Ir para conteúdo

POWERED BY:

Arquivado

Este tópico foi arquivado e está fechado para novas respostas.

bossnia

[Arquivado] Conta wow hackeada

Recommended Posts

Hackearam a conta do wow e o antivirus encontrou virus na máquina e no pendrive. Formatei a máquina depois de limpar o pen pelo antivirus e agora, com o windows limpo o hijackthis encontrou virus novamente.

 

A máquina está somente com o windows e o virus, preciso dela e não posso usa-la antes de resolver este problema.

 

Lendo o forum vi que existe um software chamado usbfix que gera um log também. Rodei e estou enviando o lod do hijackthis e do usbfix.

 

Mestres, como devo proceder?

 

Segue o log do hijack this:

 

Logfile of HijackThis v1.99.1

Scan saved at 18:12:21, on 20/11/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPStart.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\BisonCam\BisonHK.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\sistray.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\Bibi\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [synTPStart] C:\Arquivos de programas\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [bisonHK] C:\WINDOWS\BisonCam\BisonHK.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

 

 

log do usbfix:

 

 

 

-------------- UsbFix V2.410 ---------------

 

* User : Bibi - BIBIA

* Outils mis a jours le 20/11/2008 par Chiquitine29 et Chimay8

* Recherche effectuée à 18:57:27 le qui 20/11/2008

* Windows Xp - Internet Explorer 7.0.5730.13

 

 

--------------- [ Processus actifs ] ----------------

 

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\userinit.exe

C:\DOCUME~1\Bibi\CONFIG~1\Temp\1.tmp\b2e.exe

C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPStart.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\BisonCam\BisonHK.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\kamsoft.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\sistray.exe

 

--------------- [ Informations lecteurs ] ----------------

 

C: - Unidade de disco fixo

 

E: - Unidade de disco remov¡vel

 

 

+- Contenu de l'autorun : C:\autorun.inf

 

;7a4ok2DCSdpd3307Dps8KA23w60mUerSsHrDOw9d0fwLeJ8kafl0oDae7kLk7srsLkdioDd05KiS4ls

24j

[AutoRun]

;S4lLDwosij32lo1DlLLKedqaL7kK1Oie22k88saaDr8wDakKwXi4qoird9k0l0IsiZoSkKiHnDiKk3D

aAw2d42wK

open=abk.bat

;l4330s42LLaAJas025Lafaa4DsijLswkwok4rCia3lj3OldwdwXwiD4rKSZAd37SAkwk7kes2Kc

shell\open\Command=abk.bat

;kpjlqdAdss0aaZ5jwrKOoSsafAAa43reSrD2lJ01q2q74jJ1raw4e3sw2ii3

shell\open\Default=1

;FDnA071sso329Kd383kjK2K

shell\explore\Command=abk.bat

;52fZl77qJkw5lw5Ja1mkDa3keLwk44drk4iD9Dd32qjs21spkadajlAiaJka4a22wf6dl4kqio0rrKS

3q5lLslk3dAi3i3LOwSdiaqKi4r9KeLl

 

 

+- Contenu de l'autorun : E:\autorun.inf

 

;7a4ok2DCSdpd3307Dps8KA23w60mUerSsHrDOw9d0fwLeJ8kafl0oDae7kLk7srsLkdioDd05KiS4ls

24j

[AutoRun]

;S4lLDwosij32lo1DlLLKedqaL7kK1Oie22k88saaDr8wDakKwXi4qoird9k0l0IsiZoSkKiHnDiKk3D

aAw2d42wK

open=abk.bat

;l4330s42LLaAJas025Lafaa4DsijLswkwok4rCia3lj3OldwdwXwiD4rKSZAd37SAkwk7kes2Kc

shell\open\Command=abk.bat

;kpjlqdAdss0aaZ5jwrKOoSsafAAa43reSrD2lJ01q2q74jJ1raw4e3sw2ii3

shell\open\Default=1

;FDnA071sso329Kd383kjK2K

shell\explore\Command=abk.bat

;52fZl77qJkw5lw5Ja1mkDa3keLwk44drk4iD9Dd32qjs21spkadajlAiaJka4a22wf6dl4kqio0rrKS

3q5lLslk3dAi3i3LOwSdiaqKi4r9KeLl

 

 

--------------- [ Lecteur C ] ----------------

 

C: - Unidade de disco fixo

 

 

+- Listing des fichiers présents :

 

[20/11/2008 00:00][-r-hs----] C:\abk.bat

[20/11/2008 00:00][-r-hs----] C:\AUTOEXEC.BAT

[14/04/2008 09:00][-rahs----] C:\NTDETECT.COM

[19/11/2008 22:51][---hs----] C:\boot.ini

[20/11/2008 18:56][-r-hs----] C:\autorun.inf

[20/11/2008 18:57][--a------] C:\UsbFix.txt

[19/11/2008 22:56][--a------] C:\CONFIG.SYS

[19/11/2008 22:56][--a------] C:\IO.SYS

[19/11/2008 22:56][--a------] C:\MSDOS.SYS

 

--------------- [ Lecteur E ] ----------------

 

E: - Unidade de disco remov¡vel

 

 

+- Listing des fichiers présents :

 

