[Arquivado] Meu micro inicializa e já trava ?

MarKteus · Maio 6, 2008

A situação está tão crítica q estou logo enviando dois LOGS um do COMBOFIX e outro do HIJACK

ComboFix 08-05-01.3 - Marcos 2008-05-06 18:28:53.3 - FAT32x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.796 [GMT -3:00]

Executando de: C:\Documents and Settings\Marcos\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((( Ficheiros criados de 2008-04-06 to 2008-05-06 ))))))))))))))))))))))))))))))))

.

2008-05-06 17:45 . 2008-05-06 17:45 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2008-05-06 17:45 . 2008-05-06 17:45 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais

2008-05-06 17:45 . 2008-05-06 17:45 <DIR> d-------- C:\Documents and Settings\Marcos\Configurações locais

2008-05-06 17:45 . 2008-05-06 17:45 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Configurações locais

2008-05-06 10:26 . 2008-05-06 10:22 300,048 --a------ C:\WINDOWS\system32\drivers\amon.sys

2008-05-06 10:26 . 2008-05-06 10:22 245,760 --a------ C:\WINDOWS\system32\imon.dll

2008-05-06 10:26 . 2008-05-06 10:22 114,688 --a------ C:\WINDOWS\system32\nms32.dll

2008-05-06 10:26 . 2008-05-06 10:26 442 --a------ C:\WINDOWS\system32\mapisvc.inf

2008-05-06 10:22 . 2008-05-06 10:22 <DIR> d-------- C:\Arquivos de programas\ESET

2008-05-05 08:48 . 2008-05-05 08:48 <DIR> d--hs---- C:\FOUND.001

2008-05-04 14:24 . 2008-05-04 14:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-05-04 14:24 . 2008-05-04 14:24 1,409 --a------ C:\WINDOWS\QTFont.for

2008-04-17 20:53 . 2008-04-17 20:53 <DIR> d-------- C:\Arquivos de programas\FirebirdClient

2008-04-17 20:53 . 2008-04-17 20:53 <DIR> d-------- C:\Arquivos de programas\Firebird

2008-04-17 20:53 . 2004-02-23 01:05 356,431 --a------ C:\WINDOWS\system32\GDS32.DLL

2008-04-17 20:51 . 2008-04-17 20:51 <DIR> d-------- C:\ViteSoft

2008-04-17 19:58 . 2008-04-17 19:58 <DIR> d-------- C:\BancoBrasil

2008-04-17 19:58 . 2008-04-17 19:59 185 --a------ C:\aapj.properties

2008-04-17 14:42 . 2008-04-18 11:48 921,624 --a------ C:\img1-001.raw

2008-04-09 10:22 . 2004-05-28 09:03 974,848 --a------ C:\WINDOWS\system32\mfc70.dll

2008-04-09 10:22 . 2004-05-28 09:03 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll

2008-04-07 08:03 . 2008-04-07 08:03 <DIR> d--hs---- C:\FOUND.000

2008-04-06 12:46 . 2008-04-06 12:46 <DIR> d-------- C:\WINDOWS\Album

2008-04-06 12:46 . 2008-04-06 12:46 <DIR> d-------- C:\Arquivos de programas\KYE

2008-04-06 12:45 . 2004-06-25 11:44 331,008 --a------ C:\WINDOWS\system32\drivers\snpstd.sys

2008-04-06 12:45 . 2004-06-10 13:48 286,720 --a------ C:\WINDOWS\vsnpstd.exe

2008-04-06 12:45 . 2003-04-21 14:09 245,408 --a------ C:\WINDOWS\system32\unicows.dll

2008-04-06 12:45 . 2004-05-06 11:22 53,248 --a------ C:\WINDOWS\system32\dsnpstd.dll

2008-04-06 12:45 . 2003-01-17 17:34 15,541 --a------ C:\WINDOWS\snpstd.ini

2008-04-06 12:45 . 2003-01-17 17:35 13,023 --a------ C:\WINDOWS\snpstd.src

2008-04-06 12:44 . 2008-04-06 12:44 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\snpstd

2008-04-06 12:44 . 2004-02-16 13:59 61,440 --a------ C:\WINDOWS\system32\csnpstd.dll

2008-04-06 12:44 . 2004-06-23 16:13 57,344 --a------ C:\WINDOWS\system32\rsnpstd.dll

2008-04-06 12:44 . 2004-05-25 17:21 36,864 --a------ C:\WINDOWS\system32\vsnpstd.dll

2008-04-06 12:44 . 2004-05-25 16:13 36,864 --a------ C:\WINDOWS\system32\dsnpstd.ax

2008-04-06 12:44 . 2004-02-23 15:19 20,480 --a------ C:\WINDOWS\usnpstd.exe

.

