Jump to content

Ganhe $$$ escrevendo tutoriais para nós!

Foto

Análise de log - arquivo não desinstala

Criado por Rosywata, Apr 25 2012 02:35 PM
LG service desinstalação virus




  • Faça login para responder
12 respostas neste tópico

#1 Rosywata

Rosywata
  • Participante
  • 7 mensagens

Publicado 25 April 2012 - 02:35 PM

Já fiz o que foi solicitado no forum antes de criar o novo tópico.

Tem um arquivo que eu não instalei mas que apareceu no meu PC. É o LGScsiCommandservice.exe. Fui no painel de controle e desinstalei. Ele não aparece mais no painel de controle, nem o CCleaner acha ele, mas toda vez que reinicio o PC lá esta ele rodando.
Será que é um virus?

Segue log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:49:28, on 25/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACMonitor.exe
C:\Arquivos de programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LGScsiCommandService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACSrv.exe
C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SecurDisc] C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE /P26 "EPSON Stylus CX4500 Series" /O6 "USB001" /M "Stylus CX4500"
O4 - HKLM\..\Run: [SafeNetCertMngr] "C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O15 - Trusted Zone: http://www.bancoreal.com.br
O15 - Trusted Zone: http://www.santander.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsec...GbPluginABN.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D77AB275-F2CB-49E5-92AE-BE8CE2CCBCB4}: NameServer = 208.67.222.222,208.67.220.220
O18 - Filter hijack: text/html - {2b4bf8c8-85b9-48f9-abc0-f2e17b3e27cc} - (no file)
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! antivírus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: LG SCSI command service (LGScsiCommandService) - Mobile Leader Co.,Ltd. - C:\WINDOWS\system32\LGScsiCommandService.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: SACSrv - SafeNet, Inc. - C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACSrv.exe

--
End of file - 9883 bytes



#2 ciro-mota

ciro-mota

    Malwares Expert

  • Analista
  • 14996 mensagens

Publicado 25 April 2012 - 04:09 PM

Rosywata,

Acesse o VirusTotal.com

Clique no botão Choose File e localize o arquivo abaixo.

C:\WINDOWS\system32\LGScsiCommandService.exe

Depois clique no botão Scan it!

Aguarde a análise terminar, depois copie o link que estará na barra de endereço do seu navegador

e cole na sua próxima resposta. Exemplo:

https://www.virustot...sis/1331728637/

Obs: Se você usar o VirusTotal, caso o arquivo já tenha sido analisado anteriormente pelo site,

você verá uma imagem semelhante a esta:

Posted Image

Se isso acontecer, reanalise o arquivo.
Posted ImageBlog do Ciro Mota - Update em 09/09/2011
Como rotear e abrir portas no modem TelSec TS-9000 para o Velox.
Leia mais em: http://www.ciromota.net/

#3 Rosywata

Rosywata
  • Participante
  • 7 mensagens

Publicado 25 April 2012 - 04:48 PM

Ok.

Fiz o que disse, abaixo link:

https://www.virustot...sis/1335383044/

#4 ciro-mota

ciro-mota

    Malwares Expert

  • Analista
  • 14996 mensagens

Publicado 26 April 2012 - 04:51 PM

Rosywata,

Baixe o Malwarebytes' Anti-Malware (MBAM)
http://download.cnet...4-10804572.html

Dê um duplo-clique no mbam-setup.exe, escolha a linguagem e na instalação, aceite todas as opções padrão.
  • Verifique se as caixas Atualizar Malwarebytes Anti-Malware e Executar Malwarebytes Anti-Malware estão marcadas e clique então, em Concluir.
  • Se houver atualizações a serem feitas, serão baixadas e instaladas.
  • Ao final da atualização, com o programa aberto, marque Verificação Rápida e clique no botão Verificar.
  • Começará então o exame. Aguarde, pois pode demorar.
  • Ao acabar o exame, clique em OK, depois no botão Mostrar Resultados para ver o relatório.
  • Se houver ítens encontrados, certifique-se de que, estão todos marcados e clique no botão Remover.
  • Ao final da desinfecção, abrirá o Bloco de notas com um log e poderá aparecer um aviso se quer reiniciar o PC. (Ver Nota abaixo)
  • O log é automaticamente salvo pelo MBAM e para vê-lo, clique na aba Logs na janela principal do programa.
  • Selecione, copie e cole todo o conteúdo deste log na sua próxima resposta, juntamente com um novo log do HijackThis.
NOTA: Se o MBAM encontrar arquivos que não consiga remover, poderá ter de reiniciar o PC (talvez mais de uma vez). Faça isso imediatamente, ao ser perguntado se quer reiniciar o PC.
Posted ImageBlog do Ciro Mota - Update em 09/09/2011
Como rotear e abrir portas no modem TelSec TS-9000 para o Velox.
Leia mais em: http://www.ciromota.net/