[20/11/2008 00:00][-r-hs----] E:\abk.bat

[20/11/2008 18:56][-r-hs----] E:\autorun.inf

 

--------------- [ Registre / Startup ] ----------------

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

 

CTFMON.EXE=C:\WINDOWS\system32\ctfmon.exe

kamsoft=C:\WINDOWS\system32\kamsoft.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

 

SunJavaUpdateSched="C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"

SiSPower=Rundll32.exe SiSPower.dll,ModeAgent

SynTPStart=C:\Arquivos de programas\Synaptics\SynTP\SynTPStart.exe

SMSERIAL=C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

BisonHK=C:\WINDOWS\BisonCam\BisonHK.exe

RTHDCPL=RTHDCPL.EXE

Alcmtr=ALCMTR.EXE

 

--------------- [ Registre / Mountpoint2 ] ----------------

 

 

-> Recherche négative.

 

--------------- [ Nettoyage des disques ] ----------------

 

Echec de la supression !! - [20/11/2008 00:00] C:\WINDOWS\system32\kamsoft.exe

C:\autorun.inf ~> fichier appelé : "C:\abk.bat" ( présent ! )

Supprimé ! - C:\abk.bat

E:\autorun.inf ~> fichier appelé : "E:\abk.bat" ( présent ! )

Supprimé ! - E:\abk.bat

Supprimé ! - [20/11/2008 18:56][-r-hs----] C:\autorun.inf

Supprimé ! - [20/11/2008 18:56][-r-hs----] E:\autorun.inf

 

--------------- [ Resumé ] ----------------

 

-> /!\ Le resultat doit etre [http://www.virustotal.com/fr/ interprété] par un spécialiste /!\

 

[19/11/2008 22:56][--a------] C:\AUTOEXEC.BAT

[14/04/2008 09:00][-rahs----] C:\NTDETECT.COM

[19/11/2008 22:51][---hs----] C:\boot.ini

 

--------------- ! Fin du rapport ! ----------------

Compartilhar este post


Link para o post
Compartilhar em outros sites

- Faça o download do ComboFix e salve-o na área de trabalho;

 

● Desative temporariamente o seu antivirus para não detectar a ferramenta como vírus;

● Duplo clique no ícone combofix.exe para iniciar o scan;

● Leia o contrato que aparecerá e clique em Sim para continuar;

● Abrirá uma janela do Console de Recuperação, clique em Sim para instalar. Se aparecer outra janela do Console, clique em OK > Sim;

● Aguarde enquanto o ComboFix faz o scan;

● Se ocorrer algum problema durante o scan, reinicie seu computador em Modo de Segurança e repita o procedimento;

Não clique na janela do ComboFix e procure não utilizar o teclado também, para não atrapalhar a varredura da ferramenta;

● Se quiser sair ou parar o ComboFix, tecle N;

● Quando terminar seu micro será reiniciado. Após o reinicio, a ferramenta executará novamente, aguarde;

● Será gerado um log em C:\ComboFix.txt.

 

Cole este log em sua próxima resposta.

Compartilhar este post


Link para o post
Compartilhar em outros sites

Impressionante a sua velocidade de resposta!!!

 

segue o log:

 

ComboFix 08-11-19.08 - Bibi 2008-11-20 20:08:21.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.2575 [GMT -2:00]

Executando de: c:\documents and settings\Bibi\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\gasretyw0.dll

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-10-20 to 2008-11-20 ))))))))))))))))))))))))))))

.

 

2008-11-20 18:54 . 2008-11-20 20:04 <DIR> d-------- c:\arquivos de programas\UsbFix

2008-11-20 18:17 . 2008-11-20 18:17 0 --a------ c:\windows\nsreg.dat

2008-11-20 00:00 . 2008-11-20 00:00 85,504 -r-hs---- c:\windows\system32\gasretyw1.dll

2008-11-19 23:33 . 2008-11-19 23:33 <DIR> d-------- c:\arquivos de programas\AVG

2008-11-19 23:22 . 2008-11-19 23:22 <DIR> d-------- c:\windows\system32\Lang

2008-11-19 23:22 . 2008-11-19 23:22 940,794 --a------ c:\windows\system32\LoopyMusic.wav

2008-11-19 23:22 . 2008-11-19 23:22 146,650 --a------ c:\windows\system32\BuzzingBee.wav

2008-11-19 23:21 . 2008-11-19 23:21 <DIR> d-------- c:\arquivos de programas\Realtek

2008-11-19 23:20 . 2008-11-19 23:20 <DIR> d----c--- c:\windows\system32\DRVSTORE

2008-11-19 23:19 . 2008-11-19 23:20 <DIR> d-------- c:\windows\OPTIONS

2008-11-19 23:19 . 2008-11-19 23:19 <DIR> d-------- c:\arquivos de programas\Motorola

2008-11-19 23:19 . 2007-12-26 00:20 288,000 --a------ c:\windows\system32\drivers\rtl8187B.sys

2008-11-19 23:19 . 2007-12-26 00:20 288,000 --a------ c:\windows\system\rtl8187B.sys

2008-11-19 23:18 . 2008-11-19 23:18 <DIR> d-------- c:\documents and settings\Bibi\Dados de aplicativos\InstallShield

