[Resolvido!] Virtumonde

[AndGoe 0]

Boa noite.

Por Favor, alguém pode me ajudar?

Fui infectado pelo Virtumonde.

Passo o SpyBot e ele encontra duas entradas e diz que eliminou, mas quando passo de novo continua encontrando.

Já passei o VundoFix que não encontrou nada.

Não consigo abrir pesquisas no Google nem este site do iMasters. (estou usando outra maquina).

Segue o Log do Hijackthis:

 

Logfile of HijackThis v1.99.1

Scan saved at 20:54:41, on 16/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Andre Goes\Meus documentos\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easynvest.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.dpf.gov.br:3128;http=proxy.dpf.gov.br:3128;https=proxy.dpf.gov.br:3128

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [a0767b93] rundll32.exe "C:\WINDOWS\system32\nbucqwnk.dll",b

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [bMa345480f] Rundll32.exe "C:\WINDOWS\system32\pjwtpedq.dll",s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDUCACIONAL.ANP.DPF

O17 - HKLM\Software\..\Telephony: DomainName = EDUCACIONAL.ANP.DPF

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDUCACIONAL.ANP.DPF

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = EDUCACIONAL.ANP.DPF

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: crzynl.dll

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

 

Agradeço desde já.

Obrigado

[PedroN 1]

Baixe o Combofix e salve no seu desktop.

 

Feche todas as janelas e programas

Dê um duplo-clique no combofix e tecle "1" em seguida enter para prosseguir com o fix. Vai durar uma média de 10 minutos (seja paciente). O combofix reiniciará o PC automaticamente para completar o processo de remoção.

 

Quando acabar, será gerado um log, que vai estar em C:\ComboFix.txt.

 

Atenção:

Não clique na Janela do ComboFix, nem o feche clicando no X, enquanto estiver rodando, pois senão irá parar e seu desktop ficará em branco.

 

Para parar ou sair do ComboFix, tecle "2" e Enter.

 

Depois gere um novo log com o HijackThis e poste, juntamente com o ComboFix.txt.

[AndGoe 0]

Obrigado pela atenção.

Segue o log do ComboFix:

 

ComboFix 08-09-16.03 - Andre Goes 2008-09-17 5:07:15.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.265 [GMT -3:00]

Executando de: C:\Documents and Settings\Andre Goes\Meus documentos\ComboFix.exe

* Criado um novo ponto de restauro

* Resident AV is active

 

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\BMa345480f.txt

C:\WINDOWS\BMa345480f.xml

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\cdwbojje.dll

C:\WINDOWS\system32\crzynl.dll

C:\WINDOWS\system32\fbwijgih.dll

C:\WINDOWS\system32\imvscudf.ini

C:\WINDOWS\system32\jbggof.dll

C:\WINDOWS\system32\jsgojylr.dll

C:\WINDOWS\system32\knwqcubn.ini

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\nbucqwnk.dll

C:\WINDOWS\system32\pjwtpedq.dll

C:\WINDOWS\system32\pksaswdy.dll

C:\WINDOWS\system32\qrBdLRqr.ini

C:\WINDOWS\system32\qrBdLRqr.ini2

C:\WINDOWS\system32\rlnrgkux.ini

C:\WINDOWS\system32\rlyjogsj.ini

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-08-17 to 2008-09-17 ))))))))))))))))))))))))))))))))

.

 

2008-09-16 20:23 . 2008-09-16 20:23 <DIR> d-------- C:\!KillBox

2008-09-16 20:23 . 2006-02-08 03:02 73,728 --a------ C:\KillBox.exe

2008-09-16 20:01 . 2008-09-16 20:01 154,624 --a------ C:\WINDOWS\system32\tlhgyqua.dll

2008-09-16 19:59 . 2008-09-16 20:02 354 ---hs---- C:\WINDOWS\system32\xtgkhmbp.ini

2008-09-16 19:34 . 2008-09-16 19:34 <DIR> d-------- C:\VundoFix Backups

2008-09-16 08:00 . 2008-08-01 19:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

