
Archived

This topic has been archived and is closed to new replies.

Lucas Tomasi

[Solved!] Antivirus reports a virus in RAM

Recommended Posts

Hello,

 

I use the Avast antivirus and it has already raised a virus-in-RAM alert about 3 times. It asks me to restart the computer so that a boot-time scan can be run.

The first two times the boot-time scan found nothing; the third time it did show up and I told it to delete, but when Windows came up the alert appeared again.

Avast flags the files rdtcgn.sys and tyzsoujf.sys in the Windows/System32/Drivers/ folder.

Since these alerts started, the internet is slow at times.

 

Below is the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:59:21, on 11/7/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Hijack\HiJackThis.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Livro de recortes HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Seleção HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Arquivos de programas\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://www.bancobrasil.com.br

O15 - Trusted Zone: http://www.bb.com.br

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

 

--

End of file - 6177 bytes

 

 

Thanks in advance for your attention.


Good afternoon.

 

*Temporarily disable your antivirus

 

Right-click the Avast icon next to the clock > select "Pause resident protection" > confirm.

*Download ComboFix and save it to the desktop

 

*Run ComboFix and accept the license agreement

 

*If the Windows Recovery Console is already installed, ComboFix will continue automatically. Otherwise, click [YES] to install it.

 

recovery-console-prompt.jpg

 

*Click [YES] to continue.

 

recovery-console-installed.jpg

 

*Wait for all the stages to finish

 

etapas.jpg

 

*While ComboFix is running, do not use the mouse or keyboard!! To abort the procedure press N or 2 and then ENTER.

 

*The program will close automatically and a report (C:\combofix.txt) will be shown. Paste it in your next reply.


When it reached the "Processing report" stage, the Start bar and the desktop shortcuts disappeared, and it has been at that stage for about 20 minutes. It seems the computer isn't processing anything.. the red LED doesn't even blink... is that normal?


I couldn't abort the procedure, I had to force-restart the computer... I'll try running ComboFix again.

 

I ran it again and this time it worked; the generated log is below:

 

ComboFix 10-07-11.02 - geral 11/07/2010 18:13:16.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2038.1556 [GMT -3:00]

Executando de: c:\documents and settings\geral\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1368 [VPS 100711-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

ADS - drivers: deleted 204 bytes in 1 streams.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Execuções precedente -------

.

c:\documents and settings\All Users\Dados de aplicativos\dkwork.ini

c:\documents and settings\All Users\Dados de aplicativos\UpApp32.dll

c:\documents and settings\geral\Cookies\geral@managerzone.uol.com[2].txt

c:\documents and settings\sadir\Dados de aplicativos\avdrn.dat

c:\documents and settings\sadir\Menu Iniciar\Programas\Inicializar\srvklw32.exe

c:\windows\system32\AutoRun.inf

c:\windows\system32\fjhdyfhsn.bat

c:\windows\system32\Ijl11.dll

 

.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-06-11 to 2010-07-11 ))))))))))))))))))))))))))))

.

 

2010-07-11 17:56 . 2010-07-11 17:59 -------- d-----w- C:\Hijack

2010-07-10 13:23 . 2010-07-11 21:18 540672 ----a-w- c:\windows\system32\drivers\rdtcgn.sys

2010-07-09 19:35 . 2010-07-11 21:18 767488 ----a-w- c:\windows\system32\drivers\tyzsoujf.sys

2010-07-04 18:28 . 2010-07-05 12:41 478 ---ha-w- C:\os282379.bin

2010-07-04 18:23 . 2010-07-04 18:23 -------- d-----w- c:\windows\Vbox

2010-07-04 18:23 . 2010-07-04 18:23 -------- d-----w- c:\arquivos de programas\TI Education

2010-07-04 13:56 . 2010-07-04 13:56 -------- d-----w- c:\arquivos de programas\Maxima-5.21.1

2010-07-01 22:49 . 2010-07-01 22:49 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macromedia

2010-07-01 22:49 . 2010-07-01 22:49 -------- d-----w- c:\arquivos de programas\Macromedia

2010-07-01 22:48 . 2010-07-01 22:48 -------- d-----w- c:\windows\Downloaded Installations

2010-07-01 14:56 . 2010-07-01 14:56 -------- d-----w- c:\arquivos de programas\SSH Communications Security

2010-06-30 13:08 . 2010-06-30 13:08 -------- d-----w- c:\documents and settings\fabricio\.receitanet

2010-06-28 12:07 . 2010-06-28 12:07 -------- d-----w- c:\documents and settings\sadir\Dados de aplicativos\HP

2010-06-24 00:18 . 2010-07-09 19:57 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Symantec Shared

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Norton

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\windows\system32\drivers\NSS

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Symantec

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\arquivos de programas\Norton Security Scan

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NortonInstaller

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\arquivos de programas\NortonInstaller

2010-06-21 16:12 . 2010-06-21 16:12 503808 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4ac712cc-n\msvcp71.dll

2010-06-21 16:12 . 2010-06-21 16:12 499712 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4ac712cc-n\jmc.dll

2010-06-21 16:12 . 2010-06-21 16:12 348160 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4ac712cc-n\msvcr71.dll

2010-06-21 16:12 . 2010-06-21 16:12 61440 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-69fb8f77-n\decora-sse.dll

2010-06-21 16:12 . 2010-06-21 16:12 12800 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-69fb8f77-n\decora-d3d.dll

2010-06-21 15:11 . 2010-06-21 15:11 503808 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26947860-n\msvcp71.dll

2010-06-21 15:11 . 2010-06-21 15:11 499712 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26947860-n\jmc.dll

2010-06-21 15:11 . 2010-06-21 15:11 348160 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26947860-n\msvcr71.dll

2010-06-21 15:11 . 2010-06-21 15:11 61440 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-48758a43-n\decora-sse.dll

2010-06-21 15:11 . 2010-06-21 15:11 12800 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-48758a43-n\decora-d3d.dll

2010-06-20 22:58 . 2010-06-20 22:58 -------- d-----w- c:\documents and settings\geral\.m2

2010-06-20 21:25 . 2010-06-20 21:30 -------- d-----w- c:\documents and settings\geral\.netbeans

2010-06-20 21:24 . 2010-06-20 21:24 -------- d-----w- c:\documents and settings\geral\.netbeans-registration

2010-06-20 21:23 . 2010-06-20 21:24 -------- d-----w- c:\arquivos de programas\NetBeans 6.9

2010-06-20 21:22 . 2010-06-20 21:22 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2010-06-20 21:21 . 2010-06-20 21:21 -------- d-----w- c:\arquivos de programas\Sun

2010-06-20 21:21 . 2010-06-20 21:21 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-20 21:03 . 2010-06-20 21:29 -------- d-----w- c:\documents and settings\geral\.nbi

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-11 10:04 . 2009-11-08 11:42 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2010-07-10 13:23 . 2010-07-10 13:23 16 ----a-w- c:\windows\system32\config\systemprofile\Dados de aplicativos\hwzypv.dat

2010-07-09 19:35 . 2010-07-09 19:35 12 ----a-w- c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat

2010-07-04 14:13 . 2009-10-09 10:36 151591 ----a-w- c:\windows\hpoins14.dat

2010-07-01 14:56 . 2008-10-16 02:00 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2010-07-01 14:56 . 2008-10-16 01:59 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2010-06-20 21:19 . 2009-10-18 13:01 -------- d-----w- c:\arquivos de programas\Java

2010-06-08 17:50 . 2010-06-08 17:50 -------- d-----w- c:\documents and settings\geral\Dados de aplicativos\Unity

2010-06-07 22:45 . 2010-06-07 22:45 -------- d-----w- c:\arquivos de programas\Microsoft

2010-06-07 22:45 . 2010-06-07 22:45 -------- d-----w- c:\arquivos de programas\Windows Live

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\arquivos de programas\QuickTime

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Apple Computer

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Apple

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\arquivos de programas\Apple Software Update

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Apple

2010-06-02 10:07 . 2009-11-08 11:42 -------- d-----w- c:\arquivos de programas\GbPlugin

2010-05-29 14:46 . 2010-05-29 14:45 -------- d-----w- c:\arquivos de programas\Google

2010-05-26 13:48 . 2009-11-08 11:43 45472 ----a-w- c:\windows\system32\drivers\gbpkm.sys

2010-04-17 01:12 . 2010-04-17 01:12 48464 ----a-w- c:\windows\system32\sirenacm.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2010-03-18 421888]

"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

HP Digital Imaging Monitor.lnk - c:\arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2010-05-26 13:47 335136 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Windows Search.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^sadir^Menu Iniciar^Programas^Inicializar^srvklw32.exe]

path=c:\documents and settings\sadir\Menu Iniciar\Programas\Inicializar\srvklw32.exe

backup=c:\windows\pss\srvklw32.exeStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-03-11 23:34 49152 ----a-w- c:\arquivos de programas\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-13 22:21 1695232 ----a-w- c:\arquivos de programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-04-17 01:12 3872080 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"MDM"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [8/11/2009 08:43 45472]

R0 rseb;rseb;c:\windows\system32\drivers\rseb.sys [1/6/2004 19:44 15266]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15/10/2008 22:46 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/10/2008 22:46 20560]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [8/11/2009 08:43 55072]

S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [29/5/2010 11:45 136176]

 

--- =Outros Serviços/Drivers Na Memória ---

 

*Deregistered* - rdtcgn

*Deregistered* - tyzsoujf

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-05-29 14:45]

 

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-05-29 14:45]

 

2010-07-10 c:\windows\Tasks\Norton Security Scan for sadir.job

- c:\arquivos de programas\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-22 12:48]

.

.

------- Scan Suplementar -------

.

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: bancobrasil.com.br\www

Trusted Zone: bancobrasil.com.br\www14

Trusted Zone: bancobrasil.com.br\www2

Trusted Zone: bb.com.br\www

DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab

FF - ProfilePath - c:\documents and settings\geral\Dados de aplicativos\Mozilla\Firefox\Profiles\cy23hb98.default\

FF - plugin: c:\arquivos de programas\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\arquivos de programas\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORFÃOS REMOVIDOS - - - -

 

MSConfigStartUp-SunJavaUpdateSched - c:\arquivos de programas\Java\jre6\bin\jusched.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-11 18:18

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdtcgn]

 

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tyzsoujf]

 

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(736)

c:\arquivos de programas\GBPLUGIN\gbieh.dll

.

Tempo para conclusão: 2010-07-11 18:19:42

ComboFix-quarantined-files.txt 2010-07-11 21:19

 

Pré-execução: 2.130.456.576 bytes disponíveis

Pós execução: 2.093.535.232 bytes disponíveis

 

- - End Of File - - A362536AAE3CEBB77FF908509E4887E8

 

 

Thanks in advance for your attention.


Submit the files below for analysis at http://www.virustotal.com.br

 

c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat

c:\documents and settings\sadir\Menu Iniciar\Programas\Inicializar\srvklw32.exe

Paste the result links for each analysis.

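The helper picked those two files, and the two .sys drivers, out of the ComboFix "files created" and Find3M listings by eye. As an added example that is not from this thread or from ComboFix itself, here is a small Python triage script that parses lines of that format and flags the same kinds of indicators: kernel drivers created inside the scan window, hidden files dropped in the drive root, tiny data files under service-account profiles, and random-looking names. The sample log is constructed from lines quoted in the thread; the thresholds are assumptions, and a hit is a lead to look into, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One ComboFix file line: "<created> . <modified> <size|--------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Constructed sample: lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2010-07-11 17:56 . 2010-07-11 17:59 -------- d-----w- C:\Hijack
2010-07-10 13:23 . 2010-07-11 21:18 540672 ----a-w- c:\windows\system32\drivers\rdtcgn.sys
2010-07-09 19:35 . 2010-07-11 21:18 767488 ----a-w- c:\windows\system32\drivers\tyzsoujf.sys
2010-07-04 18:28 . 2010-07-05 12:41 478 ---ha-w- C:\os282379.bin
2010-06-20 21:21 . 2010-06-20 21:21 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 19:35 . 2010-07-09 19:35 12 ----a-w- c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat
2010-05-26 13:48 . 2009-11-08 11:43 45472 ----a-w- c:\windows\system32\drivers\gbpkm.sys
"""


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str            # e.g. "----a-w-" or "---ha-w-" (h = hidden)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, blanks and other noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    fmt = "%Y-%m-%d %H:%M"
    return Entry(datetime.strptime(m["created"], fmt),
                 datetime.strptime(m["modified"], fmt),
                 size, m["attrs"], m["path"])


# Profiles that normally hold no user-created data files (assumed list).
SERVICE_PROFILES = ("\\networkservice\\", "\\localservice\\", "\\config\\systemprofile\\")
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Pronounceability heuristic: long all-letter stems with almost no vowels."""
    stem = stem.lower()
    if not stem.isalpha() or len(stem) < 6:
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3   # threshold is an assumption


def triage(entry: Entry) -> List[str]:
    """Return the list of reasons an entry deserves a closer look (empty = nothing)."""
    reasons: List[str] = []
    p = entry.path.lower()
    if entry.is_dir:
        return reasons
    if "\\system32\\drivers\\" in p and p.endswith(".sys"):
        reasons.append("kernel driver created inside the scan window")
    if entry.is_hidden and p.count("\\") == 1:
        reasons.append("hidden file dropped in the drive root")
    if any(s in p for s in SERVICE_PROFILES) and entry.size is not None and entry.size <= 64:
        reasons.append("tiny data file under a service-account profile")
    # Name heuristic only strengthens an existing lead; on its own it is too noisy.
    if reasons and looks_random(entry.name.rsplit(".", 1)[0]):
        reasons.append("random-looking file name")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons, skipping unparseable lines."""
    hits: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            hits[entry.path] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

Note that the legitimate banking-plugin driver gbpkm.sys is also listed, with only the driver reason: the script narrows the list to check, it does not replace verifying each file (for instance via the VirusTotal submission requested above).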

*Open Notepad and paste into it the entire contents of the code below:

 

File::

c:\windows\system32\drivers\rdtcgn.sys

c:\windows\system32\drivers\tyzsoujf.sys

c:\documents and settings\sadir\Menu Iniciar\Programas\Inicializar\srvklw32.exe

c:\windows\pss\srvklw32.exe

FileLook::

c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat

Registry::

[-HKLM\~\startupfolder\C:^Documents and Settings^sadir^Menu Iniciar^Programas^Inicializar^srvklw32.exe]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdtcgn]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tyzsoujf]

*Save the file to the desktop as CFScript.txt

*Drag the file onto ComboFix as shown in the illustration below:

 

CFScript.gif

 

*Important: while ComboFix is running, do not use the mouse or keyboard!! To abort the process press N or 2.

*Paste the report created at C:\combofix.txt


ComboFix 10-07-11.02 - geral 12/07/2010 11:00:16.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2038.1572 [GMT -3:00]

Executando de: c:\documents and settings\geral\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\geral\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1368 [VPS 100711-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

 

FILE ::

"c:\documents and settings\sadir\Menu Iniciar\Programas\Inicializar\srvklw32.exe"

"c:\windows\pss\srvklw32.exe"

"c:\windows\system32\drivers\rdtcgn.sys"

"c:\windows\system32\drivers\tyzsoujf.sys"

.

ADS - drivers: deleted 154 bytes in 1 streams.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\drivers\rdtcgn.sys

c:\windows\system32\drivers\tyzsoujf.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_rdtcgn

-------\Legacy_tyzsoujf

-------\Service_rdtcgn

-------\Service_tyzsoujf

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2010-06-12 to 2010-07-12 ))))))))))))))))))))))))))))

.

 

2010-07-11 17:56 . 2010-07-11 17:59 -------- d-----w- C:\Hijack

2010-07-04 18:28 . 2010-07-05 12:41 478 ---ha-w- C:\os282379.bin

2010-07-04 18:23 . 2010-07-04 18:23 -------- d-----w- c:\windows\Vbox

2010-07-04 18:23 . 2010-07-04 18:23 -------- d-----w- c:\arquivos de programas\TI Education

2010-07-04 13:56 . 2010-07-04 13:56 -------- d-----w- c:\arquivos de programas\Maxima-5.21.1

2010-07-01 22:49 . 2010-07-01 22:49 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Macromedia

2010-07-01 22:49 . 2010-07-01 22:49 -------- d-----w- c:\arquivos de programas\Macromedia

2010-07-01 22:48 . 2010-07-01 22:48 -------- d-----w- c:\windows\Downloaded Installations

2010-07-01 14:56 . 2010-07-01 14:56 -------- d-----w- c:\arquivos de programas\SSH Communications Security

2010-06-30 13:08 . 2010-06-30 13:08 -------- d-----w- c:\documents and settings\fabricio\.receitanet

2010-06-28 12:07 . 2010-06-28 12:07 -------- d-----w- c:\documents and settings\sadir\Dados de aplicativos\HP

2010-06-24 00:18 . 2010-07-09 19:57 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Symantec Shared

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Norton

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\windows\system32\drivers\NSS

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Symantec

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\arquivos de programas\Norton Security Scan

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\NortonInstaller

2010-06-22 13:17 . 2010-06-22 13:17 -------- d-----w- c:\arquivos de programas\NortonInstaller

2010-06-20 22:58 . 2010-06-20 22:58 -------- d-----w- c:\documents and settings\geral\.m2

2010-06-20 21:25 . 2010-06-20 21:30 -------- d-----w- c:\documents and settings\geral\.netbeans

2010-06-20 21:24 . 2010-06-20 21:24 -------- d-----w- c:\documents and settings\geral\.netbeans-registration

2010-06-20 21:23 . 2010-06-20 21:24 -------- d-----w- c:\arquivos de programas\NetBeans 6.9

2010-06-20 21:22 . 2010-06-20 21:22 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java

2010-06-20 21:21 . 2010-06-20 21:21 -------- d-----w- c:\arquivos de programas\Sun

2010-06-20 21:21 . 2010-06-20 21:21 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-20 21:03 . 2010-06-20 21:29 -------- d-----w- c:\documents and settings\geral\.nbi

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-12 14:06 . 2009-11-08 11:42 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2010-07-12 04:19 . 2001-10-28 15:07 82770 ----a-w- c:\windows\system32\perfc016.dat

2010-07-12 04:19 . 2001-10-28 15:07 476876 ----a-w- c:\windows\system32\perfh016.dat

2010-07-10 13:23 . 2010-07-10 13:23 16 ----a-w- c:\windows\system32\config\systemprofile\Dados de aplicativos\hwzypv.dat

2010-07-09 19:35 . 2010-07-09 19:35 12 ----a-w- c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat

2010-07-04 14:13 . 2009-10-09 10:36 151591 ----a-w- c:\windows\hpoins14.dat

2010-07-01 14:56 . 2008-10-16 02:00 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2010-07-01 14:56 . 2008-10-16 01:59 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield

2010-06-21 16:12 . 2010-06-21 16:12 503808 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4ac712cc-n\msvcp71.dll

2010-06-21 16:12 . 2010-06-21 16:12 499712 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4ac712cc-n\jmc.dll

2010-06-21 16:12 . 2010-06-21 16:12 348160 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4ac712cc-n\msvcr71.dll

2010-06-21 16:12 . 2010-06-21 16:12 61440 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-69fb8f77-n\decora-sse.dll

2010-06-21 16:12 . 2010-06-21 16:12 12800 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-69fb8f77-n\decora-d3d.dll

2010-06-21 15:11 . 2010-06-21 15:11 503808 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26947860-n\msvcp71.dll

2010-06-21 15:11 . 2010-06-21 15:11 499712 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26947860-n\jmc.dll

2010-06-21 15:11 . 2010-06-21 15:11 348160 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26947860-n\msvcr71.dll

2010-06-21 15:11 . 2010-06-21 15:11 61440 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-48758a43-n\decora-sse.dll

2010-06-21 15:11 . 2010-06-21 15:11 12800 ----a-w- c:\documents and settings\geral\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-48758a43-n\decora-d3d.dll

2010-06-20 21:19 . 2009-10-18 13:01 -------- d-----w- c:\arquivos de programas\Java

2010-06-08 17:50 . 2010-06-08 17:50 -------- d-----w- c:\documents and settings\geral\Dados de aplicativos\Unity

2010-06-07 22:45 . 2010-06-07 22:45 -------- d-----w- c:\arquivos de programas\Microsoft

2010-06-07 22:45 . 2010-06-07 22:45 -------- d-----w- c:\arquivos de programas\Windows Live

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\arquivos de programas\QuickTime

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Apple Computer

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Apple

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\arquivos de programas\Apple Software Update

2010-06-04 18:17 . 2010-06-04 18:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Apple

2010-06-02 10:07 . 2009-11-08 11:42 -------- d-----w- c:\arquivos de programas\GbPlugin

2010-05-29 14:46 . 2010-05-29 14:45 -------- d-----w- c:\arquivos de programas\Google

2010-05-26 13:48 . 2009-11-08 11:43 45472 ----a-w- c:\windows\system32\drivers\gbpkm.sys

2010-05-04 17:17 . 2008-10-15 23:05 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:17 . 2008-10-15 23:21 78336 ------w- c:\windows\system32\ieencode.dll

2010-05-04 17:17 . 2001-10-28 15:06 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 08:08 . 2001-10-28 15:07 1851392 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:31 . 2001-10-28 15:06 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-17 01:12 . 2010-04-17 01:12 48464 ----a-w- c:\windows\system32\sirenacm.dll

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

--- c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat ---

Company: ------

File Description: ------

File Version: ------

Product Name: ------

Copyright: ------

Original Filename: ------

File size: 12

Created time: 2010-07-09 19:35

Modified time: 2010-07-09 19:35

MD5: 92E22C532DF3567061DAE395C33E9FC2

SHA1: D327E6EC5859CD4099ABF58393D3DE44C530C287

 

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2010-03-18 421888]

"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2010-02-18 248040]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

HP Digital Imaging Monitor.lnk - c:\arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2010-05-26 13:47 335136 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Windows Search.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-03-11 23:34 49152 ----a-w- c:\arquivos de programas\HP\HP Software Update\hpwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-13 22:21 1695232 ----a-w- c:\arquivos de programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-04-17 01:12 3872080 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"MDM"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

 

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [8/11/2009 08:43 45472]

R0 rseb;rseb;c:\windows\system32\drivers\rseb.sys [1/6/2004 19:44 15266]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15/10/2008 22:46 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/10/2008 22:46 20560]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [8/11/2009 08:43 55072]

S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [29/5/2010 11:45 136176]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-05-29 14:45]

 

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-05-29 14:45]

 

2010-07-10 c:\windows\Tasks\Norton Security Scan for sadir.job

- c:\arquivos de programas\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-22 12:48]

.

.

------- Scan Suplementar -------

.

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: bancobrasil.com.br\www

Trusted Zone: bancobrasil.com.br\www14

Trusted Zone: bancobrasil.com.br\www2

Trusted Zone: bb.com.br\www

DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab

FF - ProfilePath - c:\documents and settings\geral\Dados de aplicativos\Mozilla\Firefox\Profiles\cy23hb98.default\

FF - plugin: c:\arquivos de programas\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\arquivos de programas\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-12 11:07

Windows 5.1.2600 Service Pack 3 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

 

c:\windows\system32\drivers:IncompleteBoot.cnt 8 bytes hidden from API

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 1

 

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'winlogon.exe'(712)

c:\arquivos de programas\GBPLUGIN\gbieh.dll

 

- - - - - - - > 'explorer.exe'(532)

c:\windows\system32\WININET.dll

c:\arquivos de programas\GBPLUGIN\gbieh.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe

c:\windows\system32\SearchIndexer.exe

c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-07-12 11:11:26 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-07-12 14:11

ComboFix2.txt 2010-07-11 21:19

 

Pré-execução: 1.345.298.432 bytes disponíveis

Pós execução: 1.318.060.032 bytes disponíveis

 

- - End Of File - - FBDD7F439F33070850156CEE7EBE9CAF
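
Added example (written for this edit, not part of the thread and not one of the helper's tools): a small Python triage script that parses Find3M-style entries like those in the ComboFix log above and flags small files written into the application-data folders of service-account profiles (systemprofile, NetworkService, LocalService), which is the pattern the two hwzypv.dat entries show, and then reads a "Look" block and compares its MD5 against a watchlist. The sample lines are constructed from the shape of the log, the 64-byte threshold and the profile and application-data path fragments are assumptions, and the only watchlist hash is the MD5 the log itself reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines, copied in shape from the Find3M section of the
# ComboFix log in this thread (built for the example, not a new capture).
SAMPLE_FIND3M = r"""2010-07-12 04:19 . 2001-10-28 15:07 82770 ----a-w- c:\windows\system32\perfc016.dat
2010-07-10 13:23 . 2010-07-10 13:23 16 ----a-w- c:\windows\system32\config\systemprofile\Dados de aplicativos\hwzypv.dat
2010-07-09 19:35 . 2010-07-09 19:35 12 ----a-w- c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat
2010-06-21 16:12 . 2010-06-21 16:12 503808 ----a-w- c:\documents and settings\sadir\Dados de aplicativos\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4ac712cc-n\msvcp71.dll
2010-06-20 21:19 . 2009-10-18 13:01 -------- d-----w- c:\arquivos de programas\Java
"""

# Constructed sample of a ComboFix "Look" block for the same file.
SAMPLE_LOOK = r"""--- c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat ---
Company: ------
File Description: ------
File size: 12
Created time: 2010-07-09 19:35
Modified time: 2010-07-09 19:35
MD5: 92E22C532DF3567061DAE395C33E9FC2
SHA1: D327E6EC5859CD4099ABF58393D3DE44C530C287
"""

# One Find3M entry: created . modified size attrs path  (size is "--------" for directories)
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Assumed path fragments: service-account profiles and localized application-data folders.
SERVICE_PROFILES = ("\\config\\systemprofile\\", "\\networkservice\\", "\\localservice\\")
APPDATA_DIRS = ("\\application data\\", "\\dados de aplicativos\\")

# Watchlist holds only the MD5 reported in this thread's log (not an independent IoC).
WATCHLIST = {"92E22C532DF3567061DAE395C33E9FC2"}


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_find3m(text: str) -> List[Entry]:
    """Parse Find3M-style lines; lines that do not match the layout are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = m["size"]
        entries.append(Entry(m["created"], m["modified"],
                             int(size) if size.isdigit() else None,
                             m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry], max_size: int = 64) -> List[Entry]:
    """Flag small files sitting in the application-data folder of a service-account profile.

    Legitimate software rarely writes tiny, version-less data files there; the threshold
    (assumed 64 bytes) is a heuristic, so flagged entries are leads to inspect, not verdicts.
    """
    flagged = []
    for e in entries:
        if e.is_dir or e.size is None:
            continue
        p = e.path.lower()
        in_service_profile = any(s in p for s in SERVICE_PROFILES)
        in_appdata = any(a in p for a in APPDATA_DIRS)
        if in_service_profile and in_appdata and e.size <= max_size:
            flagged.append(e)
    return flagged


def parse_look_block(text: str) -> Dict[str, str]:
    """Turn a ComboFix 'Look' block into a dict; the '--- path ---' header becomes 'path'."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("--- ") and line.endswith(" ---"):
            info["path"] = line[4:-4]
        elif ": " in line:
            key, value = line.split(": ", 1)
            info[key] = value
    return info


def matches_watchlist(info: Dict[str, str], watchlist=WATCHLIST) -> bool:
    """Case-insensitive MD5 comparison against the watchlist."""
    return info.get("MD5", "").upper() in {h.upper() for h in watchlist}


if __name__ == "__main__":
    for e in triage(parse_find3m(SAMPLE_FIND3M)):
        print(f"suspect: {e.path} ({e.size} bytes, created {e.created})")
    look = parse_look_block(SAMPLE_LOOK)
    print("watchlist hit:", matches_watchlist(look), look.get("path"))
```

The two hwzypv.dat entries are the only ones flagged on the sample; the perfc016.dat counters live in system32 rather than a profile, the Java cache DLLs are far above the size threshold, and directory entries are skipped.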


*Open Notepad and paste the whole content of the code below into it:

 

File::

c:\windows\system32\config\systemprofile\Dados de aplicativos\hwzypv.dat

c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat

*Save the file on the desktop as CFScript.txt

*Drag the file onto ComboFix as shown in the illustration below:

 

[image: CFScript.gif]

 

*Important: while ComboFix is running, avoid using the mouse and keyboard! To interrupt the process, press N or 2.

 

*Paste the report created at C:\combofix.txt


I dragged the CFScript.txt file onto ComboFix, then a ComboFix progress bar appears, it disappears, and it goes no further... That window with the blue background and so on doesn't open.


OK....

 

*Download Avenger and extract its contents to the desktop

*Select and copy (Ctrl+C) all of the code below:

 

Files to delete:

c:\windows\system32\config\systemprofile\Dados de aplicativos\hwzypv.dat

c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat

*Run Avenger

*Click [Load Script] > [Paste from Clipboard]

*Click [Execute] > [OK]

*The PC will be restarted

*Paste the report created at C:\avenger.txt


http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

File "c:\windows\system32\config\systemprofile\Dados de aplicativos\hwzypv.dat" deleted successfully.

File "c:\documents and settings\NetworkService\Dados de aplicativos\hwzypv.dat" deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.


OK...the PC is clean. :)

 

 

1.

*Delete Avenger, the C:\avenger folder and the C:\avenger.txt file

 

2.

*Click [Start] > [Run] > type: Combofix /uninstall

*Click [OK]

 

[image: 92674490.jpg]

 

*Click [Run]

*Wait until the message "ComboFix está desinstalado" appears

*Click [OK]

 

3.

Remove the Microsoft Windows Recovery Console option from the PC's startup

 

[image: e77719d869.jpg]

*Click [Start] > [Run] > type: msconfig

*Click OK

*Click the "BOOT.INI" tab

*Select the line C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

 

[image: removercombofix1.jpg]

 

*Click [Check All Boot Paths]

*Click [Yes] > [OK]

 

[image: removercombofix2.jpg]

 

*Restart the PC

*When Windows starts, the System Configuration Utility will report that it has been changed.

*Click "Don't show this message or launch the System Configuration Utility when Windows starts"

 

 

Regards.


I can't uninstall ComboFix following the procedure you gave...

It's the same as before: the progress bar appears, it asks me to disable the antivirus, and then nothing happens.


Rapport Supress'tools

Supress'tools a été éxécuté le 12/07/2010 à 19 : 15

Par geral

Système d'exploitation : WIN_XP / X86 / Service Pack 3

Mode | Suppression |

 

 

¤¤¤¤¤¤¤ C:\ ¤¤¤¤¤¤¤

 

ComboFix.txt Supprimé

Qoobox Supprimé !

 

¤¤¤¤¤¤¤ C:\Documents and Settings\geral\Desktop\ ¤¤¤¤¤¤¤

 

CFScript.txt Supprimé !

ComboFix.exe Supprimé !

 

¤¤¤¤¤¤¤ C:\Documents and Settings\geral\Meus documentos\Téléchargements ¤¤¤¤¤¤¤

 

 

¤¤¤¤¤¤¤ C:\WINDOWS\ ¤¤¤¤¤¤¤

 

mbr.exe Supprimé !

 

¤¤¤¤¤¤¤ C:\Documents and Settings\All Users\Menu Iniciar\Programmes\ ¤¤¤¤¤¤¤

 

 

¤¤¤¤¤¤¤ C:\Arquivos de programas\ ¤¤¤¤¤¤¤

 

 

¤¤¤¤¤¤¤ C:\WINDOWS\Prefetch\ ¤¤¤¤¤¤¤

 

COMBOFIX.EXE-194A3814.pf Supprimé !

 

¤¤¤¤¤¤¤ Registre ¤¤¤¤¤¤¤

 

 

((((((((((((((( EOF )))))))))))))))


OK...ComboFix is uninstalled.

 

*Double-click Supresstools

*Click [Désinstaller] > OK

*Delete the Supresstools program saved on the desktop

 

 

Regards.


PROBLEM SOLVED!

 

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