2008-11-19 23:18 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\Synaptics

2008-11-19 23:18 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\sisagp

2008-11-19 23:18 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\REALTEK RTL8187B Wireless LAN Driver

2008-11-19 23:18 . 2008-11-19 23:21 <DIR> d--h----- c:\arquivos de programas\InstallShield Installation Information

2008-11-19 23:17 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\SiS VGA Utilities V3.83

2008-11-19 23:11 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\InstallShield

2008-11-19 23:11 . 2008-11-19 23:18 128,869 --a------ c:\windows\system32\VGAunistlog.ini

2008-11-19 23:08 . 2007-01-19 01:38 983,936 --a------ c:\windows\system32\drivers\smserial.sys

2008-11-19 23:08 . 2007-01-19 01:34 196,608 --a------ c:\windows\system32\sm56co6a.dll

2008-11-19 23:08 . 2008-01-23 00:07 77,968 --a------ c:\windows\system32\drivers\jmcr.sys

2008-11-19 23:08 . 2008-03-03 02:00 43,392 --a------ c:\windows\system32\drivers\SiSGbeXP.sys

2008-11-19 23:07 . 2008-04-13 11:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys

2008-11-19 23:04 . 2008-11-19 23:04 <DIR> d---s---- c:\windows\system32\Microsoft

2008-11-19 23:04 . 2008-11-19 23:04 <DIR> d-------- c:\documents and settings\LocalService\Dados de aplicativos

2008-11-19 23:04 . 2008-11-20 20:08 <DIR> d--h----- c:\documents and settings\LocalService\Configurações locais

2008-11-19 23:04 . 2008-11-19 23:04 <DIR> d--hs---- c:\documents and settings\LocalService

2008-11-19 23:04 . 2008-11-19 22:53 <DIR> d--h----- c:\documents and settings\Bibi\Modelos

2008-11-19 23:04 . 2008-11-19 23:05 <DIR> dr------- c:\documents and settings\Bibi\Meus documentos

2008-11-19 23:04 . 2008-11-19 20:48 <DIR> dr------- c:\documents and settings\Bibi\Menu Iniciar

2008-11-19 23:04 . 2008-11-19 23:05 <DIR> dr------- c:\documents and settings\Bibi\Favoritos

2008-11-19 23:04 . 2008-11-20 18:17 <DIR> dr-h----- c:\documents and settings\Bibi\Dados de aplicativos

2008-11-19 23:04 . 2008-11-20 20:08 <DIR> d--h----- c:\documents and settings\Bibi\Configurações locais

2008-11-19 23:04 . 2008-11-19 20:48 <DIR> d--h----- c:\documents and settings\Bibi\Ambiente de rede

2008-11-19 23:04 . 2008-11-19 20:48 <DIR> d--h----- c:\documents and settings\Bibi\Ambiente de impressão

2008-11-19 23:04 . 2008-11-19 23:04 <DIR> d-------- c:\documents and settings\Bibi

2008-11-19 23:03 . 2008-11-19 23:03 <DIR> d-------- c:\documents and settings\NetworkService\Dados de aplicativos

2008-11-19 23:03 . 2008-11-20 20:08 <DIR> d--h----- c:\documents and settings\NetworkService\Configurações locais

2008-11-19 23:03 . 2008-11-19 23:03 <DIR> d--hs---- c:\documents and settings\NetworkService

2008-11-19 23:03 . 2008-11-19 23:03 8,192 --a------ c:\windows\REGLOCS.OLD

2008-11-19 23:02 . 2008-11-19 22:53 <DIR> d--h----- c:\windows\system32\config\systemprofile\Modelos

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> d-------- c:\windows\system32\config\systemprofile\Meus documentos

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> dr------- c:\windows\system32\config\systemprofile\Menu Iniciar

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> d-------- c:\windows\system32\config\systemprofile\Favoritos

2008-11-19 23:02 . 2008-11-19 22:58 <DIR> dr-h----- c:\windows\system32\config\systemprofile\Dados de aplicativos

2008-11-19 23:02 . 2008-11-20 20:08 <DIR> dr-h----- c:\windows\system32\config\systemprofile\Configurações locais

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> d--h----- c:\windows\system32\config\systemprofile\Ambiente de rede

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> d--h----- c:\windows\system32\config\systemprofile\Ambiente de impressão

2008-11-19 23:01 . 2008-04-14 09:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll

2008-11-19 23:00 . 2008-11-19 23:00 <DIR> d-------- c:\windows\system32\xircom

2008-11-19 23:00 . 2008-11-19 23:00 <DIR> d-------- c:\arquivos de programas\Windows Media Connect 2

2008-11-19 23:00 . 2008-11-19 23:00 <DIR> d-------- c:\arquivos de programas\microsoft frontpage

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-20 01:21 315,392 ----a-w c:\windows\HideWin.exe

2008-11-20 00:59 --------- d-----w c:\arquivos de programas\Java

2008-11-20 00:59 --------- d-----w c:\arquivos de programas\Arquivos comuns\Java

2008-11-20 00:55 --------- d-----w c:\arquivos de programas\Serviços on-line

2008-11-20 00:55 --------- d-----w c:\arquivos de programas\Arquivos comuns\Serviços

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0\bin\jusched.exe" [2008-11-19 77824]

"SynTPStart"="c:\arquivos de programas\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 102400]

"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-19 634880]

"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]

"SiSPower"="SiSPower.dll" [2007-10-03 c:\windows\system32\SiSPower.dll]

"RTHDCPL"="RTHDCPL.EXE" [2008-02-19 c:\windows\RTHDCPL.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" [2008-05-27 c:\windows\system32\advpack.dll]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-19 262144]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-11-19 77968]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2008-11-19 288000]

 

*Newly Created Service* - PROCEXP90

.

