
Archived

This topic has been archived and is closed to new replies.

Scaico

[Archived] Log Analysis


Hey folks who save our lives. All good?

Here's the thing: since I don't use Internet Explorer, I hadn't noticed before... But today I noticed that my computer has some spyware or something of the kind, because when I turned it on I got a message saying "Internet Explorer cannot open page X" (I don't remember the address).

To test it, I decided to open the thing and browse a bit... And it started opening a hundred blank windows. I hit Ctrl-Alt-Del and closed everything. I ran HijackThis and came here to post the log.

I'll wait for your reply.

Big hug!

Log:

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:26:10, on 25/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apache\bin\httpd.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Apache\bin\httpd.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\FlashGet\FlashGet.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Apache\bin\ApacheMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmagr.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
c:\arquivos de programas\arquivos comuns\installshield\updateservice\isuspm.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\agent.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: ssh2 Class - {2e3c3651-b19c-4dd9-a979-901ec3e930af} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Arquivos de programas\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense CEF - {c41a1c0e-ea6c-11d4-b1b8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Arquivos de programas\FlashGet\getflash.dll
O4 - HKLM\..\Run: [\\PPSERVER\EPSON Stylus CX4700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADL.EXE /P37 "\\PPSERVER\EPSON Stylus CX4700 Series" /O6 "USB001" /M "Stylus CX4700"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Arquivos de programas\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Fábio\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Arquivos de programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Arquivos de programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Arquivos de programas\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Arquivos de programas\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O20 - Winlogon Notify:  gbplugincef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O20 - Winlogon Notify:  GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service (adobe lm service) - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Apache\bin\httpd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8475 bytes

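One way to triage a log like the one above mechanically, as an added example (this is not code from the thread or from the HijackThis project): parse the process list and the R0/R1, O20 and O22 lines and flag what a helper looks at first. A process name one edit away from a Windows system binary (here taskmagr.exe next to the real taskmgr.exe), a search assistant pointing at a host that is not on an allowlist, entries whose file no longer exists, and Winlogon Notify hooks, which are a persistence point worth reviewing. The two allowlists and the sample excerpt are constructed for this example; they are not authoritative.

```python
"""Heuristic triage of a HijackThis-style log (added example; constructed input)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative allowlists: assumptions for this example, not an authoritative list.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "taskmgr.exe", "alg.exe",
    "wscntfy.exe", "wdfmgr.exe", "wmiprvse.exe", "userinit.exe", "rundll32.exe",
}
TRUSTED_SEARCH_HOSTS = {
    "www.google.com", "google.com", "search.msn.com", "search.live.com",
    "www.microsoft.com",
}

# Constructed excerpt in HijackThis format that mirrors the kind of entries seen
# in the thread's log; not a live capture.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmagr.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O20 - Winlogon Notify: gbplugincef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - (no file)
"""


@dataclass
class Finding:
    severity: str   # "high" (act on it) or "review" (needs a human look)
    category: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one row of the DP table is kept at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(basename: str) -> Optional[str]:
    """Return the system binary this name imitates (distance 1), or None."""
    name = basename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if edit_distance(name, known) == 1:
            return known
    return None


_URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            known = lookalike_of(line.rsplit("\\", 1)[-1])
            if known:
                findings.append(Finding("high", f"lookalike-process (resembles {known})", line))
            continue
        if line.startswith(("R0 -", "R1 -")):
            m = _URL_RE.search(line)
            if m and m.group(1).lower() not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding("high", "browser-search-hijack", line))
            continue
        if line.endswith("(no file)"):
            findings.append(Finding("review", "orphaned-entry", line))
            continue
        if line.startswith("O20 -"):
            findings.append(Finding("review", "winlogon-notify-persistence", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.category}: {f.line}")
```

On the constructed excerpt this reports four findings: the lookalike process, the search hijack (the same value MBAM later classified as Hijack.Search in this thread), the orphaned O22 entry, and the O20 hook for review. The distance-1 rule is deliberately narrow; widening it to 2 catches more imitations but starts matching legitimate short names against each other, so keep the allowlist small and review the hits by hand.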

• Download: < ComboFix.exe >

• Save it to the Desktop!

Disable the resident protection of: antivirus, antispyware and firewall. (Except the Windows one!)

Close all windows and run the tool!

• At the prompt: "Disclaimer of software warranty" --> Click Yes!

• If you do not have the "Recovery Console", accept the offer to install it!

<!> If you get the notification: Invalid Win32 application, delete the tool and download it again.

-- Save it to the desktop, renamed as: Kombo.exe

-- PS: Name it while saving, not after saving it!

-- PS: If any error message appears, run ComboFix.exe in Safe Mode.

-- PS: To complete the removals, the tool may need to restart the computer. <-- Wait!

-- PS: Avoid running this tool on your own initiative! Follow all the recommendations proposed above.

• The Auto Scan window will open. --> Wait!

• In order to complete the removals, ComboFix may restart the computer.

• If necessary, type the option to continue! --> ( 1 ) --> Press Enter.

Wait for it to finish!

During the scan, avoid touching the mouse or keyboard! <-- Important!

• To stop or exit ComboFix, press "N" --> Enter.

----------------------

• When it finishes, post the reports: C:\ComboFix.txt + an updated HijackThis log.


I can't use ComboFix.

First, it doesn't work with the name ComboFix.

I change the name to Kombo and it says Virus Ranger is in use, but I uninstalled that program MONTHS ago.

I tell it to run anyway and it says it can't run with that name, and tells me to use another one. I tried Combo and got the same problem.

Isn't there some other way to fix this?

[]s


Try running ComboFix again, but this time in Safe Mode;


With WINDOWS in Safe Mode, or the FILE in safe mode?

If it's with WINDOWS in Safe Mode, I get the same problem. :(


• Go to this link and download: < Malwarebytes >

Update the program!

• Choose the Quick scan!

Disable protection programs when running Malwarebytes.

• Send the detected items to quarantine by clicking Remove items.

• For more details: < Link >

-----------------------

• Post the reports: mbam-log-2008-xx-xx (00-00-00).txt + an updated HijackThis log.


OK, here we go:

mbam-log-2009-03-02 (09-20-07).txt:

Malwarebytes' Anti-Malware 1.34
Versão do banco de dados: 1749
Windows 5.1.2600 Service Pack 2

2/3/2009 09:20:07
mbam-log-2009-03-02 (09-20-07).txt

Tipo de Verificação: Rápida
Objetos verificados: 68646
Tempo decorrido: 5 minute(s), 41 second(s)

Processos da Memória infectados: 1
Módulos de Memória Infectados: 1
Chaves do Registro infectadas: 11
Valores do Registro infectados: 3
Ítens do Registro infectados: 5
Pastas infectadas: 1
Arquivos infectados: 15

Processos da Memória infectados:
C:\WINDOWS\system32\taskmagr.exe (Trojan.Agent) -> Unloaded process successfully.

Módulos de Memória Infectados:
C:\Arquivos de programas\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Delete on reboot.

Chaves do Registro infectadas:
HKEY_CLASSES_ROOT\CLSID\{427b1fd8-2123-4334-a7d8-7a497363914b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> Quarantined and deleted successfully.

Valores do Registro infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.

Ítens do Registro infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Pastas infectadas:
C:\WINDOWS\system32\158117 (Trojan.BHO) -> Quarantined and deleted successfully.

Arquivos infectados:
C:\WINDOWS\system32\TDSSbrsr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\fnhoje (Rootkit.Rustock) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\scpsssh2.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taskmagr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Arquivos de programas\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Delete on reboot.
C:\Arquivos de programas\GbPlugin\gbiehcef.dll (Trojan.BHO) -> Delete on reboot.

 

and the new HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:21:36, on 2/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\FlashGet\FlashGet.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Microsoft Office\OFFICE11\OUTLOOK.EXE
c:\arquivos de programas\arquivos comuns\installshield\updateservice\isuspm.exe
C:\Arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\agent.exe
C:\Apache\bin\ApacheMonitor.exe
C:\Apache\bin\httpd.exe
C:\Apache\bin\httpd.exe
C:\Arquivos de programas\Malwarebytes' Anti-Malware\bam.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: ssh2 Class - {2e3c3651-b19c-4dd9-a979-901ec3e930af} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Arquivos de programas\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Arquivos de programas\FlashGet\getflash.dll
O4 - HKLM\..\Run: [\\PPSERVER\EPSON Stylus CX4700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADL.EXE /P37 "\\PPSERVER\EPSON Stylus CX4700 Series" /O6 "USB001" /M "Stylus CX4700"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Arquivos de programas\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\bam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Fábio\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Arquivos de programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Arquivos de programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Arquivos de programas\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Arquivos de programas\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O20 - Winlogon Notify:  gbplugincef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O20 - Winlogon Notify:  GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service (adobe lm service) - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Apache\bin\httpd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8546 bytes

 

I hope everything is OK...

Man, 26 files sent to quarantine... I didn't know I was that infected. :(


I restarted the computer and ran a new scan with Malwarebytes:

Malwarebytes' Anti-Malware 1.34
Versão do banco de dados: 1749
Windows 5.1.2600 Service Pack 2

2/3/2009 10:04:07
mbam-log-2009-03-02 (10-04-07).txt

Tipo de Verificação: Rápida
Objetos verificados: 68312
Tempo decorrido: 4 minute(s), 39 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 0
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 2

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
C:\Documents and Settings\Fábio\Configurações locais\Temp\TDSSb207.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fábio\Configurações locais\Temp\TDSSb217.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

The computer even booted faster already...

:)


Now try running the ComboFix program


Yesss, now ComboFix worked.

Here's the log:

ComboFix 09-03-03.01 - Fábio 2009-03-04  8:59:05.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1046.18.991.607 [GMT -3:00]
Executando de: c:\documents and settings\Fábio\Desktop\ComboFix.exe
AV: VirusRanger 3.2 *On-access scanning enabled* (Outdated)
 * Criado um novo ponto de restauro
ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
(((((((((((((((((((((((((((((((((((((   Outras Exclusões   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Fábio\Dados de aplicativos\inst.exe
c:\documents and settings\Fábio\Dados de aplicativos\unins000.exe
c:\documents and settings\Fábio\err.log
c:\documents and settings\Fábio\ResErrors.log
c:\windows\system32\bgpbmhyy.ini
.
----  -------
.
c:\windows\system32\msporc.dll
c:\windows\system32\SkypeComm.dll
c:\windows\system32\stera.log
c:\windows\system32\TDSSosvd.dat
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Serviços   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GBPSV
-------\Legacy_TDSSSERV.SYS
-------\Service_fnhoje
-------\Service_GbpSv
-------\Service_TDSSserv.sys

((((((((((((((((   Arquivos/Ficheiros criados de 2009-02-04 to 2009-03-04  ))))))))))))))))))))))))))))
.
2009-03-03 15:11 . 2009-03-03 15:31	<DIR>	d--------	c:\arquivos de programas\ScrnShotsDesktop
2009-03-02 09:12 . 2009-03-02 09:12	<DIR>	d--------	c:\documents and settings\Fábio\Dados de aplicativos\Malwarebytes
2009-03-02 09:12 . 2009-03-02 09:12	<DIR>	d--------	c:\documents and settings\Fábio\Dados de aplicativos\Malwarebytes
2009-03-02 09:12 . 2009-03-02 09:12	<DIR>	d--------	c:\documents and settings\Fábio\Dados de aplicativos\Malwarebytes
2009-03-02 09:10 . 2009-03-02 09:10	<DIR>	d--------	c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2009-03-02 09:10 . 2009-03-02 09:12	<DIR>	d--------	c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-03-02 09:10 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 09:10 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-02-19 10:26 . 2009-02-19 10:26	<DIR>	d--------	c:\documents and settings\Fábio\Dados de aplicativos\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2009-02-19 10:26 . 2009-02-19 10:26	<DIR>	d--------	c:\documents and settings\Fábio\Dados de aplicativos\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2009-02-19 10:26 . 2009-02-19 10:26	<DIR>	d--------	c:\documents and settings\Fábio\Dados de aplicativos\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2009-02-13 12:22 . 2009-02-13 12:22	<DIR>	d--------	c:\documents and settings\All Users\Dados de aplicativos\Apple
2009-02-13 12:22 . 2009-02-13 12:22	<DIR>	d--------	c:\arquivos de programas\Safari
2009-02-13 12:22 . 2009-02-13 12:22	<DIR>	d--------	c:\arquivos de programas\Apple Software Update
2009-02-05 09:24 . 2009-02-05 09:24	<DIR>	d--------	c:\documents and settings\Fábio\Dados de aplicativos\TourDeFlex.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-05 09:24 . 2009-02-05 09:24	<DIR>	d--------	c:\documents and settings\Fábio\Dados de aplicativos\TourDeFlex.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-05 09:24 . 2009-02-05 09:24	<DIR>	d--------	c:\documents and settings\Fábio\Dados de aplicativos\TourDeFlex.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-05 09:24 . 2009-02-17 14:09	41,000	--ah-----	c:\windows\system32\mlfcache.dat
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 12:01	---------	d-----w	c:\arquivos de programas\FlashGet
2009-03-03 20:25	---------	d-----w	c:\documents and settings\Fábio\Dados de aplicativos\FileZilla
2009-03-03 20:25	---------	d-----w	c:\documents and settings\Fábio\Dados de aplicativos\FileZilla
2009-03-03 20:25	---------	d-----w	c:\documents and settings\Fábio\Dados de aplicativos\FileZilla
2009-03-02 14:46	---------	d-----w	c:\arquivos de programas\Arquivos comuns\Adobe
2009-03-02 14:05	---------	d-----w	c:\arquivos de programas\Macromedia
2009-03-02 14:05	---------	d-----w	c:\arquivos de programas\K-Lite Codec Pack
2009-03-02 14:03	---------	d-----w	c:\arquivos de programas\Google
2009-03-02 14:00	---------	d-----w	c:\arquivos de programas\Arquivos comuns\Macromedia
2009-03-02 12:39	---------	d-----w	c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-03-02 12:39	---------	d-----w	c:\arquivos de programas\GbPlugin
2009-02-25 16:43	---------	d-----w	c:\arquivos de programas\FileZilla FTP Client
2009-02-16 20:49	---------	d---a-w	c:\documents and settings\All Users\Dados de aplicativos\TEMP
2009-02-13 15:23	---------	d-----w	c:\documents and settings\Fábio\Dados de aplicativos\Apple Computer
2009-02-13 15:23	---------	d-----w	c:\documents and settings\Fábio\Dados de aplicativos\Apple Computer
2009-02-13 15:23	---------	d-----w	c:\documents and settings\Fábio\Dados de aplicativos\Apple Computer
2009-01-29 12:39	---------	d-----w	c:\arquivos de programas\DCETools
2009-01-06 14:40	---------	d-----w	c:\arquivos de programas\SUPERAntiSpyware
2008-10-09 12:59	47,360	----a-w	c:\documents and settings\Fábio\Dados de aplicativos\pcouffin.sys
2008-10-09 12:59	47,360	----a-w	c:\documents and settings\Fábio\Dados de aplicativos\pcouffin.sys
2008-10-09 12:59	47,360	----a-w	c:\documents and settings\Fábio\Dados de aplicativos\pcouffin.sys
2008-06-19 13:07	10,338	----a-w	c:\documents and settings\Fábio\Dados de aplicativos\unins000.dat
2008-06-19 13:07	10,338	----a-w	c:\documents and settings\Fábio\Dados de aplicativos\unins000.dat
2008-06-19 13:07	10,338	----a-w	c:\documents and settings\Fábio\Dados de aplicativos\unins000.dat
2007-09-05 01:29	16,133,352	----a-w	c:\documents and settings\All Users\avast.exe
2006-05-03 09:06	163,328	--sh--r	c:\windows\system32\flvDX.dll
2007-02-21 10:47	31,232	--sh--r	c:\windows\system32\msfDX.dll
.
------- Sigcheck -------
2004-08-03 23:14  359040  9f4b36614a0fc234525ba224957de55c	c:\windows\system32\dllcache\tcpip.sys
2004-08-03 23:14  359040  6a603809f598332dbedd535bdbce313e	c:\windows\system32\drivers\tcpip.sys
2004-08-04 00:45  57856  56368f0e3929d77c0a3da150192b0f4d	c:\windows\system32\spoolsv.exe
2004-08-04 00:45  57856  3971289fa7072812caf4d053bbc6352b	c:\windows\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   ))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"SUPERAntiSpyware"="c:\arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\PPSERVER\EPSON Stylus CX4700 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADL.EXE" [2005-02-02 98304]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\arquivos de programas\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ISUSPM Startup"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Flashget"="c:\arquivos de programas\FlashGet\FlashGet.exe" [2007-09-25 2007088]
"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2007-02-16 282624]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AdobeCS4ServiceManager"="c:\arquivos de programas\Arquivos comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Acrobat Assistant.lnk - c:\arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-14 113664]
Monitor Apache Servers.lnk - c:\apache\bin\ApacheMonitor.exe [2008-12-09 41042]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\arquivos de programas\GbPlugin\gbiehuni.dll" [2008-01-29 345504]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\arquivos de programas\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginUni]
2008-01-29 16:34 345504 c:\arquivos de programas\GbPlugin\gbiehuni.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lmiinit]
2008-10-16 19:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2003-05-07 05:32 36864 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"GbpSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Arquivos de programas\\FlashGet\\FlashGet.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Arquivos de programas\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6891:TCP"=
6891:TCP:1"1863:TCP"= 1863:TCP:2"1863:UDP"= 1863:UDP:3"5190:UDP"= 5190:UDP:4"6901:UDP"= 6901:UDP:5"6901:TCP"= 6901:TCP:6"6892:TCP"= 6892:TCP:7"6893:TCP"= 6893:TCP:8"6894:TCP"= 6894:TCP:9"6895:TCP"= 6895:TCP:10"6896:TCP"= 6896:TCP:11"6897:TCP"= 6897:TCP:12"6898:TCP"= 6898:TCP:13"6899:TCP"= 6899:TCP:14"6900:TCP"= 6900:TCP:15"5353:TCP"= 5353:TCP:Adobe CSI CS4R1 SASDIFSV;SASDIFSV;c:\arquivos de programas\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]R1 SASKUTIL;SASKUTIL;c:\arquivos de programas\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]R2 Apache2.2;Apache2.2;c:\apache\bin\httpd.exe [2008-12-09 24636]R2 lmirfsdriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-08 47640]R3 SASENUM;SASENUM;c:\arquivos de programas\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]S0 Esuu86;Esuu86; [x]S1 e827f1df;e827f1df;c:\windows\system32\drivers\e827f1df.sys --> c:\windows\system32\drivers\e827f1df.sys [?]S2 lmiinfo;LogMeIn Kernel Information Provider;\??\c:\arquivos de programas\LogMeIn\x86\RaInfo.sys --> c:\arquivos de programas\LogMeIn\x86\RaInfo.sys [?]S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\drivers\w200bus.sys [2007-05-15 61504]S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\drivers\w200mdfl.sys [2007-05-15 9328]S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\drivers\w200mdm.sys [2007-05-15 97056]S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2007-05-15 88560]S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\drivers\w200obex.sys [2007-05-15 86368]S4 lmirfsclientnp;LMIRfsClientNP; [x]UnknownUnknown GbpSv;GbpSv; [x]---  ---*NewlyCreated* - GBPSV[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b7a9ae4-e82a-11db-9ef0-000ea671fc1a}]\Shell\AutoRun\command - RavMon.exe\Shell\explore\Command - RavMon.exe -e\Shell\open\Command - RavMon.exe.Conteúdo da 
pasta 'Tarefas Agendadas'2009-03-03 c:\windows\Tasks\Lembrete.job- c:\documents and settings\F [].- - - - ORFÃOS REMOVIDOS - - - -HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exeHKCU-Run-Google Update - c:\documents and settings\Fábio\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exeHKLM-Run-LogMeIn GUI - c:\arquivos de programas\LogMeIn\x86\LogMeInSystray.exeShellExecuteHooks-{E37CB5F0-51F5-4395-A808-5FA49E399003} - c:\arquivos de programas\GbPlugin\gbiehcef.dllNotify- gbplugincef - c:\arquivos de programas\GbPlugin\gbiehcef.dll.------- Scan Suplementar -------.uStart Page = about:blankuSearch Page = mStart Page = hxxp://www.google.com/igmSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2fuInternet Settings,ProxyOverride = *.localuSearchURL,(Default) = hxxp://www.google.com/keyword/%smSearchAssistant = hxxp://internetsearchservice.comIE: &Download All with FlashGet - c:\arquivos de programas\FlashGet\jc_all.htmIE: &Download with FlashGet - c:\arquivos de programas\FlashGet\jc_link.htmIE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: Sothink SWF Catcher - c:\arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htmDPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} - hxxps://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cabFF - ProfilePath - c:\documents and settings\Fábio\Dados de aplicativos\Mozilla\Firefox\Profiles\ic0egan1.default\FF - prefs.js: browser.search.selectedEngine - Wikipedia (pt)FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig---- FIREFOX POLICIES ----c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 
2009-03-04 09:04:25Windows 5.1.2600 Service Pack 2 NTFSProcurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucessoarquivos/ficheiros ocultos: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GbpSv]@Denied: (A 2 3 6) (LocalSystem)@Denied: (A C D 2 3 6) (S-1-2-0)@Allowed: (B C D 1 4 5) (LocalSystem)@Allowed: (Read) (S-1-2-0)"Type"=dword:00000010"Start"=dword:00000002"ErrorControl"=dword:00000001"ImagePath"=expand:"c:\\ARQUIV~1\\GbPlugin\\GbpSv.exe""DisplayName"="Gbp Service""Group"="GbPlugin Group""ObjectName"="LocalSystem""FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,   00,01,00,00,00,e8,03,00,00"Description"="Service for G-Buster Browser Defense".--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------- - - - - - - > 'winlogon.exe'(632)c:\arquivos de programas\GbPlugin\gbiehuni.dllc:\windows\system32\LMIinit.dll.------------------------ Outros Processos em Execução ------------------------.c:\arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exec:\arquivos de programas\Bonjour\mDNSResponder.exec:\arquivos de programas\Analog Devices\SoundMAX\SMAgent.exec:\windows\system32\wdfmgr.exec:\windows\system32\wscntfy.exec:\arquivos de programas\GbPlugin\gbpsv.exec:\arquivos de programas\Mozilla Firefox\firefox.exec:\arquivos de programas\Microsoft Office\OFFICE11\OUTLOOK.EXEc:\arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXEc:\arquivos de programas\Macromedia\Dreamweaver 8\Dreamweaver.exe.**************************************************************************.Tempo para conclusão: 2009-03-04  9:12:06 - Máquina reiniciou [Fábio]ComboFix-quarantined-files.txt  2009-03-04 12:12:03Pré-execução: 6,237,114,368 bytes disponíveisPós execução: 6,150,516,736 bytes 
disponíveis264


I suggest you print or save the procedures below, and do not use the internet until the procedure is finished.

 

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

 

File::

c:\windows\Tasks\Lembrete.job

Folder::

c:\arquivos de programas\GbPlugin

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b7a9ae4-e82a-11db-9ef0-000ea671fc1a}]

 

This script was prepared only for this computer, according to the files and keys present; do not use it on another computer, as it may cause damage.

 

Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

 

cfscript.gif

 

ComboFix will run and will restart the PC automatically to complete the removal process.

 

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running.

 

When it finishes, a log will be generated at C:\ComboFix.txt.

 

Post it together with the new HijackThis log.
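After the reboot, a quick way to confirm that the items named in the CFScript are really gone is to re-check each target. The PowerShell below is an added example, not part of this thread or of ComboFix; it assumes the script layout shown above (File::, Folder:: and Registry:: headers, one target per line, a [-KEY] line meaning "delete this key") and must run as the user whose HKCU hive the script targets.

```powershell
# Added example, not from the original thread or from ComboFix: re-check the
# targets listed in a CFScript.txt after the ComboFix run and reboot.
# Assumed syntax (taken from the script in this thread): a "File::", "Folder::"
# or "Registry::" header, then one target per line; a registry line written as
# [-HKEY_...] is read here as "delete this key".

function Get-CFScriptTargets {
    param([string[]]$Lines)
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^(File|Folder|Registry)::$') {
            $section = $Matches[1]
            continue
        }
        if (-not $section) { continue }
        if ($section -eq 'Registry') {
            # Only whole-key deletions ([-KEY]) are handled in this example.
            if ($line -match '^\[-(.+)\]$') {
                [pscustomobject]@{ Kind = 'RegistryKey'; Target = $Matches[1] }
            }
        }
        else {
            [pscustomobject]@{ Kind = $section; Target = $line }
        }
    }
}

function ConvertTo-PSRegistryPath {
    param([string]$Key)
    # Map the regedit-style hive name to a built-in PowerShell registry drive.
    $hives = @{
        'HKEY_CURRENT_USER'  = 'HKCU:'
        'HKEY_LOCAL_MACHINE' = 'HKLM:'
    }
    $hive, $rest = $Key -split '\\', 2
    if (-not $hives.ContainsKey($hive)) { throw "Unsupported hive in '$Key'" }
    return "$($hives[$hive])\$rest"
}

function Test-CFScriptCleanup {
    param([string[]]$Lines)
    foreach ($t in (Get-CFScriptTargets -Lines $Lines)) {
        $path = if ($t.Kind -eq 'RegistryKey') { ConvertTo-PSRegistryPath $t.Target } else { $t.Target }
        [pscustomobject]@{
            Kind         = $t.Kind
            Target       = $t.Target
            # -LiteralPath keeps the {GUID} braces from being read as wildcards.
            StillPresent = [bool](Test-Path -LiteralPath $path)
        }
    }
}

# The CFScript from this thread, embedded so the example runs stand-alone.
$cfscript = @'
File::
c:\windows\Tasks\Lembrete.job
Folder::
c:\arquivos de programas\GbPlugin
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b7a9ae4-e82a-11db-9ef0-000ea671fc1a}]
'@ -split "`r?`n"

# Anything reported with StillPresent = True survived the run and needs a second look.
Test-CFScriptCleanup -Lines $cfscript | Format-Table -AutoSize
```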


Here it is...

 

ComboFix:


 

HijackThis:



Using the Internet Explorer browser, go to Kaspersky Online Scanner and run an online scan following the tutorial below.

 

Kaspersky Online Scanner tutorial

 

When the scan is finished, save the report with the .txt extension (as shown at the end of the tutorial) and post it in your next reply.


By my calculations, the scan will take more than 10 hours...

So I'll have to leave it for next week... Leave it scanning on Monday at 18:00 and pick up the result on Tuesday morning...

 

So please don't lock the topic until then. :)


Ok,