((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-14 20:41 --------- d-----w C:\Arquivos de programas\LogMeIn

2004-10-01 18:00 40,960 ----a-w C:\Arquivos de programas\Uninstall_CDS.exe

.

((((((((((((((((((((((((((((( snapshot@2008-05-06_17.43.33.03 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-06 20:40:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-06 21:32:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

----a-w 155,648 2001-07-09 13:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

----a-w 155,648 2001-07-09 13:50:42 C:\WINDOWS\system32\NeroCheck.exe

----a-w 159,744 2004-08-04 07:45:40 C:\WINDOWS\pchealth\helpctr\binaries\bak\MSConfig.exe

----a-w 159,744 2004-08-04 07:45:40 C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe

----a-w 147,514 2003-10-07 12:48:56 C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\bak\TBMon.exe

----a-w 147,514 2003-10-07 12:48:56 C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe

----a-w 94,208 2005-10-28 19:25:44 C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 32,768 2004-11-02 23:24:46 C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\bak\PDVDServ.exe

----a-w 155,648 2003-03-31 22:28:28 C:\Arquivos de programas\Hewlett-Packard\Toolbox2.0\bak\hpbpsttp.exe

----a-w 36,864 2002-12-16 19:51:24 C:\Arquivos de programas\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\bak\StatusClient.exe

----a-w 98,304 2006-06-06 07:43:14 C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder\bak\OrderReminder.exe

----a-w 90,112 2003-03-29 11:53:44 C:\Arquivos de programas\VirtualDrive\bak\VDTask.exe

----a-w 155,648 2006-09-07 19:38:10 C:\Arquivos de programas\QuickTime Alternative\bak\qttask.exe

----a-w 1,415,824 2005-05-31 04:04:00 C:\Arquivos de programas\Spybot - Search & Destroy\bak\TeaTimer.exe

----a-w 1,415,824 2005-05-31 04:04:00 C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Nota* entradas vazias & leg¡timas por defeito nao sao mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

"SpybotSD TeaTimer"="C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]

"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]

"DAEMON Tools Lite"="C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-02-13 20:09 486856]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2005-03-09 08:33 53248 C:\WINDOWS\system32\VTTimer.exe]

"ShStatEXE"="C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.exe" [2004-09-30 08:00 94208]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"Pesquisas"="C:\Arquivos de programas\Lck-Consultoria\retaguarda\CentralLck.exe" [2008-01-03 12:47 8986112]

"LogMeIn GUI"="C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]

"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 13:48 286720]

"nod32kui"="C:\Arquivos de programas\Eset\nod32kui.exe" [2008-05-06 10:22 847872]

"!AVG Anti-Spyware"="C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 06:25 6731312]

"McAfeeUpdaterUI"="C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GbPluginBb"="C:\ARQUIV~1\GBPLUGIN\gbieh.dll" [2008-04-15 09:37 378696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:45 15360]

C:\Documents and Settings\Marcos\Menu Iniciar\Programas\Inicializar\

Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-06 14:57:34 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"= 0 (0x0)

"NoToolbarCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"= 0 (0x0)

"NoToolbarCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GBPLUGIN\gbieh.dll [2008-04-15 09:37 378696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\ARQUIV~1\GBPLUGIN\gbieh.dll 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3acm"= l3codecp.acm

"MSVideo"= CSvidcap.dll

"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.exe.lnk]

path=

backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]

path=

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^TVR Scheduler.lnk]

path=

backup=C:\WINDOWS\pss\TVR Scheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcos^Menu Iniciar^Programas^Inicializar^PVRemote.lnk]

path=

backup=C:\WINDOWS\pss\PVRemote.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

