
Process Manager - Svchost.exe


This topic is locked
16 replies to this topic

#1 Inu

Inu

    Veteran

  • Users
  • 1138 posts
  • Gender: Male
  • Location: Canela, Rio Grande do Sul, Brazil

Posted 23/05/2008, 19:33

Hi everyone,
Since noon my computer has been slow and my internet connection keeps dropping. I suspect a virus, because I installed a few things but did not make a backup or a restore point before installing, which keeps me from restoring the system.
Still, I ran a little program from Linha Defensiva, Banker Fix, to see if it helps. It found some suspicious things and so on... But the problem is that the internet still keeps dropping. I've been looking at my processes and there are some suspicious ones. I also read that this svchost.exe runs several processes inside a single file, a group...
So I'd like someone to look at whether there is a suspicious process inside it and, if possible, tell me how to remove it.
The processes:

C:\Documents and Settings\Rejane>tasklist /svc

Nome da imagem            Identi Serviços
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     632 N/A
csrss.exe                    696 N/A
winlogon.exe                 728 N/A
services.exe                 772 Eventlog, PlugPlay
lsass.exe                    784 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  972 DcomLaunch, TermService
svchost.exe                 1056 RpcSs
svchost.exe                 1152 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasMan, Schedule, seclogon, SENS,
                                 SharedAccess, ShellHWDetection, srservice,
                                 TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                 WZCSVC
svchost.exe                 1304 Dnscache
svchost.exe                 1528 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1644 Spooler
explorer.exe                1764 N/A
httpd.exe                   1924 Apache2.2
MDM.EXE                      236 MDM
httpd.exe                    324 N/A
mysqld-nt.exe               2212 MySQL
nvsvc32.exe                 2252 NVSvc
SnMgrSvc.exe                2380 SNMgrSvc
SMAgent.exe                 2432 SoundMAX Agent Service (default)
svchost.exe                 2464 stisvc
wdfmgr.exe                  2492 UMWdf
alg.exe                     3396 ALG
svchost.exe                 2008 N/A
svchost.exe                  804 N/A
svchost.exe                  832 N/A
usnsvc.exe                  6140 usnjsvc
taskmgr.exe                29664 N/A
firefox.exe                29240 N/A
regedit.exe                29732 N/A
wmiprvse.exe               29384 N/A
cmd.exe                     6000 N/A
tasklist.exe               21312 N/A

Note: Windows XP SP2.
Thanks,
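As an added example (my own code, not something posted in the thread), here is a Python script that parses `tasklist /svc` output like the listing above, answers the question asked in this post by mapping each svchost.exe PID to the services it hosts, and flags the svchost.exe instances that report no service at all (PIDs 2008, 804 and 832 in that listing). The embedded sample is an excerpt of the output posted above.

```python
import re

# Constructed sample: an excerpt of the `tasklist /svc` output posted at the top
# of this thread, with the column layout tasklist prints on Windows XP.
TASKLIST_OUTPUT = """\
Nome da imagem            Identi Serviços
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
services.exe                 772 Eventlog, PlugPlay
svchost.exe                  972 DcomLaunch, TermService
svchost.exe                 1056 RpcSs
svchost.exe                 1152 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasMan, Schedule, seclogon, SENS,
                                 SharedAccess, ShellHWDetection, srservice,
                                 TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                 WZCSVC
svchost.exe                 1304 Dnscache
svchost.exe                 1528 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 2464 stisvc
svchost.exe                 2008 N/A
svchost.exe                  804 N/A
svchost.exe                  832 N/A
taskmgr.exe                29664 N/A
"""

# image name, PID, then the (possibly empty) service list; the image name is
# everything before the first run of whitespace that is followed by digits.
RECORD_RE = re.compile(r"^(\S.*?)\s+(\d+)\s*(.*)$")


def _split_services(text):
    """Turn 'A, B, C,' or 'N/A' into a list of service names."""
    text = text.strip()
    if not text or text == "N/A":
        return []
    return [s.strip() for s in text.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into records {image, pid, services}.

    Continuation lines (the wrapped service list of a long svchost group) are
    appended to the previous record, whether they keep tasklist's indentation
    or were flattened when pasted into a forum post."""
    records = []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("=====")  # skip everything up to the separator
            continue
        if not line.strip():
            continue
        match = None if line[0].isspace() else RECORD_RE.match(line)
        if match:
            image, pid, services = match.groups()
            records.append({"image": image, "pid": int(pid), "services": _split_services(services)})
        elif records:
            records[-1]["services"].extend(_split_services(line))
    return records


def svchost_groups(records):
    """Map each svchost.exe PID to the services it hosts (what the poster asked for)."""
    return {r["pid"]: r["services"] for r in records if r["image"].lower() == "svchost.exe"}


def svchost_findings(records):
    """Flag svchost.exe instances that tasklist could not tie to any service.

    A service host exists only to run the services listed next to it, so an
    instance showing N/A deserves a second look (image path under
    %SystemRoot%\\System32, parent process services.exe, owning account)
    before it is trusted. Returns a list of (pid, reason)."""
    findings = []
    for pid, services in svchost_groups(records).items():
        if not services:
            findings.append((pid, "svchost.exe hosts no registered service (N/A); verify path, parent and user"))
    return findings


if __name__ == "__main__":
    recs = parse_tasklist_svc(TASKLIST_OUTPUT)
    for pid, services in svchost_groups(recs).items():
        print(f"svchost.exe PID {pid}: {', '.join(services) or 'N/A'}")
    for pid, reason in svchost_findings(recs):
        print(f"CHECK PID {pid}: {reason}")
```

The same parser accepts the flattened copy of the listing as pasted in the post, because a non-indented line that does not start a new record is treated as a continuation of the previous one.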

#2 beto

beto

    Doctor

  • Ex-Admins
  • 840 posts
  • Gender: Male

Posted 23/05/2008, 20:13

Hey Inu, all good??

Here's the thing, I'm moving your topic to Malware Removal...

Read this topic for the steps to generate the HijackThis log: http://forum.wmonlin...howtopic=195696

(y)
twitter: @robertorcezar

#3 Inu

Inu

    Veteran

  • Users
  • 1138 posts
  • Gender: Male
  • Location: Canela, Rio Grande do Sul, Brazil

Posted 23/05/2008, 21:18

Hi Beto,
Thanks for moving it... I had already done an analysis on my own with HijackThis and found nothing, but I'll leave it for you to analyze as well...
Logfile of HijackThis v1.99.1
Scan saved at 21:03:07, on 23/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\SnMgrSvc.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @
O17 - HKLM\System\CCS\Services\Tcpip\..\{27DC7724-E543-4713-B28F-F1F4301301F6}: NameServer = 201.10.1.2 201.10.120.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @
O17 - HKLM\System\CS2\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @
O17 - HKLM\System\CS3\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
There's my log...
Another thing, two suspicious processes running here on the computer... I ended both of them to be safe... But here they are:
nvsvc32.exe - Only suspicious because, while searching Google for the process, one result was this:

Nvsvc32.exe = Backdoor (W32/Gaobot.BS) Note: remove in Safe Mode
also look in the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

"System Loader"="%system%\syscfg.exe"
It usually also sits in the System and System32 folders

I leave the question of whether or not it is malicious to you, and I did not carry out the process described above, because I'm unsure how trustworthy the Google result is.
vsnsvc.exe - Suspicious because Google returns nothing about this process. And now, after logging off, shutting down and turning the computer back on, after a while this process hasn't shown up in the list yet, but it's still suspicious. (Google 1 and Google 2.)
EEF9.tmp - Suspicious, because I've never seen it before and Google also returns nothing about it. (Google 1 and Google 2.)

So, what can you tell me about this?
The rest of the processes looked normal to me. However, when I end this EEF9.tmp, it sometimes comes back. Conclusion: there is some malicious/unnecessary/improper process camouflaged somehow (by svchost.exe or some other file) that is opening/creating this EEF9.tmp.
Is it normal for an iexplore.exe to open out of nowhere, as System, without me opening IE? I only use Firefox.
I believe that's all. If there's anything else, I'll come back.
Note: even after ending the suspicious processes, the internet connection (the one opened by the provider's dialer) keeps closing out of nowhere. That's not normal, because I never noticed this problem before. Oh right, some application error messages keep popping up out of nowhere, some with svchost.exe, others about Visual Basic running, something like that, out of nowhere. o-o
Thanks,

Edited by: Inu, 23/05/2008, 21:24.


#4 Mr. Xerife

Mr. Xerife

    12 Hours

  • Users
  • 135 posts
  • Gender: Male

Posted 24/05/2008, 00:06

- Download ComboFix

• Temporarily disable your antivirus;
• Close all open windows;
• Double-click combofix.exe and press "1" to proceed with the fix. It may take some time.
• ComboFix may restart the PC automatically to complete the removal process.
• When it finishes, a log will be generated, at C:\ComboFix.txt.
Do not click on the ComboFix window or close it with the X while it is running, and do not move the mouse or use the keyboard, otherwise it will stop and your desktop will go blank.
• To stop or exit ComboFix, press "N".
• Paste ComboFix.txt in your reply.
- Generate a new HijackThis log and paste it in your reply.

#5 Inu

Inu

    Veteran

  • Users
  • 1138 posts
  • Gender: Male
  • Location: Canela, Rio Grande do Sul, Brazil

Posted 24/05/2008, 00:42

Hi,
Both logs, as requested, are attached below.
ComboFix:
ComboFix 08-05-21.3 - XP 2008-05-24  0:18:34.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1046.18.63 [GMT -3:00]
Executando de: C:\Documents and Settings\Rejane\Desktop\ComboFix.exe
 * Criado um novo ponto de restauro
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((   Outras Exclusões   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\btqukiqp.ini
C:\WINDOWS\system32\crypts.dll
C:\WINDOWS\system32\dllh8jkd1q8.exe
C:\WINDOWS\system32\drivers\Psv82.sys
C:\WINDOWS\system32\drivers\Qux58.sys
C:\WINDOWS\system32\drivers\Wbe60.sys
C:\WINDOWS\system32\drivers\Ydg82.sys
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\WFLmoqss.ini
C:\WINDOWS\system32\WFLmoqss.ini2
C:\WINDOWS\system32\WinNt32.dll
C:\WINDOWS\system32\wvUlighg.dll
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PSV82
-------\Legacy_QUX58
-------\Legacy_TCPSR
-------\Legacy_WBE60
-------\Legacy_YDG82
-------\Service_Psv82
-------\Service_Qux58
-------\Service_tcpsr
-------\Service_Wbe60
-------\Service_Ydg82

(((((((((((((((((((((((   Ficheiros criados de 2008-04-24 to 2008-05-24  ))))))))))))))))))))))))))))))))
.
2008-05-23 12:57 . 2008-05-23 21:03	<DIR>	d--------	C:\LinhaDefensiva
2008-05-23 11:12 . 2008-05-23 11:19	<DIR>	d--------	C:\Documents and Settings\Rejane\Dados de aplicativos\mIRC
2008-05-23 11:11 . 2008-05-23 11:11	80,896	--a------	C:\WINDOWS\system32\pqikuqtb.dll
2008-05-23 11:05 . 2008-05-23 11:05	280,064	--a------	C:\WINDOWS\system32\ssqomLFW.dll
2008-05-22 15:15 . 2008-05-22 15:15	<DIR>	d--------	C:\Arquivos de programas\Gabest
2008-05-22 13:03 . 2008-05-22 13:46	<DIR>	d--------	C:\Bot Game
2008-05-03 13:02 . 2008-05-03 13:03	<DIR>	d--------	C:\Arquivos de programas\Winamp
2008-04-28 18:40 . 2008-04-28 18:40	<DIR>	d--------	C:\Arquivos de programas\WinSCP
2008-04-27 18:33 . 2008-05-23 15:24	<DIR>	d--------	C:\Documents and Settings\Rejane\Dados de aplicativos\uTorrent
2008-04-27 18:33 . 2008-05-23 10:59	<DIR>	d--------	C:\Arquivos de programas\uTorrent
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 14:48	---------	d-----w	C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer
2008-05-17 01:06	---------	d-----w	C:\Documents and Settings\Rejane\Dados de aplicativos\BrOffice.org2
2008-05-14 00:00	---------	d-----w	C:\Arquivos de programas\eMule
2008-05-03 16:02	---------	d-----w	C:\Documents and Settings\Rejane\Dados de aplicativos\Winamp
2008-04-20 17:00	---------	d-----w	C:\Arquivos de programas\No-IP
2008-04-13 21:51	---------	d-----w	C:\Arquivos de programas\Smallvideosoft
2008-04-03 20:17	---------	d-----w	C:\Documents and Settings\All Users\Dados de aplicativos\JH Software
2008-03-31 00:09	---------	d-----w	C:\Arquivos de programas\MSN Messenger
2008-03-21 15:22	22,528	----a-w	C:\WINDOWS\system32\wupdm.exe
2008-05-23 22:56	32,768	----a-w	C:\Arquivos de programas\mozilla firefox\plugins\MsnChat40pt-br.dll
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{083F37E3-043F-4B4F-8354-9C204EB1327F}]
2008-05-23 11:05	280064	--a------	C:\WINDOWS\system32\ssqomLFW.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"discador"="C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE" [2003-03-26 15:50 672768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 05:50 4620288]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 05:50 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rejane^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]
path=C:\Documents and Settings\Rejane\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Arquivos de programas\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 05:50 921600 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Arquivos de programas\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XMail"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R1 SNSID;SNSID;C:\WINDOWS\system32\Drivers\SNSID.sys [2007-05-30 11:23]
R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys [2007-05-30 11:35]
R2 Apache2.2;Apache2.2;"C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice []
R2 Ps2KSecureKeyboard;SecureKbd;C:\WINDOWS\system32\DRIVERS\psseckbd.sys [2007-05-30 11:21]
R2 SNMgrSvc;SNMgrSvc;"C:\WINDOWS\system32\SnMgrSvc.exe" [2007-05-30 11:34]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 00:09]
R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys [2007-05-30 11:21]
S3 Tomcat5;Apache Tomcat;"C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 []
S4 XMail;XMail Server;c:\xmail\XMail.exe []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 00:31:48
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-05-24  0:38:24 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-24 03:38:12

Pre-Run: 24,361,684,992 bytes disponíveis
Post-Run: 24,314,232,832 bytes disponíveis

144

Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 00:40:53, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\SnMgrSvc.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {083F37E3-043F-4B4F-8354-9C204EB1327F} - C:\WINDOWS\system32\ssqomLFW.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @
O17 - HKLM\System\CCS\Services\Tcpip\..\{27DC7724-E543-4713-B28F-F1F4301301F6}: NameServer = 201.10.1.2 201.10.120.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @
O17 - HKLM\System\CS2\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @
O17 - HKLM\System\CS3\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Thanks,
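As an added example (my own code, not from the thread or from the tools themselves), the script below reads HijackThis entries like those in the log above together with the "Ficheiros criados" section of the ComboFix log in the same post, and reports the items a reviewer would look at first: an unnamed BHO, a service whose binary is missing, the DNS servers in use, and any load point whose file ComboFix saw created recently. The embedded samples are a handful of lines copied from this post's logs; the selection is mine.

```python
import re

# Constructed sample in the format of the HijackThis v1.99 logs posted in this
# thread (CLSIDs and paths copied from those logs; the selection is mine).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {083F37E3-043F-4B4F-8354-9C204EB1327F} - C:\WINDOWS\system32\ssqomLFW.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{27DC7724-E543-4713-B28F-F1F4301301F6}: NameServer = 201.10.1.2 201.10.120.3
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Constructed sample of ComboFix's "Ficheiros criados" section from the same post
# (tab-separated: created . modified, size or <DIR>, attributes, path).
COMBOFIX_NEW_FILES = (
    "2008-05-23 11:11 . 2008-05-23 11:11\t80,896\t--a------\tC:\\WINDOWS\\system32\\pqikuqtb.dll\n"
    "2008-05-23 11:05 . 2008-05-23 11:05\t280,064\t--a------\tC:\\WINDOWS\\system32\\ssqomLFW.dll\n"
    "2008-05-03 13:02 . 2008-05-03 13:03\t<DIR>\td--------\tC:\\Arquivos de programas\\Winamp\n"
)

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")  # "O2 - ..." -> (section, body)
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-F-]{36}\}) - (.*)$", re.I)
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]*)\] (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*?)( \(file missing\))?$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\"]*?\.(?:dll|exe|sys|cpl)", re.I)
NEWFILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \S+ \S+\t(\S+)\t\S+\t(.*)$")


def parse_hjt(text):
    """Return (section, body) for each 'Oxx - ...' entry; header lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def parse_combofix_new_files(text):
    """Map each file (not directory) ComboFix listed as recently created to (created, size)."""
    files = {}
    for line in text.splitlines():
        m = NEWFILE_RE.match(line)
        if m and m.group(2) != "<DIR>":
            files[m.group(3).lower()] = (m.group(1), m.group(2))
    return files


def triage(hjt_text, combofix_text):
    """Return (section, message) findings worth a closer look: unnamed BHOs,
    services whose binary is missing, the DNS servers in use, and any load
    point whose file appears in ComboFix's recently-created list."""
    recent = parse_combofix_new_files(combofix_text)
    findings = []
    for section, body in parse_hjt(hjt_text):
        paths = []  # files this entry causes to be loaded
        if section == "O2" and (m := BHO_RE.match(body)):
            paths.append(m.group(3))
            if m.group(1) == "(no name)":
                findings.append((section, f"unnamed BHO {m.group(2)} loads {m.group(3)}"))
        elif section == "O4" and (m := RUN_RE.match(body)):
            paths.extend(PATH_RE.findall(m.group(2)))
        elif section == "O17" and (m := NAMESERVER_RE.search(body)):
            findings.append((section, f"DNS servers {m.group(1)}: confirm they belong to the ISP"))
        elif section == "O23" and (m := SERVICE_RE.match(body)):
            paths.append(m.group(3))
            if m.group(4):
                findings.append((section, f"service '{m.group(1)}' points to missing file {m.group(3)}"))
        for path in paths:
            if path.lower() in recent:
                created, size = recent[path.lower()]
                findings.append((section, f"{path} is a load point and was created {created} ({size} bytes)"))
    return findings


if __name__ == "__main__":
    for section, message in triage(HJT_SAMPLE, COMBOFIX_NEW_FILES):
        print(f"[{section}] {message}")
```

Run as written, the cross-reference ties the unnamed BHO to a DLL created on 2008-05-23 at 11:05, shortly before the slowdown the first post dates to noon that day.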

#6 Mr. Xerife

Mr. Xerife

    12 Hours

  • Users
  • 135 posts
  • Gender: Male

Posted 24/05/2008, 01:06

Hi friend,

Follow this path: Start > Run > type combofix /u and wait for the program to be removed.

Download ComboFix again, and post its log together with the HijackThis one.

Cheers

#7 Inu

Inu

    Veteran

  • Users
  • 1138 posts
  • Gender: Male
  • Location: Canela, Rio Grande do Sul, Brazil

Posted 24/05/2008, 11:10

Hi,
Below are the logs, as requested.
ComboFix:
ComboFix 08-05-21.3 - XP 2008-05-24 10:59:17.2 - NTFSx86
Executando de: C:\Documents and Settings\Rejane\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((   Ficheiros criados de 2008-04-24 to 2008-05-24  ))))))))))))))))))))))))))))))))
.
2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\WINDOWS\system32\config\systemprofile\Configurações locais
2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\Documents and Settings\Rejane\Configurações locais
2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\Documents and Settings\NetworkService\Configurações locais
2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\Documents and Settings\LocalService\Configurações locais
2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\Documents and Settings\Administrador\Configurações locais
2008-05-23 12:57 . 2008-05-24 00:40	<DIR>	d--------	C:\LinhaDefensiva
2008-05-23 11:12 . 2008-05-23 11:19	<DIR>	d--------	C:\Documents and Settings\Rejane\Dados de aplicativos\mIRC
2008-05-23 11:11 . 2008-05-23 11:11	80,896	--a------	C:\WINDOWS\system32\pqikuqtb.dll
2008-05-23 11:05 . 2008-05-23 11:05	280,064	--a------	C:\WINDOWS\system32\ssqomLFW.dll
2008-05-22 15:15 . 2008-05-22 15:15	<DIR>	d--------	C:\Arquivos de programas\Gabest
2008-05-22 13:03 . 2008-05-22 13:46	<DIR>	d--------	C:\Bot Game
2008-05-03 13:02 . 2008-05-03 13:03	<DIR>	d--------	C:\Arquivos de programas\Winamp
2008-04-28 18:40 . 2008-04-28 18:40	<DIR>	d--------	C:\Arquivos de programas\WinSCP
2008-04-27 18:33 . 2008-05-23 15:24	<DIR>	d--------	C:\Documents and Settings\Rejane\Dados de aplicativos\uTorrent
2008-04-27 18:33 . 2008-05-23 10:59	<DIR>	d--------	C:\Arquivos de programas\uTorrent
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 14:48	---------	d-----w	C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer
2008-05-17 01:06	---------	d-----w	C:\Documents and Settings\Rejane\Dados de aplicativos\BrOffice.org2
2008-05-14 00:00	---------	d-----w	C:\Arquivos de programas\eMule
2008-05-03 16:02	---------	d-----w	C:\Documents and Settings\Rejane\Dados de aplicativos\Winamp
2008-04-20 17:00	---------	d-----w	C:\Arquivos de programas\No-IP
2008-04-13 21:51	---------	d-----w	C:\Arquivos de programas\Smallvideosoft
2008-04-03 20:17	---------	d-----w	C:\Documents and Settings\All Users\Dados de aplicativos\JH Software
2008-03-31 00:09	---------	d-----w	C:\Arquivos de programas\MSN Messenger
2008-03-21 15:22	22,528	----a-w	C:\WINDOWS\system32\wupdm.exe
2008-05-24 03:45	32,768	----a-w	C:\Arquivos de programas\mozilla firefox\plugins\MsnChat40pt-br.dll
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{083F37E3-043F-4B4F-8354-9C204EB1327F}]
2008-05-23 11:05	280064	--a------	C:\WINDOWS\system32\ssqomLFW.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"discador"="C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE" [2003-03-26 15:50 672768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 05:50 4620288]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 05:50 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rejane^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]
path=C:\Documents and Settings\Rejane\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Arquivos de programas\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 05:50 921600 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Arquivos de programas\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XMail"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R1 SNSID;SNSID;C:\WINDOWS\system32\Drivers\SNSID.sys [2007-05-30 11:23]
R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys [2007-05-30 11:35]
R2 Apache2.2;Apache2.2;"C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice []
R2 Ps2KSecureKeyboard;SecureKbd;C:\WINDOWS\system32\DRIVERS\psseckbd.sys [2007-05-30 11:21]
R2 SNMgrSvc;SNMgrSvc;"C:\WINDOWS\system32\SnMgrSvc.exe" [2007-05-30 11:34]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 00:09]
R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys [2007-05-30 11:21]
S3 Tomcat5;Apache Tomcat;"C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 []
S4 XMail;XMail Server;c:\xmail\XMail.exe []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 11:02:12
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySQL]
"ImagePath"="\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Tempo para conclusão: 2008-05-24 11:06:27
ComboFix-quarantined-files.txt  2008-05-24 14: 05:43
ComboFix2.txt  2008-05-24 03:38:26

Pre-Run: 25,581,391,872 bytes disponíveis
Post-Run: 25,892,077,568 bytes disponíveis

109

Hijackthis:
Logfile of HijackThis v1.99.1Scan saved at 11:08:17, on 24/05/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exeC:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exeC:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exeC:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\system32\SnMgrSvc.exeC:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\System32\svchost.exeC:\Arquivos de programas\MSN Messenger\usnsvc.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\Arquivos de programas\Mozilla Firefox\firefox.exeC:\hijackthis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {083F37E3-043F-4B4F-8354-9C204EB1327F} - C:\WINDOWS\system32\ssqomLFW.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dllO4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWndO4 - HKLM\..\Run: [NvCplDaemon] 
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInitO4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXEO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dllO14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.aspO16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - [url="http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab"]http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab[/url]O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} - [url="https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab"]https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab[/url]O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - [url="http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab"]http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab[/url]O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - [url="http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab"]http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab[/url]O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - [url="http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab"]http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab[/url]O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - 
[url="http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab"]http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab[/url]O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - [url="http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab"]http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab[/url]O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [url="http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab"]http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab[/url]O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - [url="https://www14.bancobrasil.com.br/plugin/GbpDist.cab"]https://www14.bancobrasil.com.br/plugin/GbpDist.cab[/url]O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - [url="http://fdl.msn.com/public/chat/msnchat45.cab"]http://fdl.msn.com/public/chat/msnchat45.cab[/url]O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - [url="http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab"]http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab[/url]O17 - HKLM\System\CCS\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @O17 - HKLM\System\CCS\Services\Tcpip\..\{27DC7724-E543-4713-B28F-F1F4301301F6}: NameServer = 201.10.1.2 201.10.120.3O17 - HKLM\System\CS1\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @O17 - HKLM\System\CS2\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @O17 - HKLM\System\CS3\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLLO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Apache2.2 - Unknown owner - C:\Arquivos de programas\Apache 
Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe (file missing)O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Oh, could you recommend a good antivirus? And a firewall? For antivirus, NOD32 was recommended to me; is it any good?

Thanks,

#8 Allex Severino

Allex Severino

    Really?!?!?!

  • Users
  • 793 posts
  • Sex: Male
  • Location: São Luís de Montes Belos - GO

Posted 24/05/2008, 13:49

Oh, could you recommend a good antivirus? And a firewall? For antivirus, NOD32 was recommended to me; is it any good?

Thanks,



Well, for antivirus I recommend Kaspersky; it has never failed me on the backup server where I work. As for a firewall, I recommend ZoneAlarm; it is very good.
Did my post help you? Clicking the [image] button is one way to say thanks.

#9 Mr. Xerife

Mr. Xerife

    12 Hours

  • Users
  • 135 posts
  • Sex: Male

Posted 24/05/2008, 14:36

Submit these files to VirusTotal

C:\WINDOWS\system32\pqikuqtb.dll

C:\WINDOWS\system32\ssqomLFW.dll

C:\Bot Game


http://www.virustotal.com/pt/

And post the results.

#10 Inu

Inu

    Veteran

  • Users
  • 1138 posts
  • Sex: Male
  • Location: Canela, Rio Grande do Sul, Brasil

Posted 24/05/2008, 17:25

Hello,
The results:
http://www.virustota...c2edd5dbdcbe499
http://www.virustota...b39c7e0adeea9b7
http://www.virustota...8ac0f8e6c961f09
The last one I had to zip, because it is a folder I created myself, containing mIRC and a few .ini, .mrc and .txt files, so I think it is unlikely there is a virus in it.
Thanks,

#11 Mr. Xerife

Mr. Xerife

    12 Hours

  • Users
  • 135 posts
  • Sex: Male

Posted 25/05/2008, 00:40

Download VundoFix
http://linhadefensiv....br/dl/vundofix
Save it to your desktop.

1 - Run VundoFix.exe.

2 - When VundoFix opens again, click Scan for Vundo

3 - When it finishes, click Remove Vundo

4 - You will get a prompt asking whether you want to remove the files. Confirm. Your desktop will disappear.

5 - You will get a notice saying your computer must be shut down. Click OK and then turn the computer on again.

6 - VundoFix may find a file but fail to remove it. If that happens, the tool will run at reboot.
When VundoFix appears, click the Scan for Vundo button to repeat the process.

When VundoFix no longer finds any file it cannot remove, make a new HijackThis log and post it together with the vundofix.txt file in your next reply.

Regards

#12 Inu

Inu

    Veteran

  • Users
  • 1138 posts
  • Sex: Male
  • Location: Canela, Rio Grande do Sul, Brasil

Posted 25/05/2008, 09:26

Hello,
I ran it as requested, but it returns "donne scanning, files..." Do I have to add some file(s) to it? If so, which one(s)?

#13 Mr. Xerife

Mr. Xerife

    12 Hours

  • Users
  • 135 posts
  • Sex: Male

Posted 25/05/2008, 14:55

I suggest you print or save the procedure below, and do not use the internet until the procedure is finished.

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it to the desktop with the name CFScript.txt.

File::
C:\WINDOWS\system32\pqikuqtb.dll
C:\WINDOWS\system32\ssqomLFW.dll
C:\Bot Game


Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

[image: dragging CFScript.txt onto ComboFix]

ComboFix will run and will restart the PC automatically to complete the removal process.

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

Post it together with the new HijackThis log

Regards.

#14 Inu

Inu

    Veteran

  • Users
  • 1138 posts
  • Sex: Male
  • Location: Canela, Rio Grande do Sul, Brasil

Posted 04/06/2008, 19:46

Hello,
Sorry for the delay in producing and posting the new LOG, but I had some problems.
Here they are:

Combofix:
ComboFix 08-06-04.1 - XP 2008-06-04 18:42:29.3 - NTFSx86Microsoft Windows XP Professional  5.1.2600.2.1252.1.1046.18.101 [GMT -3:00]Executando de: C:\Documents and Settings\Rejane\Desktop\ComboFix.exeCommand switches used :: C:\Documents and Settings\Rejane\Desktop\CFScript.txt * Criado um novo ponto de restauro<strong class='bbc'>WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!</strong>FILE ::C:\WINDOWS\system32\pqikuqtb.dllC:\WINDOWS\system32\ssqomLFW.dll.(((((((((((((((((((((((((((((((((((((   Outras Exclusões   ))))))))))))))))))))))))))))))))))))))))))))))))))).C:\WINDOWS\system32\pqikuqtb.dllC:\WINDOWS\system32\ssqomLFW.dll.(((((((((((((((((((((((   Ficheiros criados de 2008-05-04 to 2008-06-04  )))))))))))))))))))))))))))))))).2008-06-02 18:09 . 2008-06-02 20:20	<DIR>	d--------	C:\BCScript2008-05-25 13:53 . 2008-05-26 12:16	<DIR>	d--------	C:\Banjo2006E2008-05-24 18:47 . 2008-05-26 17:12	<DIR>	d--------	C:\Bot Entretenimento2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\WINDOWS\system32\config\systemprofile\Configuraþ§es locais2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\Documents and Settings\Rejane\Configuraþ§es locais2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\Documents and Settings\NetworkService\Configuraþ§es locais2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\Documents and Settings\LocalService\Configuraþ§es locais2008-05-24 00:38 . 2008-05-24 00:38	<DIR>	d--------	C:\Documents and Settings\Administrador\Configuraþ§es locais2008-05-22 15:15 . 
2008-05-22 15:15	<DIR>	d--------	C:\Arquivos de programas\Gabest.(((((((((((((((((((((((((((((((((((((   Relatório Find3M   )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-06-04 21:37	---------	d-----w	C:\Documents and Settings\Rejane\Dados de aplicativos\uTorrent2008-06-01 20:56	---------	d-----w	C:\Arquivos de programas\MSN Messenger2008-06-01 16:47	---------	d-----w	C:\Arquivos de programas\eMule2008-05-29 22:51	---------	d-----w	C:\Documents and Settings\Rejane\Dados de aplicativos\BrOffice.org22008-05-23 14:48	---------	d-----w	C:\Documents and Settings\All Users\Dados de aplicativos\Apple Computer2008-05-23 13:59	---------	d-----w	C:\Arquivos de programas\uTorrent2008-05-03 16:03	---------	d-----w	C:\Arquivos de programas\Winamp2008-05-03 16:02	---------	d-----w	C:\Documents and Settings\Rejane\Dados de aplicativos\Winamp2008-04-28 21:40	---------	d-----w	C:\Arquivos de programas\WinSCP2008-04-20 17:00	---------	d-----w	C:\Arquivos de programas\No-IP2008-04-13 21:51	---------	d-----w	C:\Arquivos de programas\Smallvideosoft2008-03-21 15:22	22,528	----a-w	C:\WINDOWS\system32\wupdm.exe2008-06-04 20:08	32,768	----a-w	C:\Arquivos de programas\mozilla firefox\plugins\MsnChat40pt-br.dll.(((((((((((((((((((((((((((((   snapshot@2008-05-24_11.05.18,68   ))))))))))))))))))))))))))))))))))))))))).- 2008-05-24 13:24:22	2,048	--s-a-w	C:\WINDOWS\bootstat.dat+ 2008-06-04 15:12:41	2,048	--s-a-w	C:\WINDOWS\bootstat.dat+ 2008-04-15 12:39:28	70,472	----a-w	C:\WINDOWS\Downloaded Program Files\gbpdist.dll.((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))..REGEDIT4*Nota* entradas vazias & legítimas por defeito não são mostradas.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]"discador"="C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXE" [2003-03-26 15:50 
672768][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Cmaudio"="cmicnfg.cpl" []"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 05:50 4620288]"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 05:50 86016][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360][HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnkbackup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^Rejane^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]path=C:\Documents and Settings\Rejane\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnkbackup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]C:\Arquivos de programas\Google\Google Talk\googletalk.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]--a------ 2004-10-29 05:50 921600 C:\WINDOWS\system32\nwiz.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]C:\Arquivos de programas\QuickTime\qttask.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"XMail"=3 (0x3)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 
(0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"9420:TCP"= 9420:TCP:Red Swoosh"5000:UDP"= 5000:UDP:Red SwooshR1 SNSID;SNSID;C:\WINDOWS\system32\Drivers\SNSID.sys [2007-05-30 11:23]R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys [2007-05-30 11:35]R2 Apache2.2;Apache2.2;"C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice []R2 Ps2KSecureKeyboard;SecureKbd;C:\WINDOWS\system32\DRIVERS\psseckbd.sys [2007-05-30 11:21]R2 SNMgrSvc;SNMgrSvc;"C:\WINDOWS\system32\SnMgrSvc.exe" [2007-05-30 11:34]R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 00:09]R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys [2007-05-30 11:21]S3 Tomcat5;Apache Tomcat;"C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 []S4 XMail;XMail Server;c:\xmail\XMail.exe [].**************************************************************************catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]Rootkit scan 2008-06-04 18:45:02Windows 5.1.2600 Service Pack 2 NTFSProcurando processos ocultos ...Procurando entradas auto inicializáveis ocultas ...Procurando ficheiros ocultos ...**************************************************************************[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySQL]"ImagePath"="\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini\" MySQL".Tempo para conclusão: 2008-06-04 18:48:05ComboFix-quarantined-files.txt  2008-06-04 21:47:01ComboFix2.txt  2008-05-24 14:06:28ComboFix3.txt  2008-05-24 03:38:26Pre-Run: 24,933,187,584 bytes 
disponíveisPost-Run: 24,936,521,728 bytes disponíveis119

Hijack This:
Logfile of HijackThis v1.99.1Scan saved at 19:44:16, on 04/06/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exeC:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exeC:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exeC:\WINDOWS\System32\nvsvc32.exeC:\WINDOWS\system32\SnMgrSvc.exeC:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\System32\svchost.exeC:\Arquivos de programas\MSN Messenger\usnsvc.exeC:\WINDOWS\system32\notepad.exeC:\WINDOWS\explorer.exeC:\Arquivos de programas\Mozilla Firefox\firefox.exeC:\hijackthis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dllO4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWndO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE 
C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInitO4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [discador] C:\Arquivos de programas\TurboADSL\TurboADSL 0.98\DISCADOR.EXEO6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dllO14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.aspO16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - [url="http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab"]http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab[/url]O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} - [url="https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab"]https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab[/url]O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - [url="http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab"]http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab[/url]O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - [url="http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab"]http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab[/url]O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - [url="http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab"]http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab[/url]O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - [url="http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab"]http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab[/url]O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - 
[url="http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab"]http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab[/url]O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [url="http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab"]http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab[/url]O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - [url="https://www14.bancobrasil.com.br/plugin/GbpDist.cab"]https://www14.bancobrasil.com.br/plugin/GbpDist.cab[/url]O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - [url="http://fdl.msn.com/public/chat/msnchat45.cab"]http://fdl.msn.com/public/chat/msnchat45.cab[/url]O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - [url="http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab"]http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab[/url]O17 - HKLM\System\CCS\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @O17 - HKLM\System\CCS\Services\Tcpip\..\{27DC7724-E543-4713-B28F-F1F4301301F6}: NameServer = 201.10.1.2 201.10.120.3O17 - HKLM\System\CS1\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @O17 - HKLM\System\CS2\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @O17 - HKLM\System\CS3\Services\Tcpip\..\{02EA583D-EE08-4BCC-812B-E62BC7463EDC}: Domain = @O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLLO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Apache2.2 - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - 
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe (file missing)O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Thanks,

#15 Mr. Xerife

Mr. Xerife

    12 Hours

  • Users
  • 135 posts
  • Sex: Male

Posted 04/06/2008, 20:10

- Run the HijackThis tool - Click Do a System Scan Only. Tick the checkbox(es) for the entry(ies) listed below in blue. When you have finished selecting, click Fix Checked...

O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)

Other than that, your log is clean.

- In Run, type combofix /u and click OK. In the next window click "Run" and wait for the program to be removed;

- I recommend a maintenance pass on the computer to delete temporary and unnecessary files and invalid registry entries. Download CCleaner

* Open the program and click Run Cleaner;
* After that, click Registry > Scan for Issues > Fix Issues

- Disable and re-enable System Restore

Read the article Proteja seu PC (Protect your PC) for more information on how to avoid infections;

• Any malware-related problem?

Regards
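A small triage helper for HijackThis logs like the ones posted in this thread, added here as an example (it is not part of the thread, of HijackThis or of any tool mentioned above). The sample lines are constructed from entries visible in the logs above, and the random-name heuristic for system32 DLLs is my own assumption, not a rule of the tool:

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99.1 format, modelled on entries that appear in
# the logs posted in this thread (not a real log file). Backslashes are doubled
# because this is a Python string literal.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Arquivos de programas\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {083F37E3-043F-4B4F-8354-9C204EB1327F} - C:\\WINDOWS\\system32\\ssqomLFW.dll
O4 - HKCU\\..\\Run: [msnmsgr] "C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe" /background
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{27DC7724-E543-4713-B28F-F1F4301301F6}: NameServer = 201.10.1.2 201.10.120.3
O23 - Service: MySQL - Unknown owner - C:\\Arquivos.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# Every HijackThis entry starts with its section code (R0-R3, F0-F3, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Split a log into entries; header and process-list lines carry no section code and are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body"), "line": line})
    return entries


def review_entry(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry deserves a closer look (an empty list means nothing noteworthy)."""
    section, body = entry["section"], entry["body"]
    reasons: List[str] = []
    if body.endswith("(file missing)"):
        # Leftover registration whose binary is gone; harmless by itself but worth cleaning up,
        # as with the MySQL O23 entry the helper asked to fix in this thread.
        reasons.append("stale entry: referenced file does not exist")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO without a name")
    # Heuristic (my assumption, not a HijackThis rule): an O2 BHO loaded from a system32 DLL
    # whose name is a run of letters in mixed case, like ssqomLFW.dll in this thread, is worth checking.
    m = re.search(r"\\system32\\([A-Za-z]{8})\.dll$", body, re.IGNORECASE)
    if section == "O2" and m:
        stem = m.group(1)
        if stem != stem.lower() and stem != stem.upper():
            reasons.append(f"system32 DLL with random-looking name: {stem}.dll")
    if section == "O17" and "NameServer" in body:
        reasons.append("hard-coded DNS servers; confirm they belong to the ISP")
    return reasons


def review_log(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged entry (its full line) to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_entries(log_text):
        reasons = review_entry(entry)
        if reasons:
            findings[entry["line"]] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in review_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```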