#5 Rosywata

Rosywata
  • Participante
  • 7 mensagens

Publicado 27 April 2012 - 01:27 PM

Segue log do Mbam e Hijack:



Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Versão da Base de Dados: v2012.04.27.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Micro :: AIKO [limitado]

27/04/2012 13:06:44
mbam-log-2012-04-27 (13-06-44).txt

Tipo de Verificação: Verificação Rápida
Opções de verificações ativadas: Memória | Inicialização | Registro | Sistema de arquivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM
Opções de verificação desativadas: P2P
Objetos escaneados: 198446
Tempo decorrido: 12 minuto(s), 15 segundo(s)

Processos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Módulos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)

Chaves de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Valores de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Detectadas: 0
(Não foram detectados ítens maliciosos)

Pastas Detectadas: 0
(Não foram detectados ítens maliciosos)

Arquivos Detectados: 1
C:\WINDOWS\mastorscorps.cfg (Trojan.Banker) -> Enviado para a Quarentena e deletado com sucesso.

(fim)




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:26:21, on 27/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACMonitor.exe
C:\Arquivos de programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LGScsiCommandService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACSrv.exe
C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\notepad.exe
C:\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SecurDisc] C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE /P26 "EPSON Stylus CX4500 Series" /O6 "USB001" /M "Stylus CX4500"
O4 - HKLM\..\Run: [SafeNetCertMngr] "C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O15 - Trusted Zone: http://www.bancoreal.com.br
O15 - Trusted Zone: http://www.santander.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsec...GbPluginABN.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D77AB275-F2CB-49E5-92AE-BE8CE2CCBCB4}: NameServer = 208.67.222.222,208.67.220.220
O18 - Filter hijack: text/html - {2b4bf8c8-85b9-48f9-abc0-f2e17b3e27cc} - (no file)
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! antivírus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: LG SCSI command service (LGScsiCommandService) - Mobile Leader Co.,Ltd. - C:\WINDOWS\system32\LGScsiCommandService.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: SACSrv - SafeNet, Inc. - C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACSrv.exe

--
End of file - 10163 bytes

#6 ciro-mota

ciro-mota

    Malwares Expert

  • Analista
  • 14996 mensagens

Publicado 27 April 2012 - 04:27 PM

Rosywata,Desative temporariamente seu antivírus, antispywares e firewall, para não causar conflitos.

Faça o download do ComboFix
http://download.blee...Bs/ComboFix.exe

Salve-o na sua área de trabalho.
  • Feche todas as janelas e programas. Rode o ComboFix.
  • Dê um duplo-clique no combofix.exe e tecle "Sim" para prosseguir.
  • Quando perguntado se deseja instalar o Console de Recuperação, clique em Sim e agüarde.
  • Clique em OK para aceitar o EULA, e depois clique em Sim para continuar a busca por malwares.
Não clique em nada e não aperte nenhuma tecla durante o exame, pois a ferramenta não funcionará corretamente.

Quando a ferramenta terminar de rodar, gerará um log. Poste o conteúdo do arquivo C:\ComboFix.txt na sua próxima resposta.
Faça um novo log do HijackThis e cole na sua resposta.

