
Archived

This topic is archived and closed to new replies.

Shademan

[Solved!]  Spoolsv.exe

Hey Shademan,

 

There are no abnormal entries in your log. Is the machine showing any anomaly?

As for anomalies, I am only worried about 2 things:

 

01) My Bitdefender antivirus flagging a trojan in a Windows file, as I mentioned in the first post;

02) When I turn the machine on and log into Windows, sometimes it becomes very slow (something causes delays in opening any application, including Windows Explorer), and sometimes it is normal.

 

Those are the 2 points that worry me. Since the trojan is in one of the applications that starts with Windows (spoolsv.exe), I imagined it might be what is causing this occasional slowness.

Hey Shademan,

 

Run Panda's Active Scan, following these steps:

 

1) Some antivirus products, such as AVAST, may show a detection alert while the scan runs, but that alert should be ignored. The warning is nothing more than a false positive. I suggest temporarily disabling the AV so that the scan runs without problems;

 

2) To start the process, click the scan button (01bt_scan_pt.gif);

 

3) Fill in the data requested on the form;

 

4) Click the "Pesquise agora sem custos" ("Scan now at no cost") button;

 

5) Follow all the instructions you are given and wait for the scan to finish;

 

6) When the scan finishes, click to view the log. Save it to your Desktop;

 

7) Post the contents of the log in your next reply.

 

Regards.

Dear jgarcia, at first the update gave an error, but I managed to solve it. Here is the log:

 

ANALYSIS: 2008-05-12 11:46:58

PROTECTIONS: 1

MALWARE: 30

SUSPECTS: 0

;*******************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================

BitDefender Professional Edition v7.2 7.2 Yes Yes

;===================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================

00029007 adware/tvmedia Adware No 0 Yes No c:\documents and settings\junior\dados de aplicativos\tvmknwrd.dll

00029007 adware/tvmedia Adware No 0 Yes No c:\documents and settings\junior\dados de aplicativos\tvmuknwrd.dll

00029007 adware/tvmedia Adware No 0 Yes No c:\documents and settings\junior\dados de aplicativos\tvmcwrd.dll

00034463 adware/wupd Adware No 0 Yes No hkey_local_machine\software\deskad service

00041446 application/myway HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}

00055522 Eicar.Mod Virus No 0 No No C:\Documents and Settings\JUNIOR\Configurações locais\Temp\Av-test.txt

00122168 Application/Restart HackTools No 0 Yes No C:\WINDOWS\system32\Tools\Restart.exe

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@trafficmp[2].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@casalemedia[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@doubleclick[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Convidado\Cookies\convidado@atdmt[2].txt

00142038 adware/comedy-planet Adware No 0 Yes No hkey_local_machine\software\classes\joke

00142038 adware/comedy-planet Adware No 0 Yes No hkey_classes_root\joke

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@fastclick[2].txt

00147020 Cookie/Lop TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@mp3search[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@com[1].txt

00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@yadro[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@statcounter[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@ad.yieldmanager[2].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@apmebf[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@bs.serving-sys[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@advertising[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@ads.pointroll[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@overture[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@realmedia[2].txt

00170557 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@terra.com[1].txt

00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@uol.com[1].txt

00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Convidado\Cookies\convidado@uol.com[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@adrevolver[2].txt

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@adultfriendfinder[1].txt

00209833 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@acesso.uol.com[1].txt

00250702 Trj/Downloader.GUT Virus/Trojan No 0 Yes No C:\Arquivos de programas\DremTeamShare\DreMule\Incoming\MuvAudio 1.2 + Crack.zip[MuvAudio 1.2 + Crack/crack.exe]

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\JUNIOR\Cookies\junior@atwola[1].txt

;===================================================================================================================

SUSPECTS

Sent Location

;===================================================================================================================

;===================================================================================================================

VULNERABILITIES

Id Severity Description

;===================================================================================================================

;===================================================================================================================

Hey Shademan,

 

Follow these instructions:

 

1. Restart the machine in Safe Mode.

 

2. Open Notepad -> Copy (Ctrl + C) and Paste (Ctrl + V) all the text included in the "Quote":

File::

c:\documents and settings\junior\dados de aplicativos\tvmknwrd.dll

c:\documents and settings\junior\dados de aplicativos\tvmuknwrd.dll

c:\documents and settings\junior\dados de aplicativos\tvmcwrd.dll

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\Av-test.txt

C:\Arquivos de programas\DremTeamShare\DreMule\Incoming\MuvAudio 1.2 + Crack.zip

C:\WINDOWS\system32\Tools\Restart.exe

Registry::

[-hkey_local_machine\software\deskad service]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}]

WARNING: The script above was written specifically for the infection on this computer. Using it on another machine may cause serious problems for the user.

3. Save the file as CFScript.txt;

4. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.
(image: 645i642.gif)

5. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, together with a new HijackThis log.

Regards.

Dear jgarcia, after the procedures and restarting the machine, I noticed that a new Internet Explorer icon had been created, which I found odd.

 

Anyway, here is the ComboFix log:

 

ComboFix 08-05-12.1 - JUNIOR 2008-05-13 22:34:52.1 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.584 [GMT -3:00]

Executando de: C:\Documents and Settings\JUNIOR\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\JUNIOR\Desktop\CFScript.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\Arquivos de programas\DremTeamShare\DreMule\Incoming\MuvAudio 1.2 + Crack.zip

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\Av-test.txt

c:\documents and settings\junior\dados de aplicativos\tvmcwrd.dll

c:\documents and settings\junior\dados de aplicativos\tvmknwrd.dll

c:\documents and settings\junior\dados de aplicativos\tvmuknwrd.dll

C:\WINDOWS\system32\Tools\Restart.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Arquivos de programas\DremTeamShare\DreMule\Incoming\MuvAudio 1.2 + Crack.zip

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\Av-test.txt

c:\documents and settings\junior\dados de aplicativos\tvmcwrd.dll

c:\documents and settings\junior\dados de aplicativos\tvmknwrd.dll

c:\documents and settings\junior\dados de aplicativos\tvmuknwrd.dll

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\system32\Tools\Restart.exe

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-04-14 to 2008-05-14 ))))))))))))))))))))))))))))))))

.

 

2008-05-11 23:29 . 2008-05-11 23:34 <DIR> d-------- C:\Arquivos de programas\Panda Security

2008-05-11 01:58 . 2008-05-11 01:58 42,982,322 --a------ C:\Missinho.zip

2008-05-06 18:42 . 2008-05-06 18:42 212,480 --a------ C:\Anexo1 - Alagoinhas.xls

2008-04-27 20:28 . 2008-04-27 20:28 51,480,944 --a------ C:\Bragadá_-_quebra_Mola_by_Senegal.rar

2008-04-27 19:43 . 2008-04-27 19:43 47,676,419 --a------ C:\Bragaboys_-_bomba_by_Senegal.rar

2008-04-27 13:22 . 2008-04-27 13:33 157,144 --a------ C:\error1.JPG

2008-04-27 13:14 . 2008-04-27 13:14 34,699,178 --a------ C:\Bragadá_e_Tony_Molla_by_Senegal.rar

2008-04-26 20:47 . 2008-04-21 17:27 8,234,109 --a------ C:\08_Baby Doll de Nylon.mp3

2008-04-26 15:13 . 2008-04-26 15:13 <DIR> d-------- C:\Arquivos de programas\wma Studio

2008-04-25 22:25 . 2008-04-25 22:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-04-25 22:25 . 2008-04-26 15:12 <DIR> d-------- C:\WINDOWS\LastGood(3)

2008-04-25 22:25 . 2008-04-25 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab

2008-04-23 02:02 . 2008-04-26 15:13 <DIR> d-------- C:\Arquivos de programas\PixiePack Codec Pack

2008-04-23 01:43 . 2008-04-26 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\RapidSolution

2008-04-22 02:28 . 2008-04-26 15:15 <DIR> d-------- C:\Arquivos de programas\Free WMA to MP3 Converter

2008-04-19 19:26 . 2008-04-19 19:26 83,087 --a------ C:\error.JPG

2008-04-18 18:31 . 2008-04-18 18:31 <DIR> d-------- C:\Documents and Settings\Convidado\Dados de aplicativos\MEGAUPLOADTOOLBAR

2008-04-18 16:09 . 2005-02-24 12:14 <DIR> d--h----- C:\Documents and Settings\Convidado\Modelos

2008-04-18 16:09 . 2008-04-18 16:09 <DIR> dr------- C:\Documents and Settings\Convidado\Meus documentos

2008-04-18 16:09 . 2004-11-17 21:49 <DIR> dr------- C:\Documents and Settings\Convidado\Menu Iniciar

2008-04-18 16:09 . 2008-04-18 16:09 <DIR> d-------- C:\Documents and Settings\Convidado\Favoritos

2008-04-18 16:09 . 2008-04-18 18:31 <DIR> dr-h----- C:\Documents and Settings\Convidado\Dados de aplicativos

2008-04-18 16:09 . 2008-05-13 22:38 <DIR> d--h----- C:\Documents and Settings\Convidado\Configurações locais

2008-04-18 16:09 . 2004-11-17 21:49 <DIR> d--h----- C:\Documents and Settings\Convidado\Ambiente de rede

2008-04-18 16:09 . 2004-11-17 21:49 <DIR> d--h----- C:\Documents and Settings\Convidado\Ambiente de impressão

2008-04-18 16:09 . 2008-04-26 15:17 <DIR> d-------- C:\Documents and Settings\Convidado

2008-04-18 16:09 . 2008-05-13 22:34 1,024 --ah----- C:\Documents and Settings\Convidado\NTUSER.DAT.LOG

2008-04-18 16:03 . 2005-02-24 12:14 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos

2008-04-18 16:03 . 2008-05-13 22:38 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão

2008-04-18 16:03 . 2008-04-26 15:17 <DIR> d-------- C:\Documents and Settings\Administrador

2008-04-18 16:03 . 2008-05-13 22:34 1,024 --ah----- C:\Documents and Settings\Administrador\NTUSER.DAT.LOG

2008-04-18 01:29 . 2008-04-27 09:26 <DIR> d-------- C:\Hijackthis

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-14 01:31 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

2008-05-09 21:07 --------- d-----w C:\Documents and Settings\JUNIOR\Dados de aplicativos\Skype

2008-05-02 02:10 --------- d-----w C:\Arquivos de programas\Real

2008-05-01 14:20 --------- d-----w C:\Arquivos de programas\GbPlugin

2008-04-27 01:34 --------- d-----w C:\Arquivos de programas\GetRight

2008-04-26 19:16 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2008-04-26 19:15 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll

2008-04-22 05:18 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-04-12 04:44 --------- d-----w C:\Documents and Settings\JUNIOR\Dados de aplicativos\BrOffice.org2

2008-04-02 02:43 --------- d-----w C:\Arquivos de programas\HooTech

2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-16 03:21 --------- d-----w C:\Arquivos de programas\Microsoft CAPICOM 2.1.0.2

2008-03-14 20:49 --------- d-----w C:\Arquivos de programas\Windows Live

2008-03-14 20:48 --------- dcsh--w C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller

2008-03-14 20:47 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller

2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:37 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-19 01:40 36,255,169 ----a-w C:\BARRAVENTO-SAMBA_DE_RODA_DA_BAHIA.zip

2006-05-18 04:44 76 ---ha-w C:\Arquivos de programas\Desktop.ini

2005-06-02 04:48 37 ----a-w C:\Documents and Settings\JUNIOR\getfile.dat

2005-01-05 13:18 284 ----a-w C:\Documents and Settings\JUNIOR\Dados de aplicativos\ViewerApp.dat

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:45 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 07:50 155648]

"S3TRAY2"="S3tray2.exe" [2001-12-17 11:09 69632 C:\WINDOWS\system32\S3tray2.exe]

"BDMCon"="C:\ARQUIV~1\Softwin\BITDEF~2\bdmcon.exe" [2005-06-10 14:11 229376]

"BDNewsAgent"="C:\ARQUIV~1\Softwin\BITDEF~2\bdnagent.exe" [2005-06-17 08:36 4608]

"BDSwitchAgent"="C:\Arquivos de programas\Softwin\BitDefender Professional Edition\bdswitch.exe" [2005-06-10 13:20 53248]

"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 13:48 286720]

"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-04-26 16:15 185896]

"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:45 159744]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 04:45 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Arquivos de programas\Scpad\scpLIB.dll [2007-05-02 01:13 128512]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GBPLUGIN\gbieh.dll [2008-04-15 09:37 378696]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-05-02 01:13 128512]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\ARQUIV~1\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]

C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\Arquivos de programas\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3acm"= l3codecp.acm

"vidc.3ivx"= 3ivxVfWCodec.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\SpRb0x®\\SpRb0x.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\FlashFXP\\flashfxp.exe"=

"C:\\Arquivos de programas\\GenialGiFT\\gift\\giFT.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Arquivos de programas\\NetMeeting\\conf.exe"=

"C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe"=

"C:\\Arquivos de programas\\Java\\jre1.5.0_09\\bin\\javaw.exe"=

"C:\\Arquivos de programas\\ICQLite\\ICQLite.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\DremTeamShare\\DreMule\\emule.exe"=

"C:\\Arquivos de programas\\MegaJogos\\jre\\jre\\bin\\javaw.exe"=

"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"C:\\Arquivos de programas\\DsNET Corp\\aTube Catcher 1.0\\smh.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

 

S2 FILESpy;FILESpy;C:\Arquivos de programas\Softwin\BitDefender Professional Edition\filespy.sys [2005-06-10 14:11]

S2 njtefjrn6;rjivrmogbkhk;C:\WINDOWS\system32\fxsedrzc6.exe []

S2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-09-05 23:50]

S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []

S3 glauiad;D-Link DSL-502G Router;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2004-04-10 23:24]

S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 21:28]

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-13 22:40:55

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-05-13 22:43:25

ComboFix-quarantined-files.txt 2008-05-14 01:43:01

 

Pre-Run: 4,177,448,960 bytes disponíveis

Post-Run: 4,603,666,432 bytes disponíveis

 

171 --- E O F --- 2008-04-26 21:52:34

 

 

And here is the HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 22:51:12, on 13/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\S3tray2.exe

C:\mysql\bin\mysqld-nt.exe

C:\ARQUIV~1\Softwin\BITDEF~2\bdmcon.exe

C:\Arquivos de programas\Softwin\BitDefender Professional Edition\bdswitch.exe

C:\WINDOWS\vsnpstd.exe

C:\WINDOWS\system32\pctspk.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Scan Server\bdss.exe

C:\Arquivos de programas\Softwin\BitDefender Professional Edition\vsserv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\Real\rpbrowserrecordplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [bDMCon] C:\ARQUIV~1\Softwin\BITDEF~2\bdmcon.exe

O4 - HKLM\..\Run: [bDNewsAgent] C:\ARQUIV~1\Softwin\BITDEF~2\bdnagent.exe

O4 - HKLM\..\Run: [bDSwitchAgent] C:\Arquivos de programas\Softwin\BitDefender Professional Edition\bdswitch.exe

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://bin.mcafee.com/molbin/shared/mcinsc...83/mcinsctl.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26d37c2294d679...RdxIE601_br.cab

O16 - DPF: {5E91D9B0-3AE2-40B9-9D89-7664D3B83733} - http://www.maxprotector.com.br/maxdownload.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100799040891

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9C377DD8-8CE6-484C-975D-F4D03493EBBE} (DownloadManager Control) - http://www.imusica.com.br/Download.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,20/mcgdmgr.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...571/mcfscan.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{37C1701E-8071-4718-9F09-120D7C4CAC0D}: NameServer = 10.1.1.1

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Unknown owner - C:\Arquivos de programas\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: rjivrmogbkhk (njtefjrn6) - Unknown owner - C:\WINDOWS\system32\fxsedrzc6.exe (file missing)

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Arquivos de programas\Softwin\BitDefender Professional Edition\vsserv.exe" /service (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

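A triage helper for logs like the one above, added here as an example; it is not from this thread or from HijackThis, ComboFix or Panda. It parses the O4 (Run), O20 (Winlogon Notify) and O23 (Service) line formats and applies a few defender-side checks: Run entries that are bare file names (resolved through the search path), third-party Winlogon Notify DLLs, services whose binary is missing, and unknown-owner services with random-looking names. The sample lines are a constructed subset copied from the HijackThis log posted above; the severity levels, the `looks_random` threshold and the treatment of quoted ImagePaths as a HijackThis parsing artifact are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample HijackThis lines copied from the log posted in this thread
# (a constructed subset; only O4, O20 and O23 entries are examined here).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: rjivrmogbkhk (njtefjrn6) - Unknown owner - C:\WINDOWS\system32\fxsedrzc6.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Arquivos de programas\Softwin\BitDefender Professional Edition\vsserv.exe" /service (file missing)
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SEVERITY_RANK = {"info": 0, "review": 1, "high": 2}  # assumed severity scale


@dataclass
class Finding:
    severity: str
    line: str
    reasons: list[str]


def short_name(desc: str) -> str:
    """HijackThis prints 'Display name (ServiceName)'; return the service name."""
    m = re.search(r"\((\w+)\)$", desc)
    return m.group(1) if m else desc


def looks_random(name: str) -> bool:
    """Crude heuristic (assumption): 8+ characters with almost no vowels, such as
    'njtefjrn6', is unlikely to be a vendor-chosen service name."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(name) < 8 or not letters:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: list[str] = []
        severity = "info"

        def raise_to(level: str) -> None:
            nonlocal severity
            if SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
                severity = level

        if m := RUN_RE.match(line):
            cmd = m.group("cmd").lstrip('"')
            # A bare file name is resolved through the search path at logon,
            # so a same-named file in an earlier directory would win.
            if not re.match(r"^[A-Za-z]:\\|^%", cmd):
                reasons.append("Run entry without a full path (resolved via search path)")
                raise_to("review")
        elif m := NOTIFY_RE.match(line):
            # Winlogon Notify DLLs are loaded into winlogon.exe; anything
            # outside the Windows directory deserves a look.
            if not m.group("path").upper().startswith("C:\\WINDOWS\\"):
                reasons.append("third-party Winlogon Notify DLL")
                raise_to("review")
        elif m := SERVICE_RE.match(line):
            desc, owner, path = m.group("desc", "owner", "path")
            unknown = owner == "Unknown owner"
            missing = path.endswith("(file missing)")
            if missing and '"' in path:
                # HijackThis 1.99.1 mis-parses quoted ImagePaths with arguments
                # and then reports the file as missing: usually a false alarm.
                reasons.append("'file missing' is likely a parsing artifact of a quoted path")
            elif missing:
                reasons.append("service binary not found on disk")
                raise_to("high" if unknown else "review")
            if unknown and looks_random(short_name(desc)):
                reasons.append(f"random-looking service name {short_name(desc)!r} with no vendor")
                raise_to("high")

        if reasons:
            findings.append(Finding(severity, line, reasons))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a triage run can be compared over time."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {'; '.join(f.reasons)}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample above the only "high" finding is the `njtefjrn6` service (binary missing, unknown owner, random-looking name), while the BitDefender entry that HijackThis also reports as "file missing" is downgraded to "info" because its path carries a stray quote and `/service` argument, the signature of the tool's quoting bug rather than a missing file. The heuristics are deliberately simple; they rank entries for a human to check, they do not decide on their own.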

Hey Shademan,

 

Follow these instructions:

 

1. Open Notepad -> Copy (Ctrl + C) and Paste (Ctrl + V) all the text included in the "Quote":

File::

C:\Arquivos de programas\Desktop.ini

WARNING: The script above was written specifically for the infection on this computer. Using it on another machine may cause serious problems for the user.

2. Save the file as CFScript.txt;

3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.
(image: 645i642.gif)

4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply.

Abraços.


Procedures done. Here is the new ComboFix log:

 

ComboFix 08-05-12.1 - JUNIOR 2008-05-18 13:13:57.2 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.585 [GMT -3:00]

Running from: C:\Documents and Settings\JUNIOR\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\JUNIOR\Desktop\CFScript.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\Arquivos de programas\Desktop.ini

.

 

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Arquivos de programas\Desktop.ini

 

.

((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 ))))))))))))))))))))))))))))))))

.

 

2008-05-16 23:18 . 2008-05-16 23:17 568,543 --a------ C:\ahA.gif

2008-05-11 23:29 . 2008-05-11 23:34 <DIR> d-------- C:\Arquivos de programas\Panda Security

2008-04-27 13:22 . 2008-04-27 13:33 157,144 --a------ C:\error1.JPG

2008-04-26 15:13 . 2008-04-26 15:13 <DIR> d-------- C:\Arquivos de programas\wma Studio

2008-04-25 22:25 . 2008-04-25 22:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-04-25 22:25 . 2008-04-26 15:12 <DIR> d-------- C:\WINDOWS\LastGood(3)

2008-04-25 22:25 . 2008-04-25 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab

2008-04-23 02:02 . 2008-04-26 15:13 <DIR> d-------- C:\Arquivos de programas\PixiePack Codec Pack

2008-04-23 01:43 . 2008-04-26 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\RapidSolution

2008-04-22 02:28 . 2008-04-26 15:15 <DIR> d-------- C:\Arquivos de programas\Free WMA to MP3 Converter

2008-04-19 19:26 . 2008-04-19 19:26 83,087 --a------ C:\error.JPG

2008-04-18 18:31 . 2008-04-18 18:31 <DIR> d-------- C:\Documents and Settings\Convidado\Dados de aplicativos\MEGAUPLOADTOOLBAR

2008-04-18 16:09 . 2005-02-24 12:14 <DIR> d--h----- C:\Documents and Settings\Convidado\Modelos

2008-04-18 16:09 . 2008-04-18 16:09 <DIR> dr------- C:\Documents and Settings\Convidado\Meus documentos

2008-04-18 16:09 . 2004-11-17 21:49 <DIR> dr------- C:\Documents and Settings\Convidado\Menu Iniciar

2008-04-18 16:09 . 2008-04-18 16:09 <DIR> d-------- C:\Documents and Settings\Convidado\Favoritos

2008-04-18 16:09 . 2008-04-18 18:31 <DIR> dr-h----- C:\Documents and Settings\Convidado\Dados de aplicativos

2008-04-18 16:09 . 2008-05-18 13:16 <DIR> d--h----- C:\Documents and Settings\Convidado\Configurações locais

2008-04-18 16:09 . 2004-11-17 21:49 <DIR> d--h----- C:\Documents and Settings\Convidado\Ambiente de rede

2008-04-18 16:09 . 2004-11-17 21:49 <DIR> d--h----- C:\Documents and Settings\Convidado\Ambiente de impressão

2008-04-18 16:09 . 2008-04-26 15:17 <DIR> d-------- C:\Documents and Settings\Convidado

2008-04-18 16:09 . 2008-05-18 12:00 1,024 --ah----- C:\Documents and Settings\Convidado\NTUSER.DAT.LOG

2008-04-18 16:03 . 2005-02-24 12:14 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos

2008-04-18 16:03 . 2008-05-18 13:16 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede

2008-04-18 16:03 . 2004-11-17 21:49 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão

2008-04-18 16:03 . 2008-04-26 15:17 <DIR> d-------- C:\Documents and Settings\Administrador

2008-04-18 16:03 . 2008-05-18 13:11 1,024 --ah----- C:\Documents and Settings\Administrador\NTUSER.DAT.LOG

2008-04-18 01:29 . 2008-05-13 22:51 <DIR> d-------- C:\Hijackthis

 

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-18 16:11 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

2008-05-09 21:07 --------- d-----w C:\Documents and Settings\JUNIOR\Dados de aplicativos\Skype

2008-05-02 02:10 --------- d-----w C:\Arquivos de programas\Real

2008-05-01 14:20 --------- d-----w C:\Arquivos de programas\GbPlugin

2008-04-27 01:34 --------- d-----w C:\Arquivos de programas\GetRight

2008-04-26 19:16 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Real

2008-04-26 19:15 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll

2008-04-22 05:18 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-04-12 04:44 --------- d-----w C:\Documents and Settings\JUNIOR\Dados de aplicativos\BrOffice.org2

2008-04-02 02:43 --------- d-----w C:\Arquivos de programas\HooTech

2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:49 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:37 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2005-06-02 04:48 37 ----a-w C:\Documents and Settings\JUNIOR\getfile.dat

2005-01-05 13:18 284 ----a-w C:\Documents and Settings\JUNIOR\Dados de aplicativos\ViewerApp.dat

.

 

((((((((((((((((((((((((((((( snapshot@2008-05-13_22.42.47,48 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-14 01:31:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-18 16:11:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat

- 2008-04-26 20:57:04 593,920 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2008-05-14 16:34:50 593,920 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2008-04-26 20:57:04 12,288 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2008-05-14 16:34:50 12,288 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2008-04-26 20:57:05 86,016 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\inficon.exe

+ 2008-05-14 16:34:50 86,016 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\inficon.exe

- 2008-04-26 20:57:04 135,168 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2008-05-14 16:34:50 135,168 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2008-04-26 20:57:05 11,264 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2008-05-14 16:34:50 11,264 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2008-04-26 20:57:05 27,136 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2008-05-14 16:34:50 27,136 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2008-04-26 20:57:05 4,096 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2008-05-14 16:34:50 4,096 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2008-04-26 20:57:05 794,624 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2008-05-14 16:34:50 794,624 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2008-04-26 20:57:04 249,856 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2008-05-14 16:34:50 249,856 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2008-04-26 20:57:04 61,440 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2008-05-14 16:34:50 61,440 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2008-04-26 20:57:05 23,040 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2008-05-14 16:34:50 23,040 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2008-04-26 20:57:03 286,720 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2008-05-14 16:34:50 286,720 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2008-04-26 20:57:03 409,600 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2008-05-14 16:34:50 409,600 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2008-03-25 04:50:25 554,008 -c----w C:\WINDOWS\system32\dllcache\dao360.dll

+ 2008-03-25 04:50:28 518,944 -c----w C:\WINDOWS\system32\dllcache\msexch40.dll

+ 2008-03-25 04:50:30 326,432 -c----w C:\WINDOWS\system32\dllcache\msexcl40.dll

+ 2008-03-25 04:50:34 1,516,568 -c----w C:\WINDOWS\system32\dllcache\msjet40.dll

+ 2008-03-25 04:50:40 355,112 -c----w C:\WINDOWS\system32\dllcache\msjetol1.dll

+ 2008-03-25 04:49:45 183,072 -c----w C:\WINDOWS\system32\dllcache\msjint40.dll

+ 2008-03-25 04:50:42 60,192 -c----w C:\WINDOWS\system32\dllcache\msjter40.dll

+ 2008-03-25 04:50:42 248,608 -c----w C:\WINDOWS\system32\dllcache\msjtes40.dll

+ 2008-03-25 04:50:44 219,936 -c----w C:\WINDOWS\system32\dllcache\msltus40.dll

+ 2008-03-25 04:50:45 355,104 -c----w C:\WINDOWS\system32\dllcache\mspbde40.dll

+ 2008-03-25 04:50:47 432,928 -c----w C:\WINDOWS\system32\dllcache\msrd2x40.dll

+ 2008-03-25 04:50:49 322,336 -c----w C:\WINDOWS\system32\dllcache\msrd3x40.dll

+ 2008-03-25 04:50:52 559,904 -c----w C:\WINDOWS\system32\dllcache\msrepl40.dll

+ 2008-03-25 04:50:55 264,992 -c----w C:\WINDOWS\system32\dllcache\mstext40.dll

+ 2008-03-25 04:50:57 838,432 -c----w C:\WINDOWS\system32\dllcache\mswdat10.dll

+ 2008-03-25 04:49:46 621,344 -c----w C:\WINDOWS\system32\dllcache\mswstr10.dll

+ 2008-03-25 04:50:58 355,104 -c----w C:\WINDOWS\system32\dllcache\msxbde40.dll

- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe

+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe

- 2004-08-04 07:45:23 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll

+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll

- 2004-08-04 07:45:23 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll

+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll

- 2004-08-04 07:45:24 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll

+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll

- 2004-07-17 18:34:46 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll

+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll

- 2004-08-04 07:45:24 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll

+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll

- 2004-08-04 07:45:24 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll

+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll

- 2004-08-04 07:45:24 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll

+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll

- 2004-08-04 07:45:24 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll

+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll

- 2004-08-04 07:45:24 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll

+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll

- 2004-08-04 07:45:24 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll

+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll

- 2004-08-04 07:45:24 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll

+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll

- 2004-08-04 07:45:24 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll

+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll

- 2004-08-04 07:45:24 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll

+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll

- 2004-08-04 07:45:25 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll

+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll

.

-- Snapshot reset to current date --

.

(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* empty entries and legitimate default entries are not shown.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:45 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 07:50 155648]

"S3TRAY2"="S3tray2.exe" [2001-12-17 11:09 69632 C:\WINDOWS\system32\S3tray2.exe]

"BDMCon"="C:\ARQUIV~1\Softwin\BITDEF~2\bdmcon.exe" [2005-06-10 14:11 229376]

"BDNewsAgent"="C:\ARQUIV~1\Softwin\BITDEF~2\bdnagent.exe" [2005-06-17 08:36 4608]

"BDSwitchAgent"="C:\Arquivos de programas\Softwin\BitDefender Professional Edition\bdswitch.exe" [2005-06-10 13:20 53248]

"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 13:48 286720]

"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-04-26 16:15 185896]

"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 04:45 159744]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 04:45 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Arquivos de programas\Scpad\scpLIB.dll [2007-05-02 01:13 128512]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GBPLUGIN\gbieh.dll [2008-04-15 09:37 378696]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-05-02 01:13 128512]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\ARQUIV~1\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]

C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\Arquivos de programas\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3acm"= l3codecp.acm

"vidc.3ivx"= 3ivxVfWCodec.dll

"vidc.3iv2"= 3ivxVfWCodec.dll

"msacm.divxa32"= divxa32.acm

"VIDC.HFYU"= huffyuv.dll

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"VIDC.VP31"= vp31vfw.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\SpRb0x®\\SpRb0x.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\FlashFXP\\flashfxp.exe"=

"C:\\Arquivos de programas\\GenialGiFT\\gift\\giFT.exe"=

"C:\\WINDOWS\\system32\\rtcshare.exe"=

"C:\\Arquivos de programas\\NetMeeting\\conf.exe"=

"C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe"=

"C:\\Arquivos de programas\\Java\\jre1.5.0_09\\bin\\javaw.exe"=

"C:\\Arquivos de programas\\ICQLite\\ICQLite.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\DremTeamShare\\DreMule\\emule.exe"=

"C:\\Arquivos de programas\\MegaJogos\\jre\\jre\\bin\\javaw.exe"=

"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

"C:\\Arquivos de programas\\DsNET Corp\\aTube Catcher 1.0\\smh.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

 

S2 FILESpy;FILESpy;C:\Arquivos de programas\Softwin\BitDefender Professional Edition\filespy.sys [2005-06-10 14:11]

S2 njtefjrn6;rjivrmogbkhk;C:\WINDOWS\system32\fxsedrzc6.exe []

S2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-09-05 23:50]

S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []

S3 glauiad;D-Link DSL-502G Router;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2004-04-10 23:24]

S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 21:28]

 

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-18 13:19:10

Windows 5.1.2600 Service Pack 2 NTFS

 

Scanning hidden processes ...

 

Scanning hidden autostart entries ...

 

Scanning hidden files ...

 

Scan completed successfully

Hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-18 13:21:32

ComboFix-quarantined-files.txt 2008-05-18 16:21:22

 

Pre-Run: 3,580,919,808 bytes free

Post-Run: 4,114,575,360 bytes free

 

230 --- E O F --- 2008-05-16 12:47:38

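Two things in the logs above deserve a second look before the thread moves on to the spoolsv.exe question. First, the service `rjivrmogbkhk (njtefjrn6)` in the HijackThis O23 list and again in the ComboFix service section points at `C:\WINDOWS\system32\fxsedrzc6.exe`, which no longer exists: an orphaned service with a random-looking name is a classic leftover of a removed infection and is worth deleting from the registry on its own. Second, under the Security Center key both `AntiVirusOverride` and `AntiVirusDisableNotify` are set to 1, which suppresses the "no antivirus running" warning; a user can set these deliberately, but malware sets them too. The script below is an added example, not part of HijackThis, ComboFix or the original posts. It parses both service line formats, flags missing binaries, unknown owners and random-looking names (a vowel-ratio heuristic, labelled as such in the code), and reports the Security Center overrides. The sample input is copied from the logs above; reading an empty `[]` after a ComboFix service line as "no file found to stamp" is my interpretation of that format.

```python
"""Triage service entries from HijackThis (O23) and ComboFix logs.

Added example for this thread; not part of HijackThis, ComboFix or the
original posts. It flags services whose binary is missing, whose owner
is unknown, or whose name looks machine-generated (a heuristic, not
proof), and reports Security Center override values.
"""
import re
from collections import OrderedDict

# HijackThis: O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# ComboFix: S2 <name>;<display>;<path> [<stamp>]
# Assumption: an empty [] means ComboFix found no file to stamp (file missing).
CFX_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")

SECURITY_CENTER_KEY = r"[hkey_local_machine\software\microsoft\security center]"


def looks_generated(name):
    """Heuristic: 8+ letters, under 30% vowels, and a run of 4+ consonants.
    Tune on your own data; short legitimate names like 'Pctspk' pass through."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.3 and re.search(r"[^aeiou]{4,}", letters) is not None


def parse_service(line):
    """Return a normalised service record for either log format, else None."""
    m = O23_RE.match(line)
    if m:
        return {"name": m["name"], "display": m["display"], "owner": m["owner"],
                "path": m["path"], "missing": m["missing"] is not None}
    m = CFX_RE.match(line)
    if m:
        return {"name": m["name"], "display": m["display"], "owner": None,
                "path": m["path"], "missing": m["stamp"] == ""}
    return None


def triage(lines):
    """Merge the two logs by service name; return entries with at least one reason."""
    merged = OrderedDict()
    for line in lines:
        svc = parse_service(line.strip())
        if svc is None:
            continue
        cur = merged.setdefault(svc["name"].lower(),
                                {"name": svc["name"], "path": svc["path"], "reasons": set()})
        if svc["missing"]:
            cur["reasons"].add("file missing")
        if svc["owner"] == "Unknown owner":
            cur["reasons"].add("unknown owner")
        if looks_generated(svc["name"]) or looks_generated(svc["display"]):
            cur["reasons"].add("random-looking name")
    return [dict(v, reasons=sorted(v["reasons"])) for v in merged.values() if v["reasons"]]


def security_center_overrides(lines):
    """Names under the Security Center key whose value is 1 (warnings suppressed)."""
    hits, in_key = [], False
    for line in lines:
        s = line.strip()
        if s.startswith("["):
            in_key = s.lower() == SECURITY_CENTER_KEY
        elif in_key:
            m = re.match(r'^"(\w+)"=dword:0*1$', s)
            if m:
                hits.append(m.group(1))
    return hits


# Sample input copied from the HijackThis and ComboFix logs in this thread.
SAMPLE = r"""
O23 - Service: rjivrmogbkhk (njtefjrn6) - Unknown owner - C:\WINDOWS\system32\fxsedrzc6.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
S2 njtefjrn6;rjivrmogbkhk;C:\WINDOWS\system32\fxsedrzc6.exe []
S2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-09-05 23:50]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['name']:<12} {f['path']}  <- {', '.join(f['reasons'])}")
    for name in security_center_overrides(SAMPLE):
        print(f"Security Center: {name} = 1")
```

On the sample it reports `njtefjrn6` (file missing, random-looking name, unknown owner) and `AvFlt` (file missing, the BitDefender filter driver whose package was only partly removed), and both Security Center values. A hit on the name heuristic alone is a prompt to look, not a verdict; the missing-file check is the reliable part.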

Monday, May 26, 2008 11:04:57 AM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 26/05/2008

Kaspersky Anti-Virus database records: 800751

 

 

Scan Settings

Scan using the following antivirus database extended

Scan Archives true

Scan Mail Bases true

 

Scan Target My Computer

A:\

C:\

D:\

E:\

 

Scan Statistics

Total number of scanned objects 60453

Number of viruses found 3

Number of infected objects 10

Number of suspicious objects 0

Duration of the scan process 02:03:25

 

Infected Object Name Virus Name Last Action

C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin\Bb\bb.gpc.upd.017E95D6c Object is locked skipped

 

C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

 

C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Dados de aplicativos\Microsoft\Feeds Cache\index.dat Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Histórico\History.IE5\MSHist012008052620080527\index.dat Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\~DFDD84.tmp Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\~DFEBF0.tmp Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\~DFEC01.tmp Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\JUNIOR\Cookies\index.dat Object is locked skipped

 

C:\Documents and Settings\JUNIOR\ntuser.dat Object is locked skipped

 

C:\Documents and Settings\JUNIOR\ntuser.dat.LOG Object is locked skipped

 

C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

 

C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

 

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

 

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

 

C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped

 

C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

 

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

 

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

 

C:\mysql\data\mysql.err Object is locked skipped

 

C:\QooBox\Quarantine\C\Arquivos de programas\DremTeamShare\DreMule\Incoming\MuvAudio 1.2 + Crack.zip.vir/MuvAudio 1.2 + Crack/crack.exe Infected: Trojan-Downloader.Win32.Delf.abd skipped

 

C:\QooBox\Quarantine\C\Arquivos de programas\DremTeamShare\DreMule\Incoming\MuvAudio 1.2 + Crack.zip.vir ZIP: infected - 1 skipped

 

C:\QooBox\Quarantine\C\Documents and Settings\JUNIOR\Configurações locais\Temp\Av-test.txt.vir Object is locked skipped

 

C:\SpRb0x®\SpRb0x.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

 

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

 

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP607\A0138474.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

 

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP607\A0138474.exe mIRC: infected - 1 skipped

 

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\A0138758.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped

 

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\A0138758.exe Vise: infected - 1 skipped

 

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\A0138770.exe/mIRC/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

 

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\A0138770.exe ZIP: infected - 1 skipped

 

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\change.log Object is locked skipped

 

C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe Object is locked skipped

 

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

 

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

 

C:\WINDOWS\SoftwareDistribution\EventCache\{6C74BA8D-E716-4736-8AD7-B9A4CB219F3C}.bin Object is locked skipped

 

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

 

C:\WINDOWS\Sti_Trace.log Object is locked skipped

 

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

 

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

 

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

 

C:\WINDOWS\system32\config\default Object is locked skipped

 

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

 

C:\WINDOWS\system32\config\SAM Object is locked skipped

 

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

 

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

 

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\software Object is locked skipped

 

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

 

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

 

C:\WINDOWS\system32\config\system Object is locked skipped

 

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

 

C:\WINDOWS\system32\h323log.txt Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

 

C:\WINDOWS\TEMP\tmp00007f0e\tmp00000000 Object is locked skipped

 

C:\WINDOWS\wiadebug.log Object is locked skipped

 

C:\WINDOWS\wiaservc.log Object is locked skipped

 

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.


Hey Shademan,

Sorry for the delay; time has not been on my side lately.

Follow these instructions:

1. Open Notepad -> copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Quote":

File::

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP607\A0138474.exe

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\A0138758.exe

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\A0138770.exe

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\change.log

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\mIRC\mirc.exe

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\~DFDD84.tmp

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\~DFEBF0.tmp

C:\Documents and Settings\JUNIOR\Configurações locais\Temp\~DFEC01.tmp

Folder::

C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}

C:\QooBox\Quarantine

C:\SpRb0x®\SpRb0x.exe

WARNING: The script above was written specifically for the infection on this computer. Using it on another machine may cause that user serious problems.

2. Save the file as CFScript.txt;

3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.
645i642.gif

4. Run Kaspersky Online again and see whether it still detects anything.

Cheers.

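The File:: and Folder:: lists in the post above are derived by hand from the Kaspersky report: each detected object is mapped back to the file that exists on disk (an archive member such as `A0138474.exe/data0001.bin` points at `A0138474.exe`), "Object is locked" lines are ignored, and detections inside System Restore lead to the whole `_restore{...}` folder. The script below is an added example, not a ComboFix feature or the helper's own tool. It automates that mapping and drafts the CFScript for a person to review, and it keeps detections that are only `not-a-virus:` riskware (the mIRC client, the Gator adware) apart from real malware, since those files may have been installed on purpose. The sample lines are copied from the report above.

```python
"""Draft a ComboFix CFScript from a Kaspersky Online Scanner report.

Added example for this thread; not a ComboFix feature or the helper's own
tool. It parses the three line shapes in the report ("Infected:",
"<ARCHIVE>: infected - N", "Object is locked"), maps archive members back
to the file on disk, and drafts File::/Folder:: sections for a human to
review. It deletes nothing itself.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?:Infected: (?P<threat>\S+)"
    r"|(?P<arch>\w+): infected - (?P<n>\d+)"
    r"|(?P<locked>Object is locked)) (?P<action>\w+)$")
# System Restore store that held a detection; ComboFix can drop the whole folder.
RESTORE_RE = re.compile(r"^(?P<dir>[A-Z]:\\System Volume Information\\_restore\{[^}]+\})", re.I)


def parse_line(line):
    """One report line -> record, or None for lines that are not findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Kaspersky writes "<archive>/<member>"; only the archive exists on disk.
    container, _, member = m["obj"].partition("/")
    kind = "locked" if m["locked"] else ("archive" if m["arch"] else "infected")
    return {"container": container, "member": member or None,
            "threat": m["threat"], "kind": kind, "action": m["action"]}


def detections(lines):
    """Distinct on-disk files with a detection, in report order; locked objects skipped."""
    found = OrderedDict()
    for line in lines:
        e = parse_line(line)
        if e is None or e["kind"] == "locked":
            continue
        threats = found.setdefault(e["container"], [])
        if e["threat"] and e["threat"] not in threats:
            threats.append(e["threat"])
    return found


def is_riskware(threat):
    """Kaspersky's 'not-a-virus:' prefix marks tools (IRC clients, adware) rather than malware."""
    return threat.startswith("not-a-virus:")


def review_notes(found):
    """Files whose only detections are riskware: confirm with the user before deleting."""
    return [path for path, threats in found.items()
            if threats and all(is_riskware(t) for t in threats)]


def draft_cfscript(found):
    """File:: for every detected file, Folder:: for each restore store that held one."""
    files = list(found)
    folders = []
    for path in files:
        m = RESTORE_RE.match(path)
        if m and m["dir"] not in folders:
            folders.append(m["dir"])
    text = "File::\n" + "\n".join(files) + "\n"
    if folders:
        text += "Folder::\n" + "\n".join(folders) + "\n"
    return text


# Sample lines copied from the Kaspersky report in this thread.
SAMPLE = r"""
C:\Documents and Settings\JUNIOR\Configurações locais\Temp\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\JUNIOR\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\C\Arquivos de programas\DremTeamShare\DreMule\Incoming\MuvAudio 1.2 + Crack.zip.vir/MuvAudio 1.2 + Crack/crack.exe Infected: Trojan-Downloader.Win32.Delf.abd skipped
C:\QooBox\Quarantine\C\Arquivos de programas\DremTeamShare\DreMule\Incoming\MuvAudio 1.2 + Crack.zip.vir ZIP: infected - 1 skipped
C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP607\A0138474.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP607\A0138474.exe mIRC: infected - 1 skipped
C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\A0138758.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\System Volume Information\_restore{2A9F566F-9BD1-4165-8456-53CC74AB0509}\RP610\A0138758.exe Vise: infected - 1 skipped
C:\SpRb0x®\SpRb0x.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
""".strip().splitlines()

if __name__ == "__main__":
    found = detections(SAMPLE)
    print(draft_cfscript(found))
    for path in review_notes(found):
        print("riskware only, confirm before deleting:", path)
```

The draft lists the five on-disk files and one `Folder::` entry for the restore store; of those, only the quarantined crack.exe archive is a real trojan detection, and the rest are riskware that the user should confirm before they go into a deletion script. Restore-point copies are best handled by turning System Restore off and on again after the cleanup rather than by deleting individual `A01*.exe` files.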

Here is the Kaspersky log:

 

Tuesday, June 10, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Tuesday, June 10, 2008 13:33:01

Records in database: 845725

 

 

Scan settings

Scan using the following database extended

Scan archives yes

Scan mail databases yes

 

Scan area My Computer

A:\

C:\

D:\

E:\

 

Scan statistics

Files scanned 55069

Threat name 0

Infected objects 0

Suspicious objects 0

Duration of the scan 01:52:40

 

No malware has been detected. The scan area is clean.

The selected area was scanned.

 

---------------------------------------

 

It looks like all the malware has been removed. But the trojan in spoolsv.exe is still there, and Kaspersky didn't even detect it. Only BitDefender detected it.


Hey Shademan,

Download Virus Removal Tool (the file is large, but it is worth it; pick the last one in the list).

Reboot into Safe Mode.

Run a full scan and come back with the result.

Cheers.

Hi jgarcia, how are you?

I ran the scan in Safe Mode and nothing was found.

Have you tried uninstalling and reinstalling your printer driver?


Following your suggestion, I tried it a little while ago, removing the driver and installing a new one. This annoying pest is still there, though as far as I can tell it seems harmless.


Hey Shademan,

Submit the file below to the Jotti site:

C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe

... and come back with the result.

Cheers.


When I submitted it on that site, BitDefender beeped saying it had the trojan (I clicked OK to continue). On the site itself, a blank page appeared with only this message in English:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

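A "0 bytes" upload is what you get when the on-access scanner denies every read of the file, which is the most likely reason for the Jotti message above: the browser opened the file, BitDefender blocked the read, and an empty body went up. Rather than shipping the bytes, a practitioner fingerprints the file locally (hashes, plus the PE header's target machine and compile timestamp) and compares those against a known-good copy or a hash database; `C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe` is the pre-SP2 copy Windows keeps for rollback, so it will legitimately differ from `system32\spoolsv.exe`, but its hash and build date should match the pre-SP2 release. The script below is an added example, not a tool from the original posts. `build_sample()` constructs a minimal DOS stub plus PE file header so the script runs offline; it is not a real spoolsv.exe.

```python
"""Fingerprint a suspect executable locally instead of uploading it.

Added example for this thread, not a tool from the original posts. It
hashes the file, reads the PE file header for the target machine and
compile timestamp, and treats a 0-byte read as an error rather than a
result, which is the failure behind the "file you uploaded is 0 bytes"
message above.
"""
import hashlib
import struct
import sys
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C


def parse_pe_header(data):
    """IMAGE_FILE_HEADER fields of a PE image, or None if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, sections, stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": sections,
        "timestamp": stamp,
        "compiled_utc": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": chars,
    }


def fingerprint(data):
    """Hashes plus PE header facts; compare them against a known-good copy or a hash database."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "pe": parse_pe_header(data),
    }


def fingerprint_file(path):
    """Read the whole file; an empty read means the file is empty or a scanner blocked it."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data:
        raise RuntimeError(f"{path}: read 0 bytes (empty file, or an on-access scanner denied the read)")
    return fingerprint(data)


# Constructed sample so the script runs offline: a DOS header whose e_lfanew points at a
# bare PE file header (x86, one section, built 2004-08-04 07:45:23 UTC). Not a real spoolsv.exe.
SAMPLE_TIMESTAMP = 1091605523


def build_sample():
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # 64 bytes, e_lfanew = 0x40
    file_header = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1,
                                          SAMPLE_TIMESTAMP, 0, 0, 0, 0x0102)
    return dos_header + file_header


if __name__ == "__main__":
    report = fingerprint_file(sys.argv[1]) if len(sys.argv) > 1 else fingerprint(build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as `python fingerprint.py "C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe"`. If the scanner blocks the read you get a PermissionError or the explicit 0-byte error, never a silent empty result. A compile timestamp from 2001 or 2002 and a hash that matches the pre-SP2 spoolsv.exe build say the file is the genuine rollback copy and the alert is a false positive; a recent timestamp on a file that claims to be that old is the thing to worry about. A catalog-aware signature check (Sysinternals sigcheck) on the same file settles it, because Windows system files are signed through the catalog rather than embedded Authenticode.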

Hey Shademan,

Let's try to fix the remaining problem with CCleaner -> download it here.

1. To run the cleanup, just tick the Cleaner option (top left) and click Run Cleaner (bottom right). Here you can choose to clean Windows, Applications, or both;

2. To fix errors, choose the Registry option (top left), click Scan for Issues (bottom left) and then Fix selected issues (bottom right; by default all of them are selected);

3. Under Tools (top left) you can uninstall programs (the same ones listed in Add / Remove Programs) or remove program entries from startup (experienced users only);

4. Under Options are CCleaner's configuration settings, which I suggest you leave unchanged.

Run the actions above (only 1. and 2.) and come back with the result.

Cheers.