2008-09-16 05:03 . 2008-09-16 05:03 95 --a------ C:\WINDOWS\wininit.ini

2008-09-15 05:49 . 2008-09-15 08:00 <DIR> d-------- C:\Documents and Settings\Andre Goes\Dados de aplicativos\MailFrontier

2008-09-15 05:46 . 2008-09-17 05:17 2,019,616 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-09-15 05:46 . 2008-09-17 05:12 33,296 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-09-15 05:41 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe

2008-09-15 05:40 . 2008-09-15 05:40 <DIR> d-------- C:\Arquivos de programas\Zone Labs

2008-09-15 05:40 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll

2008-09-15 05:40 . 2008-09-17 05:14 355,091 --a------ C:\WINDOWS\system32\vsconfig.xml

2008-09-14 19:56 . 2008-09-14 19:56 111,616 --a------ C:\WINDOWS\system32\hdsqrq.dll

2008-09-14 19:56 . 2008-09-14 19:56 111,616 --a------ C:\WINDOWS\system32\cfuqoahv.dll

2008-09-14 13:58 . 2008-09-14 13:58 111,616 --a------ C:\WINDOWS\system32\eytaqgku.dll

2008-09-14 13:58 . 2008-09-14 13:58 111,616 --a------ C:\WINDOWS\system32\cnofeg.dll

2008-09-14 13:49 . 2008-09-14 13:49 257,024 --a------ C:\WINDOWS\system32\rqRLdBrq.dll

2008-09-14 12:39 . 2008-09-16 12:07 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs

2008-09-12 23:40 . 2008-09-15 17:41 <DIR> d-------- C:\Documents and Settings\Andre Goes\Dados de aplicativos\uTorrent

2008-09-12 23:40 . 2008-09-12 23:40 <DIR> d-------- C:\Arquivos de programas\uTorrent

2008-09-11 08:33 . 2008-09-11 08:37 10,379 --a------ C:\WINDOWS\hpdj3840.his

2008-09-11 08:33 . 2008-09-11 08:37 1,980 --a------ C:\WINDOWS\hpdj3840.ini

2008-09-10 21:49 . 2008-09-15 20:13 <DIR> d-------- C:\Documents and Settings\Andre Goes\Dados de aplicativos\Audacity

2008-09-09 19:04 . 2001-08-17 21:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS

2008-09-09 19:04 . 2001-08-17 21:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

2008-09-06 11:21 . 2008-09-06 11:21 <DIR> d-------- C:\Arquivos de programas\XP Codec Pack

2008-09-06 11:21 . 2008-07-09 05:05 421,888 --a------ C:\WINDOWS\system32\ac3filter.acm

2008-09-06 09:59 . 2008-09-06 09:59 <DIR> d-------- C:\Arquivos de programas\GFX

2008-09-06 09:59 . 2008-09-06 09:59 24 --a------ C:\WINDOWS\wsd.ini

2008-09-06 09:54 . 2008-09-06 09:54 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

2008-09-06 09:20 . 2008-09-06 09:20 <DIR> d-------- C:\Arquivos de programas\EODTrader

2008-09-06 06:33 . 2008-09-06 06:37 <DIR> d-------- C:\Arquivos de programas\GrafixJava

2008-09-05 22:04 . 2008-09-05 22:04 <DIR> d-------- C:\Arquivos de programas\MSECache

2008-08-31 14:26 . 2008-09-11 18:55 <DIR> d-------- C:\Arquivos de programas\eMule

2008-08-31 13:22 . 2008-08-31 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-08-31 13:22 . 2008-08-31 13:28 <DIR> d-------- C:\Arquivos de programas\Spybot - Search & Destroy

2008-08-26 16:11 . 2008-08-26 16:11 987,136 --a------ C:\WINDOWS\system32\VSFilter.dll

2008-08-26 12:34 . 2008-09-05 07:06 <DIR> d-------- C:\Arquivos de programas\MetaTrader 4

 

.

