> {HKLM...CLSID} = "Mirar" \InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found] {C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense" -> {HKLM...CLSID} = "GbIehObj Class" \InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo" -> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook" \InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {HKLM...CLSID} = "AVG7 Find Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento" \InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.1.0178.00.dll" [MS] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj" -> {HKLM...CLSID} = "GbPluginObj Class" \InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj" -> {HKLM...CLSID} = "GbPluginObj Class" \InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> GbPluginBb\DLLName = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoResolveSearch" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\ "NoUpdateCheck" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp" Startup items in "User" & "All Users" startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar "Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" -> {HKLM...CLSID} = "Mirar" \InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = (no title provided) -> {HKLM...CLSID} = "Mirar" \InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Pesquisar" {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ a-squared Free Service, a2free, "C:\Arquivos de programas\a-squared Free\a2service.exe" ["Emsi Software GmbH"] AVG E-mail Scanner, AVGEMS, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] AVG7 Alert Manager Server, Avg7Alrt, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] Machine Debug Manager, MDM, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] ---------- (launch time: 2008-01-30 06:07:27) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 70 seconds, including 4 seconds for message boxes) Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia 1 Denunciar post Postado Fevereiro 3, 2008 Opa G_santos, Reinicie em Modo Seguro. Vá em Iniciar -> Executar -> digite regedit -> dê Ok. Navegue até a seguinte subchave: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run No painel à direita localize e delete: "MDNS" = "C:\WINDOWS\system32\service.exe" Navegue até a seguinte subchave: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects Localize e delete a seguinte pasta: {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} Navegue até a seguinte subchave: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser Localize e delete a seguinte pasta: {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} Agora vá em Editar -> Localizar -> digite Mirar -> clique em Localizar próxima. Caso alguma entrada contendo Mirar seja encontrada, delete-a. Repita a operação até que todas as entradas que contenham Mirar tenham sido removidas. Saia do Editor do Registro. Reinicie em Modo Normal. Retorne com um novo log do SilentRunners. Um abraço. Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Fevereiro 16, 2008 "Silent Runners.vbs", revision 55, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "updateMgr" = "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"] "MSMSGS" = ""C:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS] "eMuleAutoStart" = "C:\Arquivos de programas\eMule\emule.exe -AutoStart" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SunJavaUpdateSched" = ""C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."] "MDNS" = "C:\WINDOWS\system32\service.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Toolbar Helper" \InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\(Default) = (no title provided) -> {HKLM...CLSID} = "BrowsingEnhancer" \InProcServer32\(Default) = "C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll" [empty string] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided) -> {HKLM...CLSID} = "Windows Live Sign-in Helper" \InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS] {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found] {C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense" -> {HKLM...CLSID} = "GbIehObj Class" \InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo" -> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook" \InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {HKLM...CLSID} = "AVG7 Find Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento" \InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.1.0178.00.dll" [MS] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj" -> {HKLM...CLSID} = "GbPluginObj Class" \InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj" -> {HKLM...CLSID} = "GbPluginObj Class" \InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> GbPluginBb\DLLName = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoResolveSearch" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\ "NoUpdateCheck" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp" Startup items in "User" & "All Users" startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar "Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Pesquisar" {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ a-squared Free Service, a2free, "C:\Arquivos de programas\a-squared Free\a2service.exe" ["Emsi Software GmbH"] AVG E-mail Scanner, AVGEMS, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] AVG7 Alert Manager Server, Avg7Alrt, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] Machine Debug Manager, MDM, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] ---------- (launch time: 2008-02-14 22:31:16) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 98 seconds, including 12 seconds for message boxes) Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia 1 Denunciar post Postado Fevereiro 17, 2008 Opa G_santos, Vamos lá. 1. Reinicie em Modo Seguro. 2. Vá em Iniciar -> Executar -> digite regedit -> dê Ok. 3. Navegue até a seguinte subchave: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} 4. No painel à direita localize e delete: "MDNS" = "C:\WINDOWS\system32\service.exe" 5. Clique em Editar -> Localizar -> coloque WinNB58.dll -> clique em Localizar próxima. Caso seja encontrada alguma entrada, delete-a. 6. Repita a operação até que todas as entradas que contenham WinNB58.dll tenham sido removidas. 7. Saia do Editor do Registro. 8. Reinicie em Modo Normal. 9. Poste um novo log do ComboFix. Abraços. Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Fevereiro 18, 2008 "Silent Runners.vbs", revision 55, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "updateMgr" = "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"] "MSMSGS" = ""C:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS] "eMuleAutoStart" = "C:\Arquivos de programas\eMule\emule.exe -AutoStart" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SunJavaUpdateSched" = ""C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Toolbar Helper" \InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\(Default) = (no title provided) -> {HKLM...CLSID} = "BrowsingEnhancer" \InProcServer32\(Default) = "C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll" [empty string] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided) -> {HKLM...CLSID} = "Windows Live Sign-in Helper" \InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS] {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found] {C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense" -> {HKLM...CLSID} = "GbIehObj Class" \InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo" -> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook" \InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {HKLM...CLSID} = "AVG7 Find Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento" \InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.1.0178.00.dll" [MS] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj" -> {HKLM...CLSID} = "GbPluginObj Class" \InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj" -> {HKLM...CLSID} = "GbPluginObj Class" \InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> GbPluginBb\DLLName = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"] <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoResolveSearch" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\ "NoUpdateCheck" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp" Startup items in "User" & "All Users" startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar "Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Pesquisar" {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia 1 Denunciar post Postado Fevereiro 20, 2008 Opa G_santos, Siga as instruções: 1. Abra o Bloco de Notas -> Copie (Control + C) e Cole (Control + V) todo o texto incluído no "Quote": File:: C:\WINDOWS\system32\WinNB58.dll ATENÇÃO: O script acima foi elaborado especificamente para a infecção contida neste computador. Utilizá-lo em outra máquina poderá originar graves problemas ao usuário. 2. Salve o arquivo como CFScript.txt; 3. Tal como exemplificado na foto abaixo, arraste o arquivo CFScript.txt para o ComboFix.exe. 4. Ao término do processo a ferramenta irá gerar um log. Poste-o (C:\ComboFix.txt) em sua próxima resposta. Abraços. Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Fevereiro 21, 2008 Aqui está o log ComboFix 08-02-21 - User 2008-02-21 10:52:31.5 - NTFSx86 Executando de: C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe Command switches used :: C:\Documents and Settings\User\Meus documentos\Downloads\CFScript.txt;.txt * Criado um novo ponto de restauro WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINDOWS\system32\WinNB58.dll . ((((((((((((((((((((((((((((((((((((( Outras Exclusões ))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat ----- BITS: Possible infected sites ----- hxxp://au.do . ((((((((((((((((((((((( Ficheiros criados de 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))) . 