
[HiJackThis] Log Analysis.

#1 By felipestoker 13/06/2010 - 00:47
Hello, could you analyze my log?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 00:45:47, on 13/6/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Intel\Wireless\Bin\WLKeeper.exe
C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\HelperBDN.exe
C:\Arquivos de programas\uTorrent\uTorrent.exe
C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\avgnt2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\TweetDeck\TweetDeck.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Documents and Settings\Administrador\Meus documentos\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 204.3.140.72 www.bancoreal.com.br
O1 - Hosts: 204.3.140.72 real.com.br
O1 - Hosts: 204.3.140.72|E!QK$xPn3@dS}$LL<H
O1 - Hosts: 204.3.140.72 www.itau.com.br
O1 - Hosts: 204.3.140.72 itau.com.br
O1 - Hosts: 204.3.140.72 www.itaupersonnalite.com.br
O1 - Hosts: 204.3.140.72 www.itauprivatebank.com.br
O1 - Hosts: 204.3.140.72 itauprivatebank.com.br
O1 - Hosts: 204.3.140.72 www.bb.com.br
O1 - Hosts: 204.3.140.72 bb.com.br
O1 - Hosts: 204.3.140.72 www.bb.gov.br
O1 - Hosts: 204.3.140.72 bb.gov.br
O1 - Hosts: 204.3.140.72 bradesco.com.br
O1 - Hosts: 204.3.140.72 www.bradesco.com.br
O1 - Hosts: 204.3.140.72 www.bradescoprime.com.br
O1 - Hosts: 204.3.140.72 bradescoprime.com.br
O1 - Hosts: 204.3.140.72 bradescojuridico.com.br
O1 - Hosts: 204.3.140.72 www.checktudo.com.br
O1 - Hosts: 204.3.140.72 checktudo.com.br
O1 - Hosts: 204.3.140.72 www.infoseg.gov.br
O1 - Hosts: 204.3.140.72 infoseg.gov.br
O1 - Hosts: 204.3.140.72 www.bradescojuridico.com.br
O1 - Hosts: 204.3.140.72 santander.com.br
O1 - Hosts: 204.3.140.72 www.santander.com.br
O1 - Hosts: 204.3.140.72 www.unibanco.com.br
O1 - Hosts: 204.3.140.72 unibanco.com.br
O1 - Hosts: 204.3.140.72 www.itauprivatebank.com.br
O1 - Hosts: 204.3.140.72 itauprivatebank.com.br
O1 - Hosts: 204.3.140.72 www.americanexpress.com.br
O1 - Hosts: 204.3.140.72 cetelem.com.br
O1 - Hosts: 204.3.140.72 www.cetelem.com.br
O1 - Hosts: 204.3.140.72 itauuniclass.com.br
O1 - Hosts: 204.3.140.72 www.itauuniclass.com.br
O1 - Hosts: 204.3.140.72 americanexpress.com.br
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HelperBDN] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\HelperBDN.exe
O4 - HKCU\..\Run: [Avira ] "C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\avgnt2.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34D47439-2533-4686-8B32-2945D827EDDD}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Serviço do Bonjour (Bonjour Service) - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccess - Unknown owner - C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 9599 bytes
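Triage of the O1 and O4 entries in the log above, as an added example (this is not part of the original post and not a HijackThis feature). The sample lines are copied from the log; the "anything not loopback is a redirect" rule and the Temp-directory heuristic for autoruns are my own assumptions.

```python
"""Triage helper for HijackThis log lines (added example, not a HijackThis tool).

Two of the signals visible in the log above are mechanical to check:
  * O1 "Hosts:" entries that send a name somewhere other than loopback
    (here, a whole list of bank domains to one external IP), and
  * O4 Run/RunOnce entries whose command lives in a Temp directory.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample made of lines taken from the HijackThis log above,
# plus two benign lines (localhost, CTFMON) for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 204.3.140.72 www.bancoreal.com.br
O1 - Hosts: 204.3.140.72 itau.com.br
O1 - Hosts: 204.3.140.72|E!QK$xPn3@dS}$LL<H
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [HelperBDN] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\HelperBDN.exe
O4 - HKCU\..\Run: [Avira ] "C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\avgnt2.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O23 - Service: NMSAccess - Unknown owner - C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe
"""


@dataclass
class Finding:
    kind: str    # "hosts_redirect", "hosts_malformed" or "temp_autorun"
    detail: str  # what was matched
    line: str    # the original log line


# O1 - Hosts: <ip> <name>
HOSTS_RE = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(\S+)\s*$")
# O4 - <hive>\..\Run|RunOnce: [<name>] <command>
RUN_RE = re.compile(r"^O4 - (.+?)\\\.\.\\(Run\w*):\s*\[([^\]]*)\]\s*(.*)$")
# Assumed heuristic: any autorun whose command path passes through a \Temp\ folder
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def is_loopback(ip: str) -> bool:
    """Only loopback/null targets are normal in a hosts file."""
    return ip.startswith("127.") or ip in ("::1", "0.0.0.0")


def triage(log_text: str) -> list:
    """Return the suspicious O1/O4 entries found in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O1 - Hosts:"):
            m = HOSTS_RE.match(line)
            if not m:
                # Not "<ip> <name>" at all: junk left behind by whatever wrote the file
                findings.append(Finding("hosts_malformed",
                                        line[len("O1 - Hosts:"):].strip(), line))
            elif not is_loopback(m.group(1)):
                findings.append(Finding("hosts_redirect",
                                        f"{m.group(2)} -> {m.group(1)}", line))
        elif line.startswith("O4 - "):
            m = RUN_RE.match(line)
            if m and TEMP_RE.search(m.group(4)):
                findings.append(Finding("temp_autorun",
                                        f"[{m.group(3)}] {m.group(4)}", line))
    return findings


def hosts_targets(findings) -> dict:
    """Group redirected names by destination IP: one IP collecting many bank
    domains is the classic pharming pattern seen in the log above."""
    by_ip = defaultdict(list)
    for f in findings:
        if f.kind == "hosts_redirect":
            name, ip = f.detail.split(" -> ")
            by_ip[ip].append(name)
    return dict(by_ip)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:16} {f.detail}")
    for ip, names in hosts_targets(found).items():
        print(f"{ip}: {len(names)} name(s) redirected")
```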
#3 By igoreso
13/06/2010 - 14:57
-- STEP 1 --

Download Malwarebytes' Anti-Malware
http://www.besttechie.net/tools/mbam-setup.exe
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
Install it by double-clicking "mbam-setup.exe";
Check "Update Malwarebytes Anti-Malware" and "Run Malwarebytes Anti-Malware", and click Finish;
Select "Full Scan" and then click Scan;
When the scan finishes, click OK and then "Show Results" to see the log;
If anything is detected, make sure everything is checked and click "Remove";
The log is saved automatically and can be viewed by clicking "Logs" in the main menu;
Copy and paste the whole report in your next reply.

-- STEP 2 --
Download DDS and save it to the desktop.
Remember that if you are running Windows Vista or 7 you need to give the tool administrator privileges; to do so:
Right-click the file and then click
[image]
Run it from the computer's administrator account, and with administrator permission (in the case of Windows Vista and 7).
Temporarily disable your protection programs (antivirus and anti-spyware).
Double-click dds.scr.
A black screen with some information will appear. Don't click anything, just wait!
When it finishes, two windows will open: DDS.txt and Attach.txt.
Save the results and paste them in your reply.
I don't answer questions by PM, e-mail or MSN! Use the forum!

#4 By felipestoker
15/06/2010 - 23:06
Hello, thank you very much for the help.

I did what was asked; the logs follow below:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versão da Base de Dados: 4202

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

15/6/2010 21:48:48
mbam-log-2010-06-15 (21-48-48).txt

Tipo de Verificação: Verificação Completa (C:\|D:\|)
Objetos escaneados: 220676
Tempo decorrido: 1 hora(s), 10 minuto(s), 59 segundo(s)

Processos de Memória Infectados: 0
Módulos de Memória Infectados: 0
Chaves de Registro Infectadas: 3
Valores de Registro Infectados: 1
Itens de Dados no Registro Infectados: 0
Pastas Infectadas: 1
Arquivos Infectados: 4

Processos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-00we-aax5-77ef1d187563} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\m1RC (IRCBot.Trace.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Cl4sses (IRCBot.Trace) -> Quarantined and deleted successfully.

Valores de Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Itens de Dados no Registro Infectados:
(Não foram detectados ítens maliciosos)

Pastas Infectadas:
C:\RESTORE\k-1-3542-4232123213-7676767-8888886 (Trojan.Agent) -> Delete on reboot.

Arquivos Infectados:
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Maq.exe (Generic.Bot.H) -> Delete on reboot.
C:\Documents and Settings\Administrador\Configurações locais\Temp\AZIP32.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrador\Configurações locais\Temp\ki.exe (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrador at 23:03:58,09 on ter 15/06/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2038.1118 [GMT -3:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Arquivos de programas\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com.br/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.compartilhando.org/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie_rsearch.html
uURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\arquivos de programas\soluto\soluto.exe /userinit,
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\arquivos de programas\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [avast5] c:\arquiv~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\arquivos de programas\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\arquivos de programas\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MsnMsgr] "c:\arquivos de programas\msn messenger\MsnMsgr.Exe" /background
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: &Download by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/202
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\arquivos de programas\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {34D47439-2533-4686-8B32-2945D827EDDD} = 8.8.8.8,8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {67KLN5J0-4OPM-00WE-AAX5-77EF1D187563} - c:\restore\k-1-3542-4232123213-7676767-8888886\Maq.exe
Hosts: 204.3.140.72 www.bancoreal.com.br
Hosts: 204.3.140.72 real.com.br
Hosts: 204.3.140.72|E!QK$xPn3@dS}$LL<H
Hosts: 204.3.140.72 www.itau.com.br
Hosts: 204.3.140.72 itau.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-15 164048]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-15 19024]
R2 avast! Antivirus;avast! Antivirus;c:\arquivos de programas\alwil software\avast5\AvastSvc.exe [2010-6-15 40384]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\arquivos de programas\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-3-26 90112]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-3-26 27632]
S2 clr_optimization_v4.0.30128_32;Microsoft .NET Framework NGEN v4.0.30128_X86;c:\windows\microsoft.net\framework\v4.0.30128\mscorsvw.exe [2010-1-28 130384]
S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\google\update\GoogleUpdate.exe [2010-5-16 136176]
S2 wzmmvez;Config System;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\arquivos de programas\alwil software\avast5\AvastSvc.exe [2010-6-15 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\arquivos de programas\alwil software\avast5\AvastSvc.exe [2010-6-15 40384]
S3 Nbdrv;NetBalancer Service;c:\windows\system32\drivers\nbdrv.sys --> c:\windows\system32\drivers\nbdrv.sys [?]
S3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\drivers\s3117bus.sys [2010-3-26 90408]
S3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\drivers\s3117mdfl.sys [2010-3-26 15016]
S3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\drivers\s3117mdm.sys [2010-3-26 122024]
S3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3117mgmt.sys [2010-3-26 115368]
S3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\drivers\s3117nd5.sys [2010-3-26 25768]
S3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\drivers\s3117obex.sys [2010-3-26 111784]
S3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\drivers\s3117unic.sys [2010-3-26 117544]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30128\wpf\WPFFontCache_v0400.exe [2010-1-28 738656]

=============== Created Last 30 ================

2010-06-16 00:49:00 54016 ----a-w- c:\windows\system32\drivers\fgjvql.sys
2010-06-15 23:36:32 0 d-----w- c:\docume~1\admini~1\dadosd~1\Malwarebytes
2010-06-15 23:36:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-15 23:36:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 23:36:19 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Malwarebytes
2010-06-15 23:36:19 0 d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2010-06-15 03:46:27 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Alwil Software
2010-06-15 03:04:22 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Last.fm
2010-06-15 03:03:39 0 d-----w- c:\arquivos de programas\Last.fm
2010-06-13 22:30:42 0 d-----w- c:\documents and settings\all users\Soluto
2010-06-13 22:30:26 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Soluto
2010-06-11 04:00:31 0 d-----w- c:\docume~1\admini~1\dadosd~1\Hunspell
2010-06-09 00:36:31 0 d-----w- c:\arquivos de programas\TweetDeck
2010-06-06 16:10:38 0 d-----w- c:\docume~1\admini~1\dadosd~1\SeriousBit
2010-06-06 16:10:10 0 d-----w- C:\SeriousBit
2010-06-06 16:09:29 0 d-----w- c:\arquivos de programas\NetBalancer
2010-05-30 22:58:00 0 d-----w- c:\documents and settings\all users\AdobeTemp
2010-05-30 22:20:15 0 d-----w- c:\arquivos de programas\CCleaner
2010-05-26 08:54:17 0 d-----w- c:\arquivos de programas\4shared.com
2010-05-23 22:16:21 0 d-----w- c:\docume~1\admini~1\dadosd~1\GetRightToGo
2010-05-23 22:08:44 55808 ----a-w- c:\windows\system\zlib1.dll
2010-05-23 22:08:33 48128 ----a-w- c:\windows\system\WNASPI32.DLL
2010-05-22 19:16:50 0 d-----w- C:\Archivos de Programa

==================== Find3M ====================

2010-06-14 15:28:30 91836 ----a-w- c:\windows\system32\perfc016.dat
2010-06-14 15:28:30 521776 ----a-w- c:\windows\system32\perfh016.dat
2010-06-02 16:41:54 365864 ----a-w- c:\windows\fonts\calibriz.ttf
2010-06-02 16:41:54 362524 ----a-w- c:\windows\fonts\calibrii.ttf
2010-06-02 16:41:54 352736 ----a-w- c:\windows\fonts\calibri.ttf
2010-06-02 16:41:54 351544 ----a-w- c:\windows\fonts\calibrib.ttf
2010-05-16 05:36:02 203800 ----a-w- c:\windows\fonts\pulse-sans.ttf
2010-05-16 05:34:56 123396 ----a-w- c:\windows\fonts\hawaii-killer.ttf
2010-05-16 05:34:52 560200 ----a-w- c:\windows\fonts\karabine.ttf
2010-05-10 00:02:31 38664 ----a-w- c:\windows\fonts\TradeGothic.ttf
2010-04-29 18:47:18 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-19 00:17:47 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-27 02:23:57 148736 ----a-w- c:\docume~1\alluse~1\dadosd~1\hpe1F1.dll
2010-03-24 23:23:05 21393 ----a-w- c:\windows\AegisP.sys
2010-03-24 03:41:43 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-03-24 03:41:43 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-03-24 01:03:41 21844 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:04:14,98 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 23/3/2010 22:10:06
System Uptime: 15/6/2010 20:30:43 (3 hours ago)

Motherboard: Dell Inc. | | 0NX907
Processor: Processador Intel Pentium II | Microprocessor | 1862/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 1,997 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 2,111 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1395 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&AB208E&0&00E1
Manufacturer: Broadcom
Name: Dell Wireless 1395 WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&AB208E&0&00E1
Service: BCM43XX

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Adaptador de rede 1394
Device ID: V1394\NIC1394\32E82DC1434FC000
Manufacturer: Microsoft
Name: Adaptador de rede 1394
PNP Device ID: V1394\NIC1394\32E82DC1434FC000
Service: NIC1394

==== System Restore Points ===================

RP59: 23/5/2010 19:17:53 - Removed WinZip 14.5
RP60: 24/5/2010 19:42:12 - Ponto de verificação do sistema
RP61: 25/5/2010 20:36:40 - Ponto de verificação do sistema
RP62: 27/5/2010 02:27:19 - Ponto de verificação do sistema
RP63: 28/5/2010 03:25:17 - Ponto de verificação do sistema
RP64: 29/5/2010 04:14:42 - Ponto de verificação do sistema
RP65: 30/5/2010 05:06:13 - Ponto de verificação do sistema
RP66: 30/5/2010 20:08:48 - Removido Apple Mobile Device Support
RP67: 1/6/2010 00:21:01 - Ponto de verificação do sistema
RP68: 2/6/2010 00:26:21 - Ponto de verificação do sistema
RP69: 3/6/2010 19:30:07 - Ponto de verificação do sistema
RP70: 5/6/2010 18:54:59 - Ponto de verificação do sistema
RP71: 6/6/2010 13:09:40 - System Restore Point created by NetBalancer Setup
RP72: 9/6/2010 02:53:59 - Ponto de verificação do sistema
RP73: 10/6/2010 02:59:11 - Ponto de verificação do sistema
RP74: 11/6/2010 03:59:11 - Ponto de verificação do sistema
RP75: 12/6/2010 04:54:57 - Ponto de verificação do sistema
RP76: 13/6/2010 05:15:26 - Ponto de verificação do sistema
RP77: 14/6/2010 06:15:25 - Ponto de verificação do sistema
RP78: 14/6/2010 23:07:12 - Removed Opera 10.53.
RP79: 14/6/2010 23:08:11 - Removed Soluto
RP80: 14/6/2010 23:13:42 - Removed Python 3.1.2
RP81: 15/6/2010 00:46:27 - avast! Free Antivirus Setup

==== Hosts File Hijack ======================

Hosts: 204.3.140.72 www.bancoreal.com.br
Hosts: 204.3.140.72 real.com.br
Hosts: 204.3.140.72|E!QK$xPn3@dS}$LL<H
Hosts: 204.3.140.72 www.itau.com.br
Hosts: 204.3.140.72 itau.com.br
Hosts: 204.3.140.72 www.itaupersonnalite.com.br
Hosts: 204.3.140.72 www.itauprivatebank.com.br
Hosts: 204.3.140.72 itauprivatebank.com.br
Hosts: 204.3.140.72 www.bb.com.br
Hosts: 204.3.140.72 bb.com.br
Hosts: 204.3.140.72 www.bb.gov.br
Hosts: 204.3.140.72 bb.gov.br
Hosts: 204.3.140.72 bradesco.com.br
Hosts: 204.3.140.72 www.bradesco.com.br
Hosts: 204.3.140.72 www.bradescoprime.com.br
Hosts: 204.3.140.72 bradescoprime.com.br
Hosts: 204.3.140.72 bradescojuridico.com.br
Hosts: 204.3.140.72 www.checktudo.com.br
Hosts: 204.3.140.72 checktudo.com.br
Hosts: 204.3.140.72 www.infoseg.gov.br
Hosts: 204.3.140.72 infoseg.gov.br
Hosts: 204.3.140.72 www.bradescojuridico.com.br
Hosts: 204.3.140.72 santander.com.br
Hosts: 204.3.140.72 www.santander.com.br
Hosts: 204.3.140.72 www.unibanco.com.br
Hosts: 204.3.140.72 unibanco.com.br
Hosts: 204.3.140.72 www.itauprivatebank.com.br
Hosts: 204.3.140.72 itauprivatebank.com.br
Hosts: 204.3.140.72 www.americanexpress.com.br
Hosts: 204.3.140.72 cetelem.com.br
Hosts: 204.3.140.72 www.cetelem.com.br
Hosts: 204.3.140.72 itauuniclass.com.br
Hosts: 204.3.140.72 www.itauuniclass.com.br
Hosts: 204.3.140.72 americanexpress.com.br

==== Installed Programs ======================

Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe InDesign CS4
Adobe InDesign CS4 Application Feature Set Files (Roman)
Adobe InDesign CS4 Common Base Files
Adobe InDesign CS4 Icon Handler
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.3.2 - Português
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe SGM CS4
Adobe Shockwave Player 11
Adobe SING CS4
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Akamai NetSession Interface
Apple Application Support
Apple Software Update
Arquivo do WinRAR
AssaultCube v1.0
Assistente de Conexão do Windows Live
µTorrent
Audacity 1.2.6
Avanquest update
avast! Free Antivirus
Bonjour
Broadcom 440x 10/100 Integrated Controller
BS.Player FREE
CCleaner
CDBurnerXP
CDisplay 1.8
Conexant HDA D330 MDC V.92 Modem
Connect
Dell Resource CD
Dell Touchpad
Dev-C++ 5 beta 9 release (4.9.9.2)
Ferramenta de Carregamento do Windows Live
Ferramenta de diagnóstico de modem
Google Chrome
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix para Windows XP (KB896256)
Hotfix para Windows XP (KB908673)
Hotfix para Windows XP (KB914642)
Intel(R) Graphics Media Accelerator Driver
IntelliSonic Speech Enhancement
J2SE Runtime Environment 5.0 Update 5
Java Auto Updater
Java DB 10.5.3.0
Java(TM) 6 Update 20
Java(TM) SE Development Kit 6 Update 20
Java(TM) SE Runtime Environment 6
Junk Mail filter update
K-Lite Mega Codec Pack 5.8.3
kuler
Laptop Integrated Webcam Driver (1.00.10.0320)
Last.fm 1.5.4.24567
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
Messenger Plus! Live
mHlpDell
Microsoft .NET Framework 2.0 Language Pack - PTB
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Professional Edição 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
mIRC
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSVCRT
MSXML 6 Service Pack 2 (KB973686)
mWlsSafe
mWMI
mZConfig
Notepad++
OpenAL
Orbit Downloader
Pacote de Driver do Windows - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Pamela Basic 4.6
PDF Settings CS4
Photoshop Camera Raw
Picasa 3
Placa WLAN sem Fios Dell
QuickSet
QuickTime Alternative 3.1.1
RapidShare Mass Downloader
Segoe UI
SigmaTel Audio
Skype™ 4.2
Software do Intel(R) PROSet/Wireless
Sony Ericsson PC Suite 6.009.00
SoulSeek 157 NS 13e
Suite Shared Configuration CS4
TweetDeck
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VisuAlg 2.0.0.12 (20/09/06)
WebFldrs XP
Winamp
Winamp Remote
Winamp: Detectar Aplicação
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Galeria de Fotos
Windows Live Mail
Windows Live Messenger
Windows Live Sync
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB885855

==== End Of File ===========================
#8 By brando lee
19/06/2010 - 18:25
felipestoker said:


Copy the file path.
c:\windows\system32\drivers\fgjvql.sys


Go to the link below; it has the instructions on how to submit the file:
http://img198.imageshack.us/img198/4232/analisevirustotal.gif


When the analysis finishes, paste the address of the result here.
I will be away from the forum for a while, very busy, more important things to do: "work".


Removing viruses with Notepad!


#12 By Wings
21/06/2010 - 17:22
*Temporarily disable your antivirus


*Download ComboFix and save it to the desktop

*Run ComboFix and accept the agreement

*If the Windows Recovery Console is already installed, ComboFix will continue the process automatically. Otherwise, click [YES] to install it.

[image: recovery-console-prompt.jpg]

*Click [YES] to continue.

[image: recovery-console-installed.jpg]

*Wait for all the steps to finish

*While ComboFix is running, avoid using the mouse and keyboard!!..... To interrupt the procedure, press N or 2 and then ENTER.

*The program will close automatically and a report (C:\combofix.txt) will be shown. Paste it in your next reply.