KarlaBH
Posted September 9, 2009

I caught a virus from an infected pen drive; my antivirus detected it but could not delete it. After I rebooted, explorer.exe would not run, not even from the Windows Task Manager. I managed to restore the file, but after that my antivirus was uninstalled, CCleaner included, and I can no longer download any antivirus either. Please help me remove this virus: the executable files show up in the Temp folder, but I delete them and they always come back.

Logfile of HijackThis v1.99.1
Scan saved at 21:45:24, on 8/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\winljhq.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\winmpsvxq.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\w4502f.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\verclsid.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\Rar$EX00.687\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\ARQUIV~1\GbPlugin\gbiehUni.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: GbPluginUni - C:\ARQUIV~1\GbPlugin\gbiehUni.dll
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Arquivos de programas\Java\jre6\bin\jqs.exe" -service -config "C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - C:\Arquivos de programas\TurboFTP\tftpsvc.exe


ComboFix 09-09-06.06 - xp 08/09/2009 21:27.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.569 [GMT -3:00]
Executando de: f:\download programas\ComboFix.exe
ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
ADS - drivers: deleted 208 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AIC32P
-------\Service_aic32p


(((((((((((((((( Arquivos/Ficheiros criados de 2009-08-09 to 2009-09-09 ))))))))))))))))))))))))))))
.
2009-09-08 23:02 . 2009-09-08 23:02 -------- d-----w- C:\LinhaDefensiva
2009-09-07 22:08 . 2009-09-07 22:08 -------- d-----w- c:\arquivos de programas\Marcos Velasco Security
2009-09-07 22:06 . 2009-09-08 22:45 -------- d-----w- c:\arquivos de programas\CCleaner
2009-09-07 21:15 . 2009-09-08 02:01 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-09-07 21:15 . 2009-09-07 21:16 -------- d-----w- c:\arquivos de programas\Spybot - Search & Destroy
2009-09-07 20:13 . 2009-09-07 20:13 -------- d-----w- C:\WUTemp
2009-09-07 15:57 . 2009-09-07 15:57 -------- d-----w- C:\PenClean
2009-09-07 15:43 . 2009-09-07 15:43 -------- d-s---w- c:\documents and settings\Karla Beatriz\UserData
2009-09-07 04:32 . 2009-09-07 04:32 -------- d-----w- c:\documents and settings\Administrador
2009-09-07 04:23 . 2009-09-08 02:35 -------- d--h--w- c:\documents and settings\LocalService.AUTORIDADE NT\Configurações locais
2009-09-07 04:23 . 2009-09-07 04:23 -------- d-sh--w- c:\documents and settings\LocalService.AUTORIDADE NT
2009-09-07 04:23 . 2009-09-07 04:23 -------- d-----w- c:\documents and settings\LocalService.AUTORIDADE NT\Dados de aplicativos
2009-09-07 04:23 . 2009-09-08 02:35 -------- d--h--w- c:\documents and settings\NetworkService.AUTORIDADE NT\Configurações locais
2009-09-07 04:23 . 2009-09-07 04:23 -------- d-sh--w- c:\documents and settings\NetworkService.AUTORIDADE NT
2009-09-07 04:23 . 2009-09-07 04:23 -------- d-----w- c:\documents and settings\NetworkService.AUTORIDADE NT\Dados de aplicativos
2009-09-07 04:16 . 2008-04-14 02:21 3558912 -c--a-w- c:\windows\system32\dllcache\moviemk.exe
2009-09-07 04:15 . 2008-04-14 02:21 24576 -c--a-w- c:\windows\system32\dllcache\icwrmind.exe
2009-09-07 01:18 . 1999-03-23 12:12 299520 ----a-w- c:\windows\uninst.exe
2009-09-07 01:18 . 2009-09-07 01:18 -------- d-----w- c:\documents and settings\xp\WINDOWS
2009-08-31 13:14 . 2009-09-08 20:08 96 ---ha-w- c:\windows\system32\HsInfo.dat
2009-08-31 12:29 . 2009-08-31 12:29 -------- d-----w- C:\alaplaya
2009-08-12 13:39 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 00:35 . 2009-06-11 17:47 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2009-09-07 22:34 . 2009-06-04 23:36 -------- d-----w- c:\arquivos de programas\MSN Messenger
2009-09-05 03:30 . 2009-06-11 17:48 -------- d-----w- c:\documents and settings\xp\Dados de aplicativos\TurboFTP
2009-08-30 23:49 . 2009-08-02 22:45 -------- d-----w- c:\arquivos de programas\VDOWNLOADER
2009-08-30 22:18 . 2009-06-10 22:05 -------- d-----w- c:\arquivos de programas\AuditionBR
2009-08-28 23:16 . 2009-07-10 02:16 -------- d-----w- c:\arquivos de programas\Windows Live Safety Center
2009-08-23 15:37 . 2009-06-04 23:34 -------- d-----w- c:\arquivos de programas\Java
2009-08-15 16:09 . 2009-06-06 02:36 -------- d-----w- c:\documents and settings\xp\Dados de aplicativos\DivX
2009-08-11 00:07 . 2009-06-04 23:17 2568 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-07 20:03 . 2009-08-07 20:03 -------- d-----w- c:\documents and settings\xp\Dados de aplicativos\teamspeak2
2009-08-07 20:03 . 2009-08-07 20:02 -------- d-----w- c:\arquivos de programas\Teamspeak2_RC2
2009-08-05 13:35 . 2009-07-04 17:15 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-08-05 09:00 . 2004-08-04 03:45 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 02:34 . 2009-06-06 00:06 -------- d-----w- c:\documents and settings\xp\Dados de aplicativos\Any Video Converter
2009-08-04 02:31 . 2009-06-06 00:06 -------- d-----w- c:\arquivos de programas\Any Video Converter
2009-07-31 14:11 . 2009-07-04 17:27 -------- d-----w- c:\arquivos de programas\GbPlugin
2009-07-25 08:23 . 2009-06-04 23:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-25 02:30 . 2009-06-06 00:13 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2009-07-24 21:26 . 2009-06-04 22:55 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-07-17 19:03 . 2004-08-04 03:45 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 02:43 . 2004-08-04 03:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 19:18 . 2001-10-28 15:07 49586 ----a-w- c:\windows\system32\perfc016.dat
2009-07-10 19:18 . 2001-10-28 15:07 347294 ----a-w- c:\windows\system32\perfh016.dat
2009-07-03 16:59 . 2004-08-04 03:45 915456 ------w- c:\windows\system32\wininet.dll
2009-07-01 18:23 . 2009-07-04 17:27 26624 ----a-w- c:\windows\system32\drivers\GbpKm.sys
2009-06-25 08:27 . 2004-08-04 03:45 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:27 . 2004-08-04 03:45 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:27 . 2004-08-04 03:45 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:27 . 2004-08-04 03:45 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:27 . 2004-08-04 03:45 732672 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:27 . 2004-08-04 03:45 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-04 01:59 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:39 . 2004-08-04 03:45 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:39 . 2001-10-28 15:06 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 10:44 . 2004-08-04 03:45 77824 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:44 . 2004-08-04 03:45 81408 ----a-w- c:\windows\system32\tlntsess.exe
.
------- Sigcheck -------
[7] F40BC97996B8E53799EEF1D63996674B [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 4E486ADFE3A0B9ED0EB0639902E9F64F [5.1.2600.5512 (xpsp.080413-2105)] c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 727EE2F1E73ED4C64D20D70AC0AF90BB [5.1.2600.5512 (xpsp.080413-2105)] c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-09-08_02.31.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-09 00:35 . 2009-09-09 00:35 16384 c:\windows\temp\Perflib_Perfdata_350.dat
+ 2004-08-04 03:45 . 2008-04-14 02:21 94720 c:\windows\system32\rundll32.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 72192 c:\windows\system32\dumprep.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 33280 c:\windows\system32\dllcache\rundll32.exe
- 2009-06-04 15:29 . 2008-04-14 02:21 70144 c:\windows\system32\dllcache\notepad.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 70144 c:\windows\system32\dllcache\notepad.exe
+ 2009-06-04 18:36 . 2008-04-14 02:21 20480 c:\windows\system32\dllcache\inetwiz.exe
+ 2009-06-04 18:36 . 2008-04-14 02:21 86016 c:\windows\system32\dllcache\icwconn2.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 10752 c:\windows\system32\dllcache\dumprep.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 400896 c:\windows\system32\zipfldr.dll
+ 2004-08-04 03:45 . 2008-05-08 11:24 217088 c:\windows\system32\wscript.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 202752 c:\windows\system32\taskmgr.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 500736 c:\windows\system32\shimgvw.dll
+ 2004-08-04 03:45 . 2008-04-14 02:21 112640 c:\windows\system32\reg.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 131584 c:\windows\system32\notepad.exe
+ 2009-06-04 18:34 . 2008-04-14 02:21 407040 c:\windows\system32\mspaint.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 100864 c:\windows\system32\grpconv.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 339456 c:\windows\system32\dllcache\zipfldr.dll
+ 2004-08-04 03:45 . 2008-04-14 02:21 141312 c:\windows\system32\dllcache\taskmgr.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 439296 c:\windows\system32\dllcache\shimgvw.dll
+ 2009-06-04 18:34 . 2008-04-14 02:21 345600 c:\windows\system32\dllcache\mspaint.exe
+ 2009-06-04 18:36 . 2008-04-14 02:21 217600 c:\windows\system32\dllcache\icwconn1.exe
+ 2009-09-08 22:03 . 2009-09-08 22:03 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2004-08-04 03:45 . 2008-04-14 02:20 462336 c:\windows\system32\cmd.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 76800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\arquiv~1\GbPlugin\gbiehUni.dll" [2009-07-02 297376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GbPluginUni]
2009-07-02 18:37 297376 ----a-w- c:\arquiv~1\GbPlugin\gbiehUni.dll

A chave SafeBoot necessita de ser reparada.
Esta máquina não pode entrar em Modo de Segurança.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Arquivos de programas\\WinRAR\\WinRAR.exe"=
"c:\\Arquivos de programas\\Arquivos comuns\\Real\\Update_OB\\realsched.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"f:\\Download Programas\\setuppor.exe"=
"f:\\Download Programas\\ccsetup223.exe"=
"c:\\WINDOWS\\system32\\CF3337.exe"=
"c:\\DOCUME~1\\xp\\CONFIG~1\\Temp\\winljhq.exe"=

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [4/7/2009 14:27 26624]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [4/7/2009 14:27 53120]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 fxzqjicm;System Shell;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 00:45 14336]
S2 sophe;Image System;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 00:45 14336]
S2 TBFTPSyncService;TurboFTP Sync Service;c:\arquivos de programas\TurboFTP\tftpsvc.exe [7/6/2009 23:56 1384448]
S3 XDva268;XDva268; [x]
S4 AYDOPAPEQL;AYDOPAPEQL;c:\docume~1\xp\CONFIG~1\Temp\AYDOPAPEQL.exe --> c:\docume~1\xp\CONFIG~1\Temp\AYDOPAPEQL.exe [?]

--- =Outros Serviços/Drivers Na Memória ---

*NewlyCreated* - AIC32P

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sophe
fxzqjicm

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-09-08 c:\windows\Tasks\User_Feed_Synchronization-{D6C5AD8E-F9D3-463D-BBCB-BEEA5A96F530}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 07:31]
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\xp\Dados de aplicativos\Mozilla\Firefox\Profiles\hes6u1rs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.brogui.com/
FF - prefs.js: keyword.URL - hxxp://mystart.hiyo.com/?loc=ff_address&search=
FF - plugin: c:\arquivos de programas\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 21:35
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\arquiv~1\GbPlugin\gbiehUni.dll

- - - - - - - > 'explorer.exe'(220)
c:\windows\system32\WININET.dll
c:\arquivos de programas\Windows Media Player\wmpband.dll
c:\arquiv~1\GbPlugin\gbiehUni.dll
c:\windows\system32\webcheck.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\documents and settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\arquivos de programas\CyberLink\Shared Files\RichVideo.exe
c:\docume~1\xp\CONFIG~1\temp\winljhq.exe
c:\docume~1\xp\CONFIG~1\temp\winmpsvxq.exe
c:\docume~1\xp\CONFIG~1\temp\w4502f.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-09-09 21:39 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-09-09 00:39
ComboFix2.txt 2009-09-08 02:35

Pré-execução: 10 pasta(s) 112.359.776.256 bytes disponíveis
Pós execução: 10 pasta(s) 112.352.022.528 bytes disponíveis

237 --- E O F --- 2009-09-07 21:28
PedroN
Posted September 9, 2009

Download SafeBootKeyRepair.exe and run it.

I suggest you print or save the steps below, and do not use the internet until the procedure is finished.

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x0)

NetSvc::
"sophe"
"fxzqjicm"

Driver::
"sophe"
"fxzqjicm"

This script was written only for this computer, according to the files and keys present; do not use it on another computer, as it may cause damage.

Now drag CFScript.txt onto ComboFix as shown in the demonstration below. ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt. Post it together with the new HijackThis log.
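The indicators PedroN's script acts on (the two services with random names hiding in the netsvcs svchost group, the Security Center overrides, the disabled firewall) and the Temp-directory executables in KarlaBH's first log can be pulled out of such logs mechanically. The Python script below is an added example written for this page; it is not code from the thread, from HijackThis or from ComboFix. It runs over constructed sample excerpts modelled on the lines posted above and reports every indicator together with the line that triggered it. One assumption is built in: that ComboFix's R*/S* service listing omits stock Microsoft services, so any listed service whose image is a shared svchost group is worth a second look.

```python
"""Triage helper for HijackThis/ComboFix-style logs (added example, not from the thread).

Flags the indicators the helper acted on: executables living in a Temp directory,
services that hide inside a shared svchost group, services whose image file is
missing, Security Center overrides and a disabled Windows Firewall.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (indicator, offending log line)

# A "\Temp\" path component; also matches inside the doubled backslashes of .reg output.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# ComboFix service line: "<start type> <name>;<display name>;<image path and details>"
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
# Image hosted by a shared svchost group (the "-k netsvcs" pattern seen in the thread).
SVCHOST_GROUP = re.compile(r"svchost\.exe\s+-k\s+\S+", re.IGNORECASE)
# ComboFix marks a registered service whose file is gone with [x] or [?].
MISSING_IMAGE = re.compile(r"\[[x?]\]")
# Security Center told to ignore a missing AV/firewall, and the firewall switched off.
SC_OVERRIDE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"\s*=\s*dword:0*1$')
FW_DISABLED = re.compile(r'^"EnableFirewall"\s*=\s*0\b')

# Constructed sample: excerpts modelled on the HijackThis and ComboFix logs in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\winljhq.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\winmpsvxq.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\Rar$EX00.687\HijackThis.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\DOCUME~1\\xp\\CONFIG~1\\Temp\\winljhq.exe"=
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [4/7/2009 14:27 53120]
S1 aswSP;avast! Self Protection; [x]
S2 fxzqjicm;System Shell;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 00:45 14336]
S2 sophe;Image System;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 00:45 14336]
S4 AYDOPAPEQL;AYDOPAPEQL;c:\docume~1\xp\CONFIG~1\Temp\AYDOPAPEQL.exe --> c:\docume~1\xp\CONFIG~1\Temp\AYDOPAPEQL.exe [?]
"""


def triage(log_text: str) -> List[Finding]:
    """Return every (indicator, line) pair found in the given log text."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = SERVICE_LINE.match(line)
        if svc:
            name, image = svc.group(1), svc.group(3)
            # Assumption (see lead-in): ComboFix's service section omits stock Microsoft
            # services, so a listed service that hides in a svchost group deserves a look.
            if SVCHOST_GROUP.search(image):
                findings.append((f"svchost-hosted non-default service: {name}", line))
            if MISSING_IMAGE.search(image):
                findings.append((f"service with missing image: {name}", line))
        if TEMP_DIR.search(line):
            findings.append(("executable path in a Temp directory", line))
        if SC_OVERRIDE.match(line):
            findings.append(("Security Center monitoring overridden", line))
        if FW_DISABLED.match(line):
            findings.append(("Windows Firewall disabled", line))
    return findings


if __name__ == "__main__":
    for indicator, line in triage(SAMPLE_LOG):
        print(f"{indicator}\n    {line}")
```

Every finding carries the raw line so that a human can judge it: HijackThis itself, which WinRAR extracted into a Temp subfolder, trips the Temp rule exactly like the malware does, and GbPlugin's legitimately registered service passes both service rules. The output is a shortlist for the helper to confirm, not a verdict.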
KarlaBH
Posted September 10, 2009

Thank you very much for the help, PedroN... I was already desperate! hehe. I followed exactly the steps you asked me to... I think it didn't completely remove the viruses, but it already helped; the Windows security alert appeared saying I don't have any antivirus. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 21:43:22, on 9/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\winapwo.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\verclsid.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\Rar$EX00.484\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\ARQUIV~1\GbPlugin\gbiehUni.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: GbPluginUni - C:\ARQUIV~1\GbPlugin\gbiehUni.dll
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Arquivos de programas\Java\jre6\bin\jqs.exe" -service -config "C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - C:\Arquivos de programas\TurboFTP\tftpsvc.exe


ComboFix 09-09-06.06 - xp 09/09/2009 21:32.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.672 [GMT -3:00]
Executando de: f:\download programas\ComboFix.exe
Comandos utilizados :: c:\documents and settings\xp\Desktop\CFScript.txt
ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
ADS - drivers: deleted 208 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AIC32P
-------\Legacy_FXZQJICM
-------\Legacy_SOPHE
-------\Service_aic32p
-------\Service_fxzqjicm
-------\Service_sophe


(((((((((((((((( Arquivos/Ficheiros criados de 2009-08-10 to 2009-09-10 ))))))))))))))))))))))))))))
.
2009-09-09 00:39 . 2009-09-09 00:39 -------- d-----w- c:\documents and settings\Default User.WINDOWS2\Configurações locais
2009-09-09 00:39 . 2009-09-09 00:39 -------- d-----w- c:\documents and settings\Default User.WINDOWS2
2009-09-08 23:02 . 2009-09-08 23:02 -------- d-----w- C:\LinhaDefensiva
2009-09-07 22:08 . 2009-09-07 22:08 -------- d-----w- c:\arquivos de programas\Marcos Velasco Security
2009-09-07 22:06 . 2009-09-08 22:45 -------- d-----w- c:\arquivos de programas\CCleaner
2009-09-07 21:15 . 2009-09-08 02:01 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-09-07 21:15 . 2009-09-07 21:16 -------- d-----w- c:\arquivos de programas\Spybot - Search & Destroy
2009-09-07 20:13 . 2009-09-07 20:13 -------- d-----w- C:\WUTemp
2009-09-07 15:57 . 2009-09-07 15:57 -------- d-----w- C:\PenClean
2009-09-07 15:43 . 2009-09-07 15:43 -------- d-s---w- c:\documents and settings\Karla Beatriz\UserData
2009-09-07 04:32 . 2009-09-07 04:32 -------- d-----w- c:\documents and settings\Administrador
2009-09-07 04:23 . 2009-09-09 00:39 -------- d--h--w- c:\documents and settings\LocalService.AUTORIDADE NT\Configurações locais
2009-09-07 04:23 . 2009-09-07 04:23 -------- d-sh--w- c:\documents and settings\LocalService.AUTORIDADE NT
2009-09-07 04:23 . 2009-09-07 04:23 -------- d-----w- c:\documents and settings\LocalService.AUTORIDADE NT\Dados de aplicativos
2009-09-07 04:23 . 2009-09-09 00:39 -------- d--h--w- c:\documents and settings\NetworkService.AUTORIDADE NT\Configurações locais
2009-09-07 04:23 . 2009-09-07 04:23 -------- d-sh--w- c:\documents and settings\NetworkService.AUTORIDADE NT
2009-09-07 04:23 . 2009-09-07 04:23 -------- d-----w- c:\documents and settings\NetworkService.AUTORIDADE NT\Dados de aplicativos
2009-09-07 04:16 . 2008-04-14 02:21 3558912 -c--a-w- c:\windows\system32\dllcache\moviemk.exe
2009-09-07 04:15 . 2008-04-14 02:21 24576 -c--a-w- c:\windows\system32\dllcache\icwrmind.exe
2009-09-07 01:18 . 1999-03-23 12:12 299520 ----a-w- c:\windows\uninst.exe
2009-09-07 01:18 . 2009-09-07 01:18 -------- d-----w- c:\documents and settings\xp\WINDOWS
2009-08-31 13:14 . 2009-09-08 20:08 96 ---ha-w- c:\windows\system32\HsInfo.dat
2009-08-31 12:29 . 2009-08-31 12:29 -------- d-----w- C:\alaplaya
2009-08-12 13:39 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 00:38 . 2009-06-11 17:47 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2009-09-07 22:34 . 2009-06-04 23:36 -------- d-----w- c:\arquivos de programas\MSN Messenger
2009-09-05 03:30 . 2009-06-11 17:48 -------- d-----w- c:\documents and settings\xp\Dados de aplicativos\TurboFTP
2009-08-30 23:49 . 2009-08-02 22:45 -------- d-----w- c:\arquivos de programas\VDOWNLOADER
2009-08-30 22:18 . 2009-06-10 22:05 -------- d-----w- c:\arquivos de programas\AuditionBR
2009-08-28 23:16 . 2009-07-10 02:16 -------- d-----w- c:\arquivos de programas\Windows Live Safety Center
2009-08-23 15:37 . 2009-06-04 23:34 -------- d-----w- c:\arquivos de programas\Java
2009-08-15 16:09 . 2009-06-06 02:36 -------- d-----w- c:\documents and settings\xp\Dados de aplicativos\DivX
2009-08-11 00:07 . 2009-06-04 23:17 2568 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-07 20:03 . 2009-08-07 20:03 -------- d-----w- c:\documents and settings\xp\Dados de aplicativos\teamspeak2
2009-08-07 20:03 . 2009-08-07 20:02 -------- d-----w- c:\arquivos de programas\Teamspeak2_RC2
2009-08-05 13:35 . 2009-07-04 17:15 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-08-05 09:00 . 2004-08-04 03:45 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 02:34 . 2009-06-06 00:06 -------- d-----w- c:\documents and settings\xp\Dados de aplicativos\Any Video Converter
2009-08-04 02:31 . 2009-06-06 00:06 -------- d-----w- c:\arquivos de programas\Any Video Converter
2009-07-31 14:11 . 2009-07-04 17:27 -------- d-----w- c:\arquivos de programas\GbPlugin
2009-07-25 08:23 . 2009-06-04 23:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-25 02:30 . 2009-06-06 00:13 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2009-07-24 21:26 . 2009-06-04 22:55 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-07-17 19:03 . 2004-08-04 03:45 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 02:43 . 2004-08-04 03:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 19:18 . 2001-10-28 15:07 49586 ----a-w- c:\windows\system32\perfc016.dat
2009-07-10 19:18 . 2001-10-28 15:07 347294 ----a-w- c:\windows\system32\perfh016.dat
2009-07-03 16:59 . 2004-08-04 03:45 915456 ------w- c:\windows\system32\wininet.dll
2009-07-01 18:23 . 2009-07-04 17:27 26624 ----a-w- c:\windows\system32\drivers\GbpKm.sys
2009-06-25 08:27 . 2004-08-04 03:45 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:27 . 2004-08-04 03:45 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:27 . 2004-08-04 03:45 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:27 . 2004-08-04 03:45 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:27 . 2004-08-04 03:45 732672 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:27 . 2004-08-04 03:45 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-04 01:59 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:39 . 2004-08-04 03:45 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:39 . 2001-10-28 15:06 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 10:44 . 2004-08-04 03:45 77824 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:44 . 2004-08-04 03:45 81408 ----a-w- c:\windows\system32\tlntsess.exe
.
------- Sigcheck -------
[7] F40BC97996B8E53799EEF1D63996674B [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 4E486ADFE3A0B9ED0EB0639902E9F64F [5.1.2600.5512 (xpsp.080413-2105)] c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 727EE2F1E73ED4C64D20D70AC0AF90BB [5.1.2600.5512 (xpsp.080413-2105)] c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-09-08_02.31.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-10 00:38 . 2009-09-10 00:38 16384 c:\windows\temp\Perflib_Perfdata_3f4.dat
+ 2004-08-04 03:45 . 2008-04-14 02:21 94720 c:\windows\system32\rundll32.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 72192 c:\windows\system32\dumprep.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 33280 c:\windows\system32\dllcache\rundll32.exe
- 2009-06-04 15:29 . 2008-04-14 02:21 70144 c:\windows\system32\dllcache\notepad.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 70144 c:\windows\system32\dllcache\notepad.exe
+ 2009-06-04 18:36 . 2008-04-14 02:21 20480 c:\windows\system32\dllcache\inetwiz.exe
+ 2009-06-04 18:36 . 2008-04-14 02:21 86016 c:\windows\system32\dllcache\icwconn2.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 10752 c:\windows\system32\dllcache\dumprep.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 400896 c:\windows\system32\zipfldr.dll
+ 2004-08-04 03:45 . 2008-05-08 11:24 217088 c:\windows\system32\wscript.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 202752 c:\windows\system32\taskmgr.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 500736 c:\windows\system32\shimgvw.dll
+ 2004-08-04 03:45 . 2008-04-14 02:21 112640 c:\windows\system32\reg.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 131584 c:\windows\system32\notepad.exe
+ 2009-06-04 18:34 . 2008-04-14 02:21 407040 c:\windows\system32\mspaint.exe
+ 2004-08-04 03:45 . 2008-04-14 02:21 100864 c:\windows\system32\grpconv.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 339456 c:\windows\system32\dllcache\zipfldr.dll
+ 2004-08-04 03:45 . 2008-04-14 02:21 141312 c:\windows\system32\dllcache\taskmgr.exe
+ 2004-08-04 03:45 . 2008-04-14 02:20 439296 c:\windows\system32\dllcache\shimgvw.dll
+ 2009-06-04 18:34 . 2008-04-14 02:21 345600 c:\windows\system32\dllcache\mspaint.exe
+ 2009-06-04 18:36 . 2008-04-14 02:21 217600 c:\windows\system32\dllcache\icwconn1.exe
+ 2009-09-08 22:03 . 2009-09-08 22:03 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2004-08-04 03:45 . 2008-04-14 02:20 462336 c:\windows\system32\cmd.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 5735792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 76800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\arquiv~1\GbPlugin\gbiehUni.dll" [2009-07-02 297376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GbPluginUni]
2009-07-02 18:37 297376 ----a-w- c:\arquiv~1\GbPlugin\gbiehUni.dll

A chave SafeBoot necessita de ser reparada.
Esta máquina não pode entrar em Modo de Segurança.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Arquivos de programas\\WinRAR\\WinRAR.exe"=
"c:\\Arquivos de programas\\Arquivos comuns\\Real\\Update_OB\\realsched.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"f:\\Download Programas\\setuppor.exe"=
"f:\\Download Programas\\ccsetup223.exe"=
"c:\\Documents and Settings\\xp\\Configurações locais\\Dados de aplicativos\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\DOCUME~1\\xp\\CONFIG~1\\Temp\\winapwo.exe"= R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [4/7/2009 14:27 26624] R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [4/7/2009 14:27 53120] S1 aswSP;avast! Self Protection; [x] S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?] S2 TBFTPSyncService;TurboFTP Sync Service;c:\arquivos de programas\TurboFTP\tftpsvc.exe [7/6/2009 23:56 1384448] S3 XDva268;XDva268; [x] S4 AYDOPAPEQL;AYDOPAPEQL;c:\docume~1\xp\CONFIG~1\Temp\AYDOPAPEQL.exe --> c:\docume~1\xp\CONFIG~1\Temp\AYDOPAPEQL.exe [?] --- =Outros Serviços/Drivers Na Memória --- *NewlyCreated* - AIC32P [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Conteúdo da pasta 'Tarefas Agendadas' 2009-09-09 c:\windows\Tasks\User_Feed_Synchronization-{D6C5AD8E-F9D3-463D-BBCB-BEEA5A96F530}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 07:31] . . ------- Scan Suplementar ------- . 
uStart Page = about:blank mStart Page = about:blank uInternet Connection Wizard,ShellNext = iexplore DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab FF - ProfilePath - c:\documents and settings\xp\Dados de aplicativos\Mozilla\Firefox\Profiles\hes6u1rs.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.brogui.com/ FF - prefs.js: keyword.URL - hxxp://mystart.hiyo.com/?loc=ff_address&search= FF - plugin: c:\arquivos de programas\Unity\WebPlayer\loader\npUnity3D32.dll FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll ---- FIREFOX POLICIES ---- c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-09 21:38 Windows 5.1.2600 Service Pack 3 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** . --------------------- DLLs Carregadas Sob os Processos em Execução --------------------- - - - - - - - > 'winlogon.exe'(668) c:\arquiv~1\GbPlugin\gbiehUni.dll - - - - - - - > 'explorer.exe'(3112) c:\windows\system32\WININET.dll c:\arquivos de programas\Windows Media Player\wmpband.dll c:\arquiv~1\GbPlugin\gbiehUni.dll c:\windows\system32\webcheck.dll . ------------------------ Outros Processos em Execução ------------------------ . 
c:\documents and settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\arquivos de programas\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\xp\CONFIG~1\temp\winapwo.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-09-10 21:42 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-09-10 00:42
ComboFix2.txt 2009-09-09 00:39
ComboFix3.txt 2009-09-08 02:35
Pré-execução: 10 pasta(s) 112.300.249.088 bytes disponíveis
Pós execução: 10 pasta(s) 112.318.853.120 bytes disponíveis
239 --- E O F --- 2009-09-07 21:28

Here is the SafeBoot log too, in case you need it!

Reg export of SafeBoot key after repair:
========================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PEVSystemStart]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\procexp90.Sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PEVSystemStart]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\procexp90.Sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
========================
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PEVSystemStart
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\procexp90.Sys
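As an added example (not code from this thread, nor from ComboFix, HijackThis or any tool named here), the script below automates the first pass a helper makes over logs shaped like the ones above: it flags executables running from a Temp folder, service entries whose binary is missing ([x] or [?]), the Windows Firewall switched off, and firewall exceptions granted to Temp executables. The sample lines embedded in it are constructed to mirror the shapes seen in the post; the regexes, the `triage` function and the finding categories are my own choices, not anything the tools output.

```python
"""Triage helper for HijackThis / ComboFix style logs (added example).

Flags the cheap indicators a forum helper looks at first:
  * a process or service image that lives under a user Temp folder,
  * a service entry whose binary is missing ([x] or [?] at the end),
  * the Windows Firewall being switched off (EnableFirewall = 0),
  * a firewall exception granted to an executable in Temp.
"""
import re

# Constructed sample lines, in the shape of the ComboFix output above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\winljhq.exe
C:\WINDOWS\explorer.exe
"EnableFirewall"= 0 (0x0)
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\DOCUME~1\\xp\\CONFIG~1\\Temp\\winapwo.exe"=
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [4/7/2009 14:27 26624]
S1 aswSP;avast! Self Protection; [x]
S4 AYDOPAPEQL;AYDOPAPEQL;c:\docume~1\xp\CONFIG~1\Temp\AYDOPAPEQL.exe --> c:\docume~1\xp\CONFIG~1\Temp\AYDOPAPEQL.exe [?]
"""

# Temp folders on XP: "...\Local Settings\Temp" (Portuguese locale:
# "Configurações locais"), its 8.3 form "CONFIG~1\Temp", and c:\windows\temp.
# Backslashes are doubled inside .reg-style values, hence \\{1,2}.
TEMP_DIR = re.compile(
    r"(?:config~1|local settings|configurações locais|windows)\\{1,2}temp\\", re.I
)
# ComboFix service line: "<start type> <name>;<display name>;<image and status>"
SERVICE_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')


def triage(log_text):
    """Return a list of (category, line) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FIREWALL_OFF.match(line):
            findings.append(("firewall_disabled", line))
            continue
        svc = SERVICE_LINE.match(line)
        if svc:
            rest = svc.group("rest")
            if rest.endswith("[x]") or rest.endswith("[?]"):
                findings.append(("service_binary_missing", line))
            if TEMP_DIR.search(rest):
                findings.append(("service_in_temp", line))
            continue
        # AuthorizedApplications\List entries look like "<path>"= with no value.
        if line.startswith('"') and line.endswith('"=') and TEMP_DIR.search(line):
            findings.append(("firewall_exception_in_temp", line))
            continue
        # Plain process-list lines: one image path per line.
        if line.lower().endswith(".exe") and TEMP_DIR.search(line):
            findings.append(("process_in_temp", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:28s} {line}")
```

Run against the constructed sample it reports six findings: one process and one firewall exception in Temp, the firewall switched off, two services with a missing binary, and one service whose image is in Temp. The categories are deliberately coarse; a hit means "read this line", not "this is malware", since legitimate installers also run from Temp briefly.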
PedroN, posted September 10, 2009

Hi KarlaBH, it is advisable to have an antivirus on your PC, and I see you have none. A tip for a great free antivirus is Avira AntiVir. Install it on your PC, update it and run a scan, and right after that follow my steps below:

Download Malwarebytes from one of these locations: Link 1 Link 2
-- Save the program to your Desktop
• Double-click the program to run it.
• Update Malwarebytes.
• Choose the Full Scan (be patient, it takes a while)
• Disable your Antivirus and AntiSpyware, usually via a right-click on the system tray icon. They can interfere with running the tool.
• When the scan is complete, click OK, then Show Results to see the log.
• Remember: if anything is detected, click the remove button to remove it. (Important).
• The program's log will open automatically for you.
• Post it in your next reply together with a new HijackThis log.
PS: On heavily infected computers the tool shows an option saying the computer must be restarted. Please do so immediately.
KarlaBH, posted September 10, 2009

Well, my problem is exactly that... installing the antivirus... Avira doesn't even get as far as running the installer, and I tried several... Avast, NOD, AVG, and Kaspersky does install... but the antivirus gets disabled right afterwards... I ran Malwarebytes on my computer... it found a few things... but it made no difference to the machine! Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 22:35:03, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\WinRAR\WinRAR.exe
C:\DOCUME~1\xp\CONFIG~1\Temp\Rar$EX00.546\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\ARQUIV~1\GbPlugin\gbiehUni.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Estatísticas de proteção de tráfego da web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: GbPluginUni - C:\ARQUIV~1\GbPlugin\gbiehUni.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Arquivos de programas\Java\jre6\bin\jqs.exe" -service -config "C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TurboFTP Sync Service (TBFTPSyncService) - TurboSoft,Inc - C:\Arquivos de programas\TurboFTP\tftpsvc.exe
PedroN, posted September 11, 2009

Download the SafeBootKeyRepair.exe tool. If you still cannot get into Safe Mode, try the tool below:
http://forum.hijackthis.de/attachment.php?attachmentid=2272&d=1187631899
• Save it to your Desktop.
• Unzip it, right-click "SafeModeRepair.reg" and choose "Merge"
• Restart the PC and check whether you can get into Safe Mode
Right after that, follow the procedure with the tool below.
• Download: Kaspersky Virus Removal Tool (http://dnl-us6.kaspersky-labs.com/devbuilds/AVPTool/)
• Save it to Program Files and install it right there!
• Restart the computer in Safe Mode! <-- Important!
• Start the scan by clicking "Scan".
• The scan takes a while. Wait!
• If any infections are found, click "disinfect".
• When it finishes, click the Events tab.
• Uncheck the "Show all events" box.
• Click "Save to file".
• Name it and save it to the desktop! <-- Report to post!
• Also post an updated HijackThis log.
Mário Monteiro, posted October 11, 2009

Topic Archived
Since the author has not replied for more than 30 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening.