borgesu

Help with malware (various), please!


Hello friends, my computer has viruses/malware and several problems are happening, for example: IE windows popping up all the time with strange sites, system error messages, several .tmp files in the root of my Documents folder (I can't delete them!), two icons that appeared on the Desktop (pretending to be Windows Update, but the shortcuts point to unknown sites), and the computer is extremely slow (it's a Core Duo with 2GB RAM). Please, I will be very grateful to anyone who can help!! The HijackThis log is as follows:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:09:46, on 20/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de Programas\ISS\DesktopProtection\blackd.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\PSIService.exe

C:\Arquivos de Programas\ISS\DesktopProtection\RapApp.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Arquivos de programas\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de Programas\ISS\DesktopProtection\vpatch.exe

C:\Arquivos de programas\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\Arquivos de programas\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\System32\alg.exe

C:\ARQUIV~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

C:\Arquivos de programas\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Arquivos de programas\ISS\DesktopProtection\blackice.exe

C:\Arquivos de programas\Trend Micro\OfficeScan Client\pccntupd.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\aikrfrsw.exe

D:\Documents and Settings\ctpb.EP\Meus documentos\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\ARQUIV~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\ARQUIV~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\ARQUIV~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [TkBellExe] C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [60de859e] rundll32.exe "C:\WINDOWS\system32\eihpfdcb.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [stnn] "D:\DOCUME~1\ctpb.EP\MEUSDO~1\ICROSO~1\regsvr32.exe" -vt yazb

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Global Startup: Proventia Desktop Agent.lnk = ?

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O23 - Service: DomainService - - C:\WINDOWS\system32\aikrfrsw.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\tmlisten.exe

--

End of file - 6826 bytes

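The helper in this thread reads the HijackThis log above by eye, and the three entries he later targets (the hex-named `rundll32` Run value, `regsvr32.exe` started from a user profile folder, and the `DomainService` service with no owner) are all visible in the O4 and O23 sections. The script below is an added example, not a tool from the thread or from HijackThis, that automates exactly those three checks. The sample lines are copied from the log above and mixed with legitimate entries so the rules have something to pass; the rule names and the `SYSTEM_BINARIES` list are my own.

```python
"""Triage helper for HijackThis O4 (autostart) and O23 (service) lines.

Added example, not part of the thread or of HijackThis. It encodes three
observations an analyst makes on the log above:
  1. a Run value named with 8 hex digits that launches rundll32,
  2. a Windows system binary (regsvr32.exe, ...) started from outside \WINDOWS,
  3. an O23 service with no owner string at all (HijackThis prints
     "Unknown owner" for unsigned-but-normal services; an empty field is rarer).
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\ARQUIV~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [60de859e] rundll32.exe "C:\WINDOWS\system32\eihpfdcb.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [stnn] "D:\DOCUME~1\ctpb.EP\MEUSDO~1\ICROSO~1\regsvr32.exe" -vt yazb
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Proventia Desktop Agent.lnk = ?
O23 - Service: DomainService - - C:\WINDOWS\system32\aikrfrsw.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\tmlisten.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
HEX_NAME = re.compile(r'^[0-9a-f]{8}$')
O23_PREFIX = "O23 - Service: "
PATH_RE = re.compile(r'[A-Za-z]:\\.*$')           # first drive-letter path on the line
# Binaries that normally live under \WINDOWS; a copy elsewhere is worth a look (assumed list).
SYSTEM_BINARIES = {"regsvr32.exe", "rundll32.exe", "svchost.exe", "csrss.exe",
                   "winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def first_token(cmd: str) -> str:
    """Return the executable part of an O4 command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_o4(line: str) -> list[Finding]:
    m = O4_RE.match(line)
    if not m:
        return []                                  # e.g. "Global Startup" lines
    name, exe = m.group("name"), first_token(m.group("cmd"))
    base = basename(exe)
    findings = []
    # Rule 1: rundll32 launched from a Run value whose name is 8 hex digits.
    if base in ("rundll32", "rundll32.exe") and HEX_NAME.match(name):
        findings.append(Finding("hex_named_rundll32_entry", line))
    # Rule 2: a system binary given an explicit path outside the Windows directory.
    if base in SYSTEM_BINARIES and "\\" in exe and "\\windows\\" not in exe.lower():
        findings.append(Finding("system_binary_outside_windows_dir", line))
    return findings


def check_o23(line: str) -> list[Finding]:
    if not line.startswith(O23_PREFIX):
        return []
    m = PATH_RE.search(line)
    if not m:
        return []
    path = m.group(0)
    # Everything between the prefix and the path is "display name - owner".
    head = line[len(O23_PREFIX):m.start()].rstrip()
    parts = head.rsplit(" - ", 1)
    owner = parts[1].strip() if len(parts) == 2 else ""
    # Rule 3: empty owner (forum whitespace collapsing may leave a lone "-") in system32.
    if owner in ("", "-") and "\\system32\\" in path.lower():
        return [Finding("unowned_service_in_system32", line)]
    return []


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(check_o4(line))
        findings.extend(check_o23(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:36} {f.line}")
```

Run on the sample it reports exactly the three lines the helper went after and stays quiet on the legitimate `rundll32` (ThinkPad power manager), on `ctfmon.exe`, and on the services that carry "Unknown owner". The rules are deliberately narrow: they do not try to guess whether a file name "looks random", because names such as `igfxtray.exe` would trip such a guess.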

- Download ComboFix

  • Temporarily disable the antivirus;
  • Close all open windows;
  • Double-click combofix.exe and press "1" to proceed with the Fix. It may take some time.
  • ComboFix may restart the PC automatically to complete the removal process.
  • When it finishes, a log will be generated at C:\ComboFix.txt.
  • Do not click on the ComboFix window, nor close it by clicking the X, while it is running; do not move the mouse and do not use the keyboard, otherwise it will stop and your desktop will go blank.
  • To stop or exit ComboFix, press "N".
  • Paste ComboFix.txt in your reply.

- Generate a new HijackThis log and paste it in your reply.

  • Topic author
  • Thanks for the help, Melo! Sorry for the delay, I was travelling.

    Here are the ComboFix and HijackThis logs:

    ComboFix 07-12-21.4 - CTPB 2008-01-01 13:21:36.1 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1264 [GMT -3:00]

    Executando de: D:\Documents and Settings\ctpb.EP\Meus documentos\Utility Tools\ComboFix.exe

    * Criado um novo ponto de restauro

    .

    ((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    C:\Temp\1cb

    C:\Temp\1cb\syscheck.log

    C:\Temp\abW9

    C:\Temp\abW9\tPho.log

    C:\WINDOWS\cookies.ini

    C:\WINDOWS\Downloaded Program Files\dolcontrol

    C:\WINDOWS\Downloaded Program Files\dolcontrol\lotusdownloader.inf

    C:\WINDOWS\Downloaded Program Files\dolcontrol\npdolctl.dll

    C:\WINDOWS\Downloaded Program Files\dolcontrol\Regsvr32.exe

    C:\WINDOWS\Downloaded Program Files\q2

    C:\WINDOWS\Downloaded Program Files\q2\qp2.dll

    C:\WINDOWS\Downloaded Program Files\q2\qp2.inf

    C:\WINDOWS\Downloaded Program Files\q2\Regsvr32.exe

    C:\WINDOWS\system32\n5

    C:\WINDOWS\system32\pac.txt

    C:\WINDOWS\system32\rMa01yy

    C:\WINDOWS\system32\v2

    C:\WINDOWS\system32\yahjqevs.dllbox

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\LEGACY_DOMAINSERVICE

    -------\DomainService

    ((((((((((((((((((((((( Ficheiros criados de 2007-12-01 to 2008-01-01 ))))))))))))))))))))))))))))))))

    .

    2008-01-01 13:14 . 2008-01-01 13:14 <DIR> d-------- D:\Documents and Settings\ctpb.EP\Dados de aplicativos\DeepBurner

    2008-01-01 01:58 . 2008-01-01 02:00 <DIR> d-------- C:\Arquivos de programas\BitLord

    2007-12-26 17:10 . 2007-12-26 17:10 <DIR> d--h----- C:\WINDOWS\PIF

    2007-12-22 14:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

    2007-12-22 14:29 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll

    2007-12-22 14:29 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

    2007-12-21 21:05 . 2007-12-21 21:05 <DIR> d-------- C:\Arquivos de programas\SopCast

    2007-12-21 20:08 . 2007-12-21 20:08 <DIR> d-------- C:\Arquivos de programas\Google

    2007-12-21 16:14 . 2007-12-21 16:14 <DIR> d-------- D:\Documents and Settings\ctpb.EP\Contacts

    2007-12-21 16:14 . 2007-12-21 16:14 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

    2007-12-21 16:10 . 2007-12-21 16:12 <DIR> d--hsc--- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller

    2007-12-21 16:00 . 2007-12-21 16:14 <DIR> d-------- C:\Arquivos de programas\Windows Live

    2007-12-21 15:59 . 2007-12-21 15:59 <DIR> d-------- D:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller

    2007-12-21 15:42 . 2007-12-21 15:42 <DIR> d-------- C:\Arquivos de programas\MSXML 6.0

    2007-12-21 15:42 . 2007-12-21 15:42 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

    2007-12-21 15:38 . 2007-12-21 15:38 <DIR> d-------- C:\Arquivos de programas\Synaptics

    2007-12-21 15:29 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll

    2007-12-21 15:29 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

    2007-12-21 15:29 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

    2007-12-21 15:29 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui

    2007-12-21 15:29 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

    2007-12-21 02:19 . 2007-12-21 02:20 14,033 --a------ C:\posFB8.tmp

    2007-12-21 02:03 . 2007-12-21 02:03 14,033 --a------ C:\posF9F.tmp

    2007-12-21 02:02 . 2007-12-21 02:02 14,033 --a------ C:\posF7E.tmp

    2007-12-21 01:41 . 2007-12-21 01:41 14,033 --a------ C:\posDA2.tmp

    2007-12-21 00:23 . 2008-01-01 12:24 <DIR> d-------- D:\Documents and Settings\ctpb.EP\Dados de aplicativos\AVG7

    2007-12-21 00:22 . 2007-12-21 00:22 <DIR> d-------- D:\Documents and Settings\LocalService\Dados de aplicativos\AVG7

    2007-12-21 00:22 . 2007-12-21 00:22 <DIR> d-------- D:\Documents and Settings\All Users\Dados de aplicativos\Grisoft

    2007-12-21 00:22 . 2007-12-21 15:13 <DIR> d-------- D:\Documents and Settings\All Users\Dados de aplicativos\avg7

    2007-12-21 00:22 . 2007-12-21 00:22 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll

    2007-12-21 00:22 . 2007-12-21 00:22 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

    2007-12-21 00:04 . 2007-12-21 00:04 14,033 --a------ C:\pos9C1.tmp

    2007-12-20 23:22 . 2007-12-20 23:22 14,033 --a------ C:\pos7C2.tmp

    2007-12-20 20:34 . 2007-12-20 20:34 14,033 --a------ C:\pos5D3.tmp

    2007-12-20 20:33 . 2007-12-20 20:34 14,033 --a------ C:\pos47D.tmp

    2007-12-20 18:48 . 2007-12-20 18:48 14,033 --a------ C:\pos3E5.tmp

    2007-12-20 18:47 . 2007-12-20 18:47 14,033 --a------ C:\pos9.tmp

    2007-12-20 15:21 . 2007-12-21 00:11 985,695 ---hs---- C:\WINDOWS\system32\bcdfphie.ini

    2007-12-20 11:49 . 2007-12-20 15:19 990,633 ---hs---- C:\WINDOWS\system32\djcdgvqn.ini

    2007-12-18 23:10 . 2007-12-20 11:42 986,292 ---hs---- C:\WINDOWS\system32\yhmnltig.ini

    2007-12-17 21:10 . 2007-12-18 23:07 971,198 ---hs---- C:\WINDOWS\system32\tymrwqqh.ini

    2007-12-16 21:12 . 2007-12-17 21:00 970,521 ---hs---- C:\WINDOWS\system32\uxqgirqe.ini

    2007-12-16 21:05 . 2007-12-20 15:15 297,150 ---hs---- C:\WINDOWS\system32\gjkkj.bak2

    2007-12-10 12:56 . 2007-12-18 23:09 295,766 ---hs---- C:\WINDOWS\system32\gjkkj.bak1

    2007-12-10 12:55 . 2007-12-21 01:11 285,690 ---hs---- C:\WINDOWS\system32\gjkkj.ini

    2007-12-06 21:05 . 2007-12-06 21:05 <DIR> d-------- C:\Arquivos de programas\Positivo

    .

    ((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2007-12-18 00:24 --------- d-----w D:\Documents and Settings\ctpb.EP\Dados de aplicativos\SUPERAntiSpyware.com

    2007-12-18 00:24 --------- d-----w C:\Arquivos de programas\SUPERAntiSpyware

    2007-12-10 20:20 --------- d-----w C:\Arquivos de programas\GbPlugin

    2007-12-07 00:04 --------- d-----w C:\Arquivos de programas\Arquivos comuns\InstallShield

    2007-12-01 23:41 --------- d-----w C:\Arquivos de programas\Ixia

    2007-11-29 06:02 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

    2007-11-29 05:04 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\SUPERAntiSpyware.com

    2007-11-29 05:04 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard

    2007-11-28 19:08 8,133 --sh--w C:\WINDOWS\system32\kjkmp.bak2

    2007-11-27 23:44 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\WinZip

    2007-11-15 21:48 6,510 --sh--w C:\WINDOWS\system32\kjkmp.bak1

    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

    2007-11-06 00:18 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer

    2007-11-06 00:17 --------- d-----w D:\Documents and Settings\ctpb.EP\Dados de aplicativos\Apple Computer

    2007-11-06 00:16 --------- d-----w C:\Arquivos de programas\QuickTime

    2007-11-06 00:15 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\Apple

    2007-11-06 00:15 --------- d-----w C:\Arquivos de programas\Apple Software Update

    2007-10-29 22:44 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll

    2007-10-20 09:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

    2007-10-18 14:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll

    .

    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

    .

    .

    REGEDIT4

    *Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]

    @={36A21736-36C2-4C11-8ACB-D4136F2B57BD}

    [HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]

    2005-03-05 17:28 131072 --a------ C:\WINDOWS\system32\AcSignIcon.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SoundMAXPnP"="C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-12-15 13:19]

    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 12:55]

    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 12:52]

    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 12:55]

    "TPHOTKEY"="C:\ARQUIV~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-12-15 13:00]

    "PWRMGRTR"="C:\ARQUIV~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 00:12]

    "BLOG"="C:\ARQUIV~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 00:12]

    "OfficeScanNT Monitor"="C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe" [2007-01-08 20:20]

    "TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2007-06-20 13:00]

    "QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-06-29 06:24]

    "AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 00:22]

    "SynTPLpr"="C:\Arquivos de programas\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 14:34]

    "SynTPEnh"="C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 14:33]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00]

    "AVG7_Run"="C:\ARQUIV~1\Grisoft\AVG7\avgw.exe" [2007-12-21 00:22]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "disablecad"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

    "{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll [2007-11-20 16:51 347464]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

    notifyf2.dll 2005-07-05 22:45 28672 C:\WINDOWS\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

    tphklock.dll 2005-11-30 19:16 24576 C:\WINDOWS\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]

    C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 2007-11-20 16:51 347464 C:\Arquivos de programas\GbPlugin\gbieh.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    Authentication Packages REG_MULTI_SZ msv1_0 TivoliAP

    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-12-07 00:12]

    R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Arquivos de Programas\ISS\DesktopProtection\vpatch.exe [2006-06-09 16:09]

    R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys [2005-12-15 13:19]

    R3 atmeltpm;atmeltpm;C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 09:20]

    R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\MakoNT.sys [2006-06-09 16:10]

    R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-09-20 13:54]

    R4 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-09-20 13:54]

    S3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-08 13:54]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e0e8acc-7b56-11dc-b31d-0018deca5a80}]

    \Shell\Auto\command - ah.exe

    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ah.exe

    .

    Conte£do da pasta 'Tarefas Agendadas'

    "2008-01-01 16:26:00 C:\WINDOWS\Tasks\PMTask.job"

    - C:\ARQUIV~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE

    .

    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-01-01 13:26:42

    Windows 5.1.2600 Service Pack 2 NTFS

    Procurando processos ocultos ...

    Procurando entradas auto inicializ veis ocultas ...

    Procurando ficheiros ocultos ...

    Varredura completada com sucesso

    Ficheiros ocultos: 0

    **************************************************************************

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe

    -> C:\WINDOWS\system32\tphklock.dll

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]

    -> C:\ARQUIV~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL

    -> C:\ARQUIV~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL

    .

    Tempo para conclusÆo: 2008-01-01 13:27:44 - machine was rebooted

    .

    2007-12-23 22:52:21 --- E O F ---

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 13:46, on 2008-01-01

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\ibmpmsvc.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Arquivos de programas\GbPlugin\GbpSv.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

    C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

    C:\Arquivos de Programas\ISS\DesktopProtection\blackd.exe

    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\ntrtscan.exe

    C:\Arquivos de programas\Citrix\ICA Client\ssonsvr.exe

    C:\WINDOWS\system32\PSIService.exe

    C:\Arquivos de Programas\ISS\DesktopProtection\RapApp.exe

    C:\WINDOWS\system32\tcpsvcs.exe

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\tmlisten.exe

    C:\WINDOWS\system32\wdfmgr.exe

    C:\Arquivos de Programas\ISS\DesktopProtection\vpatch.exe

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

    C:\WINDOWS\Explorer.EXE

    C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

    C:\WINDOWS\system32\igfxtray.exe

    C:\WINDOWS\system32\hkcmd.exe

    C:\WINDOWS\system32\igfxpers.exe

    C:\ARQUIV~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe

    C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

    C:\Arquivos de programas\Synaptics\SynTP\SynTPLpr.exe

    C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

    C:\WINDOWS\TEMP\QY428B.EXE

    C:\WINDOWS\system32\ctfmon.exe

    C:\Arquivos de programas\ISS\DesktopProtection\blackice.exe

    C:\Arquivos de programas\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

    C:\Arquivos de programas\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

    C:\WINDOWS\System32\alg.exe

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\pccntupd.exe

    C:\Arquivos de programas\Internet Explorer\iexplore.exe

    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

    D:\Documents and Settings\ctpb.EP\Meus documentos\Utility Tools\HiJackThis.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.br/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

    O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

    O4 - HKLM\..\Run: [TPHOTKEY] C:\ARQUIV~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\ARQUIV~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

    O4 - HKLM\..\Run: [bLOG] rundll32 C:\ARQUIV~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow

    O4 - HKLM\..\Run: [TkBellExe] C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [synTPLpr] C:\Arquivos de programas\Synaptics\SynTP\SynTPLpr.exe

    O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

    O4 - Global Startup: Proventia Desktop Agent.lnk = ?

    O4 - Global Startup: VPN Client.lnk = ?

    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198261741687

    O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\ntrtscan.exe

    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\tmlisten.exe

    --

    End of file - 8561 bytes


    - In Run, type combofix /u and click OK. In the next window click "Run" and wait for the program to be removed;

    - Download ComboFix and save it to the desktop;

    - Select the text below and copy it into Notepad. Save it as CFScript.txt;


    File::
    C:\WINDOWS\system32\bcdfphie.ini
    C:\WINDOWS\system32\djcdgvqn.ini
    C:\WINDOWS\system32\yhmnltig.ini
    C:\WINDOWS\system32\tymrwqqh.ini
    C:\WINDOWS\system32\uxqgirqe.ini
    C:\WINDOWS\system32\gjkkj.bak2
    C:\WINDOWS\system32\gjkkj.bak1
    C:\WINDOWS\system32\gjkkj.ini
    C:\WINDOWS\system32\kjkmp.bak2
    C:\WINDOWS\system32\kjkmp.bak1

    - Restart the computer in Safe Mode (press the F8 key repeatedly, or F5 in some cases, during startup);

    - Drag CFScript.txt onto ComboFix as shown in the image below:

    [image: CFScript.gif]

    ComboFix will run and restart the PC automatically to complete the removal process.

    Do not use the mouse or the keyboard while ComboFix is running.

    When it finishes, a log will be generated at C:\ComboFix.txt.

    Note: If ComboFix does not restart your computer automatically, do it manually.

    Paste the new ComboFix and HijackThis logs in your reply.

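The ten paths the helper puts in CFScript.txt are not chosen at random: every one of them appears in the ComboFix log above as a regular file in system32 carrying both the hidden and system attributes (`---hs----` in the created-files section, `--sh--w` in the Find3M section). The same log also shows a run of `C:\pos*.tmp` files of identical size, which matches the undeletable .tmp files from the first post. The script below is an added example, not a ComboFix feature or the helper's method, that parses both listing layouts and applies those two heuristics; the sample lines are copied from the thread's logs and the rule names are my own.

```python
"""Parse the file-listing sections of a ComboFix log and apply two analyst
heuristics used when picking removal candidates.

Added example, not a ComboFix feature. Sample lines are copied from the logs
in this thread (constructed subset).
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LISTING = r"""
2008-01-01 01:58 . 2008-01-01 02:00 <DIR> d-------- C:\Arquivos de programas\BitLord
2007-12-22 14:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-21 02:19 . 2007-12-21 02:20 14,033 --a------ C:\posFB8.tmp
2007-12-21 02:03 . 2007-12-21 02:03 14,033 --a------ C:\posF9F.tmp
2007-12-21 02:02 . 2007-12-21 02:02 14,033 --a------ C:\posF7E.tmp
2007-12-21 01:41 . 2007-12-21 01:41 14,033 --a------ C:\posDA2.tmp
2007-12-20 15:21 . 2007-12-21 00:11 985,695 ---hs---- C:\WINDOWS\system32\bcdfphie.ini
2007-12-20 11:49 . 2007-12-20 15:19 990,633 ---hs---- C:\WINDOWS\system32\djcdgvqn.ini
2007-12-16 21:05 . 2007-12-20 15:15 297,150 ---hs---- C:\WINDOWS\system32\gjkkj.bak2
2007-12-26 17:10 . 2007-12-26 17:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-18 00:24 --------- d-----w C:\Arquivos de programas\SUPERAntiSpyware
2007-11-28 19:08 8,133 --sh--w C:\WINDOWS\system32\kjkmp.bak2
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
"""

# One regex covers both layouts: "created . modified size attrs path" (created-files
# section) and "modified size attrs path" (Find3M section, 7-char attribute field).
LINE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})'
    r'(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?'
    r' (?P<size><DIR>|[\d,]+|-+)'
    r' (?P<attr>[-a-z]{7,9})'
    r' (?P<path>[A-Za-z]:\\.+)$'
)


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str | None
    size: int | None          # None for directories and for Find3M's "---------"
    attr: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attr.startswith("d")

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attr and "s" in self.attr


def parse_line(line: str) -> Entry | None:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return Entry(
        created=m.group("created"),
        modified=m.group("modified"),
        size=int(size.replace(",", "")) if size[0].isdigit() else None,
        attr=m.group("attr"),
        path=m.group("path"),
    )


def triage_listing(text: str) -> dict[str, list]:
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    # Rule A: hidden+system regular files inside system32 (what the CFScript targets).
    hidden = [e.path for e in entries
              if not e.is_dir and e.hidden_system
              and "\\windows\\system32\\" in e.path.lower()]
    # Rule B: three or more files in one folder sharing extension and exact size,
    # the pattern of the repeatedly dropped pos*.tmp files.
    groups: dict[tuple, list[str]] = defaultdict(list)
    for e in entries:
        if e.is_dir or e.size is None:
            continue
        folder, _, name = e.path.rpartition("\\")
        ext = name[name.rfind("."):].lower() if "." in name else ""
        groups[(folder.lower(), ext, e.size)].append(e.path)
    repeated = [paths for paths in groups.values() if len(paths) >= 3]
    return {"hidden_system_in_system32": hidden, "repeated_same_size": repeated}


if __name__ == "__main__":
    for rule, hits in triage_listing(SAMPLE_LISTING).items():
        print(rule, hits)
```

Rule A reproduces the helper's selection from the sample (the four hidden/system files present in it), and Rule B groups the four `pos*.tmp` drops while leaving the legitimate Microsoft Update DLLs and `secdrv.sys` alone. Directories are skipped in both rules, so `C:\WINDOWS\PIF` (hidden, but a folder) is not reported.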
  • Topic author
  • Melo, I can't get into Safe Mode because I have to log on to a network domain on this machine (even while physically disconnected). Anyway, the machine seems to be working fine now. If it's necessary to delete the files you listed in CFScript.txt, is there another way besides Safe Mode (Killbox maybe..)?

  • Topic author
  • I did what you instructed; here is the new ComboFix log.

    ComboFix 07-12-31.4 - CTPB 2008-01-05 13:43:32.2 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1481 [GMT -3:00]

    Executando de: D:\Documents and Settings\ctpb.EP\Desktop\ComboFix.exe

    Command switches used :: D:\Documents and Settings\ctpb.EP\Desktop\CFScript.txt

    * Criado um novo ponto de restauro

    FILE

    C:\WINDOWS\system32\bcdfphie.ini

    C:\WINDOWS\system32\djcdgvqn.ini

    C:\WINDOWS\system32\gjkkj.bak1

    C:\WINDOWS\system32\gjkkj.bak2

    C:\WINDOWS\system32\gjkkj.ini

    C:\WINDOWS\system32\kjkmp.bak1

    C:\WINDOWS\system32\kjkmp.bak2

    C:\WINDOWS\system32\tymrwqqh.ini

    C:\WINDOWS\system32\uxqgirqe.ini

    C:\WINDOWS\system32\yhmnltig.ini

    .

    ((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    C:\WINDOWS\system32\bcdfphie.ini

    C:\WINDOWS\system32\djcdgvqn.ini

    C:\WINDOWS\system32\gjkkj.bak1

    C:\WINDOWS\system32\gjkkj.bak2

    C:\WINDOWS\system32\gjkkj.ini

    C:\WINDOWS\system32\kjkmp.bak1

    C:\WINDOWS\system32\kjkmp.bak2

    C:\WINDOWS\system32\kjkmp.ini

    C:\WINDOWS\system32\tymrwqqh.ini

    C:\WINDOWS\system32\uxqgirqe.ini

    C:\WINDOWS\system32\yhmnltig.ini

    .

    ((((((((((((((((((((((( Ficheiros criados de 2007-12-05 to 2008-01-05 ))))))))))))))))))))))))))))))))

    .

    2008-01-05 13:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

    2008-01-01 13:27 . 2008-01-01 13:27 <DIR> d-------- D:\Documents and Settings\y868\Configurações locais

    2008-01-01 13:27 . 2008-01-01 13:27 <DIR> d-------- D:\Documents and Settings\NetworkService\Configurações locais

    2008-01-01 13:27 . 2008-01-01 13:27 <DIR> d-------- D:\Documents and Settings\LocalService\Configurações locais

    2008-01-01 13:27 . 2008-01-01 13:27 <DIR> d-------- D:\Documents and Settings\ctpb\Configurações locais

    2008-01-01 13:27 . 2008-01-01 13:27 <DIR> d-------- D:\Documents and Settings\ctpb.EP\Configurações locais

    2008-01-01 13:27 . 2008-01-01 13:27 <DIR> d-------- D:\Documents and Settings\aey1mu\Configurações locais

    2008-01-01 13:27 . 2008-01-01 13:27 <DIR> d-------- D:\Documents and Settings\aey0pw\Configurações locais

    2008-01-01 13:27 . 2008-01-01 13:27 <DIR> d-------- D:\Documents and Settings\Administrador\Configurações locais

    2008-01-01 13:27 . 2008-01-01 13:27 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais

    2008-01-01 13:14 . 2008-01-01 13:14 <DIR> d-------- D:\Documents and Settings\ctpb.EP\Dados de aplicativos\DeepBurner

    2008-01-01 01:58 . 2008-01-01 02:00 <DIR> d-------- C:\Arquivos de programas\BitLord

    2007-12-26 17:10 . 2007-12-26 17:10 <DIR> d--h----- C:\WINDOWS\PIF

    2007-12-22 14:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

    2007-12-22 14:29 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll

    2007-12-22 14:29 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

    2007-12-21 21:05 . 2007-12-21 21:05 <DIR> d-------- C:\Arquivos de programas\SopCast

    2007-12-21 20:08 . 2007-12-21 20:08 <DIR> d-------- C:\Arquivos de programas\Google

    2007-12-21 16:14 . 2007-12-21 16:14 <DIR> d-------- D:\Documents and Settings\ctpb.EP\Contacts

    2007-12-21 16:14 . 2007-12-21 16:14 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

    2007-12-21 16:10 . 2007-12-21 16:12 <DIR> d--hsc--- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller

    2007-12-21 16:00 . 2007-12-21 16:14 <DIR> d-------- C:\Arquivos de programas\Windows Live

    2007-12-21 15:59 . 2007-12-21 15:59 <DIR> d-------- D:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller

    2007-12-21 15:42 . 2007-12-21 15:42 <DIR> d-------- C:\Arquivos de programas\MSXML 6.0

    2007-12-21 15:42 . 2007-12-21 15:42 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

    2007-12-21 15:38 . 2007-12-21 15:38 <DIR> d-------- C:\Arquivos de programas\Synaptics

    2007-12-21 15:29 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll

    2007-12-21 15:29 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

    2007-12-21 15:29 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

    2007-12-21 15:29 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui

    2007-12-21 15:29 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

    2007-12-21 00:23 . 2008-01-05 13:41 <DIR> d-------- D:\Documents and Settings\ctpb.EP\Dados de aplicativos\AVG7

    2007-12-21 00:22 . 2007-12-21 00:22 <DIR> d-------- D:\Documents and Settings\LocalService\Dados de aplicativos\AVG7

    2007-12-21 00:22 . 2007-12-21 00:22 <DIR> d-------- D:\Documents and Settings\All Users\Dados de aplicativos\Grisoft

    2007-12-21 00:22 . 2007-12-21 15:13 <DIR> d-------- D:\Documents and Settings\All Users\Dados de aplicativos\avg7

    2007-12-21 00:22 . 2007-12-21 00:22 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll

    2007-12-21 00:22 . 2007-12-21 00:22 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

    2007-12-06 21:05 . 2007-12-06 21:05 <DIR> d-------- C:\Arquivos de programas\Positivo

    .

    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-01-05 02:44 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

    2008-01-04 00:53 --------- d-----w D:\Documents and Settings\ctpb.EP\Dados de aplicativos\Corel

    2007-12-18 00:24 --------- d-----w D:\Documents and Settings\ctpb.EP\Dados de aplicativos\SUPERAntiSpyware.com

    2007-12-18 00:24 --------- d-----w C:\Arquivos de programas\SUPERAntiSpyware

    2007-12-10 20:20 --------- d-----w C:\Arquivos de programas\GbPlugin

    2007-12-07 00:04 --------- d-----w C:\Arquivos de programas\Arquivos comuns\InstallShield

    2007-12-01 23:41 --------- d-----w C:\Arquivos de programas\Ixia

    2007-11-29 05:04 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\SUPERAntiSpyware.com

    2007-11-29 05:04 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard

    2007-11-27 23:44 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\WinZip

    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

    2007-11-06 00:18 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer

    2007-11-06 00:17 --------- d-----w D:\Documents and Settings\ctpb.EP\Dados de aplicativos\Apple Computer

    2007-11-06 00:16 --------- d-----w C:\Arquivos de programas\QuickTime

    2007-11-06 00:15 --------- d-----w D:\Documents and Settings\All Users\Dados de aplicativos\Apple

    2007-11-06 00:15 --------- d-----w C:\Arquivos de programas\Apple Software Update

    2007-10-29 22:44 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll

    2007-10-20 09:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

    2007-10-18 14:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll

    .

    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

    .

    .

    REGEDIT4

    *Nota* entradas vazias & legítimas por defeito não são mostradas.

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SoundMAXPnP"="C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-12-15 13:19 925696]

    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 12:55 98304]

    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 12:52 77824]

    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 12:55 118784]

    "TPHOTKEY"="C:\ARQUIV~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-12-15 13:00 94208]

    "PWRMGRTR"="C:\ARQUIV~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 00:12 151552]

    "BLOG"="C:\ARQUIV~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 00:12 208896]

    "OfficeScanNT Monitor"="C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe" [2007-01-08 20:20 356429]

    "TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2007-06-20 13:00 151552]

    "QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

    "AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 00:22 579072]

    "SynTPLpr"="C:\Arquivos de programas\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 14:34 126976]

    "SynTPEnh"="C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 14:33 561152]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]

    "AVG7_Run"="C:\ARQUIV~1\Grisoft\AVG7\avgw.exe" [2007-12-21 00:22 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "disablecad"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

    "{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [2007-12-03 15:30 347976]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

    C:\ARQUIV~1\GbPlugin\gbieh.dll 2007-12-03 15:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

    notifyf2.dll 2005-07-05 22:45 28672 C:\WINDOWS\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

    tphklock.dll 2005-11-30 19:16 24576 C:\WINDOWS\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]

    C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 2007-12-03 15:30 347976 C:\Arquivos de programas\GbPlugin\gbieh.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    Authentication Packages REG_MULTI_SZ msv1_0 TivoliAP

    R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-12-07 00:12]

    R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Arquivos de Programas\ISS\DesktopProtection\vpatch.exe [2006-06-09 16:09]

    R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\MakoNT.sys [2006-06-09 16:10]

    R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-09-20 13:54]

    R4 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-09-20 13:54]

    S3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-08 13:54]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e0e8acc-7b56-11dc-b31d-0018deca5a80}]

    \Shell\Auto\command - ah.exe

    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ah.exe

    .

    Conteúdo da pasta 'Tarefas Agendadas'

    "2008-01-05 16:48:15 C:\WINDOWS\Tasks\PMTask.job"

    - C:\ARQUIV~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE

    .

    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-01-05 13:48:53

    Windows 5.1.2600 Service Pack 2 NTFS

    Procurando processos ocultos ...

    Procurando entradas auto inicializáveis ocultas ...

    Procurando ficheiros ocultos ...

    Varredura completada com sucesso

    Ficheiros ocultos: 0

    **************************************************************************

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe

    -> C:\WINDOWS\system32\tphklock.dll

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]

    -> C:\ARQUIV~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL

    -> C:\ARQUIV~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL

    .

    Tempo para conclusão: 2008-01-05 13:50:02 - machine was rebooted

    C:\qoobox\ComboFix-quarantined-files.txt 2008-01-05 16:49:56

    .

    2007-12-23 22:52:21 --- E O F ---

  • Topic author
  • Sorry, I forgot to attach the HijackThis log, here it is:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 16:51, on 2008-01-05

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\ibmpmsvc.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Arquivos de programas\GbPlugin\GbpSv.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

    C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

    C:\Arquivos de Programas\ISS\DesktopProtection\blackd.exe

    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\ntrtscan.exe

    C:\Arquivos de programas\Citrix\ICA Client\ssonsvr.exe

    C:\WINDOWS\system32\PSIService.exe

    C:\Arquivos de Programas\ISS\DesktopProtection\RapApp.exe

    C:\WINDOWS\system32\tcpsvcs.exe

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\tmlisten.exe

    C:\WINDOWS\system32\wdfmgr.exe

    C:\Arquivos de Programas\ISS\DesktopProtection\vpatch.exe

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

    C:\WINDOWS\Explorer.EXE

    C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

    C:\WINDOWS\system32\igfxtray.exe

    C:\WINDOWS\TEMP\RL76.EXE

    C:\WINDOWS\system32\hkcmd.exe

    C:\WINDOWS\system32\igfxpers.exe

    C:\ARQUIV~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe

    C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

    C:\Arquivos de programas\Synaptics\SynTP\SynTPLpr.exe

    C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Arquivos de programas\ISS\DesktopProtection\blackice.exe

    C:\Arquivos de programas\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

    C:\Arquivos de programas\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

    C:\WINDOWS\System32\alg.exe

    C:\Arquivos de programas\Trend Micro\OfficeScan Client\pccntupd.exe

    C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

    C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

    D:\Documents and Settings\ctpb.EP\Meus documentos\Utility Tools\HiJackThis.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.br/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll

    O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

    O4 - HKLM\..\Run: [TPHOTKEY] C:\ARQUIV~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\ARQUIV~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

    O4 - HKLM\..\Run: [bLOG] rundll32 C:\ARQUIV~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow

    O4 - HKLM\..\Run: [TkBellExe] C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [synTPLpr] C:\Arquivos de programas\Synaptics\SynTP\SynTPLpr.exe

    O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198261741687

    O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

    O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll

    O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\ntrtscan.exe

    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\tmlisten.exe

    --

    End of file - 8590 bytes

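    Reading a HijackThis log like the one above is manual work; as an added example (not code from this thread, from HijackThis or from ComboFix), this Python script applies two of the checks a log analyst makes: processes or O4 autostart entries launched from temporary folders, and O23 services with no identified publisher. The sample log is constructed in the thread's format; the RL76.EXE and GbpSv lines are taken from the log above, the HKCU 'updater' entry is made up to exercise the O4 check, and a flag means "look again", not "malicious".

```python
import re
from typing import List, NamedTuple

# Startup locations that legitimate software rarely uses (matched case-insensitively).
TEMP_MARKERS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\config~1\\temp\\")

PATH_RE = re.compile(r"^[A-Za-z]:\\")                           # a "Running processes" line
O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] '
                   r'"?(?P<path>[^"]+?\.(?:exe|dll))"?', re.I)  # autostart entry
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

class Finding(NamedTuple):
    section: str   # "process", "O4" or "O23"
    item: str      # process path, autostart target or service name
    reason: str    # why an analyst would look at it again

def is_temp_path(path: str) -> bool:
    """True when the path runs out of a temporary folder."""
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)

def triage_hjt(log: str) -> List[Finding]:
    """Walk a HijackThis log once and collect review-worthy items.
    Blank lines between entries (common in copy-pasted logs) are tolerated."""
    findings: List[Finding] = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs and PATH_RE.match(line):
            if is_temp_path(line):
                findings.append(Finding("process", line, "running from a temp folder"))
            continue
        if in_procs and line:                 # first non-path line ends the block
            in_procs = False
        m = O4_RE.match(line)
        if m:
            if is_temp_path(m["path"]):
                findings.append(Finding("O4", m["path"],
                                        f"autostart '{m['name']}' launches from a temp folder"))
            continue
        m = O23_RE.match(line)
        if m and m["owner"].strip().lower() == "unknown owner":
            findings.append(Finding("O23", m["svc"], "service binary has no identified publisher"))
    return findings

# Constructed sample in the thread's log format: RL76.EXE and GbpSv appear in the log above,
# the HKCU 'updater' entry is made up to exercise the O4 check.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\TEMP\RL76.EXE

C:\Arquivos de programas\Trend Micro\OfficeScan Client\Pccntmon.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\CONFIG~1\Temp\upd.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Arquivos de programas\Trend Micro\OfficeScan Client\tmlisten.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.item} -> {f.reason}")
```

    GbpSv belongs to the G-Buster Browser Defense plugin that also appears in the O2 entry of the log above, so a human check clears it; that is why the output is a review list and not a verdict.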

    - OK, the log is clean :)

    - In Run, type combofix /u and click OK. In the next window click "Run" and wait for the program to be removed;

    - I recommend a maintenance pass on the computer to delete temporary and unnecessary files and invalid registry entries. Download CCleaner:

    • Open the program and click Run Cleaner;
    • After that, click Registry > Scan for errors > Fix errors

    - Disable and re-enable System Restore

    - Read the article "Proteja seu PC" (Protect your PC) for more information on how to avoid infections.

  • Topic author
  • Thank you very much for your help, Melo! Case solved!!