Importante:
  • É necessário estar conectado durante o procedimento com o ComboFix;
  • É preciso estar logado no sistema com privilégios de administrador.
  • Baixe e SALVE o ComboFix. Na janela de download, onde aparecem as opções Executar / Salvar, clique em Salvar. Não execute o ComboFix na janela do seu navegador.
  • Mantenha seu antivírus, antispywares e firewall desativados durante os procedimentos com o ComboFix. Torne a ativá-los quando terminar tudo.
  • Caso você já tenha usado o Combofix anteriormente, então delete-o e baixe-o novamente.
  • Caso o Console de Recuperação já esteja instalado nesta máquina, o ComboFix não irá lhe sugerir a instalação.
  • Não rode o ComboFix mais do que uma vez. Isso irá sobreescrever o log e atrasará a remoção do(s) malware(s)
  • O ComboFix é uma ferramenta que pode danificar o sistema se for usada incorretamente. Use-o apenas sob supervisão de um analista de malwares.
Posted ImageBlog do Ciro Mota - Update em 09/09/2011
Como rotear e abrir portas no modem TelSec TS-9000 para o Velox.
Leia mais em: http://www.ciromota.net/

#7 Rosywata

Rosywata
  • Participante
  • 7 mensagens

Publicado 28 April 2012 - 05:42 PM

Segue log:


