krustty1

Virus 69gan373


Well, my PC got infected. The virus won't let me open many files and programs on the computer: Internet Explorer, Google Chrome, CCleaner, Task Manager, Outlook, etc. I managed to find its directory and tried to delete it, without success. I restarted the computer, booted into Safe Mode, and only then was I able to delete the directory (69gan373), which was in C:\ProgramData. But since this is the second time it has been infected, I'm asking for your help.

Thanks.

Logs follow:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.7600.16912

Run by Guto at 23:19:24 on 2013-10-03

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.55.1046.18.3293.2189 [GMT -3:00]

.

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Microsoft\BingBar\7.2.241.0\BBSvc.exe

C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe

C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Windows\System32\WScript.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\program files\avira\antivir desktop\avconfig.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.dosearches.com/?utm_source=b&utm_medium=slbnew&utm_campaign=eXQ&utm_content=hp&from=slbnew&uid=HDS728080PLAT20_PFD8V3SERZJNUHRZJNUHX&ts=1379872867

uDefault_Page_URL = hxxp://www.dosearches.com/?utm_source=b&utm_medium=slbnew&utm_campaign=eXQ&utm_content=hp&from=slbnew&uid=HDS728080PLAT20_PFD8V3SERZJNUHRZJNUHX&ts=1379872867

mStart Page = hxxp://www.dosearches.com/?utm_source=b&utm_medium=slbnew&utm_campaign=eXQ&utm_content=hp&from=slbnew&uid=HDS728080PLAT20_PFD8V3SERZJNUHRZJNUHX&ts=1379872867

mDefault_Page_URL = hxxp://www.dosearches.com/?utm_source=b&utm_medium=slbnew&utm_campaign=eXQ&utm_content=hp&from=slbnew&uid=HDS728080PLAT20_PFD8V3SERZJNUHRZJNUHX&ts=1379872867

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

uRun: [c1] c:\users\guto\appdata\roaming\d795\c1.js

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"

mRun: [c99c] c:\program files\c8\c99c.js

StartupFolder: c:\users\guto\appdata\roaming\microsoft\windows\start menu\programs\startup\96c29.js

StartupFolder: c:\users\guto\appdata\roaming\microsoft\windows\start menu\programs\startup\97.js

StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\96c29.js

StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\97.js

uPolicies-Explorer: NoWindowsUpdate = 1

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-System: DisableRegistryTools = 1

uPolicies-System: DisableTaskMgr = 1

uPolicies-Windows\System: disablecmd = 1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: EnableVirtualization = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

mPolicies-System: DisableTaskMgr = 1

IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll

LSP: c:\program files\avira\antivir desktop\avsda.dll

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

.

INFO: HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

TCP: NameServer = 192.168.1.1 192.168.2.1

TCP: Interfaces\{2038CC3F-8DC5-4CBB-9FD4-F57E4EEA8F7A} : DHCPNameServer = 192.168.1.1 192.168.2.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Notify: SDWinLogon - SDWinLogon.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\guto\appdata\roaming\mozilla\firefox\profiles\lw2k636m.default\

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-9-25 37352]

R2 AntiVirSchedulerService;Avira Agendamento;c:\program files\avira\antivir desktop\sched.exe [2013-9-25 84024]

R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-9-25 108088]

R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2013-9-25 815160]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-9-25 88840]

R2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.2.241.0\BBSvc.EXE [2013-7-23 193696]

R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-9-25 1103392]

R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-9-25 1369624]

R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-9-25 168384]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-6-10 50688]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-7-25 162672]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.2.241.0\SeaPort.EXE [2013-7-23 240288]

S3 btmhsf;btmhsf;c:\windows\system32\drivers\btmhsf.sys [2011-7-19 225280]

S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\drivers\iBtFltCoex.sys [2011-7-20 47104]

S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\wat\WatAdminSvc.exe [2011-12-27 1343400]

.

=============== File Associations ===============

.

FileExt: .ini: Applications\ACCICONS.EXE="c:\program files\microsoft office\office12\ACCICONS.EXE" "%1" [userChoice]

.

=============== Created Last 30 ================

.

2013-10-04 02:07:34 -------- d-----w- c:\users\guto\appdata\local\ElevatedDiagnostics

2013-09-26 21:08:11 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll

2013-09-26 21:07:59 440080 ----a-w- c:\windows\system32\d3dx10.dll

2013-09-25 20:09:51 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2013-09-25 20:09:40 15224 ----a-w- c:\windows\system32\sdnclean.exe

2013-09-25 20:09:35 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2013-09-25 19:49:20 -------- d-----w- c:\program files\VS Revo Group

2013-09-25 19:24:54 -------- d-----w- c:\users\guto\appdata\roaming\Avira

2013-09-25 19:23:11 -------- d-----w- c:\programdata\AMMYY

2013-09-25 19:23:04 66144 ----a-w- c:\windows\system32\drivers\avnetflt.sys

2013-09-25 19:21:50 -------- d-----w- c:\programdata\APN

2013-09-25 19:20:26 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2013-09-25 19:20:25 88840 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2013-09-25 19:20:25 -------- d-----w- c:\programdata\Avira

2013-09-25 19:20:25 -------- d-----w- c:\program files\Avira

2013-09-25 19:06:04 -------- d-sh--w- C:\$RECYCLE.BIN

2013-09-25 19:05:15 -------- d-s---w- C:\ComboFix

2013-09-16 00:07:24 -------- d-----w- C:\AdwCleaner

2013-09-15 23:58:03 -------- d-----w- c:\program files\CCleaner

2013-09-15 23:30:27 -------- d-----w- c:\windows\pss

2013-09-15 20:30:24 98816 ----a-w- c:\windows\sed.exe

2013-09-15 20:30:24 256000 ----a-w- c:\windows\PEV.exe

2013-09-15 20:30:24 208896 ----a-w- c:\windows\MBR.exe

2013-09-15 20:15:49 -------- d-----w- c:\users\guto\appdata\roaming\Malwarebytes

2013-09-15 20:15:47 -------- d-----w- c:\programdata\Malwarebytes

2013-09-15 20:15:41 -------- d-----w- c:\users\guto\appdata\local\Programs

2013-09-12 21:20:33 -------- d-sh--w- c:\users\guto\appdata\roaming\d795

2013-09-12 21:20:33 -------- d-sh--w- c:\program files\c8

2013-09-10 23:29:26 -------- d-sh--w- C:\d6

2013-09-06 02:56:01 -------- d-----w- c:\program files\Vimicro

2013-09-06 02:49:46 634880 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iKernel.dll

2013-09-06 02:49:46 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\ctor.dll

2013-09-06 02:49:46 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\DotNetInstaller.exe

2013-09-06 02:49:46 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll

2013-09-06 02:49:46 270468 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\Setup.dll

2013-09-06 02:49:46 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iscript.dll

2013-09-06 02:49:46 159876 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\IGdi.dll

2013-09-06 02:49:46 151552 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iuser.dll

.

==================== Find3M ====================

.

2013-09-25 20:06:25 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-09-25 20:06:25 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

============= FINISH: 23:19:44,01 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume2

Install Date: 26/12/2011 14:28:35

System Uptime: 03/10/2013 23:08:15 (0 hours ago)

.

Motherboard: MSI | | G41M-S01 (MS-7592)

Processor: Intel® Celeron® CPU E3300 @ 2.50GHz | CPU 1 | 2500/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 74 GiB total, 27,338 GiB free.

D: is FIXED (NTFS) - 77 GiB total, 30,59 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Reader 9.5.5 - Português

Arquivo do WinRAR

Avira Free Antivirus

Bing Bar

CCleaner

HP Deskjet 3510 series Ajuda

HP Deskjet 3510 series Estudo de aprimoramento de produtos

HP Deskjet 3510 series Software básico do dispositivo

HP FWUpdateEDO2

HP Photo Creations

HP Update

HPDiagnosticAlert

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Client Profile PTB Language Pack

Microsoft Application Error Reporting

Microsoft Office Access MUI (Portuguese (Brazil)) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (Portuguese (Brazil)) 2007

Microsoft Office Groove MUI (Portuguese (Brazil)) 2007

Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2007

Microsoft Office OneNote MUI (Portuguese (Brazil)) 2007

Microsoft Office Outlook MUI (Portuguese (Brazil)) 2007

Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (Portuguese (Brazil)) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (Portuguese (Brazil)) 2007

Microsoft Office Publisher MUI (Portuguese (Brazil)) 2007

Microsoft Office Shared MUI (Portuguese (Brazil)) 2007

Microsoft Office Word MUI (Portuguese (Brazil)) 2007

Microsoft Silverlight

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mozilla Firefox 24.0 (x86 pt-BR)

Mozilla Maintenance Service

Pacote de Idiomas do Microsoft .NET Framework 4 Client Profile - Português (Brasil)

Rep! 3.0 - Representação Comercial

Revo Uninstaller 1.95

Skype™ 6.7

Spybot - Search & Destroy

.

==== End Of File ===========================
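The DDS log above is the whole technical record of the infection, and the indicators in it are mechanical enough to pick out automatically: two Run-key entries and four Startup-folder items that point at bare .js files (WScript.exe is in the running-process list, which is the host those files run under), user and machine policies that disable Task Manager, regedit, cmd.exe and Windows Update, UAC switched off, and a start page rewritten to a URL that embeds the disk's serial number as a `uid=` parameter. The following is an added example, not code from the thread or from DDS: a small Python triage of the "Pseudo HJT Report" lines, run over an excerpt copied from the posted log. The rules, the severity labels and the treatment of `uid=` as a tracking marker are this example's own assumptions.

```python
"""Triage of the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of the original thread and not DDS code.  The sample
lines are an excerpt of the log posted above; the rules and severities are
this example's own assumptions.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity category detail line")

# Files that run under wscript.exe/cscript.exe or cmd.exe.  A bare script as a
# Run-key target or Startup-folder item is rare for legitimate software.
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".bat", ".cmd")
EXEC_EXT = SCRIPT_EXT + (".exe", ".com", ".scr", ".dll")

# Policies the log shows set to 1: each one removes a tool the user would reach for.
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "disablecmd", "nowindowsupdate"}
# UAC settings and the value that means "never prompt" (Windows 7 defaults are 1, 5, 1).
UAC_OFF = {"enablelua": "0", "consentpromptbehavioradmin": "0", "promptonsecuredesktop": "0"}

AUTORUN_RE = re.compile(r"^[um]Run:\s*\[[^\]]*\]\s*(?P<cmd>.+)$", re.I)
STARTUP_RE = re.compile(r"^StartupFolder:\s*(?P<path>.+)$", re.I)
POLICY_RE = re.compile(r"^[um]Policies-[^:]+:\s*(?P<name>\w+)\s*=\s*(?:dword:)?(?P<value>\S+)$", re.I)
HOMEPAGE_RE = re.compile(r"^[um](Start Page|Default_Page_URL)\s*=\s*(?P<url>\S+)$", re.I)

# Constructed sample: an excerpt of the posted log (hxxp is how DDS defangs http).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.dosearches.com/?utm_source=b&utm_medium=slbnew&uid=HDS728080PLAT20_PFD8V3SERZJNUHRZJNUHX&ts=1379872867
mStart Page = hxxp://www.dosearches.com/?utm_source=b&utm_medium=slbnew&uid=HDS728080PLAT20_PFD8V3SERZJNUHRZJNUHX&ts=1379872867
uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [c1] c:\users\guto\appdata\roaming\d795\c1.js
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [c99c] c:\program files\c8\c99c.js
StartupFolder: c:\users\guto\appdata\roaming\microsoft\windows\start menu\programs\startup\96c29.js
StartupFolder: c:\users\guto\appdata\roaming\microsoft\windows\start menu\programs\startup\97.js
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\96c29.js
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\97.js
uPolicies-Explorer: NoWindowsUpdate = 1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-System: DisableRegistryTools = 1
uPolicies-System: DisableTaskMgr = 1
uPolicies-Windows\System: disablecmd = 1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: DisableTaskMgr = 1
"""


def target_path(cmd):
    """Executable/script a Run-key command line launches (quotes stripped, arguments dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: grow token by token until the prefix
    # ends in a known extension, much as Windows itself resolves such entries.
    tokens = cmd.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return cmd


def triage(log_text):
    """Return a Finding for every HJT-report line that matches one of the rules."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = AUTORUN_RE.match(line)
        if m:
            path = target_path(m.group("cmd"))
        else:
            m = STARTUP_RE.match(line)
            path = m.group("path").strip() if m else None
        if path is not None:
            if path.lower().endswith(SCRIPT_EXT):
                findings.append(Finding("high", "script_autorun", path, line))
            continue
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group("name").lower(), m.group("value").lower()
            if name in LOCKOUT_POLICIES and value != "0":
                findings.append(Finding("high", "tool_lockout", f"{name}={value}", line))
            elif name in UAC_OFF and value == UAC_OFF[name]:
                findings.append(Finding("medium", "uac_disabled", f"{name}={value}", line))
            continue
        m = HOMEPAGE_RE.match(line)
        if m and re.search(r"[?&]uid=", m.group("url"), re.I):
            findings.append(Finding("medium", "homepage_hijack", m.group("url"), line))
    return findings


def summarize(findings):
    """Findings per category, e.g. {'script_autorun': 6, 'tool_lockout': 5, ...}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: (f.severity, f.category)):
        print(f"[{f.severity:6}] {f.category:16} {f.detail}")
    print(summarize(results))
```

Run against the excerpt this reports six script autoruns, five tool lockouts, three UAC settings at "never prompt" and two hijacked start pages, while the Skype and Avira entries, `NoDriveTypeAutoRun = dword:145` (the Windows default) and `ConsentPromptBehaviorUser = dword:3` are correctly left alone. The point of the `target_path` helper is the `mRun: [c99c] c:\program files\c8\c99c.js` line: the path is unquoted and contains a space, so a naive "first token" split would miss it.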


Read the instructions contained in this link:

In the instructions in the link above you can check in which forums the Analysts are properly qualified to use the tool correctly: "Forums to get help with ComboFix logs"

  1. Download ComboFix from one of the official links listed below and save it to your desktop:
  2. Temporarily, and while you carry out these instructions, it is very important that you keep your protection programs (Antivirus, Antispyware and Firewall) disabled. Re-enable the protection after running the procedure(s) described below.
  3. Double-click the ComboFix icon on the desktop.
  4. Read and accept the terms by typing 1 and Enter.
  5. Computers with Windows XP will need to install the Recovery Console:
      • If your computer has Windows XP and does not yet have the Recovery Console installed, please make sure you are connected to the Internet and click "Yes".
      • Click "OK" on the EULA.
      • Once the Recovery Console is installed, click "YES" to continue.
  6. ComboFix will run; please be patient and wait.
  7. Warning: do not use the mouse or the keyboard while the tool is running; this can make the computer hang.
  8. A message may appear saying the computer needs to restart. DO NOT RESTART!!! ComboFix will restart the computer automatically.
  9. When the tool finishes running it will generate a log (the file C:\ComboFix.txt). Copy and paste the contents of that file in your next reply.

Do NOT use the tool on your own. It is a powerful tool built to deal with sophisticated infections and, if you do not use it correctly, it can damage your computer.

  • There are several pieces of malware that prevent the tool from running correctly and can thereby seriously damage the computer. Analysts qualified to use ComboFix know these cases and know how to handle them.
  • Many Analysts do not reply to topics in which they see that ComboFix was used without supervision.
  • There are many general-purpose anti-malware tools whose authors, when writing them, had end users in mind and intended them to be used without supervision. ComboFix is not a tool of that kind, and so, also out of respect for the tool's author, do not use it without supervision.
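Whatever cleanup tool is used, the practitioner's check afterwards is the same: confirm on the live machine that the persistence and lockout indicators from the DDS log in the first post are gone. The first post shows why this matters: the C:\ProgramData\69gan373 directory was deleted by hand, yet the log taken afterwards still lists the .js autoruns, the hidden d795/c8/d6 directories and the policy lockouts, so the infection had everything it needed to come back. The script below is an added example, not from the thread and not part of ComboFix, DDS or any other tool named here. It queries the registry paths behind the DDS "uPolicies"/"mPolicies" lines, the Run keys and Startup folders, running script hosts, and the directories the log's "Created Last 30" section attributes to the infection. With -Fix it deletes the lockout values and restores the three UAC values to their Windows 7 defaults (1, 5, 1); treating those defaults as "clean" is this example's assumption and does not hold on a domain-managed machine, where Group Policy may set them deliberately. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example, not from the original thread or from any tool it mentions.
  Checks a live Windows machine for the indicators visible in the posted DDS
  log: policy values that lock out Task Manager, regedit, cmd.exe and Windows
  Update, UAC prompts switched off, and Run-key or Startup-folder entries that
  point at a bare script file.  With -Fix it reverts the policy values to the
  Windows 7 defaults (assumption: nothing sets them on purpose).
#>
param([switch]$Fix)

$polSys = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$polExp = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$polCmd = 'Software\Policies\Microsoft\Windows\System'

# Registry value, the setting that indicates tampering, and what to put back
# ($null = delete the value; the lockouts do not exist on a clean machine).
$policyChecks = @(
    @{ Path = "HKCU:\$polSys"; Name = 'DisableTaskMgr';             Bad = 1; Restore = $null },
    @{ Path = "HKCU:\$polSys"; Name = 'DisableRegistryTools';       Bad = 1; Restore = $null },
    @{ Path = "HKCU:\$polCmd"; Name = 'DisableCMD';                 Bad = 1; Restore = $null },
    @{ Path = "HKCU:\$polExp"; Name = 'NoWindowsUpdate';            Bad = 1; Restore = $null },
    @{ Path = "HKLM:\$polSys"; Name = 'DisableTaskMgr';             Bad = 1; Restore = $null },
    @{ Path = "HKLM:\$polSys"; Name = 'EnableLUA';                  Bad = 0; Restore = 1 },
    @{ Path = "HKLM:\$polSys"; Name = 'ConsentPromptBehaviorAdmin'; Bad = 0; Restore = 5 },
    @{ Path = "HKLM:\$polSys"; Name = 'PromptOnSecureDesktop';      Bad = 0; Restore = 1 }
)

foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { continue }                 # value absent: nothing to report
    $current = $item.($c.Name)
    if ($current -ne $c.Bad) { continue }
    Write-Output ("TAMPERED {0}\{1} = {2}" -f $c.Path, $c.Name, $current)
    if ($Fix) {
        if ($c.Restore -eq $null) {
            Remove-ItemProperty -Path $c.Path -Name $c.Name
        } else {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Restore -Type DWord
        }
        Write-Output ("  restored {0}" -f $c.Name)
    }
}

# Script files launched directly from a Run key or a Startup folder.  The posted
# log shows six of them (c1.js, c99c.js, 96c29.js and 97.js twice each).
$scriptExt = '\.(js|jse|vbs|vbe|wsf|wsh|bat|cmd)(\s|"|$)'
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata (PSPath, PSChildName, ...)
        if ("$($p.Value)" -match $scriptExt) {
            Write-Output ("SUSPECT autorun {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.(js|jse|vbs|vbe|wsf|wsh|bat|cmd)$' } |
        ForEach-Object { Write-Output ("SUSPECT startup item {0}" -f $_.FullName) }
}

# The script host behind those entries; WScript.exe appears in the posted process list.
Get-WmiObject Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
    ForEach-Object { Write-Output ("RUNNING script host pid {0}: {1}" -f $_.ProcessId, $_.CommandLine) }

# Hidden+system directories the log's "Created Last 30" section attributes to the
# infection, plus the one the poster deleted by hand.
foreach ($d in 'C:\d6', "$env:ProgramFiles\c8", "$env:APPDATA\d795", "$env:ProgramData\69gan373") {
    if (Test-Path -LiteralPath $d) { Write-Output ("PRESENT {0}" -f $d) }
}
```

Without -Fix the script only reports, so it is safe to run before and after a cleanup and compare the two outputs. A clean result is an empty report; any TAMPERED, SUSPECT, RUNNING or PRESENT line means the cleanup is not finished. Note that the log also records "No restore point in system" and Avira in the Disabled state, both of which should be put right once the machine is clean.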
