Log analysis - Recurring worms

#1 By bmrmezenga 03/02/2010 - 18:51
Folks, I've already cleaned this PC about twice and the infection always comes back. It has Avira and Avira doesn't detect it.

Please take a look at the logs to see if anything is being left behind.

ComboFix log

ComboFix 10-02-03.03 - Administrador 03/02/2010 18:39:43.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.510.204 [GMT -2:00]
Running from: c:\documents and settings\Administrador\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
ADS - drivers: deleted 12 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\AutoRun.inf
c:\windows\system32\csrcs.exe
c:\windows\system32\midimap.dll . . . is infected!!
.
(((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 ))))))))))))))))))))))))))))
.
2010-02-03 18:16 . 2010-02-03 18:16 -------- d-----w- C:\spoolerlogs
2010-01-05 09:56 . 2010-01-05 09:56 192512 -c----w- c:\windows\system32\dllcache\iepeers.dll
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 20:22 . 2009-01-29 19:41 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Skype
2010-02-03 18:11 . 2009-01-29 18:34 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2010-01-13 14:10 . 2009-01-29 17:56 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-12-29 10:38 . 2009-01-29 17:59 -------- d-----w- c:\arquivos de programas\Microsoft Works
2009-12-28 11:05 . 2009-11-10 19:56 -------- d-----w- c:\arquivos de programas\Google
2009-12-28 10:56 . 2002-09-11 08:00 370046 ----a-w- c:\windows\system32\perfh016.dat
2009-12-28 10:56 . 2002-09-11 08:00 60114 ----a-w- c:\windows\system32\perfc016.dat
2009-12-22 13:06 . 2009-01-29 20:10 -------- d-----w- c:\arquivos de programas\Windows Live
2009-12-22 12:53 . 2009-03-10 21:43 -------- d-----w- c:\arquivos de programas\HP
2009-12-22 12:48 . 2009-03-10 21:46 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HP
2009-12-21 12:30 . 2009-02-06 19:36 -------- d-----w- c:\arquivos de programas\GbPlugin
2009-12-11 10:39 . 2009-02-06 19:36 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-12-08 11:57 . 2009-04-29 22:42 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:58 . 2008-04-13 17:20 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.
------- Sigcheck -------
[-] 2009-01-22 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-01-22 . 4A82CD98D559D958523E9CAD9FDA399E . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2009-01-22 . 7C0E5D593730414B5994A15A6D10C201 . 588288 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2009-01-22 . F1A3E95588DB92660C8C6DAA9101D49B . 1554432 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2009-01-22 . B541D5DF035BE6644380C5902CD6AE70 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2009-01-22 . D67945A2290E98BB54D7792F09E7504E . 25088 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2007-07-02 23237416]
"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-28 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2010-01-05 124928]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Windows Media Player\\wmplayer.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [29/4/2009 20:42 108289]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [6/2/2009 17:36 53800]
R3 PAC207;USB PC CAMERA P227;c:\windows\system32\drivers\PFC027.SYS [28/9/2007 16:25 614912]
S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [6/2/2009 17:36 30504]
S4 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [10/11/2009 17:56 135664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-02-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-12-22 00:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.unoparvirtual.com.br/
IE: Download all with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dllink.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
Notify- GbPluginCef - c:\arquivos de programas\GbPlugin\gbiehcef.dll

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 18:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll
- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2010-02-03 18:44:50
ComboFix-quarantined-files.txt 2010-02-03 20:44
ComboFix2.txt 2009-12-22 13:00
Pre-Run: 13 folder(s) 68.447.342.592 bytes free
Post-Run: 14 folder(s) 68.567.937.024 bytes free
- - End Of File - - 4E7115F0F0AAFF5AEEF9EB15AD49CEA6



HijackThis log after I ran ComboFix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:51:38, on 3/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\zshp1020.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unoparvirtual.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
--
End of file - 5876 bytes

#3 By bmrmezenga 03/02/2010 - 19:25
Wings said:
Download the midimap.dll file and save it to c:\windows\system32\dllcache

Run ComboFix again and paste the report.


Before your reply I had already run it again, pulling out Gbplugin.dll

ComboFix log

ComboFix 10-02-03.04 - Administrador 03/02/2010 19:02:03.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.510.205 [GMT -2:00]
Running from: c:\documents and settings\Administrador\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrador\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FILE ::
"c:\arquiv~1\GbPlugin\GbpSv.exe"
"c:\windows\system32\drivers\GbpKm.sys"
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\arquiv~1\GbPlugin\GbpSv.exe
c:\windows\system32\drivers\GbpKm.sys
c:\windows\system32\midimap.dll . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GBPKM
-------\Legacy_GBPSV
-------\Service_GbpKm
-------\Service_GbpSv

(((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 ))))))))))))))))))))))))))))
.
2010-02-03 20:51 . 2010-02-03 20:51 -------- d-----w- c:\arquivos de programas\Trend Micro
2010-02-03 18:16 . 2010-02-03 18:16 -------- d-----w- C:\spoolerlogs
2010-01-05 09:56 . 2010-01-05 09:56 192512 -c----w- c:\windows\system32\dllcache\iepeers.dll
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 21:09 . 2009-01-29 19:41 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Skype
2010-02-03 21:05 . 2009-02-06 19:36 -------- d-----w- c:\arquivos de programas\GbPlugin
2010-02-03 18:11 . 2009-01-29 18:34 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2010-01-13 14:10 . 2009-01-29 17:56 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-12-29 10:38 . 2009-01-29 17:59 -------- d-----w- c:\arquivos de programas\Microsoft Works
2009-12-28 11:05 . 2009-11-10 19:56 -------- d-----w- c:\arquivos de programas\Google
2009-12-28 10:56 . 2002-09-11 08:00 370046 ----a-w- c:\windows\system32\perfh016.dat
2009-12-28 10:56 . 2002-09-11 08:00 60114 ----a-w- c:\windows\system32\perfc016.dat
2009-12-22 13:06 . 2009-01-29 20:10 -------- d-----w- c:\arquivos de programas\Windows Live
2009-12-22 12:53 . 2009-03-10 21:43 -------- d-----w- c:\arquivos de programas\HP
2009-12-22 12:48 . 2009-03-10 21:46 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HP
2009-12-11 10:39 . 2009-02-06 19:36 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-12-08 11:57 . 2009-04-29 22:42 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:58 . 2008-04-13 17:20 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.
------- Sigcheck -------
[-] 2009-01-22 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-01-22 . 4A82CD98D559D958523E9CAD9FDA399E . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2009-01-22 . 7C0E5D593730414B5994A15A6D10C201 . 588288 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2009-01-22 . F1A3E95588DB92660C8C6DAA9101D49B . 1554432 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2009-01-22 . B541D5DF035BE6644380C5902CD6AE70 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2009-01-22 . D67945A2290E98BB54D7792F09E7504E . 25088 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2007-07-02 23237416]
"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-28 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2010-01-05 124928]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
c:\arquivos de programas\GbPlugin\gbiehcef.dll [BU]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Windows Media Player\\wmplayer.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [29/4/2009 20:42 108289]
R3 PAC207;USB PC CAMERA P227;c:\windows\system32\drivers\PFC027.SYS [28/9/2007 16:25 614912]
S4 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [10/11/2009 17:56 135664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-02-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-12-22 00:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.unoparvirtual.com.br/
IE: Download all with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dllink.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 19:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll
- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\SETUPAPI.dll
- - - - - - - > 'explorer.exe'(3180)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\LINKINFO.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\arquivos de programas\Avira\AntiVir Desktop\avguard.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\mmc.exe
c:\windows\system32\zshp1020.exe
.
**************************************************************************
.
Completion time: 2010-02-03 19:12:05 - Machine was rebooted
ComboFix-quarantined-files.txt 2010-02-03 21:12
ComboFix2.txt 2010-02-03 20:44
ComboFix3.txt 2009-12-22 13:00
Pre-Run: 13 folder(s) 68.574.879.744 bytes free
Post-Run: 14 folder(s) 68.526.800.896 bytes free
- - End Of File - - B352F68E1335FD4E873DF92E45CB6772


Here is the new log after midimap.dll was pasted into dllcache.

New ComboFix log

ComboFix 10-02-03.04 - Administrador 03/02/2010 19:18:27.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.510.257 [GMT -2:00]
Running from: c:\documents and settings\Administrador\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\midimap.dll . . . is infected!!
.
(((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 ))))))))))))))))))))))))))))
.
2010-02-03 18:16 . 2010-02-03 18:16 -------- d-----w- C:\spoolerlogs
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 21:21 . 2009-01-29 19:41 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Skype
2010-02-03 21:05 . 2009-02-06 19:36 -------- d-----w- c:\arquivos de programas\GbPlugin
2010-02-03 20:51 . 2010-02-03 20:51 -------- d-----w- c:\arquivos de programas\Trend Micro
2010-02-03 18:11 . 2009-01-29 18:34 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP
2010-01-13 14:10 . 2009-01-29 17:56 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-12-29 10:38 . 2009-01-29 17:59 -------- d-----w- c:\arquivos de programas\Microsoft Works
2009-12-28 11:05 . 2009-11-10 19:56 -------- d-----w- c:\arquivos de programas\Google
2009-12-28 10:56 . 2002-09-11 08:00 370046 ----a-w- c:\windows\system32\perfh016.dat
2009-12-28 10:56 . 2002-09-11 08:00 60114 ----a-w- c:\windows\system32\perfc016.dat
2009-12-22 13:06 . 2009-01-29 20:10 -------- d-----w- c:\arquivos de programas\Windows Live
2009-12-22 12:53 . 2009-03-10 21:43 -------- d-----w- c:\arquivos de programas\HP
2009-12-22 12:48 . 2009-03-10 21:46 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\HP
2009-12-11 10:39 . 2009-02-06 19:36 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-12-08 11:57 . 2009-04-29 22:42 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 15:58 . 2008-04-13 17:20 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.
------- Sigcheck -------
[-] 2009-01-22 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-01-22 . 4A82CD98D559D958523E9CAD9FDA399E . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2009-01-22 . 7C0E5D593730414B5994A15A6D10C201 . 588288 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2009-01-22 . F1A3E95588DB92660C8C6DAA9101D49B . 1554432 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2009-01-22 . B541D5DF035BE6644380C5902CD6AE70 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2009-01-22 . D67945A2290E98BB54D7792F09E7504E . 25088 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-03_20.43.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-03 21:15 . 2010-02-03 21:15 18944 c:\windows\system32\dllcache\midimap.dll
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2007-07-02 23237416]
"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-28 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2010-01-05 124928]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
c:\arquivos de programas\GbPlugin\gbiehcef.dll [BU]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Windows Media Player\\wmplayer.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [29/4/2009 20:42 108289]
R3 PAC207;USB PC CAMERA P227;c:\windows\system32\drivers\PFC027.SYS [28/9/2007 16:25 614912]
S4 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [10/11/2009 17:56 135664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.unoparvirtual.com.br/
IE: Download all with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\arquivos de programas\Free Download Manager\dllink.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\arquivos de programas\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 19:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll
- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\SETUPAPI.dll
- - - - - - - > 'explorer.exe'(1212)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\LINKINFO.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-03 19:23:01
ComboFix-quarantined-files.txt 2010-02-03 21:22
ComboFix2.txt 2010-02-03 21:12
ComboFix3.txt 2010-02-03 20:44
ComboFix4.txt 2009-12-22 13:00
Pre-Run: 13 folder(s) 68.533.911.552 bytes free
Post-Run: 14 folder(s) 68.524.941.312 bytes free
- - End Of File - - 03CC5F8E331AE315F2086271DE6F606E



And another thing.

It's giving that error that the memory address could not be "written", and it closes Spoolsv.exe and the printer stops.

[image]

[edit]

I removed a job from the printer and the errors stopped...
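The question in this thread is whether the three ComboFix runs above are leaving something behind. The following is an added example (not code from the thread or from ComboFix's authors) of how to answer that mechanically: it splits a ComboFix log into its banner-delimited sections, pulls the "Other Deletions" entries apart into plain deletions and files flagged ". . . is infected!!", reads the Sigcheck `[-]` lines (files whose signature check failed, with their MD5), and then reports which flagged paths recur across runs and which Sigcheck hashes changed between runs. The sample logs are constructed excerpts of the three runs posted here, with the paths and MD5s copied from the posts; RUN_2 keeps the Portuguese banners so the parser is shown handling both the localised and the English ComboFix wording, which is an assumption about the tool's strings rather than something the thread states. It goes beyond the thread in checking hash drift across runs, not just recurrence.

```python
import re
from collections import Counter

# Constructed excerpts of the three ComboFix runs posted in this thread, trimmed
# to the sections this parser reads. Paths and MD5s are copied from the posts;
# RUN_2 keeps the Portuguese banners to show both localisations are handled.
RUN_1 = r"""
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\AutoRun.inf
c:\windows\system32\csrcs.exe
c:\windows\system32\midimap.dll . . . is infected!!
.
------- Sigcheck -------
[-] 2009-01-22 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-01-22 . D67945A2290E98BB54D7792F09E7504E . 25088 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
"""
RUN_2 = r"""
FILE ::
"c:\arquiv~1\GbPlugin\GbpSv.exe"
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\arquiv~1\GbPlugin\GbpSv.exe
c:\windows\system32\drivers\GbpKm.sys
c:\windows\system32\midimap.dll . . . está infectado!!
.
------- Sigcheck -------
[-] 2009-01-22 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
"""
RUN_3 = r"""
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\midimap.dll . . . is infected!!
.
------- Sigcheck -------
[-] 2009-01-22 . B0C0BF2504B830BFC1E93CA39F3C75FE . 549376 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
"""

# Section banners look like "(((( Title ))))" or "------- Title -------".
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$|^-+\s*(.+?)\s*-+$")
DELETION_BANNERS = {"other deletions", "outras exclusões"}   # English / Portuguese builds
INFECTED_MARK = re.compile(r"\.\s*\.\s*\.\s*(?:is infected|está infectado)", re.I)
PATH_LINE = re.compile(r"^[a-z]:\\\S.*$", re.I)
SIGCHECK = re.compile(
    r"^\[-\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-F]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+)$", re.I)


def sections(log):
    """Split a ComboFix log into {lower-case banner title: [lines]}; text before the first banner is ignored."""
    out, current = {}, None
    for line in log.splitlines():
        m = BANNER.match(line.strip())
        if m:
            current = (m.group(1) or m.group(2)).strip().lower()
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line.rstrip())
    return out


def parse_run(log):
    """Return (deleted, infected, unsigned) for one run.

    deleted  - paths listed under 'Other Deletions' with no flag (removed by ComboFix)
    infected - paths flagged '. . . is infected!!' (a patched file still in place)
    unsigned - {path: MD5} from '[-]' Sigcheck lines (signature check failed)
    """
    deleted, infected, unsigned = set(), set(), {}
    for title, lines in sections(log).items():
        if title in DELETION_BANNERS:
            for line in lines:
                if not PATH_LINE.match(line):
                    continue
                if INFECTED_MARK.search(line):
                    infected.add(INFECTED_MARK.split(line)[0].strip().lower())
                else:
                    deleted.add(line.strip().lower())
        elif title == "sigcheck":
            for line in lines:
                m = SIGCHECK.match(line)
                if m:
                    unsigned[m.group("path").lower()] = m.group("md5").upper()
    return deleted, infected, unsigned


def recurring(runs):
    """Flagged and unsigned paths seen in more than one run: the 'it keeps coming back' signal."""
    infected_count, unsigned_count = Counter(), Counter()
    for log in runs:
        _, infected, unsigned = parse_run(log)
        infected_count.update(infected)
        unsigned_count.update(unsigned.keys())   # keys only; Counter.update(dict) would add the MD5 strings
    return (sorted(p for p, n in infected_count.items() if n > 1),
            sorted(p for p, n in unsigned_count.items() if n > 1))


def hash_changed(runs):
    """Sigcheck paths whose MD5 differs between runs, i.e. a file that was replaced or re-patched."""
    seen, changed = {}, set()
    for log in runs:
        for path, md5 in parse_run(log)[2].items():
            if path in seen and seen[path] != md5:
                changed.add(path)
            seen[path] = md5
    return sorted(changed)


if __name__ == "__main__":
    runs = [RUN_1, RUN_2, RUN_3]
    for i, log in enumerate(runs, 1):
        deleted, infected, unsigned = parse_run(log)
        print("run %d: deleted=%d infected=%s unsigned=%d" % (i, len(deleted), sorted(infected), len(unsigned)))
    print("recurring (infected, unsigned):", recurring(runs))
    print("hash changed between runs:", hash_changed(runs))
```

On these three runs the parser reports midimap.dll as flagged in every run while AutoRun.inf, csrcs.exe and the GbPlugin files appear once each, and winlogon.exe as unsigned in all three runs with an unchanged MD5. A stable MD5 on a `[-]` entry dated 2009-01-22 points at a file that was already modified when the system was installed (consistent with the nLite RunOnce entries in the same log) rather than at a file being re-patched between runs; the item that actually changes nothing between runs is the one ComboFix keeps flagging.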
#4 By Wings 03/02/2010 - 20:56
1.
*Open Notepad and copy and paste all of the code below into it:

Attrib -h c:\windows\system32\midimap.dll
MOVE c:\windows\system32\midimap.dll midimapbad.dll
*Save the file on the desktop as mover.bat
*Double-click mover.bat
*The file will be moved to the desktop

2.
*Open Notepad and select, copy and paste all of the content of the code below into it:

FCOPY::
c:\windows\system32\dllcache\midimap.dll | c:\windows\system32\midimap.dll
*Save the file on the desktop as CFScript.txt
*Drag the file onto ComboFix as shown in the illustration below:

[image]

*Important: while ComboFix is running, do not use the mouse or the keyboard!! ..to interrupt the process press N or 2.

*Paste the report created at C:\combofix.txt
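The two steps above (move the flagged midimap.dll aside, then copy the dllcache copy back over it) are what a responder would want to do with a check attached: hash the flagged file and the cache copy before touching anything, refuse to proceed if they are identical (a dllcache copy patched by the same worm would just reinfect, which is why the earlier reply asked for a clean midimap.dll in dllcache first), and confirm afterwards that the file now in system32 hashes the same as the cache copy. The following is an added example of that procedure in Python, not code from the thread or from ComboFix; the file layout, the file contents and the quarantine name are constructed stand-ins, `demo()` runs only inside a temporary directory, and the `known_good_sha256` parameter is an assumption (the thread gives no reference hash for midimap.dll).

```python
import hashlib
import os
import shutil
import stat
import sys
import tempfile


def sha256(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def clear_attributes(path):
    """Python equivalent of 'attrib -h -s -r': make the file writable and, on
    Windows, drop the hidden/system bits that make 'attrib -h' alone insufficient."""
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    if sys.platform == "win32":
        import ctypes
        FILE_ATTRIBUTE_NORMAL = 0x80
        if not ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL):
            raise OSError("SetFileAttributesW failed for %s" % path)


def replace_from_cache(target, cache_copy, quarantine_dir, known_good_sha256=None):
    """Move the flagged DLL aside and copy the cache copy over it, verifying by hash.

    Refuses to run when the cache copy hashes the same as the flagged file (the
    cache was patched too) or, when a known-good hash is supplied (assumed
    parameter, not from the thread), when the cache copy does not match it.
    """
    before = sha256(target)
    cache = sha256(cache_copy)
    if cache == before:
        raise RuntimeError("dllcache copy is identical to the flagged file; put a clean copy in dllcache first")
    if known_good_sha256 and cache.lower() != known_good_sha256.lower():
        raise RuntimeError("dllcache copy does not match the expected hash")
    clear_attributes(target)
    quarantine = os.path.join(quarantine_dir, os.path.basename(target) + ".bad")
    shutil.move(target, quarantine)          # rename on the same volume, like MOVE in the batch file
    shutil.copy2(cache_copy, target)         # what the CFScript FCOPY:: line does
    after = sha256(target)
    if after != cache:
        raise RuntimeError("restored file does not match the cache copy")
    return {"before": before, "cache": cache, "after": after,
            "quarantine": quarantine, "quarantine_sha256": sha256(quarantine),
            "restored": target}


def demo(identical_cache=False):
    """Run the procedure on a throwaway tree that mirrors the XP layout.
    All file contents are constructed stand-ins; nothing touches a real system32."""
    root = tempfile.mkdtemp(prefix="midimap_")
    system32 = os.path.join(root, "system32")
    dllcache = os.path.join(system32, "dllcache")
    desktop = os.path.join(root, "desktop")
    os.makedirs(dllcache)
    os.makedirs(desktop)
    flagged = os.path.join(system32, "midimap.dll")
    cached = os.path.join(dllcache, "midimap.dll")
    bad_bytes = b"MZ" + b"\x00" * 64 + b"PATCHED-BY-WORM"                        # constructed
    good_bytes = bad_bytes if identical_cache else b"MZ" + b"\x00" * 64 + b"CLEAN-COPY"  # constructed
    with open(flagged, "wb") as f:
        f.write(bad_bytes)
    with open(cached, "wb") as f:
        f.write(good_bytes)
    os.chmod(flagged, stat.S_IREAD)   # read-only, as 'attrib +r' would leave it
    return replace_from_cache(flagged, cached, desktop)


if __name__ == "__main__":
    result = demo()
    print("quarantined %s (sha256 %s)" % (result["quarantine"], result["before"]))
    print("restored    %s (sha256 %s)" % (result["restored"], result["after"]))
```

Keeping the before/cache/after hashes is what lets you tell, on the next ComboFix run, whether midimap.dll was re-patched (hash drifts back) or whether the cache copy itself was never clean (hashes equal, and the script refuses before moving anything).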