ComboFix 12-04-28.01 - Micro 28/04/2012 16:47:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.991.607 [GMT -3:00]
Executando de: c:\documents and settings\Micro\Desktop\ComboFix.exe
AV: avast! antivírus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Criado um novo ponto de restauração
.
ADS - system32: deleted 2 bytes in 1 streams.
ADS - drivers: deleted 220 bytes in 2 streams.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Micro\Dados de aplicativos\PriceGong
c:\documents and settings\Micro\WINDOWS
C:\readme.txt
c:\windows\IsUn0416.exe
c:\windows\system32\acelpdec.ax
c:\windows\system32\ativdaxx.ax
c:\windows\system32\ativmvxx.ax
c:\windows\system32\dshowext.ax
c:\windows\system32\g711codc.ax
c:\windows\system32\iac25_32.ax
c:\windows\system32\ipsink.ax
c:\windows\system32\ir41_32.ax
c:\windows\system32\ivfsrc.ax
c:\windows\system32\ksproxy.ax
c:\windows\system32\kstvtune.ax
c:\windows\system32\kswdmcap.ax
c:\windows\system32\ksxbar.ax
c:\windows\system32\l3codecx.ax
c:\windows\system32\mpeg2data.ax
c:\windows\system32\mpg2splt.ax
c:\windows\system32\mpg4ds32.ax
c:\windows\system32\msadds32.ax
c:\windows\system32\msscds32.ax
c:\windows\system32\P0620Ext.ax
c:\windows\system32\Thumbs.db
c:\windows\system32\vbicodec.ax
c:\windows\system32\vbisurf.ax
c:\windows\system32\vidcap.ax
c:\windows\system32\wiasf.ax
c:\windows\system32\wmv8ds32.ax
c:\windows\system32\wmvds32.ax
c:\windows\system32\wstpager.ax
c:\windows\system32\wstrenderer.ax
c:\windows\systen.exe
D:\AUTORUN.INF
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-03-28 to 2012-04-28 ))))))))))))))))))))))))))))
.
.
2012-04-28 20:11 . 2012-04-28 20:11 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-25 16:01 . 2012-04-25 16:01 388608 ----a-w- C:\HijackThis.exe
2012-04-19 13:54 . 2012-04-19 13:54 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-18 00:36 . 2001-08-17 19:02 2785 ----a-w- c:\windows\system32\drivers\Audsub3.sys
2012-04-18 00:34 . 2012-04-24 21:07 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Panasonic
2012-04-18 00:34 . 2012-04-18 00:34 -------- d-----w- c:\arquivos de programas\Panasonic
2012-04-18 00:34 . 2005-03-07 21:07 36864 ----a-w- c:\windows\system32\sddevmgr.dll
2012-04-18 00:34 . 2012-04-18 00:36 -------- d-----w- c:\windows\system32\sda
2012-04-18 00:34 . 2005-03-07 21:07 40960 ----a-w- c:\windows\system32\sdsrvctl.exe
2012-04-11 16:50 . 2012-04-14 15:57 -------- d-----w- c:\arquivos de programas\Spybot - Search & Destroy
2012-04-11 16:50 . 2012-04-14 15:55 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2012-04-11 13:53 . 2012-04-11 13:53 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Java
2012-04-11 13:19 . 2012-04-11 13:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-11 13:18 . 2012-04-11 13:18 -------- d-----w- c:\arquivos de programas\Java
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll
2012-04-03 22:04 . 2012-04-03 22:05 -------- d-----w- c:\arquivos de programas\OpenXML-ODF Translator
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-19 13:54 . 2012-02-28 18:54 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:18 . 2011-03-10 14:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 18:56 . 2009-10-15 14:37 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-01 10:59 . 2004-08-04 03:45 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-03-01 10:59 . 2004-08-04 03:45 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 10:59 . 2004-08-04 03:45 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-29 14:09 . 2004-08-04 03:45 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:09 . 2004-08-04 03:45 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 03:37 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:57 . 2004-08-04 03:38 1860224 ----a-w- c:\windows\system32\win32k.sys
2011-09-29 07:30 . 2011-10-17 23:09 134104 ----a-w- c:\arquivos de programas\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\arquivos de programas\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurDisc"="c:\arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"Ink Monitor"="c:\arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe" [2004-05-05 262210]
"InCD"="c:\arquivos de programas\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"EPSON Stylus CX4500 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE" [2004-03-03 98304]
"SafeNetCertMngr"="c:\arquivos de programas\SafeNet\Authentication\SAC\x32\SACMonitor.exe" [2010-07-27 1024200]
"HP Software Update"="c:\arquivos de programas\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"SunJavaUpdateSched"="c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe" [2012-01-18 254696]
"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Malwarebytes Anti-Malware (reboot)"="c:\arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
2010-06-10 19:48 332840 ----a-w- c:\arquiv~1\GbPlugin\gbiehAbn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 00:12 3872080 ----a-w- c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Arquivos de programas\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [04/07/2010 20:40 45800]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [23/01/2012 10:35 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [07/04/2009 12:40 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [07/04/2009 12:40 20568]
R2 Audsub3;Audsub3;c:\windows\system32\drivers\Audsub3.sys [17/04/2012 21:36 2785]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [04/07/2010 20:40 55400]
R2 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [20/03/2012 08:14 47616]
R2 SACSrv;SACSrv;c:\arquivos de programas\SafeNet\Authentication\SAC\x32\SACSrv.exe [27/07/2010 18:51 8392]
R3 iKeyEnum;Rainbow iKey Enumerator;c:\windows\system32\drivers\IKEYENUM.SYS [19/12/2011 15:44 11616]
R3 iKeyIFD;Rainbow iKey Virtual Reader;c:\windows\system32\drivers\IKEYIFD.SYS [19/12/2011 15:44 18080]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [28/04/2012 17:11 40776]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [19/04/2012 10:54 253088]
S3 RnbToken;Rainbow iKey Token Service;c:\windows\system32\drivers\RNBTOKEN.SYS [19/12/2011 15:44 21472]
.
--- =Outros Serviços/Drivers Na Memória ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - WS2IFSL
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2012-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-19 13:54]
.
2012-04-27 c:\windows\Tasks\User_Feed_Synchronization-{DE83DA2D-10B9-49A5-B8C1-269996AEAF6E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 07:31]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.terra.com.br/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: bancoreal.com.br\www
Trusted Zone: realsecureweb.com.br\www
Trusted Zone: realsecureweb.com.br\www2
Trusted Zone: realsecureweb.com.br\wwws
Trusted Zone: santander.com.br\www
Trusted Zone: santandernet.com.br\www
Trusted Zone: secureweb.com.br\www
TCP: DhcpNameServer = 201.6.2.79 201.6.2.169
TCP: Interfaces\{D77AB275-F2CB-49E5-92AE-BE8CE2CCBCB4}: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Micro\Dados de aplicativos\Mozilla\Firefox\Profiles\349d0ro5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.terra.com.br/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORFÃOS REMOVIDOS - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-28 17:12
Windows 5.1.2600 Service Pack 3 NTFS
.
Procurando processos ocultos ...
.
Procurando entradas auto inicializáveis ocultas ...
.
Procurando ficheiros/arquivos ocultos ...
.
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): O arquivo já está sendo usado por outro processo.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_USERS\S-1-5-21-1757981266-1275210071-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\arquiv~1\GbPlugin\gbiehAbn.dll
.
- - - - - - - > 'explorer.exe'(592)
c:\windows\system32\WININET.dll
c:\arquiv~1\WINDOW~2\wmpband.dll
c:\arquivos de programas\Scpad\scpLIB.dll
c:\arquivos de programas\Scpad\scpMIB.dll
c:\arquiv~1\GbPlugin\gbiehAbn.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\arquivos de programas\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2012-04-28 17:23:46 - Máquina reiniciou
ComboFix-quarantined-files.txt 2012-04-28 20:23
.
Pré-execução: 2.410.266.624 bytes disponíveis
Pós execução: 2.636.689.408 bytes disponíveis
.
WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9E062BD243F0035C0978EB4638733DD2



