Túlio-RJ - Posted October 21, 2008

Dear all,

I would like your help. My son received a message on his MSN that read as follows: "look at the community I made for you www.orkutcommunityaspxcm45117.br30.com but don't be mad at me afterwards lol". Being online at work, I soon noticed that my home machine had been infected. I have already tried several ways, including ClearMSN: it shows the virus and I delete it, but when I turn the PC on again the virus is activated again, because when I send a message on MSN to friends the phrase quoted above appears. The virus that shows up is: "c:\windows\help2k\helpwin.exe ( Trojan.dowloader.36245 )".

Thank you in advance for your attention.

Regards, Everaldo.
Mário Monteiro - Posted October 21, 2008

As stated in the rules of this forum, post a log following this topic: Rule No. 02 - Using HijackThis.
Túlio-RJ - Posted October 21, 2008

Hello Mário,

Sorry, I forgot to post the log. It follows below. Thank you in advance for your attention.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:35, on 21/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmpe.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Vtune\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe
C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe
C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\bios.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
C:\WINDOWS\system32\jumpers.exe
C:\WINDOWS\systemq.exe
C:\WINDOWS\system32\kutdll.exe
C:\WINDOWS\system32\cscript.exe
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\bios.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jucheck.exe
C:\Hijack\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odia.com.br/
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O4 - HKLM\..\Run: [Gainward] C:\Arquivos de programas\Vtune\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe
O4 - HKLM\..\Run: [WatchDog] C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [au] C:\Arquivos de programas\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [bios] C:\WINDOWS\system32\bios.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [pluginiedw] C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
O4 - HKCU\..\Run: [iexplorer] C:\WINDOWS\system32\jumpers.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\systemq.exe
O4 - HKCU\..\Run: [iexplorerskut] C:\WINDOWS\system32\kutdll.exe
O4 - HKLM\..\Policies\Explorer\Run: [uSER-B2A31EA60F] .vbe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: bios.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\user\Dados de aplicativos\Dealio\kb124\res\DealioSearch.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6567EB37-AC23-4A19-BDDE-9FB90E24C01E}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\arquivos de programas\arquivos comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

--
End of file - 11451 bytes
PedroN - Posted October 22, 2008

Your computer is infected by a Banker trojan (they steal passwords). I suggest you do not access any bank site, MSN or Orkut until I say your computer is clean.

- Download: < ComboFix.exe >
- Save it to the Desktop!
- Disable the resident protections of your antivirus, antispyware and firewall. (Except the Windows one!)
- Close all windows and run the tool!
- At the prompt "Software warranty disclaimer" --> Click Yes!
-- If the notification "Invalid Win32 application" appears, delete the tool and download it again. -- Save it to the desktop, renamed as: Kombo.exe
-- PS: Name it while saving, not after saving it!
-- PS: If any error message appears, run ComboFix.exe in Safe Mode.
-- PS: Avoid running this tool on your own initiative! Follow all the recommendations given above.
- The Auto Scan window will open. --> Wait!
- If necessary, type the option to continue! --> ( 1 ) --> Press Enter.
- Wait for it to finish!
- During the scan, avoid touching the mouse or keyboard! <-- Important!
- To stop or exit ComboFix, press "N".
----------------------
- When it finishes, post the reports: C:\ComboFix.txt + an updated HijackThis log.
Túlio-RJ - Posted October 23, 2008

Mr. Perfect,

The generated logs follow below. Thanks in advance.

ComboFix log:

ComboFix 08-10-22.02 - user 2008-10-22 23:29:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1625 [GMT -2:00]
Executando de: C:\Documents and Settings\user\Desktop\Combo.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\bios.exe
C:\Documents and Settings\user\Dados de aplicativos\inst.exe
C:\WINDOWS\pi.exe
C:\WINDOWS\system32\bios.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\TRANSFORMERS.DLL
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GBPSV
-------\Legacy_NPF
-------\Service_GbpSv
-------\Service_NPF

(((((((((((((((( Arquivos/Ficheiros criados de 2008-09-23 to 2008-10-23 ))))))))))))))))))))))))))))
.
2008-10-22 22:45 . 2008-10-22 23:28 <DIR> d-------- C:\ComboFix
2008-10-22 01:19 . 2008-10-22 01:19 268 --ah----- C:\sqmdata14.sqm
2008-10-22 01:19 . 2008-10-22 01:19 244 --ah----- C:\sqmnoopt14.sqm
2008-10-21 22:48 . 2008-10-21 22:48 268 --ah----- C:\sqmdata13.sqm
2008-10-21 22:48 . 2008-10-21 22:48 244 --ah----- C:\sqmnoopt13.sqm
2008-10-21 19:41 . 2008-10-21 19:42 <DIR> d-------- C:\Hijack
2008-10-17 20:06 . 2008-10-17 20:06 268 --ah----- C:\sqmdata12.sqm
2008-10-17 20:06 . 2008-10-17 20:06 244 --ah----- C:\sqmnoopt12.sqm
2008-10-16 20:00 . 2008-10-22 22:26 <DIR> d-------- C:\WINDOWS\Help2k
2008-10-15 21:05 . 2008-10-15 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avg7
2008-10-14 23:17 . 2008-10-14 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Lavasoft
2008-10-14 23:17 . 2008-10-14 23:17 <DIR> d-------- C:\Arquivos de programas\Lavasoft
2008-10-14 23:14 . 2008-10-14 23:14 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-10-14 23:00 . 2008-10-14 23:00 19,153,264 --a------ C:\Temp\aaw2008.exe
2008-10-09 00:30 . 2008-10-09 00:47 <DIR> d-------- C:\fiscal
2008-10-07 22:09 . 2008-10-07 22:09 970,570 --a------ C:\Temp\mvc2006es.zip
2008-10-07 21:19 . 2008-10-07 21:19 <DIR> d-------- C:\Temp\viruskeeperpro
2008-10-07 21:19 . 2008-10-07 21:19 6,520,033 --a------ C:\Temp\viruskeeperpro.zip
2008-10-06 21:46 . 2008-10-06 21:46 <DIR> d-------- C:\Temp\CRISTINA_MEL_-_PRA_SEMPRE_-PLAY_BACK_BY_ME
2008-10-06 20:39 . 2008-10-06 20:39 <DIR> d-------- C:\Arquivos de programas\Eric's TelNet98
2008-10-05 21:29 . 2008-10-07 21:33 <DIR> d-------- C:\Temp\cleanvirusmsn
2008-10-05 21:29 . 2008-10-14 21:47 <DIR> d-------- C:\Arquivos de programas\AxBx
2008-10-05 21:20 . 2008-10-07 21:48 2,837,530 --a------ C:\Temp\cleanvirusmsn.zip
2008-10-01 15:33 . 2008-10-01 15:40 <DIR> d-------- C:\Arquivos de programas\Windows Live Safety Center
2008-09-30 19:34 . 2008-10-19 18:08 <DIR> d-------- C:\WINDOWS\system32\Prefetchxs
2008-09-30 19:32 . 2008-09-30 19:32 1,443,328 ---hs---- C:\WINDOWS\system32\jumpers.exe
2008-09-30 19:32 . 2008-09-30 19:34 549,376 ---hs---- C:\WINDOWS\system32\kutdll.exe
2008-09-30 19:32 . 2008-09-30 19:32 360,300 ---hs---- C:\WINDOWS\systemq.exe
2008-09-30 19:32 . 2008-09-30 19:32 200,192 --a------ C:\WINDOWS\system32\wte383.exe
2008-09-30 17:00 . 2008-10-07 12:32 <DIR> d-------- C:\Arquivos de programas\PhotoScape
2008-09-26 21:31 . 2008-10-04 00:49 <DIR> d-------- C:\Documents and Settings\user\Dados de aplicativos\Eric's TelNet98
2008-09-26 21:22 . 2008-09-26 21:22 <DIR> d-------- C:\Temp\t98setup
2008-09-26 21:19 . 2008-09-26 21:19 1,246,756 --a------ C:\Temp\t98setup.zip
2008-09-26 20:49 . 2008-10-09 00:59 <DIR> d-------- C:\Arquivos de programas\ValidaPR
2008-09-26 20:49 . 2008-09-26 20:49 286,720 --------- C:\WINDOWS\Setup1.exe
2008-09-26 20:49 . 2008-09-26 20:49 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-09-25 17:03 . 2008-09-25 17:03 268 --ah----- C:\sqmdata11.sqm
2008-09-25 17:03 . 2008-09-25 17:03 244 --ah----- C:\sqmnoopt11.sqm
2008-09-25 08:26 . 2008-09-25 08:26 <DIR> d-------- C:\Documents and Settings\Mirian e Ana Clara\Dados de aplicativos\Dealio
2008-09-24 08:41 . 2008-09-24 08:41 <DIR> d-------- C:\Arquivos de programas\Free WMA to MP3 Converter
2008-09-24 08:21 . 2005-06-28 19:31 499,712 --a------ C:\WINDOWS\system32\LameEncoderX.ocx
2008-09-24 08:21 . 2005-01-13 17:52 389,120 --a------ C:\WINDOWS\system32\PulseSoundTouchForVB.ocx
2008-09-24 08:21 . 2001-10-05 13:25 139,264 --a------ C:\WINDOWS\system32\SmartNetButton.ocx
2008-09-24 08:21 . 2001-04-27 17:11 24,576 --a------ C:\WINDOWS\system32\SmartSubClass.dll
2008-09-24 00:08 . 1999-05-10 09:06 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-09-24 00:08 . 1999-05-10 09:06 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-09-24 00:08 . 1999-05-10 09:06 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2008-09-24 00:08 . 1999-05-10 09:06 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2008-09-24 00:01 . 2008-09-24 00:01 <DIR> d-------- C:\conversor
2008-09-23 23:50 . 2008-09-23 23:50 <DIR> d-------- C:\Documents and Settings\user\Dados de aplicativos\Dealio
2008-09-23 23:50 . 2008-09-23 23:50 <DIR> d-------- C:\Arquivos de programas\Dealio
2008-09-23 23:40 . 2008-09-23 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Pianosoft
2008-09-23 23:40 . 2005-01-13 17:28 6,832 --a------ C:\WINDOWS\system32\PulseSoundTouchForVB.tlb

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 22:01 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\Skype
2008-10-21 22:00 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\skypePM
2008-10-20 22:20 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink
2008-10-19 20:43 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2008-10-19 20:42 --------- d-----w C:\Arquivos de programas\Norton Security Scan
2008-10-16 09:33 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\Vso
2008-10-09 01:45 --------- d-----w C:\Documents and Settings\Mirian e Ana Clara\Dados de aplicativos\AVG7
2008-10-05 20:42 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\vsosdk
2008-09-30 21:52 --------- d-----w C:\Arquivos de programas\GbPlugin
2008-09-26 23:25 --------- d-----w C:\Arquivos de programas\Serviços on-line
2008-09-26 00:44 --------- d-----w C:\Arquivos de programas\Arquivos comuns\logishrd
2008-09-25 20:42 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\LogiShrd
2008-09-24 21:45 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\uTorrent
2008-09-16 20:09 --------- d-----w C:\Arquivos de programas\eMule
2008-09-15 16:56 --------- d-----w C:\Arquivos de programas\Google
2008-09-15 16:02 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\Lightcomm
2008-09-14 23:12 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2008-06-22 00:09 47,360 ----a-w C:\Documents and Settings\user\Dados de aplicativos\pcouffin.sys
2008-03-15 08:50 10,000 --sh--r C:\WINDOWS\.vbe
2008-07-16 16:35 18,217 --sh--r C:\WINDOWS\system32\.vbe
2008-04-13 18:36 18,217 --sh--r C:\WINDOWS\system32\.vbs
2008-04-13 18:36 18,217 --sh--r C:\WINDOWS\system32\wbem\.vbe
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MessengerPlus3"="C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [2008-06-20 190024]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-13 68856]
"pluginiedw"="C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe" [2008-06-23 463872]
"iexplorerskut"="C:\WINDOWS\system32\kutdll.exe" [2008-09-30 549376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\Arquivos de programas\Vtune\TBPanel.exe" [2007-10-02 2158592]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-05 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-05 81920]
"RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe" [2008-05-06 77824]
"desp2k"="C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe" [2006-08-03 65536]
"WatchDog"="C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe" [2004-08-13 36864]
"MessengerPlus3"="C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [2008-06-20 190024]
"au"="C:\Arquivos de programas\Dealio\DealioAU.exe" [2007-10-09 492896]
"nwiz"="nwiz.exe" [2007-10-05 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-06-15 C:\WINDOWS\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"USER-B2A31EA60F"=".vbe" [2008-07-16 C:\WINDOWS\system32\.vbe]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
WinZip Quick Pick.lnk - C:\Arquivos de programas\WinZip\WZQKPICK.EXE [2008-04-01 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\desen\\programas\\MyEclipse 6.0\\jre\\bin\\javaw.exe"=
"C:\\Jdk1.6.0\\bin\\javaw.exe"=
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\UnrealTournament\\System\\UnrealTournament.exe"=
"C:\\Arquivos de programas\\eMule\\eMule.exe"=
"C:\\Arquivos de programas\\Eric's TelNet98\\Telnet98.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R2 cmpe;Context Manager Process Extension;C:\WINDOWS\system32\cmpe.exe [2007-02-26 61440]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 31232]
S3 XDva193;XDva193;C:\WINDOWS\system32\XDva193.sys [ ]
S3 XDva194;XDva194;C:\WINDOWS\system32\XDva194.sys [ ]
S3 XDva195;XDva195;C:\WINDOWS\system32\XDva195.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2534a0ba-373f-11dd-b7fb-001e8cbcca12}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{531dc1ea-80e2-11dd-b8c9-001e8cbcca12}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{550c30be-ffd6-11dc-b7af-001e8cbcca12}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0dcf07f-1164-11dd-b7c1-001e8cbcca12}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be3bc490-f26c-11dc-b7a4-001e8cbcca12}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca38e087-2845-11dd-b7e3-001e8cbcca12}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca38e088-2845-11dd-b7e3-001e8cbcca12}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs
.
Conteúdo da pasta 'Tarefas Agendadas'
2008-10-19 C:\WINDOWS\Tasks\Norton Security Scan for user.job
- C:\Arquivos de programas\Norton Security Scan\Nss.exe [2008-09-19 04:18]
2008-10-23 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job
- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
- - - - ORFÃOS REMOVIDOS - - - -

ShellExecuteHooks-{E37CB5F0-51F5-4395-A808-5FA49E399007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
Notify- GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll

.
------- Scan Suplementar -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.odia.com.br/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Windows Live Search - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: Compare Prices with &Dealio - C:\Documents and Settings\user\Dados de aplicativos\Dealio\kb124\res\DealioSearch.html
O8 -: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{6567EB37-AC23-4A19-BDDE-9FB90E24C01E}: NameServer = 200.149.55.142 200.165.132.154
O16 -: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
C:\WINDOWS\Downloaded Program Files\GbPluginABN.inf
O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
C:\WINDOWS\Downloaded Program Files\GoPetsWeb.inf
C:\WINDOWS\Downloaded Program Files\GoPetsWeb.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 23:30:39
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Tempo para conclusão: 2008-10-22 23:33:09
ComboFix-quarantined-files.txt 2008-10-23 01:33:07

Pré-execução: 25 pasta(s) 29,909,618,688 bytes disponíveis
Pós execução: 25 pasta(s) 29,900,976,128 bytes disponíveis

229

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:39:03, on 22/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmpe.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Arquivos de programas\Vtune\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe
C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cscript.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
C:\WINDOWS\system32\kutdll.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\Arquivos de programas\Java\jre1.6.0\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Windows Live Toolbar\msn_sl.exe
C:\Hijack\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odia.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O4 - HKLM\..\Run: [Gainward] C:\Arquivos de programas\Vtune\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe
O4 - HKLM\..\Run: [WatchDog] C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [au] C:\Arquivos de programas\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [pluginiedw] C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
O4 - HKCU\..\Run: [iexplorerskut] C:\WINDOWS\system32\kutdll.exe
O4 - HKLM\..\Policies\Explorer\Run: [uSER-B2A31EA60F] .vbe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\user\Dados de aplicativos\Dealio\kb124\res\DealioSearch.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} -
C:\Arquivos de programas\Dealio\kb124\Dealio.dll O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6567EB37-AC23-4A19-BDDE-9FB90E24C01E}: NameServer = 200.149.55.142 200.165.132.154 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) 
- Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\arquivos de programas\arquivos comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing) O23 - Service: LVSrvLauncher - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LogiShrd\SrvLnch\SrvLnch.exe (file missing) O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing) O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe -- End of file - 11041 bytes Compartilhar este post Link para o post Compartilhar em outros sites
PedroN, posted October 23, 2008

I suggest you print or save the procedure below, and do not use the internet until the procedure is finished.

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

File::
C:\WINDOWS\system32\kutdll.exe
C:\WINDOWS\system32\.vbe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iexplorerskut"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"USER-B2A31EA60F"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2534a0ba-373f-11dd-b7fb-001e8cbcca12}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{531dc1ea-80e2-11dd-b8c9-001e8cbcca12}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{550c30be-ffd6-11dc-b7af-001e8cbcca12}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0dcf07f-1164-11dd-b7c1-001e8cbcca12}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be3bc490-f26c-11dc-b7a4-001e8cbcca12}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca38e087-2845-11dd-b7e3-001e8cbcca12}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca38e088-2845-11dd-b7e3-001e8cbcca12}]

This script was written only for this computer, based on the files and keys present. Do not use it on another computer, as it may cause damage.

Now drag CFScript.txt onto ComboFix as shown in the demonstration below. ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: do not use the mouse or keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt. Post it together with a new HijackThis log.
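PedroN's first script is built from two lines of the HijackThis O4 section: the [iexplorerskut] value pointing at C:\WINDOWS\system32\kutdll.exe, and the [USER-B2A31EA60F] value under Policies\Explorer\Run whose target is a file named only ".vbe". The Python below is an added example, not part of the original posts nor of HijackThis or ComboFix; it makes that selection mechanically and then diffs two scans to confirm what a fix actually removed. Its sample lines are copied from the 22/10/2008 log above and from the 23/10/2008 log Túlio posts next in the thread; the heuristics and the KNOWN_SYSTEM32_AUTOSTARTS allowlist are the example's own assumptions.

```python
"""Triage HijackThis O4 (autostart) and O23 (service) entries and diff two scans.

Added example for this thread; it is not part of HijackThis, ComboFix or the
original posts. The sample lines are copied from the two logs posted in the
thread; the heuristics and the KNOWN_SYSTEM32_AUTOSTARTS allowlist are
assumptions made for this example, not something the page states.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines taken from the 22/10/2008 log (before the CFScript run).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pluginiedw] C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
O4 - HKCU\..\Run: [iexplorerskut] C:\WINDOWS\system32\kutdll.exe
O4 - HKLM\..\Policies\Explorer\Run: [USER-B2A31EA60F] .vbe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample: the same entries as they appear in the 23/10/2008 log (after the run).
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pluginiedw] C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
O4 - HKLM\..\Policies\Explorer\Run: [USER-B2A31EA60F] .vbe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable in a command line: optional quote, then a path ending in a runnable extension.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|vbe|vbs|scr|com|bat|cmd))(?=["\s,]|$)', re.IGNORECASE)

# Assumption for this example: the only system32 binaries we expect under Run keys.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Entry:
    kind: str      # "O4" or "O23"
    location: str  # registry location for O4, "Service" for O23
    name: str      # value name or service name
    target: str    # command line or service binary path

    def key(self) -> tuple[str, str, str]:
        return (self.location.lower(), self.name.lower(), self.target.lower())


def parse(log: str) -> list[Entry]:
    """Extract O4 and O23 entries; other HijackThis sections are ignored."""
    entries: list[Entry] = []
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", f"{m['hive']}\\..\\{m['key']}", m["name"], m["cmd"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", "Service", m["name"], m["path"]))
    return entries


def executable(target: str) -> str:
    """The binary a command line launches, without quotes or arguments."""
    m = EXE_RE.match(target.strip())
    return m["exe"] if m else target.strip()


def reasons(e: Entry) -> list[str]:
    """Why an entry deserves a closer look; an empty list means nothing stood out."""
    exe = executable(e.target)
    base = exe.rsplit("\\", 1)[-1].lower()
    out: list[str] = []
    if base.startswith("."):
        out.append("file name is only an extension")
    if e.kind == "O4" and "policies\\explorer\\run" in e.location.lower():
        out.append("autostarts from Policies\\Explorer\\Run, a key legitimate software rarely uses")
    if (e.kind == "O4" and exe.lower().startswith("c:\\windows\\system32\\")
            and base not in KNOWN_SYSTEM32_AUTOSTARTS):
        out.append("unfamiliar binary in system32; verify vendor and hash")
    if e.kind == "O23" and "(file missing)" in e.target:
        out.append("service binary is missing (orphaned service)")
    return out


def triage(log: str) -> dict[str, list[str]]:
    """Flagged entries of one scan, keyed by value or service name."""
    return {e.name: r for e in parse(log) if (r := reasons(e))}


def removed_between(before: str, after: str) -> list[Entry]:
    """Entries present in the first scan but gone in the second."""
    still_there = {e.key() for e in parse(after)}
    return [e for e in parse(before) if e.key() not in still_there]


if __name__ == "__main__":
    for name, why in triage(LOG_BEFORE).items():
        print(f"{name}: {'; '.join(why)}")
    print("removed:", [e.name for e in removed_between(LOG_BEFORE, LOG_AFTER)])
    print("still flagged:", sorted(triage(LOG_AFTER)))
```

Run against these samples it flags three entries in the first scan (iexplorerskut, USER-B2A31EA60F and the orphaned MySQL service) and reports that only iexplorerskut disappeared between the two scans. That is the check worth doing after every ComboFix run: the Policies\Explorer\Run value and its .vbe target are still present in the second log, which is why a second script was needed.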
Túlio-RJ, posted October 23, 2008

Mr. Perfect, the generated logs follow below.

ComboFix log:

ComboFix 08-10-22.02 - user 2008-10-23 20:44:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1608 [GMT -2:00]
Running from: C:\Documents and Settings\user\Desktop\Combo.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\.vbe
C:\WINDOWS\system32\kutdll.exe
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\.vbe
C:\WINDOWS\system32\kutdll.exe

.
(((((((((((((((( Files Created from 2008-09-23 to 2008-10-23 ))))))))))))))))))))))))))))
.

2008-10-22 22:45 . 2008-10-22 23:28 <DIR> d-------- C:\ComboFix
2008-10-22 01:19 . 2008-10-22 01:19 268 --ah----- C:\sqmdata14.sqm
2008-10-22 01:19 . 2008-10-22 01:19 244 --ah----- C:\sqmnoopt14.sqm
2008-10-21 22:48 . 2008-10-21 22:48 268 --ah----- C:\sqmdata13.sqm
2008-10-21 22:48 . 2008-10-21 22:48 244 --ah----- C:\sqmnoopt13.sqm
2008-10-21 19:41 . 2008-10-22 23:38 <DIR> d-------- C:\Hijack
2008-10-17 20:06 . 2008-10-17 20:06 268 --ah----- C:\sqmdata12.sqm
2008-10-17 20:06 . 2008-10-17 20:06 244 --ah----- C:\sqmnoopt12.sqm
2008-10-16 20:00 . 2008-10-22 22:26 <DIR> d-------- C:\WINDOWS\Help2k
2008-10-15 21:05 . 2008-10-15 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avg7
2008-10-14 23:17 . 2008-10-14 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Lavasoft
2008-10-14 23:17 . 2008-10-14 23:17 <DIR> d-------- C:\Arquivos de programas\Lavasoft
2008-10-14 23:14 . 2008-10-14 23:14 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-10-14 23:00 . 2008-10-14 23:00 19,153,264 --a------ C:\Temp\aaw2008.exe
2008-10-09 00:30 . 2008-10-09 00:47 <DIR> d-------- C:\fiscal
2008-10-07 22:09 . 2008-10-07 22:09 970,570 --a------ C:\Temp\mvc2006es.zip
2008-10-07 21:19 . 2008-10-07 21:19 <DIR> d-------- C:\Temp\viruskeeperpro
2008-10-07 21:19 . 2008-10-07 21:19 6,520,033 --a------ C:\Temp\viruskeeperpro.zip
2008-10-06 21:46 . 2008-10-06 21:46 <DIR> d-------- C:\Temp\CRISTINA_MEL_-_PRA_SEMPRE_-PLAY_BACK_BY_ME
2008-10-06 20:39 . 2008-10-06 20:39 <DIR> d-------- C:\Arquivos de programas\Eric's TelNet98
2008-10-05 21:29 . 2008-10-07 21:33 <DIR> d-------- C:\Temp\cleanvirusmsn
2008-10-05 21:29 . 2008-10-14 21:47 <DIR> d-------- C:\Arquivos de programas\AxBx
2008-10-05 21:20 . 2008-10-07 21:48 2,837,530 --a------ C:\Temp\cleanvirusmsn.zip
2008-10-01 15:33 . 2008-10-01 15:40 <DIR> d-------- C:\Arquivos de programas\Windows Live Safety Center
2008-09-30 19:34 . 2008-10-19 18:08 <DIR> d-------- C:\WINDOWS\system32\Prefetchxs
2008-09-30 19:32 . 2008-09-30 19:32 1,443,328 ---hs---- C:\WINDOWS\system32\jumpers.exe
2008-09-30 19:32 . 2008-09-30 19:32 360,300 ---hs---- C:\WINDOWS\systemq.exe
2008-09-30 19:32 . 2008-09-30 19:32 200,192 --a------ C:\WINDOWS\system32\wte383.exe
2008-09-30 17:00 . 2008-10-07 12:32 <DIR> d-------- C:\Arquivos de programas\PhotoScape
2008-09-26 21:31 . 2008-10-04 00:49 <DIR> d-------- C:\Documents and Settings\user\Dados de aplicativos\Eric's TelNet98
2008-09-26 21:22 . 2008-09-26 21:22 <DIR> d-------- C:\Temp\t98setup
2008-09-26 21:19 . 2008-09-26 21:19 1,246,756 --a------ C:\Temp\t98setup.zip
2008-09-26 20:49 . 2008-10-09 00:59 <DIR> d-------- C:\Arquivos de programas\ValidaPR
2008-09-26 20:49 . 2008-09-26 20:49 286,720 --------- C:\WINDOWS\Setup1.exe
2008-09-26 20:49 . 2008-09-26 20:49 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-09-25 17:03 . 2008-09-25 17:03 268 --ah----- C:\sqmdata11.sqm
2008-09-25 17:03 . 2008-09-25 17:03 244 --ah----- C:\sqmnoopt11.sqm
2008-09-25 08:26 . 2008-09-25 08:26 <DIR> d-------- C:\Documents and Settings\Mirian e Ana Clara\Dados de aplicativos\Dealio
2008-09-24 08:41 . 2008-09-24 08:41 <DIR> d-------- C:\Arquivos de programas\Free WMA to MP3 Converter
2008-09-24 08:21 . 2005-06-28 19:31 499,712 --a------ C:\WINDOWS\system32\LameEncoderX.ocx
2008-09-24 08:21 . 2005-01-13 17:52 389,120 --a------ C:\WINDOWS\system32\PulseSoundTouchForVB.ocx
2008-09-24 08:21 . 2001-10-05 13:25 139,264 --a------ C:\WINDOWS\system32\SmartNetButton.ocx
2008-09-24 08:21 . 2001-04-27 17:11 24,576 --a------ C:\WINDOWS\system32\SmartSubClass.dll
2008-09-24 00:08 . 1999-05-10 09:06 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-09-24 00:08 . 1999-05-10 09:06 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-09-24 00:08 . 1999-05-10 09:06 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2008-09-24 00:08 . 1999-05-10 09:06 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2008-09-24 00:01 . 2008-09-24 00:01 <DIR> d-------- C:\conversor
2008-09-23 23:50 . 2008-09-23 23:50 <DIR> d-------- C:\Documents and Settings\user\Dados de aplicativos\Dealio
2008-09-23 23:50 . 2008-09-23 23:50 <DIR> d-------- C:\Arquivos de programas\Dealio
2008-09-23 23:40 . 2008-09-23 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Pianosoft
2008-09-23 23:40 . 2005-01-13 17:28 6,832 --a------ C:\WINDOWS\system32\PulseSoundTouchForVB.tlb

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-23 22:27 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\Skype
2008-10-23 22:10 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\skypePM
2008-10-20 22:20 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink
2008-10-19 20:43 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2008-10-19 20:42 --------- d-----w C:\Arquivos de programas\Norton Security Scan
2008-10-16 09:33 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\Vso
2008-10-09 01:45 --------- d-----w C:\Documents and Settings\Mirian e Ana Clara\Dados de aplicativos\AVG7
2008-10-05 20:42 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\vsosdk
2008-09-30 21:52 --------- d-----w C:\Arquivos de programas\GbPlugin
2008-09-26 23:25 --------- d-----w C:\Arquivos de programas\Serviços on-line
2008-09-26 00:44 --------- d-----w C:\Arquivos de programas\Arquivos comuns\logishrd
2008-09-25 20:42 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\LogiShrd
2008-09-24 21:45 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\uTorrent
2008-09-16 20:09 --------- d-----w C:\Arquivos de programas\eMule
2008-09-15 16:56 --------- d-----w C:\Arquivos de programas\Google
2008-09-15 16:02 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\Lightcomm
2008-09-14 23:12 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2008-06-22 00:09 47,360 ----a-w C:\Documents and Settings\user\Dados de aplicativos\pcouffin.sys
2008-03-15 08:50 10,000 --sh--r C:\WINDOWS\.vbe
2008-04-13 18:36 18,217 --sh--r C:\WINDOWS\system32\.vbs
2008-04-13 18:36 18,217 --sh--r C:\WINDOWS\system32\wbem\.vbe

.
(((((((((((((((((((((((((( Registry Load Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MessengerPlus3"="C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [2008-06-20 190024]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-13 68856]
"pluginiedw"="C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe" [2008-06-23 463872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\Arquivos de programas\Vtune\TBPanel.exe" [2007-10-02 2158592]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-05 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-05 81920]
"RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe" [2008-05-06 77824]
"desp2k"="C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe" [2006-08-03 65536]
"WatchDog"="C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe" [2004-08-13 36864]
"MessengerPlus3"="C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [2008-06-20 190024]
"au"="C:\Arquivos de programas\Dealio\DealioAU.exe" [2007-10-09 492896]
"nwiz"="nwiz.exe" [2007-10-05 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-06-15 C:\WINDOWS\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"USER-B2A31EA60F"=".vbe" [2008-10-23 C:\WINDOWS\system32\.vbe]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
WinZip Quick Pick.lnk - C:\Arquivos de programas\WinZip\WZQKPICK.EXE [2008-04-01 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\desen\\programas\\MyEclipse 6.0\\jre\\bin\\javaw.exe"=
"C:\\Jdk1.6.0\\bin\\javaw.exe"=
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\UnrealTournament\\System\\UnrealTournament.exe"=
"C:\\Arquivos de programas\\eMule\\eMule.exe"=
"C:\\Arquivos de programas\\Eric's TelNet98\\Telnet98.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R2 cmpe;Context Manager Process Extension;C:\WINDOWS\system32\cmpe.exe [2007-02-26 61440]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 31232]
S3 XDva193;XDva193;C:\WINDOWS\system32\XDva193.sys [ ]
S3 XDva194;XDva194;C:\WINDOWS\system32\XDva194.sys [ ]
S3 XDva195;XDva195;C:\WINDOWS\system32\XDva195.sys [ ]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-10-19 C:\WINDOWS\Tasks\Norton Security Scan for user.job
- C:\Arquivos de programas\Norton Security Scan\Nss.exe [2008-09-19 04:18]

2008-10-23 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job
- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 20:45:55
Windows 5.1.2600 Service Pack 2 NTFS

Scanning for hidden processes ...

Scanning for hidden autostart entries ...

Scanning for hidden files ...

Scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-10-23 20:49:02
ComboFix-quarantined-files.txt 2008-10-23 22:49:00
ComboFix2.txt 2008-10-23 01:33:10

Pre-Run: 25 folder(s) 27,495,485,440 bytes free
Post-Run: 25 folder(s) 27,485,421,568 bytes free

172

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50:35, on 23/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmpe.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Vtune\TBPanel.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe
C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cscript.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Hijack\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odia.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O4 - HKLM\..\Run: [Gainward] C:\Arquivos de programas\Vtune\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe
O4 - HKLM\..\Run: [WatchDog] C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [au] C:\Arquivos de programas\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [pluginiedw] C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
O4 - HKLM\..\Policies\Explorer\Run: [USER-B2A31EA60F] .vbe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\user\Dados de aplicativos\Dealio\kb124\res\DealioSearch.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\arquivos de programas\arquivos comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

--
End of file - 10726 bytes
PedroN 1 Posted October 24, 2008 I suggest you print or save the procedure below, and do not use the internet until the procedure is finished. Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

File::
C:\WINDOWS\system32\.vbe
C:\WINDOWS\.vbe
C:\WINDOWS\system32\.vbs
C:\WINDOWS\system32\wbem\.vbe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"USER-B2A31EA60F"=-

This script was written only for this computer, according to the files and keys present on it; do not use it on another computer, as it may cause damage. Now drag CFScript.txt onto ComboFix as shown in the demonstration below. ComboFix will run and will restart the PC automatically to complete the removal process. IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running. When it finishes, a log will be generated at C:\ComboFix.txt. Post it together with a new HijackThis log.
Túlio-RJ 0 Posted October 25, 2008 Mr. Perfect, The logs follow below. Thanks, Everaldo. ComboFix log: ComboFix 08-10-22.02 - user 2008-10-25 0:37:56.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1607 [GMT -2:00] Executando de: C:\Documents and Settings\user\Desktop\Combo.exe Comandos utilizados :: C:\Documents and Settings\user\Desktop\CFScript.txt * Criado um novo ponto de restauro FILE :: C:\WINDOWS\.vbe C:\WINDOWS\system32\.vbe C:\WINDOWS\system32\.vbs C:\WINDOWS\system32\wbem\.vbe . ((((((((((((((((((((((((((((((((((((( Outras Exclusões ))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\.vbe C:\WINDOWS\system32\.vbe C:\WINDOWS\system32\.vbs C:\WINDOWS\system32\wbem\.vbe . (((((((((((((((( Arquivos/Ficheiros criados de 2008-09-25 to 2008-10-25 )))))))))))))))))))))))))))) . 2008-10-22 22:45 . 2008-10-22 23:28 <DIR> d-------- C:\ComboFix 2008-10-22 01:19 . 2008-10-22 01:19 268 --ah----- C:\sqmdata14.sqm 2008-10-22 01:19 . 2008-10-22 01:19 244 --ah----- C:\sqmnoopt14.sqm 2008-10-21 22:48 . 2008-10-21 22:48 268 --ah----- C:\sqmdata13.sqm 2008-10-21 22:48 . 2008-10-21 22:48 244 --ah----- C:\sqmnoopt13.sqm 2008-10-21 19:41 . 2008-10-23 20:50 <DIR> d-------- C:\Hijack 2008-10-17 20:06 . 2008-10-17 20:06 268 --ah----- C:\sqmdata12.sqm 2008-10-17 20:06 . 2008-10-17 20:06 244 --ah----- C:\sqmnoopt12.sqm 2008-10-16 20:00 . 2008-10-22 22:26 <DIR> d-------- C:\WINDOWS\Help2k 2008-10-15 21:05 . 2008-10-15 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avg7 2008-10-14 23:17 . 2008-10-14 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Lavasoft 2008-10-14 23:17 . 2008-10-14 23:17 <DIR> d-------- C:\Arquivos de programas\Lavasoft 2008-10-14 23:14 . 2008-10-14 23:14 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard 2008-10-14 23:00 . 2008-10-14 23:00 19,153,264 --a------ C:\Temp\aaw2008.exe 2008-10-09 00:30 . 
2008-10-09 00:47 <DIR> d-------- C:\fiscal 2008-10-07 22:09 . 2008-10-07 22:09 970,570 --a------ C:\Temp\mvc2006es.zip 2008-10-07 21:19 . 2008-10-07 21:19 <DIR> d-------- C:\Temp\viruskeeperpro 2008-10-07 21:19 . 2008-10-07 21:19 6,520,033 --a------ C:\Temp\viruskeeperpro.zip 2008-10-06 21:46 . 2008-10-06 21:46 <DIR> d-------- C:\Temp\CRISTINA_MEL_-_PRA_SEMPRE_-PLAY_BACK_BY_ME 2008-10-06 20:39 . 2008-10-06 20:39 <DIR> d-------- C:\Arquivos de programas\Eric's TelNet98 2008-10-05 21:29 . 2008-10-07 21:33 <DIR> d-------- C:\Temp\cleanvirusmsn 2008-10-05 21:29 . 2008-10-14 21:47 <DIR> d-------- C:\Arquivos de programas\AxBx 2008-10-05 21:20 . 2008-10-07 21:48 2,837,530 --a------ C:\Temp\cleanvirusmsn.zip 2008-10-01 15:33 . 2008-10-01 15:40 <DIR> d-------- C:\Arquivos de programas\Windows Live Safety Center 2008-09-30 19:34 . 2008-10-19 18:08 <DIR> d-------- C:\WINDOWS\system32\Prefetchxs 2008-09-30 19:32 . 2008-09-30 19:32 1,443,328 ---hs---- C:\WINDOWS\system32\jumpers.exe 2008-09-30 19:32 . 2008-09-30 19:32 360,300 ---hs---- C:\WINDOWS\systemq.exe 2008-09-30 19:32 . 2008-09-30 19:32 200,192 --a------ C:\WINDOWS\system32\wte383.exe 2008-09-30 17:00 . 2008-10-07 12:32 <DIR> d-------- C:\Arquivos de programas\PhotoScape 2008-09-26 21:31 . 2008-10-04 00:49 <DIR> d-------- C:\Documents and Settings\user\Dados de aplicativos\Eric's TelNet98 2008-09-26 21:22 . 2008-09-26 21:22 <DIR> d-------- C:\Temp\t98setup 2008-09-26 21:19 . 2008-09-26 21:19 1,246,756 --a------ C:\Temp\t98setup.zip 2008-09-26 20:49 . 2008-10-09 00:59 <DIR> d-------- C:\Arquivos de programas\ValidaPR 2008-09-26 20:49 . 2008-09-26 20:49 286,720 --------- C:\WINDOWS\Setup1.exe 2008-09-26 20:49 . 2008-09-26 20:49 73,216 --a------ C:\WINDOWS\ST6UNST.EXE 2008-09-25 17:03 . 2008-09-25 17:03 268 --ah----- C:\sqmdata11.sqm 2008-09-25 17:03 . 2008-09-25 17:03 244 --ah----- C:\sqmnoopt11.sqm 2008-09-25 08:26 . 
2008-09-25 08:26 <DIR> d-------- C:\Documents and Settings\Mirian e Ana Clara\Dados de aplicativos\Dealio . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-25 02:39 18,217 --sh--r C:\WINDOWS\system32\.vbe 2008-10-24 00:32 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\skypePM 2008-10-24 00:32 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\Skype 2008-10-20 22:20 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink 2008-10-19 20:43 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared 2008-10-19 20:42 --------- d-----w C:\Arquivos de programas\Norton Security Scan 2008-10-16 09:33 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\Vso 2008-10-09 01:45 --------- d-----w C:\Documents and Settings\Mirian e Ana Clara\Dados de aplicativos\AVG7 2008-10-05 20:42 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\vsosdk 2008-09-30 21:52 --------- d-----w C:\Arquivos de programas\GbPlugin 2008-09-26 23:25 --------- d-----w C:\Arquivos de programas\Serviços on-line 2008-09-26 00:44 --------- d-----w C:\Arquivos de programas\Arquivos comuns\logishrd 2008-09-25 20:42 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\LogiShrd 2008-09-24 21:45 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\uTorrent 2008-09-24 10:41 --------- d-----w C:\Arquivos de programas\Free WMA to MP3 Converter 2008-09-24 01:50 --------- d-----w C:\Documents and Settings\user\Dados de aplicativos\Dealio 2008-09-24 01:50 --------- d-----w C:\Arquivos de programas\Dealio 2008-09-24 01:40 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Pianosoft 2008-09-16 20:09 --------- d-----w C:\Arquivos de programas\eMule 2008-09-15 16:56 --------- d-----w C:\Arquivos de programas\Google 2008-09-15 16:02 --------- d-----w C:\Documents and 
Settings\user\Dados de aplicativos\Lightcomm 2008-09-14 23:12 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE 2008-06-22 00:09 47,360 ----a-w C:\Documents and Settings\user\Dados de aplicativos\pcouffin.sys . ((((((((((((((((((((((((((((( snapshot@2008-10-22_23.32.57.35 ))))))))))))))))))))))))))))))))))))))))) . - 2008-07-16 16:35:55 18,217 --sh--r C:\WINDOWS\system32\.vbe + 2008-10-25 02:39:20 18,217 --sh--r C:\WINDOWS\system32\.vbe - 2008-04-13 18:36:47 18,217 --sh--r C:\WINDOWS\system32\wbem\.vbe + 2008-10-25 02:39:20 18,217 --sh--r C:\WINDOWS\system32\wbem\.vbe . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360] "MessengerPlus3"="C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [2008-06-20 190024] "swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-13 68856] "pluginiedw"="C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe" [2008-06-23 463872] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Gainward"="C:\Arquivos de programas\Vtune\TBPanel.exe" [2007-10-02 2158592] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-05 8491008] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-05 81920] "RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928] "LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832] "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe" [2008-05-06 77824] "desp2k"="C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe" [2006-08-03 65536] "WatchDog"="C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe" [2004-08-13 36864] "MessengerPlus3"="C:\Arquivos de programas\MessengerPlus! 
3\MsgPlus.exe" [2008-06-20 190024] "au"="C:\Arquivos de programas\Dealio\DealioAU.exe" [2007-10-09 492896] "nwiz"="nwiz.exe" [2007-10-05 C:\WINDOWS\system32\nwiz.exe] "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2007-06-15 C:\WINDOWS\SkyTel.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run] "USER-B2A31EA60F"=".vbe" [2008-10-25 C:\WINDOWS\system32\.vbe] C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\ Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] WinZip Quick Pick.lnk - C:\Arquivos de programas\WinZip\WZQKPICK.EXE [2008-04-01 106560] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.l3codec"= l3codecp.acm [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Arquivos de programas\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"= "C:\\desen\\programas\\MyEclipse 6.0\\jre\\bin\\javaw.exe"= "C:\\Jdk1.6.0\\bin\\javaw.exe"= "C:\\Arquivos de programas\\Messenger\\msmsgs.exe"= "C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"= "C:\\WINDOWS\\system32\\javaw.exe"= "C:\\UnrealTournament\\System\\UnrealTournament.exe"= "C:\\Arquivos de programas\\eMule\\eMule.exe"= "C:\\Arquivos de programas\\Eric's TelNet98\\Telnet98.exe"= "C:\\WINDOWS\\system32\\ftp.exe"= "C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"= R2 cmpe;Context Manager Process Extension;C:\WINDOWS\system32\cmpe.exe [2007-02-26 61440] R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 
31232] S3 XDva193;XDva193;C:\WINDOWS\system32\XDva193.sys [ ] S3 XDva194;XDva194;C:\WINDOWS\system32\XDva194.sys [ ] S3 XDva195;XDva195;C:\WINDOWS\system32\XDva195.sys [ ] . Conteúdo da pasta 'Tarefas Agendadas' 2008-10-19 C:\WINDOWS\Tasks\Norton Security Scan for user.job - C:\Arquivos de programas\Norton Security Scan\Nss.exe [2008-09-19 04:18] 2008-10-23 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job - C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20] . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-10-25 00:39:24 Windows 5.1.2600 Service Pack 2 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL] "ImagePath"="\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini\" MySQL" . 
Tempo para conclusão: 2008-10-25 0:42:24 ComboFix-quarantined-files.txt 2008-10-25 02:42:21 ComboFix2.txt 2008-10-23 22:49:03 ComboFix3.txt 2008-10-23 01:33:10 Pré-execução: 25 pasta(s) 25.434.902.528 bytes disponíveis Pós execução: 25 pasta(s) 25,427,746,816 bytes disponíveis 171 New HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 00:46:39, on 25/10/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\cmpe.exe C:\Arquivos de programas\Vtune\TBPanel.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\RTHDCPL.EXE C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe C:\WINDOWS\system32\nvsvc32.exe C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe C:\Arquivos de programas\MessengerPlus! 
3\MsgPlus.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Arquivos de programas\WinZip\WZQKPICK.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\cscript.exe C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe C:\Arquivos de programas\Java\jre1.6.0\bin\jucheck.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Hijack\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odia.com.br/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - 
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing) O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll O4 - HKLM\..\Run: [Gainward] C:\Arquivos de programas\Vtune\TBPanel.exe /A O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [skyTel] SkyTel.EXE O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe" O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe O4 - HKLM\..\Run: [WatchDog] C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [au] C:\Arquivos de programas\Dealio\DealioAU.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 
3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [pluginiedw] C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe O4 - HKLM\..\Policies\Explorer\Run: [uSER-B2A31EA60F] .vbe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\user\Dados de aplicativos\Dealio\kb124\res\DealioSearch.html O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll O9 - Extra 'Tools' 
menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe O23 - Service: 
Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\arquivos de programas\arquivos comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing) O23 - Service: LVSrvLauncher - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LogiShrd\SrvLnch\SrvLnch.exe (file missing) O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing) O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe -- End of file - 10819 bytes
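The snapshot section of the ComboFix log above is the most telling part of this post. Both `.vbe` files were deleted by the CFScript (they are listed under "Outras Exclusões") and then appear again with the `+` sign, the same 18,217-byte size, the same hidden+system attributes and a timestamp taken while ComboFix was still running, which means a still-active component wrote them straight back. The HijackThis log that follows confirms it: `cscript.exe` is running and the `Policies\Explorer\Run` value is still present. The Python script below is an added example, not part of the original thread or of ComboFix: it parses that snapshot block (the four input lines are copied from the log above and embedded as constructed input) and reports every path that was removed and re-created at the same size, which is the check a helper makes before deciding that a file-deletion script alone will not be enough.

```python
import re
from collections import defaultdict

# Constructed input: the four snapshot lines from the ComboFix log posted above.
# '-' is the file as recorded in the earlier snapshot, '+' the file as seen now.
SNAPSHOT = r"""
- 2008-07-16 16:35:55 18,217 --sh--r C:\WINDOWS\system32\.vbe
+ 2008-10-25 02:39:20 18,217 --sh--r C:\WINDOWS\system32\.vbe
- 2008-04-13 18:36:47 18,217 --sh--r C:\WINDOWS\system32\wbem\.vbe
+ 2008-10-25 02:39:20 18,217 --sh--r C:\WINDOWS\system32\wbem\.vbe
"""

# sign, date, time, size (with thousands separators), 7-char attribute field, path
SNAP_RE = re.compile(
    r"^(?P<sign>[-+]) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{7}) (?P<path>.+?)\s*$"
)


def parse_snapshot(text):
    """Group the '-' (old) and '+' (new) records of the snapshot block by path."""
    entries = defaultdict(dict)
    for raw in text.splitlines():
        m = SNAP_RE.match(raw)
        if not m:
            continue  # headers, blank lines, anything that is not a snapshot record
        entries[m["path"]][m["sign"]] = {
            "when": f"{m['date']} {m['time']}",  # ISO order, so strings compare as dates
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
        }
    return dict(entries)


def file_name(path):
    return path.rsplit("\\", 1)[-1]


def find_redropped(entries):
    """A path that is both gone ('-') and back ('+') at the same size with a newer
    timestamp was rewritten after its removal: whatever drops it is still running."""
    findings = []
    for path, versions in entries.items():
        old, new = versions.get("-"), versions.get("+")
        if not (old and new):
            continue
        if new["size"] == old["size"] and new["when"] > old["when"]:
            name = file_name(path)
            findings.append({
                "path": path,
                "size": new["size"],
                "recreated": new["when"],
                # ComboFix attribute string: 's' = system, 'h' = hidden
                "hidden_system": "s" in new["attrs"] and "h" in new["attrs"],
                # a name that is only an extension (".vbe") is not how software gets installed
                "extension_only_name": name.startswith(".") and name.count(".") == 1,
            })
    return findings


if __name__ == "__main__":
    for f in find_redropped(parse_snapshot(SNAPSHOT)):
        print(f"{f['recreated']}  {f['size']:>7}  {f['path']}  "
              f"hidden+system={f['hidden_system']}  ext-only-name={f['extension_only_name']}")
```

Run against the thread's snapshot both `.vbe` paths come back as re-dropped, hidden+system, extension-only names; a file that appears only with a `-` record (genuinely deleted) produces no finding.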
PedroN 1 Posted October 25, 2008 Download Kill Box - Copy the instructions to Notepad or print them! - Unpack KillBox and keep it in a folder or on your desktop; - Run the KillBox tool. Check the Delete on Reboot option. Copy the whole list below in bold, selecting it and right-clicking Copy

C:\WINDOWS\system32\cscript.exe

In KillBox, with the files already copied to the clipboard, click File -> Paste from clipboard... Click the All Files button, then the ... and answer No to the question. Restart the computer in Safe Mode, then run HijackThis and click Do a System Scan Only. Check the boxes for the entries listed below in the grey box and, when you have finished selecting, click Fix Checked

O4 - HKLM\..\Policies\Explorer\Run: [uSER-B2A31EA60F] .vbe

Restart in normal mode. Copy the updated HijackThis log(s) and paste them in your next reply.
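The HijackThis line PedroN singles out is the one that matters: an O4 entry under Policies\Explorer\Run whose value is just `.vbe`, with no directory and no file stem, only an extension. A value like that is not a program but an encoded VBScript that the Windows Script Host (cscript.exe or wscript.exe, the `cscript.exe` visible in the process list of the previous log) executes, and with no directory it is resolved by searching the standard locations, which include system32, where ComboFix found the hidden `.vbe`. cscript.exe itself is a Windows component; the payload is the hidden script and the Run value that launches it. The Python script below is an added example, not part of the thread or of HijackThis: it applies those heuristics to O4 lines and also flags the orphaned O2/O23 entries ("(no file)", "(file missing)") that are only clutter. The input lines are copied from the logs above; the severity rules are my own choice.

```python
import re

# Constructed input: lines copied from the HijackThis logs posted above,
# plus the legitimate ctfmon entry as a control that must not be flagged.
HJT_LINES = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [uSER-B2A31EA60F] .vbe",
    r"O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis marks targets that no longer exist on disk
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
# extensions handled by the Windows Script Host / mshta rather than run as a program
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")


def executable_of(cmd):
    """First token of the command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(lines):
    """Return (severity, reason, line) for every line worth a second look."""
    findings = []
    for line in lines:
        if ORPHAN_RE.search(line):
            findings.append(("low", "orphaned entry (target absent); safe to fix", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m["cmd"])
        name = exe.rsplit("\\", 1)[-1]
        reasons = []
        if m["key"].lower().startswith("policies\\"):
            reasons.append("autorun under Policies\\Explorer\\Run, rarely used by legitimate software")
        if "\\" not in exe:
            reasons.append("no directory: resolved by search path at logon")
        if name.lower().endswith(SCRIPT_EXTS):
            reasons.append("script-host payload (runs via wscript/cscript)")
        if name.startswith("."):
            reasons.append("extension-only file name")
        if not reasons:
            continue
        # one oddity (a bare EXE name, as Realtek's RTHDCPL does) is only informational;
        # several together are what makes the .vbe entry stand out
        severity = "high" if len(reasons) >= 2 else "info"
        findings.append((severity, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(HJT_LINES):
        print(f"[{severity:4}] {line}\n        {reason}")
```

On the sample the only "high" finding is the `.vbe` Policies entry (four reasons at once); `RTHDCPL.EXE` is a bare file name too but rates only "info", because legitimate vendors do that, and the two orphaned entries come out as "low" clean-up items.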
Túlio-RJ 0 Posted October 25, 2008 Mr. Perfect, The updated HijackThis log follows below: Thanks, Everaldo. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:33:34, on 25/10/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\cmpe.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\WINDOWS\system32\nvsvc32.exe C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\Vtune\TBPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\RTHDCPL.EXE C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe C:\Arquivos de programas\MessengerPlus! 
3\MsgPlus.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe C:\Arquivos de programas\WinZip\WZQKPICK.EXE C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe C:\Hijack\HiJackThis.exe C:\Arquivos de programas\Java\jre1.6.0\bin\jucheck.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odia.com.br/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll O2 - BHO: G-Buster Browser Defense ABN AMRO - 
{C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing) O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll O4 - HKLM\..\Run: [Gainward] C:\Arquivos de programas\Vtune\TBPanel.exe /A O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [skyTel] SkyTel.EXE O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe" O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe O4 - HKLM\..\Run: [WatchDog] C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [au] C:\Arquivos de programas\Dealio\DealioAU.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 
3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [pluginiedw] C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\user\Dados de aplicativos\Dealio\kb124\res\DealioSearch.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6567EB37-AC23-4A19-BDDE-9FB90E24C01E}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\arquivos de programas\arquivos comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

--
End of file - 10982 bytes
PedroN, posted October 25, 2008

OK, the log is clean :)

- Type combofix /u in Run, click OK and wait for ComboFix to be removed.

Visit Windows Update and update your system, downloading Service Pack 3. Or, if you prefer, download and install the full package (approx. 300 MB): http://www.microsoft.com/downloads/details...splayLang=pt-br

Update Java. Old versions have vulnerabilities that some malware can use to infect your system.
• Download the latest version of the Java Runtime Environment (JRE) 6u7.
• Look for where it says "Java Runtime Environment (JRE) 6 Update 7".
• Click the Download button.
• Check the option that says Accept License Agreement.
• The page will refresh.
• Click the Windows Offline Installation download link and save it to your desktop. (The file is around 70 MB.)
• Close any running programs, especially browsers.
• Go to Start > Control Panel, double-click Add or Remove Programs and remove all old versions of Java. Examples of old versions: Java 2 Runtime Environment, SE v1.4.2; J2SE Runtime Environment 5.0; J2SE Runtime Environment 5.0 Update 6.
• Select any item named Java Runtime Environment (JRE or J2SE).
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each version of Java.
• Restart your computer once all versions of Java have been removed.
• Now go to your desktop and double-click jre-6u7-windows-i586-p.exe to install the newest version.

- I recommend a maintenance pass on the computer to delete temporary and unnecessary files and invalid registry entries. Download CCleaner.
◘ Open the program and click Run Cleaner;
◘ After that, click Registry > Scan for errors > Fix errors.

- Disable and re-enable System Restore.

Read the article Cuidados ao navegar na net for more information on how to avoid infections.
Túlio-RJ, posted October 30, 2008

Mr. Perfect,

I have already followed all the recommendations given to me. The virus is really gone and I thank you for your help. But now when I turn on the PC it shows the message: "This application could not be started because wpcap.dll was not found. Reinstalling the application may fix the problem." Why is this error happening?

Thank you,
Everaldo.
PedroN, posted October 30, 2008

- Run ComboFix again.
- Then do a scan.
◘ Do an online scan at: < Kaspersky >
◘ Use the Internet Explorer browser for this.
• Go to the site and click: < >
◘ On the next page, click: I Accept
◘ This is so that the ActiveX control installs and the database is then updated.
◘ On the next page, click: My Computer and run the scan.
◘ Be patient!
◘ Wait for the database update and for the scan itself, which takes a long time.
◘ When it finishes, save and post the report.
◘ Click Save Report As... to save the log.
◘ Save the result as .txt, as in the image below:
◘ Also post an updated HijackThis log.
Túlio-RJ, posted October 31, 2008

Mr. Perfect,

The generated logs are below.

Thank you,
Everaldo

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, October 30, 2008 20:42:47
Records in database: 1362103
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 111571
Threat name: 7
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 01:02:42

File name / Threat name / Threats count
C:\Arquivos de programas\Internet Explorer\Connection Wizard\msicw.exe Infected: Packed.Win32.Black.a 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\bios.exe.vir Infected: Trojan-Downloader.Win32.Banload.bej 1
C:\Qoobox\Quarantine\C\WINDOWS\.vbe.vir Infected: Virus.VBS.AutoRun.ai 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\.vbe.vir Infected: Worm.VBS.Autorun.r 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\.vbs.vir Infected: Worm.VBS.Autorun.r 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bios.exe.vir Infected: Trojan-Downloader.Win32.Banload.bej 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kutdll.exe.vir Infected: Trojan-Banker.Win32.Banker.xiq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\.vbe.vir Infected: Worm.VBS.Autorun.r 1
C:\WINDOWS\system32\.vbe Infected: Worm.VBS.Autorun.r 1
C:\WINDOWS\system32\jumpers.exe Infected: Trojan-Banker.Win32.Banker.wrh 1
C:\WINDOWS\system32\wbem\.vbe Infected: Worm.VBS.Autorun.r 1
C:\WINDOWS\system32\wte383.exe Infected: Trojan-Downloader.Win32.Banload.bej 1
C:\WINDOWS\systemq.exe Infected: Trojan-Downloader.Win32.Banload.whz 1

The selected area was scanned.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:33:20, on 31/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmpe.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Vtune\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe
C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
C:\Arquivos de programas\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijack\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odia.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Gainward] C:\Arquivos de programas\Vtune\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe
O4 - HKLM\..\Run: [WatchDog] C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [au] C:\Arquivos de programas\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [pluginiedw] C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\user\Dados de aplicativos\Dealio\kb124\res\DealioSearch.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6567EB37-AC23-4A19-BDDE-9FB90E24C01E}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\arquivos de programas\arquivos comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

--
End of file - 11655 bytes
PedroN, posted October 31, 2008

- Type combofix /u in Run, click OK and wait for ComboFix to be removed.

- Download OTMoveIt: http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
• Save it to your desktop.
• Double-click OTMoveIt.exe.
• Now select the list in bold blue below and click Edit > Copy (or press CTRL+C).

C:\WINDOWS\system32\.vbe
C:\WINDOWS\system32\jumpers.exe
C:\WINDOWS\system32\wbem\.vbe
C:\WINDOWS\system32\wte383.exe
C:\WINDOWS\systemq.exe

- Go back to OTMoveIt, right-click in "Paste List of Files/Folders to be moved" and choose Paste.
- Click the MoveIt! button.
- If possible, copy the entire contents of the results window (after selecting all the contents, copy (CTRL+C), or right-click and choose Copy) and paste it (CTRL+V) into a new Notepad document. Save that Notepad document to your desktop and paste its contents in your next reply.
- Close OTMoveIt.

Note: If a file or folder cannot be moved immediately, you will be asked to reboot the PC so the process can finish. If so, please choose Yes. The log can also be found at C:\_OTMoveIt\MovedFiles\********_******.log (where "********_******" is "date_time").

In your next reply, generate and paste a new HijackThis log and include the OTMoveIt result.
• Do a new online scan.
Túlio-RJ, posted October 31, 2008

Mr. Perfect,

I could not download OTMoveIt.exe from the link you sent me; I also tried Google without success. Can you give me a tip on where to download this file?

Thank you,
Everaldo.
PedroN, posted November 1, 2008

- Download Kill Box.
- Copy the instructions to Notepad or print them!
- Unzip KillBox and keep it in a folder or on your desktop;
- Run the KillBox tool. Check the Delete on Reboot option. Copy the whole list below in bold, by selecting it and right-clicking > Copy.

C:\WINDOWS\system32\.vbe
C:\WINDOWS\system32\jumpers.exe
C:\WINDOWS\system32\wbem\.vbe
C:\WINDOWS\system32\wte383.exe
C:\WINDOWS\systemq.exe

...In KillBox, with the files already copied to the clipboard, click File -> Paste from clipboard...
Click the All Files button, then the . ... and answer No to the question.

- Once this procedure is done, run a new online scan.
Túlio-RJ 0 Denunciar post Postado Novembro 2, 2008 Sr. perfect, Segue abaixo os log's. Grato, Everaldo. Log Kaspersky: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Sunday, November 2, 2008 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Saturday, November 01, 2008 14:50:34 Records in database: 1366135 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: A:\ C:\ D:\ Scan statistics: Files scanned: 112339 Threat name: 5 Infected objects: 11 Suspicious objects: 0 Duration of the scan: 02:03:36 File name / Threat name / Threats count C:\!KillBox\.vbe Infected: Worm.VBS.Autorun.r 1 C:\!KillBox\.vbe( 1) Infected: Worm.VBS.Autorun.r 1 C:\!KillBox\jumpers.exe Infected: Trojan-Banker.Win32.Banker.wrh 1 C:\!KillBox\systemq.exe Infected: Trojan-Downloader.Win32.Banload.whz 1 C:\!KillBox\wte383.exe Infected: Trojan-Downloader.Win32.Banload.bej 1 C:\Arquivos de programas\Internet Explorer\Connection Wizard\msicw.exe Infected: Packed.Win32.Black.a 1 C:\WINDOWS\system32\.vbe Infected: Worm.VBS.Autorun.r 1 C:\WINDOWS\system32\jumpers.exe Infected: Trojan-Banker.Win32.Banker.wrh 1 C:\WINDOWS\system32\wbem\.vbe Infected: Worm.VBS.Autorun.r 1 C:\WINDOWS\system32\wte383.exe Infected: Trojan-Downloader.Win32.Banload.bej 1 C:\WINDOWS\systemq.exe Infected: Trojan-Downloader.Win32.Banload.whz 1 The selected area was scanned. 
Novo log do Hijack: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 00:26:01, on 2/11/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\cmpe.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\Arquivos de programas\Vtune\TBPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\RTHDCPL.EXE C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe C:\Arquivos de programas\MessengerPlus! 
3\MsgPlus.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe C:\Arquivos de programas\WinZip\WZQKPICK.EXE C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\WINDOWS\system32\nvsvc32.exe C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\WINDOWS\system32\wscntfy.exe C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe C:\WINDOWS\system32\wuauclt.exe C:\Arquivos de programas\internet explorer\iexplore.exe C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Arquivos de programas\internet explorer\iexplore.exe C:\Hijack\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odia.com.br/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! 
Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - (no file) O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll O3 - Toolbar: Barra de Ferramentas do Yahoo! 
com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Gainward] C:\Arquivos de programas\Vtune\TBPanel.exe /A O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [skyTel] SkyTel.EXE O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Oi Velox\Manager\desp2k.exe O4 - HKLM\..\Run: [WatchDog] C:\Arquivos de programas\mobile PhoneTools\WatchDog.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [au] C:\Arquivos de programas\Dealio\DealioAU.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 
3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [pluginiedw] C:\Arquivos de programas\Internet Explorer\PLUGINS\iedw.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\user\Dados de aplicativos\Dealio\kb124\res\DealioSearch.html O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - 
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Arquivos de programas\Dealio\kb124\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6567EB37-AC23-4A19-BDDE-9FB90E24C01E}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Context Manager Process Extension (cmpe) - LightComm - C:\WINDOWS\system32\cmpe.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\arquivos de programas\arquivos comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

--
End of file - 11711 bytes
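Triage of a log like the one above is mostly a matter of pulling the handful of entries worth a second look out of a few hundred lines. The following is an added example, not code from the thread and not part of HijackThis or ComboFix: it parses O16, O17 and O23 entries copied verbatim from the log above and reports services with no vendor string or a missing binary, the configured DNS servers (to be checked against what the ISP actually assigns), and ActiveX downloads from hosts outside an allow-list. The allow-list TRUSTED_DPF_HOSTS, the regular expressions and the function names are assumptions made for the example.

```python
import re

# HijackThis entries copied verbatim from the log posted above (a subset of it,
# not a constructed sample); only the lines this triage script looks at are kept.
SAMPLE_LOG = r"""
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6567EB37-AC23-4A19-BDDE-9FB90E24C01E}: NameServer = 200.149.55.142 200.165.132.154
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\arquivos de programas\arquivos comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
"""

# Every HijackThis entry starts with its section tag ("O16", "O23", ...) and " - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O23 bodies: "Service: <display name> - <vendor or 'Unknown owner'> - <path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O16 bodies end in the download URL of the ActiveX control (or a local path).
DPF_URL_RE = re.compile(r"- (?P<url>https?://(?P<host>[^/\s]+)/\S*)$")
# O17 bodies carry the per-interface DNS servers after "NameServer = ".
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")

# Download hosts accepted without review. Assumption for this example: the
# Microsoft hosts that the page's own O16 entries point to.
TRUSTED_DPF_HOSTS = frozenset({"messenger.zone.msn.com", "go.microsoft.com"})


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return (section, reason, detail) for entries that need a human decision.

    Nothing here is a verdict: a service with no vendor string or a missing
    binary is frequently an uninstall leftover, and the O17 servers are only
    suspicious if they differ from what the ISP hands out. The value is in
    reducing the log to the few lines a helper actually has to look up.
    """
    findings = []
    for section, body in entries:
        if section == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("no vendor string")
            if m.group("path").endswith("(file missing)"):
                reasons.append("binary missing on disk")
            if reasons:
                findings.append((section, "; ".join(reasons), m.group("name")))
        elif section == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                findings.append((section, "verify DNS servers with the ISP", m.group("servers")))
        elif section == "O16":
            m = DPF_URL_RE.search(body)
            if m and m.group("host") not in trusted_hosts:
                findings.append((section, "ActiveX control from unreviewed host", m.group("url")))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason} -> {detail}")
```

Run against the sample it lists one O16 entry (the GoPets control), the two O17 DNS servers, and the three services without a vendor string; the O16 entry that points at a local DLL has no URL and is not reported, and the Lavasoft service passes both checks. Extending the allow-list or adding O4 (autorun) handling follows the same pattern.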
PedroN, posted November 2, 2008

I suggest you print or save the procedure below, and do not use the internet until the procedure is finished.

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

File::
C:\WINDOWS\system32\jumpers.exe
C:\WINDOWS\systemq.exe
C:\WINDOWS\system32\wte383.exe
C:\WINDOWS\system32\wbem\.vbe

This script was written only for this computer, according to the files and keys present; do not use it on another computer, as it may cause damage.

Now drag CFScript.txt onto ComboFix as in the demonstration below. ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt. Post it together with a new HijackThis log.