leoer

Log Analysis (Suspected Banker)

Hello!

Yesterday I opened an e-mail from TIM with the subject "photo message for you". The e-mail was very well made and came with a link ending in .php. Carelessly I clicked that link, and only afterwards realised that TIM doesn't send that kind of e-mail.

Anyway, the site that opened didn't ask me to save any file on my PC. It was a "page not found" site, but full of pop-ups.

I think I've been infected, since I've been reading that there are some bankers that get downloaded to the PC without any permission.

I downloaded BankerFix, but since I don't know the program very well, I'm still suspicious.

Here is the HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 14:55:21, on 23/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66010

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66010

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66010

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66010

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66010

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: ADSTechnology module - {831CBAC0-8283-4653-9D81-FEB9F3F6E47C} - C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [iSUSPM Startup] "c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Thanks, see you.

- Open Control Panel > Add or Remove Programs and uninstall:

ADSTechnology

- Generate a new log and paste it in your reply.

Thanks for replying.

Here it is:

Logfile of HijackThis v1.99.1

Scan saved at 12:44:31, on 25/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66010

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66010

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66010

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66010

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66010

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


- OK, the log is clean :)

- I recommend a maintenance pass on the computer to delete temporary and unnecessary files and invalid registry entries. Download CCleaner:

  • Open the program and click Run Cleaner;
  • After that, click Registry > Scan for Issues > Fix selected issues

- Disable and re-enable System Restore

- Read the article Proteja seu PC (Protect your PC) for more information on how to avoid infections.
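The two HijackThis logs above differ only by the ADSTechnology BHO that was uninstalled. As an added example (not code from the thread or from HijackThis itself), this Python script parses the entry lines, reports what changed between the two scans, and flags the entries a reviewer would still check by hand. The sample lines are excerpts copied from the logs posted above; the triage rules are my own assumptions, not HijackThis's.

```python
"""Diff and triage HijackThis logs.

Added example (not from the thread, not HijackThis's own code). The sample
lines are excerpts copied from the two logs posted above; the triage rules
are my own heuristics, meant to point a reviewer at entries worth checking.
"""
import re
from urllib.parse import urlsplit

# A HijackThis entry line: a section code (R0..R3, F0..F3, N1..N4, O1..O24),
# then " - ", then the entry text. Header and "Running processes" lines do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Excerpt of the first log (23/3/2008), copied from the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 14:55:21, on 23/3/2008
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66010
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ADSTechnology module - {831CBAC0-8283-4653-9D81-FEB9F3F6E47C} - C:\Arquivos de programas\ADSTechnology\ADSTechnology.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
"""

# Excerpt of the second log (25/3/2008), after ADSTechnology was uninstalled.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:44:31, on 25/3/2008
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66010
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
"""


def parse_log(text):
    """Return {section: [entry, ...]} in file order; non-entry lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def diff_logs(before, after):
    """(removed, added): entries present in only one of the two logs, as (section, entry)."""
    old = {(s, e) for s, es in parse_log(before).items() for e in es}
    new = {(s, e) for s, es in parse_log(after).items() for e in es}
    return sorted(old - new), sorted(new - old)


def _is_microsoft_host(url):
    """True when the URL's host is microsoft.com or a subdomain of it (proper host parse,
    not a substring match, so 'microsoft.com' buried in a path does not pass)."""
    host = urlsplit(url).hostname or ""
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def triage(text):
    """Flag entries worth a closer look. The rules are this example's assumption:
    R0/R1 browser URLs not under microsoft.com, O2 BHOs whose DLL is missing, and
    O10 LSP entries HijackThis could not identify. A flag prompts a vendor check,
    it is not a verdict."""
    flags = []
    for section, entries in parse_log(text).items():
        for entry in entries:
            url = entry.partition(" = ")[2].strip()
            if section in ("R0", "R1") and url.startswith("http") and not _is_microsoft_host(url):
                flags.append((section, entry, "browser start/search URL changed from the Microsoft default"))
            elif section == "O2" and entry.endswith("(no file)"):
                flags.append((section, entry, "BHO registered but its DLL is missing (orphaned entry)"))
            elif section == "O10":
                flags.append((section, entry, "Winsock LSP not recognised by HijackThis; confirm the vendor"))
    return flags


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed since first log:", removed)
    print("new since first log:", added)
    for section, entry, why in triage(LOG_AFTER):
        print(f"[{section}] {why}\n    {entry}")
```

On the excerpts above the diff reports exactly the ADSTechnology BHO as removed, while the crawler.com search bar, the orphaned BHO and the Bonjour LSP remain flagged in both scans as items to verify rather than infections.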

Oh good, thank you!

I'll do as instructed.

PS: Does the kind of virus I mentioned really show up in HijackThis logs? I'm a bit of a layman and my AVG doesn't find anything...

Well, maybe my IE was updated in a way that managed to block the infection from this e-mail.

If you got "page not found", it's because the virus had already been removed from the page. Had you executed the file, then yes, you would have been infected.

Oh I see.

But it wasn't an IE 404 error notification... there were even ads on the page.

- Download ComboFix

  • Temporarily disable the antivirus;
  • Close all open windows;
  • Double-click ComboFix.exe, click "Run" and type "1" + Enter to proceed with the Fix. It may take some time.
  • ComboFix may restart the PC automatically to complete the removal process.
  • When it finishes, a log will be generated at C:\ComboFix.txt.
  • Do not click on the ComboFix window or close it via the X while it is running, do not move the mouse and do not use the keyboard, otherwise it will stop and your desktop will go blank.
  • To stop or exit ComboFix, press "N".
  • Paste ComboFix.txt in your reply.

Here it is:

ComboFix 08-03-30.2 - familia 2008-03-30 11:55:09.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.617 [GMT -3:00]

Executando de: C:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Arquivos de programas\ActivationManager

C:\Arquivos de programas\ActivationManager\Uninstall.exe

.

((((((((((((((((((((((( Ficheiros criados de 2008-02-28 to 2008-03-30 ))))))))))))))))))))))))))))))))

.

2008-03-30 11:48 . 2008-03-30 11:48 1,603,366 --a------ C:\ComboFix.exe

2008-03-29 09:26 . 2008-03-29 09:26 <DIR> d-------- C:\LinhaDefensiva

2008-03-29 09:26 . 2008-03-29 09:26 180,719 --a------ C:\bankerfix.exe

2008-03-28 12:58 . 2008-03-28 13:13 <DIR> d-------- C:\Downloads

2008-03-26 21:47 . 2008-03-26 21:47 <DIR> d-------- C:\Arquivos de programas\uTorrent

2008-03-23 20:25 . 2008-03-23 20:25 244 --ah----- C:\sqmnoopt13.sqm

2008-03-23 20:25 . 2008-03-23 20:25 232 --ah----- C:\sqmdata14.sqm

2008-03-22 10:35 . 2008-03-29 15:47 <DIR> d-------- C:\Video-Games

2008-03-20 23:01 . 2008-03-20 23:01 <DIR> d-------- C:\Recnet

2008-03-20 23:01 . 2006-10-31 13:12 128,000 --a------ C:\WINDOWS\DesinstWRecnet.exe

2008-03-20 23:01 . 2008-02-12 14:27 122,880 --a------ C:\WINDOWS\DesinstRecnet.exe

2008-03-20 23:01 . 2006-10-31 13:12 5,361 --a------ C:\WINDOWS\DesinstWRecnet.ini

2008-03-20 23:01 . 2008-03-20 23:01 127 --a------ C:\WINDOWS\REC-NET.INI

2008-03-20 22:47 . 2008-03-20 22:47 <DIR> d-------- C:\Documents and Settings\familia\.receitanet

2008-03-18 16:22 . 2006-11-10 01:42 84,512 -ra------ C:\WINDOWS\system32\drivers\ssm_mdm.sys

2008-03-18 16:22 . 2006-11-10 01:42 6,112 -ra------ C:\WINDOWS\system32\drivers\ssm_cmnt.sys

2008-03-18 16:22 . 2006-11-10 01:42 6,112 -ra------ C:\WINDOWS\system32\drivers\ssm_cm.sys

2008-03-18 16:22 . 2006-11-10 01:42 6,096 -ra------ C:\WINDOWS\system32\drivers\ssm_mdfl.sys

2008-03-18 16:21 . 2006-11-10 01:42 52,416 -ra------ C:\WINDOWS\system32\drivers\ssm_bus.sys

2008-03-18 16:21 . 2006-11-10 01:42 5,776 -ra------ C:\WINDOWS\system32\drivers\ssm_whnt.sys

2008-03-18 16:21 . 2006-11-10 01:42 5,776 -ra------ C:\WINDOWS\system32\drivers\ssm_wh.sys

2008-03-18 16:20 . 2005-05-12 13:09 556,544 --------- C:\WINDOWS\system32\NexPlayerX.dll

2008-03-14 17:02 . 2008-03-14 18:08 <DIR> d--h----- C:\Documents and Settings\All Users\Dados de aplicativos\ActiveSMART

2008-03-11 13:25 . 2006-08-10 15:16 2,435,613 --a------ C:\WINDOWS\system32\Avc.ax

2008-03-11 13:25 . 2005-09-09 16:51 54,193 --a------ C:\WINDOWS\system32\pthreadGC2.dll

2008-03-11 13:25 . 2005-01-19 18:23 25,600 --a------ C:\WINDOWS\system32\AVSredirect.dll

2008-03-11 13:24 . 2008-03-11 13:27 <DIR> d-------- C:\Arquivos de programas\Okoker MP3 To AMR Converter

2008-03-11 13:24 . 2008-03-11 13:24 34 --ah----- C:\WINDOWS\system32\MP3ToAMRConverter_sysquict.dat

2008-03-09 18:26 . 2008-03-09 18:26 244 --ah----- C:\sqmnoopt12.sqm

2008-03-09 18:26 . 2008-03-09 18:26 232 --ah----- C:\sqmdata13.sqm

2008-03-08 21:35 . 2008-03-08 21:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Dados de aplicativos\AVG7

2008-03-08 21:05 . 2008-03-08 21:05 <DIR> d-------- C:\Arquivos de programas\Guitar Pro 5

2008-03-08 21:00 . 2008-03-08 21:00 <DIR> d-------- C:\Arquivos de programas\D'Accord Afinador 3.0

2008-03-07 21:09 . 2008-03-20 22:56 <DIR> d-------- C:\Arquivos de programas\Programas RFB

2008-03-04 13:49 . 2008-03-04 13:49 244 --ah----- C:\sqmnoopt11.sqm

2008-03-04 13:49 . 2008-03-04 13:49 232 --ah----- C:\sqmdata12.sqm

2008-03-04 13:48 . 2008-03-04 13:48 244 --ah----- C:\sqmnoopt10.sqm

2008-03-04 13:48 . 2008-03-04 13:48 232 --ah----- C:\sqmdata11.sqm

2008-03-04 13:42 . 2008-03-04 13:42 268 --ah----- C:\sqmdata08.sqm

2008-03-04 13:42 . 2008-03-04 13:42 244 --ah----- C:\sqmnoopt08.sqm

2008-03-04 13:42 . 2008-03-04 13:42 148 --ah----- C:\sqmdata10.sqm

2008-03-04 13:42 . 2008-03-04 13:42 148 --ah----- C:\sqmdata09.sqm

2008-03-04 13:42 . 2008-03-04 13:42 136 --ah----- C:\sqmnoopt09.sqm

2008-02-28 22:51 . 2008-03-08 21:01 <DIR> d-------- C:\Arquivos de programas\MP3 Player Utilities 4.00

2008-02-28 22:32 . 2008-03-08 21:01 <DIR> d-------- C:\Arquivos de programas\AviSynth 2.5

2008-02-27 13:11 . 2006-04-06 11:14 745,472 --a------ C:\WINDOWS\system32\OutlookGPRS.mdb

2008-02-27 13:03 . 2008-03-18 16:15 <DIR> d-------- C:\Arquivos de programas\Samsung

2008-02-25 16:16 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2008-02-25 16:16 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

2008-02-25 16:15 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys

2008-02-25 16:15 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys

2008-02-22 19:56 . 2008-02-22 19:56 42 --a------ C:\WINDOWS\boxworld.ini

2008-02-22 17:02 . 2008-02-22 17:02 <DIR> d-------- C:\WINDOWS\system32\Adobe

2008-02-22 17:02 . 2004-08-16 21:40 16,384 --a------ C:\WINDOWS\system32\FileOps.exe

2008-02-21 23:56 . 2008-02-21 23:56 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Office Genuine Advantage

2008-02-20 20:08 . 2008-02-20 20:08 <DIR> d-------- C:\Arquivos de programas\Watchtower

2008-02-10 20:38 . 2008-02-10 20:38 <DIR> d-------- C:\Documents and Settings\familia\Dados de aplicativos\Move Networks

2008-02-10 19:50 . 2008-02-10 19:50 <DIR> d-------- C:\Arquivos de programas\Microsoft Silverlight

2008-02-07 16:38 . 2008-03-10 17:40 <DIR> d-------- C:\Arquivos de programas\Violaopopular4

2008-02-07 15:43 . 2008-02-07 15:44 8 --a------ C:\Documents and Settings\All Users\Dados de aplicativos\SDGLYBMPWPP.SYS

2008-02-07 13:28 . 2008-03-18 16:08 38 --a------ C:\WINDOWS\avisplitter.INI

2008-02-05 12:57 . 2008-02-05 12:57 <DIR> d-------- C:\Arquivos de programas\K-Lite Codec Pack

2008-02-05 12:01 . 2008-02-05 12:01 <DIR> d-------- C:\Documents and Settings\familia\Dados de aplicativos\Media Player Classic

2008-02-05 11:53 . 2008-02-05 11:55 <DIR> d-------- C:\Arquivos de programas\NET Radio Rip Or Play V4.0.0

2008-02-05 11:53 . 1999-08-27 15:53 184,320 --a------ C:\WINDOWS\system32\ARFrmExt.ocx

2008-02-05 11:53 . 2001-06-26 17:35 131,072 --a------ C:\WINDOWS\system32\ARButton.ocx

2008-02-05 11:53 . 2001-02-23 20:12 102,400 --a------ C:\WINDOWS\system32\MRActLabel.ocx

2008-02-05 11:53 . 2007-02-14 21:29 81,920 --a------ C:\WINDOWS\system32\GkSui20.EXE

2008-02-05 11:53 . 2001-06-26 17:10 69,632 --a------ C:\WINDOWS\system32\ARFlatButton.ocx

2008-02-05 11:53 . 2008-02-05 11:53 3 ---h----- C:\WINDOWS\system32\NR40

2008-02-04 20:23 . 2008-02-04 20:23 <DIR> d-------- C:\BLUEBYTE

2008-02-04 18:23 . 2008-02-04 18:23 693,792 --a------ C:\WINDOWS\system32\OGACheckControl.DLL

2008-02-04 12:55 . 2008-02-04 20:14 <DIR> d-------- C:\Arquivos de programas\Violaopopular4(2)

2008-02-01 02:21 . 2008-02-01 02:21 245,408 --a------ C:\WINDOWS\system32\unicows.dll

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-30 14:32 --------- d-----w C:\Documents and Settings\familia\Dados de aplicativos\uTorrent

2008-03-28 21:10 --------- d-----w C:\Arquivos de programas\eMule

2008-03-28 16:12 --------- d-----w C:\Documents and Settings\familia\Dados de aplicativos\AVG7

2008-03-23 19:16 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-03-18 20:11 --------- d-----w C:\Arquivos de programas\Real Alternative

2008-03-10 20:41 --------- d-----w C:\Arquivos de programas\Neat Image

2008-03-10 20:40 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-03-09 22:57 --------- d-----w C:\Arquivos de programas\Java

2008-03-09 10:29 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-03-09 00:42 --------- d-----w C:\Arquivos de programas\Macromedia

2008-03-09 00:42 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Macromedia

2008-02-20 09:44 --------- d-----w C:\Arquivos de programas\DVD Decrypter

2008-02-20 01:47 --------- d-----w C:\Arquivos de programas\Digital Guitar Tuner 2.3

2008-02-15 22:28 --------- d-----w C:\Arquivos de programas\MDK2

2008-02-15 22:28 --------- d-----w C:\Arquivos de programas\FrameShow

2008-02-15 22:28 --------- d-----w C:\Arquivos de programas\FaxTools

2008-02-15 22:28 --------- d-----w C:\Arquivos de programas\BraZip

2008-02-05 15:22 737,280 ----a-w C:\WINDOWS\iun6002.exe

2008-02-05 13:36 --------- d-----w C:\Arquivos de programas\vd

2008-02-05 00:02 --------- d-----w C:\Arquivos de programas\CCleaner

2008-02-04 23:28 --------- d-----w C:\Arquivos de programas\MP3 Player Utilities 4.15

2008-02-04 23:27 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer

2008-02-04 23:27 --------- d-----w C:\Arquivos de programas\QuickTime

2008-02-04 23:23 --------- d-----w C:\Arquivos de programas\Spybot - Search & Destroy

2008-02-04 23:23 --------- d-----w C:\Arquivos de programas\Microsoft Bootvis

2008-02-04 23:22 --------- d-----w C:\Arquivos de programas\Liatro

2008-02-04 23:19 --------- d-----w C:\Arquivos de programas\MP3 to WAV Decoder

2008-02-04 23:17 --------- d-----w C:\Arquivos de programas\Sub Station Alpha v4.08

2008-02-04 23:16 --------- d-----w C:\Arquivos de programas\WinAVI Video Converter

2008-02-04 23:16 --------- d-----w C:\Arquivos de programas\DivX

2008-02-04 23:15 --------- d-----w C:\Arquivos de programas\TweakNow RegCleaner Std

2008-02-04 23:15 --------- d-----w C:\Arquivos de programas\DVD Shrink

2008-02-04 23:15 --------- d-----w C:\Arquivos de programas\CPU-Z

2008-01-28 19:14 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink

2008-01-06 22:15 7,168 --sha-w C:\Arquivos de programas\Thumbs.db

2007-12-24 15:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll

2007-12-16 19:42 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-12-10 11:46 713,728 ----a-w C:\WINDOWS\system32\opengl32.dll.tmp

2007-12-07 02:09 824,832 ----a-w C:\WINDOWS\system32\wininet.dll

2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\oleaut32.dll

2007-12-04 04:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll

2007-07-15 14:26 79 ----a-w C:\Arquivos de programas\Mostrar área de trabalho.scf

2006-03-14 03:52 18,321 ----a-w C:\Arquivos de programas\copying

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"WMPNSCFG"="C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe" [2006-11-02 23:32 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2008-02-05 07:52 579072]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]

"SoundMAXPnP"="C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-05-19 22:11 925696]

"SoundMAX"="C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35 716800]

"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]

"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-09-23 23:08 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

"AVG7_Run"="C:\ARQUIV~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:33 219136]

C:\Documents and Settings\familia\Menu Iniciar\Programas\Inicializar\

Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

PowerReg Scheduler.exe [2007-07-16 17:32:16 225280]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^familia^Menu Iniciar^Programas^Inicializar^Registration The Settlers II - 10th Anniversary.LNK]

path=C:\Documents and Settings\familia\Menu Iniciar\Programas\Inicializar\Registration The Settlers II - 10th Anniversary.LNK

backup=C:\WINDOWS\pss\Registration The Settlers II - 10th Anniversary.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2006-10-09 11:28 139264 C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

--------- 2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]

-r------- 2006-08-13 23:51 352256 C:\WINDOWS\system32\JMRaidTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--a------ 2006-12-05 22:55 54832 C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]

--a------ 2006-07-13 02:34 57344 C:\Arquivos de programas\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2006-01-12 16:40 155648 C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-09-23 23:08 286720 C:\Arquivos de programas\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2006-11-23 15:10 56928 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]

-ra------ 2006-07-10 15:33 176128 C:\WINDOWS\system32\S3Trayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-02-22 04:25 144784 C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2006-08-03 03:53 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"RichVideo"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe"=

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"=

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe"=

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avgemc.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\Shareaza\\Shareaza.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\WINDOWS\\system32\\rundll32.exe"=

"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe"=

"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"C:\\Arquivos de programas\\VideoLAN\\VLC\\vlc.exe"=

"C:\\Arquivos de programas\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 00:38]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 00:39]

R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-09-11 23:43]

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-30 11:58:07

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-03-30 11:59:02

ComboFix-quarantined-files.txt 2008-03-30 14:58:45

Pre-Run: 17,077,911,552 bytes disponíveis

Post-Run: 17,068,449,792 bytes disponíveis

.

2008-03-12 16:16:29 --- E O F ---


- Log clean :)

- In Run, type combofix /u and click OK. In the next window click "Run" and wait for the program to be removed.

About Clube do Hardware

On the air since 1996, Clube do Hardware is one of the largest, oldest and most respected technology publications in Brazil.