
Archived

This topic has been archived and is closed to new replies.

Clarissa Gonçalves

[Solved!] Analyze my log


Good afternoon, everyone.

For some time now, many people have been receiving strange e-mails sent by everyone who has used a HOTMAIL account on my computer. Since then, when I try to open Internet Explorer, it keeps trying to open and then crashes (that message about sending a report to Microsoft appears).

The content of the e-mail being sent (with the subject "olha isso que engraçado!", i.e. "look at this, it's funny!") is the following:

"just take a look at this video.. I almost died laughing... pay attention to the little old man in a skirt.. way too funny!!

http://thorlive.blogspot.com/humor/getVide...5C3&ext=avi "

Anyway, here is the HijackThis log. I hope someone can help me.

 

Logfile of HijackThis v1.99.1

Scan saved at 09:11:49, on 10/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Eset\nod32krn.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\HP\Smart Web Printing\hpswp_clipbook.exe

C:\DOCUME~1\Deia\CONFIG~1\Temp\Rar$EX13.266\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: System.ContextStaticAttribute - {578A759E-5105-4C41-84B0-5F989ED9EFC4} - C:\WINDOWS\system32\c_10000.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [AudioDeck] C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Inicialização Rápida do Microsoft Office OneNote 2003.lnk = C:\Arquivos de programas\Microsoft Office\OFFICE11\ONENOTEM.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Livro de recortes HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Seleção HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205552956062

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

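An added example, not part of the original thread and not HijackThis's own logic: a first triage pass in Python over the O2 (Browser Helper Object), O10 (Winsock LSP) and O20 (Winlogon Notify) lines of a HijackThis log like the one above. The sample lines are copied from that log; the rules are my own heuristics: a BHO whose DLL is gone, a BHO with no display name, a BHO loading from system32 instead of a Program Files directory (vendor BHOs almost always install under Program Files), an LSP HijackThis does not recognise, and every Winlogon notification package, which runs at each logon. The system32 rule singles out the c_10000.dll entry that the multi-engine scan later in the thread confirms.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: System.ContextStaticAttribute - {578A759E-5105-4C41-84B0-5F989ED9EFC4} - C:\WINDOWS\system32\c_10000.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]{36})\} - (?P<path>.*)$", re.IGNORECASE)
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$", re.IGNORECASE)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$", re.IGNORECASE)
# Heuristic of mine, not a HijackThis rule: vendor BHOs install under Program Files, so a BHO DLL
# sitting directly in the Windows system directory deserves a hash lookup before anything else.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def triage_hijackthis(log_text):
    """Return findings as dicts: {section, clsid, path, severity, reasons}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            reasons = []
            if path == "(no file)":
                reasons.append("orphaned BHO: CLSID still registered but the DLL is gone")
            elif SYSTEM_DIR_RE.match(path):
                reasons.append("BHO DLL loads from system32 rather than Program Files; submit its hash to a multi-engine scanner")
            if m.group("name") == "(no name)":
                reasons.append("BHO has no display name")
            if reasons:
                findings.append({"section": "O2", "clsid": m.group("clsid").upper(), "path": path,
                                 "severity": "check", "reasons": reasons})
            continue
        m = O10_RE.match(line)
        if m:
            findings.append({"section": "O10", "clsid": None, "path": m.group("path"), "severity": "review",
                             "reasons": ["Winsock LSP not in HijackThis's known list; confirm the vendor before "
                                         "removing it (a broken LSP chain breaks all networking)"]})
            continue
        m = O20_RE.match(line)
        if m:
            findings.append({"section": "O20", "clsid": None, "path": m.group("path"), "severity": "review",
                             "reasons": [f"Winlogon notification package '{m.group('name')}' runs at every logon; "
                                         "confirm the vendor"]})
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT_LOG):
        print(f"[{f['severity']}] {f['section']} {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run as a script it prints two "check" findings (the system32 BHO and the orphaned nameless one) and three "review" findings (the Bonjour LSP and both Winlogon packages); the Java and G-Buster BHOs, which load from Program Files, stay silent.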

Hello, Sam Spade. Here is the requested log:

 

==============

 

Service

File: c_10000.dll

Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5: e556a1ad9152d88a57e2cc18f89b3a1c

Packers detected: UPACK

 

Scanner results

Scan taken on 17 May 2008 20:12:05 (GMT)

 

A-Squared: Found nothing

AntiVir: Found HEUR/Malware

ArcaVir: Found nothing

Avast: Found Win32:Rootkit-gen

AVG Antivirus: Found Generic10.TIU

BitDefender: Found nothing

ClamAV: Found PUA.Packed.UPack

CPsecure: Found nothing

Dr.Web: Found nothing

F-Prot Antivirus: Found nothing

F-Secure Anti-Virus: Found nothing

Fortinet: Found nothing

Ikarus: Found Trojan-Spy.Win32.Banbra.hb

Kaspersky Anti-Virus: Found nothing

NOD32: Found nothing

Norman Virus Control: Found W32/Suspicious_U.gen

Panda Antivirus: Found nothing

Sophos Antivirus: Found Mal/EncPk-BW

VirusBuster: Found nothing

VBA32:Found nothing

 

Statistics

Last file scanned at least one scanner reported something about: KnightOnLine.zip (MD5: 9c5745a5fd905d7d4f18555638e16afb, size: 1268767 bytes), detected by:

 

Scanner ------------------------ Malware name

A-Squared --------------------- X

AntiVir -------------------------- TR/Spy.Agent.cda.2

ArcaVir ------------------------- Trojan.Downloader.Agent.Bdr

Avast ---------------------------- X

AVG Antivirus ------------------- PSW.Agent.STI

BitDefender --------------------- Trojan.Generic.240729

ClamAV ------------------------- Trojan.Spy-31663

CPsecure ------------------------ Troj.Spy.W32.Agent.cda

Dr.Web ---------------------------- X

F-Prot Antivirus ------------------- X

F-Secure Anti-Virus ------------- Trojan-Spy.Win32.Agent.cda

Fortinet --------------------------- Spy/Agent

Ikarus ---------------------------- Trojan-Spy.Win32.ProAgent.21

Kaspersky Anti-Virus ------------ Trojan-Spy.Win32.Agent.cda

NOD32 ------------------------------- X

Norman Virus Control ------------ W32/Agent.FJMC

Panda Antivirus -------------------- X

Sophos Antivirus ------------------ Mal/Generic-A

VirusBuster ------------------------ X

VBA32 ------------------------------ Trojan-Spy.Win32.Agent.cda

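An added example, not part of the original thread and not Jotti's own code: a Python parser for the multi-engine result pasted above, so the verdicts can be counted rather than read by eye. Jotti's format is one "Engine: Found X" line per scanner (note "VBA32:Found nothing" without a space, which the regex tolerates), followed by a site-wide "Statistics" block about a different file, which the parser deliberately ignores. The split into strong and weak verdicts is my own: names that only say packed, heuristic or suspicious carry less weight than a family name such as Ikarus's Trojan-Spy.Win32.Banbra.hb, a well-known Brazilian banking-trojan family, which fits the Hotmail-spam symptom and the banking plugin present on this machine.

```python
import re

# Constructed sample input: the Jotti result for c_10000.dll as posted in this thread
# (header lines plus per-engine verdicts; the site-wide "Statistics" block trails it).
JOTTI_RESULT = """
File: c_10000.dll
Status: INFECTED/MALWARE
MD5: e556a1ad9152d88a57e2cc18f89b3a1c
Packers detected: UPACK

Scanner results
Scan taken on 17 May 2008 20:12:05 (GMT)

A-Squared: Found nothing
AntiVir: Found HEUR/Malware
ArcaVir: Found nothing
Avast: Found Win32:Rootkit-gen
AVG Antivirus: Found Generic10.TIU
BitDefender: Found nothing
ClamAV: Found PUA.Packed.UPack
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found Trojan-Spy.Win32.Banbra.hb
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found W32/Suspicious_U.gen
Panda Antivirus: Found nothing
Sophos Antivirus: Found Mal/EncPk-BW
VirusBuster: Found nothing
VBA32:Found nothing

Statistics
Last file scanned at least one scanner reported something about: KnightOnLine.zip
"""

HEADER_KEYS = {"File": "file", "Status": "status", "MD5": "md5", "Packers detected": "packers"}
HEADER_RE = re.compile(r"^(File|Status|MD5|Packers detected):\s*(.*)$")
# \s* rather than a literal space: "VBA32:Found nothing" has no space after the colon.
VERDICT_RE = re.compile(r"^(?P<engine>[^:]+):\s*Found (?P<verdict>.+)$")
# My own weighting: packer-only, heuristic and "suspicious" names are weaker evidence than a family name.
WEAK_RE = re.compile(r"PUA|Packed|HEUR|Suspicious", re.IGNORECASE)


def parse_jotti(text):
    """Parse one Jotti result into header fields plus {engine: verdict-or-None}."""
    report = {"file": None, "status": None, "md5": None, "packers": None, "verdicts": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Statistics":
            break  # everything after this is about the site, not about the submitted file
        h = HEADER_RE.match(line)
        if h:
            report[HEADER_KEYS[h.group(1)]] = h.group(2).strip()
            continue
        v = VERDICT_RE.match(line)
        if v:
            verdict = v.group("verdict").strip()
            report["verdicts"][v.group("engine").strip()] = None if verdict == "nothing" else verdict
    return report


def summarize(report):
    """Detection ratio and the verdict names, split into strong (family) and weak (generic) signals."""
    hits = {e: n for e, n in report["verdicts"].items() if n}
    strong = {e: n for e, n in hits.items() if not WEAK_RE.search(n)}
    return {
        "engines": len(report["verdicts"]),
        "hits": len(hits),
        "strong": len(strong),
        "strong_names": sorted(strong.values()),
        "weak_names": sorted(n for n in hits.values() if WEAK_RE.search(n)),
    }


if __name__ == "__main__":
    rep = parse_jotti(JOTTI_RESULT)
    s = summarize(rep)
    print(f"{rep['file']} md5={rep['md5']} packer={rep['packers']}: {s['hits']}/{s['engines']} engines, "
          f"{s['strong']} with a family name: {', '.join(s['strong_names'])}")
```

For the file above this gives 7 detections out of 20 engines, 4 of them carrying a family or behaviour name; the UPACK packer flag plus a low ratio is typical of a freshly repacked banker that most signature engines had not yet caught on the scan date.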

OK, download: ComboFix > save it to the desktop

  • Disable your antivirus, antispyware and firewall so they do not cause conflicts. Keep them disabled until you finish the instructions.
  • Double-click combofix.exe, type 1 and press Enter to proceed with the fix. Wait, as it takes a while.
  • ComboFix will restart the PC automatically to complete the removal process. If that does not happen, restart it manually.
  • When it finishes, a log will be generated at C:\ComboFix.txt.
  • IMPORTANT: Do not use the mouse or keyboard while ComboFix is running. To stop or exit ComboFix, press "N".
  • Select, copy and paste the contents of ComboFix.txt in your next reply.
     
    NOTE: Do not run ComboFix more than once. That will overwrite the log and make removing the malware harder.


Hello, Sam Spade. Here is the log generated by ComboFix:

 

ComboFix 08-05-15.3 - Deia 2008-05-18 13:19:36.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.635 [GMT -3:00]

Executando de: C:\Documents and Settings\Deia\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\AutoRun.inf

C:\WINDOWS\system32\c_10000.dll

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-04-18 to 2008-05-18 ))))))))))))))))))))))))))))))))

.

 

2008-05-10 09:24 . 2008-05-10 09:24 0 --a------ C:\WINDOWS\nsreg.dat

2008-05-06 15:24 . 2008-05-18 13:11 727,963 --a------ C:\WINDOWS\system32\uvcnb.ebc

2008-04-29 17:56 . 2008-04-29 18:12 233 --a------ C:\WINDOWS\system32\MOP.INI

2008-04-29 15:40 . 2008-04-29 15:40 <DIR> d-------- C:\Arquivos de programas\InstallShield Installation Information

2008-04-29 15:40 . 2008-04-29 17:56 <DIR> d-------- C:\Arquivos de programas\CCLS

2008-04-29 15:40 . 2008-04-29 16:23 280 --a------ C:\WINDOWS\system32\CALL.INI

2008-04-18 23:50 . 2008-04-18 23:50 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-10 22:19 --------- d-----w C:\Arquivos de programas\DreMule

2008-04-25 19:10 --------- d-----w C:\Arquivos de programas\ESET

2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:49 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-23 16:37 --------- d--h--w C:\Arquivos de programas\Scpad

2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-15 02:40 298,104 ----a-w C:\WINDOWS\system32\imon.dll

2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:37 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24 1694208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]

"nod32kui"="C:\Arquivos de programas\Eset\nod32kui.exe" [2008-03-14 23:40 949376]

"VTTimer"="VTTimer.exe" [2003-04-15 18:55 36864 C:\WINDOWS\system32\VTTimer.exe]

"AudioDeck"="C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe" [2004-04-19 17:44 7916032]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-03-15 03:11 180269]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"HP Software Update"="C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

HP Digital Imaging Monitor.lnk - C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

Inicialização Rápida do Microsoft Office OneNote 2003.lnk - C:\Arquivos de programas\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [2007-12-03 16:30 347976]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\ARQUIV~1\GbPlugin\gbieh.dll 2007-12-03 16:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"C:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\DreMule\\emule.exe"=

 

S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 05:54]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fcb3e91d-fdab-11dc-88c2-000fea9aa60b}]

\Shell\Auto\command - boot.pif

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.pif

 

*Newly Created Service* - CATCHME

*Newly Created Service* - HTTPFILTER

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-18 13:22:45

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\system32\lsass.exe

-> C:\Arquivos de programas\Eset\pr_imon.dll

.

Tempo para conclusão: 2008-05-18 13:25:44

ComboFix-quarantined-files.txt 2008-05-18 16:24:41

 

Pre-Run: 54,227,681,280 bytes disponíveis

Post-Run: 54,329,712,640 bytes disponíveis

 

109 --- E O F --- 2008-05-16 13:54:10


Hello, go to http://virusscan.jotti.org/

On the site, in the Browse box, paste the line below:

C:\WINDOWS\system32\uvcnb.ebc

Click Submit, wait for the analysis result to appear and save it.

Do the same with this one:

C:\WINDOWS\system32\MOP.INI

Post the results.


Sorry for the delay.

I have been travelling these past few days.

But here are the requested logs.

 

==================

 

File: uvcnb.ebc

Status: OK

 

Scan taken on 17 Jun 2008 00:07:02 (GMT)

A-Squared

Found nothing

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found nothing

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

CPsecure

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found nothing

Fortinet

Found nothing

Ikarus

Found nothing

Kaspersky Anti-Virus

Found nothing

NOD32

Found nothing

Norman Virus Control

Found nothing

Panda Antivirus

Found nothing

Sophos Antivirus

Found nothing

VirusBuster

Found nothing

VBA32

Found nothing

 

Scanner Malware name

A-Squared Backdoor.Win32.PoisonIvy.ay

AntiVir BDS/Poison.CPD

ArcaVir X

Avast Win32:Poison-DE

AVG Antivirus BackDoor.Generic9.MSS

BitDefender Trojan.Downloader.Agent.ZCR

ClamAV Trojan.Downloader-25476

CPsecure X

Dr.Web Trojan.DownLoader.46203

F-Prot Antivirus X

F-Secure Anti-Virus Backdoor.Win32.Poison.cpb

Fortinet X

Ikarus Backdoor.Win32.PoisonIvy.ay

Kaspersky Anti-Virus Backdoor.Win32.Poison.cpb

NOD32 Win32/Poison.NAI

Norman Virus Control W32/PoisonIvy.gen22

Panda Antivirus X

Sophos Antivirus Troj/Smalla-Gen

VirusBuster Trojan.DL.CKSPost.Gen

VBA32 X

 

===============================

 

File: MOP.INI

Status: OK

 

A-Squared

Found nothing

AntiVir

Found nothing

ArcaVir

Found nothing

Avast

Found nothing

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

CPsecure

Found nothing

Dr.Web

Found nothing

F-Prot Antivirus

Found nothing

F-Secure Anti-Virus

Found nothing

Fortinet

Found nothing

Ikarus

Found nothing

Kaspersky Anti-Virus

Found nothing

NOD32

Found nothing

Norman Virus Control

Found nothing

Panda Antivirus

Found nothing

Sophos Antivirus

Found nothing

VirusBuster

Found nothing

VBA32

Found nothing

 

Scanner Malware name

A-Squared X

AntiVir TR/Crypt.TPM.Gen

ArcaVir X

Avast X

AVG Antivirus X

BitDefender MemScan:Backdoor.Prosti.CY

ClamAV PUA.Packed.Themida

CPsecure X

Dr.Web X

F-Prot Antivirus X

F-Secure Anti-Virus X

Fortinet X

Ikarus Generic.Sdbot

Kaspersky Anti-Virus X

NOD32 X

Norman Virus Control X

Panda Antivirus X

Sophos Antivirus Mal/Behav-103

VirusBuster X

VBA32 X


Hello, ComboFix showed a virus that infects pendrives and MP3/MP4 players.

Download: PenClean

Disable your antivirus, antispyware and firewall so they do not cause conflicts. Keep them disabled until you finish the instructions.

Select and copy the text inside the QUOTE. Open Notepad and paste what you copied. Then save it on the desktop under the name CFScript.txt.


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fcb3e91d-fdab-11dc-88c2-000fea9aa60b}]

If you have a pendrive or an MP3 or MP4 player, connect it to the PC (if you have more than one, you must connect all of them). Do not remove them until you have completed all the instructions.

Restart the PC and press F8 repeatedly. In the menu choose: safe mode.

Run PenClean. Select the option Verificar Unidades (Check Drives), tick Todas as Unidades (All Drives) and click the Verificar (Check) button.

<<Wait a few moments; the scan is quite fast>>

You will be told whether anything was found; if something is found you will be asked to restart, click Yes. The computer will restart.

Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

[image: CFScript.gif]

ComboFix will run and will restart the PC automatically to complete the removal process. If that does not happen, restart it manually.

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running.

This script was prepared only for this computer, according to the files and keys present.

To visitors: if you have a similar problem, do not use this script, as unsupervised use can damage the system. Open your own topic asking for guidance.

When it finishes, a log will be generated at C:\ComboFix.txt.

NOTE: Do not run ComboFix more than once. That will overwrite the log and make removing the malware harder.

Remove the pendrive/MP3/MP4 you connected.

Post ComboFix.txt together with the PenClean report, which will be at C:\PenClean\PenClean.txt

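An added example, not part of the original thread and not ComboFix's or PenClean's code: Python that reads the "Registry load points" part of a ComboFix log like the one posted earlier and pulls out the MountPoints2 entries, which is how the helper spotted the removable-drive infection. MountPoints2 is Explorer's per-user cache of drive autorun handlers; a drive entry whose Shell\AutoRun\command launches a file from the drive itself (here boot.pif, via RunDLL32 ShellExec_RunDLL) is the classic autorun.inf worm pattern. The function returns the affected keys and also emits the `Registry::` / `[-key]` block in exactly the CFScript syntax the helper used above, so the removal script can be built from the log instead of by hand. The log excerpt is copied from this thread; everything else is assumption-free parsing of that format.

```python
import re

# Constructed sample: the relevant lines copied from the ComboFix log posted in this thread,
# with one unrelated key before and one line after to show that the parser skips them.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fcb3e91d-fdab-11dc-88c2-000fea9aa60b}]
\Shell\Auto\command - boot.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.pif

*Newly Created Service* - CATCHME
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix lists drive entries as mountpoints2\{volume-guid}; {36 hex/dash chars} is the GUID body.
MOUNTPOINT_RE = re.compile(r"\\mountpoints2\\\{(?P<guid>[0-9a-f-]{36})\}$", re.IGNORECASE)
# "\Shell\<verb>\command - <command line>" lines follow the key they belong to.
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)


def find_autorun_mountpoints(log_text):
    """Return [{key, guid, commands: {verb: command}}] for drive entries that carry shell commands."""
    findings = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            m = MOUNTPOINT_RE.search(k.group("key"))
            current = {"key": k.group("key"), "guid": m.group("guid").lower(), "commands": {}} if m else None
            if current:
                findings.append(current)
            continue
        if current:
            v = VERB_RE.match(line)
            if v:
                current["commands"][v.group("verb")] = v.group("cmd")
    # A MountPoints2 entry with no Shell\...\command lines is just a remembered drive; keep only the hijacked ones.
    return [f for f in findings if f["commands"]]


def launched_files(finding):
    """Basenames the verbs would execute: the last token of each command line (boot.pif in this case)."""
    return sorted({cmd.split()[-1].rsplit("\\", 1)[-1].lower() for cmd in finding["commands"].values()})


def cfscript_registry_block(findings):
    """Render the findings in CFScript syntax: a Registry:: header, then [-key] to delete each key."""
    return "\n".join(["Registry::"] + [f"[-{f['key']}]" for f in findings])


if __name__ == "__main__":
    hits = find_autorun_mountpoints(COMBOFIX_EXCERPT)
    for h in hits:
        print(f"drive {{{h['guid']}}} autoruns {', '.join(launched_files(h))} via verbs {sorted(h['commands'])}")
    print(cfscript_registry_block(hits))
```

Deleting the MountPoints2 key only removes the cached handler; the autorun.inf and boot.pif on the drive itself still have to be cleaned, which is why the helper has PenClean scan every connected drive in safe mode before the CFScript runs.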

Hello!

Once again, sorry for the delay.

The São João festivities here in Bahia ended up eating all my time.

Anyway, here are the requested logs:

 

======================================

 

ComboFix.txt

 

ComboFix 08-07-15.4 - Deia 2008-07-16 15:47:50.2 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.792 [GMT -3:00]

Executando de: C:\Documents and Settings\Deia\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Deia\Desktop\CFScript.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((( Ficheiros criados de 2008-06-16 to 2008-07-16 ))))))))))))))))))))))))))))))))

.

 

2008-07-16 15:36 . 2008-07-16 15:36 <DIR> d-------- C:\PenClean

2008-07-16 15:33 . 2008-03-14 23:26 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos

2008-07-16 15:33 . 2008-03-14 20:17 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos

2008-07-16 15:33 . 2008-03-14 20:17 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar

2008-07-16 15:33 . 2008-03-14 20:17 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos

2008-07-16 15:33 . 2008-03-14 20:17 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos

2008-07-16 15:33 . 2008-07-16 15:50 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais

2008-07-16 15:33 . 2008-03-14 20:17 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede

2008-07-16 15:33 . 2008-03-14 20:17 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão

2008-07-16 15:33 . 2008-07-16 15:33 <DIR> d-------- C:\Documents and Settings\Administrador

2008-07-10 12:49 . 2008-07-10 12:49 244 --ah----- C:\sqmnoopt03.sqm

2008-07-10 12:49 . 2008-07-10 12:49 232 --ah----- C:\sqmdata03.sqm

2008-07-09 14:16 . 2008-06-14 14:59 272,384 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-07-09 14:16 . 2008-06-14 14:59 272,384 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-07-03 16:33 . 2008-07-16 15:19 116 --a------ C:\WINDOWS\NeroDigital.ini

2008-06-24 07:57 . 2004-08-04 00:45 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll

2008-06-24 07:57 . 2001-09-05 23:50 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-15 15:14 --------- d-----w C:\Arquivos de programas\DreMule

2008-06-20 17:41 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-05-07 05:15 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 07:14 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

 

((((((((((((((((((((((((((((( snapshot@2008-05-18_13.24.31,12 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-06-14 17:59:51 272,384 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys

- 2000-08-31 11:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe

+ 2000-08-31 11:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe

- 2008-03-31 14:02:09 152,122 ----a-w C:\WINDOWS\hpoins14.dat

+ 2008-07-12 23:37:01 152,122 ----a-w C:\WINDOWS\hpoins14.dat

+ 2008-03-01 13:02:08 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll

+ 2008-03-01 13:02:09 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll

+ 2008-03-01 13:02:09 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll

+ 2008-03-01 13:02:09 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll

+ 2008-03-01 13:02:09 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll

+ 2008-02-29 08:59:58 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe

+ 2008-03-01 13:02:09 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll

+ 2008-03-01 13:02:09 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll

+ 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll

+ 2008-03-01 13:02:09 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll

+ 2008-03-01 13:02:09 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll

+ 2008-03-01 13:02:10 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll

+ 2008-03-01 13:02:10 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll

+ 2008-03-01 13:02:10 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll

+ 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe

+ 2008-02-29 09:00:27 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe

+ 2008-03-01 13:02:10 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll

+ 2008-03-01 13:02:10 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll

+ 2008-03-01 13:02:10 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll

+ 2008-03-01 21:32:12 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll

+ 2008-03-01 13:02:12 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll

+ 2008-03-01 13:02:12 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll

+ 2008-03-01 13:02:12 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll

+ 2008-03-01 13:02:12 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll

+ 2008-03-01 13:02:12 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll

+ 2007-03-06 01:01:00 215,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe

+ 2007-03-06 01:02:08 384,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll

+ 2008-03-01 13:02:12 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll

+ 2008-03-01 13:02:12 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll

+ 2008-03-01 13:02:12 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll

+ 2008-03-01 13:02:12 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll

- 2008-05-15 23:27:33 593,920 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2008-07-09 17:54:43 593,920 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\accicons.exe

- 2008-05-15 23:27:33 12,288 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2008-07-09 17:54:43 12,288 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2008-05-15 23:27:33 86,016 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\inficon.exe

+ 2008-07-09 17:54:43 86,016 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\inficon.exe

- 2008-05-15 23:27:33 135,168 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2008-07-09 17:54:43 135,168 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2008-05-15 23:27:33 11,264 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2008-07-09 17:54:43 11,264 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2008-05-15 23:27:33 27,136 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2008-07-09 17:54:43 27,136 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2008-05-15 23:27:34 4,096 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2008-07-09 17:54:43 4,096 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2008-05-15 23:27:34 794,624 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2008-07-09 17:54:43 794,624 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2008-05-15 23:27:33 249,856 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2008-07-09 17:54:43 249,856 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2008-05-15 23:27:33 61,440 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2008-07-09 17:54:43 61,440 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2008-05-15 23:27:34 23,040 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2008-07-09 17:54:43 23,040 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2008-05-15 23:27:33 286,720 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2008-07-09 17:54:43 286,720 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2008-05-15 23:27:33 409,600 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2008-07-09 17:54:43 409,600 ----a-r C:\WINDOWS\Installer\{90110416-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2000-08-31 11:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe

+ 2000-08-31 11:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe

- 2008-03-01 13:02:08 124,928 ----a-w C:\WINDOWS\system32\advpack.dll

+ 2008-04-23 07:14:09 124,928 ----a-w C:\WINDOWS\system32\advpack.dll

- 2008-03-01 13:02:08 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll

+ 2008-04-23 07:14:09 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll

- 2004-08-04 02:14:16 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys

+ 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys

- 2008-02-20 05:37:59 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

+ 2008-06-20 17:41:07 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

- 2008-03-01 13:02:09 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll

+ 2008-04-23 07:14:09 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll

- 2008-03-01 13:02:09 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll

+ 2008-04-23 07:14:09 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll

- 2008-03-01 13:02:09 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll

+ 2008-04-23 07:14:09 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll

- 2008-03-01 13:02:09 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll

+ 2008-04-23 07:14:09 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll

- 2008-02-29 08:59:58 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe

+ 2008-04-22 07:43:30 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe

- 2008-03-01 13:02:09 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll

+ 2008-04-23 07:14:09 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll

- 2008-03-01 13:02:09 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll

+ 2008-04-23 07:14:09 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll

- 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll

+ 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll

- 2008-03-01 13:02:09 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll

+ 2008-04-23 07:14:09 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll

- 2008-03-01 13:02:09 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll

+ 2008-04-23 07:14:09 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll

- 2008-03-01 13:02:10 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll

+ 2008-04-23 07:14:10 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll

- 2008-03-01 13:02:10 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll

+ 2008-04-23 07:14:10 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll

- 2008-03-01 13:02:10 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll

+ 2008-04-23 07:14:10 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll

- 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe

+ 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe

- 2008-02-29 09:00:27 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe

+ 2008-04-22 07:43:46 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe

- 2008-03-01 13:02:10 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll

+ 2008-04-23 07:14:10 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll

- 2004-08-04 03:45:24 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll

+ 2008-02-26 12:00:47 294,912 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll

- 2008-03-01 13:02:10 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll

+ 2008-04-23 07:14:10 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll

- 2008-03-01 13:02:10 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll

+ 2008-04-23 07:14:10 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll

- 2008-03-01 21:32:12 3,591,680 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll

+ 2008-04-24 04:14:12 3,591,680 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll

- 2008-03-01 13:02:12 478,208 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll

+ 2008-04-23 07:14:11 478,208 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll

- 2008-03-01 13:02:12 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll

+ 2008-04-23 07:14:11 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll

- 2008-03-01 13:02:12 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll

+ 2008-04-23 07:14:11 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll

- 2004-08-04 03:45:26 247,808 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll

+ 2008-06-20 17:41:07 247,808 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll

- 2008-03-01 13:02:12 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll

+ 2008-04-23 07:14:11 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll

- 2008-03-01 13:02:12 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll

+ 2008-04-23 07:14:11 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll

- 2007-10-29 22:44:03 1,292,288 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll

+ 2008-05-07 05:15:38 1,292,288 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll

- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys

+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys

- 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys

+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys

- 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys

+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys

- 2008-03-01 13:02:12 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll

+ 2008-04-23 07:14:11 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll

- 2008-03-01 13:02:12 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll

+ 2008-04-23 07:14:11 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll

- 2008-03-01 13:02:12 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll

+ 2008-04-23 07:14:11 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll

- 2008-03-01 13:02:12 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll

+ 2008-04-23 07:14:11 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll

- 2008-02-20 05:37:59 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll

+ 2008-06-20 17:41:07 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll

- 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

+ 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

- 2008-03-01 13:02:09 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll

+ 2008-04-23 07:14:09 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll

- 2008-03-01 13:02:09 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll

+ 2008-04-23 07:14:09 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll

- 2008-03-01 13:02:09 133,120 ------w C:\WINDOWS\system32\extmgr.dll

+ 2008-04-23 07:14:09 133,120 ------w C:\WINDOWS\system32\extmgr.dll

- 2008-03-01 13:02:09 63,488 ----a-w C:\WINDOWS\system32\icardie.dll

+ 2008-04-23 07:14:09 63,488 ----a-w C:\WINDOWS\system32\icardie.dll

- 2008-02-29 08:59:58 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe

+ 2008-04-22 07:43:30 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe

- 2008-03-01 13:02:09 153,088 ------w C:\WINDOWS\system32\ieakeng.dll

+ 2008-04-23 07:14:09 153,088 ------w C:\WINDOWS\system32\ieakeng.dll

- 2008-03-01 13:02:09 230,400 ------w C:\WINDOWS\system32\ieaksie.dll

+ 2008-04-23 07:14:09 230,400 ------w C:\WINDOWS\system32\ieaksie.dll

- 2008-02-15 05:44:25 161,792 ------w C:\WINDOWS\system32\ieakui.dll

+ 2008-04-20 05:07:51 161,792 ------w C:\WINDOWS\system32\ieakui.dll

- 2008-03-01 13:02:09 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll

+ 2008-04-23 07:14:09 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll

- 2008-03-01 13:02:09 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll

+ 2008-04-23 07:14:09 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll

- 2008-03-01 13:02:10 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll

+ 2008-04-23 07:14:10 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll

- 2008-03-01 13:02:10 44,544 ------w C:\WINDOWS\system32\iernonce.dll

+ 2008-04-23 07:14:10 44,544 ------w C:\WINDOWS\system32\iernonce.dll

- 2008-03-01 13:02:10 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll

+ 2008-04-23 07:14:10 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll

- 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe

+ 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe

- 2008-03-01 13:02:10 27,648 ------w C:\WINDOWS\system32\jsproxy.dll

+ 2008-04-23 07:14:10 27,648 ------w C:\WINDOWS\system32\jsproxy.dll

- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe

+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe

- 2004-08-04 03:45:24 294,400 ----a-w C:\WINDOWS\system32\MSCTF.dll

+ 2008-02-26 12:00:47 294,912 ----a-w C:\WINDOWS\system32\msctf.dll

- 2008-03-01 13:02:10 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll

+ 2008-04-23 07:14:10 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll

- 2008-03-01 13:02:10 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll

+ 2008-04-23 07:14:10 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll

- 2008-03-01 21:32:12 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll

+ 2008-04-24 04:14:12 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll

- 2008-03-01 13:02:12 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll

+ 2008-04-23 07:14:11 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll

- 2008-03-01 13:02:12 193,024 ------w C:\WINDOWS\system32\msrating.dll

+ 2008-04-23 07:14:11 193,024 ------w C:\WINDOWS\system32\msrating.dll

- 2008-03-01 13:02:12 671,232 ------w C:\WINDOWS\system32\mstime.dll

+ 2008-04-23 07:14:11 671,232 ------w C:\WINDOWS\system32\mstime.dll

- 2008-03-01 13:02:12 102,912 ------w C:\WINDOWS\system32\occache.dll

+ 2008-04-23 07:14:11 102,912 ------w C:\WINDOWS\system32\occache.dll

- 2008-03-01 13:02:12 44,544 ------w C:\WINDOWS\system32\pngfilt.dll

+ 2008-04-23 07:14:11 44,544 ------w C:\WINDOWS\system32\pngfilt.dll

- 2006-10-16 19:10:58 14,640 ------w C:\WINDOWS\system32\spmsg.dll

+ 2007-11-30 11:18:16 18,296 ------w C:\WINDOWS\system32\spmsg.dll

- 2008-03-01 13:02:12 105,984 ----a-w C:\WINDOWS\system32\url.dll

+ 2008-04-23 07:14:11 105,984 ----a-w C:\WINDOWS\system32\url.dll

- 2008-03-01 13:02:12 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll

+ 2008-04-23 07:14:11 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll

- 2008-03-01 13:02:12 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll

+ 2008-04-23 07:14:11 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll

.

-- Snapshot reset to current date --

.

(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* empty and legitimate default entries are not shown.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24 1694208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]

"nod32kui"="C:\Arquivos de programas\Eset\nod32kui.exe" [2008-03-14 23:40 949376]

"AudioDeck"="C:\Arquivos de programas\VIAudioi\SBADeck\ADeck.exe" [2004-04-19 17:44 7916032]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]

"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-03-15 03:11 180269]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"HP Software Update"="C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]

"VTTimer"="VTTimer.exe" [2003-04-15 18:55 36864 C:\WINDOWS\system32\VTTimer.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

HP Digital Imaging Monitor.lnk - C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

Inicialização Rápida do Microsoft Office OneNote 2003.lnk - C:\Arquivos de programas\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= "C:\Arquivos de programas\Scpad\scpLIB.dll" [2007-03-27 01:29 128512]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= "C:\ARQUIV~1\GbPlugin\gbieh.dll" [2007-12-03 16:30 347976]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2007-12-03 16:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"C:\\Arquivos de programas\\iTunes\\iTunes.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\DreMule\\emule.exe"=

 

S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 05:54]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

"2008-07-14 23:36:11 C:\WINDOWS\Tasks\WebReg Deskjet F4100 series.job"

- C:\Arquivos de programas\HP\Digital Imaging\bin\hpqwrg.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-16 15:51:01

Windows 5.1.2600 Service Pack 2 NTFS

 

Scanning for hidden processes ...

 

Scanning for hidden autostart entries ...

 

Scanning for hidden files ...

 

Scan completed successfully

Hidden files: 0

 

**************************************************************************

.

Completion time: 2008-07-16 15:53:16

ComboFix-quarantined-files.txt 2008-07-16 18:52:52

ComboFix2.txt 2008-05-18 16:25:45

 

Pre-Run: 53,929,078,784 bytes free

Post-Run: 54,103,052,288 bytes free

 

315 --- E O F --- 2008-07-10 04:02:46

 

 

======================================

 

PenClean.txt

 

Starting PenClean 2.0.3 report

By Renato Victor Mejias

renatomejias@yahoo.com.br

16/7/2008 15:36:39

-----------------------------------------------------------

Files and keys deleted from the chosen drive:

 

No malware detected on any drive!

 

-----------------------------------------------------------

End of analysis; the drive checked was: "All drives"

 

-----------------------------------------------------------


OK, the logs are clean. To finish, go to Start > Run > type (or copy and paste): ComboFix /u

 

Click OK. Wait, because this will uninstall ComboFix, delete the related files and folders, and erase System Restore points that may be infected, creating a clean one.

 

Update Java.

Old versions have vulnerabilities that some malware can use to infect your system.

  • Download the latest version of the Java Runtime Environment (JRE) 6u7.
  • Look for where it says "Java Runtime Environment (JRE) 6update7".
  • Click the Download button.
  • Check the option that says Accept License Agreement.
  • The page will refresh.
  • Click the Windows Offline Installation download link and save it to your desktop. (The file is around 70 MB)
  • Close any running programs, especially browsers.
  • Go to Start > Control Panel, double-click Add or Remove Programs and remove all old versions of Java.
    Examples of old versions
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Select any item named Java Runtime Environment (JRE or J2SE).
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each version of Java.
  • Restart your computer once all versions of Java have been removed.
  • Now go to your desktop and double-click jre-6u7-windows-i586-p.exe to install the newest version.

Visit Windows Update and update your system, downloading Service Pack 3

 

Or, if you prefer, download and install the full package (about 300 MB):

http://www.microsoft.com/downloads/details...splayLang=pt-br

 

Read these articles on security:

 

Protect your PC

Care when browsing the web.

 

Regards.

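An added triage example, written for this thread and not part of any post in it nor of ComboFix's own logic: a Python script that re-reads the two parts of the log above that carry the helper's verdict. It pairs the `-`/`+` snapshot lines for the same path and flags files whose content changed while the modification time stayed identical (or moved backwards), which is how a replaced binary with a forged mtime would look next to the ordinary patch updates; it parses the registry load points to pull the JRE build out of the `jusched.exe` autorun path and compare it with the 6u7 the reply asks for; and it reports the disabled Windows Firewall and the per-application exceptions (eMule here). The sample lines are copied from the log in this thread; the version threshold, the regexes and the wording of the flags are the example's own.

```python
import re
from datetime import datetime

# Snapshot lines copied from the ComboFix log in this thread (raw string keeps the backslashes).
SNAPSHOT = r"""
- 2000-08-31 11:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 11:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2008-02-20 05:37:59 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:07 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
"""
# Registry load-point lines copied from the same log (Java autorun and firewall policy).
REGISTRY = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\DreMule\\emule.exe"=
"""
SNAP_RE = re.compile(r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
JRE_RE = re.compile(r"jre1\.(\d+)\.\d+_(\d+)", re.IGNORECASE)  # jre1.6.0_05 -> (6, 5)

def parse_snapshot(text):
    """Map lower-cased path -> {'-': (mtime, size), '+': (mtime, size)} from snapshot lines."""
    entries = {}
    for line in text.splitlines():
        m = SNAP_RE.match(line.strip())
        if not m:
            continue
        sign, stamp, size, _attrs, path = m.groups()
        mtime = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        entries.setdefault(path.lower(), {})[sign] = (mtime, int(size.replace(",", "")))
    return entries

def snapshot_findings(text):
    """Flag replaced files whose timestamps do not tell the usual 'newer patch' story."""
    findings = []
    for path, versions in parse_snapshot(text).items():
        if "-" not in versions or "+" not in versions:
            continue  # only added or only removed: nothing to compare
        (old_t, old_size), (new_t, new_size) = versions["-"], versions["+"]
        if new_t == old_t and new_size != old_size:
            findings.append((path, "content changed but mtime identical (possible timestomp)"))
        elif new_t < old_t:
            findings.append((path, "mtime moved backwards"))
    return findings

def parse_registry(text):
    """Map lower-cased section key -> [(value name, raw value), ...] from the load-points section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        s = SECTION_RE.match(line)
        if s:
            current = s.group(1).lower()
            sections[current] = []
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            sections[current].append((v.group(1), v.group(2)))
    return sections

def installed_jre(sections, target=(6, 7)):
    """Read the JRE (major, update) from a Run-key path; second value is True if older than target."""
    for key, values in sections.items():
        if not key.endswith(r"\currentversion\run"):
            continue
        for _name, raw in values:
            m = JRE_RE.search(raw)
            if m:
                found = (int(m.group(1)), int(m.group(2)))
                return found, found < target
    return None, False

def firewall_findings(sections):
    """Report a disabled standard-profile firewall and every non-Windows per-app exception."""
    findings = []
    for key, values in sections.items():
        if key.endswith(r"firewallpolicy\standardprofile"):
            for name, raw in values:
                if name.lower() == "enablefirewall" and raw.strip().startswith("0"):
                    findings.append("Windows Firewall disabled in standard profile")
        elif key.endswith(r"authorizedapplications\list"):
            for name, _raw in values:
                if name.lower().startswith("%windir%"):
                    continue  # built-in Windows components, expected on XP
                exe = name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
                findings.append(f"firewall exception for {exe}")
    return findings

if __name__ == "__main__":
    reg = parse_registry(REGISTRY)
    print(snapshot_findings(SNAPSHOT), installed_jre(reg), firewall_findings(reg))
```

On this log the timestamp heuristic fires only on Nircmd.exe, a NirSoft utility that ComboFix itself drops into C:\WINDOWS, so the flag is a prompt to check the file's hash against a known copy, not a verdict; the same pattern on tcpip.sys, afd.sys or another driver would be worth a much closer look. The JRE check returns (6, 5) for the jre1.6.0_05 path, which is exactly why the reply above asks for 6u7. To run it on a full ComboFix log, pass the snapshot section and the "Registry Load Points" section to the two parsers instead of the copied samples.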

PROBLEM SOLVED!

 

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