C:\Arquivos de programas\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

--a------ 2006-10-13 17:20 20058152 C:\Arquivos de programas\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

--a------ 2004-03-26 14:40 794624 C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a------ 2004-04-01 10:52 1368064 C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TelExtreme]

C:\Arquivos de programas\TelExtreme\TelExtreme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ewido anti-spyware 4.0 guard"=2 (0x2)

"Autodesk Licensing Service"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"wuauserv"=3 (0x3)

"SysmonLog"=3 (0x3)

"SoundMAX Agent Service (default)"=2 (0x2)

"SENS"=2 (0x2)

"mi-raysat_3dsmax9_32"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Internet Explorer\\IEXPLORE.EXE"=

"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"C:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"C:\\ViteSoft\\Admin\\VSCyberAdmin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"445:TCP"= 445:TCP:@xpsp2res.dll,-22005

"137:UDP"= 137:UDP:@xpsp2res.dll,-22001

"1155:TCP"= 1155:TCP:VSCyber

"3050:TCP"= 3050:TCP:Firebird

R1 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys [2003-02-25 10:38]

S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe [2004-02-23 01:05]

S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Arquivos de programas\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]

S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]

S2 SQLWriter;SQL Server VSS Writer;"c:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]

S3 CXTuner;Conexant TVTuner;C:\WINDOWS\system32\drivers\CXTuner.sys [2006-03-08 23:31]

S3 CXVideo;Conexant Capture;C:\WINDOWS\system32\drivers\CXVCap.sys [2006-03-08 23:30]

S3 CXXBar;Conexant Crossbar;C:\WINDOWS\system32\drivers\CXXBar.sys [2006-03-08 23:30]

S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe [2004-02-23 01:05]

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-06 18:33:07

Windows 5.1.2600 Service Pack 2 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializ veis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

.

**************************************************************************

.

Tempo para conclusao: 2008-05-06 18:35:56 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-06 21:35:54

ComboFix3.txt 2007-12-05 20:16:04

ComboFix2.txt 2008-05-06 20:45:14

Pre-Run: 5,329,616,896 bytes disponíveis

Post-Run: 5,354,946,560 bytes dispon¡veis

201

LOG HIJACK

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:27:42, on 6/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.escolabinarios.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [Pesquisas] C:\Arquivos de programas\Lck-Consultoria\retaguarda\CentralLck.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\RunOnce: [ GbPluginBb] RunDll32.exe C:\ARQUIV~1\GBPLUGIN\gbieh.dll,Gbieh

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203116029609

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F5100C48-14EF-4AD6-8AE3-28932553FD58}: NameServer = 200.225.197.34,200.225.197.37

O20 - AppInit_DLLs:

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Arquivos de programas\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Arquivos de programas\LogMeIn\x86\LogMeIn.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Arquivos de programas\Eset\nod32krn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 6684 bytes

DigRam · Maio 9, 2008

Boa Noite! MarKteus

<@> Desinstale seus programas de segurança bancária.

<@> Sendo que,após a desinfecção,serão novamente reinstalados.

---------------------------------

>@< BAIXE:

< Advanced WindowsCare >

>@< Salve-o no Desktop ou Arquivos de Programa.

>@< Este programa,elimina: históricos e temporários.

>@< Procura,também,otimizar o SO e remover alguns Spywares.

---------------------------------

>@< Antes de executar o programa,atualize o Banco de Dados: Clique em Estado.

>@< Clique em Atualizar Agora. >> Aguarde!

>@< Terminando,vá em Mais >> Clique em Limpador de Memória.

>@< Abrir-se-á a janela: Limpador de Memória.

>@< Clique em Limpar agora! Aguarde...

>@< Surgirá uma mensagem,após o término,informando a quantidade de memória liberada.

>@< Clique em Sair.

>@< Abra o programa e clique em Start >> Clique em Scan. ( Analisar )

>@< Terminando,aparecerão em vermelho,os ítens a serem removidos.

>@< Clique,agora,no botão Care. ( Reparar )

>@< Caso queira monitorar,o que será removido,clique para cada ítem,em: Show Details,antes de clicar em Reparar.