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:41:26, on 28/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE
C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACMonitor.exe
C:\Arquivos de programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LGScsiCommandService.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACSrv.exe
C:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastUI.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Micro\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense Banco Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SecurDisc] C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AL.EXE /P26 "EPSON Stylus CX4500 Series" /O6 "USB001" /M "Stylus CX4500"
O4 - HKLM\..\Run: [SafeNetCertMngr] "C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O15 - Trusted Zone: http://www.bancoreal.com.br
O15 - Trusted Zone: http://www.santander.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsec...GbPluginABN.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D77AB275-F2CB-49E5-92AE-BE8CE2CCBCB4}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehAbn.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! antivírus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: LG SCSI command service (LGScsiCommandService) - Mobile Leader Co.,Ltd. - C:\WINDOWS\system32\LGScsiCommandService.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: SACSrv - SafeNet, Inc. - C:\Arquivos de programas\SafeNet\Authentication\SAC\x32\SACSrv.exe

--
End of file - 8806 bytes

#8 ciro-mota

ciro-mota

    Malwares Expert

  • Analista
  • 14996 mensagens

Publicado 29 April 2012 - 05:13 PM

Rosywata,

1)

Baixe o MbrScan.exe e salve no desktop.
http://eric71.geekst...ols/MbrScan.exe

Execute o arquivo MbrScan.exe.

Clique no botão Scan. Ao final do exame clique no botão Report. Abrirá um bloco de notas com o resultado do exame. É salvo no desktop com o nome de MbrScan.log.

*** Usuários do Windows Vista ou Windows 7 clique com o direito sobre o arquivo MbrScan.exe, depois clique em Posted Image.

Selecione, copie e cole o seu conteúdo na próxima resposta.

2)

Faça o download do Farbar Service Scanner, e salve na sua área de trabalho.
http://download.blee.../farbar/FSS.exe

Dê dois cliques no FSS.exe para executá-lo. Marque todas as opções e em seguida clique no botão Scan.

Posted Image


** Usuários do Windows Vista ou Windows 7 clique com o direito sobre o arquivo FSS.exe, depois clique em Posted Image.

Um log ficará salvo na sua área de trabalho, com o nome FSS.txt.

Copie todo o conteúdo desse log e cole na sua próxima resposta.
Posted ImageBlog do Ciro Mota - Update em 09/09/2011
Como rotear e abrir portas no modem TelSec TS-9000 para o Velox.
Leia mais em: http://www.ciromota.net/

#9 Rosywata

Rosywata
  • Participante
  • 7 mensagens

Publicado 01 May 2012 - 08:13 PM

Segue log:


MBRScan v1.1.1

OS : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR : x86 Family 15 Model 4 Stepping 1, GenuineIntel
BOOT : Normal Boot
DATE : 2012/05/01 (ISO 8601) at 20:09:40
________________________________________________________________________________

DISK : Device\Harddisk1\DR3 __EPSON Stylus Storage (1.00)
BUS_TYPE : (0x07) USB
USE_PIO : NO
MAX_TRANSFER : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________

Device\Harddisk0\DR0 37.27 Go [Fixed] ==> XP MBR Code ==> PARTITION TABLE FAKED !!

MBR_MD5 : B35294C52D5777BE4532C562A083BAD0
MBR_SHA1 : A87775A578F4F2E2384810B65FA35E646E2F7C92

Device\Harddisk0\Partition1 19.53 Go 0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2 17.73 Go 0x07 NTFS / HPFS
________________________________________________________________________________

Device\Harddisk1\DR3 125.0 Mo [Removable] ==> Unknown MBR Code

MBR_MD5 : A3781C9945FA0592AFC57A3193A9CA7B
MBR_SHA1 : C1D7CF251ACE15A02D6992C92F41D094E2EA041B

Device\Harddisk1\Partition1 125.0 Mo __ BOOTABLE __
________________________________________________________________________________

