Riba

ieupdr2.exe


My PC is completely taken over;

Out of nowhere the program "ieupdr2.exe" was installed on my desktop,

Internet Explorer keeps being launched out of nowhere to pages such as

http: // nadadevirus.com/detetor/?cmpnamegeo=brgeogav&gai=swavsnull_br_ptswavsnull_br_ptgidt&gli=61906190&mt_info=4524_0_5581&cmpnamegeo=null&48050502"

Windows pop up with the message: "Windows Security Alert" "Warning Potencial Spyware Operation! Your computer is making unauthorized copies of your system and internet files. Run full scan to pervert any unauthorized access to your files! Click here to download spyware remover..."

Several "_install.exe" files are installed in various directories

Here is the log:

Logfile of HijackThis v1.99.1

Scan saved at 19:48:47, on 28/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\shell.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\ntfyapp.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashSimpl.exe

C:\Arquivos de programas\Opera\Opera.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\regwiz.exe,userinit.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {850D3E77-5B47-4BBD-A60A-9D483D74F2AE} - C:\WINDOWS\system32\d3d.dll

O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\Hpc7YoFf.dll

O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll (file missing)

O2 - BHO: C:\WINDOWS\system32\Frjkfl4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Arquivos de programas\Helper\Helper8.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [kdfgj9odjkg904gffdftdf] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\winlogan.exe

O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe

O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe

O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe

O4 - HKLM\..\Run: [smgr] mgrs.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\winlogon.exe

O4 - HKCU\..\Run: [ntfyapp] C:\WINDOWS\ntfyapp.exe

O4 - HKCU\..\Run: [kdfgj9odjkg904gffdftdf] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\winlogan.exe

O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\system32\spoolvs.exe

O4 - HKCU\..\Run: [Windows Rescue System] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\winsto.exe

O4 - Startup: findfast.exe

O4 - Startup: _install.exe

O4 - Global Startup: autorun.exe

O4 - Global Startup: _install.exe

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O17 - HKLM\System\CS2\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O17 - HKLM\System\CS3\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O17 - HKLM\System\CS4\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documentos\Settings\partnership.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

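The log above holds several entries a triage analyst would flag before touching the machine: autoruns launched from the Temp folder (winlogan.exe, winlogon.exe, winsto.exe), core-process names outside system32 (C:\WINDOWS\lsass.exe, spoolvs.exe), extra programs chained into Shell= and UserInit=, unnamed BHOs, a Winlogon Notify DLL outside system32, and DisableRegedit=1. The Python script below is an added example, not part of this thread or of HijackThis, that parses such lines and applies exactly those checks; its sample input is an excerpt copied from the first log, and the one-edit threshold for "lookalike" names is an assumption.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example, see
lead-in). Findings are leads for manual verification, not verdicts."""
import re

SYSTEM32 = "c:\\windows\\system32\\"
# Core Windows process names that the malware in this thread imitated.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe", "userinit.exe"}

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<rest>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(basename: str):
    """Core process name that `basename` is exactly one edit away from, or None."""
    for core in sorted(CORE_NAMES):
        if basename != core and osa_distance(basename, core) == 1:
            return core
    return None


def _first_path(text: str) -> str:
    """Pull the executable path out of an autorun value (quoted or not)."""
    m = re.match(r'"([^"]+)"', text) or re.match(
        r"(.*?\.(?:exe|dll|scr|bat|com|cmd|pif))(?=\s|$)", text, re.I)
    return m.group(1) if m else text


def _path_reasons(path: str) -> list:
    """Checks applied to the binary behind an O4 autorun entry."""
    lower = path.lower()
    base = lower.rsplit("\\", 1)[-1]
    folder = lower[: len(lower) - len(base)]
    reasons = []
    if "\\" not in lower:
        reasons.append("bare file name, resolved through the search path")
    if "\\temp\\" in lower:
        reasons.append("autorun from a Temp directory")
    if base in CORE_NAMES and folder != SYSTEM32:
        reasons.append(f"core process name {base} outside system32")
    elif (core := lookalike(base)) is not None:
        reasons.append(f"file name resembles core process {core}")
    return reasons


def check_entry(line: str) -> list:
    """Return the reasons (possibly none) for flagging one HijackThis line."""
    if m := O4_RE.match(line):
        return _path_reasons(_first_path(m["rest"]))
    if m := O2_RE.match(line):
        reasons = ["BHO registered without a name"] if m["name"] == "(no name)" else []
        if "(file missing)" in m["path"]:
            reasons.append("BHO points at a DLL that no longer exists")
        return reasons
    if m := O20_RE.match(line):
        ok = m["path"].lower().startswith(SYSTEM32)
        return [] if ok else ["Winlogon notification DLL outside system32"]
    if m := F2_RE.match(line):
        if m["key"] == "Shell":
            return [] if m["value"].strip().lower() == "explorer.exe" else [
                "Shell value starts extra program(s) besides Explorer.exe"]
        parts = [p.strip().lower() for p in m["value"].split(",") if p.strip()]
        extra = [p for p in parts if not p.endswith("userinit.exe")]
        return [f"UserInit chain also runs {', '.join(extra)}"] if extra else []
    if line.startswith("O7 - ") and "DisableRegedit=1" in line:
        return ["Registry Editor disabled by policy"]
    return []


def triage(log_text: str) -> list:
    """(entry, reason) pairs for every flagged line of a pasted log."""
    return [(line.strip(), reason) for line in log_text.splitlines()
            for reason in check_entry(line.strip())]


# Sample input: entries copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\regwiz.exe,userinit.exe
O2 - BHO: (no name) - {850D3E77-5B47-4BBD-A60A-9D483D74F2AE} - C:\WINDOWS\system32\d3d.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [kdfgj9odjkg904gffdftdf] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\system32\spoolvs.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documentos\Settings\partnership.dll
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Entries that pass every check (avast!, igfxcui) are still not proven clean; an unknown name such as printer.exe or avp.exe needs a hash lookup or vendor signature check that this script does not attempt.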

- Download BankerFix

Important: the tool will close Internet Explorer. Save any link you will need to access later before running it.

Click OK the first and second time message boxes appear. If you are running BankerFix for the second time, it will ask to check for an update. Say Yes and then click OK.

When it runs, a black screen will appear asking you to press any key. Press Enter and wait for it to finish. It may take some time.

When it is done, read the message on the screen and press Enter again. When it finishes, attach the file C:\LinhaDefensiva\relatorio.txt following these instructions:

http://linhadefensiva.uol.com.br/forum/index.php?showtopic=595

- Delete the folder:

C:\LinhaDefensiva

- Download ComboFix

  • Temporarily disable your antivirus;
  • Close all open windows;
  • Double-click combofix.exe and press "1" to proceed with the fix. It may take a while.
  • ComboFix may restart the PC automatically to complete the removal process.
  • When it finishes, a log will be generated at C:\ComboFix.txt.
  • Do not click on the ComboFix window or close it with the X while it is running, and do not move the mouse or use the keyboard, otherwise it will stop and your desktop will go blank.
  • To stop or exit ComboFix, press "N".
  • Paste ComboFix.txt in your reply.

- Generate a new HijackThis log and paste it in your reply.


Wow "JoseMelo", thanks a lot for the help, here it goes:

ComboFix 07-12-21.4 - Administrador 2007-12-29 18:34:07.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.278 [GMT -4:00]

Executando de: C:\Documents and Settings\Administrador\Meus documentos\Meus arquivos recebidos\ComboFix.exe

* Criado um novo ponto de restauro

.

ADS - svchost.exe: deleted 25600 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\4.tmp

C:\Arquivos de programas\Helper

C:\Arquivos de programas\Helper\Helper8.dll

C:\Arquivos de programas\ucleaner_setup.exe

C:\Arquivos de programas\Ultimate Cleaner

C:\Documents and Settings\Administrador\Dados de aplicativos\printer.exe

C:\Documents and Settings\Administrador\Dados de aplicativos\ultra

C:\Documents and Settings\Administrador\Dados de aplicativos\ultra\ultra.inf

C:\Documents and Settings\Administrador\Dados de aplicativos\ultra\uninstall.bat

C:\Documents and Settings\Administrador\Menu Iniciar\Programas\Inicializar\findfast.exe

C:\Documents and Settings\Administrador\ravmonlog

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\autorun.exe

C:\WINDOWS\Casino.ico

C:\WINDOWS\Free Online Dating.ico

C:\WINDOWS\inf\ultra.inf

C:\WINDOWS\msettings.ini

C:\WINDOWS\shell.exe

C:\WINDOWS\Spyware Remover.ico

C:\WINDOWS\system32\5_exception.nls

C:\WINDOWS\system32\drivers\Ivj25.sys

C:\WINDOWS\system32\Frjkfl4g.dll

C:\WINDOWS\system32\kr_done1

C:\WINDOWS\system32\shift.exe.exe

C:\WINDOWS\system32\svcp.csv

C:\WINDOWS\system32\updates260.exe

C:\WINDOWS\system32\updates280.exe

C:\WINDOWS\system32\winsub.xml

C:\WINDOWS\system32\wowfx.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_SYSLIBRARY

-------\SysLibrary

((((((((((((((((((((((( Ficheiros criados de 2007-11-28 to 2007-12-29 ))))))))))))))))))))))))))))))))

.

2007-12-29 18:29 . 2007-12-29 18:30 <DIR> d-------- C:\LinhaDefensiva

2007-12-28 23:34 . 2007-12-29 18:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2007-12-28 20:12 . 2005-04-28 03:50 25,600 --a------ C:\Documents and Settings\Administrador\Dados de aplicativos\mcrupdate.exe

2007-12-22 23:25 . 2007-12-21 21:31 135,168 --a--c--- C:\WINDOWS\system32\dllcache\_install.exe

2007-12-22 23:23 . 2007-12-21 21:31 135,168 --a------ C:\Documents and Settings\Administrador\Dados de aplicativos\_install.exe

2007-12-22 20:23 . 2007-12-29 17:54 29,946 --a------ C:\WINDOWS\ntfyapp.config

2007-12-21 21:44 . 2004-08-03 23:45 84,992 --a------ C:\WINDOWS\system32\bidisp.dll

2007-12-21 21:37 . 1782-01-18 23:14 84,992 --a------ C:\WINDOWS\system32\deskmo.dll

2007-12-21 21:37 . 2007-12-21 21:37 16,896 --------- C:\WINDOWS\system32\updates298.exe

2007-12-21 21:36 . 2007-12-21 21:37 36 --a------ C:\WINDOWS\system32\svchost.t__

2007-12-21 21:34 . 2004-08-03 23:45 84,992 --a------ C:\WINDOWS\system32\d3d.dll

2007-12-21 21:34 . 2004-08-03 23:45 84,992 --a------ C:\WINDOWS\system32\cfgbken.dll

2007-12-21 21:34 . 2007-12-21 21:34 65,536 --a------ C:\11.tmp

2007-12-21 21:34 . 2007-12-21 21:34 35,840 --------- C:\10.tmp

2007-12-21 21:34 . 2007-12-21 22:00 6,144 --a------ C:\Documents and Settings\Administrador\ie_updates3r.exe

2007-12-21 21:34 . 2007-12-22 00:20 363 --a------ C:\WINDOWS\system32\svchost.tmp

2007-12-21 21:34 . 2007-12-21 21:34 4 --a------ C:\13.tmp

2007-12-21 21:31 . 2007-12-21 21:31 135,168 --------- C:\WINDOWS\ntfyapp.exe

2007-12-21 21:31 . 2007-12-21 21:31 65,536 --a------ C:\7.tmp

2007-12-21 21:31 . 2007-12-21 21:31 540 --a------ C:\8.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\F.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\D.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\C.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\B.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\A.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\2.tmp

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-29 22:37 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Skype

2007-12-29 02:07 --------- d-----w C:\Arquivos de programas\eMule

2007-12-28 23:53 --------- d-----w C:\Arquivos de programas\GbPlugin

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\SRP

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\Opera

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\Microsoft LifeCam

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\Microsoft Keyboard Layout Creator 1.4

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\K-Lite Codec Pack

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\CDisplay

2007-12-22 01:34 14,336 ----a-w C:\WINDOWS\system32\svchost.exe

2007-12-22 01:31 135,168 ----a-w C:\WINDOWS\inf\_install.exe

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{850D3E77-5B47-4BBD-A60A-9D483D74F2AE}]

2004-08-03 23:45 84992 --a------ C:\WINDOWS\system32\d3d.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC27C0B1-E20E-4C38-B721-8E16B48FFFC8}]

2004-08-03 23:45 84992 --a------ C:\WINDOWS\system32\d3d.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-08-06 12:43]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45]

"ntfyapp"="C:\WINDOWS\ntfyapp.exe" [2007-12-21 21:31]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LifeCam"="C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe" [2007-01-12 21:48]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Arquivos de programas\GbPlugin\gbieh.dll [2007-08-08 14:29 209224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]

C:\Documents and Settings\All Users\Documentos\Settings\partnership.dll 2007-12-21 21:36 13201 C:\Documents and Settings\All Users\Documentos\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

2007-12-04 09:00 79224 --a------ C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2004-08-03 23:45 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2006-02-19 01:41 49152 --a------ C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]

C:\WINDOWS\AdobeR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2004-10-14 08:11 1388544 --a------ C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsTranslator]

1999-05-12 12:22 390144 --a------ C:\Arquivos de programas\MicroPower Software\Delta Translator\DWinTrsl.exe

R2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe [2007-08-08 14:29]

R2 MSCamSvc;MSCamSvc;"C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 18:13]

R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-05 19:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03c2f645-59ae-11dc-8aa4-001731649972}]

\Shell\AutoRun\command - fooool.exe

\Shell\explore\Command - fooool.exe

\Shell\open\Command - fooool.exe

.

**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-29 18:37:58

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\Documents and Settings\All Users\Documentos\Settings\partnership.dll

.

Tempo para conclusão: 2007-12-29 18:38:39 - machine was rebooted

.

2007-12-29 03:35:03 --- E O F ---


Logfile of HijackThis v1.99.1

Scan saved at 18:40:14, on 29/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\ntfyapp.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Opera\Opera.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4E58833A-A875-427A-9583-72C08BD3D484} - C:\WINDOWS\system32\d3d.dll

O2 - BHO: (no name) - {850D3E77-5B47-4BBD-A60A-9D483D74F2AE} - C:\WINDOWS\system32\d3d.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O2 - BHO: (no name) - {CC27C0B1-E20E-4C38-B721-8E16B48FFFC8} - C:\WINDOWS\system32\d3d.dll

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ntfyapp] C:\WINDOWS\ntfyapp.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documentos\Settings\partnership.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe


BankerFix 2.4 - Removedor de Bankers

Linha Defensiva - http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

Data: 29/12/2007 - 18:30

-------------------------------------------------------

Lista de Definição: 2007-12-25-1

=======================================================

Killando arquivos em Help

-----------------------------------

Killing '*'

Removendo Arquivos em Help

-----------------------------------

----- Fim -------------------------


- Download Killbox and run it:

  • Check the Delete on Reboot option. Copy the list below (select it and click Edit > Copy or press Ctrl + C):

C:\WINDOWS\system32\d3d.dll
C:\WINDOWS\ntfyapp.exe
  • Go back to KillBox. Click File > Paste from clipboard. Click the All Files button;
  • Click killbox.png and answer No to the question.

- Restart the computer in Safe Mode (press the F8 key repeatedly, or F5 in some cases, during startup);

- Open HijackThis, click Do a system scan only and check the entries below:

O2 - BHO: (no name) - {4E58833A-A875-427A-9583-72C08BD3D484} - C:\WINDOWS\system32\d3d.dll

O2 - BHO: (no name) - {850D3E77-5B47-4BBD-A60A-9D483D74F2AE} - C:\WINDOWS\system32\d3d.dll

O2 - BHO: (no name) - {CC27C0B1-E20E-4C38-B721-8E16B48FFFC8} - C:\WINDOWS\system32\d3d.dll

O4 - HKCU\..\Run: [ntfyapp] C:\WINDOWS\ntfyapp.exe

- Close all windows, click ht-fix.png and then Yes;

- Restart in normal mode, generate a new log and paste it in your reply.


It's getting fixed, here it is:

Logfile of HijackThis v1.99.1

Scan saved at 20:13:43, on 30/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4E58833A-A875-427A-9583-72C08BD3D484} - C:\WINDOWS\system32\d3d.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documentos\Settings\partnership.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe


- Open HijackThis, click Do a system scan only and check the entry below:

O2 - BHO: (no name) - {4E58833A-A875-427A-9583-72C08BD3D484} - C:\WINDOWS\system32\d3d.dll

- Close all windows, click ht-fix.png and then Yes;

- Generate a new log and paste it in your reply.


Hi JoseMelo, how are you? This is all I see now:

------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 16:20:08, on 2/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\eMule\emule.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4E58833A-A875-427A-9583-72C08BD3D484} - C:\WINDOWS\system32\d3d.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documentos\Settings\partnership.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

-------------------------------------------------------------------------

In HijackThis I tick the entry and then press "Fix checked", and it shows this message:

"HijackThis is about to remove a BHO and the corresponding file from your system. Close all Internet Explorer windows AND all Windows Explorer windows before continuing for the best chance of success."

I click "OK", but the entry...

O2 - BHO: (no name) - {4E58833A-A875-427A-9583-72C08BD3D484} - C:\WINDOWS\system32\d3d.dll

... always remains.

And even though I never started it, IEXPLORE.EXE keeps showing up in Task Manager (and I can't end the process).

Could that be why the entry doesn't get deleted? I also can't delete the file "C:\WINDOWS\system32\d3d.dll", either normally or with "KillBox"; it stays there.


- In Run, type combofix /u and click OK. In the next window click "Run" and wait for the program to be removed;

- Download ComboFix and save it to the desktop;

- Select the text below and copy it into Notepad. Save it as CFScript.txt;


File::
C:\WINDOWS\system32\d3d.dll

- Restart the computer in Safe Mode (tap the F8 key repeatedly, or F5 on some machines, during startup);

- Drag CFScript.txt onto ComboFix as shown in the image below:

CFScript.gif

ComboFix will run and will restart the PC automatically to complete the removal process.

Do not use the mouse or keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

Note: if ComboFix does not restart your computer automatically, do it manually.

Paste a new HijackThis log in your reply, together with the ComboFix log.


Sorry for the delay in replying. I had problems with my Internet provider.

Damn, I couldn't get rid of the trojan; the file "C:\WINDOWS\system32\d3d.dll" still persists, I can't delete it.

Avast reports an infection by Win32:BHO-KD [Trj]

I'm about to give up.

Here are the logs:

ComboFix 08-01-07.5 - Administrador 2008-01-10 14:48:53.7 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.378 [GMT -4:00]

Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Administrador\Desktop\CFScript.txt

.

((((((((((((((((((((((( Ficheiros criados de 2007-12-10 to 2008-01-10 ))))))))))))))))))))))))))))))))

.

2008-01-10 14:48 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-10 00:34 . 2008-01-10 00:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

2008-01-07 19:02 . 2008-01-07 19:02 <DIR> d-------- C:\LinhaDefensiva

2007-12-31 21:19 . 2008-01-08 19:17 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2007-12-30 20:26 . 2007-12-30 20:41 1,187,564 --a------ C:\WINDOWS\system32\d3dim700.rar

2007-12-30 03:01 . 2007-12-30 03:01 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

2007-12-29 18:51 . 19,456 C:\WINDOWS\system32\drivers\htlevwwr.dat

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\Default User\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\Administrador\Configurações locais

2007-12-28 23:34 . 2007-12-30 03:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2007-12-21 21:36 . 2007-12-21 21:37 36 --a------ C:\WINDOWS\system32\svchost.t__

2007-12-21 21:34 . 2004-08-03 23:45 84,992 --a------ C:\WINDOWS\system32\d3d.dll

2007-12-21 21:34 . 2007-12-21 21:34 65,536 --a------ C:\11.tmp

2007-12-21 21:34 . 2007-12-21 21:34 35,840 --------- C:\10.tmp

2007-12-21 21:34 . 2007-12-22 00:20 363 --a------ C:\WINDOWS\system32\svchost.tmp

2007-12-21 21:34 . 2007-12-21 21:34 4 --a------ C:\13.tmp

2007-12-21 21:31 . 2007-12-21 21:31 65,536 --a------ C:\7.tmp

2007-12-21 21:31 . 2007-12-21 21:31 540 --a------ C:\8.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\F.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\D.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\C.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\B.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\A.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\2.tmp

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-10 18:45 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Skype

2008-01-10 18:37 --------- d-----w C:\Arquivos de programas\eMule

2007-12-28 23:53 --------- d-----w C:\Arquivos de programas\GbPlugin

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\SRP

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\Opera

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\Microsoft LifeCam

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\K-Lite Codec Pack

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\CDisplay

2007-12-22 01:34 14,336 ----a-w C:\WINDOWS\system32\svchost.exe

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-10-29 22:44 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E58833A-A875-427A-9583-72C08BD3D484}]

2004-08-03 23:45 84992 --a------ C:\WINDOWS\system32\d3d.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LifeCam"="C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe" [2007-01-12 21:48 275800]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Arquivos de programas\GbPlugin\gbieh.dll [2007-08-08 14:29 209224]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

--a------ 2007-12-04 09:00 79224 C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-02-19 01:41 49152 C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]

C:\WINDOWS\AdobeR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

--a------ 2004-09-23 11:41 860160 C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a------ 2004-10-14 08:11 1388544 C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsTranslator]

--a------ 1999-05-12 12:22 390144 C:\Arquivos de programas\MicroPower Software\Delta Translator\DWinTrsl.exe

R0 mteiempf;mteiempf;C:\WINDOWS\system32\drivers\htlevwwr.dat []

S2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe [2007-08-08 14:29]

S2 MSCamSvc;MSCamSvc;"C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 18:13]

S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-05 19:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03c2f645-59ae-11dc-8aa4-001731649972}]

\Shell\AutoRun\command - fooool.exe

\Shell\explore\Command - fooool.exe

\Shell\open\Command - fooool.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-10 14:50:19

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-01-10 14:50:48

.

2007-12-31 00:15:07 --- E O F ---

-----------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 14:55:17, on 10/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4E58833A-A875-427A-9583-72C08BD3D484} - C:\WINDOWS\system32\d3d.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe


- In Run, type combofix /u and click OK. In the next window click "Run" and wait for the program to be removed;

- Download ComboFix and save it to the desktop;

- Select the text below and copy it into Notepad. Save it as CFScript.txt;

File::
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\system32\d3dim700.rar
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\d3d.dll
C:\WINDOWS\system32\svchost.tmp

- Restart the computer in Safe Mode (tap the F8 key repeatedly, or F5 on some machines, during startup);

- Drag CFScript.txt onto ComboFix as shown in the image below:

CFScript.gif

ComboFix will run and will restart the PC automatically to complete the removal process.

Do not use the mouse or keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

Note: if ComboFix does not restart your computer automatically, do it manually.

Paste a new HijackThis log in your reply, together with the ComboFix log.


ComboFix 08-01-11.3 - Administrador 2008-01-12 13:25:59.9 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.373 [GMT -4:00]

Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

Command switches used :: and Settings\Administrador\Desktop\ComboFix.exe C:\Documents and Settings\Administrador\Desktop\CFScript.txt

.

((((((((((((((((((((((( Ficheiros criados de 2007-12-12 to 2008-01-12 ))))))))))))))))))))))))))))))))

.

2008-01-12 13:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-11 01:46 . 2008-01-11 01:46 <DIR> d-------- C:\kav

2008-01-10 00:34 . 2008-01-10 00:34 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

2008-01-07 19:02 . 2008-01-07 19:02 <DIR> d-------- C:\LinhaDefensiva

2007-12-31 21:19 . 2008-01-08 19:17 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2007-12-30 20:26 . 2007-12-30 20:41 1,187,564 --a------ C:\WINDOWS\system32\d3dim700.rar

2007-12-30 03:01 . 2007-12-30 03:01 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

2007-12-29 18:51 . 19,456 C:\WINDOWS\system32\drivers\htlevwwr.dat

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\Default User\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\Administrador\Configurações locais

2007-12-28 23:34 . 2007-12-30 03:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2007-12-21 21:36 . 2007-12-21 21:37 36 --a------ C:\WINDOWS\system32\svchost.t__

2007-12-21 21:34 . 2004-08-03 23:45 84,992 --a------ C:\WINDOWS\system32\d3d.dll

2007-12-21 21:34 . 2007-12-21 21:34 65,536 --a------ C:\11.tmp

2007-12-21 21:34 . 2007-12-21 21:34 35,840 --------- C:\10.tmp

2007-12-21 21:34 . 2007-12-22 00:20 363 --a------ C:\WINDOWS\system32\svchost.tmp

2007-12-21 21:34 . 2007-12-21 21:34 4 --a------ C:\13.tmp

2007-12-21 21:31 . 2007-12-21 21:31 65,536 --a------ C:\7.tmp

2007-12-21 21:31 . 2007-12-21 21:31 540 --a------ C:\8.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\F.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\D.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\C.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\B.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\A.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\2.tmp

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-12 17:13 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Skype

2008-01-12 17:13 --------- d-----w C:\Arquivos de programas\eMule

2007-12-28 23:53 --------- d-----w C:\Arquivos de programas\GbPlugin

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\SRP

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\Opera

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\Microsoft LifeCam

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\K-Lite Codec Pack

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\CDisplay

2007-12-22 01:34 14,336 ----a-w C:\WINDOWS\system32\svchost.exe

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-10-29 22:44 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E58833A-A875-427A-9583-72C08BD3D484}]

2004-08-03 23:45 84992 --a------ C:\WINDOWS\system32\d3d.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LifeCam"="C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe" [2007-01-12 21:48 275800]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Arquivos de programas\GbPlugin\gbieh.dll [2007-08-08 14:29 209224]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

--a------ 2007-12-04 09:00 79224 C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-02-19 01:41 49152 C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]

C:\WINDOWS\AdobeR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

--a------ 2004-09-23 11:41 860160 C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a------ 2004-10-14 08:11 1388544 C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsTranslator]

--a------ 1999-05-12 12:22 390144 C:\Arquivos de programas\MicroPower Software\Delta Translator\DWinTrsl.exe

R0 mteiempf;mteiempf;C:\WINDOWS\system32\drivers\htlevwwr.dat []

S2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe [2007-08-08 14:29]

S2 MSCamSvc;MSCamSvc;"C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 18:13]

S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-05 19:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03c2f645-59ae-11dc-8aa4-001731649972}]

\Shell\AutoRun\command - fooool.exe

\Shell\explore\Command - fooool.exe

\Shell\open\Command - fooool.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-12 13:27:32

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-01-12 13:28:10

ComboFix2.txt 2008-01-10 19:07:16

.

2007-12-31 00:15:07 --- E O F ---

---------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 13:34:18, on 12/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Opera\Opera.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4E58833A-A875-427A-9583-72C08BD3D484} - C:\WINDOWS\system32\d3d.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe


- In Run, type combofix /u and click OK. In the next window click "Run" and wait for the program to be removed;

- Download ComboFix and save it to the desktop;

- Select the text below and copy it into Notepad. Save it as CFScript.txt;


Driver::
mteiempf
RootKit::
C:\WINDOWS\system32\drivers\htlevwwr.dat
File::
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\system32\d3dim700.rar
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\d3d.dll
C:\WINDOWS\system32\svchost.tmp

- Restart the computer in Safe Mode (tap the F8 key repeatedly, or F5 on some machines, during startup);

- Drag CFScript.txt onto ComboFix as shown in the image below:

CFScript.gif

ComboFix will run and will restart the PC automatically to complete the removal process.

Do not use the mouse or keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

Note: if ComboFix does not restart your computer automatically, do it manually.

Paste the new ComboFix and HijackThis logs in your reply.


Here it goes...

ComboFix 08-01-14.1 - Administrador 2008-01-13 20:17:46.10 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.372 [GMT -4:00]

Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Administrador\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE

C:\WINDOWS\system32\d3d.dll

C:\WINDOWS\system32\d3d8caps.dat

C:\WINDOWS\system32\d3d9caps.dat

C:\WINDOWS\system32\d3dim700.rar

C:\WINDOWS\system32\svchost.t__

C:\WINDOWS\system32\svchost.tmp

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\d3d.dll

C:\WINDOWS\system32\d3d9caps.dat

C:\WINDOWS\system32\drivers\htlevwwr.dat

C:\WINDOWS\system32\msacm32.drv

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_MTEIEMPF

-------\mteiempf

((((((((((((((((((((((( Ficheiros criados de 2007-12-14 to 2008-01-14 ))))))))))))))))))))))))))))))))

.

2008-01-13 20:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-12 13:51 . 2008-01-12 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-01-11 01:46 . 2008-01-11 01:46 <DIR> d-------- C:\kav

2008-01-07 19:02 . 2008-01-07 19:02 <DIR> d-------- C:\LinhaDefensiva

2007-12-30 03:01 . 2007-12-30 03:01 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\Default User\Configurações locais

2007-12-29 18:38 . 2007-12-29 18:38 <DIR> d-------- C:\Documents and Settings\Administrador\Configurações locais

2007-12-28 23:34 . 2007-12-30 03:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2007-12-21 21:34 . 2007-12-21 21:34 65,536 --a------ C:\11.tmp

2007-12-21 21:34 . 2007-12-21 21:34 35,840 --------- C:\10.tmp

2007-12-21 21:34 . 2007-12-21 21:34 4 --a------ C:\13.tmp

2007-12-21 21:31 . 2007-12-21 21:31 65,536 --a------ C:\7.tmp

2007-12-21 21:31 . 2007-12-21 21:31 540 --a------ C:\8.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\F.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\D.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\C.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\B.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\A.tmp

2007-12-21 21:31 . 2007-12-21 21:31 0 --a------ C:\2.tmp

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-14 00:14 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Skype

2008-01-14 00:06 --------- d-----w C:\Arquivos de programas\eMule

2007-12-28 23:53 --------- d-----w C:\Arquivos de programas\GbPlugin

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\SRP

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\Opera

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\Microsoft LifeCam

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\K-Lite Codec Pack

2007-12-28 23:51 --------- d-----w C:\Arquivos de programas\CDisplay

2007-12-22 01:34 14,336 ----a-w C:\WINDOWS\system32\svchost.exe

2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr

2007-10-29 22:44 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LifeCam"="C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe" [2007-01-12 21:48 275800]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]

"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Arquivos de programas\GbPlugin\gbieh.dll [2007-08-08 14:29 209224]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

--a------ 2007-12-04 09:00 79224 C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-02-19 01:41 49152 C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]

C:\WINDOWS\AdobeR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

--a------ 2004-09-23 11:41 860160 C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a------ 2004-10-14 08:11 1388544 C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsTranslator]

--a------ 1999-05-12 12:22 390144 C:\Arquivos de programas\MicroPower Software\Delta Translator\DWinTrsl.exe

R2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe [2007-08-08 14:29]

R2 MSCamSvc;MSCamSvc;"C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 18:13]

R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-05 19:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03c2f645-59ae-11dc-8aa4-001731649972}]

\Shell\AutoRun\command - fooool.exe

\Shell\explore\Command - fooool.exe

\Shell\open\Command - fooool.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 20:21:29

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-01-13 20:22:41 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-14 00:22:39

ComboFix2.txt 2008-01-12 17:28:10

.

2007-12-31 00:15:07 --- E O F ---

---------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 20:23:09, on 13/1/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{079B14C5-C8FA-40B1-9B96-A1286C8BC195}: NameServer = 201.10.128.2,201.10.1.2

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

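The two logs above are read by hand in this thread; the following is an added example (not code from the thread, and not part of HijackThis or ComboFix) of how a responder can pre-triage such logs with a few defender-side heuristics: O23 services whose binary the tool could not resolve, O20 Winlogon Notify entries that name no DLL, autostart binaries loaded from outside the usual program and system directories, and mountpoints2 AutoRun commands that point at a bare executable name. The sample lines are constructed from the logs posted above; the trusted-directory list, the function names and the finding labels are this example's own assumptions, and every hit is a prompt for manual verification rather than a verdict.

```python
"""Triage heuristics for HijackThis / ComboFix autostart log lines.

Added example, not the forum's or the tools' own code. Sample lines are
constructed from the thread; heuristics and names are assumptions.
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (section, reason, original line)

# Directories from which autostart binaries on this Portuguese XP box are
# normally loaded (assumption: a loose .exe directly under %WINDIR% or the
# drive root is unusual enough to deserve a second look).
TRUSTED_DIR_PATTERNS = [
    re.compile(r"^C:\\WINDOWS\\system32\\", re.I),
    re.compile(r"^C:\\Arquivos de programas\\", re.I),  # "Program Files" (pt-BR)
    re.compile(r"^C:\\ARQUIV~1\\", re.I),               # its 8.3 short name
]

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|drv|dat))', re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\.*\\[Cc]ommand - ")


def _in_trusted_dir(path: str) -> bool:
    return any(p.match(path) for p in TRUSTED_DIR_PATTERNS)


def _extract_path(text: str) -> Optional[str]:
    """Return the first Windows binary path found in a log line, if any."""
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def triage_hijackthis(lines: List[str]) -> List[Finding]:
    """Apply the O4 / O20 / O23 heuristics to HijackThis log lines."""
    findings: List[Finding] = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O23" and "(file missing)" in body:
            # The tool could not resolve the service binary: verify by hand.
            findings.append((section, "service binary not resolved by the tool", line))
        elif section == "O20" and body.rstrip().endswith("\\"):
            # Winlogon Notify entries should name a DLL; a bare directory
            # is incomplete and must be checked manually.
            findings.append((section, "Winlogon Notify entry lists no DLL name", line))
        elif section == "O4":
            path = _extract_path(body)
            if path and not _in_trusted_dir(path):
                findings.append((section, "autostart outside trusted directories", line))
    return findings


def triage_combofix_autorun(lines: List[str]) -> List[Finding]:
    """Flag ComboFix registry load-point lines.

    Two checks: Run / msconfig startupreg binaries outside the trusted
    directories, and mountpoints2 AutoRun commands naming a relative
    executable (the removable-media autorun pattern).
    """
    findings: List[Finding] = []
    for line in lines:
        s = line.strip()
        if AUTORUN_RE.match(s):
            cmd = s.split(" - ", 1)[1]
            if not re.match(r"^[A-Za-z]:\\", cmd):
                findings.append(("mountpoints2", "AutoRun command with relative executable", line))
            continue
        path = _extract_path(s)
        if path and path.lower().endswith(".exe") and not _in_trusted_dir(path):
            findings.append(("startup", "startup binary outside trusted directories", line))
    return findings


# Constructed samples taken from the logs in this thread.
SAMPLE_HJT = [
    r'O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll',
    "O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\",
    r'O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe',
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
]
SAMPLE_COMBOFIX = [
    r'"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]',
    r'--a------ 2004-08-03 23:45 15360 C:\WINDOWS\system32\ctfmon.exe',
    r'C:\WINDOWS\AdobeR.exe',
    r'\Shell\AutoRun\command - fooool.exe',
    r'\Shell\open\Command - fooool.exe',
]

if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_HJT) + triage_combofix_autorun(SAMPLE_COMBOFIX):
        print(f"[{section}] {reason}: {line}")
```

On the sample data the HijackThis pass flags only the WgaLogon O20 entry and the avast! Mail Scanner O23 entry, and the ComboFix pass flags C:\WINDOWS\AdobeR.exe plus the two fooool.exe AutoRun commands; everything under Arquivos de programas or system32 passes. The trusted-directory list is deliberately narrow so that the script over-reports and a human decides, which is the right bias for a triage aid.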

- OK, the log is clean :)

- In Run, type combofix /u and click OK. In the next window click "Run" and wait for the program to be removed;

- I recommend doing maintenance on the computer to remove temporary and unnecessary files and invalid registry entries. Download CCleaner:

  • Open the program and click Run Cleaner;
  • After that, click Registry > Scan for Issues > Fix Issues

- Disable and re-enable System Restore

- Read the article "Proteja seu PC" (Protect your PC) for more information on how to avoid infections.


Thanks for the help, JoseMelo, I wouldn't have managed without guidance.

Hugs, and thank you very much indeed.