2008-02-21 10:36 . 2008-02-21 10:36 <DIR> d----c--- C:\Arquivos de programas\FBrowsingAdvisor 2008-02-21 10:36 . 2008-02-21 10:36 <DIR> d----c--- C:\Arquivos de programas\FBrowserAdvisor 2008-02-21 10:36 . 2006-04-14 23:05 9,952 --a--c--- C:\regxpcom.exe 2008-02-17 13:19 . 2006-07-25 21:39 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos 2008-02-17 13:19 . 2006-07-25 18:21 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos 2008-02-17 13:19 . 2006-07-25 18:21 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar 2008-02-17 13:19 . 2006-07-25 18:21 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos 2008-02-17 13:19 . 2006-07-25 18:21 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos 2008-02-17 13:19 . 2008-02-17 13:19 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais 2008-02-17 13:19 . 2006-07-25 18:21 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede 2008-02-17 13:19 . 2006-07-25 18:21 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão 2008-02-13 17:03 . 2008-02-13 17:03 244 --ah-c--- C:\sqmnoopt18.sqm 2008-02-13 17:03 . 2008-02-13 17:03 232 --ah-c--- C:\sqmdata18.sqm 2008-02-13 16:10 . 2008-02-13 16:11 1,374 --a------ C:\WINDOWS\imsins.BAK . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-21 13:50 --------- dc----w C:\Arquivos de programas\BrowsingEnhancer 2008-02-18 23:28 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\LimeWire 2008-02-12 01:11 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\AVG7 2008-02-07 02:30 --------- dc----w C:\Arquivos de programas\LimeWire 2008-01-29 10:00 --------- d-----w C:\Documents and Settings\LocalService\Dados de aplicativos\AVG7 2008-01-23 18:32 --------- dc----w C:\Arquivos de programas\Java 2008-01-20 09:10 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Java 2008-01-19 23:11 --------- dc----w C:\Arquivos de programas\eMule 2008-01-04 21:13 --------- dc----w C:\Arquivos de programas\CCleaner 2008-01-04 01:09 --------- dc----w C:\Arquivos de programas\GbPlugin 2008-01-04 01:08 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin 2008-01-03 20:50 --------- dc----w C:\Arquivos de programas\MSN Messenger 2008-01-03 17:28 --------- dc----w C:\Arquivos de programas\Google 2008-01-03 00:40 --------- dc----w C:\Arquivos de programas\Samsung 2008-01-03 00:40 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information 2008-01-03 00:11 --------- d-----w C:\Arquivos de programas\free-downloads 2007-12-26 13:35 --------- dc----w C:\Arquivos de programas\IObit 2007-12-07 02:09 824,832 ----a-w C:\WINDOWS\system32\wininet.dll 2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Nota* entradas vazias & legítimas por defeito não são mostradas. [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}] 2007-12-26 20:32 1019904 --a--c--- C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}] C:\WINDOWS\system32\WinNB58.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {EF99BD32-C1FB-11D2-892F-0090271D4F88} {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} [HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}] [HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360] "updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472] "MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24 1694208] "eMuleAutoStart"="C:\Arquivos de programas\eMule\emule.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360] "AVG7_Run"="C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 09:22 219136] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveSearch"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [2007-12-03 14:30 347976] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb] C:\ARQUIV~1\GbPlugin\gbieh.dll 2007-12-03 14:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk] path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Utility Tray.lnk] path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Utility Tray.lnk backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] --a------ 2007-12-21 08:23 579072 C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer] -ra------ 2003-04-06 06:39 1818624 C:\WINDOWS\mixer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] --a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] -ra------ 2004-10-07 21:27 126976 C:\WINDOWS\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] -ra------ 2004-10-07 21:31 155648 C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a--c--- 2007-01-19 11:54 5674352 C:\Arquivos de