Panicguy

Rootkit: I already formatted and it showed up again!


I formatted the PC after being hacked in a game, and I got hacked again. Nobody has my password, and a strange process called mssmbios.exe showed up in the task manager... here are the logs that are required...

DDS Log

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Eduardo at 12:07:50 on 2012-04-04

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.55.1046.18.2935.1998 [GMT -3:00]

.

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\Dwm.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe

C:\Windows\system32\igfxsrvc.exe

C:\Users\Eduardo\AppData\Roaming\Microsoft\Windows\Templates\typeperf.exe

C:\Users\Eduardo\AppData\Local\Temp\mssmbios.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wuauclt.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [Microsoft® Windows® Operating System] c:\users\eduardo\appdata\roaming\microsoft\windows\templates\typeperf.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [PlusService] c:\program files\yuna software\messenger plus!\PlusService.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

LSP: %SystemRoot%\system32\PrxerDrv.dll

TCP: DhcpNameServer = 201.6.2.40 201.6.2.160

TCP: Interfaces\{F92EDE60-1A93-46BD-9B6F-EE1BC378549A} : DhcpNameServer = 201.6.2.40 201.6.2.160

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\eduardo\appdata\roaming\mozilla\firefox\profiles\vm81d1b6.default\

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\eduardo\appdata\roaming\mozilla\firefox\profiles\vm81d1b6.default\extensions\{87f8774f-b485-47e2-a755-a40a8a5e8873}\plugins\npgbfnc_uni.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-4-1 36000]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-4-1 86224]

R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-4-1 110032]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-4-1 74640]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2012-4-1 208552]

R3 IntcDAud;Áudio do vídeo Intel®;c:\windows\system32\drivers\IntcDAud.sys [2012-4-1 209920]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 253600]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-4-1 183560]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-1 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]

S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\wat\WatAdminSvc.exe [2012-4-2 1343400]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2012-04-04 14:52:59 -------- d-----w- c:\users\eduardo\Pavark

2012-04-04 14:37:09 -------- d-----w- c:\program files\CCleaner

2012-04-04 13:59:31 -------- d-----w- c:\users\eduardo\appdata\local\{6EF8BC22-341B-4E62-B99C-763C52F71420}

2012-04-04 01:58:57 -------- d-----w- c:\users\eduardo\appdata\local\{A3CC0AE7-491B-46A2-8247-D2AE3C37670D}

2012-04-04 01:58:56 -------- d-----w- c:\users\eduardo\appdata\local\{D1F6AE94-9AB3-40FC-BA76-8C6BF1782DA4}

2012-04-04 00:26:30 -------- d-----w- c:\programdata\gas

2012-04-03 18:05:15 -------- d-----w- c:\program files\Ventrilo

2012-04-03 18:04:59 -------- d-----w- c:\users\eduardo\appdata\roaming\1334

2012-04-03 18:04:58 12800 ---h--r- c:\users\eduardo\appdata\roaming\microsoft\windows\templates\typeperf.exe

2012-04-03 18:04:58 -------- d-----w- c:\program files\common files\Wise Installation Wizard

2012-04-03 15:27:15 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll

2012-04-03 15:27:12 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ffb88e05-6458-49b8-8812-eb06630ac939}\mpengine.dll

2012-04-03 11:10:54 -------- d-----w- c:\users\eduardo\appdata\local\{939EE2C8-29DE-48A6-8DA8-81EC2A7C1489}

2012-04-03 05:27:40 -------- d-----w- c:\windows\CheckSur

2012-04-02 18:10:49 -------- d-----w- c:\users\eduardo\appdata\roaming\TS3Client

2012-04-02 18:07:16 -------- d-----w- c:\program files\TeamSpeak 3 Client

2012-04-02 17:49:39 -------- d-----w- c:\users\eduardo\appdata\local\{B6F2EE6C-C7A0-4631-A40C-BEEE5998E502}

2012-04-02 17:46:31 -------- d-----w- c:\windows\system32\Wat

2012-04-02 11:24:17 257024 ----a-w- c:\windows\system32\msv1_0.dll

2012-04-02 11:15:13 190976 ----a-w- c:\windows\system32\drivers\ks.sys

2012-04-02 11:14:57 276992 ----a-w- c:\windows\system32\wcncsvc.dll

2012-04-02 11:14:42 3957616 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-02 11:14:41 3902320 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-02 06:12:59 109056 ----a-w- c:\windows\system32\t2embed.dll

2012-04-02 06:11:55 67072 ----a-w- c:\windows\system32\packager.dll

2012-04-02 06:10:54 2614784 ----a-w- c:\windows\explorer.exe

2012-04-02 06:09:59 168448 ----a-w- c:\windows\system32\srvsvc.dll

2012-04-02 06:04:30 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2012-04-02 06:04:30 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2012-04-02 06:04:30 107520 ----a-w- c:\windows\system32\cdd.dll

2012-04-02 02:36:49 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2012-04-02 02:36:49 49472 ----a-w- c:\windows\system32\netfxperf.dll

2012-04-02 02:36:49 297808 ----a-w- c:\windows\system32\mscoree.dll

2012-04-02 02:36:49 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2012-04-02 02:36:49 1130824 ----a-w- c:\windows\system32\dfshim.dll

2012-04-02 01:55:33 -------- d-----w- c:\windows\Panther

2012-04-01 22:39:15 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-01 22:39:15 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-01 22:34:23 -------- d-----w- c:\users\eduardo\appdata\roaming\Tibia

2012-04-01 22:34:14 -------- d-----w- c:\users\eduardo\appdata\roaming\Tibiacast

2012-04-01 22:32:12 -------- d-----w- c:\users\eduardo\appdata\roaming\Proxifier

2012-04-01 22:32:07 88816 ----a-w- c:\windows\system32\ProxifierShellExt.dll

2012-04-01 22:32:07 67824 ----a-w- c:\windows\system32\PrxerDrv.dll

2012-04-01 22:32:07 54000 ----a-w- c:\windows\system32\PrxerNsp.dll

2012-04-01 22:32:07 11264 ----a-w- c:\windows\system32\SPORDER.DLL

2012-04-01 22:32:06 -------- d-----w- c:\program files\Proxifier

2012-04-01 22:30:27 -------- d-----w- c:\program files\Tibiacast

2012-04-01 22:28:42 -------- d-----w- c:\program files\iBot

2012-04-01 22:25:15 -------- d-----w- c:\users\eduardo\appdata\local\{B6DDCF11-3454-4F4F-B453-28BA6F08C0C6}

2012-04-01 22:25:03 -------- d-----w- c:\users\eduardo\Tracing

2012-04-01 22:23:37 -------- d-----w- c:\programdata\Messenger Plus!

2012-04-01 22:23:31 -------- d-----w- c:\program files\Yuna Software

2012-04-01 21:36:52 172032 ----a-w- c:\windows\system32\wintrust.dll

2012-04-01 21:36:51 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-04-01 21:36:51 57856 ----a-w- c:\windows\system32\rdpwsx.dll

2012-04-01 21:36:51 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-04-01 21:36:50 826368 ----a-w- c:\windows\system32\rdpcore.dll

2012-04-01 21:36:50 24064 ----a-w- c:\windows\system32\drivers\tdtcp.sys

2012-04-01 21:36:50 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-04-01 21:36:42 132608 ----a-w- c:\windows\system32\cabview.dll

2012-04-01 21:31:04 -------- d-----w- c:\program files\Tibia

2012-04-01 21:26:56 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2012-04-01 21:26:40 -------- d-----w- c:\users\eduardo\appdata\roaming\Avira

2012-04-01 21:24:55 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-04-01 21:24:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2012-04-01 21:23:17 -------- d-----w- c:\windows\PCHEALTH

2012-04-01 21:21:58 -------- d-----w- c:\program files\Microsoft

2012-04-01 21:21:53 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2012-04-01 21:21:53 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2012-04-01 21:21:51 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2012-04-01 21:21:31 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2012-04-01 21:21:02 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2012-04-01 21:21:02 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2012-04-01 21:21:01 -------- d-----w- c:\programdata\Avira

2012-04-01 21:21:01 -------- d-----w- c:\program files\Avira

2012-04-01 21:19:17 -------- d-----w- c:\users\eduardo\appdata\local\Windows Live

2012-04-01 21:19:16 -------- d-----w- c:\program files\common files\Windows Live

2012-04-01 21:09:40 86528 ----a-w- c:\windows\system32\iesysprep.dll

2012-04-01 21:07:26 398336 ----a-w- c:\windows\system32\TVWizudlg.exe

2012-04-01 21:07:26 140288 ----a-w- c:\windows\system32\igfxtvcx.dll

2012-04-01 21:07:26 -------- d-----w- c:\windows\system32\Lang

2012-04-01 21:06:10 2796064 ----a-w- c:\windows\system32\RtkAPO.dll

2012-04-01 21:06:06 -------- d-----w- c:\program files\Realtek

2012-04-01 21:06:02 -------- d--h--w- c:\program files\Temp

2012-04-01 21:05:51 256712 ----a-r- c:\windows\system32\PROUnstl.exe

2012-04-01 21:05:25 -------- d-----w- c:\windows\system32\wbem\Performance

2012-04-01 21:05:14 72288 ----a-w- c:\windows\system32\e1kmsg.dll

2012-04-01 21:05:14 28792 ----a-w- c:\windows\system32\NicCo36.dll

2012-04-01 21:05:14 208552 ----a-w- c:\windows\system32\drivers\e1k6232.sys

2012-04-01 21:05:11 62656 ----a-w- c:\windows\system32\NicInstK.dll

2012-04-01 21:03:24 53248 ----a-r- c:\windows\system32\CSVer.dll

2012-04-01 21:03:21 -------- d-----w- C:\Intel

2012-04-01 21:02:55 -------- d-----w- c:\windows\system32\Tools

2012-04-01 21:02:47 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll

2012-04-01 21:02:47 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll

2012-04-01 21:02:47 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe

2012-04-01 21:02:47 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll

2012-04-01 21:02:47 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll

2012-04-01 21:02:47 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll

2012-04-01 21:02:47 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll

2012-04-01 21:02:47 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll

2012-03-08 21:50:28 49016 ----a-w- c:\windows\system32\sirenacm.dll

2012-03-08 21:37:20 302448 ----a-w- c:\windows\WLXPGSS.SCR

.

==================== Find3M ====================

.

2012-02-10 05:41:38 1074176 ----a-w- c:\windows\system32\DWrite.dll

2012-02-10 05:41:20 218624 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-02-10 05:41:20 161792 ----a-w- c:\windows\system32\d3d10_1.dll

2012-02-10 05:41:20 1170944 ----a-w- c:\windows\system32\d3d10warp.dll

2012-02-10 05:41:19 739840 ----a-w- c:\windows\system32\d2d1.dll

2012-02-03 04:01:58 2341376 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 12:08:08,78 ===============

ATTACH LOG

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 01/04/2012 18:01:16

System Uptime: 04/04/2012 11:54:48 (1 hours ago)

.

Motherboard: MEGAWARE | | MW-H55H-CM

Processor: Intel® Core i3 CPU 530 @ 2.93GHz | CPU 1 | 2933/133mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 466 GiB total, 441,995 GiB free.

D: is CDROM (CDFS)

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1: 01/04/2012 18:08:56 - Instalador de Módulos do Windows

RP3: 01/04/2012 18:19:36 - Windows Live Essentials

RP4: 01/04/2012 18:19:54 - Windows Update

RP5: 01/04/2012 18:20:19 - Windows Update

RP7: 01/04/2012 18:21:15 - DirectX instalado

RP9: 01/04/2012 18:21:39 - DirectX instalado

RP10: 01/04/2012 18:22:43 - WLSetup

RP11: 01/04/2012 18:36:55 - Windows Update

RP12: 01/04/2012 19:30:04 - Installed Tibiacast

RP13: 01/04/2012 23:36:36 - Windows Update

RP14: 02/04/2012 08:14:22 - Windows Update

RP15: 03/04/2012 02:23:58 - Windows Update

RP16: 03/04/2012 12:26:43 - Windows Update

RP17: 03/04/2012 13:40:46 - Installed Tibiacast

RP18: 03/04/2012 15:05:03 - Installed Ventrilo Client

RP19: 04/04/2012 03:00:10 - Windows Update

.

==== Installed Programs ======================

.

Adobe Flash Player 11 Plugin

Avira Free Antivirus

Bing Bar

CCleaner

Controle ActiveX do Windows Live Mesh para Conexões Remotas

D3DX10

Intel® Control Center

Intel® Graphics Media Accelerator Driver

Intel® Network Connections Drivers

Intel® TV Wizard

Junk Mail filter update

Mesh Runtime

Messenger Companion

Messenger Plus! 5

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Client Profile PTB Language Pack

Microsoft .NET Framework 4 Extended

Microsoft .NET Framework 4 Extended PTB Language Pack

Microsoft Application Error Reporting

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mozilla Firefox 11.0 (x86 pt-BR)

MSVCRT

Pacote de Idiomas do Microsoft .NET Framework 4 Client Profile - Português (Brasil)

Pacote de Idiomas do Microsoft .NET Framework 4 Extended - Português (Brasil)

Proxifier version 3.0

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Pacote de Idiomas do Microsoft .NET Framework 4 Client Profile - Português (Brasil) (KB2518870)

TeamSpeak 3 Client

Tibia

Tibiacast

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Ventrilo Client

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Galeria de Fotos

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WinRAR 4.11 (32-bit)

.

==== End Of File ===========================

AND LASTLY, THE GMER

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-04-04 12:26:26

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500413AS rev.JC45

Running: gmer.exe; Driver: C:\Users\Eduardo\AppData\Local\Temp\kwtiyfow.sys

---- System - GMER 1.0.15 ----

SSDT 9314B076 ZwCreateSection

SSDT 9314B080 ZwRequestWaitReplyPort

SSDT 9314B07B ZwSetContextThread

SSDT 9314B085 ZwSetSecurityObject

SSDT 9314B08A ZwSystemDebugControl

SSDT 9314B017 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C4B8A9 1 Byte [06]

.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C6B2F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

.text ntoskrnl.exe!KeRemoveQueueEx + 14B7 82C72684 4 Bytes [76, B0, 14, 93] {JBE 0xffffffffffffffb2; ADC AL, 0x93}

.text ntoskrnl.exe!KeRemoveQueueEx + 1813 82C729E0 4 Bytes [80, B0, 14, 93]

.text ntoskrnl.exe!KeRemoveQueueEx + 1857 82C72A24 4 Bytes [7B, B0, 14, 93] {JNP 0xffffffffffffffb2; ADC AL, 0x93}

.text ntoskrnl.exe!KeRemoveQueueEx + 18D3 82C72AA0 4 Bytes [85, B0, 14, 93]

.text ntoskrnl.exe!KeRemoveQueueEx + 1927 82C72AF4 4 Bytes [8A, B0, 14, 93]

.text ...

? System32\DRIVERS\avgarkt.sys O sistema não pode encontrar o caminho especificado. !

? System32\DRIVERS\AvgArCln.sys O sistema não pode encontrar o caminho especificado. !

PAGE spsys.sys!?SPRevision@@3PADA + 4F90 8FECD000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 50B3 8FECD123 629 Bytes [85, EC, 8F, FE, 05, 34, 85, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 5329 8FECD399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 538F 8FECD3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]

PAGE spsys.sys!?SPRevision@@3PADA + 543B 8FECD4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]

PAGE ...

? C:\Users\Eduardo\AppData\Local\Temp\mbr.sys O sistema não pode encontrar o arquivo especificado. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe[2396] @ C:\Windows\system32\user32.dll [KERNEL32.dll!GetProcAddress] [75D45E25] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe[2396] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75D45E25] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe[2396] @ C:\Windows\system32\advapi32.dll [KERNEL32.dll!GetProcAddress] [75D45E25] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe[2396] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75D45E25] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000044 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

PLEASE, I'M DESPERATE :(

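The indicators a log helper keys on in the post above are mechanical: a process running from AppData or Temp, a well-known Windows binary name (typeperf.exe) living outside System32, an autorun entry whose display name mimics a Windows component but points into a user profile, and the UAC policy values (EnableLUA, PromptOnSecureDesktop, ConsentPromptBehaviorAdmin) set to 0. The script below is an added example for this page, not part of the thread or of the DDS tool; the sample log is constructed from a handful of lines copied from the post, and the allow-list of System32 binaries and the rule set are illustrative assumptions, not a complete detection set.

```python
"""Triage of a DDS-style log: flag processes and autoruns launched from user-writable
paths, well-known Windows binary names living outside System32, and UAC policy values
switched off.  Added example for this thread; rules and allow-list are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Binaries that ship with Windows and normally live under %SystemRoot%\System32.
# Assumption: a small illustrative allow-list, not an exhaustive catalogue.
SYSTEM32_BINARIES = {"typeperf.exe", "svchost.exe", "lsass.exe", "conhost.exe", "wininit.exe"}

# Path fragments a standard user can write to; code launched from here deserves a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\")

# HKLM ...\Policies\System values that disable UAC prompting when set to 0.
UAC_POLICIES = {"EnableLUA", "PromptOnSecureDesktop", "ConsentPromptBehaviorAdmin"}

_PATH_RE = re.compile(r'"?([a-zA-Z]:\\[^"]*?\.exe)', re.IGNORECASE)   # first .exe path on a line
_RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
_POLICY_RE = re.compile(r"^mPolicies-system:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
_VENDOR_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files)")       # anchored at the drive root


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _basename(path: str) -> str:
    return path.split("\\")[-1].lower()


def _user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def _system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


def triage_dds(log_text: str) -> list:
    """Return one Finding per suspicious line, in log order."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("="):                   # "====== Running Processes ======"
            section = line.strip("= ").lower()
            continue
        if section.startswith("running processes"):
            m = _PATH_RE.match(line)
            if not m:
                continue
            exe = m.group(1)
            if _user_writable(exe):
                findings.append(Finding("process from user-writable path", exe))
            if _basename(exe) in SYSTEM32_BINARIES and not _system32(exe):
                findings.append(Finding("system binary name outside System32", exe))
            continue
        m = _RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            pm = _PATH_RE.search(cmd)
            exe = pm.group(1) if pm else cmd
            if _user_writable(exe):
                findings.append(Finding("autorun from user-writable path", f"[{name}] {exe}"))
            looks_like_windows = "microsoft" in name.lower() or "windows" in name.lower()
            if looks_like_windows and not _VENDOR_DIR_RE.match(exe.lower()):
                findings.append(Finding("autorun name mimics a Windows component", f"[{name}] {exe}"))
            continue
        m = _POLICY_RE.match(line)
        if m and m.group("key") in UAC_POLICIES and m.group("val") == "0":
            findings.append(Finding("uac policy disabled", f"{m.group('key')} = 0"))
    return findings


def count_by_rule(findings) -> dict:
    return dict(Counter(f.rule for f in findings))


# Constructed sample: a few lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Users\Eduardo\AppData\Roaming\Microsoft\Windows\Templates\typeperf.exe
C:\Users\Eduardo\AppData\Local\Temp\mssmbios.exe
C:\Windows\system32\conhost.exe
============== Pseudo HJT Report ===============
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Microsoft® Windows® Operating System] c:\users\eduardo\appdata\roaming\microsoft\windows\templates\typeperf.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.rule:45} {f.evidence}")
    print(count_by_rule(triage_dds(SAMPLE_DDS)))
```

On the sample the script raises eight findings: two processes from user-writable paths, one System32 binary name outside System32 (the typeperf.exe in Templates), the "Microsoft® Windows® Operating System" autorun twice (user-writable path and mimicked name), and three disabled UAC policies. Findings are leads for a human to check, not verdicts; a process in Temp can be a legitimate installer, which is exactly why the thread goes on to hash and submit the file.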

Download the Kaspersky AVP Tool from one of these 2 links:

http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/

http://dnl-us6.kaspersky-labs.com/devbuilds/AVPTool/

You will be taken to a Kaspersky page asking for an email address to register, a first name and a last name. Only the "email" field is required.

Enter your email, then click the Submit Form button.

The page will reload. Click the Download button.

Save it to your desktop.

Run the file and wait for the installation.

** Windows Vista and Windows 7 users:

Right-click the file, then click Run as administrator.

On the license agreement screen, check the option I accept the license agreement and then click the Start button. The program will appear to freeze and nothing happens. That is normal; just wait until the program's main screen appears, then click the Settings icon:

KRT_settings.png

On this screen, check the box next to:

  • My Computer
  • Local Disk (C:)

Also check any drives listed below Local Disk, if there are any. Then click the Automatic Scan tab.

KRT_install2_.png

Back on the program's main screen, click the Start scanning button.

Be patient; it takes a while.

When it finishes, if it detected anything, the program will ask you what to do.

Check the little box next to Apply to all objects and then click Skip (we only want the log).

KRT_detection_.png

While the scan runs, the main screen will show a progress bar. When it finishes, the program will show the status completed and a button that will be orange if nothing was detected and red if it found something.

If it detected something, the program will also show an alert screen warning that your system is unprotected and suggesting a Kaspersky product. Click the No, thanks button.

Back on the main screen, if something was detected, save the log. If you close the program and forget to save the log, you will have to repeat the whole scan.

To save the log, click the Reports icon (next to the "Settings" icon). In the next window, click Detected Threats, then click the floppy-disk icon to save the log.

Choose an easily accessible location and save it as log.txt.

Copy the entire contents of that text file and paste it in your next reply.

If nothing is detected, there is no need to save the log. Just post here to let me know.

To exit the program, just click the X in the top right corner.


Status: Detected (events: 9)

07/04/2012 13:15:35 Detected Trojan program Trojan.MSIL.Crypt.pcg C:\Documents and Settings\Eduardo\AppData\Roaming\Microsoft\Windows\Templates\typeperf.exe High

07/04/2012 13:17:33 Detected Trojan program Trojan.MSIL.Crypt.pcg C:\Documents and Settings\Eduardo\Dados de aplicativos\Microsoft\Windows\Templates\typeperf.exe High

07/04/2012 13:18:15 Detected Trojan program Trojan.MSIL.Crypt.pcg C:\Documents and Settings\Eduardo\Modelos\typeperf.exe High

07/04/2012 13:35:04 Detected Trojan program Trojan.MSIL.Crypt.pcg C:\Users\Eduardo\AppData\Roaming\Microsoft\Windows\Templates\typeperf.exe High

07/04/2012 13:35:07 Detected Trojan program Trojan.MSIL.Crypt.pcg C:\Users\Eduardo\Dados de aplicativos\Microsoft\Windows\Templates\typeperf.exe High

07/04/2012 13:35:09 Detected Trojan program Trojan.MSIL.Crypt.pcg C:\Users\Eduardo\Modelos\typeperf.exe High

07/04/2012 13:35:47 Detected unknown threat UDS:DangerousObject.Multi.Generic C:\Documents and Settings\Eduardo\Downloads\ventrilo-3.0.1-windows-i386.exe High

07/04/2012 13:36:21 Detected unknown threat UDS:DangerousObject.Multi.Generic C:\Users\Eduardo\Downloads\ventrilo-3.0.1-windows-i386.exe High

07/04/2012 15:40:04 Detected Trojan program Trojan.MSIL.Crypt.pcg c:\Users\Eduardo\AppData\Roaming\microsoft\Windows\templates\typeperf.exe High


Apparently it's a legitimate process, but we can find out what it is:

Configure Windows to show all files.

Go to this site: http://virustotal.com/

Under File to upload enter: C:\Documents and Settings\Eduardo\AppData\Roaming\Microsoft\Windows\Templates\typeperf.exe

Then click Submit.

Copy and post the result of this scan.


https://www.virustotal.com/file/4b0edd6adec53f2177470851bf977edbaaa4d073f7a9c10594acc20a1f3bee55/analysis/

here is the analysis, thanks for helping, I'm very happy :D

SHA256: 4b0edd6adec53f2177470851bf977edbaaa4d073f7a9c10594acc20a1f3bee55

SHA1: bc5ecc1ea6badb732d47ddbebab45f60a8f2c3bd

MD5: 08535cd39d8a5326ac3e314c83ba591e

File size: 12.5 KB ( 12800 bytes )

File name: 387B77150014C26F32CE005050DE49009A53B8C7.exe

File type: Win32 EXE

Detection ratio: 6 / 42

Analysis date: 2012-04-05 18:57:24 UTC ( 3 dias, 20 horas ago )


Antivirus Result Update

AhnLab-V3 - 20120405

AntiVir - 20120406

Antiy-AVL - 20120406

Avast - 20120406

AVG - 20120406

BitDefender - 20120406

ByteHero - 20120404

CAT-QuickHeal - 20120406

ClamAV - 20120406

Commtouch - 20120406

Comodo - 20120406

DrWeb - 20120406

Emsisoft Trojan.Msil!IK 20120406

eSafe - 20120405

eTrust-Vet - 20120406

F-Prot - 20120406

F-Secure - 20120406

Fortinet W32/Crypt.PCG!tr 20120406

GData - 20120406

Ikarus Trojan.Msil 20120406

Jiangmin - 20120331

K7AntiVirus - 20120405

Kaspersky Trojan.MSIL.Crypt.pcg 20120406

McAfee - 20120406

McAfee-GW-Edition - 20120406

Microsoft - 20120406

NOD32 MSIL/Agent.NNP 20120406

Norman - 20120405

nProtect - 20120406

Panda - 20120406

PCTools - 20120406

Rising - 20120406

Sophos - 20120406

SUPERAntiSpyware - 20120402

Symantec - 20120406

TheHacker - 20120406

TrendMicro - 20120406

TrendMicro-HouseCall - 20120406

VBA32 - 20120405

VIPRE Trojan.Win32.Generic!BT 20120406

ViRobot - 20120406

VirusBuster - 20120406

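The VirusTotal report above gives the sample's SHA-256 and size, which is enough to check other machines (or a backup image) for the same file without uploading anything. The sweep below is an added example for this page, not code from the thread or from VirusTotal; the hash and the 12800-byte size are copied from the report, everything else (the walk, the size prefilter, the error handling) is this example's own design. A hash only identifies this exact build: a recompiled or repacked copy will not match, so a miss here does not clear a suspicious file found by location.

```python
"""Sweep a directory tree for files whose SHA-256 matches a known-bad sample.
Added example for this thread; the hash and size constants are copied from the
VirusTotal report posted above, the rest is an assumption of this example."""
import hashlib
import os
from pathlib import Path

# Indicators from the VirusTotal report in the thread (the typeperf.exe sample).
KNOWN_BAD_SHA256 = {"4b0edd6adec53f2177470851bf977edbaaa4d073f7a9c10594acc20a1f3bee55"}
KNOWN_BAD_SIZES = {12800}   # bytes; usable as a cheap prefilter before hashing


def file_digests(path, chunk_size=1 << 16) -> dict:
    """Stream a file once and return its SHA-256, SHA-1, MD5 and size."""
    hashes = {"sha256": hashlib.sha256(), "sha1": hashlib.sha1(), "md5": hashlib.md5()}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            size += len(block)
            for h in hashes.values():
                h.update(block)
    out = {name: h.hexdigest() for name, h in hashes.items()}
    out["size"] = size
    return out


def sweep(root, bad_sha256=KNOWN_BAD_SHA256, sizes=None):
    """Walk `root` and return (hits, unreadable).

    hits       -- [(path, digests)] for every file whose SHA-256 is in bad_sha256
    unreadable -- paths that could not be opened (locked or permission-denied);
                  these are reported rather than silently treated as clean.
    If `sizes` is given, only files of exactly those sizes are hashed (fast triage
    with sizes=KNOWN_BAD_SIZES); sizes=None hashes everything.
    """
    hits, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if sizes is not None and p.stat().st_size not in sizes:
                    continue
                d = file_digests(p)
            except OSError:
                unreadable.append(str(p))
                continue
            if d["sha256"] in bad_sha256:
                hits.append((str(p), d))
    return hits, unreadable


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    found, skipped = sweep(start, sizes=KNOWN_BAD_SIZES)
    for path, digests in found:
        print("MATCH", path, digests["sha256"])
    for path in skipped:
        print("UNREADABLE", path)
```

Run it against a user profile (for instance the AppData tree the thread's detections came from) to get the same answer VirusTotal gave for this one sample, plus a list of files it could not read, which on a live infected system is often where the interesting file is.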

These things take time; there's no point in rushing me.

The file really is malicious; you can delete all the files flagged by the Kaspersky Removal Tool.

Once that's done, keep an eye on how the computer behaves.


so far it's normal, you can close it; if I need anything I'll send a PM,

thanks a lot and sorry for the trouble....


Congratulations, your log is clean.

From now on, stay ALERT!

To finish, do the following:

Go to Start > Run and type ComboFix /Uninstall. This will uninstall ComboFix from your machine.

Download OTC

  • Save it to your desktop.
  • Double-click the OTC icon.
  • Click the "Cleanup" button.
  • Allow your computer to restart.

I suggest you run CCleaner to clean up your machine. Download it here: CCleaner

  • Open the program and click Run Cleaner;
  • After that, click Errors >> Scan for Errors >> Fix Errors

I also suggest you read this article: Protect your PC


If the topic author needs it, the topic will be reopened; to do so, contact the moderation team and request that it be unlocked.

About Clube do Hardware

Online since 1996, Clube do Hardware is one of the largest, oldest and most respected technology publications in Brazil.
