[Archived] This topic is archived and closed to new replies.

jeovan_toledo

[Archived] Hacktool.Rootkit, Bifrose and other pests

Folks, what do I do???

Hacktool.Rootkit, Bifrose, Packed.Generic.99, these are some of the pests that won't let me work.

My 2 security programs, Norton and Spyware Doctor, were disabled; when I try to run them they freeze and say it is not a valid application. I tried to go back to the original state, restarting the machine with F8 to restore the system, but it doesn't work.

Does anyone have a solution???

I know this was created by hackers in Brazil to steal passwords.

Thanks


Hello jeovan_toledo! Download > HijackThis

Create a folder in C:\ and save it there.

When you open the tool, click "Do a system scan and save a logfile". Select and copy all of its contents and paste it in your next reply.


Here is my log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 22:13:55, on 15/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Spyware Doctor\pctsTray.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe

C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Arquivos de programas\Microsoft Office\Office12\OUTLOOK.EXE

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Arquivos de programas\uTorrent\uTorrent.exe

C:\Arquivos de programas\Winamp\winamp.exe

C:\WINDOWS\ServicePackFiles\i386\iexplore.exe

C:\Arquivos de programas\Corel\Corel Graphics 12\Programs\CorelDRW.exe

C:\WINDOWS\ServicePackFiles\i386\iexplore.exe

C:\WINDOWS\ServicePackFiles\i386\iexplore.exe

C:\HIJACK\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.shareazaweb.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\ARQUIV~1\SPYWAR~1\tools\iesdsg.dll (file missing)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll (file missing)

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Win Sync montr] winsyncupx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iSTray] "C:\Arquivos de programas\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\RunServices: [Win Sync montr] winsyncupx.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Arquivos de programas\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {AEF9B8DB-0DEF-4c0b-8209-661C9E82B8C3} - C:\Arquivos de programas\WinSysClean 2008 Trial\UDManager\UDManager.exe

O12 - Plugin for .mpeg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\BCL Technologies\easyPDF 5\bepldr.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Arquivos de programas\Symantec AntiVirus\SavRoam.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe

 

THANK YOU!!!

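The log above is what the helper asked for. As an added example (not part of the original thread and not HijackThis code), here is a small Python triage script that reads the O4 autostart lines of such a log and flags the patterns that stand out in this one: a bare filename with no path (winsyncupx.exe), an entry under the Windows 9x-era RunServices key, and an .exe started from the drivers directory (hldrrr.exe). The sample input is assembled from lines of the posted log; the heuristics, names and severities are this example's own assumptions.

```python
"""Triage of a HijackThis (v1.99) log: flag autostart entries that deserve a
second look. Heuristics only; a flag is a lead for the analyst, not a verdict."""
import re
from dataclasses import dataclass

# Lines copied from the log posted in this thread, assembled here as a
# constructed sample so the example runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Win Sync montr] winsyncupx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Win Sync montr] winsyncupx.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe
"""

# O4 lines that come from a Run-style registry key: "O4 - HKLM\..\Run: [name] command"
O4_REG = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    severity: str   # "high" or "info" (assumed scale for this example)
    name: str       # registry value name, or the whole line for non-O4 items
    reason: str


def target_of(cmd: str) -> str:
    """Return the program a Run-key command actually starts.

    A quoted path is taken whole; for rundll32 the DLL argument is the real
    target; otherwise the first whitespace-separated token is the program."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split()
    if tokens[0].lower().rsplit("\\", 1)[-1] == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.strip().splitlines():
        if any(m in line for m in ORPHAN_MARKERS):
            findings.append(Finding("info", line, "orphaned registration: file is gone, entry can be removed"))
            continue
        m = O4_REG.match(line)
        if not m:
            continue  # Global Startup .lnk entries and non-O4 lines are not examined here
        name, key = m["name"], m["key"]
        target = target_of(m["cmd"]).lower()
        if key == "RunServices":
            findings.append(Finding("high", name,
                "RunServices is a Windows 9x-era key; nothing legitimate uses it on XP"))
        if "\\" not in target:
            findings.append(Finding("high", name,
                f"bare filename {target!r}: resolved through the search path at logon, installers normally write a full path"))
        elif "\\drivers\\" in target and target.endswith(".exe"):
            findings.append(Finding("high", name,
                f"{target!r}: an .exe launched from the drivers directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name}: {f.reason}")
```

The bare-filename rule also catches nwiz.exe, which is NVIDIA's own entry: a flag here is a lead, and the analyst still confirms the file on disk, its signer and its location before fixing an entry.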

OK, download: ComboFix

Rename it to any name, keeping the .exe extension (e.g. abcde.exe), before saving, and save it to C:\, as shown in the images below:

[image: combofix1rp0.jpg]

[image: combofix2wj8.jpg]

  • Disable your antivirus, antispyware and firewall so they do not cause conflicts. Keep them disabled until you finish these instructions.
  • Double-click the ComboFix icon, type 1 and press Enter to proceed with the fix. Wait, as it takes a while.
  • ComboFix will restart the PC automatically to complete the removal process. If it does not, restart manually.
  • When it finishes, a log will be generated at C:\ComboFix.txt.
  • IMPORTANT: Do not use the mouse or keyboard while ComboFix is running. To stop or quit ComboFix, press "N".
  • Select, copy and paste the contents of ComboFix.txt in your next reply.
  • Also post a new HijackThis log.
     
    NOTE: Do not run ComboFix more than once. That would overwrite the log and make removing the malware harder.


Sam spade

Thanks!!!

I did what you told me... but it crashed and the computer rebooted... my question: can I delete the folders that were created and redo the process? It kept running for about 4 hours, is that normal?

Thanks

Jeovan


ComboFix 08-05-21.3 - Jeovan 2008-05-24 22:29:06.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.352 [GMT -3:00]

Running from: C:\Documents and Settings\Jeovan\Desktop\Combo-Fix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Arquivos de programas\Google\googletoolbar1.dll

C:\Arquivos de programas\inetget2

C:\Arquivos de programas\ipwindows

C:\Arquivos de programas\myglobalsearch

C:\Arquivos de programas\MyWay

C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL

C:\Arquivos de programas\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL

C:\WINDOWS\system32\Cache

C:\WINDOWS\system32\drivers\downld

C:\WINDOWS\system32\drivers\downld\1039546.exe

C:\WINDOWS\system32\drivers\downld\1148546.exe

C:\WINDOWS\system32\drivers\downld\1243906.exe

C:\WINDOWS\system32\drivers\downld\1260250.exe

C:\WINDOWS\system32\drivers\downld\1282359.exe

C:\WINDOWS\system32\drivers\downld\1308437.exe

C:\WINDOWS\system32\drivers\downld\1324656.exe

C:\WINDOWS\system32\drivers\downld\1422125.exe

C:\WINDOWS\system32\drivers\downld\1430953.exe

C:\WINDOWS\system32\drivers\downld\1528843.exe

C:\WINDOWS\system32\drivers\downld\1819328.exe

C:\WINDOWS\system32\drivers\downld\1972671.exe

C:\WINDOWS\system32\drivers\downld\2123171.exe

C:\WINDOWS\system32\drivers\downld\256765.exe

C:\WINDOWS\system32\drivers\downld\260078.exe

C:\WINDOWS\system32\drivers\downld\266671.exe

C:\WINDOWS\system32\drivers\downld\271906.exe

C:\WINDOWS\system32\drivers\downld\285109.exe

C:\WINDOWS\system32\drivers\downld\285562.exe

C:\WINDOWS\system32\drivers\downld\292468.exe

C:\WINDOWS\system32\drivers\downld\305015.exe

C:\WINDOWS\system32\drivers\downld\305546.exe

C:\WINDOWS\system32\drivers\downld\311968.exe

C:\WINDOWS\system32\drivers\downld\317468.exe

C:\WINDOWS\system32\drivers\downld\326765.exe

C:\WINDOWS\system32\drivers\downld\329609.exe

C:\WINDOWS\system32\drivers\downld\337171.exe

C:\WINDOWS\system32\drivers\downld\337890.exe

C:\WINDOWS\system32\drivers\downld\345500.exe

C:\WINDOWS\system32\drivers\downld\346328.exe

C:\WINDOWS\system32\drivers\downld\346875.exe

C:\WINDOWS\system32\drivers\downld\364015.exe

C:\WINDOWS\system32\drivers\downld\366453.exe

C:\WINDOWS\system32\drivers\downld\377781.exe

C:\WINDOWS\system32\drivers\downld\377796.exe

C:\WINDOWS\system32\drivers\downld\391375.exe

C:\WINDOWS\system32\drivers\downld\405406.exe

C:\WINDOWS\system32\drivers\downld\405546.exe

C:\WINDOWS\system32\drivers\downld\420953.exe

C:\WINDOWS\system32\drivers\downld\422171.exe

C:\WINDOWS\system32\drivers\downld\422218.exe

C:\WINDOWS\system32\drivers\downld\444156.exe

C:\WINDOWS\system32\drivers\downld\450500.exe

C:\WINDOWS\system32\drivers\downld\474109.exe

C:\WINDOWS\system32\drivers\downld\474250.exe

C:\WINDOWS\system32\drivers\downld\479203.exe

C:\WINDOWS\system32\drivers\downld\486171.exe

C:\WINDOWS\system32\drivers\downld\489718.exe

C:\WINDOWS\system32\drivers\downld\499859.exe

C:\WINDOWS\system32\drivers\downld\508281.exe

C:\WINDOWS\system32\drivers\downld\512218.exe

C:\WINDOWS\system32\drivers\downld\544906.exe

C:\WINDOWS\system32\drivers\downld\561062.exe

C:\WINDOWS\system32\drivers\downld\577734.exe

C:\WINDOWS\system32\drivers\downld\585921.exe

C:\WINDOWS\system32\drivers\downld\596578.exe

C:\WINDOWS\system32\drivers\downld\598421.exe

C:\WINDOWS\system32\drivers\downld\621062.exe

C:\WINDOWS\system32\drivers\downld\642234.exe

C:\WINDOWS\system32\drivers\downld\648140.exe

C:\WINDOWS\system32\drivers\downld\648187.exe

C:\WINDOWS\system32\drivers\downld\649734.exe

C:\WINDOWS\system32\drivers\downld\660406.exe

C:\WINDOWS\system32\drivers\downld\676093.exe

C:\WINDOWS\system32\drivers\downld\682484.exe

C:\WINDOWS\system32\drivers\downld\703468.exe

C:\WINDOWS\system32\drivers\downld\711140.exe

C:\WINDOWS\system32\drivers\downld\713343.exe

C:\WINDOWS\system32\drivers\downld\728296.exe

C:\WINDOWS\system32\drivers\downld\738171.exe

C:\WINDOWS\system32\drivers\downld\743359.exe

C:\WINDOWS\system32\drivers\downld\760328.exe

C:\WINDOWS\system32\drivers\downld\816078.exe

C:\WINDOWS\system32\drivers\downld\830875.exe

C:\WINDOWS\system32\drivers\downld\845343.exe

C:\WINDOWS\system32\drivers\downld\864531.exe

C:\WINDOWS\system32\drivers\downld\894750.exe

C:\WINDOWS\system32\drivers\downld\902546.exe

C:\WINDOWS\system32\drivers\downld\925734.exe

C:\WINDOWS\system32\drivers\downld\926359.exe

C:\WINDOWS\system32\drivers\downld\941890.exe

C:\WINDOWS\system32\drivers\downld\970906.exe

C:\WINDOWS\system32\drivers\downld\974296.exe

C:\WINDOWS\system32\drivers\downld\992593.exe

C:\WINDOWS\system32\drivers\hldrrr.exe

C:\WINDOWS\system32\drivers\mdelk.exe

C:\WINDOWS\system32\oledb32.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_srosa

 

 

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))

.

 

2008-05-24 22:39 . 2008-05-24 22:39 <DIR> d-------- C:\WINDOWS\system32\drivers\downld

2008-05-24 00:57 . 2008-05-22 11:25 <DIR> d-------- C:\Arquivos de programas\Direct MIDI to MP3 Converter

2008-05-23 22:24 . 2008-05-23 22:30 <DIR> d-------- C:\Arquivos de programas\ISDecisions

2008-05-23 15:34 . 2008-05-23 15:34 <DIR> d-------- C:\Documents and Settings\Jeovan\Dados de aplicativos\Simply Super Software

2008-05-23 15:34 . 2008-05-23 15:34 <DIR> d-------- C:\Documents and Settings\Jeovan\Dados de aplicativos\PC Tools

2008-05-23 15:34 . 2008-05-23 15:35 <DIR> d-------- C:\Arquivos de programas\Astyle CSS editor

2008-05-23 13:33 . 2008-05-23 13:33 <DIR> d-------- C:\Arquivos de programas\real

2008-05-23 13:33 . 2008-05-23 15:47 <DIR> d-------- C:\Arquivos de programas\eread7.0

2008-05-22 22:28 . 2008-05-23 17:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-05-22 22:28 . 2008-05-22 22:29 1,409 --a------ C:\WINDOWS\QTFont.for

2008-05-22 11:26 . 2008-05-22 11:26 <DIR> d-------- C:\WINDOWS\system32\Logfiles

2008-05-14 18:58 . 2008-05-14 18:58 7,680 --ahs---- C:\WINDOWS\system32\Thumbs.db

2008-05-12 12:58 . 2008-05-23 15:34 <DIR> d-------- C:\Arquivos de programas\Spyware Doctor

2008-05-12 12:58 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-05-12 12:58 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-05-12 12:58 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-05-12 12:58 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-05-11 11:05 . 2008-05-11 11:05 2,887,680 --a------ C:\WINDOWS\system32\VagalumePluginWMP.dll

2008-05-07 18:43 . 2008-05-23 17:09 <DIR> d-------- C:\SUD_IGREJA

2008-04-29 22:40 . 2008-04-29 22:40 <DIR> d-------- C:\Documents and Settings\Jeovan\Dados de aplicativos\Nitro PDF

2008-04-29 22:35 . 2008-04-29 22:35 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\BCL Technologies

2008-04-29 22:34 . 2008-04-29 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Nitro PDF

2008-04-29 22:34 . 2008-04-29 22:34 <DIR> d-------- C:\Arquivos de programas\Nitro PDF

2008-04-29 19:03 . 2008-04-29 19:08 <DIR> d-------- C:\Arquivos de programas\VirtualDJ

2008-04-25 13:15 . 2008-04-25 13:15 <DIR> d--hs---- C:\WINDOWS\ftpcache

2008-04-25 13:15 . 2008-04-25 13:15 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX

2008-04-25 12:16 . 2008-04-25 12:16 <DIR> d-------- C:\Viper Racing

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-25 01:38 --------- d-----w C:\Arquivos de programas\Symantec AntiVirus

2008-05-25 01:30 --------- d-----w C:\Arquivos de programas\Google

2008-05-25 01:05 --------- d-----w C:\Arquivos de programas\DreMule

2008-05-24 13:36 --------- d-----w C:\Arquivos de programas\Trojan Remover

2008-05-23 18:34 --------- d-----w C:\Arquivos de programas\Windows Live Safety Center

2008-05-23 18:34 --------- d-----w C:\Arquivos de programas\Orkut Lite

2008-05-23 18:13 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-05-23 01:28 --------- d-----w C:\Arquivos de programas\QuickTime

2008-05-22 14:26 --------- d-----w C:\Documents and Settings\Jeovan\Dados de aplicativos\uTorrent

2008-05-17 01:50 --------- d-----w C:\Arquivos de programas\Rockstar Games

2008-05-08 20:17 --------- d-----w C:\Documents and Settings\Jeovan\Dados de aplicativos\Skype

2008-05-02 20:35 --------- d-----w C:\Arquivos de programas\Babylon

2008-04-23 04:08 --------- d-----w C:\Arquivos de programas\MadCars_at

2008-04-22 14:52 --------- d-----w C:\Arquivos de programas\Gercli

2008-04-03 19:45 --------- d-----w C:\Arquivos de programas\WinUHA

2008-04-03 00:33 291,968 ----a-w C:\Documents and Settings\Jeovan\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2008-03-30 16:24 --------- d--h--w C:\Documents and Settings\All Users\Dados de aplicativos\{004D2F01-7C4F-4B48-AB03-8679ED5D1F61}

2008-03-30 16:24 --------- d-----w C:\Arquivos de programas\WinSysClean 2008 Trial

2006-06-14 02:15 104 --sh--r C:\WINDOWS\system32\436C017DF3.sys

2006-06-14 02:15 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* empty entries & legit default entries are not shown.

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]

C:\Arquivos de programas\eread7.0\IEeREAD.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]

"vptray"="C:\ARQUIV~1\SYMANT~1\VPTray.exe" [2004-09-17 06:01 708608]

"Win Sync montr"="winsyncupx.exe" []

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"NaturalPoint"="" []

"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]

"GrooveMonitor"="C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16 5562368]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"Win Sync montr"="winsyncupx.exe" []

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

Acrobat Assistant.lnk - C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-04-07 00:42:52 217190]

Adobe Gamma Loader.exe.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoStartMenuPinnedList"= 0 (0x0)

"NoStartMenuMFUprogramsList"= 0 (0x0)

"NoUserNameInStartMenu"= 0 (0x0)

"NoStartMenuSubFolders"= 0 (0x0)

"NoCommonGroups"= 0 (0x0)

"NoPrinterTabs"= 0 (0x0)

"NoDeletePrinter"= 0 (0x0)

"NoAddPrinter"= 0 (0x0)

"NoPrinters"= 0 (0x0)

"NoFavoritesMenu"= 0 (0x0)

"NoToolbarCustomize"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoChangeAnimation"= 0 (0x0)

"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

"NoLogoff"= 0 (0x0)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [ ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3codec"= L3codecp.acm

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Acrobat Assistant.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Acrobat Assistant.lnk

backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.exe.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.exe.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Inicialização rápida do HP Photosmart Premier.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Inicialização rápida do HP Photosmart Premier.lnk

backup=C:\WINDOWS\pss\Inicialização rápida do HP Photosmart Premier.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk

backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Speed Agenda.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Speed Agenda.lnk

backup=C:\WINDOWS\pss\Speed Agenda.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Jeovan^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]

path=C:\Documents and Settings\Jeovan\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Jeovan^Menu Iniciar^Programas^Inicializar^Atalho para xampp-control.lnk]

path=C:\Documents and Settings\Jeovan\Menu Iniciar\Programas\Inicializar\Atalho para xampp-control.lnk

backup=C:\WINDOWS\pss\Atalho para xampp-control.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Jeovan^Menu Iniciar^Programas^Inicializar^Recorte de tela e Iniciador do OneNote 2007.lnk]

path=C:\Documents and Settings\Jeovan\Menu Iniciar\Programas\Inicializar\Recorte de tela e Iniciador do OneNote 2007.lnk

backup=C:\WINDOWS\pss\Recorte de tela e Iniciador do OneNote 2007.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

C:\Arquivos de programas\Ares Galaxy P2P Plus\Ares.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

C:\Arquivos de programas\Babylon\Babylon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

--a------ 2003-10-02 01:20 81920 C:\Arquivos de programas\D-Tools\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\drvsyskit]

C:\WINDOWS\system32\drivers\hldrrr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Emurayden PSX Emulator]

--a------ 2007-04-09 09:23 200704 C:\Arquivos de programas\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-02-19 01:41 49152 C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

---hs---- 2004-10-13 13:24 1694208 C:\Arquivos de programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2005-04-01 15:16 86016 C:\WINDOWS\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2005-04-01 15:16 1495040 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]

C:\Arquivos de programas\Power Scan\powerscan.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2007-04-09 09:23 200704 C:\Arquivos de programas\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-22 22:28 413696 C:\Arquivos de programas\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

--a------ 2007-09-17 17:53 483408 C:\Arquivos de programas\Trojan Remover\Trjscan.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

C:\Arquivos de programas\Save\Save.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Macromedia\\Flash MX\\Flash.exe"=

"C:\\Arquivos de programas\\Electric Rain\\Swift 3D\\Version 4.00\\Program\\Swift3D.exe"=

"C:\\Arquivos de programas\\Macromedia\\Fireworks MX\\Fireworks.exe"=

"C:\\Arquivos de programas\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=

"C:\\Arquivos de programas\\DAP\\DAP.exe"=

"C:\\Arquivos de programas\\Crystal FTP Pro\\crystalftp.exe"=

"C:\\Arquivos de programas\\ABC\\abc.exe"=

"C:\\Arquivos de programas\\HarD4ce\\SuDiX\\SuDiX.exe"=

"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"80:TCP"= 80:TCP:HTTP

 

R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 02:16]

R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 13:37]

S2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe [2007-02-23 13:58]

S3 bepldr;BCL easyPDF SDK 5 Loader;"C:\Arquivos de programas\Arquivos comuns\BCL Technologies\easyPDF 5\bepldr.exe" [2007-02-21 17:26]

S3 I2m_ama;I2m_ama;C:\WINDOWS\system32\drivers\nvapu.sys [2002-04-11 14:42]

S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2006-06-02 12:14]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fe9c9ca-bff0-11d3-a145-00e01876d8e8}]

\Shell\AutoRun\command - nideiect.com

\Shell\explore\Command - nideiect.com

\Shell\open\Command - nideiect.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883cb230-0b19-11dd-a43e-00e01876d8e8}]

\Shell\AutoRun\command - I:\nideiect.com

\Shell\explore\Command - I:\nideiect.com

\Shell\open\Command - I:\nideiect.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c50fccc0-fb76-11d9-9d3d-00e01876d8e8}]

\Shell\AutoRun\command - F:\Setup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed885fab-25af-11dd-a47c-00e01876d8e8}]

\Shell\AutoRun\command - I:\nideiect.com

\Shell\explore\Command - I:\nideiect.com

\Shell\open\Command - I:\nideiect.com

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{20063EB9-64D3-53D3-3AEB-E740124D7590}]

C:\WINDOWS\wmp\wmp.exe s

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-24 22:39:09

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\drivers\CDANTSRV.EXE

C:\WINDOWS\system32\Crypserv.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\imapi.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-05-24 22:52:33 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-25 01:52:21

 

Pre-Run: 4,851,204,096 bytes disponíveis

Post-Run: 4,760,576,000 bytes disponíveis

 

345

 

 

Logfile of HijackThis v1.99.1

Scan saved at 22:57:55, on 24/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\ServicePackFiles\i386\iexplore.exe

C:\HIJACK\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Arquivos de programas\eread7.0\IEeREAD.dll (file missing)

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\ARQUIV~1\SPYWAR~1\tools\iesdsg.dll (file missing)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll (file missing)

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Win Sync montr] winsyncupx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\RunServices: [Win Sync montr] winsyncupx.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Arquivos de programas\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {AEF9B8DB-0DEF-4c0b-8209-661C9E82B8C3} - C:\Arquivos de programas\WinSysClean 2008 Trial\UDManager\UDManager.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\BCL Technologies\easyPDF 5\bepldr.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Arquivos de programas\Symantec AntiVirus\SavRoam.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe

 

Thanks, I'll wait for further instructions.


Hello, ComboFix also showed a virus that infects pen drives and MP3/MP4 players.

 

Download Flash_Disinfector.exe and save it to your desktop.

 

Save or print these instructions:

 

1 - In Add/Remove Programs, uninstall:

 

Save or WhenUSave

 

2 - Delete the folder C:\Qoobox (if it exists), and delete the previous ComboFix log -> C:\combofix.txt

 

3 - Disable your antivirus, antispyware and firewall so they don't cause conflicts. Keep them disabled until you finish the instructions.

 

4 - Select and copy the text inside the QUOTE. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

 

File::

C:\WINDOWS\system32\drivers\hldrrr.exe

C:\WINDOWS\wmp\wmp.exe

I:\nideiect.com

Folder::

C:\WINDOWS\system32\drivers\downld

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Win Sync montr"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"Win Sync montr"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\drvsyskit]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fe9c9ca-bff0-11d3-a145-00e01876d8e8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883cb230-0b19-11dd-a43e-00e01876d8e8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c50fccc0-fb76-11d9-9d3d-00e01876d8e8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed885fab-25af-11dd-a47c-00e01876d8e8}]

5 - If you have a pen drive or an MP3 or MP4 player, connect it to the PC (if you have more than one, you must connect all of them). Do not remove them until you have completed all the instructions.

 

Run Flash_Disinfector.exe. Follow the prompts that may appear.

 

Wait until the program finishes its search, then exit the program.

 

6 - Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

 

[image: CFScript.gif]

 

ComboFix will run and will restart the PC automatically to complete the removal process. If that doesn't happen, restart it manually.

 

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

 

When it finishes, a log will be generated at C:\ComboFix.txt.

 

NOTE: Do not run ComboFix more than once. That will overwrite the log and make removing the malware harder.

 

7 - Remove the pen drive\MP3\MP4 you connected.

 

8 - Generate a new log with HijackThis and post it, together with ComboFix.txt.

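As an added example (not a tool from this thread, nor from ComboFix or HijackThis), a small Python scanner that applies two of the checks the helper made by hand on the log above: Run/RunServices values that name a bare file with no path, and MountPoints2 AutoRun/open handlers that launch an executable from a drive letter. The sample lines are constructed from the log quoted in this thread.

```python
import re

# Constructed sample: a few lines taken from the ComboFix/HijackThis log quoted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Win Sync montr] winsyncupx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Win Sync montr] winsyncupx.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{883cb230-0b19-11dd-a43e-00e01876d8e8}]
\Shell\AutoRun\command - I:\nideiect.com
\Shell\open\Command - I:\nideiect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c50fccc0-fb76-11d9-9d3d-00e01876d8e8}]
\Shell\AutoRun\command - F:\Setup.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")
MP2_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
MP2_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.*)$", re.I)
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")


def scan(log_text):
    """Return (rule, location, target) tuples for entries worth a closer look."""
    findings = []
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            key, name, cmd = m.groups()
            # A Run value with no drive letter or directory is resolved through the
            # search PATH; legitimate installers almost always write a full path.
            if "\\" not in cmd and ":" not in cmd:
                findings.append(("bare-path-run", f"{key} [{name}]", cmd))
            continue
        m = MP2_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = MP2_CMD_RE.match(line)
        if m and current_key:
            verb, target = m.groups()
            # A per-volume MountPoints2 handler makes double-clicking the drive run
            # the target; any executable here deserves a look, above all a .com
            # sitting at the root of a removable drive.
            if target.lower().endswith(EXEC_EXT):
                findings.append(("mountpoints2-autorun", f"{current_key} {verb}", target))
    return findings
```

Running `scan(SAMPLE_LOG)` returns five findings: both `Win Sync montr` values and the three drive handlers, while the full-path entries (including the RUNDLL32 one) pass.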

Topic Archived

 

Since the author did not reply for more than 20 days, the topic was archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of the section together with the link to this topic and explain the reason for reopening.