programas\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe] --a------ 2003-03-11 16:24 86016 C:\Arquivos de programas\Intel\NCS\PROSet\PRONoMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool] C:\Arquivos de programas\VIA\RAID\raid_t [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] --a------ 2003-12-08 17:35 32768 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] --a------ 2002-07-12 07:15 106496 C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] --a------ 2006-06-26 15:53 20005928 C:\Arquivos de programas\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL] -ra------ 2005-06-06 06:40 544768 C:\WINDOWS\sm56hlpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] -ra------ 2005-05-17 07:48 77824 C:\WINDOWS\SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VModes] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer] -ra------ 2005-03-07 16:33 53248 C:\WINDOWS\system32\VTTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp] -ra------ 2005-03-11 06:33 147456 C:\WINDOWS\system32\VTTrayp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsTranslator] --a------ 2000-08-31 16:33 395776 C:\ARQUIV~1\MICROP~1\DELTAT~1.0\DWinTrsl.exe S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-21 11:37] S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 04:39] S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-25 11:19] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-21 10:56:23 Windows 5.1.2600 Service Pack 2 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros ocultos ... Varredura completada com sucesso Ficheiros ocultos: 0 ************************************************************************** . Tempo para conclusão: 2008-02-21 10:58:59 ComboFix-quarantined-files.txt 2008-02-21 13:58:49 ComboFix2.txt 2008-01-11 13:07:55 . 2008-02-13 19:14:21 --- E O F --- Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia 1 Denunciar post Postado Fevereiro 24, 2008 Opa G_santos, Execute o Active Scan da Panda, observando os seguintes procedimentos: 1) Alguns anti-vírus, tal como o AVAST, podem exibir um alerta de detecção durante a execução do scan, porém tal alerta deve ser ignorado. O aviso não passa de um falso-positivo. Sugiro que o AV seja desabilitado, temporariamente, a fim de que o scan ocorra sem problemas; 2) Para iniciar o processo, clique sobre o botão ; 3) Informe os dados solicitados no formulário; 4) Clique sobre o botão "Pesquise agora sem custos"; 5) Siga todas as instruções que lhe serão passadas e aguarde o fim da varredura; 6) Ao término do scan, clique em visualizar o log. Salve-o em seu Desktop; 7) Poste o conteúdo do log em sua próxima resposta. Abraços. Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Fevereiro 26, 2008 OLá J Garcia Não consegui , passar o Active Scan da Panda A pagina da Web estava com erro. Ok. Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia 1 Denunciar post Postado Março 2, 2008 OLá J Garcia Não consegui , passar o Active Scan da Panda A pagina da Web estava com erro. Ok. Qual erro? Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Março 3, 2008 OLá Jgarcia . Obrigado por está resolvendo esses problemas de infecção espero que esse seu trabalho continue ajudando muitas pessoas. Mais uma coisa , liguei meu computador hoje e ele estava sem audio o Que pode ser? Sera que a placa queimou ou é algum virus. Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Março 6, 2008 OLá jgarcia finalmente consegui rodar o activescan do panda aqui está o relatorio. acho que o virus que estava no meu computador danificou o audio do meu computador. Incidência Estado Localização Adware:adware/mirar Não desinfectado Registo do Windows Possível Vírus. Não desinfectado C:\Arquivos de programas\MicroPower Software\Delta Translator 2.0\Registro.exe Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\ComboFix\nircmd.com Spyware:Cookie/AdDynamix Não desinfectado C:\Documents and Settings\User\Cookies\user@ads.addynamix[1].txt Spyware:Cookie/PointRoll Não desinfectado C:\Documents and Settings\User\Cookies\user@ads.pointroll[2].txt Spyware:Cookie/Ccbill Não desinfectado C:\Documents and Settings\User\Cookies\user@ccbill[1].txt Spyware:Cookie/onestat.com Não desinfectado C:\Documents and Settings\User\Cookies\user@stat.onestat[2].txt Spyware:Cookie/Com.com Não desinfectado C:\Documents and Settings\User\Cookies\user@terra.com[1].txt Spyware:Cookie/Com.com Não desinfectado C:\Documents and Settings\User\Cookies\user@uol.com[1].txt Virus:Trj/Bancos.RQ Desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\bankerfix.exe Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.com] Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.cfexe] Virus:Trj/Bancos.RQ Desinfectado C:\Documents and Settings\User\Meus documentos\Meus arquivos recebidos\bankerfix.exe Virus:Trj/Bankfake.I Desinfectado C:\LinhaDefensiva\fx.reg Virus:Trj/Bancos.RQ Desinfectado C:\LinhaDefensiva\pv.exe Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\WINDOWS\Nircmd.exe Ferramenta potencialmente indesejada:Application/Psexec.A Não desinfectado C:\WINDOWS\PSEXESVC.EXE Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia 1 Denunciar post Postado Março 9, 2008 Opa G_santos, Vamos lá. 1. Clique em Iniciar > Executar. 