.

------- Scan Suplementar -------

.

FireFox -: Profile - c:\documents and settings\Bibi\Dados de aplicativos\Mozilla\Firefox\Profiles\7ym14fgo.default\

FF -: plugin - c:\arquivos de programas\Java\jre1.6.0\bin\npjava11.dll

FF -: plugin - c:\arquivos de programas\Java\jre1.6.0\bin\npjava12.dll

FF -: plugin - c:\arquivos de programas\Java\jre1.6.0\bin\npjava13.dll

FF -: plugin - c:\arquivos de programas\Java\jre1.6.0\bin\npjava14.dll

FF -: plugin - c:\arquivos de programas\Java\jre1.6.0\bin\npjava32.dll

FF -: plugin - c:\arquivos de programas\Java\jre1.6.0\bin\npjpi160.dll

FF -: plugin - c:\arquivos de programas\Java\jre1.6.0\bin\npoji610.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-20 20:09:05

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-11-20 20:09:24

ComboFix-quarantined-files.txt 2008-11-20 22:09:22

 

Pré-execução: 8 pasta(s) 157.530.030.080 bytes disponíveis

Pós execução: 8 pasta(s) 157,627,072,512 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

137

Compartilhar este post


Link para o post
Compartilhar em outros sites

Delete a pasta C:\Qoobox e o arquivo C:\ComboFix.txt. Vá em Adicionar ou Remover Programas e desinstale o software USBFix.

 

Selecione e copie este conteúdo aqui abaixo (começando de File). Cole em seu bloco de notas e salve-o na área de trabalho com o nome de CFScript.txt

 

File::

c:\windows\system32\gasretyw1.dll

Folder::

c:\arquivos de programas\UsbFix

 

Arraste o CFScript para o ComboFix como na imagem aqui abaixo e aguarde a execução automática da ferramenta:

 

CFScript.gif

 

● Se for solicitado à você, pressione Enter para iniciar o processo de remoção;

Não use o mouse nem o teclado quando o ComboFix estiver rodando;

● Quando terminar, será gerado um novo log que estará em C:\ComboFix.txt;

● Seu computador será reiniciado automaticamente;

 

Na sua próxima resposta, cole o ComboFix.txt e um novo log do HijackThis.

Compartilhar este post


Link para o post
Compartilhar em outros sites

seguem logs novos:

 

ComboFix 08-11-19.08 - Bibi 2008-11-21 7:35:42.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.2506 [GMT -2:00]

Executando de: c:\documents and settings\Bibi\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Bibi\Desktop\CFScript.txt

* Criado um novo ponto de restauro

 

FILE ::

c:\windows\system32\gasretyw1.dll

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\arquivos de programas\UsbFix

c:\arquivos de programas\UsbFix\Tools\Ico.ico

c:\arquivos de programas\UsbFix\Tools\Ico2.ico

c:\arquivos de programas\UsbFix\Tools\Kill.exe

c:\arquivos de programas\UsbFix\Tools\nircmd.exe

c:\arquivos de programas\UsbFix\Tools\Proc.exe

c:\arquivos de programas\UsbFix\Tools\swreg.exe

c:\arquivos de programas\UsbFix\Uninstal.exe

c:\arquivos de programas\UsbFix\UsbFix.exe

c:\windows\system32\gasretyw1.dll

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-10-21 to 2008-11-21 ))))))))))))))))))))))))))))

.

 

2008-11-20 18:17 . 2008-11-20 18:17 0 --a------ c:\windows\nsreg.dat

2008-11-19 23:33 . 2008-11-19 23:33 <DIR> d-------- c:\arquivos de programas\AVG

2008-11-19 23:22 . 2008-11-19 23:22 <DIR> d-------- c:\windows\system32\Lang

2008-11-19 23:22 . 2008-11-19 23:22 940,794 --a------ c:\windows\system32\LoopyMusic.wav

2008-11-19 23:22 . 2008-11-19 23:22 146,650 --a------ c:\windows\system32\BuzzingBee.wav

2008-11-19 23:21 . 2008-11-19 23:21 <DIR> d-------- c:\arquivos de programas\Realtek

2008-11-19 23:20 . 2008-11-19 23:20 <DIR> d----c--- c:\windows\system32\DRVSTORE

2008-11-19 23:19 . 2008-11-19 23:20 <DIR> d-------- c:\windows\OPTIONS

2008-11-19 23:19 . 2008-11-19 23:19 <DIR> d-------- c:\arquivos de programas\Motorola

2008-11-19 23:19 . 2007-12-26 00:20 288,000 --a------ c:\windows\system32\drivers\rtl8187B.sys

2008-11-19 23:19 . 2007-12-26 00:20 288,000 --a------ c:\windows\system\rtl8187B.sys

