Appearance of strange processes and the like.


  • This topic is locked
13 replies to this topic

#1 Inu


Posted 26/08/2008, 18:53

Hello everyone,
Today when I came to the computer, some strange Internet Explorer pages had opened, and every time I closed one, another opened. After that I went to Task Manager, Processes tab, and noticed some strange processes had appeared.
So I took a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:51:52, on 26/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [Smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [process] C:\WINDOWS\system32\process.exe
O4 - HKLM\..\Run: [msshell] C:\WINDOWS\system32\msshell.exe
O4 - HKLM\..\Run: [msmsn] C:\WINDOWS\system32\msmsn.exe
O4 - HKLM\..\Run: [msne] C:\WINDOWS\system32\msne.exe
O4 - HKLM\..\Run: [wscntfx] C:\WINDOWS\system32\wscntfx.exe
O4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [star1] C:\WINDOWS\system32\Winrun.exe
O4 - HKCU\..\Run: [star2] C:\WINDOWS\system32\ischot.exe
O4 - HKCU\..\Run: [star3] C:\WINDOWS\system32\Xred1.exe
O4 - HKCU\..\Run: [star4] C:\WINDOWS\system32\Zred2.exe
O4 - HKCU\..\Run: [star6] C:\WINDOWS\system32\MscheldB.exe
O4 - HKCU\..\Run: [star7] C:\WINDOWS\system32\Mscheldncx.exe
O4 - HKCU\..\Run: [star8] C:\WINDOWS\system32\svscheld.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217801760265
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E1DEDC0-6986-45D3-92F6-17A1D8ADD44B}: NameServer = 201.10.1.2 201.10.120.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C181193-DCDC-4B2A-8462-F16A3B42B204}: Domain = @
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5220 bytes
Is there anything wrong? If so, how should I proceed?
Thanks to all,

#2 William Monteiro


Posted 26/08/2008, 22:56

Man, I don't know much about logs and such, but from what I saw your machine has a few small problems. I'm not going to give you the lines that theoretically need a fix, because I had doubts while analysing the log; I'll leave that to the folks who know more..

But one thing you can and should do right away: go to Start > Run > type msconfig > there will be a Startup tab > on that tab, leave checked only the software you actually use that normally starts with Windows; if there is anything strange, disable it.

#3 Tulio de Mello


Posted 27/08/2008, 09:59

Have you already put the log into http://hjt.networktechs.com/ ?
Did anything show up?

From what I saw, the strangest ones are

Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancob...gin/GbpDist.cab

That would be a GB plugin.. which serves to kill the plug that banks install on your computer to do transactions..

#4 beto


Posted 27/08/2008, 12:26

Tulio de Mello wrote:
    Have you already put the log into http://hjt.networktechs.com/ ?
    Did anything show up?

    From what I saw, the strangest ones are

    Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
    O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancob...gin/GbpDist.cab

    That would be a GB plugin.. which serves to kill the plug that banks install on your computer to do transactions..

GbPlugin is a security plugin the bank uses.. you can even do a test by removing it, in Add or Remove Programs... then when you access the site again, it will ask to install it... :D


#5 Inu


Posted 27/08/2008, 17:37

And what about these processes:

O4 - HKCU\..\Run: [star1] C:\WINDOWS\system32\Winrun.exe
O4 - HKCU\..\Run: [star2] C:\WINDOWS\system32\ischot.exe
O4 - HKCU\..\Run: [star3] C:\WINDOWS\system32\Xred1.exe
O4 - HKCU\..\Run: [star4] C:\WINDOWS\system32\Zred2.exe
O4 - HKCU\..\Run: [star6] C:\WINDOWS\system32\MscheldB.exe
O4 - HKCU\..\Run: [star7] C:\WINDOWS\system32\Mscheldncx.exe
O4 - HKLM\..\Run: [process] C:\WINDOWS\system32\process.exe
O4 - HKLM\..\Run: [msshell] C:\WINDOWS\system32\msshell.exe
O4 - HKLM\..\Run: [msmsn] C:\WINDOWS\system32\msmsn.exe
O4 - HKLM\..\Run: [msne] C:\WINDOWS\system32\msne.exe
O4 - HKLM\..\Run: [wscntfx] C:\WINDOWS\system32\wscntfx.exe

?
I had never seen them before.
Thanks,

#6 Mr. Xerife


Posted 28/08/2008, 00:21

Hey Inu, those processes are viruses. So that I can help you, follow the procedure below.

Download ComboFix and save it to your desktop.

Close all windows and programs.
Double-click ComboFix and press "1", then Enter, to proceed with the fix. It will take about 10 minutes on average (be patient). ComboFix will restart the PC automatically to complete the removal process.

When it finishes, a log will be generated at C:\ComboFix.txt.

Attention:
Do not click on the ComboFix window, nor close it by clicking the X, while it is running; otherwise it will stop and your desktop will go blank.

To stop or exit ComboFix, press "2" and Enter.

Then generate a new log with HijackThis and post it, together with ComboFix.txt.

#7 Inu


Posted 28/08/2008, 19:01

Hello,
Here are the logs.

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:59:45, on 28/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\process.exe
C:\WINDOWS\system32\msmsn.exe
C:\WINDOWS\system32\msne.exe
C:\WINDOWS\system32\wscntfx.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [process] C:\WINDOWS\system32\process.exe
O4 - HKLM\..\Run: [msmsn] C:\WINDOWS\system32\msmsn.exe
O4 - HKLM\..\Run: [msne] C:\WINDOWS\system32\msne.exe
O4 - HKLM\..\Run: [wscntfx] C:\WINDOWS\system32\wscntfx.exe
O4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217801760265
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E1DEDC0-6986-45D3-92F6-17A1D8ADD44B}: NameServer = 201.10.1.2 201.10.120.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C181193-DCDC-4B2A-8462-F16A3B42B204}: Domain = @
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4639 bytes

Thanks,

Edited by: Inu, 28/08/2008, 19:02.


#8 Leone Fernandes

    (y)

  • Members
  • 585 posts
  • Gender: Male
  • Location: Belo Horizonte - MG

Posted 28/08/2008, 22:28

- Fix the following entries:

C:\WINDOWS\system32\msne.exe
O4 - HKLM\..\Run: [msne] C:\WINDOWS\system32\msne.exe
O4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE

- Download Malwarebytes Anti-Malware
http://www.besttechi.../mbam-setup.exe
  • Install it by double-clicking "mbam-setup.exe";
  • Check "Update Malwarebytes Anti-Malware" and "Launch Malwarebytes Anti-Malware", then click Finish;
  • Select "Full Scan" and then click Scan;
  • When the scan finishes, click OK and then "Show Results" to see the log;
  • If anything is detected, make sure everything is checked and click "Remove";
  • The log is saved automatically and can be viewed by clicking "Logs" in the main menu;
  • Copy and paste the contents of that log in your next reply.
- Generate a new HijackThis log and paste it in your reply.

Edited by: Northon, 28/08/2008, 22:37.



#9 Mr. Xerife

    12 Hours

  • Members
  • 135 posts
  • Gender: Male

Posted 28/08/2008, 22:54

I suggest you print or save the procedure below, and do not use the internet until the procedure is complete.

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

File::
C:\WINDOWS\system32\wscntfx.exe
C:\WINDOWS\system32\msshell.exe
C:\WINDOWS\system32\msmsn.exe
C:\WINDOWS\system32\process.exe
C:\WINDOWS\system32\mlfcache.dat
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"process"=-
"msmsn"=-
"msne"=-
"wscntfx"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001


This script was prepared only for this computer, according to the files and keys present on it; do not use it on another computer, as it may cause damage.

Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

[image: demonstration of dragging CFScript.txt onto ComboFix]

ComboFix will run and restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

Post it together with the new HijackThis log.
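As an added example (not code from the thread, from HijackThis or from ComboFix), the following Python script does mechanically the triage the helpers did by eye across the two posts above: it parses a HijackThis log, flags running processes and O4 Run entries that live in system32 but are not on a known-good list, and renders the File:: / Registry:: stanzas in the CFScript layout shown above. The log excerpt and the allow-list of Windows XP binaries are constructed assumptions for the demonstration.

```python
"""Flag unknown system32 autoruns in a HijackThis log and draft a CFScript.

Added example; the log excerpt and KNOWN_SYSTEM32 allow-list are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in HijackThis v2 format, abbreviated from the thread's log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\process.exe
C:\WINDOWS\system32\msmsn.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [process] C:\WINDOWS\system32\process.exe
O4 - HKLM\..\Run: [msmsn] C:\WINDOWS\system32\msmsn.exe
O4 - HKLM\..\Run: [msne] C:\WINDOWS\system32\msne.exe
O4 - HKLM\..\Run: [wscntfx] C:\WINDOWS\system32\wscntfx.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
"""

# Assumed allow-list: Windows XP binaries that legitimately run from system32
# or sit in Run keys. Anything else in system32 deserves a closer look.
KNOWN_SYSTEM32 = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "notepad.exe", "wuauclt.exe",
    "dumprep.exe", "explorer.exe",
}

ITEM_RE = re.compile(r"^(?:R\d|F\d|O\d+) - ")           # any HijackThis item line
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run(?:Once)?: "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)  # path before any args


def parse_log(text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (running process paths, O4 Run entries as hive/name/path dicts)."""
    processes: List[str] = []
    run_entries: List[Dict[str, str]] = []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if ITEM_RE.match(line):          # first R/F/O item ends the process list
            in_procs = False
        if in_procs and line:
            processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            run_entries.append({
                "hive": m.group("hive"),
                "name": m.group("name"),
                "path": exe.group("path") if exe else m.group("cmd"),
            })
    return processes, run_entries


def is_suspicious(path: str) -> bool:
    """True when the executable lives in system32 but is not a known binary."""
    folder, _, base = path.lower().rpartition("\\")
    return folder.endswith("\\system32") and base not in KNOWN_SYSTEM32


def find_suspects(text: str) -> Dict[str, List]:
    """Split a log into suspicious process paths and suspicious Run entries."""
    processes, run_entries = parse_log(text)
    return {
        "processes": [p for p in processes if is_suspicious(p)],
        "run_entries": [e for e in run_entries if is_suspicious(e["path"])],
    }


HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def build_cfscript(suspects: Dict[str, List]) -> str:
    """Render File:: and Registry:: stanzas in the CFScript layout used in the thread."""
    files = sorted(set(suspects["processes"]) | {e["path"] for e in suspects["run_entries"]},
                   key=str.lower)
    lines = ["File::"] + files + ["Registry::"]
    by_hive: Dict[str, List[str]] = {}
    for e in suspects["run_entries"]:
        root = HIVE_NAMES.get(e["hive"])
        if root is None:                 # per-SID HKUS entries are left for manual review
            continue
        by_hive.setdefault(root, []).append(e["name"])
    for root, names in by_hive.items():
        lines.append(f"[{root}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        lines.extend(f'"{n}"=-' for n in names)   # "name"=- deletes the value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_suspects(SAMPLE_LOG)))
```

The allow-list approach only narrows the list for review; a name that is absent from the allow-list is a candidate, not a verdict.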

#10 Inu

    Veteran

  • Members
  • 1138 posts
  • Gender: Male
  • Location: Canela, Rio Grande do Sul, Brasil

Posted 29/08/2008, 17:06

Hello, the logs follow below:
ComboFix:
ComboFix 08-08-28.04 - WinXP 2008-08-29 16:33:29.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1046.18.131 [GMT -3:00]
Executando de: C:\Documents and Settings\WinXP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\WinXP\Desktop\CFScript.txt
 * Criado um novo ponto de restauro
ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\msmsn.exe
C:\WINDOWS\system32\msshell.exe
C:\WINDOWS\system32\process.exe
C:\WINDOWS\system32\wscntfx.exe
.

(((((((((((((((((((((((((((((((((((((   Outras Exclusões   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\WinXP\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll
C:\WINDOWS\ponto.DLL
C:\WINDOWS\system32\MEGATRON.ini
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\msmsn.exe
C:\WINDOWS\system32\msshell.exe
C:\WINDOWS\system32\process.exe
C:\WINDOWS\system32\wscntfx.exe
.
(((((((((((((((((((((((   Ficheiros criados de 2008-07-28 to 2008-08-29  ))))))))))))))))))))))))))))))))
.

2008-08-29 12:43 . 2008-08-29 12:43	<DIR>	d---s----	C:\WINDOWS\Downloaded Program Files
2008-08-28 18:56 . 2008-08-28 18:56	<DIR>	d--------	C:\WINDOWS\system32\config\systemprofile\Configurações locais
2008-08-28 18:56 . 2008-08-28 18:56	<DIR>	d--------	C:\Documents and Settings\WinXP\Configurações locais
2008-08-28 18:56 . 2008-08-28 18:56	<DIR>	d--------	C:\Documents and Settings\NetworkService\Configurações locais
2008-08-28 18:56 . 2008-08-28 18:56	<DIR>	d--------	C:\Documents and Settings\LocalService\Configurações locais
2008-08-28 18:31 . 2008-08-28 18:07	2,970	--a------	C:\WINDOWS\system32\CONFIG.BAK
2008-08-28 18:07 . 2008-08-28 18:07	286,720	---------	C:\WINDOWS\Setup1.exe
2008-08-28 18:07 . 2008-08-28 18:07	73,216	--a------	C:\WINDOWS\ST6UNST.EXE
2008-08-28 18:06 . 2008-08-28 18:06	<DIR>	d--h-----	C:\WINDOWS\PIF
2008-08-28 17:44 . 2008-08-28 17:44	0	--a------	C:\WINDOWS\system32\yahoo
2008-08-26 18:51 . 2008-08-26 18:51	<DIR>	d--------	C:\Arquivos de programas\Trend Micro
2008-08-26 14:26 . 2008-08-26 14:26	<DIR>	d--------	C:\Documents and Settings\WinXP\Configuraes locais
2008-08-26 14:21 . 2008-08-26 14:21	<DIR>	d--------	C:\Documents and Settings\All Users\Dados de aplicativos\Adobe Systems
2008-08-26 11:05 . 2008-08-28 16:33	18	--a------	C:\WINDOWS\system32\.ork
2008-08-26 11:04 . 2008-08-27 22:00	59	--a------	C:\WINDOWS\plugin.fax
2008-08-26 11:03 . 2008-08-26 11:03	498,730	--a------	C:\WINDOWS\system32\msne.exe
2008-08-26 11:03 . 2008-08-26 11:03	8	--a------	C:\WINDOWS\control.ctr
2008-08-26 11:02 . 2008-08-26 11:02	257,578	--a------	C:\WINDOWS\system32\idmaq32.exe
2008-08-26 11:02 . 2008-08-26 11:02	16	---hs----	C:\Arquivos de programas\winmaq32.dll
2008-08-23 15:01 . 2008-08-23 15:01	<DIR>	d--------	C:\Arquivos de programas\MySQL
2008-08-23 14:54 . 2008-05-02 18:07	4,874,301	--a------	C:\WINDOWS\system32\php5ts.dll
2008-08-23 14:54 . 2008-05-02 18:07	2,076,672	--a------	C:\WINDOWS\system32\libmysql.dll
2008-08-23 14:49 . 2008-08-23 16:47	46,318	--a------	C:\WINDOWS\php.ini
2008-08-23 14:48 . 2008-08-23 14:48	<DIR>	d--------	C:\php
2008-08-23 14:46 . 2008-08-23 14:46	<DIR>	d--------	C:\Arquivos de programas\Apache Software Foundation
2008-08-20 14:41 . 2008-08-26 14:24	<DIR>	d--------	C:\Arquivos de programas\eMule
2008-08-20 14:26 . 2008-08-23 20:12	<DIR>	d--------	C:\Documents and Settings\WinXP\Dados de aplicativos\uTorrent
2008-08-20 14:26 . 2008-08-20 14:28	<DIR>	d--------	C:\Arquivos de programas\uTorrent
2008-08-18 18:27 . 2008-08-18 18:27	268	--ah-----	C:\sqmdata00.sqm
2008-08-18 18:27 . 2008-08-18 18:27	244	--ah-----	C:\sqmnoopt00.sqm
2008-08-10 13:36 . 2004-08-03 23:08	26,496	--a--c---	C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-10 04:27 . 2008-08-10 04:27	<DIR>	d--------	C:\Arquivos de programas\Opera
2008-08-07 12:37 . 2008-08-10 13:21	<DIR>	d--------	C:\Documents and Settings\WinXP\Dados de aplicativos\Winamp
2008-08-07 12:37 . 2008-08-07 12:45	<DIR>	d--------	C:\Arquivos de programas\Winamp
2008-08-07 12:25 . 2008-08-07 12:25	<DIR>	d--------	C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared
2008-08-07 12:23 . 2008-08-15 19:21	<DIR>	d--------	C:\Arquivos de programas\Arquivos comuns\Adobe
2008-08-06 20:14 . 2008-08-07 12:06	<DIR>	d--------	C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin
2008-08-06 20:07 . 2008-08-06 20:07	<DIR>	d--------	C:\WINDOWS\Sun
2008-08-05 18:21 . 2008-08-05 18:21	<DIR>	d--------	C:\Arquivos de programas\Macromedia
2008-08-05 18:21 . 2008-08-05 18:21	<DIR>	d--------	C:\Arquivos de programas\Arquivos comuns\Macromedia
2008-08-05 18:20 . 2008-08-05 18:20	<DIR>	d--------	C:\WINDOWS\Downloaded Installations
2008-08-05 18:17 . 2008-08-27 20:31	<DIR>	d--------	C:\Documents and Settings\WinXP\Dados de aplicativos\BrOffice.org2
2008-08-05 17:50 . 2008-08-05 17:50	<DIR>	d--------	C:\Arquivos de programas\BrOffice.org 2.4
2008-08-05 17:48 . 2008-06-10 02:32	73,728	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-08-05 17:47 . 2008-08-05 17:47	<DIR>	d--------	C:\Arquivos de programas\Java
2008-08-05 17:47 . 2008-08-05 17:47	<DIR>	d--------	C:\Arquivos de programas\Arquivos comuns\Java
2008-08-05 17:40 . 2002-09-30 09:38	119,798	-ra------	C:\WINDOWS\system32\drivers\SPCA561.SYS
2008-08-05 17:40 . 2004-08-04 00:45	91,136	--a------	C:\WINDOWS\system32\kswdmcap.ax
2008-08-05 17:40 . 2004-08-04 00:45	91,136	--a--c---	C:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-08-05 17:40 . 2004-08-04 00:45	61,952	--a------	C:\WINDOWS\system32\kstvtune.ax
2008-08-05 17:40 . 2004-08-04 00:45	61,952	--a--c---	C:\WINDOWS\system32\dllcache\kstvtune.ax
2008-08-05 17:40 . 2004-08-04 00:45	54,784	--a------	C:\WINDOWS\system32\vfwwdm32.dll
2008-08-05 17:40 . 2004-08-04 00:45	54,784	--a--c---	C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-08-05 17:40 . 2004-08-04 00:45	43,008	--a------	C:\WINDOWS\system32\ksxbar.ax
2008-08-05 17:40 . 2004-08-04 00:45	43,008	--a--c---	C:\WINDOWS\system32\dllcache\ksxbar.ax
2008-08-05 17:40 . 2002-09-24 03:30	14,336	-ra------	C:\WINDOWS\system32\dshow508.ax
2008-08-04 18:40 . 2004-08-03 23:01	25,856	--a------	C:\WINDOWS\system32\drivers\usbprint.sys
2008-08-04 18:40 . 2004-08-03 23:01	25,856	--a--c---	C:\WINDOWS\system32\dllcache\usbprint.sys
2008-08-04 18:32 . 2008-08-04 18:32	<DIR>	d--h-----	C:\BJPrinter
2008-08-04 18:32 . 2004-04-23 02:00	116,736	--a------	C:\WINDOWS\system32\CNMLM6e.DLL
2008-08-04 18:32 . 2004-03-11 13:06	86,016	-ra------	C:\WINDOWS\system32\CNMCP6e.exe
2008-08-04 18:32 . 2004-04-23 02:00	7,680	--a------	C:\WINDOWS\system32\CNMVS6e.DLL
2008-08-04 18:28 . 2008-08-16 18:17	<DIR>	d--------	C:\Documents and Settings\All Users\Dados de aplicativos\Messenger Plus!
2008-08-04 14:03 . 2008-08-04 14:03	<DIR>	d--------	C:\Arquivos de programas\CCleaner
2008-08-04 14:01 . 2008-08-04 14:01	<DIR>	d--------	C:\Arquivos de programas\Messenger Plus! Live
2008-08-04 13:19 . 1998-11-13 13:18	308,224	--a------	C:\WINDOWS\IsUn0416.exe
2008-08-04 13:19 . 2003-10-03 16:28	45,056	--a------	C:\WINDOWS\system32\vusetup.dll
2008-08-04 13:19 . 2003-08-04 04:29	11,392	--a------	C:\WINDOWS\system32\drivers\vulfntr.sys
2008-08-04 13:19 . 2003-08-04 04:29	6,912	--a------	C:\WINDOWS\system32\drivers\vulfnth.sys
2008-08-04 12:56 . 2008-08-04 12:56	<DIR>	d--h-----	C:\Arquivos de programas\InstallShield Installation Information
2008-08-04 12:56 . 2008-08-05 18:20	<DIR>	d--------	C:\Arquivos de programas\Arquivos comuns\InstallShield
2008-08-04 12:56 . 2008-08-04 12:56	<DIR>	d--------	C:\Arquivos de programas\Analog Devices
2008-08-04 12:55 . 2008-08-04 12:55	<DIR>	d--------	C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller
2008-08-04 12:55 . 2008-08-04 14:01	<DIR>	d--------	C:\Arquivos de programas\Windows Live
2008-08-04 12:55 . 2008-08-04 12:55	<DIR>	d--hsc---	C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2008-08-04 12:49 . 2008-08-04 12:49	<DIR>	d--------	C:\Documents and Settings\LocalService\Menu Iniciar
2008-08-04 12:39 . 2008-08-04 12:50	316,640	--a------	C:\WINDOWS\WMSysPr9.prx
2008-08-04 12:36 . 2008-08-04 12:36	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-08-04 12:32 . 2004-07-17 11:40	19,528	--a------	C:\WINDOWS\002271_.tmp
2008-08-04 12:32 . 2004-08-03 22:42	15,872	--a------	C:\WINDOWS\system32\spupdsvc.exe
2008-08-04 12:29 . 2008-08-04 12:38	<DIR>	d--------	C:\WINDOWS\EHome
2008-08-03 20:54 . 2008-08-03 20:54	<DIR>	d--------	C:\Documents and Settings\WinXP\Contacts
2008-08-03 20:27 . 2008-08-03 20:27	<DIR>	d----c---	C:\WINDOWS\system32\DRVSTORE
2008-08-03 20:27 . 2008-08-04 14:01	<DIR>	d--------	C:\Arquivos de programas\MSN Messenger
2008-08-03 19:48 . 2008-08-03 19:48	<DIR>	d--------	C:\Arquivos de programas\TurboADSL
2008-08-03 19:45 . 2008-08-03 19:46	<DIR>	d--------	C:\Arquivos de programas\Programador de Modem
2008-08-03 19:20 . 2007-07-30 19:19	549,720	--a------	C:\WINDOWS\system32\wuapi.dll
2008-08-03 19:20 . 2007-07-30 19:19	325,976	--a------	C:\WINDOWS\system32\wucltui.dll
2008-08-03 19:20 . 2007-07-30 19:19	216,408	--a------	C:\WINDOWS\system32\wuaucpl.cpl
2008-08-03 19:20 . 2007-07-30 19:19	43,352	--a------	C:\WINDOWS\system32\wups2.dll
2008-08-03 19:20 . 2007-07-30 19:18	34,136	--a------	C:\WINDOWS\system32\wucltui.dll.mui
2008-08-03 19:20 . 2007-07-30 19:18	33,624	--a------	C:\WINDOWS\system32\wups.dll
2008-08-03 19:20 . 2007-07-30 19:20	30,040	--a------	C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-03 19:20 . 2007-07-30 19:20	30,040	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2008-08-03 19:20 . 2007-07-30 19:18	20,824	--a------	C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-03 19:02 . 2004-08-04 00:45	130,048	--a------	C:\WINDOWS\system32\ksproxy.ax
2008-08-03 19:02 . 2004-08-04 00:45	130,048	--a--c---	C:\WINDOWS\system32\dllcache\ksproxy.ax
2008-08-03 19:02 . 2004-08-04 00:45	23,552	--a------	C:\WINDOWS\system32\wdmaud.drv
2008-08-03 19:02 . 2004-08-04 00:45	23,552	--a--c---	C:\WINDOWS\system32\dllcache\wdmaud.drv
2008-08-03 19:02 . 2004-08-04 00:45	4,096	--a------	C:\WINDOWS\system32\ksuser.dll
2008-08-03 19:02 . 2004-08-04 00:45	4,096	--a--c---	C:\WINDOWS\system32\dllcache\ksuser.dll
2008-08-03 17:54 . 2001-08-17 21:59	3,072	--a------	C:\WINDOWS\system32\drivers\audstub.sys
2008-08-03 17:53 . 2004-08-04 00:36	57,984	--a------	C:\WINDOWS\system32\drivers\redbook.sys
2008-08-03 17:52 . 2004-08-04 00:45	76,288	--a------	C:\WINDOWS\system32\usbui.dll
2008-08-03 17:52 . 2001-08-17 20:13	27,165	--a------	C:\WINDOWS\system32\drivers\fetnd5.sys
2008-08-03 17:52 . 2004-08-03 23:08	10,624	--a------	C:\WINDOWS\system32\drivers\gameenum.sys
2008-08-03 17:50 . 2008-08-03 18:01	<DIR>	d--h-----	C:\Documents and Settings\Default User\Modelos
2008-08-03 17:50 . 2008-08-03 17:50	<DIR>	d--------	C:\Documents and Settings\Default User\Meus documentos
2008-08-03 17:50 . 2008-08-03 17:50	<DIR>	dr-------	C:\Documents and Settings\Default User\Menu Iniciar
2008-08-03 17:50 . 2008-08-03 17:50	<DIR>	d--------	C:\Documents and Settings\Default User\Favoritos
2008-08-03 17:50 . 2008-08-03 17:50	<DIR>	dr-h-----	C:\Documents and Settings\Default User\Configurações locais
2008-08-03 17:50 . 2008-08-03 17:50	<DIR>	d--h-----	C:\Documents and Settings\Default User\Ambiente de rede
2008-08-03 17:50 . 2008-08-03 17:50	<DIR>	d--h-----	C:\Documents and Settings\Default User\Ambiente de impressão
2008-08-03 17:50 . 2008-08-05 17:50	<DIR>	d--h-----	C:\Documents and Settings\All Users\Modelos
2008-08-03 17:50 . 2008-08-04 12:39	<DIR>	dr-------	C:\Documents and Settings\All Users\Menu Iniciar
2008-08-03 17:50 . 2008-08-03 17:50	<DIR>	d--------	C:\Documents and Settings\All Users\Favoritos
2008-08-03 17:50 . 2008-08-07 12:26	<DIR>	dr-------	C:\Documents and Settings\All Users\Documentos
2008-08-03 17:49 . 2008-08-03 17:50	<DIR>	dr-h-----	C:\Documents and Settings\Default User\Dados de aplicativos
2008-08-03 17:49 . 2008-08-28 18:56	<DIR>	d--h-----	C:\Documents and Settings\Default User
2008-08-03 17:49 . 2008-08-26 14:21	<DIR>	dr-h-----	C:\Documents and Settings\All Users\Dados de aplicativos
2008-08-03 17:49 . 2008-08-03 18:04	<DIR>	d--------	C:\Documents and Settings\All Users
2008-08-03 17:49 . 2008-08-03 18:17	<DIR>	d--------	C:\Documents and Settings
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 14:02	576	----a-w	C:\Arquivos de programas\idcef.html
2008-08-26 14:02	576	----a-w	C:\Arquivos de programas\idbb.html
2008-08-03 21:24	---------	d-----w	C:\Arquivos de programas\Serviços on-line
2008-08-03 21:06	558,142	----a-w	C:\WINDOWS\java\Packages\1BNJ9VP3.ZIP
2008-08-03 21:06	155,995	----a-w	C:\WINDOWS\java\Packages\DVFVB1VJ.ZIP
2008-08-03 21:06	---------	d-----w	C:\Arquivos de programas\microsoft frontpage
2008-08-03 21:03	---------	d-----w	C:\Arquivos de programas\Arquivos comuns\Serviços
2008-08-29 15:26	32,768	----a-w	C:\Arquivos de programas\mozilla firefox\plugins\MsnChat40pt-br.dll
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   ))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias & legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"discador"="C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE" [2003-03-26 15:50 672768]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Monitor Apache Servers.lnk - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-06-13 04:09:14 41041]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"C:\\Arquivos de programas\\eMule\\emule.exe"=
"D:\\PowerEdge-v3\\Servidor.exe"=
"D:\\PowerEdge-v3\\Bot Teste\\mIRC1.exe"=
"D:\\BCScript\\mirc.exe"=

R2 Apache2.2;Apache2.2;C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-06-13 04:05]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 00:09]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 16:35:32
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\GbpSv]
"ImagePath"="C:\ARQUIV~1\GbPlugin\GbpSv.exe"
.
Tempo para conclusão: 2008-08-29 16:37:43
ComboFix-quarantined-files.txt  2008-08-29 19:36:59
ComboFix2.txt  2008-08-28 21:56:13

Pre-Run: 6 pasta(s) 34,569,920,512 bytes disponíveis
Post-Run: 8 pasta(s) 34,559,782,912 bytes disponíveis

209

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:02:09, on 29/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msne.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217801760265
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E1DEDC0-6986-45D3-92F6-17A1D8ADD44B}: NameServer = 201.10.1.2 201.10.120.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C181193-DCDC-4B2A-8462-F16A3B42B204}: Domain = @
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4191 bytes

Thanks,

#11 Mr. Xerife

    12 Hours

  • Members
  • 135 posts
  • Gender: Male

Posted 29/08/2008, 18:18

Download Avenger, save it to your Desktop and then unzip it.

Select and copy the text inside the QUOTE (grey box) below:

Files to delete:
C:\WINDOWS\system32\msne.exe


Run Avenger.exe from the desktop.

◘ Right-click in the "Input script here:" window, then click Paste (or Ctrl + V).
◘ Click Execute
◘ Choose "Yes" twice when prompted.


When the script finishes running, the PC will be restarted. The PC may restart more than once.

Post the log you will find at C:\avenger.txt together with a new HijackThis log.

#12 Inu

    Veteran

  • Members
  • 1138 posts
  • Gender: Male
  • Location: Canela, Rio Grande do Sul, Brasil

Posted 29/08/2008, 19:46

Hello,
The logs follow below.
Avenger:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\msne.exe" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:44:30, on 29/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217801760265
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E1DEDC0-6986-45D3-92F6-17A1D8ADD44B}: NameServer = 201.10.1.2 201.10.120.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C181193-DCDC-4B2A-8462-F16A3B42B204}: Domain = @
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4233 bytes

Thanks,

#13 Mr. Xerife

    12 Hours

  • Members
  • 135 posts
  • Gender: Male

Posted 29/08/2008, 23:55

- In Run, type combofix /u, click OK and wait for ComboFix to be uninstalled.

CONGRATULATIONS

Your PC is clean!

- I recommend a maintenance pass on the computer to delete temporary and unnecessary files and invalid registry entries. Download CCleaner

* Open the program and click Run Cleaner;
* After that, click Registry > Scan for Issues > Fix Issues

- Disable and then re-enable System Restore

Read the article Proteja seu PC for more information on how to avoid infections;

Come back whenever you need to.

Regards

#14 Allex Severino

    Really?!?!?!

  • Members
  • 793 posts
  • Gender: Male
  • Location: São Luís de Montes Belos - GO

Posted 05/12/2008, 14:49

Problem Solved!

If the author needs the topic reopened, contact the moderation team.
Did my post help you? Clicking the [image] is one way to say thanks.



