caddumello

Virus, Tavo.exe and Kavo.exe, how do I remove them?


Hi folks!

I have a kavo virus on my computer and would like to remove it.

I ran HijackThis and ComboFix.

I am posting below the logs generated in the txt files so that you can help me.

Cheers.

HIJACKTHIS ====================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 03:52:10, on 9/7/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\Arquivos de programas\Winamp\winampa.exe

C:\Arquivos de programas\SiteAdvisor\6261\SiteAdv.exe

C:\Arquivos de programas\McAfee\MBK\McAfeeDataBackup.exe

C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

C:\Arquivos de programas\Portrait Displays\forteManager\DTSRVC.exe

C:\Arquivos de programas\McAfee\MBK\MBackMonitor.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\system32\ctfmon.exe

c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe

c:\ARQUIV~1\ARQUIV~1\mcafee\mcproxy\mcproxy.exe

C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe

C:\Arquivos de programas\McAfee\MSK\MskSrver.exe

C:\Arquivos de programas\SiteAdvisor\6261\SAService.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\svchost.exe

c:\ARQUIV~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\ARQUIV~1\MOZILL~1\FIREFOX.EXE

C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe

C:\Arquivos de programas\FlashGet\flashget.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Arquivos de programas\SiteAdvisor\6261\SiteAdv.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\ARQUIV~1\FlashGet\jccatch.dll

O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\ARQUIV~1\mcafee\msk\mcapbho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Arquivos de programas\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\ARQUIV~1\FlashGet\getflash.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARQUIV~1\FlashGet\fgiebar.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Arquivos de

COMBOFIX =================================================

ComboFix 08-07-08.5 - Dudu 2008-07-09 3:56:28.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1395 [GMT -3:00]

Executando de: C:\Documents and Settings\Dudu\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\WINDOWS\system32\kavo.exe

C:\WINDOWS\system32\kavo0.dll

C:\WINDOWS\system32\kavo1.dll

C:\WINDOWS\system32\tavo1.dll

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-09 to 2008-07-09 ))))))))))))))))))))))))))))))))

.

2008-07-09 03:48 . 2008-07-09 03:48 19 --a------ C:\WINDOWS\SoundConverter.INI

2008-07-09 03:36 . 2008-07-09 03:41 <DIR> d-------- C:\WINDOWS\LastGood

2008-07-09 03:24 . 2008-07-09 03:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-07-09 03:19 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\002862_.tmp

2008-07-04 20:48 . 2008-07-04 20:48 128,473 -r-hs---- C:\8uot.exe

2008-07-03 10:39 . 2008-07-03 18:15 129,013 -r-hs---- C:\cm0.com

2008-06-30 00:19 . 2008-07-02 12:08 128,321 -r-hs---- C:\ox.cmd

2008-06-28 13:33 . 2008-06-28 18:35 125,010 -r-hs---- C:\feav9a2.cmd

2008-06-25 14:53 . 2008-06-26 20:45 124,333 -r-hs---- C:\p1f6b.exe

2008-06-21 14:17 . 2008-06-28 14:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-06-21 14:17 . 2008-06-21 14:17 1,409 --a------ C:\WINDOWS\QTFont.for

2008-06-20 14:48 . 2008-06-20 14:48 247,808 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 14:48 . 2008-06-20 14:48 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 08:51 . 2008-06-20 08:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 08:40 . 2008-06-20 08:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 08:08 . 2008-06-20 08:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-14 17:47 . 2008-06-18 22:50 124,409 -r-hs---- C:\f.bat

2008-06-11 00:36 . 2008-07-09 03:37 118 --a------ C:\WINDOWS\system32\MRT.INI

2008-06-10 22:41 . 2008-06-10 22:41 <DIR> d-------- C:\Arquivos de programas\Trend Micro

2008-06-10 17:43 . 2008-06-14 14:34 272,384 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-10 17:43 . 2008-06-14 14:34 272,384 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-10 17:36 . 2008-05-08 11:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-09 06:59 --------- d-----w C:\Arquivos de programas\FlashGet

2008-07-09 06:49 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-07-09 06:49 --------- d-----w C:\Arquivos de programas\Nokia

2008-07-09 06:30 96,384 ----a-w C:\WINDOWS\system32\drivers\sptd7405.sys

2008-07-09 02:36 --------- d-----w C:\Arquivos de programas\eMule

2008-07-07 20:04 --------- d-----w C:\Arquivos de programas\McAfee

2008-06-22 20:53 --------- d-----w C:\Documents and Settings\Dudu\Dados de aplicativos\Autodesk

2008-06-22 20:53 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Autodesk

2008-06-20 17:48 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-05 21:15 --------- d-----w C:\Documents and Settings\Dudu\Dados de aplicativos\SiteAdvisor

2008-05-24 15:26 --------- d-----w C:\Arquivos de programas\SiteAdvisor

2008-05-18 05:35 --------- d-----w C:\Arquivos de programas\Allok RM RMVB to AVI MPEG DVD Converter

2008-05-07 05:11 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 07:14 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-04-13 22:37 1,804 ----a-w C:\WINDOWS\system32\dcache.bin

2008-04-13 22:24 332,800 ----a-w C:\WINDOWS\system32\netsetup.exe

2008-04-13 22:20 995,328 ----a-w C:\WINDOWS\system32\setupapi.dll

2008-04-13 22:19 763,392 ----a-w C:\WINDOWS\system32\winntbbu.dll

2008-04-13 22:19 57,375 ----a-w C:\WINDOWS\system32\odbcji32.dll

2008-04-13 22:19 5,632 ----a-w C:\WINDOWS\system32\wmi.dll

2008-04-13 22:19 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll

2008-04-13 22:00 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll

2008-04-13 22:00 2,149,376 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-04-13 22:00 2,028,032 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-04-13 21:58 86,016 ----a-w C:\WINDOWS\system32\msxml6r.dll

2008-04-13 21:57 80,896 ------w C:\WINDOWS\system32\msshavmsg.dll

2008-04-13 21:56 563,712 ----a-w C:\WINDOWS\system32\shdoclc.dll

2008-04-13 21:56 49,664 ----a-w C:\WINDOWS\system32\inetres.dll

2008-04-13 21:54 10,240 ----a-w C:\WINDOWS\system32\gpkrsrc.dll

2008-04-13 21:54 1,845,760 ----a-w C:\WINDOWS\system32\win32k.sys

2008-04-13 21:53 67,584 ----a-w C:\WINDOWS\system32\browselc.dll

2008-04-13 14:45 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys

2008-04-13 14:43 9,728 ------w C:\WINDOWS\system32\comsdupd.exe

2008-04-13 14:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe

2008-04-13 14:40 444,928 ----a-w C:\WINDOWS\system32\xpob2res.dll

2008-04-13 14:35 2,945,536 ----a-w C:\WINDOWS\system32\xpsp2res.dll

2008-04-13 14:35 192,512 ----a-w C:\WINDOWS\system32\xpsp1res.dll

2008-04-13 14:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll

2008-04-13 14:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll

2008-04-13 13:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll

2008-04-13 13:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll

2008-04-13 13:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll

2008-04-13 13:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll

2008-04-13 13:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll

2008-04-13 12:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll

2008-04-13 12:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll

2008-04-13 12:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll

2008-04-13 11:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:20 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-05-19 22:11 925696]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2006-09-01 15:57 282624]

"DT Task"="C:\Arquivos de programas\Portrait Displays\forteManager\DTHtml.exe" [2006-04-21 10:53 280576]

"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [2007-05-14 19:22 35328]

"SiteAdvisor"="C:\Arquivos de programas\SiteAdvisor\6261\SiteAdv.exe" [2007-03-05 16:10 36904]

"McAfee Backup"="C:\Arquivos de programas\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-25 06:34 4838952]

"MBkLogOnHook"="C:\Arquivos de programas\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]

"mcagent_exe"="C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 19:20 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= "C:\Arquivos de programas\Scpad\scpLIB.dll" [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\EA GAMES\\Battlefield 2\\BF2.exe"=

"C:\\Arquivos de programas\\GameSpy Arcade\\Aphex.exe"=

"C:\\Arquivos de programas\\Arquivos comuns\\McAfee\\MNA\\McNASvc.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10ef6942-e609-11db-a08e-0017317471df}]

\Shell\AutoRun\command - F:\8uot.exe

\Shell\explore\Command - F:\8uot.exe

\Shell\open\Command - F:\8uot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{558c8abf-cb7c-11db-ac54-806d6172696f}]

\Shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79cfa0e6-ec10-11db-a09d-0017317471df}]

\Shell\AutoRun\command - F:\8uot.exe

\Shell\explore\Command - F:\8uot.exe

\Shell\open\Command - F:\8uot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9846afac-cf40-11db-a04e-0017317471df}]

\Shell\AutoRun\command - F:\cm0.com

\Shell\explore\Command - F:\cm0.com

\Shell\open\Command - F:\cm0.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c13ac49a-5288-11dc-a732-0017317471df}]

\Shell\AutoRun\command - F:\93vx0c.com

\Shell\explore\Command - F:\93vx0c.com

\Shell\open\Command - F:\93vx0c.com

*Newly Created Service* - CATCHME

.

Conteúdo da pasta 'Tarefas Agendadas'

"2007-12-15 04:19:32 C:\WINDOWS\Tasks\McDefragTask.job"

- c:\arquivos de programas\mcafee\mqc\QcConsol.exe'

"2008-02-01 04:00:06 C:\WINDOWS\Tasks\McQcTask.job"

- c:\arquivos de programas\mcafee\mqc\QcConsol.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-09 03:58:37

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

McAfee Backup = C:\Arquivos de programas\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-07-09 4:00:50

ComboFix-quarantined-files.txt 2008-07-09 07:00:25

Pre-Run: 170,185,457,664 bytes disponíveis

Post-Run: 170,259,337,216 bytes disponíveis

181 --- E O F --- 2008-07-09 06:37:31


You had not been asked to use ComboFix.

-----------

Go to the Microsoft site -> http://support.microsoft.com/kb/310994

Select the appropriate download for your operating system:

[image: crecuperacaorz4.jpg]

Download the file and save it to your desktop.

[image: rc1.gif]

Now close all your open programs, including antivirus and anti-malware programs, so that they do not interfere with ComboFix while it runs.

  • Drag the setup file downloaded from the Microsoft site onto ComboFix.exe, as shown in the figure above.
  • Follow the on-screen messages to start ComboFix, and accept the Microsoft license agreement to install the "Microsoft Recovery Console".
  • At the next message, click "YES" to run a full scan with ComboFix.
    [image: RC_whatnext.gif]
  • When the tool finishes, a log will appear.

In your next reply, post the contents of the file C:\ComboFix.txt together with a new HijackThis log.


As requested, below is the log of that operation.

____________________________________

ComboFix 08-07-08.5 - Dudu 2008-07-15 22:42:45.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1452 [GMT -3:00]

Executando de: C:\Documents and Settings\Dudu\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Dudu\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

* Criado um novo ponto de restauro

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\WINDOWS\system32\kavo.exe

C:\WINDOWS\system32\kavo0.dll

C:\WINDOWS\system32\kavo1.dll

C:\WINDOWS\system32\tavo.exe

C:\WINDOWS\system32\tavo0.dll

C:\WINDOWS\system32\tavo1.dll

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-16 to 2008-07-16 ))))))))))))))))))))))))))))))))

.

2008-07-15 14:18 . 2008-07-15 21:46 116,862 -r-hs---- C:\k.com

2008-07-14 08:42 . 2008-07-14 08:42 77,312 -r-hs---- C:\WINDOWS\system32\ckvo2.dll

2008-07-14 08:13 . 2008-07-14 22:49 118,512 -r-hs---- C:\fi.cmd

2008-07-13 20:31 . 2001-09-05 23:27 18,176 --a------ C:\WINDOWS\system32\drivers\sermouse.sys

2008-07-13 20:31 . 2001-09-05 23:27 18,176 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys

2008-07-11 14:08 . 2008-07-13 23:47 116,972 -r-hs---- C:\ffojc.com

2008-07-11 09:27 . 2008-07-11 09:52 117,053 -r-hs---- C:\0gjn3yw.exe

2008-07-11 09:27 . 2008-07-15 21:46 116,862 -r-hs---- C:\WINDOWS\system32\ckvo.exe

2008-07-11 09:27 . 2008-07-15 21:17 77,312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll

2008-07-11 09:27 . 2008-07-15 21:46 77,312 -r-hs---- C:\WINDOWS\system32\ckvo0.dll

2008-07-11 08:57 . 2008-07-15 21:16 133,133 -r-hs---- C:\nqgcd.com

2008-07-09 15:10 . 2008-05-09 07:55 512,000 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll

2008-07-09 15:10 . 2008-05-09 07:55 430,080 -----c--- C:\WINDOWS\system32\dllcache\vbscript.dll

2008-07-09 15:10 . 2008-05-09 07:55 180,224 -----c--- C:\WINDOWS\system32\dllcache\scrobj.dll

2008-07-09 15:10 . 2008-05-09 07:55 172,032 -----c--- C:\WINDOWS\system32\dllcache\scrrun.dll

2008-07-09 15:10 . 2008-05-08 08:24 155,648 -----c--- C:\WINDOWS\system32\dllcache\wscript.exe

2008-07-09 15:10 . 2008-05-09 05:45 135,168 -----c--- C:\WINDOWS\system32\dllcache\cscript.exe

2008-07-09 15:10 . 2008-05-09 07:55 90,112 -----c--- C:\WINDOWS\system32\dllcache\wshext.dll

2008-07-09 03:48 . 2008-07-09 03:48 19 --a------ C:\WINDOWS\SoundConverter.INI

2008-07-09 03:24 . 2008-07-09 03:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-07-09 03:19 . 2006-12-28 12:01 19,569 --a------ C:\WINDOWS\002862_.tmp

2008-07-04 20:48 . 2008-07-04 20:48 128,473 -r-hs---- C:\8uot.exe

2008-07-03 10:39 . 2008-07-03 18:15 129,013 -r-hs---- C:\cm0.com

2008-06-28 13:33 . 2008-06-28 18:35 125,010 -r-hs---- C:\feav9a2.cmd

2008-06-21 14:17 . 2008-06-28 14:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-06-21 14:17 . 2008-06-21 14:17 1,409 --a------ C:\WINDOWS\QTFont.for

2008-06-20 14:48 . 2008-06-20 14:48 247,808 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 14:48 . 2008-06-20 14:48 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 08:51 . 2008-06-20 08:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 08:40 . 2008-06-20 08:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 08:08 . 2008-06-20 08:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-16 01:38 --------- d-----w C:\Arquivos de programas\FlashGet

2008-07-16 00:54 --------- d-----w C:\Arquivos de programas\eMule

2008-07-16 00:16 --------- d-----w C:\Arquivos de programas\McAfee

2008-07-09 06:49 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-07-09 06:49 --------- d-----w C:\Arquivos de programas\Nokia

2008-07-09 06:30 96,384 ----a-w C:\WINDOWS\system32\drivers\sptd7405.sys

2008-06-22 20:53 --------- d-----w C:\Documents and Settings\Dudu\Dados de aplicativos\Autodesk

2008-06-22 20:53 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Autodesk

2008-06-20 17:48 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-19 01:50 124,409 --sh--r C:\f.bat

2008-06-14 17:34 272,384 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 01:41 --------- d-----w C:\Arquivos de programas\Trend Micro

2008-06-05 21:15 --------- d-----w C:\Documents and Settings\Dudu\Dados de aplicativos\SiteAdvisor

2008-05-24 15:26 --------- d-----w C:\Arquivos de programas\SiteAdvisor

2008-05-18 05:35 --------- d-----w C:\Arquivos de programas\Allok RM RMVB to AVI MPEG DVD Converter

2008-05-09 10:55 90,112 ----a-w C:\WINDOWS\system32\wshext.dll

2008-05-09 10:55 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll

2008-05-09 10:55 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll

2008-05-09 10:55 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll

2008-05-09 08:45 135,168 ----a-w C:\WINDOWS\system32\cscript.exe

2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe

2008-05-07 05:11 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 07:14 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

((((((((((((((((((((((((((((( snapshot@2008-07-09_ 4.00.10,90 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-07-09 06:39:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-07-16 00:16:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat

- 2008-07-09 06:31:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

+ 2008-07-16 00:24:28 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

- 2008-07-09 06:31:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

+ 2008-07-16 00:24:28 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

- 2008-07-09 06:31:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2008-07-16 00:24:28 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2008-04-13 22:20:30 512,000 ----a-w C:\WINDOWS\system32\jscript.dll

+ 2008-05-09 10:55:05 512,000 ----a-w C:\WINDOWS\system32\jscript.dll

- 2008-07-09 06:44:08 64,372 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-07-09 18:10:18 64,372 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-07-09 06:44:08 73,122 ----a-w C:\WINDOWS\system32\perfc016.dat

+ 2008-07-09 18:10:18 73,122 ----a-w C:\WINDOWS\system32\perfc016.dat

- 2008-07-09 06:44:08 409,232 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-07-09 18:10:18 409,232 ----a-w C:\WINDOWS\system32\perfh009.dat

- 2008-07-09 06:44:08 442,018 ----a-w C:\WINDOWS\system32\perfh016.dat

+ 2008-07-09 18:10:18 442,018 ----a-w C:\WINDOWS\system32\perfh016.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:20 15360]

"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [2008-07-15 21:46 116862]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-05-19 22:11 925696]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2006-09-01 15:57 282624]

"DT Task"="C:\Arquivos de programas\Portrait Displays\forteManager\DTHtml.exe" [2006-04-21 10:53 280576]

"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [2007-05-14 19:22 35328]

"SiteAdvisor"="C:\Arquivos de programas\SiteAdvisor\6261\SiteAdv.exe" [2007-03-05 16:10 36904]

"McAfee Backup"="C:\Arquivos de programas\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-25 06:34 4838952]

"MBkLogOnHook"="C:\Arquivos de programas\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]

"mcagent_exe"="C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 19:20 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= "C:\Arquivos de programas\Scpad\scpLIB.dll" [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\EA GAMES\\Battlefield 2\\BF2.exe"=

"C:\\Arquivos de programas\\GameSpy Arcade\\Aphex.exe"=

"C:\\Arquivos de programas\\Arquivos comuns\\McAfee\\MNA\\McNASvc.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10ef6942-e609-11db-a08e-0017317471df}]

\Shell\AutoRun\command - F:\8uot.exe

\Shell\explore\Command - F:\8uot.exe

\Shell\open\Command - F:\8uot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{558c8abf-cb7c-11db-ac54-806d6172696f}]

\Shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9846afac-cf40-11db-a04e-0017317471df}]

\Shell\AutoRun\command - F:\cm0.com

\Shell\explore\Command - F:\cm0.com

\Shell\open\Command - F:\cm0.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c13ac49a-5288-11dc-a732-0017317471df}]

\Shell\AutoRun\command - F:\93vx0c.com

\Shell\explore\Command - F:\93vx0c.com

\Shell\open\Command - F:\93vx0c.com

.

Conteúdo da pasta 'Tarefas Agendadas'

"2007-12-15 04:19:32 C:\WINDOWS\Tasks\McDefragTask.job"

- c:\arquivos de programas\mcafee\mqc\QcConsol.exe'

"2008-02-01 04:00:06 C:\WINDOWS\Tasks\McQcTask.job"

- c:\arquivos de programas\mcafee\mqc\QcConsol.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-15 22:44:17

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

McAfee Backup = C:\Arquivos de programas\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-07-15 22:45:35

ComboFix-quarantined-files.txt 2008-07-16 01:45:30

ComboFix2.txt 2008-07-09 07:00:51

Pre-Run: 169,498,251,264 bytes disponíveis

Post-Run: 169,510,510,592 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

192 --- E O F --- 2008-07-09 19:07:08


Hello,

* Resident AV is active

Please read what I wrote CAREFULLY:

Now close all your open programs, including antivirus and anti-malware programs, so that they do not interfere with ComboFix while it runs.

Temporarily disable your antivirus and any other security software, such as firewall, antispyware, etc.

Open Notepad, copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Quote":

File::

C:\k.com
C:\WINDOWS\system32\ckvo2.dll
C:\fi.cmd
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\ckvo0.dll
C:\nqgcd.com
C:\WINDOWS\002862_.tmp
C:\8uot.exe
C:\cm0.com
C:\feav9a2.cmd
C:\f.bat

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kamsoft"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10ef6942-e609-11db-a08e-0017317471df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{558c8abf-cb7c-11db-ac54-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9846afac-cf40-11db-a04e-0017317471df}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c13ac49a-5288-11dc-a732-0017317471df}]

  • Save this file as: CFScript.txt
    [image: cfscriptuq2.gif]
  • As shown in the picture above, drag the CFScript.txt file onto ComboFix.exe.
  • When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.
  • Also make a new HijackThis log to include in your reply.

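The CFScript above was written by reading the ComboFix log by hand. The following triage script is an added example, not code from this thread, from ComboFix or from the helper: it parses ComboFix-format lines (a constructed sample modelled on the logs posted above), flags hidden+system files dropped in the drive root or in system32, cross-references those files against the Run keys, lists every MountPoints2 autorun command, and emits the same File::/Registry:: layout the helper used. The function names and the boot-file allowlist are assumptions of this example.

```python
"""Triage a ComboFix log into a draft CFScript (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's format, modelled on the logs posted in this thread.
# The boot.ini line is made up to show the allowlist; it is not from the original logs.
SAMPLE_LOG = r"""
2008-07-15 14:18 . 2008-07-15 21:46 116,862 -r-hs---- C:\k.com
2008-07-14 08:42 . 2008-07-14 08:42 77,312 -r-hs---- C:\WINDOWS\system32\ckvo2.dll
2008-07-13 20:31 . 2001-09-05 23:27 18,176 --a------ C:\WINDOWS\system32\drivers\sermouse.sys
2008-07-11 09:27 . 2008-07-15 21:46 116,862 -r-hs---- C:\WINDOWS\system32\ckvo.exe
2008-06-21 14:17 . 2008-06-28 14:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-10 17:36 . 2008-06-10 17:36 211 -r-hs---- C:\boot.ini
2008-06-19 01:50 124,409 --sh--r C:\f.bat
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:20 15360]
"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [2008-07-15 21:46 116862]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10ef6942-e609-11db-a08e-0017317471df}]
\Shell\AutoRun\command - F:\8uot.exe
\Shell\open\Command - F:\8uot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{558c8abf-cb7c-11db-ac54-806d6172696f}]
\Shell\AutoRun\command - I:\setup.exe
"""

# Boot files that legitimately carry hidden+system attributes in the drive root (assumed list).
KNOWN_ROOT_FILES = {"boot.ini", "ntldr", "ntdetect.com", "bootfont.bin", "pagefile.sys",
                    "hiberfil.sys", "io.sys", "msdos.sys", "config.sys", "autoexec.bat"}

# "Files created" lines carry two timestamps and 9-char attributes; Find3M lines carry one
# timestamp and 7-char attributes. Directories show "<DIR>" or dashes in the size column.
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})? "
                     r"(?:[\d,]+|<DIR>|-+) ([-a-z]{7,9}) ([A-Z]:\\.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
AUTORUN_RE = re.compile(r"^\\Shell\\(?:AutoRun|open|explore)\\command - (.+)$", re.I)


@dataclass
class Triage:
    files: List[str] = field(default_factory=list)
    run_entries: List[Tuple[str, str, str]] = field(default_factory=list)  # (key, name, image)
    mountpoints: Dict[str, List[str]] = field(default_factory=dict)         # key -> commands


def is_dropped_file(attrs: str, path: str) -> bool:
    """Hidden+system file sitting directly in the drive root or in system32, not a boot file."""
    if attrs.startswith("d") or "h" not in attrs or "s" not in attrs:
        return False
    parent, _, name = path.rpartition("\\")
    if name.lower() in KNOWN_ROOT_FILES:
        return False
    return re.fullmatch(r"[A-Z]:", parent) is not None or parent.lower().endswith("\\windows\\system32")


def triage(log: str) -> Triage:
    t = Triage()
    current_key = ""
    for line in log.splitlines():
        line = line.strip()
        if (m := FILE_RE.match(line)):
            attrs, path = m.groups()
            if is_dropped_file(attrs, path):
                t.files.append(path)
        elif (m := KEY_RE.match(line)):
            current_key = m.group(1)
        elif (m := VALUE_RE.match(line)) and current_key.lower().endswith("\\run"):
            t.run_entries.append((current_key, m.group(1), m.group(2)))
        elif (m := AUTORUN_RE.match(line)) and "mountpoints2" in current_key.lower():
            t.mountpoints.setdefault(current_key, []).append(m.group(1))
    return t


def suspicious_run_entries(t: Triage) -> List[Tuple[str, str]]:
    """Run values whose image is one of the dropped files (e.g. "kamsoft" -> ckvo.exe)."""
    flagged = {p.lower() for p in t.files}
    return [(key, name) for key, name, image in t.run_entries if image.lower() in flagged]


def build_cfscript(t: Triage) -> str:
    """Draft CFScript in the File::/Registry:: layout used in the thread. Every
    MountPoints2 autorun key is listed for removal, as the helper did above; review
    them, since a CD's setup.exe autorun can look the same as a worm's."""
    lines = ["File::"] + t.files + ["", "Registry::"]
    for key, name in suspicious_run_entries(t):
        lines += [f"[{key}]", f'"{name}"=-']
    lines += [f"[-{key}]" for key in t.mountpoints]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```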

Renato, thanks for the help, but I can't close McAfee!!!

I ran it the same way and set the antivirus to allow that process!!!

I'm sending you the log from after doing what you asked!!!

Cheers!!!

________________________________________________________________________

ComboFix 08-07-19.1 - Dudu 2008-07-20 15:24:56.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1531 [GMT -3:00]

Executando de: C:\Documents and Settings\Dudu\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Dudu\Desktop\CFScript.txt

* Criado um novo ponto de restauro

* Resident AV is active

FILE ::

C:\8uot.exe

C:\cm0.com

C:\f.bat

C:\feav9a2.cmd

C:\fi.cmd

C:\k.com

C:\nqgcd.com

C:\WINDOWS\002862_.tmp

C:\WINDOWS\system32\ckvo.exe

C:\WINDOWS\system32\ckvo0.dll

C:\WINDOWS\system32\ckvo1.dll

C:\WINDOWS\system32\ckvo2.dll

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\autorun.inf

C:\f.bat

C:\fi.cmd

C:\k.com

C:\nqgcd.com

C:\WINDOWS\002862_.tmp

C:\WINDOWS\system32\ckvo.exe

C:\WINDOWS\system32\ckvo0.dll

C:\WINDOWS\system32\ckvo1.dll

C:\WINDOWS\system32\ckvo2.dll

.

((((((((((((((((((((((( Ficheiros criados de 2008-06-20 to 2008-07-20 ))))))))))))))))))))))))))))))))

.

2008-07-18 15:54 . 2008-07-20 15:06 117,009 -r-hs---- C:\ybj8df.exe

2008-07-17 09:35 . 2008-07-18 08:49 117,757 -r-hs---- C:\ivcvknr.bat

2008-07-16 22:21 . 2008-07-16 22:20 115,233 -r-hs---- C:\p83gjy.exe

2008-07-16 12:42 . 2008-07-16 12:41 117,001 -r-hs---- C:\33gmhso.bat

2008-07-13 20:31 . 2001-09-05 23:27 18,176 --a------ C:\WINDOWS\system32\drivers\sermouse.sys

2008-07-13 20:31 . 2001-09-05 23:27 18,176 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys

2008-07-09 15:10 . 2008-05-09 07:55 512,000 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll

2008-07-09 15:10 . 2008-05-09 07:55 430,080 -----c--- C:\WINDOWS\system32\dllcache\vbscript.dll

2008-07-09 15:10 . 2008-05-09 07:55 180,224 -----c--- C:\WINDOWS\system32\dllcache\scrobj.dll

2008-07-09 15:10 . 2008-05-09 07:55 172,032 -----c--- C:\WINDOWS\system32\dllcache\scrrun.dll

2008-07-09 15:10 . 2008-05-08 08:24 155,648 -----c--- C:\WINDOWS\system32\dllcache\wscript.exe

2008-07-09 15:10 . 2008-05-09 05:45 135,168 -----c--- C:\WINDOWS\system32\dllcache\cscript.exe

2008-07-09 15:10 . 2008-05-09 07:55 90,112 -----c--- C:\WINDOWS\system32\dllcache\wshext.dll

2008-07-09 03:48 . 2008-07-09 03:48 19 --a------ C:\WINDOWS\SoundConverter.INI

2008-07-09 03:24 . 2008-07-09 03:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles

2008-06-21 14:17 . 2008-06-28 14:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-06-21 14:17 . 2008-06-21 14:17 1,409 --a------ C:\WINDOWS\QTFont.for

2008-06-20 14:48 . 2008-06-20 14:48 247,808 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 14:48 . 2008-06-20 14:48 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 08:51 . 2008-06-20 08:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 08:40 . 2008-06-20 08:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 08:08 . 2008-06-20 08:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-18 18:53 --------- d-----w C:\Arquivos de programas\McAfee

2008-07-16 07:55 --------- d-----w C:\Arquivos de programas\eMule

2008-07-16 01:58 --------- d-----w C:\Arquivos de programas\FlashGet

2008-07-09 06:49 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-07-09 06:49 --------- d-----w C:\Arquivos de programas\Nokia

2008-07-09 06:30 96,384 ----a-w C:\WINDOWS\system32\drivers\sptd7405.sys

2008-06-22 20:53 --------- d-----w C:\Documents and Settings\Dudu\Dados de aplicativos\Autodesk

2008-06-22 20:53 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Autodesk

2008-06-20 17:48 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-14 17:34 272,384 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-11 01:41 --------- d-----w C:\Arquivos de programas\Trend Micro

2008-06-05 21:15 --------- d-----w C:\Documents and Settings\Dudu\Dados de aplicativos\SiteAdvisor

2008-05-24 15:26 --------- d-----w C:\Arquivos de programas\SiteAdvisor

2008-05-09 10:55 90,112 ----a-w C:\WINDOWS\system32\wshext.dll

2008-05-09 10:55 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll

2008-05-09 10:55 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll

2008-05-09 10:55 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll

2008-05-09 08:45 135,168 ----a-w C:\WINDOWS\system32\cscript.exe

2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe

2008-05-07 05:11 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 07:14 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

((((((((((((((((((((((((((((( snapshot@2008-07-09_ 4.00.10,90 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-07-09 06:31:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

+ 2008-07-20 18:11:34 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat

- 2008-07-09 06:31:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

+ 2008-07-20 18:11:34 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat

- 2008-07-09 06:31:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2008-07-20 18:11:34 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2008-04-13 22:20:30 512,000 ----a-w C:\WINDOWS\system32\jscript.dll

+ 2008-05-09 10:55:05 512,000 ----a-w C:\WINDOWS\system32\jscript.dll

- 2008-07-09 06:44:08 64,372 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-07-09 18:10:18 64,372 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-07-09 06:44:08 73,122 ----a-w C:\WINDOWS\system32\perfc016.dat

+ 2008-07-09 18:10:18 73,122 ----a-w C:\WINDOWS\system32\perfc016.dat

- 2008-07-09 06:44:08 409,232 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-07-09 18:10:18 409,232 ----a-w C:\WINDOWS\system32\perfh009.dat

- 2008-07-09 06:44:08 442,018 ----a-w C:\WINDOWS\system32\perfh016.dat

+ 2008-07-09 18:10:18 442,018 ----a-w C:\WINDOWS\system32\perfh016.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:20 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-05-19 22:11 925696]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2006-09-01 15:57 282624]

"DT Task"="C:\Arquivos de programas\Portrait Displays\forteManager\DTHtml.exe" [2006-04-21 10:53 280576]

"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [2007-05-14 19:22 35328]

"SiteAdvisor"="C:\Arquivos de programas\SiteAdvisor\6261\SiteAdv.exe" [2007-03-05 16:10 36904]

"McAfee Backup"="C:\Arquivos de programas\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-25 06:34 4838952]

"MBkLogOnHook"="C:\Arquivos de programas\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]

"mcagent_exe"="C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"= "C:\Arquivos de programas\Scpad\scpLIB.dll" [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=

"C:\\Arquivos de programas\\eMule\\emule.exe"=

"C:\\Arquivos de programas\\EA GAMES\\Battlefield 2\\BF2.exe"=

"C:\\Arquivos de programas\\GameSpy Arcade\\Aphex.exe"=

"C:\\Arquivos de programas\\Arquivos comuns\\McAfee\\MNA\\McNASvc.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79cfa0e6-ec10-11db-a09d-0017317471df}]

\Shell\AutoRun\command - F:\nqgcd.com

\Shell\explore\Command - F:\p83gjy.exe

\Shell\open\Command - F:\

.

Conteúdo da pasta 'Tarefas Agendadas'

"2007-12-15 04:19:32 C:\WINDOWS\Tasks\McDefragTask.job"

- c:\arquivos de programas\mcafee\mqc\QcConsol.exe'

"2008-02-01 04:00:06 C:\WINDOWS\Tasks\McQcTask.job"

- c:\arquivos de programas\mcafee\mqc\QcConsol.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-20 15:27:08

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

McAfee Backup = C:\Arquivos de programas\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

Tempo para conclusão: 2008-07-20 15:28:39

ComboFix-quarantined-files.txt 2008-07-20 18:28:00

ComboFix2.txt 2008-07-16 01:45:35

ComboFix3.txt 2008-07-09 07:00:51

Pre-Run: 22 pasta(s) 166,511,992,832 bytes disponíveis

Post-Run: 23 pasta(s) 166,530,150,400 bytes disponíveis

176 --- E O F --- 2008-07-09 19:07:08


Connect any removable media you use, such as pen drives, MP3 players, MP4 players, etc.

Temporarily disable your antivirus and any other security software, such as firewall, antispyware, etc.

Open Notepad, then copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Quote":

File::

C:\ybj8df.exe
C:\ivcvknr.bat
C:\p83gjy.exe
C:\33gmhso.bat
F:\nqgcd.com
F:\p83gjy.exe

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79cfa0e6-ec10-11db-a09d-0017317471df}]

  • Save this file as: CFScript.txt
    cfscriptuq2.gif
  • As shown in the image above, drag the CFScript.txt file onto ComboFix.exe
  • When the tool finishes running, it will generate a log. Post that file, C:\ComboFix.txt.
  • Also make a new HijackThis log to include in your reply.
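As an added example, not from this thread or from ComboFix itself: a Python script that reads the two parts of the log the helper worked from (the "created files" listing and the mountpoints2 block), flags hidden/system executables dropped in a drive root and AutoRun verbs that launch a file, and renders the findings in the File::/Registry:: layout used above. The sample input is copied from the log posted earlier in the thread; the regular expressions assume that exact line layout.

```python
import re

# Lines copied from the ComboFix log earlier in this thread (the "created files"
# listing and the mountpoints2 block); nothing else is used as input.
SAMPLE_LOG = r"""2008-07-18 15:54 . 2008-07-20 15:06 117,009 -r-hs---- C:\ybj8df.exe
2008-07-17 09:35 . 2008-07-18 08:49 117,757 -r-hs---- C:\ivcvknr.bat
2008-07-13 20:31 . 2001-09-05 23:27 18,176 --a------ C:\WINDOWS\system32\drivers\sermouse.sys
2008-07-09 03:24 . 2008-07-09 03:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79cfa0e6-ec10-11db-a09d-0017317471df}]
\Shell\AutoRun\command - F:\nqgcd.com
\Shell\explore\Command - F:\p83gjy.exe
\Shell\open\Command - F:\
"""

# "created files" line: date time . date time size attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?:[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$")
MOUNT_KEY = re.compile(r"^\[(?P<key>.*\\mountpoints2\\\{[^}]+\})\]$", re.IGNORECASE)
SHELL_CMD = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$", re.IGNORECASE)
RUNNABLE = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)


def suspicious_root_files(log):
    """Hidden+system executables or scripts sitting in a drive root: the Kavo dropper pattern."""
    hits = []
    for line in log.splitlines():
        if not (m := FILE_LINE.match(line)):
            continue
        attrs, path = m.group("attrs"), m.group("path")
        in_root = re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None
        if in_root and "h" in attrs and "s" in attrs and RUNNABLE.search(path):
            hits.append(path)
    return hits


def autorun_hijacks(log):
    """(registry key, verb, target) for each mountpoints2 shell verb that launches a file."""
    hits, key = [], None
    for line in log.splitlines():
        if k := MOUNT_KEY.match(line):
            key = k.group("key")  # remember which drive's mountpoints2 key we are in
        elif key and (c := SHELL_CMD.match(line)) and RUNNABLE.search(c.group("target")):
            hits.append((key, c.group("verb").lower(), c.group("target")))
    return hits


def build_cfscript(files, keys):
    """Render the File::/Registry:: layout used in this thread; '[-KEY]' deletes the key."""
    lines = ["File::", *files, "", "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(lines) + "\n"
```

Review the generated script before use: the helper in this thread also cross-checks the log against the HijackThis listing before deciding which files and keys to remove.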