2. Digite regedit > clique em OK. 3. Navegue até a seguinte subchave: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 4. No painel à direita, delete o valor: "ToolbarInstall" = "MirarSetup.exe" 5. Navegue até as seguintes chaves: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser 6. No painel à direita, delete o valor: "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = "" 7. Navegue até a seguinte chave: HKEY_LOCAL_MACHINE%\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs 8. No painel à direita, delete os valores: "C:\WINDOWS\Downloaded Program Files\MirarSetup.exe" = "" "C:\WINDOWS\System32\WinDmy.dll" = "" 9. Navegue e delete as seguintes chaves do registro: HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179E4B4A-76C3-4F65-BCED-C9FA1A28D2EF} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_Bar_Helper HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_Bar_Helper.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_WebBand HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_WebBand.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4035DE1B-D54A-411E-9EE7-923295D2E86E} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{753B9349-7E46-4E5C-A27F-A60A6BF1EAB5} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MirarSetup.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/WinDmy.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} 10. Saia do Editor do Registro. 11. Execute o Killbox, clique em Delete on Reboot. 12. Copie a lista abaixo em negrito para a área de transferência. Selecione tudo com o auxílio do mouse --> vá até a aba Editar na barra do navegador --> clique em Copiar. C:\Arquivos de programas\MicroPower Software\Delta Translator 2.0\Registro.exe C:\WINDOWS\PSEXESVC.EXE 13. Retorne ao Killbox. Clique em File > Paste from clipboard. Clique em All Files. 14. Aperte em "X". Responda "não" à pergunta. 15. Reinicie em Modo Normal. 16. Delete o conteúdo da pasta C:\!Killbox. 17. Execute o CCleaner e clique em Executar Limpeza. 18. Execute o Active Scan novamente e verifique se ainda detecta algo. Um abraço. Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Março 11, 2008 AQui está o log. Incidência Estado Localização Adware:adware/mirar Não desinfectado Registo do Windows Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\ComboFix\nircmd.com Spyware:Cookie/Com.com Não desinfectado C:\Documents and Settings\User\Cookies\user@uol.com[1].txt Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.com] Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.cfexe] Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\WINDOWS\Nircmd.exe Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia 1 Denunciar post Postado Março 16, 2008 Opa G_santos, Vamos lá. 1ª Etapa Baixe o AVG Anti-Spyware em: AVG AntiSpyware 1. Dê duplo-clique sobre o ícone do arquivo baixado; 2. Selecione Português como idioma para instalação; 3. Na janela de boas-vindas do Assistente do AVG Anti-Spyware clique em Seguinte >; 4. Na janela do Contrato de Licença clique em Aceito; 5. Clique em Seguinte > Instalar > aguarde o término do processo de instalação > clique em Terminar; 6. Quando a janela do AVG Anti-Spyware abrir, escolha Atualizar e aguarde o término do processo, mas não o execute ainda. É prudente que você faça a impressão deste documento ou salve-o em um lugar de fácil acesso, pois na próxima etapa entraremos em Modo Seguro e a conexão à internet não será possível. 2ª Etapa Reinicie em Modo Seguro. 1. Execute o AVG Anti-Spyware e clique em Status. Em Última verificação escolha Verificar agora > Verificação completa do sistema > aguarde o término da varredura; 2. Quando a varredura terminar verifique a coluna Ameaça e, sobretudo, a Ação que será executada. Caso não possua certeza sobre a exclusão de algum arquivo ou tenha certeza de que ele é legítimo, basta selecioná-lo dar um clique direito e escolher Ignorar uma vez ou Adicionar à lista de exceções; 3. Feito o procedimento acima clique em Aplicar todas as ações; 4. Clique em Salvar relatório. Copie o conteúdo do relatório e poste em sua próxima resposta. 3ª Etapa Reinicie o computador em Modo Normal. Execute o CCleaner e clique em Executar Limpeza. Execute o Active Scan mais uma vez e verifique se ainda detecta algo. Abraços. Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Março 17, 2008 Aqui estão --------------------------------------------------------- AVG Anti-Spyware - Relatório de verificação --------------------------------------------------------- + Criação: 21:55 2008-03-13 + Resultado da verificação: C:\Documents and Settings\User\Meus documentos\Musicas\gospel (variados)\Top of Charts - 2005.wma -> Downloader.Wimad.l : Limpo com backup (em quarentena). C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000025.dll -> Not-A-Virus.Adware.Mirar : Ignorado. C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000031.dll -> Not-A-Virus.Adware.Mirar : Ignorado. C:\Documents and Settings\User\Cookies\user@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Limpo. C:\Documents and Settings\User\Cookies\user@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Limpo. C:\Documents and Settings\User\Cookies\user@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Limpo. C:\Documents and Settings\User\Cookies\user@searchportal.information[1].txt -> TrackingCookie.Information : Limpo. C:\Documents and Settings\User\Cookies\user@image.masterstats[1].txt -> TrackingCookie.Masterstats : Limpo. C:\Documents and Settings\User\Cookies\user@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Limpo. ::Fim do relatório Incidência Estado Localização Adware:adware/mirar Não desinfectado Registo do Windows Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\ComboFix\nircmd.com Spyware:Cookie/Com.com Não desinfectado C:\Documents and Settings\User\Cookies\user@uol.com[1].txt Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.com] Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.cfexe] Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\WINDOWS\Nircmd.exe Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia 1 Denunciar post Postado Março 20, 2008 Opa G_santos, Execute o Housecall da Trendmicro e retorne com o resultado. Abraços. Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Março 20, 2008 ele encontrou um malware e desinfectou mas site não gera um log . eu rodei o avg anti-spynware e eu encontrou 2 trojans estão em quarentena --------------------------------------------------------- AVG Anti-Spyware - Relatório de verificação --------------------------------------------------------- + Criação: 21:55 2008-03-13 + Resultado da verificação: C:\Documents and Settings\User\Meus documentos\Musicas\gospel (variados)\Top of Charts - 2005.wma -> Downloader.Wimad.l : Limpo com backup (em quarentena). C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000025.dll -> Not-A-Virus.Adware.Mirar : Ignorado. C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000031.dll -> Not-A-Virus.Adware.Mirar : Ignorado. ::Fim do relatório --------------------------------------------------------- AVG Anti-Spyware - Relatório de verificação --------------------------------------------------------- + Criação: 23:05 2008-03-17 + Resultado da verificação: C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000025.dll -> Not-A-Virus.Adware.Mirar : Limpo com backup (em quarentena). C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000031.dll -> Not-A-Virus.Adware.Mirar : Limpo com backup (em quarentena). ::Fim do relatório e o meu computador está sem audio! Compartilhar este post Link para o post Compartilhar em outros sites
jgarcia 1 Denunciar post Postado Março 21, 2008 Opa G_santos, Baixe o BugHunter e salve em seu desktop. Execute-o dando duplo-clique sobre o arquivo BUGHUNT.EXE. Abrir-se-á uma janela em DOS com as seguintes opções: [A] - Scan for malware only (Localizar o malware, apenas). - Scan for malware and rename it (Localizar e renomear o malware). [C] - Scan for malware and remove it (Localizar e remover o malware). [D] - Scan for malware and ask what to do (Localizar o malware e perguntar o que fazer). [Q] - Exit BugHunter - (Sair do BugHunter). Escolha e opção C e clique sobre o Enter. Aguarde o término da varredura, a qual poderá demorar alguns minutos, portanto seja paciente. Retorne com o resultado. Abraços. Compartilhar este post Link para o post Compartilhar em outros sites
G_santos 0 Denunciar post Postado Março 23, 2008 Log file opened: 13:20:09 - 03-21-2008 BugHunter v2.2e using database date/time 03-19-2008|01:15:26 Using configuration file: BUGHUNT.INI => Nfo: Recursive scanning is enabled. => Nfo: BugHunter is only logging found malware... Action taken, and result. =============================================================== Finished Scanning...50,602 Files No known MalWare was found in the specified directories. BugHunter took approximately 24 minutes and 46 seconds to scan the folders. =============================================================== Log file closed.: 13:44:39 - 03-21-2008 Compartilhar este post Link para o post Compartilhar em outros sites