((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-13 02:44 --------- d-----w C:\Documents and Settings\Andre Goes\Dados de aplicativos\Azureus

2008-09-07 13:46 --------- d-----w C:\Arquivos de programas\Winamp

2008-08-01 00:37 --------- d-----w C:\Documents and Settings\Andre Goes\Dados de aplicativos\TrueCrypt

2008-08-01 00:33 235,840 ----a-w C:\WINDOWS\system32\drivers\truecrypt.sys

2008-08-01 00:33 --------- d-----w C:\Arquivos de programas\TrueCrypt

2008-07-31 23:54 --------- d-----w C:\Arquivos de programas\Axon Data

2008-07-31 02:08 --------- d-----w C:\Arquivos de programas\TIM Web Banda Larga

2008-07-30 23:12 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Azureus

2008-07-28 21:01 --------- dcsh--w C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller

2008-07-28 21:01 --------- d-----w C:\Arquivos de programas\Windows Live

2008-07-28 20:48 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller

2008-07-25 01:13 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

2008-07-24 01:01 --------- d-----w C:\Arquivos de programas\Marcos Velasco Security

2008-07-17 00:12 --------- d-----w C:\Arquivos de programas\TIM Web Movel

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00F7EF89-CD94-42DD-989F-B17FA23383Ab}]

2008-09-16 20:01 154624 --a------ C:\WINDOWS\system32\tlhgyqua.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1EFDF130-CD94-42DD-989F-B17FA23383Ab}]

2008-09-16 20:01 154624 --a------ C:\WINDOWS\system32\tlhgyqua.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62EFE2DF-E555-475A-923A-5045FCFE769D}]

2008-09-14 13:49 257024 --a------ C:\WINDOWS\system32\rqRLdBrq.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 919016]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=crzynl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

"msacm.ac3filter"= ac3filter.acm

 

[HKLM\~\startupfolder\C:^Documents and Settings^Andre Goes^Menu Iniciar^Programas^Inicializar^Battery Doubler.lnk]

backup=C:\WINDOWS\pss\Battery Doubler.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2003-10-02 14:19 118784 C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2003-10-02 14:37 155648 C:\WINDOWS\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 11:34 5724184 C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 04:27 144784 C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2003-03-27 16:34 53248 C:\WINDOWS\SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

 

.

- - - - ORFAOS REMOVIDOS - - - -

 

BHO-{5a1c96d0-1528-400d-9678-5dad262a8250} - C:\WINDOWS\system32\crzynl.dll

BHO-{9E563692-6E8F-4DB6-BA56-42EF3BA3F84F} - (no file)

HKLM-Run-BMa345480f - C:\WINDOWS\system32\pjwtpedq.dll

ShellExecuteHooks-{9E563692-6E8F-4DB6-BA56-42EF3BA3F84F} - (no file)

Notify-ljJCrSJa - ljJCrSJa.dll

MSConfigStartUp-a0767b93 - C:\WINDOWS\system32\nbucqwnk.dll

MSConfigStartUp-BMa345480f - C:\WINDOWS\system32\pjwtpedq.dll

 

 

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Andre Goes\Dados de aplicativos\Mozilla\Firefox\Profiles\hff9ce4i.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.terra.com.br/capa/

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-17 05:15:02

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializ veis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

------------------------ Outros Processos em Execu‡Æo ------------------------

.

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe

C:\WINDOWS\system32\wdfmgr.exe

.

**************************************************************************

.

Tempo para conclusÆo: 2008-09-17 5:19:42 - Maquina reiniciou [Andre Goes]

ComboFix-quarantined-files.txt 2008-09-17 08:19:35

 

Pre-Run: 7,245,275,136 bytes disponíveis

Post-Run: 7,160,250,368 bytes dispon¡veis

 

174 --- E O F --- 2008-07-31 02:43:38

 

 

Agora do HijackThis:

 

Logfile of HijackThis v1.99.1

Scan saved at 05:23:52, on 17/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Andre Goes\Meus documentos\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easynvest.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.dpf.gov.br:3128;http=proxy.dpf.gov.br:3128;https=proxy.dpf.gov.br:3128

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [bMa345480f] Rundll32.exe "C:\WINDOWS\system32\jvoulmku.dll",s

O4 - HKLM\..\Run: [a0767b93] rundll32.exe "C:\WINDOWS\system32\rxwqlflo.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDUCACIONAL.ANP.DPF

O17 - HKLM\Software\..\Telephony: DomainName = EDUCACIONAL.ANP.DPF

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDUCACIONAL.ANP.DPF

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = EDUCACIONAL.ANP.DPF

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: crzynl.dll

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[PedroN 1]

Faça um scan on line na Kaspersky

 

Acesse o site, clique em .

