
Archived

This topic has been archived and is closed to new replies.

Eric Carneiro

[Solved!] hldrrr.exe

Like many posts I have seen here, I am also having this problem. How should I proceed to eliminate this pest?

 

HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 10:48:45, on 15/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

C:\Arquivos de programas\LogMeIn\x86\RaMaint.exe

C:\Arquivos de programas\LogMeIn\x86\LogMeIn.exe

C:\Arquivos de programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Downloads\fsbl.exe

C:\Documents and Settings\Eric e Eve\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Arquivos de programas\Ipswitch\WS_FTP Pro\wsbho2k0.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll

O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Arquivos de programas\Paltalk Messenger\Paltalk.exe

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/legacy/ractrl.cab?lmi=100

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll

O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll

O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Arquivos de programas\iolo\Common\Lib\ioloDMVSvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Arquivos de programas\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Arquivos de programas\LogMeIn\x86\LogMeIn.exe

O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Arquivos de programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

I downloaded F-Secure BlackLight as suggested in some topics, and here is its log:

01/15/08 10:46:35 [info]: BlackLight Engine 1.0.67 initialized

01/15/08 10:46:35 [info]: OS: 5.1 build 2600 (Service Pack 2)

01/15/08 10:46:35 [Note]: 7019 4

01/15/08 10:46:35 [Note]: 7005 0

01/15/08 10:46:45 [Note]: 7006 0

01/15/08 10:46:45 [Note]: 7011 964

01/15/08 10:46:52 [Note]: 7026 0

01/15/08 10:46:58 [Note]: 7026 0

01/15/08 10:46:58 [Note]: 7024 3

01/15/08 10:46:58 [info]: Hidden process: C:\Arquivos de programas\iolo\Common\Lib\ioloDMVSvc.exe

01/15/08 10:46:58 [Note]: 7024 3

01/15/08 10:46:58 [info]: Hidden process: C:\WINDOWS\system32\drivers\hldrrr.exe

01/15/08 10:46:58 [Note]: 7024 3

01/15/08 10:46:58 [info]: Hidden process: C:\WINDOWS\system32\wintems.exe

01/15/08 10:47:06 [Note]: FSRAW library version 1.7.1024

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\CrlWTC114.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13br.ths

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13cbe.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13cbepo.cbt

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13LDPO.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13LDXX.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13LI.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13po.icr

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13po.lex

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13po.sav

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13po.ths

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13sphs.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13spls.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13SPML.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13sptl.ico

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13sptlPO.exe

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13SPTP.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13SPWP.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13uipo.dll

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WTPO.chm

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WTSPUT.chm

01/15/08 10:47:19 [Note]: 10002 3

01/15/08 10:47:19 [Note]: 10002 2

01/15/08 10:47:19 [Note]: 10002 2

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 3

01/15/08 10:47:20 [Note]: 10002 2

01/15/08 10:47:20 [Note]: 10002 2

01/15/08 10:48:59 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Empty.txt

01/15/08 10:48:59 [Note]: 10002 3

01/15/08 10:48:59 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Filters.xml

01/15/08 10:48:59 [Note]: 10002 3

01/15/08 10:48:59 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\news.png

01/15/08 10:48:59 [Note]: 10002 3

01/15/08 10:48:59 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\paint.png

01/15/08 10:48:59 [Note]: 10002 3

01/15/08 10:48:59 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Profiles\Blank.txt

01/15/08 10:48:59 [Note]: 10002 3

01/15/08 10:48:59 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Sample1.jpg

01/15/08 10:48:59 [Note]: 10002 3

01/15/08 10:48:59 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Sample2.jpg

01/15/08 10:48:59 [Note]: 10002 3

01/15/08 10:48:59 [Note]: 10002 2

01/15/08 10:48:59 [Note]: 10002 2

01/15/08 10:54:58 [Note]: 10002 2

01/15/08 10:54:58 [Note]: 10002 2

01/15/08 10:55:56 [info]: Hidden file: C:\WINDOWS\system32\wintems.exe

01/15/08 10:55:56 [Note]: 10002 2

01/15/08 10:56:14 [info]: Hidden file: c:\WINDOWS\system32\drivers\srosa.sys

01/15/08 10:56:14 [Note]: 10002 2

01/15/08 10:56:14 [info]: Hidden file: C:\WINDOWS\system32\drivers\hldrrr.exe

01/15/08 10:56:14 [Note]: 10002 2

01/15/08 11:01:18 [Note]: 7007 0


Hello Eric Carneiro,

Welcome to the iMaster Forum!

 

Step 1

 

Download EliBaglA:

http://linhadefensiva.uol.com.br/dl/elibagle

 

* Run the EliBaglA tool. The scan may take a while to finish. Be patient.

* When the scan finishes, a report will be created at C:\infoSat.txt.

* Post the log.

Step 2

 

Download SafeMode Repair.zip:

http://www.hijackthis-forum.de/attachment....mp;d=1187631899

 

* Unzip it to your desktop.

* Right-click the SafeModeRepair.reg file and choose Merge.

 

Step 3

 

Run F-Secure BlackLight:

 

* When the scan finishes, attach the fsb-xxxxx.log file (where xxx are numbers) to your reply.

 

Step 4

 

Run HijackThis, generate a report and paste it into your reply.

Here are the logs as requested:

EliBaglA log:

Tue Jan 15 12:30:53 2008

EliBagle v10.85 ©2008 S.G.H. / Satinfo S.L.

----------------------------------------------

Lista de Acciones (por Acción Directa):

Por favor, envienos una muestra del fichero

C:\Muestras\WINTEMS.EXE.Muestra EliBagle v10.85

a "virus@satinfo.es". Gracias.

C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.

C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle

Por favor, envienos una muestra del fichero

C:\Muestras\SROSA.SYS.Muestra EliBagle v10.85

a "virus@satinfo.es". Gracias.

C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle Acceso Denegado.

Por favor, envienos una muestra del fichero

C:\Muestras\HLDRRR.EXE.Muestra EliBagle v10.85

a "virus@satinfo.es". Gracias.

C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle Acceso Denegado.

Restaurada Clave: "SafeBoot\Minimal y Network"

 

F-Secure BlackLight log:

01/15/08 12:33:46 [info]: BlackLight Engine 1.0.67 initialized

01/15/08 12:33:46 [info]: OS: 5.1 build 2600 (Service Pack 2)

01/15/08 12:33:46 [Note]: 7019 4

01/15/08 12:33:46 [Note]: 7005 0

01/15/08 12:33:54 [Note]: 7006 0

01/15/08 12:33:54 [Note]: 7011 1536

01/15/08 12:33:59 [Note]: 7026 0

01/15/08 12:34:05 [Note]: 7026 0

01/15/08 12:34:05 [Note]: 7024 3

01/15/08 12:34:05 [info]: Hidden process: C:\WINDOWS\system32\wintems.exe

01/15/08 12:34:05 [Note]: 7024 3

01/15/08 12:34:05 [info]: Hidden process: C:\WINDOWS\system32\drivers\hldrrr.exe

01/15/08 12:34:05 [Note]: 7024 3

01/15/08 12:34:05 [info]: Hidden process: C:\Arquivos de programas\iolo\Common\Lib\ioloDMVSvc.exe

01/15/08 12:34:11 [Note]: FSRAW library version 1.7.1024

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\CrlWTC114.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13br.ths

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13cbe.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13cbepo.cbt

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13LDPO.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13LDXX.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13LI.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13po.icr

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13po.lex

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13po.sav

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\Wt13po.ths

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13sphs.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13spls.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13SPML.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13sptl.ico

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13sptlPO.exe

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13SPTP.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13SPWP.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WT13uipo.dll

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WTPO.chm

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\WTSPUT.chm

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 2

01/15/08 12:34:24 [Note]: 10002 2

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 3

01/15/08 12:34:24 [Note]: 10002 2

01/15/08 12:34:24 [Note]: 10002 2

01/15/08 12:35:56 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Empty.txt

01/15/08 12:35:56 [Note]: 10002 3

01/15/08 12:35:56 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Filters.xml

01/15/08 12:35:56 [Note]: 10002 3

01/15/08 12:35:56 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\news.png

01/15/08 12:35:56 [Note]: 10002 3

01/15/08 12:35:56 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\paint.png

01/15/08 12:35:56 [Note]: 10002 3

01/15/08 12:35:56 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Profiles\Blank.txt

01/15/08 12:35:56 [Note]: 10002 3

01/15/08 12:35:56 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Sample1.jpg

01/15/08 12:35:56 [Note]: 10002 3

01/15/08 12:35:56 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Sample2.jpg

01/15/08 12:35:56 [Note]: 10002 3

01/15/08 12:35:56 [Note]: 10002 2

01/15/08 12:35:56 [Note]: 10002 2

01/15/08 12:41:39 [Note]: 10002 2

01/15/08 12:41:39 [Note]: 10002 2

01/15/08 12:42:39 [info]: Hidden file: C:\WINDOWS\system32\wintems.exe

01/15/08 12:42:39 [Note]: 10002 2

01/15/08 12:42:58 [info]: Hidden file: c:\WINDOWS\system32\drivers\srosa.sys

01/15/08 12:42:58 [Note]: 10002 2

01/15/08 12:42:58 [info]: Hidden file: C:\WINDOWS\system32\drivers\hldrrr.exe

01/15/08 12:42:58 [Note]: 10002 2

01/15/08 12:46:21 [Note]: 7007 0

 

HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 12:47:21, on 15/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\LogMeIn\x86\RaMaint.exe

C:\Arquivos de programas\LogMeIn\x86\LogMeIn.exe

C:\Arquivos de programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\Eric e Eve\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Arquivos de programas\Ipswitch\WS_FTP Pro\wsbho2k0.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll

O3 - Toolbar: &iG - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\RunOnce: [ReEXEc] E:\Downloads\software\EliBaglA.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Arquivos de programas\Paltalk Messenger\Paltalk.exe

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - C:\ARQUIV~1\iGv6\igshop.dll (file missing)

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/legacy/ractrl.cab?lmi=100

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll

O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll

O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Arquivos de programas\iolo\Common\Lib\ioloDMVSvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Arquivos de programas\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Arquivos de programas\LogMeIn\x86\LogMeIn.exe

O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Arquivos de programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

Thanks for your attention.
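An added example, not part of this thread or of either tool, that mechanises the comparison a helper makes by eye between the HijackThis log in the first post and the two BlackLight scans in the first and third posts. cross_check() lists processes that BlackLight reports as hidden but that HijackThis' user-mode process list never shows, tiering a process whose image is registered as an O23 service as "review" and everything else as "HIGH"; diff_scans() compares the scan taken before EliBaglA ran with the one taken afterwards and reports which hidden items persisted. The log excerpts are constructed from the logs posted above (trimmed), and the allow-list of directories in which legitimate products keep hidden files (the Corel and Movie Maker paths) is an assumption, not something either tool ships.

```python
"""Triage the scanner logs posted in this thread (added example, not part of
the thread or of either tool). cross_check() lists processes that F-Secure
BlackLight reports as hidden but HijackThis' user-mode process list lacks;
diff_scans() shows which hidden items survive a clean-up attempt."""
import re

HIDDEN_RE = re.compile(r"^\S+ \S+ \[info\]: Hidden (process|file): (.+?)\s*$", re.M)
# O23 lines read "O23 - Service: <name> - <owner> - <path>"; the path starts with a drive letter.
SERVICE_RE = re.compile(r"^O23 - Service: .* - ([A-Za-z]:\\.+?)\s*$")
# Assumption: directories where installed products legitimately keep hidden files
# (the Corel and Movie Maker entries in the posted scans). Tune per host.
BENIGN_PREFIXES = ("c:\\arquivos de programas\\arquivos comuns\\corel\\",
                   "c:\\arquivos de programas\\movie maker\\")


def norm(path):
    """Case-fold and unquote so the scanners' mixed-case spellings compare equal."""
    return path.strip().strip('"').lower()


def parse_hjt(text):
    """Return (running process paths, O23 service image paths) from a HijackThis log."""
    procs, services, in_procs = set(), set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            procs.add(norm(line))
            continue
        in_procs = False  # the process block ends at the first non-path line
        m = SERVICE_RE.match(line)
        if m:
            services.add(norm(m.group(1)))
    return procs, services


def parse_blacklight(text):
    """Return {'process': set, 'file': set} of paths BlackLight flagged as hidden."""
    found = {"process": set(), "file": set()}
    for kind, path in HIDDEN_RE.findall(text):
        found[kind].add(norm(path))
    return found


def cross_check(hjt_text, bl_text):
    """Hidden processes absent from HijackThis' list: [(tier, path)], tier 'review'
    when an O23 service entry accounts for the image, else 'HIGH'."""
    procs, services = parse_hjt(hjt_text)
    findings = []
    for path in sorted(parse_blacklight(bl_text)["process"]):
        if path in procs:
            continue  # user-mode enumeration sees it too, so it is not concealed
        findings.append(("review" if path in services else "HIGH", path))
    return findings


def diff_scans(before_text, after_text, allow=BENIGN_PREFIXES):
    """Compare hidden items across two scans, ignoring allow-listed directories."""
    def suspicious(text):
        scan = parse_blacklight(text)
        return {p for p in scan["process"] | scan["file"] if not p.startswith(allow)}
    before, after = suspicious(before_text), suspicious(after_text)
    return {"persisting": sorted(before & after),
            "removed": sorted(before - after),
            "new": sorted(after - before)}


# Constructed excerpt (trimmed) of the first HijackThis log posted above.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe"
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Arquivos de programas\iolo\Common\Lib\ioloDMVSvc.exe
"""
# Constructed excerpt (trimmed) of the 10:46 BlackLight scan in the first post.
BL_BEFORE = r"""
01/15/08 10:46:58 [Note]: 7024 3
01/15/08 10:46:58 [info]: Hidden process: C:\Arquivos de programas\iolo\Common\Lib\ioloDMVSvc.exe
01/15/08 10:46:58 [info]: Hidden process: C:\WINDOWS\system32\drivers\hldrrr.exe
01/15/08 10:46:58 [info]: Hidden process: C:\WINDOWS\system32\wintems.exe
01/15/08 10:47:19 [info]: Hidden file: c:\Arquivos de programas\Arquivos comuns\Corel\Shared\Writing Tools\13\CrlWTC114.dll
01/15/08 10:48:59 [info]: Hidden file: c:\Arquivos de programas\Movie Maker\Shared\Empty.txt
01/15/08 10:55:56 [info]: Hidden file: C:\WINDOWS\system32\wintems.exe
01/15/08 10:56:14 [info]: Hidden file: c:\WINDOWS\system32\drivers\srosa.sys
01/15/08 10:56:14 [info]: Hidden file: C:\WINDOWS\system32\drivers\hldrrr.exe
"""
# Constructed excerpt (trimmed) of the 12:33 scan posted after EliBaglA ran.
BL_AFTER = r"""
01/15/08 12:34:05 [info]: Hidden process: C:\WINDOWS\system32\wintems.exe
01/15/08 12:34:05 [info]: Hidden process: C:\WINDOWS\system32\drivers\hldrrr.exe
01/15/08 12:34:05 [info]: Hidden process: C:\Arquivos de programas\iolo\Common\Lib\ioloDMVSvc.exe
01/15/08 12:42:39 [info]: Hidden file: C:\WINDOWS\system32\wintems.exe
01/15/08 12:42:58 [info]: Hidden file: c:\WINDOWS\system32\drivers\srosa.sys
01/15/08 12:42:58 [info]: Hidden file: C:\WINDOWS\system32\drivers\hldrrr.exe
"""

if __name__ == "__main__":
    for tier, path in cross_check(HJT_LOG, BL_BEFORE):
        print(f"{tier:6} hidden from user-mode enumeration: {path}")
    for key, paths in diff_scans(BL_BEFORE, BL_AFTER).items():
        print(f"{key:10} {paths}")
```

Run stand-alone, it reports ioloDMVSvc.exe as "review" (hidden, but it is the image of the ioloDMV service that HijackThis lists under O23) and hldrrr.exe and wintems.exe as "HIGH" (hidden and accounted for by nothing in the HijackThis log), and shows all four non-allow-listed items, srosa.sys included, persisting between the two scans, which is what EliBaglA's "Acceso Denegado" lines already indicated. The case-folding in norm() matters: the same file appears as both C:\WINDOWS\... and c:\WINDOWS\... within a single BlackLight log.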

Step 1

 

Download AVG Anti-Rootkit:

http://www.softpedia.com/get/Antivirus/AVG...i-Rootkit.shtml

 

* Install and run it.

* Some infections may be detected. Select them.

* When done, click "Remove Selected Items".

Step 2

 

Download F-Secure BlackLight:

http://linhadefensiva.uol.com.br/dl/blacklight

 

* Save it to the desktop and run it. Accept the agreement.

 

If it finds any file, ignore it. We only want the log.

 

When the scan finishes, attach the fsb-xxxxx.log file (where xxx are numbers) to your reply.

Well, before redoing this step...

Before coming to post here, while checking other posts on the subject, I downloaded AVG Anti-Rootkit and ran it, had it remove the items that appeared, it restarted the PC, a screen appeared at start-up saying it had removed them along with AVG advertising; however, I ran AVG Anti-Rootkit again and it reported the same files.

 

So when I posted that F-Secure BlackLight log, I had already done this step.

 

What can I do now?

(I am running Kaspersky Online, but it is still in progress.)

 

Thanks for your attention.

Hello Eric Carneiro,

 

For some reason, the infections are not being removed. This is a rootkit: malware that tries to hide from detection software.

 

I will post again shortly. Until then, please wait for a solution :!:

 

Lucasg3

Thanks for your attention, Lucas.

Would you be able to say what this malware's "intention" is? This computer is used professionally, and I fear something that could harm me more seriously.

 

 

I await your reply. ;)

Hello Eric,

I had the same problem and struggled since Saturday to fix it...

I used a bunch of programs, and lastly ComboFix, which I think did the trick...

Then I checked that I did not have this little thing...

 

HKEY_CURRENT_USER\Software\DateTime4

 

In the right-hand pane, restore the following original values, if necessary:

 

"port" = "0x5B7E"

" uid" = "[RANDOM]"

" wdrn" = "0x00000001"

 

I also used SafeBootKeyRepair.exe to restore safe mode....

 

Good luck!

 

See you,

Vlad

Lucasg3,

 

I managed to boot the system in safe mode and noticed that the files did not start there. Since I already knew their names (wintems.exe, srosa.sys and hldrrr.exe) and their respective locations, I went into the DOS prompt and deleted them manually, going into the folders and deleting them.

I restarted the PC, now in normal mode, ran AVG Anti-Rootkit, and neither the files nor the rootkits appeared any more.

 

I hope it has been removed.

 

Vlad, thanks for the tip.

This key exists on my machine, but the values are different.

I will not touch these values yet, but I will keep watch in case the malware shows up again.

 

Regards.

PROBLEM SOLVED!

 

If the author needs the topic to be reopened, send a Private Message to a Moderator with a link to the topic.