bartho
Posted November 26, 2009

Hi everyone, I read a topic about how to remove this virus and followed the steps, but it only half worked..
1) The Kaspersky online system scan isn't working...
2) When I try to use KillBox it says "pendingfilerenameoperations registry data has been removed by external process" and it removes neither c:\windows\avg.exe nor its copy in system32\avg.exe.
So I don't know whether I'm free of the virus; actually I'm not, because it's still there in my msconfig.. Can anyone help me? I'm attaching a HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:29:29, on 26/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\userini.exe
C:\Arquivos de programas\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\userini.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Eset\nod32krn.exe
C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Opera\opera.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrador\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://m.busca.uol.com.br/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.the-west.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ig.com.br/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: CUOLSearchHook Object - {1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3} - C:\Arquivos de programas\Arquivos comuns\uol\urlsearch\UOLSearchHook.dll
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: om
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Arquivos de programas\GetRight\xx2gr.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Auxiliar de Conex? do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [process] C:\windows\Avg.exe
O4 - HKLM\..\Run: [] C:\Windows\System32\avg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "L:\ASC3\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GetRight\GRbrowse.htm
O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
O16 - DPF: {F1835D04-7CCF-489E-8184-C08A1F682169} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/pt-BR/filesharingctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BA8E5F3-9077-448C-9AEB-6A7CB0696763}: NameServer = 200.149.55.140 200.165.132.147
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BA8E5F3-9077-448C-9AEB-6A7CB0696763}: NameServer = 200.149.55.140 200.165.132.147
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Arquivos de programas\iEvony\Skype4COM.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
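The O4 lines in a HijackThis log are the autorun entries (Run keys under HKLM and HKCU) that the poster is asking about. As an added example, not part of the original thread and not code from HijackThis or Linha Defensiva, the Python script below parses those lines and flags the traits a malware-removal helper looks for: an empty value name, an executable dropped straight into the Windows root, a well-known system binary name living outside its normal directory, use of the rarely legitimate Policies\Explorer\Run key, and the same file name registered from several places. The sample input is the O4 block copied from the log above; the expected directories in EXPECTED_DIR assume a 32-bit Windows XP install on C:.

```python
import re
from collections import Counter

# Constructed sample input: the O4 (autorun) lines copied from the HijackThis
# log in the post above. Any HijackThis log can be fed in; non-O4 lines are ignored.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [process] C:\windows\Avg.exe
O4 - HKLM\..\Run: [] C:\Windows\System32\avg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
"""

# Shape of an O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]*)\] (.*)$')

# Windows binaries that malware commonly names itself after, with the directory
# where the genuine copy lives (assumption: 32-bit XP with C: as system drive).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def extract_image_path(cmd):
    """Return the program path from an autorun command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first executable-looking extension,
    # so paths containing spaces ("Arquivos de programas") survive intact.
    m = re.match(r'(.+?\.(?:exe|cpl|dll|scr))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4_line(line):
    """Split one O4 line into hive, key, value name, command and image path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    return {"hive": hive, "key": key, "name": name, "command": cmd,
            "image": extract_image_path(cmd)}


def triage(log_text):
    """Parse every O4 line and attach the reasons an entry deserves a closer look."""
    entries = [e for e in map(parse_o4_line, log_text.splitlines()) if e]
    basename_count = Counter(e["image"].lower().rpartition("\\")[2] for e in entries)
    for e in entries:
        parent, _, basename = e["image"].lower().rpartition("\\")
        reasons = []
        if not e["name"]:
            reasons.append("empty value name")
        if parent == r"c:\windows" and EXPECTED_DIR.get(basename) != parent:
            reasons.append("executable dropped directly in the Windows root")
        if basename in EXPECTED_DIR and parent != EXPECTED_DIR[basename]:
            reasons.append("system binary name outside %s" % EXPECTED_DIR[basename])
        if "policies\\explorer\\run" in e["key"].lower():
            reasons.append("registered under Policies\\Explorer\\Run")
        if basename_count[basename] > 1:
            reasons.append("same file name registered %d times" % basename_count[basename])
        e["reasons"] = reasons
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        mark = "SUSPECT" if e["reasons"] else "ok     "
        print(mark, e["hive"], e["key"], "[%s]" % e["name"], e["image"],
              "; ".join(e["reasons"]))
```

Run against the log above, the script leaves nod32kui, the Bluetooth agent, MSConfig and ctfmon.exe unflagged and marks the seven entries that point at userini.exe, the Windows-root svchost.exe and the two avg.exe copies, which matches the files the poster was unable to remove. The heuristics are only a triage aid: a flagged entry still needs the file checked (signature, hash, vendor) before it is treated as malware.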
wings
Posted November 27, 2009

Good evening bartho.... Welcome to the forum...

1.
* Download Bankerfix and save it to the desktop
* Temporarily disable your antivirus: right-click the NOD32 icon next to the clock > Control Center > AMON > uncheck "Resident Module (AMON)"
* Double-click bankerfix.exe.
* Click [OK] > [YES] (if it asks for an update) > [OK]
* Press [ENTER] and wait.
* When it finishes, press [ENTER]
* Paste the report created at C:\LinhaDefensiva\relatorio.txt and a new HijackThis log
bartho
Posted November 27, 2009

Hello! Thank you very much for your attention, friend! I did what you told me, and here are the reports.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:00, on 26/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\userini.exe
C:\Arquivos de programas\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\userini.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Eset\nod32krn.exe
C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Opera\opera.exe
C:\Documents and Settings\Administrador\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://m.busca.uol.com.br/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.the-west.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ig.com.br/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: CUOLSearchHook Object - {1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3} - C:\Arquivos de programas\Arquivos comuns\uol\urlsearch\UOLSearchHook.dll
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: om
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Arquivos de programas\GetRight\xx2gr.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Auxiliar de Conex? do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [process] C:\windows\Avg.exe
O4 - HKLM\..\Run: [] C:\Windows\System32\avg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "L:\ASC3\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GetRight\GRbrowse.htm
O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
O16 - DPF: {F1835D04-7CCF-489E-8184-C08A1F682169} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/pt-BR/filesharingctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BA8E5F3-9077-448C-9AEB-6A7CB0696763}: NameServer = 200.149.55.140 200.165.132.147
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BA8E5F3-9077-448C-9AEB-6A7CB0696763}: NameServer = 200.149.55.140 200.165.132.147
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Arquivos de programas\iEvony\Skype4COM.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Bankerfix log:

-------------------------------------------------------
BankerFix 3.1 VALKYRIE - Removedor de Bankers
Linha Defensiva | http://www.linhadefensiva.org
http://www.linhadefensiva.org/bankerfix/
-------------------------------------------------------
Data: 2009-11-26 - 23:43
-------------------------------------------------------
Lista de Definição: 2009-10-26-1 | CORE: 2009-07-24-1
=======================================================
----- Fim -------------------------

I think it's important to mention that, while Bankerfix was running, my Spybot Search and Destroy reported activity and registry changes made by avg.exe. What now?
wings
Posted November 27, 2009

1. Open Spybot. In the top menu, click [Mode] > [Advanced] and confirm. Click [Tools] > [Resident]. Uncheck the option Enable "TeaTimer" Resident (overall protection of system settings). Close the program.

2.
* Temporarily disable your antivirus
* Run Bankerfix again

3.
* Keep your antivirus and Spybot's protection disabled
* Download ComboFix and save it to the desktop
* Close Internet Explorer and Windows Explorer
* Double-click the Combofix.exe file
* Accept the agreement
* Important: while ComboFix is running, do not use the mouse or the keyboard!!..... To abort the procedure press N.
* The program will close automatically
* Paste the reports created at C:\combofix.txt and C:\LinhaDefensiva\relatorio.txt
bartho
Posted November 27, 2009

Well, first the ComboFix report:

ComboFix 09-11-26.02 - Administrador 27/11/2009 11:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.479.230 [GMT -2:00]
Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
 * AV residente está ativo

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

ADS - explorer.exe: deleted 21504 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\jestertb.dll
c:\windows\prefetch\explorer.exe
c:\windows\smdat32m.sys
c:\windows\system32\Data
c:\windows\system32\update80825781.exe
c:\windows\system32\update81425890.exe
c:\windows\system32\update81427671.exe
c:\windows\system32\update81429562.exe
c:\windows\system32\userini.exe
c:\windows\wind.ini

c:\windows\System32\Drivers\d347prt.sys . . . está infectado!!
c:\windows\System32\Drivers\Vax347s.sys . . . está infectado!!
c:\windows\System32\Drivers\xmasscsi.sys . . . está infectado!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PCCHIPS
-------\Legacy_PROTECT
-------\Service_glaide32
-------\Service_protect

(((((((((((((((( Arquivos/Ficheiros criados de 2009-10-27 to 2009-11-27 ))))))))))))))))))))))))))))
.

2009-11-27 12:44 . 2009-11-27 12:46 -------- d-----w- C:\LinhaDefensiva
2009-11-26 21:08 . 2009-11-26 21:08 -------- d-----w- C:\!KillBox
2009-11-23 22:05 . 2009-11-23 22:05 -------- d-----w- c:\arquivos de programas\TeaTimer (Spybot - Search & Destroy)
2009-11-23 22:05 . 2009-11-23 22:05 -------- d-----w- c:\arquivos de programas\SDHelper (Spybot - Search & Destroy)
2009-11-23 22:05 . 2009-11-23 22:05 -------- d-----w- c:\arquivos de programas\File Scanner Library (Spybot - Search & Destroy)
2009-11-23 22:05 . 2009-11-23 22:05 -------- d-----w- c:\arquivos de programas\Misc. Support Library (Spybot - Search & Destroy)
2009-11-23 01:53 . 2009-11-23 01:53 -------- d-sh--w- c:\documents and settings\Administrador\IECompatCache
2009-11-20 23:38 . 2009-11-20 23:38 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\TeamViewer
2009-11-20 23:36 . 2009-11-20 23:36 1795823 ----a-w- c:\windows\winl.exe
2009-11-20 23:35 . 2009-11-20 23:35 212224 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-11-20 23:33 . 2009-11-20 23:33 14336 ----a-w- C:\oiskyee.exe
2009-11-20 23:33 . 2009-11-20 23:36 217838 ----a-w- C:\bahbqlm.exe
2009-11-20 23:33 . 2009-11-20 23:35 195988 ----a-w- C:\wlcxoal.exe
2009-11-17 23:57 . 2009-11-17 23:57 -------- d-----w- c:\arquivos de programas\Microsoft
2009-10-28 20:55 . 2009-11-01 14:46 1 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-28 20:54 . 2009-10-28 20:54 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\OpenOffice.org

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 12:30 . 2005-09-02 02:57 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Azureus
2009-11-26 01:21 . 2005-04-28 22:48 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Skype
2009-11-25 23:52 . 2009-05-27 00:36 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\skypePM
2009-11-24 16:16 . 2007-11-06 02:21 169936 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\fs113qcg.Perfil 1\FlashGot.exe
2009-11-24 00:22 . 2005-06-03 00:11 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-11-23 23:42 . 2005-06-03 00:10 -------- d-----w- c:\arquivos de programas\Spybot - Search & Destroy
2009-11-20 23:35 . 2004-08-04 02:14 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-11-20 07:47 . 2005-09-02 02:56 -------- d-----w- c:\arquivos de programas\Azureus
2009-11-17 23:47 . 2004-08-04 03:45 1035776 ----a-w- c:\windows\explorer.exe
2009-11-08 17:23 . 2001-10-28 18:07 61868 ----a-w- c:\windows\system32\perfc016.dat
2009-11-08 17:23 . 2001-10-28 18:07 414696 ----a-w- c:\windows\system32\perfh016.dat
2009-11-01 19:57 . 2008-11-17 21:54 -------- d-----w- c:\arquivos de programas\Opera
2009-09-28 22:34 . 2007-12-27 05:49 7154255 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Azureus\plugins\azemp\azmplay.exe
2009-09-28 22:32 . 2008-10-31 01:48 10686001 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Azureus\plugins\azump\mplayer.exe
2009-09-11 14:19 . 2004-08-04 03:45 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2004-08-04 03:45 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-06-08 02:19 . 2009-06-05 20:57 4986912 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-08 02:19 . 2009-06-05 20:57 38432 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

[-] 2009-11-20 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-11-20 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2004-08-04 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\arquivos de programas\Eset\nod32kui.exe" [2008-02-07 949376]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^Kremlin Sentry.LNK]
backup=c:\windows\pss\Kremlin Sentry.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Firewall Client Management.lnk]
backup=c:\windows\pss\Microsoft Firewall Client Management.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\27nB
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh EDN Client
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\ICQLite\\ICQLite.exe"=
"c:\\Arquivos de programas\\BitComet\\BitComet.exe"=
"c:\\Arquivos de programas\\InPulse Team\\InLink\\InLink.exe"=
"c:\\Documents and Settings\\Administrador\\Meus documentos\\Meus arquivos recebidos\\inlinkv1.3.7\\InLinkv1.3.7_PC CLIENT_atualizacao\\InLink.exe"=
"c:\\Arquivos de programas\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Documents and Settings\\Administrador\\Meus documentos\\Meus arquivos recebidos\\utorrent\\utorrent.exe"=
"c:\\Arquivos de programas\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Administrador\\Meus documentos\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\DremTeamShare\\DreMule\\emule.exe"=
"c:\\Arquivos de programas\\Universal Messenger Plus\\UIMplus\\UnimessPlus.exe"=
"c:\\Arquivos de programas\\K-LiteNitro\\giFT\\giFTl.exe"=
"c:\\games\\playnow\\PlayNowClient.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\Arquivos de programas\\MultiProxy\\MProxy.exe"=
"c:\\Arquivos de programas\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"c:\\Arquivos de programas\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\games\\Soldat\\Soldat.exe"=
"c:\\Arquivos de programas\\Opera\\opera.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Documents and Settings\\Administrador\\Dados de aplicativos\\Thinstall\\Advanced WindowsCare 2.55 Personal\\4000001b00002h\\opera.exe"=
"c:\\Arquivos de programas\\Vuze\\Azureus.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\windows\\winl.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
"1080:TCP"= 1080:TCP:*:Disabled:1080
"19348:TCP"= 19348:TCP:BitComet 19348 TCP
"19348:UDP"= 19348:UDP:BitComet 19348 UDP
"6346:TCP"= 6346:TCP:sahreaza
"6346:UDP"= 6346:UDP:shareaza

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [6/2/2006 15:15 5248]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [30/7/2005 00:17 5504]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [7/2/2008 19:49 15424]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\arquivos de programas\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [13/5/2008 19:50 98488]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [18/4/2005 17:44 152576]
S2 LF30FS;LF30FS;\??\c:\arquivos de programas\Everstrike Software\Lock Folder XP 3.3\LF30XP.sys --> c:\arquivos de programas\Everstrike Software\Lock Folder XP 3.3\LF30XP.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [30/5/2008 19:20 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/4/2008 20:38 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [30/5/2008 19:20 42112]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [6/2/2006 15:15 159616]
S4 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [30/7/2005 00:17 140800]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.the-west.com.br/
uInternet Connection Wizard,ShellNext = hxxp://www.ig.com.br/
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Abrir com o GetRight Browser - c:\arquiv~1\GetRight\GRbrowse.htm
IE: Baixar link usando &BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddLink.htm
IE: Baixar todos os links usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
IE: Baixar todos os vídeos usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
IE: Download com o GetRight - c:\arquiv~1\GetRight\GRdownload.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} - hxxp://download.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\gv79i39m.default\
FF - prefs.js: browser.search.defaulturl -
hxxp://search.camfrog.com/search.php?q= FF - prefs.js: browser.search.selectedEngine - Camfrog FF - prefs.js: keyword.URL - hxxp://search.camfrog.com/search.php?q= FF - prefs.js: browser.search.defaulturl - hxxp://search.camfrog.com/search.php?q= FF - prefs.js: browser.search.selectedEngine - Camfrog FF - prefs.js: keyword.URL - hxxp://search.camfrog.com/search.php?q= FF - prefs.js: browser.search.defaulturl - hxxp://search.camfrog.com/search.php?q= FF - prefs.js: browser.search.selectedEngine - Camfrog FF - prefs.js: keyword.URL - hxxp://search.camfrog.com/search.php?q= FF - prefs.js: browser.search.selectedEngine - Google ---- FIREFOX POLICIES ---- FF - user.js: network.proxy.type - 0 FF - user.js: network.proxy.http - user_pref(network.proxy.http_port,); FF - user.js: network.proxy.no_proxies_on - c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br"); . - - - - ORFÃOS REMOVIDOS - - - - HKCU-Run-userini - c:\windows\system32\userini.exe HKCU-Run-Advanced SystemCare 3 - l:\asc3\Advanced SystemCare 3\AWC.exe HKLM-Run-userini - c:\windows\system32\userini.exe HKLM-Explorer_Run-userini - c:\windows\system32\userini.exe HKCU-Explorer_Run-userini - c:\windows\system32\userini.exe AddRemove-Advanced SystemCare 3_is1 - l:\asc3\Advanced SystemCare 3\unins000.exe AddRemove-RealJukebox 1.0 - c:\arquivos de programas\Arquivos comuns\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 AddRemove-RealPlayer 6.0 - c:\arquivos de programas\Arquivos comuns\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-27 11:31 Windows 5.1.2600 Service Pack 3 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... 
Varredura completada com sucesso arquivos/ficheiros ocultos: ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe >>UNKNOWN [0x85F74530]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf7798f28 \Driver\ACPI -> ACPI.sys @ 0xf76e5cb8 \Driver\atapi -> 0x85beff00 IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15 NDIS: VIA PCI 10/100Mb Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0x85e10bb0 PacketIndicateHandler -> NDIS.sys @ 0x85e1da21 SendHandler -> NDIS.sys @ 0x85dfb87b Warning: possible MBR rootkit infection ! user & kernel MBR OK ************************************************************************** . 
--------------------- CHAVES DO REGISTRO BLOQUEADAS --------------------- [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,d0,7c,14,4a,b3,50,48,8e,de,7b,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,d0,7c,14,4a,b3,50,48,8e,de,7b,\ [HKEY_USERS\S-1-5-21-823518204-630328440-839522115-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,b4,95,32,cc,6d,01,45,8b,be,ea,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,b4,95,32,cc,6d,01,45,8b,be,ea,\ [HKEY_USERS\S-1-5-21-823518204-630328440-839522115-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:b1,c2,cb,92,2e,2a,e3,9d,6f,85,cf,bd,d9,13,2e,b2,be,c9,2b,d6,dd,9e,59, 28,95,42,28,b4,2e,23,68,69,40,f8,fe,50,dc,76,36,46,7b,cd,c2,7c,cf,4e,b8,de,\ "??"=hex:ea,e5,4f,ae,ac,92,b5,7b,8b,61,3a,4d,2b,7c,36,b1 . --------------------- DLLs Carregadas Sob os Processos em Execução --------------------- - - - - - - - > 'explorer.exe'(2100) c:\windows\system32\WININET.dll c:\windows\system32\webcheck.dll c:\arquiv~1\FRONTP~1\OFFICE11\MCPS.DLL c:\arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll c:\arquivos de programas\GetRight\xx2gr.dll c:\arquivos de programas\BitComet\tools\BitCometBHO_1.1.7.4.dll . ------------------------ Outros Processos em Execução ------------------------ . 
c:\arquivos de programas\Ahead\InCD\InCDsrv.exe c:\windows\system32\rundll32.exe c:\windows\system32\CTsvcCDA.EXE c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe c:\arquivos de programas\Eset\nod32krn.exe c:\arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\wscntfy.exe c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe . ************************************************************************** . Tempo para conclusão: 2009-11-27 11:34 - Máquina reiniciou ComboFix-quarantined-files.txt 2009-11-27 13:34 Pré-execução: 5.569.314.816 bytes disponíveis Pós execução: 5.461.221.376 bytes disponíveis - - End Of File - - C0FDD7BC80D12C8F4B5D88EB75F296DF agora o do banker: BankerFix 3.1 VALKYRIE - Removedor de Bankers Linha Defensiva | http://www.linhadefensiva.org http://www.linhadefensiva.org/bankerfix/ ------------------------------------------------------- Data: 2009-11-27 - 10:45 ------------------------------------------------------- Lista de Definição: 2009-10-26-1 | CORE: 2009-07-24-1 ======================================================= ----- Fim ------------------------- e agora? to limpo já? arbaço Compartilhar este post Link para o post Compartilhar em outros sites
wings, posted November 27, 2009:

Please... Submit the file below for analysis at http://virscan.org
c:\windows\winl.exe
Paste the link containing the result.
bartho, posted December 2, 2009:

Sorry for the delay, I was out of town. Here is the result:

File name : winl.exe
File size : 1795823 byte
File type : MS-DOS executable, MZ for MS-DOS
MD5 : 14712ac791c98cd446a9f7ec939df1c7
SHA1 : 3f84e19d1f7984882d31c357efd1c30a182d7b3e
Scan result : 19% Software(7/37) found malicious code!
Time : 2009/12/01 20:15:05 (ACT)

Software | Version | Sig. version | Sig. date | Scan result | Time
a-squared | 4.5.0.8 | 20091202040138 | 2009-12-02 | Riskware.Win32.VBInject!IK | 4.548
AhnLab V3 | 2009.12.01.01 | 2009.12.01 | 2009-12-01 | - | 1.181
AntiVir | 8.2.1.92 | 7.10.1.152 | 2009-12-01 | - | 0.311
Antiy | 2.0.18 | 20091201.3332096 | 2009-12-01 | - | 0.125
Arcavir | 2009 | 200912011251 | 2009-12-01 | - | 0.005
Authentium | 5.1.1 | 200912011727 | 2009-12-01 | - | 2.814
AVAST! | 4.7.4 | 091201-1 | 2009-12-01 | Win32:Trojan-gen | 0.067
AVG | 8.5.288 | 270.14.89/2539 | 2009-12-02 | - | 2.873
BitDefender | 7.81008.4673058 | 7.29249 | 2009-12-02 | - | 8.263
CA (VET) | 35.1.0 | 7150 | 2009-11-30 | - | 7.852
ClamAV | 0.95.2 | 10100 | 2009-12-01 | - | 0.268
Comodo | 3.12 | 3103 | 2009-12-01 | Heur.Suspicious | 0.843
CP Secure | 1.3.0.5 | 2009.12.02 | 2009-12-02 | - | 0.405
Dr.Web | 4.44.0.9170 | 2009.12.01 | 2009-12-01 | BackDoor.Pigeon.8828 | 15.515
F-Prot | 4.4.4.56 | 20091201 | 2009-12-01 | - | 4.271
F-Secure | 7.02.73807 | 2009.12.01.10 | 2009-12-01 | - | 0.192
Fortinet | 11.115- | 11.115 | 2009-12-01 | - | 0.536
GData | 19.9120/19.600 | 20091202 | 2009-12-02 | Win32:Trojan-gen [Engine:B] | 6.251
Ikarus | T3.1.01.74 | 2009.12.01.74633 | 2009-12-01 | VirTool.Win32.VBInject | 9.443
JiangMin | 11.0.800 | 2009.12.01 | 2009-12-01 | - | 7.306
Kaspersky | 5.5.10 | 2009.12.01 | 2009-12-01 | - | 0.188
KingSoft | 2009.2.5.15 | 2009.12.1.19 | 2009-12-01 | - | 2.187
McAfee | 5.3.00 | 5819 | 2009-12-01 | - | 6.555
Microsoft | 1.5302 | 2009.12.02 | 2009-12-02 | VirTool:Win32/VBInject.gen!CH | 6.844
Norman | 6.01.09 | 6.01.00 | 2009-12-01 | - | 8.011
nProtect | 20091127.01 | 6396533 | 2009-11-27 | - | 4.283
Panda | 9.05.01 | 2009.12.01 | 2009-12-01 | - | 2.504
Quick Heal | 10.00 | 2009.12.01 | 2009-12-01 | - | 2.747
Rising | 20.0 | 22.24.01.09 | 2009-12-01 | - | 1.259
Sophos | 3.02.0 | 4.48 | 2009-12-02 | - | 4.792
Sunbelt | 3.9.2381.2 | 5539 | 2009-12-01 | - | 4.646
Symantec | 1.3.0.24 | 20091201.006 | 2009-12-01 | - | 0.157
The Hacker | 6.5.0.2 | v00083 | 2009-12-01 | - | 0.833
Trend Micro | 9.000-1003 | 6.664.05 | 2009-12-01 | - | 0.000
VBA32 | 3.12.12.0 | 20091130.1546 | 2009-11-30 | - | 3.058
ViRobot | 20091201 | 2009.12.01 | 2009-12-01 | - | 0.485
VirusBuster | 4.5.11.10 | 10.114.6/2021099 | 2009-12-01 | - | 5.158

■ Heuristic/Suspicious ■ Exact

NOTICE: Some software may produce a false positive when reporting malicious code, so you should judge it for yourself.
wings, posted December 2, 2009:

1.
*Uninstall Alcohol and Daemon Tools.

2.
*Download MBR and save it to C:\
*Click Start > Run > type: c:\mbr.exe -f
*Click OK. If asked, allow the program to run.

3.
*Open Notepad, then select, copy and paste into it all of the content of the code below:

File::
c:\windows\winl.exe
C:\oiskyee.exe
C:\bahbqlm.exe
C:\wlcxoal.exe

*Save the file to the desktop as CFScript.txt
*Drag the file onto ComboFix as in the illustration below:
*Important: while ComboFix is running, do not use the mouse or the keyboard!! ..to interrupt the process press N or 2.
*Paste the report created at C:\combofix.txt
bartho, posted December 2, 2009:

I did as you told me!

ComboFix 09-12-02.03 - Administrador 02/12/2009 13:25.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.479.260 [GMT -2:00]
Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
"C:\bahbqlm.exe"
"C:\oiskyee.exe"
"c:\windows\winl.exe"
"C:\wlcxoal.exe"
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bahbqlm.exe
C:\oiskyee.exe
c:\windows\winl.exe
C:\wlcxoal.exe

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-11-02 to 2009-12-02 ))))))))))))))))))))))))))))
.

2009-12-02 14:15 . 2009-12-02 14:15 77312 ----a-w- C:\mbr.exe
2009-11-27 12:44 . 2009-11-27 12:46 -------- d-----w- C:\LinhaDefensiva
2009-11-26 21:08 . 2009-11-26 21:08 -------- d-----w- C:\!KillBox
2009-11-23 22:05 . 2009-11-23 22:05 -------- d-----w- c:\arquivos de programas\TeaTimer (Spybot - Search & Destroy)
2009-11-23 22:05 . 2009-11-23 22:05 -------- d-----w- c:\arquivos de programas\SDHelper (Spybot - Search & Destroy)
2009-11-23 22:05 . 2009-11-23 22:05 -------- d-----w- c:\arquivos de programas\File Scanner Library (Spybot - Search & Destroy)
2009-11-23 22:05 . 2009-11-23 22:05 -------- d-----w- c:\arquivos de programas\Misc. Support Library (Spybot - Search & Destroy)
2009-11-23 01:53 . 2009-11-23 01:53 -------- d-sh--w- c:\documents and settings\Administrador\IECompatCache
2009-11-20 23:38 . 2009-11-20 23:38 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\TeamViewer
2009-11-20 23:35 . 2009-11-20 23:35 212224 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-11-17 23:57 . 2009-11-17 23:57 -------- d-----w- c:\arquivos de programas\Microsoft

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 15:37 . 2005-04-28 22:48 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Skype
2009-12-02 13:36 . 2009-05-27 00:36 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\skypePM
2009-11-27 12:30 . 2005-09-02 02:57 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Azureus
2009-11-24 16:16 . 2007-11-06 02:21 169936 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\fs113qcg.Perfil 1\FlashGot.exe
2009-11-24 00:22 . 2005-06-03 00:11 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-11-23 23:42 . 2005-06-03 00:10 -------- d-----w- c:\arquivos de programas\Spybot - Search & Destroy
2009-11-20 23:35 . 2004-08-04 02:14 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-11-20 07:47 . 2005-09-02 02:56 -------- d-----w- c:\arquivos de programas\Azureus
2009-11-17 23:47 . 2004-08-04 03:45 1035776 ------w- c:\windows\explorer.exe
2009-11-08 17:23 . 2001-10-28 18:07 61868 ----a-w- c:\windows\system32\perfc016.dat
2009-11-08 17:23 . 2001-10-28 18:07 414696 ----a-w- c:\windows\system32\perfh016.dat
2009-11-01 19:57 . 2008-11-17 21:54 -------- d-----w- c:\arquivos de programas\Opera
2009-11-01 14:46 . 2009-10-28 20:55 1 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-28 20:54 . 2009-10-28 20:54 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\OpenOffice.org
2009-09-28 22:34 . 2007-12-27 05:49 7154255 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Azureus\plugins\azemp\azmplay.exe
2009-09-28 22:32 . 2008-10-31 01:48 10686001 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Azureus\plugins\azump\mplayer.exe
2009-09-11 14:19 . 2004-08-04 03:45 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2004-08-04 03:45 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-06-08 02:19 . 2009-06-05 20:57 4986912 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-08 02:19 . 2009-06-05 20:57 38432 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

[-] 2009-11-20 23:35 . 1C59624D193228E4E4363EB727D06002 . 212224 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-11-20 23:35 . 1C59624D193228E4E4363EB727D06002 . 212224 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-27_13.28.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-27 13:28 . 2009-12-02 15:22 278528 c:\windows\Temporary Internet Files\Content.IE5\index.dat
+ 2004-12-30 19:42 . 2009-11-28 01:14 2248192 c:\windows\Installer\22510b.msi
- 2004-12-30 19:42 . 2009-11-24 13:30 2248192 c:\windows\Installer\22510b.msi
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\arquivos de programas\Eset\nod32kui.exe" [2008-02-07 949376]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^Kremlin Sentry.LNK]
backup=c:\windows\pss\Kremlin Sentry.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrador^Menu Iniciar^Programas^Inicializar^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Firewall Client Management.lnk]
backup=c:\windows\pss\Microsoft Firewall Client Management.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\ICQLite\\ICQLite.exe"=
"c:\\Arquivos de programas\\BitComet\\BitComet.exe"=
"c:\\Arquivos de programas\\InPulse Team\\InLink\\InLink.exe"=
"c:\\Documents and Settings\\Administrador\\Meus documentos\\Meus arquivos recebidos\\inlinkv1.3.7\\InLinkv1.3.7_PC CLIENT_atualizacao\\InLink.exe"=
"c:\\Arquivos de programas\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Documents and Settings\\Administrador\\Meus documentos\\Meus arquivos recebidos\\utorrent\\utorrent.exe"=
"c:\\Arquivos de programas\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\Administrador\\Meus documentos\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\DremTeamShare\\DreMule\\emule.exe"=
"c:\\Arquivos de programas\\Universal Messenger Plus\\UIMplus\\UnimessPlus.exe"=
"c:\\Arquivos de programas\\K-LiteNitro\\giFT\\giFTl.exe"=
"c:\\games\\playnow\\PlayNowClient.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\Arquivos de programas\\MultiProxy\\MProxy.exe"=
"c:\\Arquivos de programas\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"c:\\Arquivos de programas\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\games\\Soldat\\Soldat.exe"=
"c:\\Arquivos de programas\\Opera\\opera.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Documents and Settings\\Administrador\\Dados de aplicativos\\Thinstall\\Advanced WindowsCare 2.55 Personal\\4000001b00002h\\opera.exe"=
"c:\\Arquivos de programas\\Vuze\\Azureus.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
"1080:TCP"= 1080:TCP:*:Disabled:1080
"19348:TCP"= 19348:TCP:BitComet 19348 TCP
"19348:UDP"= 19348:UDP:BitComet 19348 UDP
"6346:TCP"= 6346:TCP:sahreaza
"6346:UDP"= 6346:UDP:shareaza

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [29/7/2005 23:35 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [29/7/2005 23:35 5248]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [6/2/2006 15:15 5248]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [30/7/2005 00:17 5504]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [7/2/2008 19:49 15424]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\arquivos de programas\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [13/5/2008 19:50 98488]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [18/4/2005 17:44 152576]
S2 LF30FS;LF30FS;\??\c:\arquivos de programas\Everstrike Software\Lock Folder XP 3.3\LF30XP.sys --> c:\arquivos de programas\Everstrike Software\Lock Folder XP 3.3\LF30XP.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [30/5/2008 19:20 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/4/2008 20:38 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [30/5/2008 19:20 42112]
S4 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [6/2/2006 15:15 159616]
S4 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [30/7/2005 00:17 140800]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.the-west.com.br/
uInternet Connection Wizard,ShellNext = hxxp://www.ig.com.br/
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Abrir com o GetRight Browser - c:\arquiv~1\GetRight\GRbrowse.htm
IE: Baixar link usando &BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddLink.htm
IE: Baixar todos os links usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
IE: Baixar todos os vídeos usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
IE: Download com o GetRight - c:\arquiv~1\GetRight\GRdownload.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {0BA8E5F3-9077-448C-9AEB-6A7CB0696763} = 200.149.55.140 200.165.132.147
DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} - hxxp://download.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\gv79i39m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.camfrog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Camfrog
FF - prefs.js: keyword.URL - hxxp://search.camfrog.com/search.php?q=
FF - prefs.js: browser.search.defaulturl - hxxp://search.camfrog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Camfrog
FF - prefs.js: keyword.URL - hxxp://search.camfrog.com/search.php?q=
FF - prefs.js: browser.search.defaulturl - hxxp://search.camfrog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Camfrog
FF - prefs.js: keyword.URL - hxxp://search.camfrog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Google

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http - user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 13:37
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85BA9AE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf778df28
\Driver\ACPI -> ACPI.sys @ 0xf76dacb8
\Driver\atapi -> 0x85ba9ae8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: VIA PCI 10/100Mb Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0x85e00bb0
PacketIndicateHandler -> NDIS.sys @ 0x85e0da21
SendHandler -> NDIS.sys @ 0x85deb87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,d0,7c,14,4a,b3,50,48,8e,de,7b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,d0,7c,14,4a,b3,50,48,8e,de,7b,\

[HKEY_USERS\S-1-5-21-823518204-630328440-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,b4,95,32,cc,6d,01,45,8b,be,ea,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,b4,95,32,cc,6d,01,45,8b,be,ea,\

[HKEY_USERS\S-1-5-21-823518204-630328440-839522115-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b1,c2,cb,92,2e,2a,e3,9d,6f,85,cf,bd,d9,13,2e,b2,be,c9,2b,d6,dd,9e,59,
   28,95,42,28,b4,2e,23,68,69,40,f8,fe,50,dc,76,36,46,7b,cd,c2,7c,cf,4e,b8,de,\
"??"=hex:ea,e5,4f,ae,ac,92,b5,7b,8b,61,3a,4d,2b,7c,36,b1
.
Tempo para conclusão: 2009-12-02 13:39
ComboFix-quarantined-files.txt 2009-12-02 15:39
ComboFix2.txt 2009-11-27 13:34

Pré-execução: 4.915.638.272 bytes disponíveis
Pós execução: 4.898.316.288 bytes disponíveis

- - End Of File - - E619BB005C261C0DBE5425862436CC40
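An added Python example, not part of the thread and not code from ComboFix or Gmer, showing how a helper can triage the two blocks that matter in the log above: the Sigcheck section (an unverified ndis.sys whose MD5 and size differ from the ServicePackFiles copy) and the Gmer MBR detector block (\Driver\atapi hooked to a bare address that equals the >>UNKNOWN<< module). The sample lines are copied from the log; the line layouts and the reading of the [-] marker as "unverified" are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Sigcheck block copied from the second ComboFix log above.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------
[-] 2009-11-20 23:35 . 1C59624D193228E4E4363EB727D06002 . 212224 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-11-20 23:35 . 1C59624D193228E4E4363EB727D06002 . 212224 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys
"""

# Constructed samples: the MBR detector block inside that log, and the later stand-alone run.
MBR_INFECTED_SAMPLE = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85BA9AE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf778df28
\Driver\ACPI -> ACPI.sys @ 0xf76dacb8
\Driver\atapi -> 0x85ba9ae8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""
MBR_CLEAN_SAMPLE = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# Sigcheck line: "[mark] date [time] . MD5 . size . . [version] . . path" (assumed layout)
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]+)\]\s+(?P<date>\d{4}-\d\d-\d\d)(?:\s+\d\d:\d\d)?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$")
# Hook line: "\Driver\<name> -> [<module> @ ]<address>"; a missing module name means
# the hook target could not be attributed to any loaded driver.
HOOK_RE = re.compile(
    r"^\\Driver\\(?P<driver>\w+)\s+->\s+(?:(?P<module>\S+)\s+@\s+)?(?P<addr>0x[0-9A-Fa-f]+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass(frozen=True)
class SigEntry:
    mark: str       # "-" is read here as "ComboFix could not verify this file" (assumption)
    md5: str
    size: int
    version: str
    path: str


def parse_sigcheck(text):
    """Parse every Sigcheck line in text into SigEntry records."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["mark"], m["md5"].upper(), int(m["size"]),
                                    m["version"], m["path"]))
    return entries


def suspicious_system_files(entries):
    """Unverified copies whose MD5 matches no verified copy of the same file name.

    Returns (path, md5, size, reference): reference is the first verified entry
    for that name (the known-good copy to compare against), or None if none."""
    by_name = {}
    for e in entries:
        by_name.setdefault(e.path.rsplit("\\", 1)[-1].lower(), []).append(e)
    findings = []
    for group in by_name.values():
        verified = [e for e in group if e.mark != "-"]
        for e in group:
            if e.mark == "-" and all(e.md5 != v.md5 for v in verified):
                findings.append((e.path, e.md5, e.size, verified[0] if verified else None))
    return findings


def mbr_verdict(text):
    """Summarise one Gmer MBR detector run as a dict of findings."""
    unknown = [a.lower() for a in UNKNOWN_RE.findall(text)]
    unresolved = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m and m["module"] is None:
            unresolved.append((m["driver"], m["addr"].lower()))
    warning = "possible MBR rootkit infection" in text
    return {
        "warning": warning,
        "mbr_ok": "user & kernel MBR OK" in text,
        "unknown_modules": unknown,
        "unresolved_hooks": unresolved,
        # a bare-address hook landing in the unknown module ties the two findings together
        "hook_into_unknown": [h for h in unresolved if h[1] in unknown],
        "clean": not (warning or unknown or unresolved),
    }
```

Note that "user & kernel MBR OK" appears in both runs: the boot sector itself was intact, and the infection shows only through the in-memory hook and the unattributed module, which is why the stand-alone mbr.exe run later in the thread reads clean.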
wings, posted December 2, 2009:

1.
*Delete the folders: C:\LinhaDefensiva and C:\!KillBox

2.
*Click [Start] > [Run] > type: combofix /uninstall
*Click [OK]
*Click [Run]
*The message "ComboFix is uninstalled" will appear
*Click [OK]
*Delete the folder C:\Combofix and the file C:\combofix.txt, if they still exist.

3.
*Click Start > Run > type: c:\mbr.exe -f
*Note that there is a space between mbr.exe and -f
*Click OK. If asked, allow the program to run.

4.
*Double-click mbr.exe
*Paste the report created at C:\MBR.Log
bartho, posted December 2, 2009:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Done. Now what? Am I clean now?
wings, posted December 2, 2009:

Good evening bartho

OK.. the log is clean.

1.
*Delete the file C:\mbr.exe and its report (C:\mbr.txt)

Cheers.
bartho, posted December 3, 2009:

Thanks, man!
wings, posted December 3, 2009:

PROBLEM SOLVED!

If the author needs the topic to be reopened, just send a Private Message to a Moderator with a link to the topic.