2008-11-19 23:18 . 2008-11-19 23:18 <DIR> d-------- c:\documents and settings\Bibi\Dados de aplicativos\InstallShield

2008-11-19 23:18 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\Synaptics

2008-11-19 23:18 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\sisagp

2008-11-19 23:18 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\REALTEK RTL8187B Wireless LAN Driver

2008-11-19 23:18 . 2008-11-19 23:21 <DIR> d--h----- c:\arquivos de programas\InstallShield Installation Information

2008-11-19 23:17 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\SiS VGA Utilities V3.83

2008-11-19 23:11 . 2008-11-19 23:18 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\InstallShield

2008-11-19 23:11 . 2008-11-19 23:18 128,869 --a------ c:\windows\system32\VGAunistlog.ini

2008-11-19 23:08 . 2007-01-19 01:38 983,936 --a------ c:\windows\system32\drivers\smserial.sys

2008-11-19 23:08 . 2007-01-19 01:34 196,608 --a------ c:\windows\system32\sm56co6a.dll

2008-11-19 23:08 . 2008-01-23 00:07 77,968 --a------ c:\windows\system32\drivers\jmcr.sys

2008-11-19 23:08 . 2008-03-03 02:00 43,392 --a------ c:\windows\system32\drivers\SiSGbeXP.sys

2008-11-19 23:07 . 2008-04-13 11:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys

2008-11-19 23:04 . 2008-11-19 23:04 <DIR> d---s---- c:\windows\system32\Microsoft

2008-11-19 23:04 . 2008-11-19 23:04 <DIR> d-------- c:\documents and settings\LocalService\Dados de aplicativos

2008-11-19 23:04 . 2008-11-20 20:09 <DIR> d--h----- c:\documents and settings\LocalService\Configurações locais

2008-11-19 23:04 . 2008-11-19 23:04 <DIR> d--hs---- c:\documents and settings\LocalService

2008-11-19 23:04 . 2008-11-19 22:53 <DIR> d--h----- c:\documents and settings\Bibi\Modelos

2008-11-19 23:04 . 2008-11-19 23:05 <DIR> dr------- c:\documents and settings\Bibi\Meus documentos

2008-11-19 23:04 . 2008-11-19 20:48 <DIR> dr------- c:\documents and settings\Bibi\Menu Iniciar

2008-11-19 23:04 . 2008-11-19 23:05 <DIR> dr------- c:\documents and settings\Bibi\Favoritos

2008-11-19 23:04 . 2008-11-20 18:17 <DIR> dr-h----- c:\documents and settings\Bibi\Dados de aplicativos

2008-11-19 23:04 . 2008-11-20 20:09 <DIR> d--h----- c:\documents and settings\Bibi\Configurações locais

2008-11-19 23:04 . 2008-11-19 20:48 <DIR> d--h----- c:\documents and settings\Bibi\Ambiente de rede

2008-11-19 23:04 . 2008-11-19 20:48 <DIR> d--h----- c:\documents and settings\Bibi\Ambiente de impressão

2008-11-19 23:04 . 2008-11-19 23:04 <DIR> d-------- c:\documents and settings\Bibi

2008-11-19 23:03 . 2008-11-19 23:03 <DIR> d-------- c:\documents and settings\NetworkService\Dados de aplicativos

2008-11-19 23:03 . 2008-11-20 20:09 <DIR> d--h----- c:\documents and settings\NetworkService\Configurações locais

2008-11-19 23:03 . 2008-11-20 20:09 <DIR> d--hs---- c:\documents and settings\NetworkService

2008-11-19 23:03 . 2008-11-19 23:03 8,192 --a------ c:\windows\REGLOCS.OLD

2008-11-19 23:02 . 2008-11-19 22:53 <DIR> d--h----- c:\windows\system32\config\systemprofile\Modelos

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> d-------- c:\windows\system32\config\systemprofile\Meus documentos

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> dr------- c:\windows\system32\config\systemprofile\Menu Iniciar

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> d-------- c:\windows\system32\config\systemprofile\Favoritos

2008-11-19 23:02 . 2008-11-19 22:58 <DIR> dr-h----- c:\windows\system32\config\systemprofile\Dados de aplicativos

2008-11-19 23:02 . 2008-11-21 07:36 <DIR> dr-h----- c:\windows\system32\config\systemprofile\Configurações locais

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> d--h----- c:\windows\system32\config\systemprofile\Ambiente de rede

2008-11-19 23:02 . 2008-11-19 20:48 <DIR> d--h----- c:\windows\system32\config\systemprofile\Ambiente de impressão

2008-11-19 23:01 . 2008-04-14 09:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll

2008-11-19 23:00 . 2008-11-19 23:00 <DIR> d-------- c:\windows\system32\xircom

2008-11-19 23:00 . 2008-11-19 23:00 <DIR> d-------- c:\arquivos de programas\Windows Media Connect 2

2008-11-19 23:00 . 2008-11-19 23:00 <DIR> d-------- c:\arquivos de programas\microsoft frontpage

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-20 01:21 315,392 ----a-w c:\windows\HideWin.exe

2008-11-20 00:59 --------- d-----w c:\arquivos de programas\Java

2008-11-20 00:59 --------- d-----w c:\arquivos de programas\Arquivos comuns\Java

2008-11-20 00:55 --------- d-----w c:\arquivos de programas\Serviços on-line

2008-11-20 00:55 --------- d-----w c:\arquivos de programas\Arquivos comuns\Serviços

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0\bin\jusched.exe" [2008-11-19 77824]

"SynTPStart"="c:\arquivos de programas\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 102400]

"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-19 634880]

"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]

"SiSPower"="SiSPower.dll" [2007-10-03 c:\windows\system32\SiSPower.dll]

"RTHDCPL"="RTHDCPL.EXE" [2008-02-19 c:\windows\RTHDCPL.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" [2008-05-27 c:\windows\system32\advpack.dll]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-19 262144]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-11-19 77968]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2008-11-19 288000]

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-21 07:37:17

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-11-21 7:37:50 - Máquina reiniciou

ComboFix-quarantined-files.txt 2008-11-21 09:37:47

 

Pré-execução: 8 pasta(s) 157.597.470.720 bytes disponíveis

Pós execução: 8 pasta(s) 157,592,088,576 bytes disponíveis

 

134

 

 

Logfile of HijackThis v1.99.1

Scan saved at 07:39:31, on 21/11/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPStart.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\WINDOWS\BisonCam\BisonHK.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\sistray.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Bibi\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [synTPStart] C:\Arquivos de programas\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [bisonHK] C:\WINDOWS\BisonCam\BisonHK.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

Compartilhar este post


Link para o post
Compartilhar em outros sites

Vá em Iniciar > Executar, digite: combofix /u e tecle Enter. Remova a pasta Qoobox em C:.

 

Os logs estã limpos.

 

Há algum problema com a máquina ainda?

Compartilhar este post


Link para o post
Compartilhar em outros sites

Farei isso a noite em casa (a máquina esta lá) e passarei alguns anti virus pra me certificar.... mas se você diz que está limpo já acredito que sim...

 

 

A questão agora é a maquina do trabalho, que acredito que esteja infectada (o virus veio pelo pendrive não?)

 

Vou colar um log do hijackthis da maquina do trabalho.

 

Logfile of HijackThis v1.99.1

Scan saved at 09:18:35, on 21/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\ARQUIV~1\Borland\INTERB~1\Bin\ibguard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\ARQUIV~1\Borland\INTERB~1\Bin\ibserver.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\ARQUIV~1\WinZip\winzip32.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\HijackThis.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"

O4 - HKLM\..\Run: [cmrss] C:\WINDOWS\system32\cmrss.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Arquivos de programas\Registry Cleaner\RegClean.exe"

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4} (GameDesire Pool Training) - http://67.15.101.3/g_bin/eng/billardt_2_0_0_28.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6} (GameDesire Pool 8UK) - http://67.15.101.3/g_bin/eng/billard8UK_2_0_0_28.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D68877DE-2070-40AD-98FD-737FFD3417C9}: NameServer = 201.10.120.2,201.10.128.3

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Gbp Service (GbpSv) - Banco Unibanco - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\ARQUIV~1\Borland\INTERB~1\Bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\ARQUIV~1\Borland\INTERB~1\Bin\ibserver.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

Compartilhar este post


Link para o post
Compartilhar em outros sites

- Faça o download do BankerFix e salve-o no desktop;

 

● Desabilite o seu antivírus temporariamente para não detectar a ferramenta como vírus;

● Dê um duplo clique em bankerfix.exe;

● Surgirá uma mensagem dizendo que o mesmo será baixado via internet;

● Clique em OK > OK. Tecle Enter e aguarde o término do scan;

● Terminado o scan, leia a mensagem na tela e tecle Enter novamente.

● Será gerado um log em C:\LinhaDefensiva\relatorio.txt.

 

Cole este log em sua próxima resposta.

 

Delete a pasta C:\LinhaDefensiva após colar seu log aqui.

Compartilhar este post


Link para o post
Compartilhar em outros sites

segue o log :

 

BankerFix 3.0 VALKYRIE - Removedor de Bankers

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Data: 2008-11-25 - 13:57

-------------------------------------------------------

Lista de Definição: 2008-10-08-1 | CORE: 2008-09-30-2

=======================================================

 

Arquivo infectado detectado: C:\WINDOWS\system32\simdataconf.dll

Arquivo infectado removido com sucesso!

 

 

 

----- Fim -------------------------

 

 

e agora????

Compartilhar este post


Link para o post
Compartilhar em outros sites

bossnia, desculpe pela demora. Estava sem acesso à Internet na minha cidade.

 

Bom então vamos continuar...

 

Delete a pasta C:\LinhaDefensiva.

 

Peço que por favor, poste um novo log do HijackThis aqui.

Compartilhar este post


Link para o post
Compartilhar em outros sites

segue log:

 

Logfile of HijackThis v1.99.1

Scan saved at 14:06:54, on 2/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\ARQUIV~1\Borland\INTERB~1\Bin\ibguard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\ARQUIV~1\Borland\INTERB~1\Bin\ibserver.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\AutoCAD 2006\acad.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\AdskCleanup.0001

C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\WSCommCntr1.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jucheck.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Arquivos de programas\Registry Cleaner\RegClean.exe"

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4} (GameDesire Pool Training) - http://67.15.101.3/g_bin/eng/billardt_2_0_0_28.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6} (GameDesire Pool 8UK) - http://67.15.101.3/g_bin/eng/billard8UK_2_0_0_28.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D68877DE-2070-40AD-98FD-737FFD3417C9}: NameServer = 201.10.120.2,201.10.128.3

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Gbp Service (GbpSv) - Banco Unibanco - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\ARQUIV~1\Borland\INTERB~1\Bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\ARQUIV~1\Borland\INTERB~1\Bin\ibserver.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

 

 

e ai? to livre?