>@< Concluindo,reinicie o computador!

---------------------------------

>@< Faça o download do move-zonebac.vbs.

>@< Salve-o no Desktop.Mas,não execute-o ainda!

>@< Configure o Windows para que mostre: Ver todos os Arquivos,até os ocultos!

>@< Reinicie em Modo Seguro,e rode o move-zonebac.vbs <!>

>@< Surgirá um Prompt,com a mensagem: < Mover arquivos detectados genericamente? >

>@< Nas opções: Sim e Não,escolha o Não!

>@< Espere a conclusão da ferramenta. Aguarde!

>@< Terminando,surgirá um relatório,que voçê postará na sua resposta.

Abraços!

MarKteus · Maio 9, 2008

Boa Noite! MarKteus

<@> Desinstale seus programas de segurança bancária.

<@> Sendo que,após a desinfecção,serão novamente reinstalados.

---------------------------------

>@< BAIXE:

< Advanced WindowsCare >

>@< Salve-o no Desktop ou Arquivos de Programa.

>@< Este programa,elimina: históricos e temporários.

>@< Procura,também,otimizar o SO e remover alguns Spywares.

---------------------------------

>@< Antes de executar o programa,atualize o Banco de Dados: Clique em Estado.

>@< Clique em Atualizar Agora. >> Aguarde!

>@< Terminando,vá em Mais >> Clique em Limpador de Memória.

>@< Abrir-se-á a janela: Limpador de Memória.

>@< Clique em Limpar agora! Aguarde...

>@< Surgirá uma mensagem,após o término,informando a quantidade de memória liberada.

>@< Clique em Sair.

>@< Abra o programa e clique em Start >> Clique em Scan. ( Analisar )

>@< Terminando,aparecerão em vermelho,os ítens a serem removidos.

>@< Clique,agora,no botão Care. ( Reparar )

>@< Caso queira monitorar,o que será removido,clique para cada ítem,em: Show Details,antes de clicar em Reparar.

>@< Concluindo,reinicie o computador!

---------------------------------

>@< Faça o download do move-zonebac.vbs.

>@< Salve-o no Desktop.Mas,não execute-o ainda!

>@< Configure o Windows para que mostre: Ver todos os Arquivos,até os ocultos!

>@< Reinicie em Modo Seguro,e rode o move-zonebac.vbs <!>

>@< Surgirá um Prompt,com a mensagem: < Mover arquivos detectados genericamente? >

>@< Nas opções: Sim e Não,escolha o Não!

>@< Espere a conclusão da ferramenta. Aguarde!

>@< Terminando,surgirá um relatório,que voçê postará na sua resposta.

Abraços!

Postando LOG do Move-Zonebac.vbs

RENOMEADOR DE BAKS

Restaura arquivos de backup do Trojan.Zonebac

Backups: C:\bak-backups\9-5-2008 13-20

-----------------------------------------------------------------------

Chaves do Registro:

HKLM\..\Run: [VTTimer] VTTimer.exe

HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

HKLM\..\Run: [Pesquisas] C:\Arquivos de programas\Lck-Consultoria\retaguarda\CentralLck.exe

HKLM\..\Run: [LogMeIn GUI] C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe

HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

HKLM\..\Run: [statusClient] C:\Arquivos de programas\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

HKLM\..\Run: [APVXDWIN] C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE /s

HKCU\..\Run: [MSMSGS] C:\Arquivos de programas\Messenger\msmsgs.exe /background

HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

HKCU\..\Run: [NBJ] C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe

HKCU\..\Run: [DAEMON Tools Lite] C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe -autorun

HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

Procurando: C:\WINDOWS\system32\VTTimer.exe

--> Tamanho: 53248

--> Pasta BAK encontrada, sem arquivo homônimo

--> Pasta BAK não está vazia!!!

Procurando: C:\WINDOWS\system32\NeroCheck.exe

--> Tamanho: 155648

--> BAK encontrado!

--> Tamanho BAK: 155648

--> Arquivo original movido!

