
Archived

This topic has been archived and is closed to further replies.

immonem

[Archived] Log analysis - Laptop


I would like help cleaning my laptop; here is the HijackThis log

 

Logfile of HijackThis v1.99.1

Scan saved at 07:32:50, on 27/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

C:\Acer\Empowering Technology\admServ.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Acer\Acer Arcade\PCMService.exe

C:\Program Files\Launch Manager\LaunchAp.exe

C:\Program Files\Launch Manager\PowerKey.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Launch Manager\HotkeyApp.exe

C:\Program Files\Launch Manager\OSDCtrl.exe

C:\Program Files\Launch Manager\Wbutton.exe

C:\acer\Empowering Technology\ePower\epm-dm.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe

C:\WINDOWS\system32\svchost.exe

C:\Acer\Empowering Technology\admtray.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Ardamax Keylogger Lite\akl.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\wt\updater\wcmdmgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\BrOffice.org 2.0\program\soffice.exe

C:\Program Files\BrOffice.org 2.0\program\soffice.BIN

C:\VIRUS\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CrsHO Class - {5843A29E-1246-11D4-BA8C-0050DA707ACD} - C:\WINDOWS\system32\crs32.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\PROGRA~1\GBPLUGIN\gbieh.dll

O3 - Toolbar: Acer eDataSecurity Management - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\system32\ToolBand.dll

O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"

O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"

O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"

O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"

O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"

O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"

O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"

O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe

O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot

O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - Startup: BrOffice.org 2.0.lnk = C:\Program Files\BrOffice.org 2.0\program\quickstart.exe

O4 - Startup: HP JetSpeed Autostart.lnk = C:\Program Files\jetspeed\AUTOSTAR.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212670022000

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll

O20 - Winlogon Notify: GbPluginBb - C:\PROGRA~1\GBPLUGIN\gbieh.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" -r (file missing)

O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe


Good morning! immonem

 

<@> Download ComboFix.exe.

<@> Save it to the Desktop!

<@> Disable the resident protection of your antivirus, antispyware and firewall. (Except the Windows one!)

<@> Close all windows and run the tool!

 

If you get the notification "Invalid Win32 application", delete the tool and download it again.

Save it to the desktop, renamed as: Kombo.exe

PS: Rename it while saving, not after it has been saved!

PS: If any error message appears, run ComboFix.exe in Safe Mode.

<@> The Auto Scan window will open. Wait!

<@> Type the option to continue! >> Enter

<@> Wait for it to finish!

<@> During the scan, avoid touching the mouse or keyboard!

<@> To stop or exit ComboFix, press "N".

----------------------

<@> Post the reports: C:\ComboFix.txt + updated HJT log.

 

Cheers!


So, I downloaded ComboFix and installed it after a struggle, set it to run, it starts, the PC restarts and a Windows window appears saying:

THE SYSTEM HAS RECOVERED A SERIOUS ERRO

A LOG OF THIS ERROR HAS BEEN CREATED...

and no log is created...

So, I downloaded ComboFix and installed it after a struggle, set it to run, it starts, the PC restarts and a Windows window appears saying:

THE SYSTEM HAS RECOVERED A SERIOUS ERRO

A LOG OF THIS ERROR HAS BEEN CREATED...

and no log is created...

-----------------------

Hey! immonem

 

<!> Run ComboFix in Safe Mode and post the report. (ComboFix.txt)

 

Cheers!

In Safe Mode I got the following:

 

ComboFix 08-08-26.02 - Immonem Barros 2008-08-27 10:05:50.2 - FAT32x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.360 [GMT -3:00]

Running from: C:\VIRUS\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Immonem Barros\Application Data\macromedia\Flash Player\#SharedObjects\WXV2RPS2\bin.clearspring.com

C:\Documents and Settings\Immonem Barros\Application Data\macromedia\Flash Player\#SharedObjects\WXV2RPS2\bin.clearspring.com\clearspring.sol

C:\Documents and Settings\Immonem Barros\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com

C:\Documents and Settings\Immonem Barros\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol

C:\Documents and Settings\Immonem Barros\Cookies\immonem barros@acesso.uol.com[3].txt

C:\Documents and Settings\Immonem Barros\Cookies\immonem barros@adclient-uol.lp.uol.com[2].txt

C:\Documents and Settings\Immonem Barros\Cookies\immonem barros@uol.com[5].txt

C:\WINDOWS\Temp\log.txt

 

.

((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))

.

 

2008-08-27 09:55 . 2008-08-27 09:55 <DIR> d--hs---- C:\FOUND.016

2008-08-27 09:13 . 2008-08-27 09:13 <DIR> d--hs---- C:\FOUND.015

2008-08-21 14:58 . 2008-08-21 14:58 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2008-08-20 14:23 . 2008-08-20 14:23 <DIR> d---s---- C:\Documents and Settings\Immonem Barros\UserData

2008-08-20 09:01 . 2008-08-20 09:01 <DIR> d-------- C:\Documents and Settings\Immonem Barros\Application Data\Malwarebytes

2008-08-20 09:01 . 2008-08-20 09:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-08-20 09:01 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-20 09:01 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-20 09:00 . 2008-08-20 09:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-08-20 08:59 . 2008-06-03 01:15 167,936 --a------ C:\Program Files\AutoPlayConfig.exe

2008-08-20 08:59 . 2008-08-18 07:04 132,597 --a------ C:\Program Files\Flash_Disinfector.exe

2008-08-16 08:56 . 2008-08-16 08:56 <DIR> d-------- C:\VIRUS

2008-08-14 06:25 . 2008-08-14 06:26 0 --a------ C:\WINDOWS\nsreg.dat

2008-08-10 18:29 . 2008-08-10 18:29 <DIR> d-------- C:\Program Files\Monitor Calibration Wizard

2008-08-10 18:29 . 2008-08-10 18:29 7 --a------ C:\WINDOWS\INI2=No

2008-08-10 18:29 . 2008-08-10 18:29 7 --a------ C:\WINDOWS\INI1=No

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-27 13:02 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2008-08-27 13:02 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

2008-08-27 13:02 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-08-27 13:02 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-08-14 07:52 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat

2008-07-29 14:49 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat

2008-07-11 23:23 88 --sh--r C:\Documents and Settings\All Users\Application Data\4BB46ED19F.sys

2008-07-11 23:23 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys

2008-07-10 16:49 --------- d-----w C:\Documents and Settings\Immonem Barros\Application Data\Corel

2008-06-08 12:45 79,872 ----a-w C:\WINDOWS\jetspeed.scr

2008-06-08 12:45 39,424 ----a-w C:\WINDOWS\rmhpjs.exe

2005-01-14 08:07 40,960 ----a-w C:\Program Files\FPacfrmt.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-08-24 12:50 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-08-24 12:47 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-08-24 12:51 114688]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 11:12 102490]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 11:11 708698]

"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 19:59 147456]

"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]

"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [2002-08-30 15:02 94208]

"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2005-11-08 10:45 69632]

"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]

"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45 241664]

"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2005-11-08 10:19 81920]

"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 19:09 212992]

"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 11:04 3084288]

"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-07-26 11:36 69632]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [2003-11-12 13:23 344064]

"wcmdmgr"="C:\WINDOWS\wt\updater\wcmdmgrl.exe" [2001-01-25 18:00 20480]

"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

 

C:\Documents and Settings\Immonem Barros\Start Menu\Programs\Startup\

BrOffice.org 2.0.lnk - C:\Program Files\BrOffice.org 2.0\program\quickstart.exe [2006-01-10 01:26:54 61440]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= "C:\PROGRA~1\GBPLUGIN\gbieh.dll" [2008-04-15 09:37 378696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2008-04-15 09:37 378696 C:\PROGRA~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=

"C:\\Program Files\\eMule\\emule.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=

"C:\\Sierra\\Counter-strike1.6\\hl.exe"=

 

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]

R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]

R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]

R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]

R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]

R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

R3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]

S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a58ae-dd7d-11da-8ec3-0014a470145a}]

\Shell\Auto\command - msnmsgr_plus.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msnmsgr_plus.exe

.

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.google.com.br/

R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore

R1 -: HKCU-Internet Settings,ProxyOverride = *.local

O8 -: &Sample Toolband Serach - C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-27 10:12:10

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GbpSv]

"ImagePath"="C:\Program Files\GbPlugin\GbpSv.exe"

.

------------------------ Other Running Processes ------------------------

.

C:\ACER\EMPOWERING TECHNOLOGY\ADMSERV.EXE

C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE

C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\TV\CLCAPSVC.EXE

C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVER.EXE

C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVICE.EXE

C:\PROGRAM FILES\CYBERLINK\SHARED FILES\RICHVIDEO.EXE

C:\PROGRAM FILES\PHOTODEX\PROSHOWPRODUCER\SCSIACCESS.EXE

C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\TV\CLSCHED.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE

C:\Program Files\BrOffice.org 2.0\program\soffice.exe

C:\Program Files\BrOffice.org 2.0\program\soffice.BIN

.

**************************************************************************

.

Completion time: 2008-08-27 10:18:17 - machine was rebooted [immonem Barros]

ComboFix-quarantined-files.txt 2008-08-27 13:16:58

 

Pre-Run: 11,114,643,456 bytes free

Post-Run: 12,147,523,584 bytes free

 

164

 

___________________________________________________________________________

___________________________________________________________________________

 

Logfile of HijackThis v1.99.1

Scan saved at 10:19:48, on 27/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

C:\Acer\Empowering Technology\admServ.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Acer\Acer Arcade\PCMService.exe

C:\Program Files\Launch Manager\LaunchAp.exe

C:\Program Files\Launch Manager\PowerKey.exe

C:\Program Files\Launch Manager\HotkeyApp.exe

C:\Program Files\Launch Manager\OSDCtrl.exe

C:\Program Files\Launch Manager\Wbutton.exe

C:\acer\Empowering Technology\ePower\epm-dm.exe

C:\Acer\Empowering Technology\admtray.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Ardamax Keylogger Lite\akl.exe

C:\WINDOWS\wt\updater\wcmdmgr.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\BrOffice.org 2.0\program\soffice.exe

C:\Program Files\BrOffice.org 2.0\program\soffice.BIN

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\VIRUS\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\PROGRA~1\GBPLUGIN\gbieh.dll

O3 - Toolbar: Acer eDataSecurity Management - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\system32\ToolBand.dll

O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"

O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"

O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"

O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"

O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"

O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"

O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"

O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe

O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot

O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - Startup: BrOffice.org 2.0.lnk = C:\Program Files\BrOffice.org 2.0\program\quickstart.exe

O4 - Startup: HP JetSpeed Autostart.lnk = C:\Program Files\jetspeed\AUTOSTAR.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212670022000

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\PROGRA~1\GBPLUGIN\gbieh.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" -r (file missing)

O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe


Good afternoon! immonem

 

<!> Open the Registry Editor and navigate to the highlighted key:

 

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a58ae-dd7d-11da-8ec3-0014a470145a} <-- Delete!

 

<!> Once you find it, you can delete it!

---------------------

<@> Download: < PenClean >

<@> Save it to the Desktop!

<@> Plug your removable drive(s) into the USB port. (pendrive, mp3, mp4, iPods, etc...)

<@> Run the tool and select the option: Verificar o computador (Check the computer)

<@> Click the Verificar (Check) button and wait!

<@> If needed, accept the request to restart the computer.

<@> Click Yes!

<@> Post the PenClean report, which will be at: C:\PenClean\PenClean.txt + updated HJT.

 

Cheers!
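As an added example (not code from this thread, from HijackThis or from ComboFix), the following Python script applies the checks the helper is making by hand to the two log formats above: it flags the keystroke logger registered in the HKLM Run key of the HijackThis log and the Shell\AutoRun command under the MountPoints2 volume key in the ComboFix output. The sample lines are constructed from the logs posted in this thread.

```python
"""Flag suspicious autorun entries in HijackThis and ComboFix output.

Added example for this thread; not part of the forum posts, HijackThis or
ComboFix. The sample lines below are constructed from the logs posted above.
"""
import re
from dataclasses import dataclass

# Constructed sample: O4/O2/O23 lines taken from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ardamax Keylogger] C:\Program Files\Ardamax Keylogger Lite\akl.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
"""

# Constructed sample: the MountPoints2 block from the ComboFix log in this thread.
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a58ae-dd7d-11da-8ec3-0014a470145a}]
\Shell\Auto\command - msnmsgr_plus.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msnmsgr_plus.exe
.
"""

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
BHO_RE = re.compile(r'^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
MP2_KEY_RE = re.compile(r'^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$', re.IGNORECASE)
MP2_CMD_RE = re.compile(r'^\\Shell\\(\w+)\\command - (.*)$')


@dataclass
class Finding:
    severity: str   # "high" or "info"
    source: str     # the log line that triggered the finding
    reason: str


def image_path(cmd: str) -> str:
    """Extract the executable from an autorun command line.

    Handles both forms seen in the log: a quoted path followed by arguments,
    and an unquoted path (possibly containing spaces) ending in .exe.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ', 1)[0]


def check_hijackthis(text: str) -> list:
    """Scan the O4 Run entries and O2 BHO entries of a HijackThis log."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            exe = image_path(cmd)
            if 'keylog' in (name + exe).lower():
                findings.append(Finding('high', line,
                    f'keystroke logger "{name}" starts at every logon via the {hive} Run key'))
            elif '\\' not in exe:
                # Bare file name: resolved through the search path, so confirm which file runs.
                findings.append(Finding('info', line,
                    f'unqualified image name {exe!r} in the {hive} Run key'))
            continue
        m = BHO_RE.match(line)
        if m and m.group(3).strip() == '(no file)':
            findings.append(Finding('info', line,
                f'orphaned BHO {m.group(2)}: registered but its DLL is missing'))
    return findings


def check_mountpoints2(text: str) -> list:
    """Scan ComboFix output for MountPoints2 volume keys carrying Shell\\<verb>\\command values.

    Such a value makes Explorer run a program when the removable volume with that
    GUID is opened, which is how the msnmsgr_plus.exe entry in this thread persists.
    """
    findings = []
    guid = None
    for line in text.splitlines():
        m = MP2_KEY_RE.match(line)
        if m:
            guid = m.group(1)
            continue
        if line.startswith('['):
            guid = None               # a different registry key block begins
            continue
        m = MP2_CMD_RE.match(line)
        if m and guid:
            verb, cmd = m.groups()
            target = cmd.split()[-1]  # rundll32 ShellExec_RunDLL <file>: the file comes last
            relative = '\\' not in target
            findings.append(Finding('high' if relative else 'info', line,
                f'MountPoints2 {verb} command on volume {guid} launches {target}'
                + (' (relative name, i.e. a file on the removable volume)' if relative else '')))
    return findings


def analyze(hjt_text: str, combofix_text: str) -> list:
    """Run both checks and return the findings, high severity first."""
    findings = check_hijackthis(hjt_text) + check_mountpoints2(combofix_text)
    return sorted(findings, key=lambda f: f.severity != 'high')


if __name__ == '__main__':
    for f in analyze(SAMPLE_HJT, SAMPLE_COMBOFIX):
        print(f'[{f.severity:4}] {f.reason}\n       {f.source}')
```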


<!> Open the Registry Editor and navigate to the highlighted key:

 

how do I open the Registry Editor?

 

---------------------

<@> Download: < PenClean >

 

the link doesn't open...

 

ok, I managed:

Through the Start menu:

Click the START button and select RUN;

In the Open field, type REGEDIT;

but I can't find the key... HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a58ae-dd7d-11da-8ec3-0014a470145a}

I managed to download PenClean...


Good afternoon! immonem

 

I managed to download PenClean...

<!> Great!

-----------------------

<@> Select and copy the content between the XXXXX lines into Notepad.

<@> Save it to the Desktop with the name: CFScript.txt

 

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a58ae-dd7d-11da-8ec3-0014a470145a}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 

<@> Restart the computer in Safe Mode.

<@> Drag CFScript.txt onto the ComboFix icon/window.

<@> Accept the prompt that should appear to run ComboFix.

<@> Ps: Keep dragging until that prompt ( window ) appears!

<@> When it finishes, post the reports: C:\ComboFix.txt + the PenClean report.



Regards!


ok, here are the logs:

 

ComboFix 08-08-26.02 - Immonem Barros 2008-08-27 17:48:47.3 - FAT32x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.362 [GMT -3:00]

Running from: C:\VIRUS\ComboFix.exe

Command switches used :: C:\Documents and Settings\Immonem Barros\Desktop\cfscript.lnk

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))

.

 

2008-08-27 09:55 . 2008-08-27 09:55 <DIR> d--hs---- C:\FOUND.016

2008-08-27 09:13 . 2008-08-27 09:13 <DIR> d--hs---- C:\FOUND.015

2008-08-21 14:58 . 2008-08-21 14:58 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2008-08-20 14:23 . 2008-08-20 14:23 <DIR> d---s---- C:\Documents and Settings\Immonem Barros\UserData

2008-08-20 09:01 . 2008-08-20 09:01 <DIR> d-------- C:\Documents and Settings\Immonem Barros\Application Data\Malwarebytes

2008-08-20 09:01 . 2008-08-20 09:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-08-20 09:01 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-20 09:01 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-08-20 09:00 . 2008-08-20 09:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-08-20 08:59 . 2008-06-03 01:15 167,936 --a------ C:\Program Files\AutoPlayConfig.exe

2008-08-20 08:59 . 2008-08-18 07:04 132,597 --a------ C:\Program Files\Flash_Disinfector.exe

2008-08-16 08:56 . 2008-08-16 08:56 <DIR> d-------- C:\VIRUS

2008-08-14 06:25 . 2008-08-14 06:26 0 --a------ C:\WINDOWS\nsreg.dat

2008-08-10 18:29 . 2008-08-10 18:29 <DIR> d-------- C:\Program Files\Monitor Calibration Wizard

2008-08-10 18:29 . 2008-08-10 18:29 7 --a------ C:\WINDOWS\INI2=No

2008-08-10 18:29 . 2008-08-10 18:29 7 --a------ C:\WINDOWS\INI1=No

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-27 20:40 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2008-08-27 20:40 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat

2008-08-27 20:40 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2008-08-27 20:40 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat

2008-08-14 07:52 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat

2008-07-29 14:49 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat

2008-07-11 23:23 88 --sh--r C:\Documents and Settings\All Users\Application Data\4BB46ED19F.sys

2008-07-11 23:23 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys

2008-07-10 16:49 --------- d-----w C:\Documents and Settings\Immonem Barros\Application Data\Corel

2008-06-08 12:45 79,872 ----a-w C:\WINDOWS\jetspeed.scr

2008-06-08 12:45 39,424 ----a-w C:\WINDOWS\rmhpjs.exe

2005-01-14 08:07 40,960 ----a-w C:\Program Files\FPacfrmt.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-08-24 12:50 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-08-24 12:47 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-08-24 12:51 114688]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 11:12 102490]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 11:11 708698]

"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 19:59 147456]

"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]

"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [2002-08-30 15:02 94208]

"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2005-11-08 10:45 69632]

"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]

"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45 241664]

"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2005-11-08 10:19 81920]

"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 19:09 212992]

"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 11:04 3084288]

"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-07-26 11:36 69632]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [2003-11-12 13:23 344064]

"wcmdmgr"="C:\WINDOWS\wt\updater\wcmdmgrl.exe" [2001-01-25 18:00 20480]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

 

C:\Documents and Settings\Immonem Barros\Start Menu\Programs\Startup\

BrOffice.org 2.0.lnk - C:\Program Files\BrOffice.org 2.0\program\quickstart.exe [2006-01-10 01:26:54 61440]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= "C:\PROGRA~1\GBPLUGIN\gbieh.dll" [2008-04-15 09:37 378696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2008-04-15 09:37 378696 C:\PROGRA~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=

"C:\\Program Files\\eMule\\emule.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=

"C:\\Sierra\\Counter-strike1.6\\hl.exe"=

 

S0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]

S1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]

S1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]

S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

S2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]

S2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]

S2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]

S2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]

S3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]

S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

S3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a58ae-dd7d-11da-8ec3-0014a470145a}]

\Shell\Auto\command - msnmsgr_plus.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msnmsgr_plus.exe

 

*Newly Created Service* - CATCHME

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-27 17:51:08

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-08-27 17:51:44

ComboFix-quarantined-files.txt 2008-08-27 20:51:42

ComboFix2.txt 2008-08-27 13:18:26

 

Pre-Run: 12,802,457,600 bytes free

Post-Run: 12,786,008,064 bytes free

 

128

 

 

_____________________________________________________________________

_____________________________________________________________________

 

Iniciando relatório do PenClean 2.0.3

Por Renato Victor Mejias

renatomejias@yahoo.com.br

27/8/2008 17:52:27

-----------------------------------------------------------

Arquivos e chaves excluídos do computador:

 

Malware não detectado no computador!

 

-----------------------------------------------------------

Fim da análise no computador.

 

-----------------------------------------------------------

Arquivos e chaves excluídos do computador:

 

Malware não detectado no computador!

 

-----------------------------------------------------------

Fim da análise no computador.

 

-----------------------------------------------------------

Arquivos e chaves excluídos do computador:

 

Malware não detectado no computador!

 

-----------------------------------------------------------

Fim da análise no computador.

 

-----------------------------------------------------------

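An added example (mine, not code from the post or from ComboFix): a small Python triage helper that parses the "Reg Loading Points" section of a ComboFix-style log like the one above and lists first the MountPoints2 autorun handlers, then the Run entries a responder would want explained. The sample log text, the watch list and the function names are constructed for this example.

```python
import re

# Constructed excerpt mirroring the "Reg Loading Points" section of the
# ComboFix log in the thread (same line formats, a subset of the entries).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-08-24 12:50 94208]
"Ardamax Keylogger"="C:\Program Files\Ardamax Keylogger Lite\akl.exe" [2003-11-12 13:23 344064]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a58ae-dd7d-11da-8ec3-0014a470145a}]
\Shell\Auto\command - msnmsgr_plus.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msnmsgr_plus.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                 # [HKEY_...]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')  # "name"="path" [...]
MP_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")
# Constructed watch list: substrings that should never sit in a Run key unnoticed.
WATCH_WORDS = ("keylog", "msnmsgr_plus")

def parse_loading_points(text):
    """Return (run_entries, handlers): [(key, name, path)] for CurrentVersion Run
    keys and [(volume_guid, verb, command)] for MountPoints2 subkeys."""
    run_entries, handlers, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:                      # a new [key] header starts a block
            current = m.group("key")
            continue
        if current is None or not line:
            continue
        m = RUN_RE.match(line)
        if m and current.lower().endswith(r"\currentversion\run"):
            run_entries.append((current, m.group("name"), m.group("path")))
            continue
        m = MP_RE.match(line)
        if m and "mountpoints2" in current.lower():
            volume_guid = current.rsplit("\\", 1)[-1]
            handlers.append((volume_guid, m.group("verb"), m.group("cmd")))
    return run_entries, handlers

def triage(text):
    """Return findings a responder should look at first, most urgent first."""
    run_entries, handlers = parse_loading_points(text)
    findings = []
    # MountPoints2 caches a volume's autorun.inf verbs and Explorer runs the cached
    # command when that volume is opened, so every Shell\*\command here is an autorun
    # handler worth explaining (the thread's one names an .exe from the pendrive).
    for volume_guid, verb, cmd in handlers:
        findings.append(f"MountPoints2 {volume_guid}: {verb} -> {cmd}")
    for _key, name, path in run_entries:
        if any(w in f"{name} {path}".lower() for w in WATCH_WORDS):
            findings.append(f"Run entry '{name}' matches watch list: {path}")
        elif "\\" not in path:
            # A bare file name is resolved through the search path at logon.
            findings.append(f"Run entry '{name}' is a bare file name: {path}")
    return findings
```

Running `triage(SAMPLE_LOG)` yields four findings: the two MountPoints2 handlers, the Ardamax Run entry, and the bare SOUNDMAN.EXE entry to be confirmed against the path ComboFix shows in brackets.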

Good morning! immonem



Command switches used :: C:\Documents and Settings\Immonem Barros\Desktop\cfscript.lnk

<!> The CFScript should have been saved with the .txt extension

-----------------------

<@> Go to Start --> Run --> Type: combofix.exe /u --> Click: OK

<@> The following window will open: ( Open File - Security Warning )

<@> Click Run --> Wait!

<@> Finally, the message will appear: ComboFix uninstalled!

<@> If you find them, delete: C:\ComboFix <-- The folder! + C:\ComboFix.txt <-- Report!

-----------------------

<@> Run an online scan at: < Kaspersky >



<!> Go to the site and click: < kasperdx9.jpg >



<@> On the next page, click: I Accept

<@> This is so that the ActiveX control gets installed and then the database is updated.

<@> On the next page, click: My Computer and run the scan.

<@> Be patient!

<@> Wait for the database update and also for the scan, which takes a while.

<@> When it finishes, save and post the report.



Regards!


good morning DigRam

regarding COMBOFIX it didn't go quite like that, but I uninstalled it.

I disabled KASPERSKY and opened the link; it started installing and the message appears:

STARTING JAVA APPLET HAS FAILED! PLEASE GO ONLINE TO THE USE THIS PROGRAM.

I tried several times and always the same message; I have been updating KASPERSKY regularly but I'm not trusting it much...


Good afternoon! immonem



<!> Go to Start --> Run --> Type: notepad



<!> Copy (Ctrl + C) --> Paste (Ctrl + V) the text between the XXXXXX into Notepad.

 

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

REGEDIT4

 

[HKEY_CLASSES_ROOT\lnkfile]

"NeverShowExt"=""

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 

<!> Go to File --> Save as..., and in the "Save as type" option choose: "All files"

<!> Name it: Fixlink.reg

<!> Save the file to the Desktop!

<!> Run it with a double click and accept the merge into the registry.

<!> Restart the computer!

------------------------

<@> Download: < drweb.gif >



< ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe >



<@> Save it to the Desktop!

<@> Run the file: drweb-cureit.exe

<@> Click Start and choose the express scan.

<@> If any infected file is found, click the yes button to start the cure.

<@> When the quick scan finishes, click Options --> Change Settings.

<@> On the Scan tab, uncheck Heuristic Analysis and confirm!

<@> Back in the main window, check the drives you want to scan.

<@> Select all! A red dot will indicate the selected drives.

<@> Click the green arrow to start the scan.

 

drwebho6.jpg

 

<@> If prompted to cure/move the file, click Yes to all.

<@> When the scan finishes, check whether the "objects found" icon < check.gif > is enabled.

<@> If it is, click it!

<@> Next, click the icon just below and select: Move incurable

 

move.gif

 

<@> If the program cannot cure them, it will move them to the Quarantine folder in the DoctorWeb directory.

<@> Having done that, go to the top menu and click the option Files --> Save file lists.

<@> Save the list to the desktop. ( DrWeb.csv ) <-- Report to be posted!

<@> Close the program!

<@> Restart the computer so the program can finish deleting/moving the files that were in use.



Regards!


good morning DigRam

so, I started doing everything as you instructed; DRWEB did the quick scan and found the ardamax that I had installed myself; I checked drives C and D and clicked the green arrow; it started the full scan and after a few moments the PC restarted, showing again:

THE SYSTEM HAS RECOVERED A SERIOUS ERRO

A LOG OF THIS ERROR HAS BEEN CREATED...

I opened DRWEB again and started scanning, but decided to stop the scan and wait for your opinion.

by the way, I installed ONLY DRWEB on my PC and the same thing happened.

QUESTION: my HD is partitioned; can I format only drive C? would that be a solution?


Good morning! immonem



QUESTION: my HD is partitioned; can I format only drive C? would that be a solution?

<!> Yes! You can format the C partition, since we are getting many bugs/errors when running programs.



Regards!

ok, could you help me with that process then?

is there a risk that drive D is infected?

-----------------------

Hi there! immonem

Good morning!



<!> Seek the help of a technician for the formatting.

-----------------------

<!> Drive D may be infected. I recommend an online scan at BitDefender to check this.

<!> If that does not succeed, format partition D as well.

-----------------------

<@> Run a disinfection scan at < BitDefender > and post the report.

<@> The page will open: < BitDefender OnLine Scanner >



<@> Click: < agree2.gif >



<@> Wait!

<@> Allow the ActiveX to install so that the scan can run.



<!> Read the Tutorial: < Link >



<@> When it finishes, post: C:\Windows\BDOSCAN8\bdoscan.log <-- Report!



Regards!


well, no online scan is possible:

Could not load the Online Scanner! Click here for other possible fixes.

I think it's better to format anyway; in any case, thanks for the help.

well, no online scan is possible:

Could not load the Online Scanner! Click here for other possible fixes.

I think it's better to format anyway; in any case, thanks for the help.

---------------------

Hi there! immonem



<!> Often, formatting is the best route to a faster solution.

<!> Besides these bugs, we have the opinion of fellow analysts recommending it for Backdoor Trojan infections.

---------------------

GOOD LUCK! :thumbsup:

DigRam


Archived Topic



Since the author did not reply for more than 30 days, the topic was archived.



If you are the author of the topic and want to reopen it, send a private message to a moderator of the area together with the link to this topic and explain the reason for reopening.