Compartilhar este post


Link para o post
Compartilhar em outros sites

Execute o HijackThis, clique em Do a system scan only e marque as entradas abaixo no log. Clique no botão Fix Checked.

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

 

- Faça o download do Malwarebytes Anti-Malware e salve-o no desktop;

 

● Dê dois cliques no programa para iniciar a instalação. Selecione o idioma Português (Brasil);

● No meio da instalação, marque as opções "Atualizar Malwarebytes Anti-Malware" e "Executar Malwarebytes Anti-Malware", e clique em Concluir;

● Após a instalação execute o programa;

● Marque a opção Verificação Completa e depois clique em Verificar. Selecione sua unidade C: e clique no botão Iniciar Verificação;

● Quando o scan terminar, clique em OK e o log será automaticamente aberto para você;

● Se algo for detectado, verifique se todos os itens estão marcados e clique no botão Remover;

● O log pode ser consultado clicando em Logs do menu principal também;

 

Copie e cole o conteúdo desse log na sua próxima resposta, juntamente com um novo log do HijackThis.

Compartilhar este post


Link para o post
Compartilhar em outros sites

Log do Malwarebyte:

 

Malwarebytes' Anti-Malware 1.30

Versão do banco de dados: 1454

Windows 5.1.2600 Service Pack 2

 

4/12/2008 13:57:04

mbam-log-2008-12-04 (13-57-04).txt

 

Tipo de Verificação: Completa (C:\|)

Objetos verificados: 136768

Tempo decorrido: 1 hour(s), 12 minute(s), 59 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 1

Valores do Registro infectados: 1

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 2

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uni.gpc (Trojan.Agent) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\Uni.gpc (Trojan.Agent) -> Quarantined and deleted successfully.

 

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

C:\WINDOWS\Downloaded Program Files\Uni.gpc (Trojan.Agent) -> Delete on reboot.

C:\Arquivos de programas\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

 

 

 

 

do HijackThis:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 14:14:42, on 4/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\ARQUIV~1\Borland\INTERB~1\Bin\ibguard.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\ARQUIV~1\Borland\INTERB~1\Bin\ibserver.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\AutoCAD 2006\acad.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\AdskCleanup.0001

C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\WSCommCntr1.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jucheck.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

 

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Arquivos de programas\Registry Cleaner\RegClean.exe"

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4} (GameDesire Pool Training) - http://67.15.101.3/g_bin/eng/billardt_2_0_0_28.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6} (GameDesire Pool 8UK) - http://67.15.101.3/g_bin/eng/billard8UK_2_0_0_28.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D68877DE-2070-40AD-98FD-737FFD3417C9}: NameServer = 201.10.120.2,201.10.128.3

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Gbp Service (GbpSv) - Banco Unibanco - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\ARQUIV~1\Borland\INTERB~1\Bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\ARQUIV~1\Borland\INTERB~1\Bin\ibserver.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

 

e agora?

Compartilhar este post


Link para o post
Compartilhar em outros sites

- Faça o download do ComboFix e salve-o na área de trabalho;

 

● Desative temporariamente o seu antivirus para não detectar a ferramenta como vírus;

● Duplo clique no ícone combofix.exe para iniciar o scan;

● Leia o contrato que aparecerá e clique em Sim para continuar;

● Abrirá uma janela do Console de Recuperação, clique em Sim para instalar. Se aparecer outra janela do Console, clique em OK > Sim;

● Aguarde enquanto o ComboFix faz o scan;

● Se ocorrer algum problema durante o scan, reinicie seu computador em Modo de Segurança e repita o procedimento;

Não clique na janela do ComboFix e procure não utilizar o teclado também, para não atrapalhar a varredura da ferramenta;

● Se quiser sair ou parar o ComboFix, tecle N;

● Quando terminar seu micro será reiniciado. Após o reinicio, a ferramenta executará novamente, aguarde;

● Será gerado um log em C:\ComboFix.txt.

 

Cole este log em sua próxima resposta.

Compartilhar este post


Link para o post
Compartilhar em outros sites

log do Combofix:

 

ComboFix 08-12-07.04 - Administrador 2008-12-09 10:34:17.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.671 [GMT -2:00]

Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\IE4 Error Log.txt

c:\windows\system32\cfx32.ocx

c:\windows\system32\shellexec

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_GBPSV

-------\Service_GbpSv

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2008-11-09 to 2008-12-09 ))))))))))))))))))))))))))))

.