Procurando: C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

--> Tamanho: 132496

--> Pasta BAK não encontrada

Procurando: C:\Arquivos de programas\Lck-Consultoria\retaguarda\CentralLck.exe

--> Tamanho: 8986112

--> Pasta BAK não encontrada

Procurando: C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe

--> Tamanho: 63048

--> Pasta BAK não encontrada

Procurando: C:\WINDOWS\vsnpstd.exe

--> Tamanho: 286720

--> Pasta BAK não encontrada

Procurando: C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\APVXDWIN.exe

--> Tamanho: 455984

--> Pasta BAK não encontrada

Procurando: C:\Arquivos de programas\Messenger\msmsgs.exe

--> Tamanho: 1667584

--> Pasta BAK encontrada, sem arquivo homônimo

Procurando: C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

--> Tamanho: 1415824

--> BAK encontrado!

--> Tamanho BAK: 1415824

--> Arquivo original movido!

Procurando: C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe

--> Tamanho: 1961984

--> Pasta BAK não encontrada

Procurando: C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe

--> Tamanho: 486856

--> Pasta BAK não encontrada

Procurando: C:\WINDOWS\system32\ctfmon.exe

--> Tamanho: 15360

--> Pasta BAK não encontrada

Pastas BAK Restantes:

C:\WINDOWS\pchealth\helpctr\binaries\bak - 159744 bytes

--> MSConfig.exe - 159744 bytes [ Encontrado pai: 5/6/2006 00:37:05 ]

C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\bak - 147514 bytes

--> TBMon.exe - 147514 bytes

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\bak - 94208 bytes

--> NMBgMonitor.exe - 94208 bytes

C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\bak - 32768 bytes

--> PDVDServ.exe - 32768 bytes

C:\Arquivos de programas\Hewlett-Packard\Toolbox2.0\bak - 155648 bytes

--> hpbpsttp.exe - 155648 bytes

C:\Arquivos de programas\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\bak - 36864 bytes

--> StatusClient.exe - 36864 bytes

C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder\bak - 98304 bytes

--> OrderReminder.exe - 98304 bytes

C:\Arquivos de programas\VirtualDrive\bak - 90112 bytes

--> VDTask.exe - 90112 bytes

C:\Arquivos de programas\QuickTime Alternative\bak - 155648 bytes

--> qttask.exe - 155648 bytes

DigRam · Maio 10, 2008

Boa Tarde! MarKteus

>@< Poste um novo log do HijackThis + ComboFix.txt,na sua resposta.

Abraços!

MarKteus · Maio 12, 2008

Vou precisar desativar algum software, entrar pelo modo de segurança ? :mellow:

DigRam · Maio 12, 2008

Vou precisar desativar algum software, entrar pelo modo de segurança ? :mellow:

---------------------------

Boa Noite! MarKteus

<@> Desabilite seus programas de proteção,ao executar o ComboFix.

<@> Poste:

<1> HijackThis,feito em Modo Normal.

<2> ComboFix.txt,executado em Modo Seguro.

Abraços!

MarKteus · Maio 13, 2008

Vou precisar desativar algum software, entrar pelo modo de segurança ? :mellow:

---------------------------

Boa Noite! MarKteus

<@> Desabilite seus programas de proteção,ao executar o ComboFix.

<@> Poste:

<1> HijackThis,feito em Modo Normal.

<2> ComboFix.txt,executado em Modo Seguro.

Abraços!

Todos os COMBOFIX q baixei veio com vírus, por isso ñ fiz LOG Scan com ele :blush:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:12:22, on 13/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\pavsrv51.exe

C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\AVENGINE.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe

c:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\PsCtrls.exe

C:\Arquivos de programas\Arquivos comuns\Panda Software\PavShld\pavprsrv.exe

C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\PsImSvc.exe

c:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

C:\Arquivos de programas\Lck-Consultoria\retaguarda\CentralLck.exe

C:\WINDOWS\vsnpstd.exe

C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\WebProxy.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\psimreal.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.escolabinarios.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll

O3 - Toolbar: Barra de Ferramentas do Yahoo! - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Pesquisas] C:\Arquivos de programas\Lck-Consultoria\retaguarda\CentralLck.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [statusClient] C:\Arquivos de programas\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')