quintelab (posted July 23, 2008):
I lent my beloved pen drive to a friend, and when I went to use it, my machine was already infected. There are some files on D: such as 0gjn3yw.exe and fi.cmd; they are hidden, I can't see them, I can't even change their attributes, and I can't delete them even with the DOS del command. Is there some Chuck Norris del command to wipe them?? Some changes I noticed the virus causes: it doesn't let me see the hidden files on my machine; it changes the registry value CheckedValue from 1 to 0 at the following path: HKEY_LOCAL_MACHINE_SOFTWARE/WINDOWS/CurrentVersion/Explorer/Advanced/Folder/Hidden/SHOWALL. Even if I change the value to 1, one F5 and that's it, it goes back to 0. Help....
Silas Martins (posted July 23, 2008):
Follow the instructions contained HERE.
quintelab (posted July 23, 2008):
Okay, here it is:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:24:32, on 23/07/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe C:\ARQUIV~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Symantec AntiVirus\DefWatch.exe C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\system32\CBA\pds.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe C:\WINDOWS\system32\wuauclt.exe C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - 
HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://d/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Atalho para Script.lnk = C:\Script.bat O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) 
- {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://atrativa.terra.com.br/games/applets...mjolauncher.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\Software\..\Telephony: DomainName = DURAII.local O17 - HKLM\System\CCS\Services\Tcpip\..\{B26DE35F-7594-4CB8-A3E2-C129CE635825}: NameServer = 10.1.1.1,200.140.114.136 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DURAII.local O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O20 - 
Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\DefWatch.exe O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe -- End of file - 7468 bytes
Silas Martins (posted July 23, 2008):
Follow the instructions: Download MSNfix. Save it to the desktop and unzip it; after that, double-click MSNFix.bat. The MSN_Fix menu screen will open; in it, press option R and the scan will start. If the scan detects something, the following message will appear: Infection Presente; press Enter and continue. If you want to stop the process, press the Q key. When it finishes, Notepad will open with a log; select all of it and copy it. It is in the file msnfix.txt. Also post a new HijackThis log. I await your reply.
quintelab (posted July 23, 2008):
Thanks a lot, man. I'll just have to find a Windows CD to recover the system, because Windows doesn't even boot anymore.
quintelab (posted July 24, 2008):
Silas, as you suggested, I followed the steps:
msnfix
MSNFix 1.735 C:\Documents and Settings\Bruno Quintella\Desktop\MSNFix\MSNFix Fix lançado dia 24/07/2008 - 11:00:59,68 By Bruno Quintella modo normal ************************ Procurando os arquivos presentes ... C:\??????.exe ... C:\autorun.inf ... C:\Autorun.inf ... C:\WINDOWS\system32\DelZip179.dll ************************ Procurando as pastas presentes Nenhuma pasta encontrada ************************ Apagando os arquivos /!\ ... C:\??????.exe .. OK ... C:\autorun.inf .. OK ... C:\Autorun.inf .. OK ... C:\WINDOWS\system32\DelZip179.dll ************************ Limpeza do registro Os arquivos ainda presentes serão apagado no proximo boot ************************ Apagando os arquivos .. OK ... C:\??????.exe ************************ Arquivos suspeitos Nenhum arquivo encontrado Os arquivos e as chaves do registro apagados foram salvos no arquivo 24072008_11065718.zip ************************ HKLM\...\Winlogon\Userinit Userinit = C:\WINDOWS\system32\userinit.exe, ------------------------------------------------------------------------ Autor : !aur3n7 Contact: http://changelog.fr ------------------------------------------------------------------------ --------------------------------------------- END ---------------------------------------------
hijackthis
Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:09:35, on 24/07/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe C:\Arquivos de programas\Symantec AntiVirus\DefWatch.exe C:\Arquivos de 
programas\Firebird\Firebird_2_0\bin\fbguard.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\system32\CBA\pds.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe C:\ARQUIV~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\ctfmon.exe C:\DOCUME~1\BRUNOQ~1\CONFIG~1\Temp\RtkBtMnt.exe C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://d/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll 
O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: 
Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://atrativa.terra.com.br/games/applets...mjolauncher.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\Software\..\Telephony: DomainName = DURAII.local O17 - HKLM\System\CCS\Services\Tcpip\..\{B26DE35F-7594-4CB8-A3E2-C129CE635825}: NameServer = 10.1.1.1,200.140.114.136 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DURAII.local O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\DefWatch.exe O23 - Service: Firebird Guardian - 
DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec AntiVirus\Rtvscan.exe -- End of file - 7397 bytes
Silas Martins (posted July 25, 2008):
Hello! I am going through your log. I will reply to you shortly.
DigRam (posted July 25, 2008):
Hi, quintelab, good afternoon! At the request of collaborator Silas Martins, I am taking over the case. I hope the analyst finds time for his commitments and returns to his analyses.
<@> Download ComboFix.
<@> Save it to the Desktop!
<@> Disable the resident protection of: antivirus, antispyware and Firewall (except the Windows one!).
<@> Close all windows and run the tool! If you get the notification "Invalid Win32 application", delete the tool and download it again. Save it to the Desktop renamed as: Kombo.exe. PS: Rename it while saving, not after saving it! PS: If any error message occurs, run ComboFix in Safe Mode.
<@> The Auto Scan window will open. Wait!
<@> Type the option to continue and < Enter >
<@> Wait for it to finish! During the scan, avoid touching the mouse or keyboard!
<@> To stop or exit ComboFix, press "N".
-------------------------
<@> Post the report C:\ComboFix.txt in your reply + an updated HJT log.
Cheers!
quintelab (posted July 28, 2008):
DigRam, thanks for the help, man!! I'm posting the ComboFix log here, but I'll give my layman's opinion: I believe the viruses are gone, and all the problems I had on the machine have been resolved.
Log:
ComboFix 08-07-27.5 - Bruno Quintella 2008-07-27 22:55:48.1 - NTFSx86 MINIMALExecutando de: C:\Documents and Settings\Bruno Quintella\Desktop\ComboFix.exe ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !! . ((((((((((((((((((((((((((((((((((((( Outras Exclusões ))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\1rfw8hjr.com C:\Autorun.inf C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\FNA2MXLY\interclick.com C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\FNA2MXLY\interclick.com\ud.sol C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol C:\WINDOWS\system32\Cache C:\WINDOWS\system32\Cfx32.lic C:\WINDOWS\system32\cfx32.ocx C:\WINDOWS\system32\ckvo.exe C:\WINDOWS\system32\ckvo0.dll D:\Autorun.inf . ((((((((((((((((((((((( Ficheiros criados de 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))) . 2008-07-25 00:00 . 2008-07-25 00:00 <DIR> d-------- C:\Documents and Settings\Bruno Quintella\Contacts 2008-07-24 23:59 . 2008-07-25 00:00 <DIR> d-------- C:\Arquivos de programas\Windows Live 2008-07-24 13:07 . 2008-07-24 23:59 <DIR> d--hsc--- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller 2008-07-24 13:06 . 2008-07-24 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller 2008-07-24 13:06 . 2008-07-24 13:09 <DIR> d-------- C:\Arquivos de programas\Valve 2008-07-24 10:53 . 
2005-11-28 12:56 143,360 --a------ C:\WINDOWS\system32\igfxres.dll 2008-07-24 10:45 . 2004-08-03 21:31 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime 2008-07-24 10:44 . 2001-10-28 11:06 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll 2008-07-24 10:43 . 2001-10-28 11:06 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll 2008-07-24 10:42 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2008-07-24 10:39 . 2001-10-28 11:06 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe 2008-07-24 10:36 . 2001-10-28 11:06 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe 2008-07-24 05:54 . 2008-07-27 22:53 1,063,403,520 --a------ C:\WINDOWS\MEMORY.DMP 2008-07-23 16:24 . 2008-07-23 16:24 <DIR> d-------- C:\Arquivos de programas\Trend Micro 2008-07-23 14:40 . 2008-07-24 11:02 645 --a------ C:\autorun.MSNFix 2008-07-23 13:40 . 2008-07-25 09:43 87,297 -r-hs---- C:\g2pfnid.com 2008-07-23 11:49 . 2008-07-23 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy 2008-07-23 11:49 . 2008-07-23 12:25 <DIR> d-------- C:\Arquivos de programas\Spybot - Search & Destroy 2008-07-18 08:04 . 2008-07-18 08:04 <DIR> d-------- C:\WINDOWS\system32\WinNTDlls 2008-07-18 08:04 . 2008-07-18 08:04 <DIR> d-------- C:\WINDOWS\system32\Win98Dlls 2008-07-18 08:04 . 
2008-07-18 08:24 <DIR> d-------- C:\Arquivos de programas\Microsoft Press Training Kit Exam Prep 2008-07-15 14:54 . 2008-07-15 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avg8 2008-07-14 14:48 . 2008-07-27 21:23 79,360 -r-hs---- C:\WINDOWS\system32\ckvo1.dll 2008-07-11 16:56 . 2008-07-11 16:56 <DIR> d-------- C:\Arquivos de programas\Google 2008-07-10 11:18 . 2006-12-11 09:44 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll 2008-07-10 11:18 . 2006-12-11 09:44 116,736 --a------ C:\WINDOWS\system32\aaclient.dll 2008-07-10 11:18 . 2006-12-11 09:44 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll 2008-07-10 08:02 . 2008-07-10 08:02 2,923 --a------ C:\WINDOWS\RBuilder.ini 2008-07-09 17:13 . 2003-10-16 19:11 867,328 --a------ C:\WINDOWS\system\IBOLE.dll 2008-07-08 21:57 . 2008-07-08 21:59 <DIR> d-------- C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\GetRightToGo 2008-07-08 14:21 . 2008-07-08 14:21 <DIR> d-------- C:\Arquivos de programas\Lavalys 2008-07-07 08:42 . 2008-07-07 08:42 <DIR> d-------- C:\WINDOWS\SchCache . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-07-28 02:53 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin 2008-07-25 21:29 --------- d-----w C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\Skype 2008-07-24 15:28 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Symantec 2008-07-24 15:28 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared 2008-07-24 15:27 --------- d-----w C:\Arquivos de programas\Symantec 2008-07-23 16:08 --------- d-----w C:\Arquivos de programas\PowerISO 2008-07-23 13:07 --------- d-----w C:\Arquivos de programas\Launch Manager 2008-07-18 19:02 --------- d-----w C:\Arquivos de programas\eMule 2008-07-14 21:26 69 ------w C:\Script.bat 2008-07-11 17:55 --------- d-----w C:\Arquivos de programas\GbPlugin 2008-07-08 20:03 --------- d-----w C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\skypePM 2008-06-28 20:24 --------- d-----w C:\Arquivos de programas\PKR 2008-06-16 21:43 --------- d-----w C:\Arquivos de programas\TortoiseCVS 2008-06-16 21:35 --------- d-----w C:\Arquivos de programas\FirebirdClient 2.0 2008-06-16 21:02 --------- d-----w C:\Arquivos de programas\GExperts for Delphi 7 2008-06-16 21:00 --------- d-----w C:\Arquivos de programas\Indy 9 for Delphi 6 2008-06-16 20:55 --------- d-----w C:\Arquivos de programas\Steema Software 2008-06-16 20:52 --------- d-----w C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\HK-Software 2008-06-16 20:52 --------- d-----w C:\Arquivos de programas\Woll2Woll 2008-06-16 20:50 --------- d-----w C:\Arquivos de programas\HK-Software 2008-06-16 20:49 --------- d-----w C:\Arquivos de programas\Firebird 2008-06-16 20:41 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Borland Shared 2008-06-16 20:34 --------- d-----w C:\Arquivos de programas\Borland 2008-06-16 03:04 --------- d-----w C:\Arquivos de programas\Arquivos comuns\DVDVideoSoft 2008-06-16 03:03 --------- d-----w C:\Arquivos de programas\DVDVideoSoft 2008-02-09 
01:16 32 ----a-w C:\Documents and Settings\All Users\Dados de aplicativos\ezsid.dat . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Nota* entradas vazias & legítimas por defeito não são mostradas. [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45 15360] "MsnMsgr"="C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:07 761946] "AzMixerSel"="C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 16:51 53248] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 12:55 98304] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 12:52 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 12:55 118784] "RTHDCPL"="RTHDCPL.EXE" [2006-01-11 14:23 15961088 C:\WINDOWS\RTHDCPL.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360] C:\Documents and Settings\Bruno Quintella\Menu Iniciar\Programas\Inicializar\ Atalho para Script.lnk - C:\Script.bat [2008-06-16 16:25:11 69] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableCAD"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= "C:\ARQUIV~1\GBPLUGIN\gbieh.dll" [2008-04-15 09:37 378696] "{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "C:\Arquivos de programas\GbPlugin\gbiehcef.dll" [2008-06-11 14:47 366672] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb] 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef] 2008-06-11 
14:47 366672 C:\Arquivos de programas\GbPlugin\gbiehcef.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk] backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk] backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayHabil HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] --a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] --a------ 2007-01-01 18:54 3735552 C:\Arquivos de programas\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd] --a------ 2005-11-28 12:52 77824 C:\WINDOWS\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers] --a------ 2005-11-28 12:55 118784 C:\WINDOWS\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] --a------ 2005-11-28 12:55 98304 C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager] --a------ 2006-01-09 17:23 589824 C:\ARQUIV~1\LAUNCH~1\LManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\PWRISOVM.EXE] --a------ 2007-01-20 03:09 200704 C:\Arquivos de programas\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] -ra------ 2008-05-30 15:54 21718312 C:\Arquivos de programas\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 00:11 132496 C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2008-01-15 18:54 37376 C:\Arquivos de programas\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] --a------ 2005-05-03 15:43 69632 C:\WINDOWS\Alcmtr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] --a------ 2006-01-11 14:23 15961088 C:\WINDOWS\RTHDCPL.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Bonjour Service"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "usnjsvc"=3 (0x3) "idsvc"=3 (0x3) "GbpSv"=2 (0x2) "FLEXnet Licensing Service"=3 (0x3) "ose"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Arquivos de programas\\Valve\\hl.exe"= "C:\\Arquivos de programas\\LeapFTP\\LeapFTP.exe"= "C:\\Arquivos de programas\\eMule\\emule.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"= "C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "80:TCP"= 80:TCP:Web "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe [2007-03-02 14:05] S3 FirebirdServerDefaultInstance;Firebird Server 
- DefaultInstance;C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe [2007-03-02 14:05] S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2007-03-23 20:13] S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Arquivos de programas\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 07:58] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C] \Shell\AutoRun\command - C:\g2pfnid.com \Shell\explore\Command - C:\g2pfnid.com \Shell\open\Command - C:\g2pfnid.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - D:\g2pfnid.com \Shell\explore\Command - D:\g2pfnid.com \Shell\open\Command - D:\g2pfnid.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] \Shell\AutoRun\command - I:\1rfw8hjr.com \Shell\explore\Command - I:\1rfw8hjr.com \Shell\open\Command - I:\1rfw8hjr.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q] \Shell\AutoRun\command - Q:\1rfw8hjr.com \Shell\explore\Command - Q:\1rfw8hjr.com \Shell\open\Command - Q:\1rfw8hjr.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\T] \Shell\AutoRun\command - T:\1rfw8hjr.com \Shell\explore\Command - T:\1rfw8hjr.com \Shell\open\Command - T:\1rfw8hjr.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05cb3340-ddbe-11dc-b108-0016d4af6fc0}] \Shell\AutoRun\command - ntde1ect.com \Shell\explore\Command - ntde1ect.com \Shell\open\Command - ntde1ect.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05cb3341-ddbe-11dc-b108-0016d4af6fc0}] \Shell\AutoRun\command - ntde1ect.com \Shell\explore\Command - ntde1ect.com \Shell\open\Command - ntde1ect.com 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cbcc68a-4c4e-11dd-b216-0016d4af6fc0}] \Shell\AutoRun\command - t9peum02.exe \Shell\explore\Command - t9peum02.exe \Shell\open\Command - t9peum02.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0b6b2b8-418f-11dd-b1ff-0016d4af6fc0}] \Shell\AutoRun\command - F:\g2pfnid.com \Shell\explore\Command - F:\g2pfnid.com \Shell\open\Command - F:\g2pfnid.com [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fceb94a0-e2f3-11dc-b118-0016d4af6fc0}] \Shell\AutoRun\command - ntde1ect.com \Shell\explore\Command - ntde1ect.com \Shell\open\Command - ntde1ect.com *Newly Created Service* - CATCHME *Newly Created Service* - MDMXSDK *Newly Created Service* - PARPORT . - - - - ORFAOS REMOVIDOS - - - - HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe Notify-NavLogon - (no file) Notify-WgaLogon - (no file) MSConfigStartUp-kamsoft - C:\WINDOWS\system32\ckvo.exe . ------- Ccan Suplementar ------- . R0 -: HKCU-Main,Start Page = about:blank R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://d/ R1 -: HKCU-Internet Settings,ProxyOverride = *.local O8 -: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000 O17 -: HKLM\CCS\Interface\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136 O17 -: HKLM\CCS\Interface\{B26DE35F-7594-4CB8-A3E2-C129CE635825}: NameServer = 10.1.1.1,200.140.114.136 O16 -: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab C:\WINDOWS\Downloaded Program Files\gbpdist.inf C:\WINDOWS\Downloaded Program Files\gbpdist.dll ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-27 23:00:59 Windows 5.1.2600 Service Pack 2 NTFS Procurando processos ocultos ... 
Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros ocultos ... Varredura completada com sucesso Ficheiros ocultos: 0 ************************************************************************** . Tempo para conclusão: 2008-07-27 23:03:56 ComboFix-quarantined-files.txt 2008-07-28 03:03:26 Pre-Run: 7 pasta(s) 45,595,766,784 bytes disponíveis Post-Run: 10 pasta(s) 45,616,406,528 bytes disponíveis 252 --- E O F --- 2008-06-21 21:00:59
This thing really is good; if you conclude that the viruses have actually been removed, feel free to change the topic status to resolved. Regards...
DigRam 144, posted July 28, 2008
Good morning, quintelab!
I'm posting the ComboFix log here, but I'll give my layman's opinion that I believe the viruses are gone; the problems I had on the machine have all been resolved.
<!> We will go a little further and, to speed things up, we will not install the Recovery Console. Plug your removable drive(s) into the USB port (pen drive, mp3, mp4, iPods, etc.).
<@> Select and copy all the content in the QUOTE area into Notepad.
<@> Save it on the Desktop with the name: CFScript.txt
<@> Disable Spybot's resident protection (TeaTimer). <-- Important!
File::
C:\WINDOWS\system32\ckvo1.dll
C:\autorun.MSNFix
C:\g2pfnid.com
C:\WINDOWS\Alcmtr.exe
C:\g2pfnid.com
D:\g2pfnid.com
I:\1rfw8hjr.com
Q:\1rfw8hjr.com
T:\1rfw8hjr.com
F:\g2pfnid.com
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\T]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05cb3340-ddbe-11dc-b108-0016d4af6fc0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05cb3341-ddbe-11dc-b108-0016d4af6fc0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cbcc68a-4c4e-11dd-b216-0016d4af6fc0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0b6b2b8-418f-11dd-b1ff-0016d4af6fc0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fceb94a0-e2f3-11dc-b118-0016d4af6fc0}]
<@> Drag CFScript.txt onto the ComboFix icon/window.
<@> See the demonstration!
<@> Reboot the computer!
<@> When it finishes, post the reports: C:\ComboFix.txt + an updated HJT log.
Regards!
quintelab 91, posted July 28, 2008
ComboFix.txt
ComboFix 08-07-27.5 - Bruno Quintella 2008-07-28 9:02:51.2 - NTFSx86 MINIMALMicrosoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.785 [GMT -4:00] Executando de: C:\Documents and Settings\Bruno Quintella\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Bruno Quintella\Desktop\CFScript.txt ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !! FILE :: C:\autorun.MSNFix C:\g2pfnid.com C:\WINDOWS\Alcmtr.exe C:\WINDOWS\system32\ckvo1.dll D:\g2pfnid.com F:\g2pfnid.com I:\1rfw8hjr.com Q:\1rfw8hjr.com T:\1rfw8hjr.com . ((((((((((((((((((((((((((((((((((((( Outras Exclusões ))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\1rfw8hjr.com C:\Autorun.inf C:\autorun.MSNFix C:\g2pfnid.com C:\WINDOWS\Alcmtr.exe C:\WINDOWS\system32\ckvo.exe C:\WINDOWS\system32\ckvo0.dll C:\WINDOWS\system32\ckvo1.dll D:\Autorun.inf D:\g2pfnid.com F:\g2pfnid.com I:\1rfw8hjr.com I:\Autorun.inf Q:\1rfw8hjr.com Q:\Autorun.inf T:\1rfw8hjr.com T:\Autorun.inf . ((((((((((((((((((((((( Ficheiros criados de 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))) . 2008-07-25 00:00 . 2008-07-25 00:00 <DIR> d-------- C:\Documents and Settings\Bruno Quintella\Contacts 2008-07-24 23:59 . 2008-07-25 00:00 <DIR> d-------- C:\Arquivos de programas\Windows Live 2008-07-24 13:07 . 2008-07-24 23:59 <DIR> d--hsc--- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller 2008-07-24 13:06 . 2008-07-24 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller 2008-07-24 13:06 . 2008-07-24 13:09 <DIR> d-------- C:\Arquivos de programas\Valve 2008-07-24 10:53 . 2005-11-28 12:56 143,360 --a------ C:\WINDOWS\system32\igfxres.dll 2008-07-24 10:45 . 2004-08-03 21:31 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime 2008-07-24 10:44 . 2001-10-28 11:06 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll 2008-07-24 10:43 . 
2001-10-28 11:06 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll 2008-07-24 10:42 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2008-07-24 10:39 . 2001-10-28 11:06 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe 2008-07-24 10:36 . 2001-10-28 11:06 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe 2008-07-24 05:54 . 2008-07-28 08:49 1,063,403,520 --a------ C:\WINDOWS\MEMORY.DMP 2008-07-23 16:24 . 2008-07-23 16:24 <DIR> d-------- C:\Arquivos de programas\Trend Micro 2008-07-23 11:49 . 2008-07-28 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy 2008-07-23 11:49 . 2008-07-28 08:38 <DIR> d-------- C:\Arquivos de programas\Spybot - Search & Destroy 2008-07-18 08:04 . 2008-07-18 08:04 <DIR> d-------- C:\WINDOWS\system32\WinNTDlls 2008-07-18 08:04 . 2008-07-18 08:04 <DIR> d-------- C:\WINDOWS\system32\Win98Dlls 2008-07-18 08:04 . 2008-07-18 08:24 <DIR> d-------- C:\Arquivos de programas\Microsoft Press Training Kit Exam Prep 2008-07-15 14:54 . 2008-07-15 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avg8 2008-07-11 16:56 . 2008-07-11 16:56 <DIR> d-------- C:\Arquivos de programas\Google 2008-07-10 11:18 . 2006-12-11 09:44 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll 2008-07-10 11:18 . 2006-12-11 09:44 116,736 --a------ C:\WINDOWS\system32\aaclient.dll 2008-07-10 11:18 . 
2006-12-11 09:44 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll 2008-07-10 08:02 . 2008-07-10 08:02 2,923 --a------ C:\WINDOWS\RBuilder.ini 2008-07-09 17:13 . 2003-10-16 19:11 867,328 --a------ C:\WINDOWS\system\IBOLE.dll 2008-07-08 21:57 . 2008-07-08 21:59 <DIR> d-------- C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\GetRightToGo 2008-07-08 14:21 . 2008-07-08 14:21 <DIR> d-------- C:\Arquivos de programas\Lavalys 2008-07-07 08:42 . 2008-07-07 08:42 <DIR> d-------- C:\WINDOWS\SchCache . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-28 13:00 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin 2008-07-28 12:44 --------- d-----w C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\Skype 2008-07-24 15:28 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Symantec 2008-07-24 15:28 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared 2008-07-24 15:27 --------- d-----w C:\Arquivos de programas\Symantec 2008-07-23 16:08 --------- d-----w C:\Arquivos de programas\PowerISO 2008-07-23 13:07 --------- d-----w C:\Arquivos de programas\Launch Manager 2008-07-18 19:02 --------- d-----w C:\Arquivos de programas\eMule 2008-07-14 21:26 69 ------w C:\Script.bat 2008-07-11 17:55 --------- d-----w C:\Arquivos de programas\GbPlugin 2008-07-08 20:03 --------- d-----w C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\skypePM 2008-06-28 20:24 --------- d-----w C:\Arquivos de programas\PKR 2008-06-16 21:43 --------- d-----w C:\Arquivos de programas\TortoiseCVS 2008-06-16 21:35 --------- d-----w C:\Arquivos de programas\FirebirdClient 2.0 2008-06-16 21:02 --------- d-----w C:\Arquivos de programas\GExperts for Delphi 7 2008-06-16 21:00 --------- d-----w C:\Arquivos de programas\Indy 9 for Delphi 6 2008-06-16 20:55 --------- d-----w C:\Arquivos de programas\Steema Software 2008-06-16 20:52 --------- 
d-----w C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\HK-Software 2008-06-16 20:52 --------- d-----w C:\Arquivos de programas\Woll2Woll 2008-06-16 20:50 --------- d-----w C:\Arquivos de programas\HK-Software 2008-06-16 20:49 --------- d-----w C:\Arquivos de programas\Firebird 2008-06-16 20:41 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Borland Shared 2008-06-16 20:34 --------- d-----w C:\Arquivos de programas\Borland 2008-06-16 03:04 --------- d-----w C:\Arquivos de programas\Arquivos comuns\DVDVideoSoft 2008-06-16 03:03 --------- d-----w C:\Arquivos de programas\DVDVideoSoft 2008-02-09 01:16 32 ----a-w C:\Documents and Settings\All Users\Dados de aplicativos\ezsid.dat . ((((((((((((((((((((((((((((( snapshot@2008-07-27_23.03.06.85 ))))))))))))))))))))))))))))))))))))))))) . - 2008-07-28 02:51:11 212,788 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin + 2008-07-28 12:58:26 212,776 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin - 2008-07-28 02:58:15 97,042 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-07-28 13:04:36 97,042 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-07-28 02:58:15 107,658 ----a-w C:\WINDOWS\system32\perfc016.dat + 2008-07-28 13:04:36 107,658 ----a-w C:\WINDOWS\system32\perfc016.dat - 2008-07-28 02:58:15 520,384 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-07-28 13:04:36 520,384 ----a-w C:\WINDOWS\system32\perfh009.dat - 2008-07-28 02:58:15 557,674 ----a-w C:\WINDOWS\system32\perfh016.dat + 2008-07-28 13:04:36 557,674 ----a-w C:\WINDOWS\system32\perfh016.dat . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Nota* entradas vazias & legítimas por defeito não são mostradas. 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45 15360] "MsnMsgr"="C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184] "kamsoft"="C:\WINDOWS\system32\ckvo.exe" [bU] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:07 761946] "AzMixerSel"="C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 16:51 53248] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 12:55 98304] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 12:52 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 12:55 118784] "RTHDCPL"="RTHDCPL.EXE" [2006-01-11 14:23 15961088 C:\WINDOWS\RTHDCPL.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360] C:\Documents and Settings\Bruno Quintella\Menu Iniciar\Programas\Inicializar\ Atalho para Script.lnk - C:\Script.bat [2008-06-16 16:25:11 69] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableCAD"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= "C:\ARQUIV~1\GBPLUGIN\gbieh.dll" [2008-04-15 09:37 378696] "{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "C:\Arquivos de programas\GbPlugin\gbiehcef.dll" [2008-06-11 14:47 366672] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb] 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef] 2008-06-11 14:47 366672 C:\Arquivos de programas\GbPlugin\gbiehcef.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk] backup=C:\WINDOWS\pss\Adobe Reader 
Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk] backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayHabil HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] --a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] --a------ 2007-01-01 18:54 3735552 C:\Arquivos de programas\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd] --a------ 2005-11-28 12:52 77824 C:\WINDOWS\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers] --a------ 2005-11-28 12:55 118784 C:\WINDOWS\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] --a------ 2005-11-28 12:55 98304 C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager] --a------ 2006-01-09 17:23 589824 C:\ARQUIV~1\LAUNCH~1\LManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] --a------ 2007-01-20 03:09 200704 C:\Arquivos de programas\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] -ra------ 2008-05-30 
15:54 21718312 C:\Arquivos de programas\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 00:11 132496 C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2008-01-15 18:54 37376 C:\Arquivos de programas\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] --a------ 2006-01-11 14:23 15961088 C:\WINDOWS\RTHDCPL.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Bonjour Service"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "usnjsvc"=3 (0x3) "idsvc"=3 (0x3) "GbpSv"=2 (0x2) "FLEXnet Licensing Service"=3 (0x3) "ose"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Arquivos de programas\\Valve\\hl.exe"= "C:\\Arquivos de programas\\LeapFTP\\LeapFTP.exe"= "C:\\Arquivos de programas\\eMule\\emule.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"= "C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "80:TCP"= 80:TCP:Web "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe [2007-03-02 14:05] S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe [2007-03-02 14:05] S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2007-03-23 20:13] S4 msvsmon90;Visual Studio 2008 Remote 
Debugger;C:\Arquivos de programas\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 07:58] *Newly Created Service* - MDMXSDK . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-28 09:07:19 Windows 5.1.2600 Service Pack 2 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros ocultos ... Varredura completada com sucesso Ficheiros ocultos: 0 ************************************************************************** . Tempo para conclusão: 2008-07-28 9:10:44 ComboFix-quarantined-files.txt 2008-07-28 13:10:37 ComboFix2.txt 2008-07-28 03:03:57 Pre-Run: 7 pasta(s) 45,605,314,560 bytes disponíveis Post-Run: 10 pasta(s) 45,589,725,184 bytes disponíveis 220 --- E O F --- 2008-06-21 21:00:59 hijackthis.log Logfile of Trend Micro HijackThis v2.0.2Scan saved at 09:18:12, on 28/07/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe C:\DOCUME~1\BRUNOQ~1\CONFIG~1\Temp\RtkBtMnt.exe C:\Arquivos de 
programas\Skype\Phone\Skype.exe C:\Arquivos de programas\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://d/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - 
HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Atalho para Script.lnk = C:\Script.bat O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: 
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://atrativa.terra.com.br/games/applets...mjolauncher.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\Software\..\Telephony: DomainName = DURAII.local O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136 O17 - HKLM\System\CCS\Services\Tcpip\..\{B26DE35F-7594-4CB8-A3E2-C129CE635825}: NameServer = 10.1.1.1,200.140.114.136 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\System\CS1\Services\Tcpip\..\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\System\CS2\Services\Tcpip\..\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe -- End of file - 7059 bytes
Regards...
DigRam 144, posted July 28, 2008
Good afternoon, quintelab!
<@> Select and copy all the content in the QUOTE area into Notepad.
<@> Save it on the Desktop with the name: CFScript.txt
File::
C:\WINDOWS\system32\ckvo.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kamsoft"=-
<@> Drag CFScript.txt onto the ComboFix icon/window.
<@> See the demonstration!
<@> Reboot the computer!
<@> When it finishes, post the reports: C:\ComboFix.txt + an updated HJT log.
Regards!
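Both CFScripts the helper wrote above (the MountPoints2 key removals with their File:: targets, and the "kamsoft"=- value removal for an executable ComboFix had already deleted) can be drafted from the ComboFix log itself. The following Python script is an added example, not part of the original thread and not a ComboFix feature; the log excerpt inside it is constructed from entries visible in this thread's logs, and the "Outras Exclusões" and MountPoints2 line formats it parses are the ones shown in those logs.

```python
"""Draft a ComboFix CFScript from a ComboFix log, the way the helper did by hand.

Added example for this thread (not part of the original posts, not a ComboFix feature):
MountPoints2 keys whose Shell\\AutoRun\\command points at a worm executable become
[-key] deletions with their absolute targets under File::, and Run values whose
executable ComboFix already removed (here "kamsoft" -> ckvo.exe) become "name"=-.
"""
import re

# Constructed excerpt modelled on entries visible in the thread's own logs.
SAMPLE_LOG = r"""
((((((((((((( Outras Exclusões )))))))))))))
.
C:\Autorun.inf
C:\g2pfnid.com
C:\WINDOWS\system32\ckvo.exe
D:\Autorun.inf
D:\g2pfnid.com
.
((((((((((((( Pontos de Carregamento do Registro )))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45 15360]
"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [bU]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\g2pfnid.com
\Shell\explore\Command - D:\g2pfnid.com
\Shell\open\Command - D:\g2pfnid.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\1rfw8hjr.com
\Shell\explore\Command - I:\1rfw8hjr.com
\Shell\open\Command - I:\1rfw8hjr.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05cb3340-ddbe-11dc-b108-0016d4af6fc0}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                      # [HKEY_...] key header
MP2_RE = re.compile(r"\\explorer\\mountpoints2\\", re.IGNORECASE)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')                     # "name"="path" [...]
ABS_RE = re.compile(r"^[A-Za-z]:\\")                              # target has a drive letter


def parse_log(text):
    """Return (deleted_paths, mountpoints, run_entries) parsed from ComboFix log text."""
    deleted, mountpoints, run_entries = set(), {}, {}
    in_deleted, key = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("(((("):          # section banner
            in_deleted = "Exclus" in line    # 'Outras Exclusões': files ComboFix deleted
            key = None
            continue
        if in_deleted:
            deleted.add(line.lower())        # Windows paths compare case-insensitively
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key and MP2_RE.search(key):
            v = VERB_RE.match(line)          # \Shell\AutoRun\command - <target>
            if v:
                mountpoints.setdefault(key, {})[v.group(1).lower()] = v.group(2).strip()
        elif key and key.lower().endswith("\\run"):
            r = RUN_RE.match(line)
            if r:
                run_entries.setdefault(key, {})[r.group(1)] = r.group(2)
    return deleted, mountpoints, run_entries


def unresolved_targets(mountpoints):
    """Bare names (no drive letter) cannot go under File::; they must be found on the device."""
    return sorted({t for v in mountpoints.values() for t in v.values() if not ABS_RE.match(t)})


def build_cfscript(deleted, mountpoints, run_entries):
    """Emit CFScript text: File:: for autorun targets still present, Registry:: deletions."""
    files = []
    for verbs in mountpoints.values():
        for target in verbs.values():
            if ABS_RE.match(target) and target.lower() not in deleted and target not in files:
                files.append(target)
    lines = ["File::"] + files + ["", "Registry::"]
    lines += ["[-%s]" % key for key in mountpoints]              # [-key] deletes the key
    for key, values in run_entries.items():
        orphans = [name for name, path in values.items() if path.lower() in deleted]
        if orphans:
            lines.append("[%s]" % key)
            lines += ['"%s"=-' % name for name in orphans]       # "name"=- deletes the value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(*parse_log(SAMPLE_LOG)))
    print("targets without a drive letter:", unresolved_targets(parse_log(SAMPLE_LOG)[1]))
```

Targets listed without a drive letter (ntde1ect.com here) are reported separately because the log does not say which volume they live on, which is also why the helper's File:: list above names only the absolute paths.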
quintelab 91, posted July 29, 2008
ComboFix
ComboFix 08-07-27.5 - Bruno Quintella 2008-07-29 8:55:22.3 - NTFSx86 MINIMALMicrosoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.787 [GMT -4:00] Executando de: C:\Documents and Settings\Bruno Quintella\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Bruno Quintella\Desktop\CFScript.txt ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !! FILE :: C:\WINDOWS\system32\ckvo.exe . ((((((((((((((((((((((( Ficheiros criados de 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))) . 2008-07-28 14:08 . 2008-07-29 00:19 <DIR> d-------- C:\Arquivos de programas\DeMolay System 2008-07-25 00:00 . 2008-07-25 00:00 <DIR> d-------- C:\Documents and Settings\Bruno Quintella\Contacts 2008-07-24 23:59 . 2008-07-25 00:00 <DIR> d-------- C:\Arquivos de programas\Windows Live 2008-07-24 13:07 . 2008-07-24 23:59 <DIR> d--hsc--- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller 2008-07-24 13:06 . 2008-07-24 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller 2008-07-24 13:06 . 2008-07-24 13:09 <DIR> d-------- C:\Arquivos de programas\Valve 2008-07-24 10:53 . 2005-11-28 12:56 143,360 --a------ C:\WINDOWS\system32\igfxres.dll 2008-07-24 10:45 . 2004-08-03 21:31 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime 2008-07-24 10:44 . 2001-10-28 11:06 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll 2008-07-24 10:43 . 2001-10-28 11:06 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll 2008-07-24 10:42 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest 2008-07-24 10:40 . 
2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest 2008-07-24 10:40 . 2008-07-24 10:40 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest 2008-07-24 10:39 . 2001-10-28 11:06 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe 2008-07-24 10:36 . 2001-10-28 11:06 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe 2008-07-24 05:54 . 2008-07-28 08:49 1,063,403,520 --a------ C:\WINDOWS\MEMORY.DMP 2008-07-23 16:24 . 2008-07-23 16:24 <DIR> d-------- C:\Arquivos de programas\Trend Micro 2008-07-23 11:49 . 2008-07-28 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy 2008-07-23 11:49 . 2008-07-28 08:38 <DIR> d-------- C:\Arquivos de programas\Spybot - Search & Destroy 2008-07-18 08:04 . 2008-07-18 08:04 <DIR> d-------- C:\WINDOWS\system32\WinNTDlls 2008-07-18 08:04 . 2008-07-18 08:04 <DIR> d-------- C:\WINDOWS\system32\Win98Dlls 2008-07-18 08:04 . 2008-07-18 08:24 <DIR> d-------- C:\Arquivos de programas\Microsoft Press Training Kit Exam Prep 2008-07-15 14:54 . 2008-07-15 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avg8 2008-07-11 16:56 . 2008-07-11 16:56 <DIR> d-------- C:\Arquivos de programas\Google 2008-07-10 11:18 . 2006-12-11 09:44 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll 2008-07-10 11:18 . 2006-12-11 09:44 116,736 --a------ C:\WINDOWS\system32\aaclient.dll 2008-07-10 11:18 . 2006-12-11 09:44 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll 2008-07-10 08:02 . 2008-07-10 08:02 2,923 --a------ C:\WINDOWS\RBuilder.ini 2008-07-09 17:13 . 2003-10-16 19:11 867,328 --a------ C:\WINDOWS\system\IBOLE.dll 2008-07-08 21:57 . 2008-07-08 21:59 <DIR> d-------- C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\GetRightToGo 2008-07-08 14:21 . 2008-07-08 14:21 <DIR> d-------- C:\Arquivos de programas\Lavalys 2008-07-07 08:42 . 
2008-07-07 08:42 <DIR> d-------- C:\WINDOWS\SchCache . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-29 12:53 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin 2008-07-29 12:51 --------- d-----w C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\Skype 2008-07-28 18:08 --------- d-----w C:\Arquivos de programas\HK-Software 2008-07-24 15:28 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Symantec 2008-07-24 15:28 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared 2008-07-24 15:27 --------- d-----w C:\Arquivos de programas\Symantec 2008-07-23 16:08 --------- d-----w C:\Arquivos de programas\PowerISO 2008-07-23 13:07 --------- d-----w C:\Arquivos de programas\Launch Manager 2008-07-18 19:02 --------- d-----w C:\Arquivos de programas\eMule 2008-07-14 21:26 69 ------w C:\Script.bat 2008-07-11 17:55 --------- d-----w C:\Arquivos de programas\GbPlugin 2008-07-08 20:03 --------- d-----w C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\skypePM 2008-06-28 20:24 --------- d-----w C:\Arquivos de programas\PKR 2008-06-16 21:43 --------- d-----w C:\Arquivos de programas\TortoiseCVS 2008-06-16 21:35 --------- d-----w C:\Arquivos de programas\FirebirdClient 2.0 2008-06-16 21:02 --------- d-----w C:\Arquivos de programas\GExperts for Delphi 7 2008-06-16 21:00 --------- d-----w C:\Arquivos de programas\Indy 9 for Delphi 6 2008-06-16 20:55 --------- d-----w C:\Arquivos de programas\Steema Software 2008-06-16 20:52 --------- d-----w C:\Documents and Settings\Bruno Quintella\Dados de aplicativos\HK-Software 2008-06-16 20:52 --------- d-----w C:\Arquivos de programas\Woll2Woll 2008-06-16 20:49 --------- d-----w C:\Arquivos de programas\Firebird 2008-06-16 20:41 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Borland Shared 2008-06-16 20:34 --------- d-----w C:\Arquivos de programas\Borland 
2008-06-16 03:04 --------- d-----w C:\Arquivos de programas\Arquivos comuns\DVDVideoSoft 2008-06-16 03:03 --------- d-----w C:\Arquivos de programas\DVDVideoSoft 2008-02-09 01:16 32 ----a-w C:\Documents and Settings\All Users\Dados de aplicativos\ezsid.dat . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Nota* entradas vazias & legítimas por defeito não são mostradas. [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45 15360] "MsnMsgr"="C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 12:07 761946] "AzMixerSel"="C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 16:51 53248] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 12:55 98304] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 12:52 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 12:55 118784] "RTHDCPL"="RTHDCPL.EXE" [2006-01-11 14:23 15961088 C:\WINDOWS\RTHDCPL.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360] C:\Documents and Settings\Bruno Quintella\Menu Iniciar\Programas\Inicializar\ Atalho para Script.lnk - C:\Script.bat [2008-06-16 16:25:11 69] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableCAD"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= "C:\ARQUIV~1\GBPLUGIN\gbieh.dll" [2008-04-15 09:37 378696] "{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "C:\Arquivos de programas\GbPlugin\gbiehcef.dll" [2008-06-11 14:47 366672] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ 
GbPluginBb] 2008-04-15 09:37 378696 C:\ARQUIV~1\GbPlugin\gbieh.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef] 2008-06-11 14:47 366672 C:\Arquivos de programas\GbPlugin\gbiehcef.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk] backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk] backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayHabil HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] --a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] --a------ 2007-01-01 18:54 3735552 C:\Arquivos de programas\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd] --a------ 2005-11-28 12:52 77824 C:\WINDOWS\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers] --a------ 2005-11-28 12:55 118784 C:\WINDOWS\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray] --a------ 2005-11-28 12:55 98304 C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager] --a------ 2006-01-09 17:23 589824 C:\ARQUIV~1\LAUNCH~1\LManager.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] --a------ 2007-01-20 03:09 200704 C:\Arquivos de programas\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] -ra------ 2008-05-30 15:54 21718312 C:\Arquivos de programas\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 00:11 132496 C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2008-01-15 18:54 37376 C:\Arquivos de programas\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] --a------ 2006-01-11 14:23 15961088 C:\WINDOWS\RTHDCPL.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Bonjour Service"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "usnjsvc"=3 (0x3) "idsvc"=3 (0x3) "GbpSv"=2 (0x2) "FLEXnet Licensing Service"=3 (0x3) "ose"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Arquivos de programas\\Valve\\hl.exe"= "C:\\Arquivos de programas\\LeapFTP\\LeapFTP.exe"= "C:\\Arquivos de programas\\eMule\\emule.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"= "C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "80:TCP"= 80:TCP:Web "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe 
[2007-03-02 14:05] S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe [2007-03-02 14:05] S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2007-03-23 20:13] S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Arquivos de programas\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 07:58] *Newly Created Service* - MDMXSDK . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-29 08:59:43 Windows 5.1.2600 Service Pack 2 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros ocultos ... Varredura completada com sucesso Ficheiros ocultos: 0 ************************************************************************** . 
Tempo para conclusão: 2008-07-29 9:03:35 ComboFix-quarantined-files.txt 2008-07-29 13:03:15 ComboFix2.txt 2008-07-28 13:10:44 ComboFix3.txt 2008-07-28 03:03:57 Pre-Run: 7 pasta(s) 45,544,222,720 bytes disponíveis Post-Run: 10 pasta(s) 45,532,327,936 bytes disponíveis 180 --- E O F --- 2008-06-21 21:00:59 hijackthis.log Logfile of Trend Micro HijackThis v2.0.2Scan saved at 09:05:47, on 29/07/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\userinit.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe C:\DOCUME~1\BRUNOQ~1\CONFIG~1\Temp\RtkBtMnt.exe C:\WINDOWS\system32\userinit.exe C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://d/ R1 - 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Atalho para Script.lnk = C:\Script.bat O8 - Extra context menu item: E&xportar para o Microsoft 
Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://atrativa.terra.com.br/games/applets...mjolauncher.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\Software\..\Telephony: DomainName = DURAII.local O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136 O17 - 
HKLM\System\CCS\Services\Tcpip\..\{B26DE35F-7594-4CB8-A3E2-C129CE635825}: NameServer = 10.1.1.1,200.140.114.136 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\System\CS1\Services\Tcpip\..\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DURAII.local O17 - HKLM\System\CS2\Services\Tcpip\..\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe -- End of file - 6874 bytes Abraços... Compartilhar este post Link para o post Compartilhar em outros sites
DigRam 144 Posted July 29, 2008

Good evening! quintelab

<!> The computer no longer shows the "pendrive" infection, but... there is a chance that these IPs are not legitimate!

<!> I found no reference to them at @ABUSAR.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DURAII.local
O17 - HKLM\Software\..\Telephony: DomainName = DURAII.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136
O17 - HKLM\System\CCS\Services\Tcpip\..\{B26DE35F-7594-4CB8-A3E2-C129CE635825}: NameServer = 10.1.1.1,200.140.114.136
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DURAII.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DURAII.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3FC654B6-D789-4716-A8F8-4F32AA2D2DF7}: NameServer = 10.1.1.1,200.140.114.136

<!> Are you aware of how these DNS servers and this domain were set up?

Regards!
quintelab 91 Posted July 29, 2008

Yes, DigRam, the domain belongs to the company where I work. I believe the topic is resolved, then!! Thanks to DigRam and Silas for the help.

Cheers...
DigRam 144 Posted July 29, 2008

PROBLEM SOLVED!

If the author needs the topic to be reopened, send a private message to a moderator with a link to the topic.