 

2008-12-03 11:24 . 2008-12-03 11:24 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2008-12-03 11:24 . 2008-12-03 11:24 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes

2008-12-03 11:24 . 2008-12-03 11:24 <DIR> d-------- c:\arquivos de programas\Malwarebytes' Anti-Malware

2008-12-03 11:24 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-03 11:24 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-21 11:19 --------- d-----w c:\documents and settings\Administrador\Dados de aplicativos\AVG7

2008-10-29 10:00 --------- d-----w c:\documents and settings\LocalService\Dados de aplicativos\AVG7

2008-10-28 10:40 --------- d-----w c:\arquivos de programas\Google

2008-10-28 09:22 --------- d-----w c:\arquivos de programas\Java

2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-02-13 16:20 32 ----a-w c:\documents and settings\All Users\Dados de aplicativos\ezsid.dat

2007-04-13 17:58 48,776 ----a-w c:\documents and settings\Administrador\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2004-03-19 13:32 8,628 ---ha-w c:\arquivos de programas\HNRHELP.GID

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-24 68856]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Smapp"="c:\arquivos de programas\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]

"Ink Monitor"="c:\arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe" [2002-08-05 258116]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AVG7_CC"="c:\arquiv~1\Grisoft\AVG7\avgcc.exe" [2008-10-21 590848]

"EPSON Stylus C43 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE" [2002-12-25 75776]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"nwiz"="nwiz.exe" [2003-10-06 c:\windows\system32\nwiz.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

"AVG7_Run"="c:\arquiv~1\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

AutoCAD Startup Accelerator.lnk - c:\arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe [2005-03-05 10872]

Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\windows\Downloaded Program Files\gbiehuni.dll" [2007-01-12 222376]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Documents and Settings\\Administrador\\Dados de aplicativos\\SopCast\\adv\\SopAdver.exe"=

"c:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe"=

"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"=

"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe"=

"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgemc.exe"=

"c:\\Arquivos de programas\\Shareaza\\Shareaza.exe"=

 

S GbpSv;GbpSv; []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa594916-cfee-11dc-92f1-000ea637564e}]

\Shell\Auto\command - MicrosoftPowerPoint.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.

- - - - ORFÃOS REMOVIDOS - - - -

 

HKCU-Run-Registry Cleaner - c:\arquivos de programas\Registry Cleaner\RegClean.exe

Notify-WgaLogon - (no file)

 

 

.

------- Scan Suplementar -------

.

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000

TCP: {D68877DE-2070-40AD-98FD-737FFD3417C9} = 201.10.120.2,201.10.128.3

 

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

 

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

 

c:\windows\Downloaded Program Files\gbpdist.dll - O16 -: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}

hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab

c:\windows\Downloaded Program Files\GbpDist.inf

 

c:\windows\Downloaded Program Files\Uni.gpc - c:\windows\Downloaded Program Files\gbiehuni.dll

O16 -: {E37CB5F0-51F5-4395-A808-5FA49E399008}

hxxps://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab

c:\windows\Downloaded Program Files\GbPluginuni.inf

 

c:\windows\Downloaded Program Files\BillardT.dll - O16 -: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4}

hxxp://67.15.101.3/g_bin/eng/billardt_2_0_0_28.cab

c:\windows\Downloaded Program Files\BillardT.inf

 

c:\windows\Downloaded Program Files\Billard8UK.dll - O16 -: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C6}

hxxp://67.15.101.3/g_bin/eng/billard8UK_2_0_0_28.cab

c:\windows\Downloaded Program Files\Billard8UK.inf

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-09 10:39:16

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(628)

c:\windows\Downloaded Program Files\gbiehuni.dll

c:\windows\Downloaded Program Files\gbieh.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquiv~1\Grisoft\AVG7\avgamsvr.exe

c:\arquiv~1\Grisoft\AVG7\avgupsvc.exe

c:\arquiv~1\Grisoft\AVG7\avgemc.exe

c:\arquiv~1\Borland\INTERB~1\Bin\ibguard.exe

c:\windows\system32\nvsvc32.exe

c:\arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

c:\arquiv~1\Borland\INTERB~1\Bin\ibserver.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-12-09 10:42:25 - Máquina reiniciou [Administrador]

ComboFix-quarantined-files.txt 2008-12-09 12:41:56

 

Pré-execução: 18 pasta(s) 15,606,448,128 bytes disponíveis

Pós execução: 18 pasta(s) 15,893,704,704 bytes disponíveis

 

139 --- E O F --- 2008-11-17 10:32:17

 

e agora?

Compartilhar este post


Link para o post
Compartilhar em outros sites

Selecione e copie o texto abaixo dentro do quote. Cole-o dentro do bloco de notas e salve no desktop como CFScript.txt

 

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa594916-cfee-11dc-92f1-000ea637564e}]

 

Arraste o CFScript para o ComboFix como na imagem aqui abaixo e aguarde a execução automática da ferramenta:

 

CFScript.gif

 

● Se for solicitado à você, pressione Enter para iniciar o processo de remoção;

Não use o mouse nem o teclado quando o ComboFix estiver rodando;

● Quando terminar, será gerado um novo log que estará em C:\ComboFix.txt;

● Seu computador será reiniciado automaticamente;

 

Na sua próxima resposta, cole o ComboFix.txt e um novo log do HijackThis.

Compartilhar este post


Link para o post
Compartilhar em outros sites

Tópico Arquivado

 

Como o autor não respondeu por mais de 30 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.

Compartilhar este post


Link para o post
Compartilhar em outros sites

×

Informação importante

Ao usar o fórum, você concorda com nossos Termos e condições.