############################### Additional scan ################################

DRIVER : C:\WINDOWS\System32\Drivers\dump_atapi.sys => Invisible on the disk
ADDRESS : 0xF3F14000
SIZE : 96.0 Ko

DRIVER : C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS => Invisible on the disk
ADDRESS : 0xF7BEC000
SIZE : 8.0 Ko

SystemStartOptions : NOEXECUTE=OPTIN FASTDETECT

________________________________________________________________________________

_______MBR \Device\Harddisk0\DR0

0x00000000 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C 3À.м.|ûP.P.ü¾.|
0x00000010 BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04 ¿..PW¹å.ó¤Ë½¾.±.
0x00000020 38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5 8n.|.u..Å.âôÍ..õ
0x00000030 83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B .Æ.It.8,tö.µ.´..
0x00000040 F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88 ð¬<.tü»..´.Í.ëò.
0x00000050 4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B N.èF.s*þF..~..t.
0x00000060 80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83 .~..t..¶.uÒ.F...
0x00000070 46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB F...V..è!.s..¶.ë
0x00000080 BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0 ¼.>þ}Uªt..~..tÈ.
0x00000090 B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56 ·.ë©.ü.W.õË¿...V
0x000000A0 00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC .´.Í.r#.Á$?..Þ.ü
0x000000B0 43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56 C÷ã.Ñ.Ö±.ÒîB÷â9V
0x000000C0 0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C .w#r.9F.s.¸..».|
0x000000D0 8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A .N..V.Í.sQOtN2ä.
0x000000E0 56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD V.Í.ëä.V.`»ªU´AÍ
0x000000F0 13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60 .r6.ûUªu0öÁ.t+a`
0x00000100 6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A j.j..v..v.j.h.|j
0x00000110 01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B .j.´B.ôÍ.aas.Ot.
0x00000120 32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 54 61 62 65 2ä.V.Í.ëÖaùÃTabe
0x00000130 6C 61 20 64 65 20 70 61 72 74 69 87 E4 65 73 20 la de parti.äes
0x00000140 69 6E 76 A0 6C 69 64 61 00 45 72 72 6F 20 61 6F inv.lida.Erro ao
0x00000150 20 63 61 72 72 65 67 61 72 20 6F 20 73 69 73 74 carregar o sist
0x00000160 65 6D 61 20 6F 70 65 72 61 63 69 6F 6E 61 6C 00 ema operacional.
0x00000170 53 69 73 74 65 6D 61 20 6F 70 65 72 61 63 69 6F Sistema operacio
0x00000180 6E 61 6C 20 61 75 73 65 6E 74 65 00 00 00 00 00 nal ausente.....
0x00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001B0 00 00 00 00 00 2C 49 70 FF DD FF DD 00 00 80 01 .....,Ip.Ý.Ý....
0x000001C0 01 00 07 FE FF FF 3F 00 00 00 37 16 71 02 00 00 ...þ..?...7.q...
0x000001D0 C1 FF 0F FE FF FF 76 16 71 02 8A 3C 37 02 00 00 Á..þ..v.q..<7...
0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª

_______MBR \Device\Harddisk1\DR3

0x00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 01 ................
0x000001C0 10 00 06 0F 60 F3 2F 00 00 00 D1 E7 03 00 00 00 ....`ó/...Ñç....
0x000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª




Farbar Service Scanner Version: 30-04-2012 01
Ran by Micro (administrator) on 01-05-2012 at 20:10:50
Running from "C:\Documents and Settings\Micro\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-04 00:45] - [2008-04-13 23:20] - 0126976 ____A (Microsoft Corporation) E587EEB3DA2390AE30053EC7EF2AFD92

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 00:45] - [2009-04-20 14:19] - 0045568 ____A (Microsoft Corporation) 2B3EC2EFEFD222EA15A06ED01E722060

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-04 00:45] - [2008-04-13 23:20] - 0331264 ____A (Microsoft Corporation) 0F70B1A8839BD83DB28210B6F11F9058

C:\WINDOWS\system32\netman.dll
[2004-08-04 00:45] - [2008-04-13 23:20] - 0198144 ____A (Microsoft Corporation) B199C4F441DDAB10253ABC0AC4858BFF