 

Obs: O site só funciona com o Internet Explorer.

 

Aceite o download do Java, depois clique em Accept para permitir a instalação do controle activeX, e quando terminar, clique em Run para permitir a execução do ActiveX.

O site atualizará a base de dados.

Clique em Settings para configurar o scan. Marque todas as opções e clique em Save para salvar as configurações.

Clique no botão Scan e selecione My Computer

 

É demorado, portanto, seja paciente.

 

Quando terminar, clique em Save Report As... para salvar o log.

 

Salve o resultado como .txt, segundo a imagem abaixo:

 

[AndGoe 0]

Olá

Desculpe a demora: Segue o log do KasperSky:

 

Obrigado,

 

 

 

KASPERSKY ONLINE SCANNER 7 REPORT

Thursday, September 18, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Thursday, September 18, 2008 21:26:34

Records in database: 1248384

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

 

Scan statistics:

Files scanned: 30308

Threat name: 5

Infected objects: 7

Suspicious objects: 0

Duration of the scan: 01:00:10

 

 

File name / Threat name / Threats count

C:\WINDOWS\system32\tlhgyqua.dll/C:\WINDOWS\system32\tlhgyqua.dll Infected: Trojan.Win32.Agent.adyl 1

C:\QooBox\Quarantine\C\WINDOWS\system32\nbucqwnk.dll.vir Infected: Trojan.Win32.Monder.pgo 1

C:\QooBox\Quarantine\C\WINDOWS\system32\pjwtpedq.dll.vir Infected: Trojan.Win32.Monder.pgp 1

C:\QooBox\Quarantine\C\WINDOWS\system32\pksaswdy.dll.vir Infected: Trojan.Win32.Monder.pgp 1

C:\WINDOWS\system32\jvoulmku.dll Infected: Trojan.Win32.Monder.plc 1

C:\WINDOWS\system32\rxwqlflo.dll Infected: Trojan.Win32.Monder.pky 1

C:\WINDOWS\system32\tlhgyqua.dll Infected: Trojan.Win32.Agent.adyl 1

 

The selected area was scanned.

[PedroN 1]

Faça o download do Kill Box

 

- Copie as instruções para o bloco de notas ou imprima!

 

- Faça a descompactação do KillBox e reserve-o numa pasta ou em seu desktop;

 

- Execute a Ferramenta KillBox. Marque a opção Delete on Reboot. Copie toda a lista abaixo em negrito, selecionando-a e clicando com o botão direito do mouse -> copiar...

 

C:\WINDOWS\system32\tlhgyqua.dll

C:\WINDOWS\system32\jvoulmku.dll

C:\WINDOWS\system32\rxwqlflo.dll

C:\WINDOWS\system32\tlhgyqua.dll

 

...No KillBox, com os arquivos já copiados para área de transferência, clique em File -> Paste from clipboard... Clique no botão All Files, agora, no . ... e responda Não à pergunta.

 

Feito todo o procedimento e repita o scan com o kaspersky e na sua proxima resposta poste o log do hijackthis junto com o scan do kaspersky.

 

:)

[AndGoe 0]

Olá.

Não teve jeito.

Segui seus procedimentos, mas o killBox não aceitava colar esses

caminhos que você me falou. Eu seguia sua orientação, mas ele dizia

que eu não havia selecionado um arquivo para o procedimento. Tentei

várias vezes e nada.

Arranquei o HD e coloquei ele como escravo em outra máquina.

Passei o KasperSky Full (original). Ele encontrava os trojans mas não

conseguia eliminar. Então usei o FREE Avira e .... pow!

Arrancou tudo.

Esse Avira é porreta mesmo.

Agradeço muito sua dedicação e até a próxima.

 

Obrigado,

 

AndGoe

[PedroN 1]

PROBLEMA RESOLVIDO

[Mário Monteiro 179]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.