atsui (Senior Member, registered), 178 posts, 1 like

C:\qoobox\.... and CF10764.exe - junk or a virus present? Resolved

#1 By atsui, 26/07/2009 - 13:00
After following some procedures to remove a recent infection: https://www.hardware.com.br/comunidade/conime-exe/994303/

I ran RegClean to clean the junk out of the registry. However, two items caught my attention. I don't know whether they are just leftovers from the infection that was already fixed or whether they are infections.

File or folder not found
HKEY_LOCAL_MACHINE
SOFTWARE\swearware
REG_SZ
SnapShot
C:\qoobox\SnapShot@2009-07-25_19.17.07
C:\qoobox\SnapShot@2009-07-25_19.17.07


File or folder not found (ValueName)
HKEY_USERS
S-1-5-21-3856072156-4015360853-2354893232-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
REG_SZ
C:\Windows\System32\CF10764.exe
Processador de comandos do Windows (Windows Command Processor)
C:\Windows\System32\CF10764.exe

I don't know much about infections, hence the question.

I started another thread because I had already marked the one linked above as resolved.
brando lee (Zerinho, registered), 2.4K posts, 97 likes
#4 By brando lee, 26/07/2009 - 15:49
It's a file that ComboFix removed and moved to that folder, C:\QooBox.

Find the ComboFix report, which is at
C:\Combofix.txt
Open it, copy all of it and paste the report here.
I'll be away from the forum for a while, very busy, more important things to do: "Work".


Removing viruses with Notepad!


atsui (Senior Member, registered), 178 posts, 1 like
#5 By atsui, 26/07/2009 - 15:52
The report:

ComboFix 09-07-24.01 - maria 25/07/2009 16:10.1.2 - NTFSx86
Microsoft® Windows Vista™ Starter 6.0.6002.2.1252.55.1046.18.1519.877 [GMT -3:00]
Running from: c:\users\maria\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2177144668-4221143993-2563808586-500
c:\$recycle.bin\S-1-5-21-227943622-3988473395-2545754987-500
c:\$recycle.bin\S-1-5-21-2910466638-3441421308-3930598225-500
c:\$recycle.bin\S-1-5-21-3856072156-4015360853-2354893232-1001
c:\$recycle.bin\S-1-5-21-3856072156-4015360853-2354893232-1002
c:\$recycle.bin\S-1-5-21-3856072156-4015360853-2354893232-1003
c:\windows\Installer\5a4034.msi

.
(((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 ))))))))))))))))))))))))))))
.

2009-07-25 19:16 . 2009-07-25 19:17 -------- d-----w- c:\users\maria\AppData\Local\temp
2009-07-25 19:16 . 2009-07-25 19:16 -------- d-----w- c:\users\Costela\AppData\Local\temp
2009-07-25 18:42 . 2009-07-25 18:44 -------- d-----w- C:\HiJackThis
2009-07-18 17:48 . 2009-07-18 17:49 -------- d-----w- c:\windows\system32\ca-ES
2009-07-18 17:48 . 2009-07-18 17:49 -------- d-----w- c:\windows\system32\eu-ES
2009-07-18 17:48 . 2009-07-18 17:49 -------- d-----w- c:\windows\system32\vi-VN
2009-07-18 17:34 . 2009-07-18 17:34 -------- d-----w- c:\windows\system32\EventProviders
2009-07-18 17:31 . 2009-04-11 06:28 550400 ----a-w- c:\windows\system32\rpcss.dll
2009-07-18 17:30 . 2009-04-11 06:28 33280 ----a-w- c:\windows\system32\wscapi.dll
2009-07-18 17:29 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-07-18 17:29 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-07-18 17:29 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2009-07-18 16:22 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-18 16:22 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-18 16:22 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-18 16:22 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-18 16:22 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-18 16:22 . 2009-04-11 06:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-07-13 13:29 . 2009-07-13 13:29 -------- d-----w- c:\users\Costela\AppData\Roaming\Apple Computer

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 16:32 . 2006-11-06 01:33 632354 ----a-w- c:\windows\system32\prfh0416.dat
2009-07-25 16:32 . 2006-11-06 01:33 120882 ----a-w- c:\windows\system32\prfc0416.dat
2009-07-25 00:31 . 2009-03-05 17:10 1 ----a-w- c:\users\Costela\AppData\Roaming\BrOffice.org2\user\uno_packages\cache\stamp.sys
2009-07-25 00:31 . 2009-03-05 17:09 -------- d-----w- c:\users\Costela\AppData\Roaming\BrOffice.org2
2009-07-24 22:09 . 2009-02-11 16:50 680 ----a-w- c:\users\Costela\AppData\Local\d3d9caps.dat
2009-07-24 13:24 . 2007-09-10 17:20 80864 ----a-w- c:\users\maria\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-23 15:22 . 2009-02-11 16:50 80864 ----a-w- c:\users\Costela\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-18 17:49 . 2006-11-02 12:33 -------- d-----w- c:\program files\Windows Calendar
2009-07-18 17:49 . 2006-11-02 12:33 -------- d-----w- c:\program files\Windows Sidebar
2009-07-18 17:49 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-18 17:49 . 2006-11-02 12:33 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-18 17:49 . 2006-11-02 12:33 -------- d-----w- c:\program files\Windows Defender
2009-07-18 17:48 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-18 17:41 . 2006-11-02 12:33 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-07-12 18:58 . 2009-06-19 19:23 -------- d-----w- c:\users\Costela\AppData\Roaming\gtk-2.0
2009-07-01 03:16 . 2009-06-20 00:09 18186048 ----a-w- c:\programdata\Yahoo!\YUpdater\msgup900_2162_us_v2.exe
2009-06-22 18:23 . 2009-06-22 18:23 239088 ----a-w- c:\users\maria\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-06-22 18:23 . 2009-06-22 18:23 239088 ----a-w- c:\users\Costela\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-06-08 02:43 . 2009-06-03 14:02 18184984 ----a-w- c:\programdata\Yahoo!\YUpdater\msgup900_2162_us.exe
2009-05-09 05:50 . 2009-06-10 13:35 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-10 13:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-06 23:40 . 2009-05-06 23:40 18189072 ----a-w- c:\programdata\Yahoo!\YUpdater\msgup900_2152_us.exe
2009-07-16 01:08 . 2008-06-19 19:33 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
1999-05-06 01:22 . 2007-04-18 14:03 95698 --sha-r- c:\windows\ConfigSetRoot\COMMAND.COM
1999-05-06 01:22 . 2007-04-18 14:03 222390 --sha-r- c:\windows\ConfigSetRoot\IO.SYS
2005-01-06 13:50 . 2007-04-18 14:03 1642 --sha-r- c:\windows\ConfigSetRoot\MSDOS.SYS
2007-03-26 20:12 . 2007-03-26 20:12 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\maria\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2007-03-09 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDFSTab"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDFSTab"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(b):19,5f,f2,be,d0,07,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3F1D5C0A-5537-4802-A7DF-51B4700B3DA0}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{01DDFE6A-19F2-4E61-8D29-E549E3D9E273}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{5CA7F3F5-CDA3-49E8-A789-67ED17BC6CCB}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{3028B8DC-C720-40F7-B885-29F70514E4A5}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{7319B92A-5051-4CDD-88D1-A4011F4CAE2B}c:\\program files\\counterpath\\x-lite\\x-lite.exe"= UDP:c:\program files\counterpath\x-lite\x-lite.exe:X-Lite
"UDP Query User{8C7F0825-6092-49D4-8D3E-FA68CC82FE6B}c:\\program files\\counterpath\\x-lite\\x-lite.exe"= TCP:c:\program files\counterpath\x-lite\x-lite.exe:X-Lite
"{618BEA01-9323-4BA6-9504-76E78A59482A}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{52F27253-3358-4B1B-9D60-4B91DA4F453F}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{3872A737-F95B-488D-94F8-EE2BAF72977B}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{6E368664-C563-4064-8B9D-0B1DBC03811E}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{0F11317F-CC0E-403B-BFD9-A52E1ADCF782}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{1AE0CB62-9C49-4AFC-88E7-64057E6CFE5E}"= UDP:c:\program files\Microsoft LifeCam\LifeEnC2.exe:LifeEnC2.exe
"{0B5B4390-2F23-4005-85EA-D20144257219}"= TCP:c:\program files\Microsoft LifeCam\LifeEnC2.exe:LifeEnC2.exe
"{49B180D9-FF8E-455E-8EE5-81724023C94D}"= UDP:c:\program files\Microsoft LifeCam\LifeTray.exe:LifeTray.exe
"{2E1A5F3B-C431-40A0-A997-CA99F94183E9}"= TCP:c:\program files\Microsoft LifeCam\LifeTray.exe:LifeTray.exe
"{77BF199A-C999-4E62-B7B4-C3AA1F6C852D}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{8FF79275-36C0-4C52-8327-F3BB9DF081E2}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/04/2009 12:03 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [06/02/2008 13:10 1153368]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [02/11/2006 07:25 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3856072156-4015360853-2354893232-1000Core.job
- c:\users\maria\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-20 18:54]

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3856072156-4015360853-2354893232-1000UA.job
- c:\users\maria\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-20 18:54]

2009-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3856072156-4015360853-2354893232-1003.job
- c:\users\Costela\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-26 21:08]

2009-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3856072156-4015360853-2354893232-1006Core.job
- c:\users\Costela\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-26 21:08]

2009-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3856072156-4015360853-2354893232-1006UA.job
- c:\users\Costela\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-26 21:08]

2009-07-25 c:\windows\Tasks\User_Feed_Synchronization-{BEF244A7-8545-415D-9739-5D39DB7301BA}.job
- c:\windows\system32\msfeedssync.exe [2009-05-01 11:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-eyeBeam SIP Client - (no file)


.
------- Supplementary Scan -------
.
IE: Open with Wordperfect
TCP: {923BA165-646D-4C89-9DC7-BB18EDC733AE} = 200.219.150.4,200.219.150.5
DPF: {D87BE747-157C-49BD-A392-A68B75A54947} - hxxp://www.plugfone.com.br/webfone/iaxWebPhone.CAB
FF - ProfilePath - c:\users\maria\AppData\Roaming\Mozilla\Firefox\Profiles\bbqb5376.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/firefox
FF - plugin: c:\users\maria\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\maria\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
.
------- File Associations -------
.
txtfile=Notepad.exe "%1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 16:17
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-25 16:20
ComboFix-quarantined-files.txt 2009-07-25 19:20

Pre-Run: 31.680.110.592 bytes free
Post-Run: 35.639.287.808 bytes free

232 --- E O F --- 2009-07-24 13:26

I downloaded a video from YouTube and conime.exe showed up again in the Task Manager process list.

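The "Registry Load Points" section of the log above is the part a reviewer reads first, because it lists what starts automatically and where from. The Python below is an added example for this thread (not ComboFix's code and not something the posters ran) that parses that section and applies a small triage policy. The sample lines are copied from the log above with the forum's line-wrapping spaces removed; what gets flagged is this example's own policy, not a ComboFix verdict. It picks out the three things worth a second look in this log: the orphaned eyeBeam entry (a Run value whose target is gone), the bare `SOUNDMAN.EXE` value (resolved through the search path rather than by full path), and the Google Update entry under a user-writable profile directory.

```python
"""Triage pass over the 'Registry Load Points' section of a ComboFix log.

Added example for this thread; not ComboFix's code and not code the posters
ran. The sample lines are copied from the log above with the forum's
line-wrapping spaces removed. What triage() flags is this example's policy
(an assumption), not a ComboFix verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the Run keys and the orphan list from the log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\maria\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2007-03-09 598016]

- - - - ORPHANS REMOVED - - - -

HKCU-Run-eyeBeam SIP Client - (no file)
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# "name"="value" [date size]   or   "name"="bare.exe" - resolved\path [date size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r"(?: - (?P<resolved>.+?))?"
    r" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
ORPHAN_RE = re.compile(r"^(?P<key>HK\w+-\w+)-(?P<name>.+?) - \(no file\)$")

# Directories a standard user cannot write to (assumption for this example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class LoadPoint:
    key: str        # registry key (or the short HKCU-Run form ComboFix uses for orphans)
    name: str       # value name
    value: str      # string stored in the registry
    path: str       # file ComboFix resolved it to (same as value when already a full path)
    size: int
    date: str
    present: bool   # False for "(no file)" orphans


def parse_load_points(text: str) -> list[LoadPoint]:
    """Turn the REGEDIT4-style listing into LoadPoint records, in log order."""
    points: list[LoadPoint] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m.group("key")
        elif m := ENTRY_RE.match(line):
            value = m.group("value")
            points.append(LoadPoint(
                key=current_key, name=m.group("name"), value=value,
                path=m.group("resolved") or value,
                size=int(m.group("size")), date=m.group("date"), present=True))
        elif m := ORPHAN_RE.match(line):
            points.append(LoadPoint(
                key=m.group("key"), name=m.group("name"), value="", path="",
                size=0, date="", present=False))
    return points


def triage(points: list[LoadPoint]) -> list[tuple[str, LoadPoint]]:
    """Return (reason, entry) pairs a reviewer should look at.

    Policy (this example's assumption):
      orphan        - value whose target file is gone (leftover of a removal)
      bare-name     - value with no directory; Windows locates it via the search
                      path, so a same-named file earlier in that path would run
      user-writable - target outside Windows/Program Files, e.g. under a profile
    """
    findings = []
    for p in points:
        if not p.present:
            findings.append(("orphan", p))
        elif "\\" not in p.value:
            findings.append(("bare-name", p))
        elif not p.path.lower().startswith(TRUSTED_ROOTS):
            findings.append(("user-writable", p))
    return findings


if __name__ == "__main__":
    for reason, p in triage(parse_load_points(SAMPLE_LOG)):
        print(f"{reason:14} {p.name!r:24} {p.path or '(no file)'}")
```

A flag is a prompt to look, not a verdict: Google Update legitimately installs per-user under AppData, and SoundMan is a common OEM audio tray applet. The point of the bare-name check is that the registry stores no directory for it, so the reviewer has to confirm which file the search path actually resolves to, which is what ComboFix's `- c:\windows\SOUNDMAN.EXE` annotation shows.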

brando lee (Zerinho, registered), 2.4K posts, 97 likes
#6 By brando lee, 26/07/2009 - 16:02
OK, now we'll find out what that Conime.exe file is.

***************************************************

Let's analyze a file on VirusTotal

1) Do the following: copy this path, which is in the quote:
c:\users\Costela\AppData\Roaming\BrOffice.org2\user\uno_packages\cache\stamp.sys
2) Now go to this site, www.virustotal.com; once it opens, click the ((file)) button and a window will open; paste the path into that window and click ((open)), then click the ((send file)) button


Wait; the file will be checked by several antivirus engines. When it finishes, post the link to the results page here.

*****************************************

1) *Download ((SystemLook)) and save it to the desktop
http://jpshortstuff.247fixes.com/SystemLook.exe

*Select and copy (Ctrl+C) the code below:
:File
c:\windows\system32\drvstore.dll
c:\windows\system32\atmfd.dll
c:\windows\system32\t2embed.dll
c:\windows\system32\lpk.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\atmlib.dll
c:\windows\system32\conime.exe
2) *Double-click (SystemLook.exe)

3) *Paste (Ctrl+V) the code into the blank space
*Click [Look]

4) *A log will open automatically; copy all of it and paste the report here on the forum.




atsui (Senior Member, registered), 178 posts, 1 like
#7 By atsui, 26/07/2009 - 16:20
I did what you asked:

The VirusTotal link: http://www.virustotal.com/pt/reanalisis.html?6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b-1248635760

The SystemLook log:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 16:15 on 26/07/2009 by maria (Administrator - Elevation successful)

========== File ==========

c:\windows\system32\drvstore.dll - File found and opened.
MD5: 6A7908973D49248E4018E8E61B3DCDAA
Created at 17:29 on 18/07/2009
Modified at 06:28 on 11/04/2009
Size: 247808 bytes
Attributes: --a---
FileDescription: Offline Driver Store APIs
FileVersion: 6.0.6002.18005 (lh_sp2rtm.090410-1830)
ProductVersion: 6.0.6002.18005
OriginalFilename: Drvstore.DLL
InternalName: Drvstore.dll
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\system32\atmfd.dll - File found and opened.
MD5: 0A4F65D5C519D761F6FA77215B1242CF
Created at 16:22 on 18/07/2009
Modified at 12:42 on 15/06/2009
Size: 289792 bytes
Attributes: --a---
FileDescription: Windows NT OpenType/Type 1 Font Driver
FileVersion: 5.1 Build 227
ProductVersion: 5.1 Build 227
OriginalFilename: ATMFD.DLL
InternalName: ATMFD
ProductName: Adobe Type Manager
CompanyName: Adobe Systems Incorporated
LegalCopyright: ©1983-1990, 1993-2004 Adobe Systems Inc.

c:\windows\system32\t2embed.dll - File found and opened.
MD5: 4FE5E38E617F8204C157EF3FC82EE6F2
Created at 16:22 on 18/07/2009
Modified at 14:53 on 15/06/2009
Size: 156672 bytes
Attributes: --a---
FileDescription: Microsoft T2Embed Font Embedding
FileVersion: 6.0.6002.18051 (vistasp2_gdr.090615-0258)
ProductVersion: 6.0.6002.18051
OriginalFilename: T2EMBED.DLL
InternalName: T2EMBED.DLL
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\system32\lpk.dll - File found and opened.
MD5: EB0E02749CE5C488741C9A0ABEAB5DEC
Created at 16:22 on 18/07/2009
Modified at 14:52 on 15/06/2009
Size: 23552 bytes
Attributes: --a---
FileDescription: Language Pack
FileVersion: 6.0.6002.18051 (vistasp2_gdr.090615-0258)
ProductVersion: 6.0.6002.18051
OriginalFilename: LanguagePack
InternalName: LanguagePack
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\system32\fontsub.dll - File found and opened.
MD5: 0EC08262A40886DBD56D2E3CC25CB5F7
Created at 16:22 on 18/07/2009
Modified at 14:52 on 15/06/2009
Size: 72704 bytes
Attributes: --a---
FileDescription: Font Subsetting DLL
FileVersion: 6.0.6002.18051 (vistasp2_gdr.090615-0258)
ProductVersion: 6.0.6002.18051
OriginalFilename: fontsub
InternalName: fontsub
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\system32\atmlib.dll - File found and opened.
MD5: FB69A3E9AAD1EF99E5DCF6DEF8F3B821
Created at 16:22 on 18/07/2009
Modified at 06:28 on 11/04/2009
Size: 34304 bytes
Attributes: --a---
FileDescription: Windows NT OpenType/Type 1 API Library.
FileVersion: 5.1 Build 227
ProductVersion: 5.1 Build 227
OriginalFilename: ATMLIB.DLL
InternalName: ATMLIB
ProductName: Adobe Type Manager
CompanyName: Adobe Systems
LegalCopyright: ©1983-1990, 1993-2004 Adobe Systems Inc.

c:\windows\system32\conime.exe - File found and opened.
MD5: 6080A176D09435FC8E6E800996656E18
Created at 17:31 on 18/07/2009
Modified at 06:27 on 11/04/2009
Size: 69120 bytes
Attributes: --a---
FileDescription: Console IME
FileVersion: 6.0.6002.18005 (lh_sp2rtm.090410-1830)
ProductVersion: 6.0.6002.18005
OriginalFilename: CONIME.EXE
InternalName: Console
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-=End Of File=-

I noticed that after logging out of the user account and logging into the admin account, the conime.exe process no longer showed up in Task Manager.
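The SystemLook records above are what the next reply's verdict rests on, so it is worth being precise about what they prove. FileDescription, CompanyName and the other strings come from the file's own version resource; any file can carry the text "Microsoft Corporation", so those strings are only a consistency check. What actually ties `conime.exe` to a known build is the MD5 compared against a trusted reference. The Python below is an added example for this thread (not SystemLook's code and not something the posters ran): it parses the `File` section of a SystemLook log and hangs the verdict on the hash. The conime.exe and lpk.dll records are copied from the log above; the atmlib.dll record is copied but its MD5 replaced with zeros to exercise the mismatch path; the CF10764.exe record is constructed (SystemLook's exact wording for a missing file is assumed here, and the parser only requires that it differ from "File found and opened."). The `EXPECTED` table is filled from the same log for the sake of the example; in practice it would come from a known-clean installation of the same build, which is an assumption.

```python
"""Parse the File section of a SystemLook log and check each record.

Added example for this thread; not SystemLook's code and not code the posters
ran. conime.exe and lpk.dll records are copied from the log above. The
atmlib.dll record has its MD5 replaced with zeros and the CF10764.exe record
is constructed, both to exercise the failure paths. EXPECTED stands in for a
trusted reference set (assumption: hashes from a known-clean install).
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
========== File ==========

c:\windows\system32\conime.exe - File found and opened.
MD5: 6080A176D09435FC8E6E800996656E18
Created at 17:31 on 18/07/2009
Modified at 06:27 on 11/04/2009
Size: 69120 bytes
Attributes: --a---
FileDescription: Console IME
FileVersion: 6.0.6002.18005 (lh_sp2rtm.090410-1830)
CompanyName: Microsoft Corporation

c:\windows\system32\lpk.dll - File found and opened.
MD5: EB0E02749CE5C488741C9A0ABEAB5DEC
Size: 23552 bytes
FileDescription: Language Pack
CompanyName: Microsoft Corporation

c:\windows\system32\atmlib.dll - File found and opened.
MD5: 00000000000000000000000000000000
Size: 34304 bytes
FileDescription: Windows NT OpenType/Type 1 API Library.
CompanyName: Adobe Systems

c:\windows\system32\CF10764.exe - Unable to find/open file.

-=End Of File=-
"""

# Reference (MD5, CompanyName) per lower-cased path. Filled from the log above
# for this example; a real reference comes from a trusted source, not the host.
EXPECTED: Dict[str, Tuple[str, str]] = {
    r"c:\windows\system32\conime.exe": ("6080A176D09435FC8E6E800996656E18", "Microsoft Corporation"),
    r"c:\windows\system32\lpk.dll":    ("EB0E02749CE5C488741C9A0ABEAB5DEC", "Microsoft Corporation"),
    r"c:\windows\system32\atmlib.dll": ("FB69A3E9AAD1EF99E5DCF6DEF8F3B821", "Adobe Systems"),
}

# "<drive>:\path - <status>" opens a record; "Key: value" lines belong to it.
HEADER_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - (?P<status>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9]+): (?P<val>.*)$")
FOUND = "File found and opened."


def parse_systemlook(text: str) -> List[dict]:
    """Return one dict per file record: path, found, plus every 'Key: value' field.

    'Created at ...' / 'Modified at ...' lines have no 'Key:' prefix and are skipped.
    """
    records: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := HEADER_RE.match(line):
            current = {"path": m.group("path"), "found": m.group("status") == FOUND}
            records.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group("key")] = m.group("val")
    return records


def check_records(records: List[dict], expected: Dict[str, Tuple[str, str]] = EXPECTED) -> Dict[str, str]:
    """Map each path to a verdict.

    'ok' requires the file to exist and its MD5 to match the reference; the
    CompanyName string is checked afterwards only as a consistency signal,
    because version-resource strings are data inside the file and prove nothing.
    """
    verdicts: Dict[str, str] = {}
    for r in records:
        path = r["path"].lower()
        ref = expected.get(path)
        if not r["found"]:
            verdicts[path] = "missing"
        elif ref is None:
            verdicts[path] = "no-reference"
        elif r.get("MD5", "").upper() != ref[0]:
            verdicts[path] = "hash-mismatch"
        elif r.get("CompanyName") != ref[1]:
            verdicts[path] = "metadata-mismatch"
        else:
            verdicts[path] = "ok"
    return verdicts


if __name__ == "__main__":
    for path, verdict in check_records(parse_systemlook(SAMPLE_LOG)).items():
        print(f"{verdict:18} {path}")
```

A "missing" verdict is what a stale reference such as the MuiCache entry for `CF10764.exe` in the first post would produce: nothing can be said about a file that is no longer on disk except that something once ran from that path. On a live Windows host the stronger check than a hash table is the Authenticode signature (PowerShell's `Get-AuthenticodeSignature`, or Sysinternals sigcheck), which does not depend on having a reference hash for every build.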
brando lee (Zerinho, registered), 2.4K posts, 97 likes
#8 By brando lee, 26/07/2009 - 16:25
This file belongs to Windows Vista, from Microsoft.

See:
c:\windows\system32\conime.exe - File found and opened.
MD5: 6080A176D09435FC8E6E800996656E18
Created at 17:31 on 18/07/2009
Modified at 06:27 on 11/04/2009
Size: 69120 bytes
Attributes: --a---
FileDescription: Console IME
FileVersion: 6.0.6002.18005 (lh_sp2rtm.090410-1830)
ProductVersion: 6.0.6002.18005
OriginalFilename: CONIME.EXE
InternalName: Console
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.
The log is clean. Delete the C:\QooBox folder,
and also delete the SystemLook program.


That's it, cheers.


© 1999-2025 Hardware.com.br. All rights reserved.