
Archived

This topic has been archived and is closed to new replies.

Leandroctp

[Archived] Log analysis

Every time I turn on the PC, Avira detects sknc.dll, but if I let Avira block it I can't connect to the internet or open several programs, so I have to disable Avira's protection.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:25:18, on 31/5/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avfwsvc.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Arquivos de programas\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avmailc.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Java\jre6\bin\jucheck.exe

C:\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\RunServices: [csrcs] C:\WINDOWS\system32\csrcs.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\leandro.PESSOAL\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{35A03B08-0A09-4F67-A951-B61F702D5965}: NameServer = 200.165.132.148 200.165.132.155

O17 - HKLM\System\CS1\Services\Tcpip\..\{35A03B08-0A09-4F67-A951-B61F702D5965}: NameServer = 200.165.132.148 200.165.132.155

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avfwsvc.exe

O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avmailc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\AVWEBGRD.EXE

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Update Service (gupdate1ca2d8e9b0d77bc) (gupdate1ca2d8e9b0d77bc) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

 

--

End of file - 9493 bytes


Good afternoon, Leandroctp!

<!> You have a trojan-horse infection that compromises the Windows NTFS partition.

<!> Formatting is recommended, or, if you prefer, try this fix.

<!> Make backups, for a possible format, or also try these guidelines: < Buzzle.com >

00000000000000000000000

ooooooooooooooooooooooo

<@> Download: < ws2_32.zip >

<@> Unzip it into the directory: C:\WINDOWS\ServicePackFiles\i386 <--

<@> P.S.: So that we have the path: C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

<@> Unzip it also into the directory: C:\WINDOWS\system32 <--

<@> P.S.: So that we have the path: C:\WINDOWS\system32\ws2_32.dll

00000000000000000000000

ooooooooooooooooooooooo

<@> Download: < Capture6-13-2009-1_01_22_PM.jpg > ( ...by sUBs )

<@> Save it to the desktop!

<@> Disable Avira!

<@> Select and copy everything in the QUOTE area into Notepad.

<@> Save it on the Desktop with the name: CFScript.txt

 

File::

C:\WINDOWS\system32\csrcs.exe

C:\WINDOWS\system32\sknc.dll

C:\WINDOWS\system32\old_ws2.old

RESTORE::

C:\WINDOWS\system32\ws2_32.dll

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"csrcs.exe"=-

<@> Drag CFScript.txt onto the ComboFix icon.

<@> See the demonstration!

<@> Accept the prompt that should appear to run ComboFix.

<@> P.S.: Keep dragging until that prompt (window) appears!

<@> When it finishes, post the reports: C:\ComboFix.txt + an updated HijackThis log.

Regards!

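The reply above singles out three things in the first log: the csrcs.exe entry under RunServices, sknc.dll, and a patched ws2_32.dll. The script below is an added example for this thread, not part of the original posts and not a HijackThis feature; it applies the same first-pass rules a log helper uses by hand to O2, O4 and O23 lines: an autostart under RunServices (a Windows 9x-era key that XP-era installers do not write), a binary name one edit away from a core NT process name (csrcs.exe against csrss.exe, which appears in the Running processes list), a BHO registration whose DLL is gone, a service whose binary is missing, and a service with no publisher string. The KNOWN_BAD set, the severity scale and the regular expressions are the author's assumptions; the sample lines are copied from the HijackThis log posted above so the output can be compared with the reply's verdict.

```python
"""Triage a HijackThis v2 log for the entry classes a log helper checks first.

Added example for this thread; not part of the original posts and not a
HijackThis feature. Rules are the author's heuristics; SAMPLE_LOG is copied
from the log posted in the thread.
"""
import re

# Names the reply above singled out; everything else is judged by the rules.
KNOWN_BAD = {"csrcs.exe", "sknc.dll"}
# Core NT processes that malware imitates by name (csrcs.exe vs csrss.exe).
CORE_PROCESSES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe")
SEVERITY_ORDER = ("high", "medium", "low")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
""".strip().splitlines()

def edit_distance(a, b):
    """Levenshtein distance; names are short, so the plain DP table suffices."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(base):
    """Core process name that `base` imitates (exactly one edit away), or None."""
    for core in CORE_PROCESSES:
        if base != core and edit_distance(base, core) == 1:
            return core
    return None

def command_path(cmd):
    """Executable path from an O4 command line: the quoted path, else the first token."""
    cmd = cmd.strip().replace("%systemroot%", r"C:\WINDOWS")
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def basename(path):
    # Drops "(file missing)" / "(User '...')" suffixes before taking the last component.
    return path.split(" (")[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_o23(rest):
    """Split 'name - owner - path'; the owner may be empty ('name - - path')."""
    head, _, path = rest.rpartition(" - ")
    name, _, owner = head.partition(" - ")
    return name.rstrip(" -"), owner.strip(), path.strip()

def check_binary(path, reasons):
    """Name-based rules shared by autostart entries and services."""
    base = basename(path)
    if base in KNOWN_BAD:
        reasons.append(("high", f"{base} was identified as malicious in this thread"))
    twin = lookalike_of(base)
    if twin:
        reasons.append(("high", f"{base} is one edit away from core process {twin}"))
    if base in CORE_PROCESSES and not path.lower().startswith("c:\\windows\\system32\\"):
        reasons.append(("high", f"{base} is a core process name running outside system32"))

def triage(lines):
    """One finding per suspicious line: {'severity', 'reasons', 'line'}."""
    findings = []
    for raw in lines:
        line, reasons = raw.strip(), []
        if m := O4_RE.match(line):
            if m["key"].lower().startswith("runservices"):
                reasons.append(("high", "RunServices is a Windows 9x-era key that XP-era installers do not use"))
            check_binary(command_path(m["cmd"]), reasons)
        elif m := O2_RE.match(line):
            if m["path"].lower() == "(no file)":
                reasons.append(("medium", f"BHO {m['clsid']} is registered but its DLL is gone"))
            else:
                check_binary(m["path"], reasons)
        elif m := O23_RE.match(line):
            name, owner, path = parse_o23(m["rest"])
            if "(file missing)" in path.lower():
                reasons.append(("medium", f"service {name} points at a missing binary"))
            if not owner or owner.lower() == "unknown owner":
                reasons.append(("low", f"service {name} has no publisher string; verify its signature"))
            check_binary(path, reasons)
        if reasons:
            worst = min(reasons, key=lambda r: SEVERITY_ORDER.index(r[0]))[0]
            findings.append({"severity": worst, "reasons": [r[1] for r in reasons], "line": line})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['line']}")
        for why in f["reasons"]:
            print(f"         - {why}")
```

On the sample it reports four lines: the orphaned BHO (medium), the csrcs.exe RunServices entry (high, on three independent grounds), the GameGuard service with a missing binary (medium) and the GbpSv service with an empty owner field (low); the Avira, Java and driver entries pass. The lookalike rule is what separates csrcs.exe from the legitimate csrss.exe without any signature database, and it is cheap enough to run on every O4 and O23 line of a log.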

Sorry for the delay in replying; I had some personal problems and couldn't do the procedure.

Apparently everything is OK with the PC now.

Thank you very much.

edit: I couldn't carry out the procedure:

<@> Download: < ws2_32.zip >

<@> Unzip it into the directory: C:\WINDOWS\ServicePackFiles\i386 <--

<@> P.S.: So that we have the path: C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

<@> Unzip it also into the directory: C:\WINDOWS\system32 <--

<@> P.S.: So that we have the path: C:\WINDOWS\system32\ws2_32.dll

 

The folder C:\WINDOWS\ServicePackFiles\i386 doesn't exist, and in the "system32" folder I couldn't replace the existing file.

logs:

ComboFix 10-06-17.02 - leandro 18/06/2010 10:27:05.1.1 - x86

Running from: c:\documents and settings\leandro.PESSOAL\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\leandro.PESSOAL\Desktop\CFScript.txt

* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

"c:\windows\system32\csrcs.exe"

"c:\windows\system32\old_ws2.old"

"c:\windows\system32\sknc.dll"

.

ADS - drivers: deleted 204 bytes in 1 streams.

 

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\arquivos de programas\Cheat Engine\dbk32.sys

c:\windows\system32\AutoRun.inf

c:\windows\system32\csrcs.exe

c:\windows\system32\msconfig.exe

c:\windows\system32\old_ws2.old

c:\windows\system32\sknc.dll

c:\windows\system32\win.com

 

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\ws2_32.dll

 

.

(((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 ))))))))))))))))))))))))))))

.

 

2010-06-17 21:37 . 2007-05-16 04:00 42368 ----a-r- c:\windows\system32\drivers\SiSGbeXP.sys

2010-06-17 21:37 . 2010-06-17 21:37 -------- d-----w- c:\arquivos de programas\On-line Help Console

2010-06-17 21:36 . 2010-06-17 21:36 -------- d-----w- c:\windows\system32\Tools

2010-06-17 21:35 . 2006-12-25 20:31 4864 ----a-r- c:\windows\system32\drivers\PortIo.sys

2010-06-13 00:36 . 2010-06-13 00:36 -------- d-----w- C:\found.001

2010-06-10 06:49 . 2010-06-10 06:49 -------- d-----w- C:\gPotato.com

2010-06-09 13:36 . 2010-05-06 10:34 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-08 16:24 . 2008-07-31 13:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll

2010-06-08 16:24 . 2008-07-31 13:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll

2010-06-08 16:24 . 2008-07-31 13:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll

2010-06-08 16:24 . 2008-07-10 14:01 467984 ----a-w- c:\windows\system32\d3dx10_39.dll

2010-06-08 16:24 . 2008-07-10 14:00 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

2010-06-08 16:24 . 2008-07-10 14:00 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll

2010-06-08 16:23 . 2010-06-08 16:23 -------- d-----w- c:\arquivos de programas\TrueGames

2010-06-02 14:03 . 2010-06-02 14:03 -------- d-----w- C:\found.000

2010-05-31 16:21 . 2010-05-31 16:21 401720 ----a-w- C:\HiJackThis.exe

2010-05-30 14:38 . 2010-05-30 14:38 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Malwarebytes

 

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-18 13:35 . 2009-06-25 17:52 -------- d-----w- c:\arquivos de programas\Cheat Engine

2010-06-17 21:37 . 2009-06-12 17:57 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2010-06-17 18:51 . 2010-03-26 10:34 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\uTorrent

2010-06-16 17:19 . 2009-08-10 19:00 -------- d-----w- c:\arquivos de programas\Minilyrics

2010-06-13 04:11 . 2010-01-01 17:08 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\PMB Files

2010-06-13 00:39 . 2010-02-09 19:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2010-06-13 00:39 . 2010-02-09 19:12 -------- d-----w- c:\arquivos de programas\GbPlugin

2010-06-13 00:14 . 2009-11-08 16:17 -------- d-----w- c:\arquivos de programas\Unlocker

2010-06-10 06:15 . 2008-04-14 07:00 80246 ----a-w- c:\windows\system32\perfc016.dat

2010-06-10 06:15 . 2008-04-14 07:00 473318 ----a-w- c:\windows\system32\perfh016.dat

2010-06-05 14:19 . 2010-05-06 15:22 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight

2010-05-30 14:42 . 2009-06-12 18:04 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-05-26 13:48 . 2010-02-09 19:12 45472 ----a-w- c:\windows\system32\drivers\gbpkm.sys

2010-05-19 05:20 . 2009-09-04 18:24 -------- d-----w- c:\arquivos de programas\Google

2010-05-18 19:07 . 2010-05-16 04:34 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\sqlitestudio

2010-05-18 18:42 . 2010-05-15 20:38 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Tibia

2010-05-17 17:43 . 2010-05-17 17:43 -------- d-----w- c:\arquivos de programas\PingOut - by Machine

2010-05-17 14:56 . 2010-05-17 14:56 -------- d-----w- c:\arquivos de programas\Tibia 854

2010-05-17 14:23 . 2009-06-12 19:54 -------- d-----w- c:\arquivos de programas\uTorrent

2010-05-16 18:03 . 2009-06-13 15:08 -------- d-----w- c:\arquivos de programas\Tibia

2010-05-16 16:15 . 2010-05-16 16:15 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Remere's Map Editor

2010-05-16 16:15 . 2010-05-16 16:15 -------- d-----w- c:\arquivos de programas\Remere's Map Editor

2010-05-16 02:29 . 2010-05-16 02:29 -------- d-----w- c:\arquivos de programas\No-IP

2010-05-14 13:07 . 2010-05-14 13:07 -------- d-----w- c:\arquivos de programas\1C Company

2010-05-13 13:54 . 2010-05-13 13:54 -------- d-----w- c:\arquivos de programas\WinDirStat

2010-05-13 13:50 . 2010-05-13 13:50 -------- d-----w- c:\arquivos de programas\SystemRequirementsLab

2010-05-12 17:37 . 2010-05-12 17:37 -------- d-----w- c:\arquivos de programas\Firebird

2010-05-11 15:40 . 2010-05-11 15:40 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Nero

2010-05-06 10:34 . 2008-04-14 07:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 08:02 . 2009-03-21 14:20 1860480 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 18:39 . 2009-06-12 18:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 18:39 . 2009-06-12 18:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 02:56 . 2010-04-29 02:46 12006784 ----a-w- c:\windows\system32\drivers\snp2sxp.sys.off

2010-04-29 02:46 . 2010-04-29 02:46 -------- d-----w- c:\arquivos de programas\Arquivos comuns\snp2std

2010-04-29 02:45 . 2010-04-29 02:45 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\InstallShield

2010-04-23 00:13 . 2010-03-26 10:08 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\MessengerDiscovery 2

2010-04-20 05:31 . 2008-04-14 07:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 03:41 . 2010-04-20 03:41 -------- d-----w- c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Avira

2010-03-24 15:28 . 2009-06-12 01:03 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys

2010-03-24 15:28 . 2009-06-12 01:03 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-03-24 15:28 . 2009-06-12 01:03 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-03-24 15:28 . 2009-06-12 01:03 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys

.

 

------- Sigcheck -------

[-] 2009-04-17 . 2A293D04F15B5D25FF3615D8ED8DD1B7 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\regsvc.dll ... is missing !!

.

(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-12-23 3883840]

"Google Update"="c:\documents and settings\leandro.PESSOAL\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2010-03-24 282792]

"nwiz"="nwiz.exe" [2009-04-30 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"tsnp2std"="c:\windows\tsnp2std.exe" [2006-11-02 258048]

"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]

"UnlockerAssistant"="c:\arquivos de programas\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-08 128512]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2010-05-26 13:47 335136 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2010-04-29 18:39 437584 ----a-w- c:\arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"c:\\Arquivos de programas\\DNA\\btdna.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe"=

"c:\\Arquivos de programas\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Arquivos de programas\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

"c:\\Arquivos de programas\\TrueGames\\Mytheon\\launcher.ui.exe"=

"c:\\Arquivos de programas\\TrueGames\\Mytheon\\MytheonClientR.exe"=

"c:\\Arquivos de programas\\TrueGames\\Mytheon\\ClientLauncherG.exe"=

"c:\\Arquivos de programas\\TrueGames\\Mytheon\\ClientLauncherR.exe"=

"c:\\Arquivos de programas\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\gPotato.com\\Allods Online\\bin\\Launcher0.exe"=

"c:\\gPotato.com\\Allods Online\\bin\\Launcher.exe"=

"c:\\gPotato.com\\Allods Online\\bin\\AOgame.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56112:TCP"= 56112:TCP:Pando Media Booster

"56112:UDP"= 56112:UDP:Pando Media Booster

"3834:TCP"= 3834:TCP:3834

"7171:UDP"= 7171:UDP:otserv

"58422:TCP"= 58422:TCP:Pando Media Booster

"58422:UDP"= 58422:UDP:Pando Media Booster

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [9/2/2010 16:12 45472]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [24/6/2009 07:51 721904]

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [11/6/2009 22:03 102856]

R2 AntiVirFirewallService;Avira Firewall;c:\arquivos de programas\Avira\AntiVir Desktop\avfwsvc.exe [11/6/2009 22:03 536232]

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\arquivos de programas\Avira\AntiVir Desktop\avmailc.exe [11/6/2009 22:03 337064]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [11/6/2009 22:03 135336]

R2 AntiVirWebService;Avira AntiVir WebGuard;c:\arquivos de programas\Avira\AntiVir Desktop\avwebgrd.exe [11/6/2009 22:03 405672]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe [12/5/2010 14:37 81920]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [9/2/2010 16:12 55072]

R2 MBAMService;MBAMService;c:\arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe [12/6/2009 15:04 304464]

R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [11/6/2009 22:03 79432]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe [12/5/2010 14:37 2723840]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/6/2009 15:04 20952]

S2 gupdate1ca2d8e9b0d77bc;Google Update Service (gupdate1ca2d8e9b0d77bc);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [4/9/2009 15:36 133104]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/6/2009 15:04 38224]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 XDva286;XDva286;\??\c:\windows\system32\XDva286.sys --> c:\windows\system32\XDva286.sys [?]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - HELPSVC

.

Contents of the 'Scheduled Tasks' folder

 

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-09-04 18:35]

 

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-09-04 18:35]

 

2010-05-15 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-06-14 17:48]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

LSP: c:\arquivos de programas\Avira\AntiVir Desktop\avsda.dll

FF - ProfilePath - c:\documents and settings\leandro.PESSOAL\Dados de aplicativos\Mozilla\Firefox\Profiles\ex332ge4.default\

FF - plugin: c:\arquivos de programas\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\arquivos de programas\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-ares - c:\arquivos de programas\Ares\Ares.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-18 10:40

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sppn.sys >>UNKNOWN [0x8A301938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28

\Driver\ACPI -> ACPI.sys @ 0xb7e66cb8

\Driver\atapi -> atapi.sys @ 0xb7dfbb40

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(1312)

c:\arquivos de programas\GBPLUGIN\gbieh.dll

 

- - - - - - - > 'lsass.exe'(1368)

c:\arquivos de programas\Avira\AntiVir Desktop\avsda.dll

 

- - - - - - - > 'explorer.exe'(3948)

c:\windows\system32\WININET.dll

c:\arquivos de programas\Unlocker\UnlockerHook.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\arquivos de programas\GBPLUGIN\gbieh.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe

c:\arquivos de programas\Avira\AntiVir Desktop\avshadow.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Google\Update\1.2.183.29\GoogleCrashHandler.exe

c:\arquivos de programas\CDBurnerXP\NMSAccessU.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\windows\system32\RUNDLL32.EXE

c:\windows\SOUNDMAN.EXE

.

**************************************************************************

.

Completion time: 2010-06-18 10:49:57 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-18 13:49

 

Pre-Run: 11 folder(s) 23,844,777,984 bytes free

Post-Run: 15 folder(s) 23,869,812,736 bytes free

 

- - End Of File - - 095F54B949518C1308000C082C9BE473

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:56:43, on 18/6/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avfwsvc.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Arquivos de programas\Google\Update\1.2.183.29\GoogleCrashHandler.exe

C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avmailc.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\HiJackThis\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\leandro.PESSOAL\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avfwsvc.exe

O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avmailc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\AVWEBGRD.EXE

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Arquivos de programas\Firebird\Firebird_2_1\bin\fbserver.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Update Service (gupdate1ca2d8e9b0d77bc) (gupdate1ca2d8e9b0d77bc) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

 

--

End of file - 8361 bytes


Good evening! Leandroctp

 

sorry for the delay in replying, I had some personal problems and couldn't do the procedure

apparently everything is OK with the PC now

<!> Yes! But the ComboFix log points to some necessary restorations.

 

the folder C:\WINDOWS\ServicePackFiles\i386 does not exist, and in the "system32" folder I couldn't replace the existing file

<!> Don't worry, the cache was found and the file was copied.

0000000000000000000

ooooooooooooooooooo

<@> PS: Gmer_MBR, built into ComboFix, detected a boot rootkit.

<@> PS: It may be a "false positive" related to CD-emulator driver(s), or a "bootkit".

 

- Detected MBR rootkit hooks <-- Appears in ComboFix.txt

- CD-emulator drivers can interfere with the scans of anti-rootkit tools, generating false positives.

- PS: Among others, we can cite "DaemonTools" or "Alcohol".

- PS: Defogger is a tool that disables/enables all CD-emulator drivers.

- PS: The tool records all the modifications it makes, as backups, and saves them in the file: "%userprofile%\defogger_reenable"

- PS: When re-enabling the drivers, the tool will look for this file.

- So do not remove it!

<@> Download: < DeFogger > ( by jpshortstuff )

<@> Save it to the desktop!

<@> Close all windows/programs and run it. ( DeFogger.exe )

<@> Click the "Disable" button to disable all CD-emulator drivers.

<@> Then click "Yes" --> "OK".

<@> Allow your computer to be restarted.

<@> PS: If any error message appears during your scan, copy and post the contents of the defogger_disable file.

0000000000000000000

ooooooooooooooooooo

<@> Select and copy all the content in the QUOTE area into Notepad.

<@> Save it on the Desktop with the name: CFScript.txt

 

RESTORE::

c:\windows\system32\sfcfiles.dll

SRPEEK::

c:\windows\System32\wscntfy.exe

c:\windows\System32\regsvc.dll

FOLDER::

C:\found.001

C:\found.000

REGISTRY::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 1 (0x0)

DRIVER::

"npggsvc"

"XDva286"

"HELPSVC"

<@> PS: It is recommended that you be disconnected from the internet when running the script.

<@> PS: Temporarily disable your antivirus.

<@> PS: Do not use this script on another machine!

<@> Drag CFScript.txt onto the ComboFix icon.

<@> See the demonstration!

 

[animated demonstration image: dragging CFScript.txt onto the ComboFix icon]

 

<@> Accept the prompt that should appear to run ComboFix.

<@> PS: Keep dragging until that prompt ( window ) appears!

<@> When finished, post the reports: C:\ComboFix.txt + an updated HijackThis log.

 

Regards!


I couldn't open ComboFix; after the loading (what appears in the image) nothing else appears (I tried several times)

///////// Good evening! Leandroctp \\\\\\\\\

 

<!> PS: Delete the ComboFix tool following the procedure just below, and download it again.

000000000000000000

oooooooooooooooooo

<@> Go to Start --> Run --> Type or paste: combofix.exe /uninstall --> Click OK.

 

[screenshot of the Run dialog with the uninstall command]

 

<@> The following window will open: ( Open File - Security Warning )

<@> Click Run --> Wait!

<@> Finally, the message will appear: "ComboFix is uninstalled" --> Click OK.

<@> If you find them, delete: C:\ComboFix <-- The folder! + C:\ComboFix.txt <-- The report!

<@> Or go to Start --> Run --> Type or paste:

 

"%userprofile%\desktop\combofix" /uninstall

 

<@> Click OK.

<@> Now download it again and run your script --> Post the report!

 

Regards!


Topic Archived

 

Since the author did not reply for more than 30 days, the topic has been archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of the area together with the link to this topic and explain the reason for reopening it.