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2009-03-09 11:52] - [2008-04-13 23:20] - 0145408 ____A (Microsoft Corporation) 4176F07A724AEC7E4722A2D539EDC0B7

C:\WINDOWS\system32\srsvc.dll
[2009-03-09 11:55] - [2008-04-13 23:20] - 0171520 ____A (Microsoft Corporation) 4423787F4261EE43B7341429AF0CBB77

C:\WINDOWS\system32\Drivers\sr.sys
[2009-03-09 11:55] - [2008-04-13 23:02] - 0073472 ____A (Microsoft Corporation) D6C5A1A97FE0C533E712652AD9DC00D4

C:\WINDOWS\system32\wscsvc.dll
[2004-08-04 00:45] - [2008-04-13 23:20] - 0080896 ____A (Microsoft Corporation) B57E408B8E0758AF6EA4BF37B3ADC91D

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2009-03-09 11:52] - [2008-04-13 23:20] - 0145408 ____A (Microsoft Corporation) 4176F07A724AEC7E4722A2D539EDC0B7

C:\WINDOWS\system32\wuauserv.dll
[2009-03-09 11:55] - [2008-04-13 23:20] - 0006656 ____A (Microsoft Corporation) EB4EA477B7B4959D41B153C6D3CD869B

C:\WINDOWS\system32\qmgr.dll
[2009-03-09 11:55] - [2008-04-13 23:20] - 0409088 ____A (Microsoft Corporation) F0F5EEF8C4B0444E6E4D8E09F7A8F0A8

C:\WINDOWS\system32\es.dll
[2004-08-04 00:45] - [2008-07-07 17:28] - 0253952 ____A (Microsoft Corporation) B024AB8B7692D47C8176BE92AB36D316

C:\WINDOWS\system32\cryptsvc.dll
[2004-08-04 00:45] - [2008-04-13 23:20] - 0062464 ____A (Microsoft Corporation) 554798AAD881736DFC4D08C572DECD7A

C:\WINDOWS\system32\svchost.exe
[2004-08-04 00:45] - [2008-04-13 23:21] - 0014336 ____A (Microsoft Corporation) ED2D69CD4B0EBE37EFE11D4DC4ABC68F

C:\WINDOWS\system32\rpcss.dll
[2004-08-04 00:45] - [2009-02-09 07:53] - 0401408 ____A (Microsoft Corporation) F3763E01E7536F7A6D0C6E392C603EC2

C:\WINDOWS\system32\services.exe
[2004-08-04 00:45] - [2009-02-09 08:25] - 0111104 ____A (Microsoft Corporation) C52DEB6D8CD4B096BF1A9EC001F36507


Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****

#10 ciro-mota

ciro-mota

    Malwares Expert

  • Analista
  • 14996 mensagens

Publicado 02 May 2012 - 04:51 PM

Rosywata,

Trata-se de uma infecção por rootkit..

Em uma infecção por rootkits, não há garantias que o computador volte a ser seguro novamente, após a limpeza.
Rootkits mexem em níveis tão profundos do sistema, abrindo brechas para explorá-las depois, de uma forma que mesmo depois de removido, não há como saber "os buracos" que ficaram pra trás.
Eu posso lhe ajudar a removê-lo, mas eu gostaria que você ficasse ciente de dois detalhes:

1 - A remoção envolve procedimentos complexos, essas coisas podem ser demoradas e às vezes até arriscadas, podendo deixar o sistema operacional instável, ou até mesmo inoperante.

2 - Se você usa o seu computador para acessar sites de bancos ou compras online, a solução mais segura é formatar.

Caso queira formatar, apenas me avise. Se precisar de ajuda para formatar, posso ajudá-la também.

Caso queira prosseguir com a limpeza do sistema, apenas me informe.
Posted ImageBlog do Ciro Mota - Update em 09/09/2011
Como rotear e abrir portas no modem TelSec TS-9000 para o Velox.
Leia mais em: http://www.ciromota.net/
Voltar para Malwares




Tópicos Relacionados Collapse

  Tópico Fórum Criado por Estatísticas Última atualização

Tópicos com palavra-chave: LG service, desinstalação, virus

  1. Forum do BABOO
  2. Segurança e Redes
  3. Malwares
  4. Política de Privacidade
  5. Termos, Condições Gerais e Regras ·




Ganhe $$$ escrevendo tutoriais para nós!