#1
I recently downloaded a theme application. After installing it, Kaspersky raised an alert saying the computer is infected with MultiPacked.Multi.Generic malware. My Kaspersky stopped working and my Windows theme is gone; I'm stuck with Windows Classic. Help please!
#2
Try to get me any of the logs you can from here: http://www.computer-juice.com/forums...-posting-7476/
#3
It looks like the forums had a glitch. Please post those DDS logs.
Download DDS from HERE or HERE or HERE and save it to your desktop.
* Vista users: right-click DDS and select Run as administrator (you will get a UAC prompt; please allow it).
* XP users: double-click DDS to run it.
* If your antivirus or firewall tries to block DDS, please allow it to run.
* When finished, DDS will open two (2) logs: 1) DDS.txt 2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs into your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment. Please just post it as you would any other log, by copying and pasting it into your reply.
#4
DDS (Ver_09-05-14/01) - NTFSx86
Corre por Rato em 16:53:23.36 em Wed 06/24/2009 Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1294 [GMT -4:00] AV: Kaspersky Internet Security * On-access scanning deficientes * (Atualizado) (2C4D4BC6-0793-4956-A9F9-E252435469C0) FW: Kaspersky Internet Security ativado * * (2C4D4BC6-0793-4956-A9F9-E252435469C0) Executando Processos ============== =============== C: \ WINDOWS \ system32 \ Svchost-k DcomLaunch svchost.exe C: \ WINDOWS \ System32 \ svchost.exe-k netsvcs C: \ WINDOWS \ system32 \ svchost.exe-k WudfServiceGroup svchost.exe C: \ WINDOWS \ system32 \ spoolsv.exe C: \ Program Files \ Creative \ Shared Files \ CTAudSvc.exe C: \ WINDOWS \ Explorer.EXE C: \ WINDOWS \ system32 \ CTHELPER.EXE C: \ WINDOWS \ system32 \ CTXFIHLP.EXE C: \ Program Files \ Creative \ Sound Blaster X-Fi \ DVDAudio \ CTDVDDET.EXE C: \ Program Files \ Creative \ Shared Files \ Module Loader \ DLLML.exe C: \ Program Files \ Creative \ Sound Blaster X-Fi \ Volume Panel \ VolPanlu.exe C: \ WINDOWS \ system32 \ rundll32.exe C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ avp.exe C: \ Program Files \ iTunes \ iTunesHelper.exe C: \ WINDOWS \ SYSTEM32 \ CTXFISPI.EXE C: \ WINDOWS \ system32 \ ctfmon.exe C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe C: \ PROGRA ~ 1 \ MICROS ~ 4 \ rapimgr.exe svchost.exe C: \ Program Files \ Common Files \ Apple \ Mobile Device Support \ bin \ AppleMobileDeviceService.exe C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ avp.exe C: \ Program Files \ Bonjour \ mDNSResponder.exe C: \ WINDOWS \ system32 \ nvsvc32.exe C: \ WINDOWS \ system32 \ PnkBstrA.exe C: \ WINDOWS \ System32 \ svchost.exe-k imgsvc C: \ Program Files \ Creative \ Sound Blaster X-Fi \ Entertainment Center \ EAXLoadr.exe C: \ Program Files \ Viewpoint \ Common \ ViewpointService.exe C: \ Program Files \ iPod \ bin \ iPodService.exe C: \ WINDOWS \ System32 \ 
svchost.exe-k HTTPFilter C: \ Program Files \ Mozilla Firefox \ firefox.exe C: \ Program Files \ LimeWire \ LimeWire.exe C: \ Documents and Settings \ Mouse \ Desktop \ dds.com ============== Pseudo HJT Relatório =============== uStart Page = hxxp: / / google.com / uInternet Settings, ProxyOverride = *. local BHO: Adobe PDF Reader Link Helper: (06849e9f-c8d7-4d59-b87d-784b7d6be0b3) - C: \ Program Files \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEHelper.dll BHO: Skype add-on (regente): (22bf413b-c6d2-82a9-4d91-a0f997ba588c) - C: \ Program Files \ Skype \ Toolbars \ Internet Explorer \ SkypeIEPlugin.dll BHO: IEVkbdBHO Classe: (59273ab4-e7d3-40f9-a1a8-6fa9cca1862c) - C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ ievkbd.dll BHO: Java (tm) Plug-In 2 SSV Helper: (dbc80044-a445-435b-bc74-9c25c1c588a9) - C: \ Program Files \ Java \ jre6 \ bin \ jp2ssv.dll BHO: JQSIEStartDetectorImpl Classe: (e7e6f031-17ce-4c07-bc86-eabfe594f69c) - C: \ Program Files \ Java \ jre6 \ lib \ implantar \ jqs \ IE \ jqs_plugin.dll TB: Veoh Browser Plug-in: (d0943516-5076-4020-a3b5-aefaf26ab263) - C: \ Program Files \ Veoh redes \ Veoh \ plugins \ reg \ VeohToolbar.dll EB: (32683183-48a0-441b-A342-7c2a440a9478) - Processo n º uRun: [ctfmon.exe] C: \ Windows \ system32 \ ctfmon.exe uRun: [H / PC Connection Agent] "C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe" mRun: [NvCplDaemon] RUNDLL32.EXE C: \ Windows \ system32 \ NvCpl.dll, NvStartup mRun: [CTHelper] CTHELPER.EXE mRun: [CTxfiHlp] CTXFIHLP.EXE mRun: [CTDVDDET] "C: \ Program Files \ Creative \ Sound Blaster X-Fi \ dvdaudio \ CTDVDDET.EXE" mRun: [RCSystem] "C: \ Program Files \ criativo \ arquivos compartilhados \ module loader \ DLLML.exe" RCSystem *-Inicialização mRun: [AudioDrvEmulator] "C: \ Program Files \ criativo \ arquivos compartilhados \ module loader \ dllml.exe" -1 audiodrvemulator "C: \ Program Files \ criativo \ arquivos compartilhados \ module loader \ áudio emulador \ AudDrvEm.dll" 
mRun: [VolPanel] "C: \ Program Files \ Creative \ Sound Blaster X-Fi \ Volume Panel \ VolPanlu.exe" / r mRun: [NvMediaCenter] RUNDLL32.EXE C: \ Windows \ system32 \ NvMcTray.dll, NvTaskbarInit mRun: [AVP] "C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ avp.exe" mRun: [QuickTime Task] "C: \ Program Files \ QuickTime \ QTTask.exe"-atboottime mRun: [AppleSyncNotifier] C: \ Program Files \ Common Files \ Apple \ dispositivo móvel apoio \ bin \ AppleSyncNotifier.exe mRun: [iTunesHelper] "C: \ Program Files \ iTunes \ iTunesHelper.exe" IE: Add to Banner Ad Blocker - C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ ie_banner_deny.htm IE: E & xportar para o Microsoft Excel - C: \ PROGRA ~ 1 \ micros ~ 2 \ Office10 \ EXCEL.EXE/3000 IE: (e2e2dd38-d088-4134-82b7-f2ba38496583) -% windir% \ Network Diagnostic \ xpnetdiag.exe IE: (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Program Files \ Messenger \ msmsgs.exe IE: (1F460357-8A94-4D71-9CA3-AA4ACF32ED8E) - (85E0B171-04FA-11D1-B7DA-00A0C90348D6) - C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ SCIEPlgn.dll IE: (2EAF5BB1-070F-11D3-9307-00C04FAE2D4F) - (2EAF5BB0-070F-11D3-9307-00C04FAE2D4F) - c: \ progra ~ 1 \ micros ~ 4 \ INetRepl.dll IE: (2EAF5BB2-070F-11D3-9307-00C04FAE2D4F) - (2EAF5BB0-070F-11D3-9307-00C04FAE2D4F) - c: \ progra ~ 1 \ micros ~ 4 \ INetRepl.dll IE: (77BF5300-1474-4EC7-9980-D32B190E9B07) - (77BF5300-1474-4EC7-9980-D32B190E9B07) - C: \ Program Files \ Skype \ Toolbars \ Internet Explorer \ SkypeIEPlugin.dll DPF: Microsoft XML Parser para Java - file: / / c: \ windows \ java \ classes \ xmldso.cab DPF: (17492023-C23A-453E-A040-C7C580BBF700) - hxxp: / / go.microsoft.com / fwlink /? 
Linkid = 39204 DPF: (45B69029-F3AB-4204-92DE-D5140C3E8E74) - hxxps: / / portal.apogentech.com / vdesk / terminal / InstallerControl.cab DPF: (463ED66E-431B-11D2-ADB0-0080C83DA4EB) - hxxps: / / w3s.webmoney.ru/WMAcceptor.dll DPF: (57C76689-F052-487B-A19F-855AFDDF28EE) - hxxps: / / portal.apogentech.com/vdesk/terminal/f5InspectionHost.cab # version = 6030,2008,0904,1939 DPF: (8AD9C840-044E-11D1-B3E9-00805F499D93) - hxxp: / / java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: (CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA) - hxxp: / / java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab DPF: (CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA) - hxxp: / / java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: (CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA) - hxxp: / / java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: (CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA) - hxxp: / / java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: (CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA) - hxxp: / / java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: (E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D) - hxxps: / / portal.apogentech.com/policy/download_binary.php/win32/f5syschk.cab # Version = 6030,2008,0904,1947 Manipulador: cdo - (CD00020A-8B95-11D1-82DB-00C04FB1625D) - c: \ Program Files \ Common Files \ Microsoft Shared \ Web Folders \ PKMCDO.DLL Manipulador: skype4com - (FFC8B962-9B40-4DFF-9458-1830C7DD7F5D) - c: \ progra ~ 1 \ common ~ 1 \ Skype \ SKYPE4 ~ 1.DLL Notify:! 
SASWinLogon - C: \ Program Files \ SUPERAntiSpyware \ SASWINLO.DLL Notify: klogon - C: \ Windows \ system32 \ klogon.dll AppInit_DLLs: c: \ progra ~ 1 \ kasper ~ 1 \ kasper ~ 1 \ mzvkbd.dll, c: \ progra ~ 1 \ kasper ~ 1 \ kasper ~ 1 \ adialhk.dll, C: \ PROGRA ~ 1 \ kaspe r ~ 1 \ kasper ~ 1 \ kloehk.dll SSODL: WPDShServiceObj - (AAA288BA-9A4C-45B0-95D7-94D524869DB5) - c: \ windows \ system32 \ WPDShServiceObj.dll SEH: SABShellExecuteHook Classe: (5ae067d3-9afb-48e0-853a-ebb7f4a000da) - C: \ Program Files \ SUPERAntiSpyware \ SASSEH.DLL ================= FIREFOX =================== FF - ProfilePath -- ============= SERVIÇOS / MAQUINISTAS =============== R0 kl1; Kl1; c: \ windows \ system32 \ drivers \ kl1.sys [2007-10-31 112144] R0 klbg; Kaspersky Lab Boot Guard Driver; c: \ windows \ system32 \ drivers \ klbg.sys [2008/1/29 33808] R1 klif; Kaspersky Lab Driver; c: \ windows \ system32 \ drivers \ klif.sys [2008/4/18 213520] R1 SASKUTIL; SASKUTIL; C: \ Program Files \ SUPERAntiSpyware \ SASKUTIL.SYS [2008/2/29 55024] R1 UGURU; UGURU; c: \ windows \ system32 \ drivers \ uGuru.sys [2008/5/12 14592] R2 avp; Kaspersky Internet Security; C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ avp.exe-r -> C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ avp.exe-r [? 
] R2 Viewpoint Manager Service; Viewpoint Manager Service; C: \ Program Files \ vista \ common \ ViewpointService.exe [2008/12/7 24652] R3 KLFLTDEV; Kaspersky Lab KLFltDev; c: \ windows \ system32 \ drivers \ klfltdev.sys [2008/3/13 26640] R3 klim5; Kaspersky Anti-Virus NDIS Filter; c: \ windows \ system32 \ drivers \ klim5.sys [2007-12-13 24592] R3 SASENUM; SASENUM; C: \ Program Files \ SUPERAntiSpyware \ SASENUM.SYS [2006/2/16 4096] S1 SASDIFSV; SASDIFSV; C: \ Program Files \ SUPERAntiSpyware \ SASDIFSV.SYS [2008/2/29 9968] S2 Cubase32; Cubase32; c: \ windows \ system32 \ drivers \ Cuba se32.sys [2009/4/5 11808] S3 IlvMoneyDRIVER53; IlvMoneyDRIVER53; c: \ windows \ siste M32 \ drivers \ IlvMoney1215.sys [2008/8/21 30080] =============== Criado Última 30 ================ 2009/06/17 13:58 <dir> - d ----- C: \ Program Files \ LSoft Technologies 2009/06/13 12:32 <dir> - d ----- C: \ Program Files \ iPod 2009/06/13 12:32 <dir> - d ----- C: \ Program Files \ iTunes Find3M ==================== ==================== ============= FINISH: 16:54:12.42 ===============
#5
Download ComboFix © by sUBs from one of the links below. Be sure to save it to the Desktop.
Link #1 Link #2
**Note: It is important that it is saved directly to your desktop. DO NOT run it yet!
Note: The instructions below were created specifically for this user. If you are not this user, do NOT follow these instructions, as they could damage the workings of your system.
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the code box below: highlight all the text and press Ctrl+C
Code:
Killall::
DDS::
uInternet Settings,ProxyOverride = *.local
EB: {32683183-48a0-441b-A342-7c2a440a9478} - No File
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\messenger\msmsgs.exe
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
Driver::
Viewpoint Manager Service
Folder::
C:\Program Files\Viewpoint
4. Then click File > Save
5. Name the file CFScript.txt and save it to your desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe, as you see in the picture below. Important: Perform these instructions carefully!
ComboFix will begin to run; just follow the prompts on screen. After the reboot (if it asks to restart), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
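As an added illustration (not the helper's own tool, and not part of DDS or ComboFix), the Python below parses DDS pseudo-HJT lines of the kind shown in the log above, applies illustrative triage rules for the sorts of entries the helper picked in this post (an EB entry backed by no file, a DPF control fetched from a host outside an allowlist, a ProxyOverride the user did not set) and lays the result out in the CFScript sections used here. The sample lines are constructed; the `Settings` pseudo-kind, the allowlist and the rules are my assumptions, and the driver and folder entries are passed in by hand, as the helper chose them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of DDS "Pseudo HJT Report" lines, modelled on the entries
# the helper picked out of the DDS log above (this is not the real log).
SAMPLE_DDS = """\
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
EB: {32683183-48a0-441b-A342-7c2a440a9478} - No File
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
"""

# Shape of a GUID-bearing DDS line:  KIND: [name: ]{guid} - target
ENTRY_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+): (?:(?P<name>[^{]+?): )?\{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$"
)
# DDS defangs URLs as hxxp(s)://host/...; pull the host out of a DPF target.
DPF_HOST_RE = re.compile(r"^hxxps?://([^/]+)/", re.IGNORECASE)


@dataclass
class DdsEntry:
    kind: str            # BHO, TB, EB, IE, DPF, or the assumed pseudo-kind "Settings"
    name: Optional[str]  # human-readable name, when the line carries one
    guid: Optional[str]
    target: str          # file path, URL, "No File", or a setting value
    raw: str             # the line exactly as it appears in the DDS report


def parse_dds(text: str) -> List[DdsEntry]:
    """Parse the GUID-bearing lines and the Internet Settings lines of a DDS report."""
    entries: List[DdsEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(DdsEntry(m["kind"], m["name"], m["guid"], m["target"], line))
        elif line.startswith(("uInternet Settings", "mInternet Settings")):
            # e.g. "uInternet Settings,ProxyOverride = *.local"
            value = line.split("=", 1)[1].strip()
            entries.append(DdsEntry("Settings", None, None, value, line))
    return entries


def select_for_removal(entries: List[DdsEntry], trusted_dpf_hosts) -> List[DdsEntry]:
    """Illustrative triage rules (an assumption) mirroring what the helper removed."""
    picked = []
    for e in entries:
        if e.kind in ("BHO", "TB", "EB") and e.target == "No File":
            picked.append(e)      # orphaned browser object: the registry points nowhere
        elif e.kind == "DPF":
            host = DPF_HOST_RE.match(e.target)
            if host is None or host.group(1).lower() not in trusted_dpf_hosts:
                picked.append(e)  # ActiveX control downloaded from an unvetted host
        elif e.kind == "Settings" and "ProxyOverride" in e.raw:
            picked.append(e)      # proxy override the user did not configure
    return picked


def build_cfscript(dds_entries, drivers=(), folders=()) -> str:
    """Emit the section layout the helper used: Killall::, DDS::, Driver::, Folder::."""
    lines = ["Killall::", "DDS::"]
    lines += [e.raw for e in dds_entries]
    if drivers:
        lines += ["Driver::", *drivers]
    if folders:
        lines += ["Folder::", *folders]
    return "\n".join(lines) + "\n"


def demo() -> str:
    entries = parse_dds(SAMPLE_DDS)
    picked = select_for_removal(entries, trusted_dpf_hosts={"java.sun.com", "go.microsoft.com"})
    # Driver and folder names are supplied by hand, as the helper did in this post.
    return build_cfscript(picked, drivers=["Viewpoint Manager Service"],
                          folders=[r"C:\Program Files\Viewpoint"])


if __name__ == "__main__":
    print(demo())
```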
#6
ComboFix 09-06-23.01 - Rato 06/24/2009 17:18.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1452 [GMT -4:00] Executando de: C: \ Documents and Settings \ Mouse \ Desktop \ ComboFix.exe Comando interruptores utilizados:: C: \ Documents and Settings \ Mouse \ Desktop \ CFScript.txt AV: Kaspersky Internet Security * On-access scanning deficientes * (Atualizado) (2C4D4BC6-0793-4956-A9F9-E252435469C0) FW: Kaspersky Internet Security ativado * * (2C4D4BC6-0793-4956-A9F9-E252435469C0) . ((((((((((((((((((((((((((((((((((((((( Outros Supressões ))))))))) )))))))))))))))))))))))))))))))))))))))) . C: \ Program Files \ vista c: \ recycler \ S-1-5-21-1957994488-1801674531-1177238915-1004 c: \ recycler \ S-1-5-21-789336058-2025429265-1644491937-1003 c: \ windows \ system32 \ drivers \ kl1.sys C: \ Program Files \ Messenger \ msmsgs.exe C: \ Program Files \ vista \ Common \ ViewpointService.exe C: \ Program Files \ vista \ Common \ VistaBoot.sdll C: \ Program Files \ vista \ Viewpoint Media Player \ AxMetaStream.dll C: \ Program Files \ vista \ Viewpoint Media Player \ ClassIDs.ini C: \ Program Files \ vista \ Viewpoint Media Player \ ComponentMgr.dll C: \ Program Files \ vista \ Viewpoint Media Player \ MetaStreamID.ini C: \ Program Files \ vista \ Viewpoint Media Player \ MtsAxInstaller.exe C: \ Program Files \ vista \ Viewpoint Media Player \ NewComponents \ AOLUserShell.dll C: \ Program Files \ vista \ Viewpoint Media Player \ NewComponents \ Cursors.dll C: \ Program Files \ vista \ Viewpoint Media Player \ NewComponents \ JpegReader.dll C: \ Program Files \ vista \ Viewpoint Media Player \ NewComponents \ Mts3Reader.dll C: \ Program Files \ vista \ Viewpoint Media Player \ NewComponents \ SceneComponent.dll C: \ Program Files \ vista \ Viewpoint Media Player \ NewComponents \ SreeDMMX.dll C: \ Program Files \ vista \ Viewpoint Media Player \ NewComponents \ SWFView.dll C: \ Program Files \ vista \ Viewpoint Media Player \ NewComponents \ VETScriptInterpreter.dll C: \ Program Files \ vista \ 
Viewpoint Media Player \ NewComponents \ VMPSpeech.dll C: \ Program Files \ vista \ Viewpoint Media Player \ NewComponents \ VMPVideo2.dll C: \ Program Files \ vista \ Viewpoint Media Player \ npViewpoint.dll C: \ Program Files \ vista \ Viewpoint Media Player \ npViewpoint.xpt c: \ recycler \ S-1-5-21-1957994488-1801674531-1177238915-1004 \ desktop.ini c: \ recycler \ S-1-5-21-1957994488-1801674531-1177238915-1004 \ INFO2 c: \ recycler \ S-1-5-21-789336058-2025429265-1644491937-1003 \ desktop.ini c: \ recycler \ S-1-5-21-789336058-2025429265-1644491937-1003 \ INFO2 c: \ windows \ emMON.exe c: \ windows \ system32 \ Codecs \ 7zAES.dll c: \ windows \ system32 \ Codecs \ AES.dll c: \ windows \ system32 \ Codecs \ Branch.dll c: \ windows \ system32 \ Codecs \ BZip2.dll c: \ windows \ system32 \ Codecs \ Copy.dll c: \ windows \ system32 \ Codecs \ Deflate.dll c: \ windows \ system32 \ Codecs \ LZMA.dll c: \ windows \ system32 \ Codecs \ PPMd.dll c: \ windows \ system32 \ Codecs \ Rar29.dll c: \ windows \ system32 \ Codecs \ Swap.dll c: \ windows \ system32 \ drivers \ ctoss2k.sys c: \ windows \ system32 \ Formats \ 7z.dll . ((((((((((((((((((((((((((((((((((((((( Drivers / Serviços )))))))) ))))))))))))))))))))))))))))))))))))))))) . ------- \ Legacy_ILVMONEYDRIVER53 ------- \ Legacy_VIEWPOINT_MANAGER_SERVICE ------- \ Service_IlvMoneyDRIVER53 ------- \ Service_Viewpoint Service Manager ------- \ Legacy_ossrv ------- \ Service_ossrv ((((((((((((((((((((((((( Arquivos criados a partir de 2009/05/24 a 2009/06/24 ))))))))))) )))))))))))))))))))) . 2009/06/23 18:47. 2009/06/24 16:37 117,760 ---- aw-c: \ Documents and Settings \ Mouse \ Application Data \ SUPERAntiSpyware.com \ SUPERAntiSpyware \ SDDLLS \ UIREPAIR.DLL 2009/06/17 17:58. 2009/06/17 18:10 -------- d ----- w-C: \ Program Files \ LSoft Technologies 2009/06/13 16:32. 2009/06/13 16:32 -------- d ----- w-C: \ Program Files \ iPod 2009/06/13 16:32. 
2009/06/13 16:32 -------- d ----- w-C: \ Program Files \ iTunes 2009/06/13 16:28. 2009/06/13 16:29 -------- d ----- w-C: \ Program Files \ QuickTime 2009/06/13 16:23. 2009/06/13 16:23 75,048 ---- aw-c: \ Documents and Settings \ All Users \ Application Data \ Apple Computer \ Installer Cache \ iTunes 8.2.0.23 \ SetupAdmin.exe 2009/06/10 23:14. 2001/08/18 02:36 462,848-c - aw-c: \ windows \ system32 \ dllcache \ a3dapi.dll 2009/06/10 23:14. 2001/08/18 02:36 462,848 ---- aw-c: \ windows \ system32 \ a3dapi.dll 2009/06/10 23:13. 2009/06/11 07:20 -------- d ----- w-C: \ Descent3 2009/06/10 23:13. 2009/06/10 23:13 -------- d ----- w-C: \ Jogos 2009/06/10 20:13. 2009/05/07 15:32 345,600-c ---- w-c: \ windows \ system32 \ dllcache \ Localspl.dll 2009/06/10 20:13. 2009/04/15 14:51 585,216-c ---- w-c: \ windows \ system32 \ dllcache \ rpcrt4.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) )))))))))))))))))))))))))))))))))))))))))))) . 2009/06/24 23:25. 2008/05/16 03:35 -------- d ----- w-c: \ Documents and Settings \ All Users \ Application Data \ Kaspersky Lab 2009/06/24 21:26. 2008/05/16 03:35 761,888 - sha-w-c: \ windows \ system32 \ drivers \ fidbox2.dat 2009/06/24 21:26. 2008/05/16 03:35 64,388 - sha-w-c: \ windows \ system32 \ drivers \ fidbox.idx 2009/06/24 21:26. 2008-05-16 03:35 4571424 - sha-w-c: \ windows \ system32 \ drivers \ fidbox.dat 2009/06/24 21:26. 2008/05/16 03:35 29,696 - sha-w-c: \ windows \ system32 \ drivers \ fidbox2.idx 2009/06/24 21:09. 2008/05/17 00:25 -------- d ----- w-c: \ Documents and Settings \ Mouse \ Application Data \ LimeWire 2009/06/24 16:37. 2008/05/19 02:02 -------- d ----- w-C: \ Program Files \ SUPERAntiSpyware 2009/06/23 19:00. 2008/10/16 02:40 -------- d ----- w-C: \ Program Files \ Pando Networks 2009/06/23 18:59. 2008/11/29 18:36 -------- d ----- w-C: \ Program Files \ PalmOne 2009/06/21 23:00. 2009/02/09 03:50 138,184 ---- aw-c: \ windows \ system32 \ drivers \ PnkBstrK.sys 2009/06/21 23:00. 
2009/02/09 03:50 183,112 ---- aw-c: \ windows \ system32 \ PnkBstrB.exe 2009/06/18 22:35. 2008/06/17 15:40 -------- d ----- w-C: \ Program Files \ Diablo II 2009/06/18 22:31. 2008/06/02 00:09 -------- d --- aw-c: \ Documents and Settings \ All Users \ Application Data \ TEMP 2009/06/17 22:51. 2008/05/15 04:41 -------- d ----- w-c: \ Documents and Settings \ Mouse \ Application Data \ uTorrent 2009/06/13 16:32. 2008/08/19 04:10 -------- d ----- w-C: \ Program Files \ Common Files \ Apple 2009/05/20 16:16. 2008/05/16 03:36 94,643 ---- aw-c: \ windows \ system32 \ drivers \ klick.dat 2009/05/20 16:16. 2008/05/16 03:36 105,395 ---- aw-c: \ windows \ system32 \ drivers \ klin.dat 2009/05/17 20:58. 2009/05/17 20:58 -------- d ----- w-C: \ Program Files \ LG Electronics 2009/05/17 20:58. 2008/05/12 09:20 -------- d - h - w-C: \ Program Files \ InstallShield Informações de instalação 2009/05/17 20:57. 2008/05/12 09:20 -------- d ----- w-C: \ Program Files \ Common Files \ InstallShield 2009/05/07 15:32. 2003/03/31 12:00 345,600 ---- aw-c: \ windows \ system32 \ Localspl.dll 2009/04/29 04:46. 2003/03/31 12:00 666,624 ---- aw-c: \ windows \ system32 \ wininet.dll 2009/04/29 04:46. 2008/05/16 21:18 81,920 ------ w-c: \ windows \ system32 \ ieencode.dll 2009/04/28 10:48. 2008/05/17 00:24 -------- d ----- w-C: \ Program Files \ Java 2009/04/28 10:47. 2009/04/28 10:47 152,576 ---- aw-c: \ Documents and Settings \ Mouse \ Application Data \ domingo \ Java \ jre1.6.0_13 \ lzma.dll 2009/04/26 01:13. 2009/04/26 00:43 -------- d ----- w-c: \ Documents and Settings \ Mouse \ Dados de aplicativos \ Move Networks 2009/04/17 12:26. 2003/03/31 12:00 1.847.168 ---- aw-c: \ windows \ system32 \ win32k.sys 2009/04/15 14:51. 2003/03/31 12:00 585,216 ---- aw-c: \ windows \ system32 \ rpcrt4.dll 2009/04/08 06:13. 
2009/04/08 06:13 45,056 ---- ar-c: \ Documents and Settings \ Mouse \ Application Data \ Microsoft \ Installer \ (B5F7ED63-E4D5-94F0-4BE6-F06A2CCC5374) \ MapleStory.exe1_B5F7ED63E4D54BE694F0 F06A2CCC5374.exe 2009/04/08 06:13. 2009/04/08 06:13 45,056 ---- ar-c: \ Documents and Settings \ Mouse \ Application Data \ Microsoft \ Installer \ (B5F7ED63-E4D5-94F0-4BE6-F06A2CCC5374) \ MapleStory.exe_B5F7ED63E4D54BE694F0F 06A2CCC5374_1.exe 2009/04/08 06:13. 2009/04/08 06:13 10,134 ---- ar-c: \ Documents and Settings \ Mouse \ Application Data \ Microsoft \ Installer \ (B5F7ED63-E4D5-94F0-4BE6-F06A2CCC5374) \ ARPPRODUCTICON.exe 2009/04/05 23:39. 2008/05/16 02:24 23,032 ---- aw-c: \ Documents and Settings \ Mouse \ Local Settings \ Application Data \ GDIPFONTCACHEV1.DAT 2009/04/05 23:27. 2009/04/05 23:28 5.433.520 ---- aw-c: \ windows \ system32 \ SpoonUninstall.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) )))))))))))))))))))))))))))))))))))))))) . . * Nota * entradas vazias & legit entradas padrão não são mostrados REGEDIT4 [HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ actuais ntVersion \ Run] "ctfmon.exe" = "c: \ windows \ system32 \ ctfmon.exe" [2008-04-14 15360] "H / PC Connection Agent" = "C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe" [2006-11-13 1289000] [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run] "NvCplDaemon" = "c: \ windows \ system32 \ NvCpl.dll" [2008-05-03 13529088] "CTDVDDET" = "C: \ Program Files \ Creative \ Sound Blaster X-Fi \ DVDAudio \ CTDVDDET.EXE" [2003-06-18 45056] "RCSystem" = "C: \ Program Files \ Creative \ Shared Files \ Module Loader \ DLLML.exe" [2005-11-04 49152] "AudioDrvEmulator" = "C: \ Program Files \ Creative \ Shared Files \ Module Loader \ DLLML.exe" [2005-11-04 49152] "VolPanel" = "C: \ Program Files \ Creative \ Sound Blaster X-Fi \ Volume Panel \ VolPanlu.exe" [2006-07-28 122880] "NvMediaCenter" = "c: \ windows \ system32 \ NvMcTray. 
Dll" [2008-05-03 86016] "AVP" = "C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ avp.exe" [2009-02-05 201992] "QuickTime Task" = "C: \ Program Files \ QuickTime \ QTTask.exe" [2009-05-26 413696] "AppleSyncNotifier" = "C: \ Program Files \ Common Files \ Apple \ Mobile Device Support \ bin \ AppleSyncNotifier.exe" [2009-05-14 177472] "iTunesHelper" = "C: \ Program Files \ iTunes \ iTunesHelper.exe" [2009-06-05 292136] "CTHelper" = "CTHELPER.EXE" - c: \ windows \ system32 \ CtHelper.exe [2008-02-21 19456] "CTxfiHlp" = "CTXFIHLP.EXE" - c: \ windows \ system32 \ Ctxfihlp.exe [2008-02-21 19968] [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entversion \ explorer \ ShellExecuteHooks] "(5AE067D3-9AFB-48E0-853A-EBB7F4A000DA)" = "C: \ Program Files \ SUPERAntiSpyware \ SASSEH.DLL" [2009-01-01 77824] [HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ notificar \! SASWinLogon] 2009/01/01 04:29 356,352 ---- aw-C: \ Program Files \ SUPERAntiSpyware \ SASWINLO.DLL [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Contro l \ safeboot \ Minimal \ Wdf01000.sys] @ = "Driver" [HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Menu Iniciar ^ Programas ^ Inicializar ^ Adobe Gamma Loader.lnk] path = c: \ Documents and Settings \ All Users \ Menu Iniciar \ Programas \ Inicializar \ Adobe Gamma Loader.lnk backup = c: \ windows \ pss \ Adobe Gamma Loader.lnkCommon Inicialização [HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Menu Iniciar ^ Programas ^ Arranque ^ HOTSYNCSHORTCUTNAME.lnk] path = c: \ Documents and Settings \ All Users \ Menu Iniciar \ Programas \ Inicializar \ HOTSYNCSHORTCUTNAME.lnk backup = c: \ windows \ pss \ n HOTSYNCSHORTCUTNAME.lnkCommo Inicialização [HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Menu Iniciar ^ Programas ^ Inicializar ^ Microsoft Office.lnk] path = c: \ Documents and Settings \ All Users \ Menu Iniciar \ Programas \ 
Inicializar \ Microsoft Office.lnk backup = c: \ windows \ pss \ Microsoft Office.lnkCommon Inicialização [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ shared tools \ msconfig \ services] "StyleXPService" = 2 (0x2) "PLFlash DeviceIoControl Service" = 2 (0x2) "NMIndexingService" = 3 (0x3) "Nero BackItUp Scheduler 3" = 2 (0x2) "MDM" = 2 (0x2) "ZuneNetworkSvc" = 3 (0x3) "WMPNetworkSvc" = 3 (0x3) "npkcmsvc" = 2 (0x2) "JavaQuickStarterService" = 2 (0x2) "IDriverT" = 3 (0x3) "iPod Service" = 3 (0x3) "idsvc" = 3 (0x3) "Adobe LM Service" = 3 (0x3) [HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center] "AntiVirusOverride" = dword: 00000001 [HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring \ KasperskyAntiVirus] "DisableMonitoring" = dword: 00000001 [HKLM \ ~ \ Services \ SharedAccess \ Parameters \ firewallpo licy \ standardprofile] "EnableFirewall" = 0 (0x0) [HKLM \ ~ \ Services \ SharedAccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List] "% windir% \ \ system32 \ \ Sessmgr.exe" = "c: \ \ Arquivos de Programas \ \ uTorrent \ \ uTorrent.exe" = "c: \ \ Arquivos de Programas \ \ Veoh Networks \ \ Veoh \ \ VeohClient.exe" = "c: \ \ Arquivos de Programas \ \ LimeWire \ \ LimeWire.exe" = "c: \ \ Arquivos de Programas \ \ Sierra \ \ FEAR \ \ FEAR.exe" = "c: \ \ Arquivos de Programas \ \ Xfire \ \ xfire.exe" = "c: \ \ Arquivos de Programas \ \ Ubisoft \ \ Assassin's Creed \ \ AssassinsCreed_Dx9.exe" = "c: \ \ Arquivos de Programas \ \ Ubisoft \ \ Assassin's Creed \ \ AssassinsCreed_Dx10.exe" = "c: \ \ Arquivos de Programas \ \ Ubisoft \ \ Assassin's Creed \ \ AssassinsCreed_Launcher.exe" = "c: \ \ Documents and Settings \ \ All Users \ \ Application Data \ \ Kaspersky Lab Setup Files \ \ Kaspersky Internet Security 2009 \ \ Inglês \ \ setup.exe" = "C: \ Program Files \ Microsoft ActiveSync \ rapimgr.exe" = C: \ Program Files \ Microsoft ActiveSync \ rapimgr.exe: 169.254.2.0/255.255.255.0: Enabled: ActiveSync RAPI 
Manager "C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe" = C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe: 169.254.2.0/255.255.255.0: Enabled: ActiveSync Connection Manager "C: \ Program Files \ Microsoft ActiveSync \ WCESMgr.exe" = C: \ Program Files \ Microsoft ActiveSync \ WCESMgr.exe: 169.254.2.0/255.255.255.0: Enabled: ActiveSync Application "% windir% \ \ Network Diagnostic \ \ xpnetdiag.exe" = "c: \ \ Arquivos de Programas \ \ Skype \ \ Phone \ \ Skype.exe" = "c: \ \ Program Files \ \ Common Files \ AOL \ \ Loader \ \ aolload.exe" = "c: \ \ Arquivos de Programas \ \ AIM6 \ \ aim6.exe" = "c: \ \ Arquivos de Programas \ \ Bonjour \ \ mDNSResponder.exe" = "c: \ \ Arquivos de Programas \ \ iTunes \ \ iTunes.exe" = [HKLM \ ~ \ Services \ SharedAccess \ Parameters \ firewallpo licy \ standardprofile \ GloballyOpenPorts \ List] "6112: TCP" = 6112: TCP: Diablo 2 "26675: TCP" = 26675: TCP: 169.254.2.0/255.255.255.0: Enabled: ActiveSync Service "58398: TCP" = 58398: TCP: Pando Media Booster "58398: UDP" = 58398: UDP: Pando Media Booster R0 klbg; Kaspersky Lab Boot Guard Driver; c: \ windows \ system32 \ drivers \ klbg.sys [1/29/2008 6:29 33808] R1 SASDIFSV; SASDIFSV; C: \ Program Files \ SUPERAntiSpyware \ SASDIFSV.SYS [2/29/2008 4:03 9968] R1 SASKUTIL; SASKUTIL; C: \ Program Files \ SUPERAntiSpyware \ SASKUTIL.SYS [2/29/2008 4:03 55024] R1 UGURU; UGURU; c: \ windows \ system32 \ drivers \ uGuru.sys [5/12/2008 5:23 14592] R3 KLFLTDEV; Kaspersky Lab KLFltDev; c: \ windows \ system32 \ drivers \ klfltdev.sys [3/13/2008 7:02 26640] R3 klim5; Kaspersky Anti-Virus NDIS Filter; c: \ windows \ system32 \ drivers \ klim5.sys [12/13/2007 1:28 24592] S2 Cubase32; Cubase32; c: \ windows \ system32 \ drivers \ Cuba se32.sys [4/5/2009 7:02 11.808] S3 SASENUM; SASENUM; C: \ Program Files \ SUPERAntiSpyware \ SASENUM.SYS [2/16/2006 4:51 4096] --- Outros Serviços / drivers em Memória --- * NewlyCreated * - SASDIFSV . 
Conteúdo da 'Tarefas agendadas' pasta 2009/06/13 c: \ windows \ Tasks \ AppleSoftwareUpdate.job - C: \ Program Files \ Apple Software Update \ SoftwareUpdate.exe [2008-07-30 17:34] 2009/06/24 c: \ windows \ Tasks \ Malwarebytes' Anti-Malware.job - C: \ progra ~ 1 \ MALWAR ~ 1 \ mbam.exe [2008-05-19 00:52] . - - - - ÓRFÃOS REMOVIDO - - - -- Safeboot-AVG Anti-Spyware Driver Safeboot-AVG Anti-Spyware Guard . Scan Suplementar ------- ------- . uStart Page = hxxp: / / google.com / IE: Add to Banner Ad Blocker - C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ ie_banner_deny.htm IE: E & xportar para o Microsoft Excel - C: \ PROGRA ~ 1 \ MICROS ~ 2 \ Office10 \ EXCEL.EXE/3000 DPF: Microsoft XML Parser para Java - file: / / c: \ windows \ Java \ classes \ xmldso.cab DPF: (463ED66E-431B-11D2-ADB0-0080C83DA4EB) - hxxps: / / w3s.webmoney.ru/WMAcceptor.dll FF - ProfilePath -- . ************************************************** ************************ CatchMe 0.3.1398 W2K/XP/Vista - rootkit / stealth malware detector por Gmer, http://www.gmer.net Rootkit scan 2009/06/24 19:25 5/1/2600 Windows Service Pack 3 NTFS digitalizar processos escondidos ... escaneamento automático entradas escondidas ... digitalizar os arquivos ocultos ... varredura foi concluída com êxito ficheiros ocultos: 0 ************************************************** ************************ . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (47629D4 B-2AD3-4e50-B716-A66C15C63153) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "cd042efbbd7f7af1647644e76e06692b" = hex: 2e, e8, e1, 00, eb, 16,2 b, de, ff, 66,8 f, 81, d1, 34, d2, d9, c8, 28,51, af, b0, 29, a3, 98, A9, c3, A8, 8a, 5e, d3, 39,87, e2, 63,26, f1, 3f, c8, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (604BB98 A-A94F-4a5c-A67C-D8D3582C741C) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "bca643cdc5c2726b20d2ecedcc62c59b" = hex: 71,3 b, 04,66, 8b, 46,0 d, 96, c2, c2, dc, e4, A8, 65,45,2 e, 71,3 b, 04,66,8 b, 46,0 d, 96,21,7 c, aa, e9, a8, 42, 2f, c4, 6a, 9c, d6, 61, af, 45, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (684373F B-9CD8-4e47-B990-5A4466C16034) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "2c81e34222e8052573023a60d06dd016" = hex: 25, DA, CE, 7e, 55,20, c9, 26, EB, A7, DF, 4d, 25, c2, 62,83,25, DA, CE, 7e, 55,20, c9, 26, a3, f2, 65, ed, 80,3 e, e4, f6, ff, 7c, 85, e0, 43, d4, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (74554CC D-F60F-4708-AD98-D0152D08C8B9) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "2582ae41fb52324423be06337561aa48" = hex: 3e, 1e, 9.oE, e0, 57,5 a, 93,61, f2, a1, b4, 61,82, bb, ab, d5, 3e, 1e, 9.oE, e0, 57,5 a, 93,61,6 f, 0e, 5c, ae, CE, 4f, e7, 8d, 86,8 c, 21,01, seja, 91, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (7EB537F 9-A916-4339-B91B-DED8E83632C0) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "caaeda5fd7a9ed7697d9686d4b818472" = hex: cd, 44, cd, b9, a6, 33,6 c, cd, 91, d7, 7a, 29,97, c7, 40,4 b, cd, 44, cd, b9, a6, 33,6 c, cd, 49,19,95,11,6 f, ac, 43,68, f5, 1d, 4d, 73, a8, 13, \ 
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (948395E 8-7A56-4fb1-843B-3E52D94DB145) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "a4a1bcf2cc2b8bc3716b74b2b4522f5d" = hex: df, 20,58,62, 78,6 b, cf, c8, 7e, 4a, d5, 24,8 d, 3a, 49, C4, b0, 18, ed, A7, 3f, 8d, 37, a4, 29, b5, 53,9 um, d3, 4a, 02,51, DF, 20,58,62,78,6 b, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (AC3ED30 B-6F1A-4bfc-A4F6-2EBDCCD34C19) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "4d370831d2c43cd13623e232fed27b7b" = hex: 31,77, e1, ba, b1, f8, 68,02,09, d4, 0b, f3, 53, bc, 62,26,31,77, e1, ba, b1, f8, 68,02,77, c3, de, c6, 98,79, 54,2 c, fb, A7, 78, e6, 12,2 f, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (DE5654C A-EB84-4df9-915B-37E957082D6D) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "1d68fe701cdea33e477eb204b76f993d" = hex: 01,3 a, 48, fc, e8, 04,4 a, f1, df, 00, d5, 43, ff, f8, 0F, f3, 83,6 c, 56,8 b, a0, 85,96, ab, d5, 19,39,90, da, 30, 2a, 05,01,3 a, 48, fc, e8, 04, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (E39C35E 8-7488-4926-92B2-2F94619AC1A5) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "1fac81b91d8e3c5aa4b0a51804d844a3" = hex: f6, 0F, 4e, 58, 98,5 b, 89, c9, 6a, eA, f8, c4, 82, 1a, 7f, d8, 51, fa, 6e, 91,28,9 e, 14, cc, 82, AC, 7a, 83, EB, 90, 81, c6, f6, 0F, 4e, 58,98,5 b, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (EACAFCE 5-B0E2-4288-8073-C02FF9619B6F) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "f5f62a6129303efb32fbe080bb27835b" = hex: 3d, ce, eA, 26, 2d, 45, aa, 78,0 b, ba, 41,78,8 a, c9, 90,04, b1, cd, 45,5 a, a8, c4, f8, b9, 6b, c6, a2, 44,8 d, 59, a6, f5, 3d, ce, eA, 26,2 d, 45, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (F8F02AD D-7366-4186-9488-C21CB8B3DCEC) 
\ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "fd4e2e1a3940b94dceb5a6a021f2e3c6" = hex: 2a, b7, cc, b5, b9, 7f, 41, e7, 5d, 45,06,19,5 e, 30,20, e6, e3, 0e, 66, d5, EB, bc, 2f, 6b, e1, 69,31, ac, dd, BA, 7f, 02,2 a, b7, cc, b5, b9, 7f, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (FEE45DE 2-A467-4bf9-BF2D-1411304BCD84) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "8a8aec57dd6508a385616fbc86791ec2" = hex: fa, eA, 66,7 f, d4, 3b, 6b, 70, a5, 97,0 a, 6e, 8a, cf, 52,73, fa, eA, 66,7 f, d4, 3b, 6b, 70,30,24, eA, 79, a1, 7.oB, 08,64,6 c, 43,2 d, 1e, aa, 22, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Installer \ UserData \ LocalSystem \ Componen ts \ h-€ | YYYY ¤ • € | ù • Um ~ *] "AB141C35E9F4BF344B9FC010BB17F68A" = "" . --------------------- DLLs Loaded Sob Running Processes --------------------- - - - - - - -> 'Winlogon.exe' (1028) C: \ Program Files \ SUPERAntiSpyware \ SASWINLO.DLL c: \ windows \ system32 \ klogon.dll - - - - - - -> 'Explorer.exe' (3748) c: \ windows \ system32 \ WPDShServiceObj.dll c: \ windows \ system32 \ PortableDeviceTypes.dll c: \ windows \ system32 \ PortableDeviceApi.dll . ------------------------ Other Running Processes ----------------------- -- . C: \ Program Files \ Creative \ Shared Files \ CTAudSvc.exe C: \ Program Files \ Common Files \ Apple \ Mobile Device Support \ bin \ AppleMobileDeviceService.exe C: \ Program Files \ Bonjour \ mDNSResponder.exe c: \ windows \ system32 \ nvsvc32.exe c: \ windows \ system32 \ PnkBstrA.exe c: \ windows \ system32 \ rundll32.exe c: \ progra ~ 1 \ MICROS ~ 4 \ rapimgr.exe C: \ Program Files \ Creative \ Sound Blaster X-Fi \ Entertainment Center \ EAXLoadr.exe C: \ Program Files \ iPod \ bin \ iPodService.exe c: \ windows \ system32 \ wscntfy.exe c: \ windows \ system32 \ CTxfispi.exe . 
************************************************** ************************ . Conclusão tempo: 2009/06/24 19:29 - máquina foi reinicializada ComboFix-quarantined-files.txt 2009/06/24 23:29 ComboFix2.txt 2008/05/20 17:05 Pré-Run: 65511231488 bytes livres Post-Run: 67799437312 bytes livres WindowsXP-KB310994-SP2-Pro-Bootdisk-PTG.exe [boot loader] timeout = 2 default = multi (0) disk (0) rdisk (1) partition (1) \ WINDOW S [sistemas operacionais] c: \ cmdcons \ bootsect.dat = "Microsoft Windows Recovery Console" / cmdcons multi (0) disk (0) rdisk (1) partition (1) \ WINDOWS = "Micro soft Windows XP Professional" / noexecute = OptIn / fastdetect multi (0) disk (0) rdisk (0) partition (1) \ WINDOWS = "Micro soft Windows XP Professional" / fastdetect / noexecute = OptIn Atual = 3 Default = 3 Falha = 1 LastKnownGood = 4 Conjuntos = 1,2,3,4 335 --- --- EOF 2009/06/11 03:03 |
#7
Delete these files / folders as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the code box below: highlight all of the text and press Ctrl + C
Code:

KillAll::
RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h-€|YYYY¤•€|ù•Um~*]

4. Then click File > Save
5. Name the file CFScript.txt - save the file to your desktop
6. Then drag the CFScript (hold the left mouse button down while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe as you see in the image below.
Important: Follow these instructions carefully!
ComboFix will start running; just follow the on-screen instructions.
After the reboot (in case it asks you to reboot), it will produce a log for you. Post that log (ComboFix.txt) in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
----------
Also let me know how the computer is running now.
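As an added example for this thread (not the helper's or ComboFix's own code), the Python below does by machine what the helper did by hand above: it pulls the keys listed under the log's LOCKED REGISTRY KEYS section, undoes the garbling this board applied to them (spaces around backslashes, parentheses in place of the GUID braces, a stray space inside a GUID), and emits the KillAll::/RegLock:: CFScript block. The log excerpt is constructed to resemble the one posted above, and the function names are my own.

```python
"""Turn the LOCKED REGISTRY KEYS section of a ComboFix log into a CFScript.

Added example for this thread, not ComboFix's own tooling. Function names and
the sample log are mine; the excerpt is constructed to resemble the log
posted above, including the garbling the board applied to it.
"""
import re

# Constructed sample: two of the twelve CLSID keys from the log above, one
# garbled the way the board rendered it (spaced backslashes, "(" ")" instead
# of the GUID braces, a space inside the GUID), one already clean.
SAMPLE_LOG = """\
************************************************************************
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE \\ SOFTWARE \\ Classes \\ CLSID \\ (47629D4 B-2AD3-4e50-B716-A66C15C63153) \\ InprocServer32 *]
"ThreadingModel"="Apartment"
@="c:\\\\WINDOWS\\\\system32\\\\ole32.dll"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ff,66,8f,81,d1,34,\\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\\\WINDOWS\\\\system32\\\\ole32.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Winlogon.exe'(1028)
"""

# "--------- SECTION NAME ---------" header lines that divide a ComboFix log
SECTION_RE = re.compile(r"^-{5,}\s*(.*?)\s*-{5,}$")
# a registry key line: "[HKEY_...]"
KEY_RE = re.compile(r"^\[(.+)\]$")
# a GUID whose braces became parentheses, possibly with stray spaces inside
PAREN_GUID_RE = re.compile(r"\(\s*([0-9A-Fa-f\s-]{36,})\s*\)")


def normalize_key(raw):
    """Undo the forum garbling so the key reads as the registry holds it."""
    key = re.sub(r"\s*\\\s*", r"\\", raw.strip())       # "A \ B" -> "A\B"
    key = PAREN_GUID_RE.sub(                             # "(47629D4 B-...)" -> "{47629D4B-...}"
        lambda m: "{" + re.sub(r"\s+", "", m.group(1)) + "}", key)
    key = re.sub(r"\s*\*$", "*", key)                    # "...Server32 *" -> "...Server32*"
    return key


def locked_keys(log_text):
    """Return the normalized key paths listed under LOCKED REGISTRY KEYS.

    Only lines between that section header and the next header are read, so
    keys quoted elsewhere in the log (Reg Loading Points, for instance) are
    not swept into the script by mistake.
    """
    keys, inside = [], False
    for line in log_text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            inside = header.group(1).upper() == "LOCKED REGISTRY KEYS"
            continue
        if inside:
            key = KEY_RE.match(line.strip())
            if key:
                keys.append(normalize_key(key.group(1)))
    return keys


def build_cfscript(keys):
    """Assemble the CFScript text: KillAll::, then RegLock:: with one key per line."""
    lines = ["KillAll::", "RegLock::"] + ["[" + k + "]" for k in keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Paste into Notepad and save as CFScript.txt, as the post above describes.
    print(build_cfscript(locked_keys(SAMPLE_LOG)), end="")
```

Running it against a real log is a matter of replacing SAMPLE_LOG with the file's contents; because the parser stops at the next section header, the twelve locked CLSID keys come out in the same order the log lists them, which makes the generated script easy to compare line by line with the one the helper posted.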
#8
ComboFix 09-06-23.01 - Rato 06/25/2009 19:04.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1597 [GMT -4:00] Executando de: C: \ Documents and Settings \ Mouse \ Desktop \ ComboFix.exe Comando interruptores utilizados:: C: \ Documents and Settings \ Mouse \ Desktop \ CFScript.txt AV: Kaspersky Internet Security * On-access scanning deficientes * (Atualizado) (2C4D4BC6-0793-4956-A9F9-E252435469C0) FW: Kaspersky Internet Security desativado * * (2C4D4BC6-0793-4956-A9F9-E252435469C0) . ((((((((((((((((((((((((((((((((((((((( Outros Supressões ))))))))) )))))))))))))))))))))))))))))))))))))))) . c: \ windows \ system32 \ drivers \ kl1.sys . ((((((((((((((((((((((((( Arquivos criados a partir de 2009/05/25 a 2009/06/25 ))))))))))) )))))))))))))))))))) . 2009/06/24 23:28. 2009/06/24 23:28 -------- dc ---- w-c: \ windows \ system32 \ dllcache \ cache 2009/06/23 18:47. 2009/06/24 16:37 117,760 ---- aw-c: \ Documents and Settings \ Mouse \ Application Data \ SUPERAntiSpyware.com \ SUPERAntiSpyware \ SDDLLS \ UIREPAIR.DLL 2009/06/17 17:58. 2009/06/17 18:10 -------- d ----- w-C: \ Program Files \ LSoft Technologies 2009/06/13 16:32. 2009/06/13 16:32 -------- d ----- w-C: \ Program Files \ iPod 2009/06/13 16:32. 2009/06/13 16:32 -------- d ----- w-C: \ Program Files \ iTunes 2009/06/13 16:28. 2009/06/13 16:29 -------- d ----- w-C: \ Program Files \ QuickTime 2009/06/13 16:23. 2009/06/13 16:23 75,048 ---- aw-c: \ Documents and Settings \ All Users \ Application Data \ Apple Computer \ Installer Cache \ iTunes 8.2.0.23 \ SetupAdmin.exe 2009/06/10 23:14. 2001/08/18 02:36 462,848-c - aw-c: \ windows \ system32 \ dllcache \ a3dapi.dll 2009/06/10 23:14. 2001/08/18 02:36 462,848 ---- aw-c: \ windows \ system32 \ a3dapi.dll 2009/06/10 23:13. 2009/06/11 07:20 -------- d ----- w-C: \ Descent3 2009/06/10 23:13. 2009/06/10 23:13 -------- d ----- w-C: \ Jogos 2009/06/10 20:13. 2009/05/07 15:32 345,600-c ---- w-c: \ windows \ system32 \ dllcache \ Localspl.dll 2009/06/10 20:13. 
2009/04/15 14:51 585,216-c ---- w-c: \ windows \ system32 \ dllcache \ rpcrt4.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) )))))))))))))))))))))))))))))))))))))))))))) . 2009/06/25 23:11. 2008/05/16 03:35 -------- d ----- w-c: \ Documents and Settings \ All Users \ Application Data \ Kaspersky Lab 2009/06/25 23:09. 2008/05/16 03:35 761,888 - sha-w-c: \ windows \ system32 \ drivers \ fidbox2.dat 2009/06/25 23:09. 2008/05/16 03:35 64,388 - sha-w-c: \ windows \ system32 \ drivers \ fidbox.idx 2009/06/25 23:09. 2008-05-16 03:35 4571424 - sha-w-c: \ windows \ system32 \ drivers \ fidbox.dat 2009/06/25 23:09. 2008/05/16 03:35 29,696 - sha-w-c: \ windows \ system32 \ drivers \ fidbox2.idx 2009/06/24 23:59. 2008/01/29 22:29 33,808 ---- aw-c: \ windows \ system32 \ drivers \ klbg.sys 2009/06/24 23:59. 2009/02/05 00:58 33,808 ---- aw-c: \ Documents and Settings \ All Users \ Application Data \ Kaspersky Lab \ AVP8 \ Data \ Updater \ Temporary Files \ temporaryFolder \ AutoPatches \ kav8exec \ 8.0.0.3 57 \ klbg.sys 2009/06/24 23:59. 2008/05/16 03:36 94,643 ---- aw-c: \ windows \ system32 \ drivers \ klick.dat 2009/06/24 23:59. 2008/05/16 03:36 105,395 ---- aw-c: \ windows \ system32 \ drivers \ klin.dat 2009/06/24 23:59. 2008/07/17 23:08 213,520 ---- aw-c: \ Documents and Settings \ All Users \ Application Data \ Kaspersky Lab \ AVP8 \ Data \ Updater \ Temporary Files \ temporaryFolder \ AutoPatches \ kav8exec \ 8.0.0.3 57 \ XP \ klif.sys 2009/06/24 23:59. 2008/07/17 23:08 861,448 ---- aw-c: \ Documents and Settings \ All Users \ Application Data \ Kaspersky Lab \ AVP8 \ Data \ Updater \ Temporary Files \ temporaryFolder \ AutoPatches \ kav8exec \ 8.0.0.3 57 \ updater.dll 2009/06/24 21:09. 2008/05/17 00:25 -------- d ----- w-c: \ Documents and Settings \ Mouse \ Application Data \ LimeWire 2009/06/24 16:37. 2008/05/19 02:02 -------- d ----- w-C: \ Program Files \ SUPERAntiSpyware 2009/06/23 19:00. 
2008/10/16 02:40 -------- d ----- w-C: \ Program Files \ Pando Networks 2009/06/23 18:59. 2008/11/29 18:36 -------- d ----- w-C: \ Program Files \ PalmOne 2009/06/21 23:00. 2009/02/09 03:50 138,184 ---- aw-c: \ windows \ system32 \ drivers \ PnkBstrK.sys 2009/06/21 23:00. 2009/02/09 03:50 183,112 ---- aw-c: \ windows \ system32 \ PnkBstrB.exe 2009/06/18 22:35. 2008/06/17 15:40 -------- d ----- w-C: \ Program Files \ Diablo II 2009/06/18 22:31. 2008/06/02 00:09 -------- d --- aw-c: \ Documents and Settings \ All Users \ Application Data \ TEMP 2009/06/17 22:51. 2008/05/15 04:41 -------- d ----- w-c: \ Documents and Settings \ Mouse \ Application Data \ uTorrent 2009/06/13 16:32. 2008/08/19 04:10 -------- d ----- w-C: \ Program Files \ Common Files \ Apple 2009/05/17 20:58. 2009/05/17 20:58 -------- d ----- w-C: \ Program Files \ LG Electronics 2009/05/17 20:58. 2008/05/12 09:20 -------- d - h - w-C: \ Program Files \ InstallShield Informações de instalação 2009/05/17 20:57. 2008/05/12 09:20 -------- d ----- w-C: \ Program Files \ Common Files \ InstallShield 2009/05/07 15:32. 2003/03/31 12:00 345,600 ---- aw-c: \ windows \ system32 \ Localspl.dll 2009/04/29 04:46. 2003/03/31 12:00 666,624 ---- aw-c: \ windows \ system32 \ wininet.dll 2009/04/29 04:46. 2008/05/16 21:18 81,920 ------ w-c: \ windows \ system32 \ ieencode.dll 2009/04/28 10:48. 2008/05/17 00:24 -------- d ----- w-C: \ Program Files \ Java 2009/04/28 10:47. 2009/04/28 10:47 152,576 ---- aw-c: \ Documents and Settings \ Mouse \ Application Data \ domingo \ Java \ jre1.6.0_13 \ lzma.dll 2009/04/17 12:26. 2003/03/31 12:00 1.847.168 ---- aw-c: \ windows \ system32 \ win32k.sys 2009/04/15 14:51. 2003/03/31 12:00 585,216 ---- aw-c: \ windows \ system32 \ rpcrt4.dll 2009/04/08 06:13. 2009/04/08 06:13 45,056 ---- ar-c: \ Documents and Settings \ Mouse \ Application Data \ Microsoft \ Installer \ (B5F7ED63-E4D5-94F0-4BE6-F06A2CCC5374) \ MapleStory.exe1_B5F7ED63E4D54BE694F0 F06A2CCC5374.exe 2009/04/08 06:13. 
2009/04/08 06:13 45,056 ---- ar-c: \ Documents and Settings \ Mouse \ Application Data \ Microsoft \ Installer \ (B5F7ED63-E4D5-94F0-4BE6-F06A2CCC5374) \ MapleStory.exe_B5F7ED63E4D54BE694F0F 06A2CCC5374_1.exe 2009/04/08 06:13. 2009/04/08 06:13 10,134 ---- ar-c: \ Documents and Settings \ Mouse \ Application Data \ Microsoft \ Installer \ (B5F7ED63-E4D5-94F0-4BE6-F06A2CCC5374) \ ARPPRODUCTICON.exe 2009/04/05 23:39. 2008/05/16 02:24 23,032 ---- aw-c: \ Documents and Settings \ Mouse \ Local Settings \ Application Data \ GDIPFONTCACHEV1.DAT 2009/04/05 23:27. 2009/04/05 23:28 5.433.520 ---- aw-c: \ windows \ system32 \ SpoonUninstall.exe . ((((((((((((((((((((((((((((( SnapShot@2009-06-24_23.25.37 )))))))))))) ))))))))))))))))))))))))))))) . + 2008-03-26 00:07. 2008-03-26 00:07 24592 C: \ Windows \ system32 \ drivers \ klim5.sys - 2007/12/13 17:28. 2008-03-26 00:07 24592 C: \ Windows \ system32 \ drivers \ klim5.sys + 2009/06/24 23:28. 2008-10-16 19:09 51224 C: \ Windows \ system32 \ dllcache \ cache \ wuauclt.exe + 2009/06/24 23:28. 2008-04-14 00:12 82432 C: \ Windows \ system32 \ dllcache \ cache \ Ws2_32.dll + 2009/06/24 23:28. 2008-04-14 00:12 26112 C: \ Windows \ system32 \ dllcache \ cache \ userinit.exe + 2009/06/24 23:28. 2008-04-14 00:12 14336 C: \ Windows \ system32 \ dllcache \ cache \ svchost.exe + 2009/06/24 23:28. 2008-04-14 00:12 57856 C: \ Windows \ system32 \ dllcache \ cache \ spoolsv.exe + 2009/06/24 23:28. 2008-04-14 00:12 17408 C: \ Windows \ system32 \ dllcache \ cache \ powrprof.dll + 2009/06/24 23:28. 2008-04-14 00:12 13312 C: \ Windows \ system32 \ dllcache \ cache \ lsass.exe + 2009/06/24 23:28. 2008-04-13 18:39 24576 C: \ Windows \ system32 \ dllcache \ cache \ Kbdclass.sys + 2009/06/24 23:28. 2008-04-13 18:53 36608 C: \ Windows \ system32 \ dllcache \ cache \ Ip6fw.sys + 2009/06/24 23:28. 2008-04-14 00:12 15360 C: \ Windows \ system32 \ dllcache \ cache \ ctfmon.exe - 2008/04/18 17:53. 
2009-02-05 00:58 213520 c: \ windows \ system32 \ drivers \ klif.sys + 2008/04/18 17:53. 2009-06-24 23:59 213520 c: \ windows \ system32 \ drivers \ klif.sys + 2009/06/24 23:28. 2008-04-14 00:12 507904 c: \ windows \ system32 \ dllcache \ cache \ winlogon.exe + 2009/06/24 23:28. 2009-04-29 04:46 666624 c: \ windows \ system32 \ dllcache \ cache \ wininet.dll + 2009/06/24 23:28. 2008-04-14 00:12 578560 c: \ windows \ system32 \ dllcache \ cache \ user32.dll + 2009/06/24 23:28. 2008-04-14 00:12 295424 c: \ windows \ system32 \ dllcache \ cache \ Termsrv.dll + 2009/06/24 23:28. 2008-06-20 11:51 361600 c: \ windows \ system32 \ dllcache \ cache \ tcpip.sys + 2009/06/24 23:28. 2009/02/06 11:11 110592 c: \ windows \ system32 \ dllcache \ cache \ Services.exe + 2009/06/24 23:28. 2008-04-13 19:20 182656 c: \ windows \ system32 \ dllcache \ cache \ Ndis.sys + 2009/06/24 23:28. 2009-03-21 14:06 989696 c: \ windows \ system32 \ dllcache \ cache \ kernel32.dll + 2009/06/24 23:28. 2008-04-14 00:11 110080 c: \ windows \ system32 \ dllcache \ cache \ imm32.dll + 2009/06/24 23:28. 2008-04-14 00:11 167936 c: \ windows \ system32 \ dllcache \ cache \ appmgmts.dll + 2009/06/24 23:28. 2008/04/14 00:12 1614848 c: \ windows \ system32 \ dllcache \ cache \ Sfcfiles.dll + 2009/06/24 23:28. 2009/02/06 11:06 2145280 c: \ windows \ system32 \ dllcache \ cache \ ntoskrnl.exe + 2009/06/24 23:28. 2009/02/06 10:32 2023936 c: \ windows \ system32 \ dllcache \ cache \ Ntkrnlpa.exe + 2009/06/24 23:28. 2008/04/14 00:12 1033728 c: \ windows \ system32 \ dllcache \ cache \ explorer.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) )))))))))))))))))))))))))))))))))))))))) . . 
* Nota * entradas vazias & legit entradas padrão não são mostrados REGEDIT4 [HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ actuais ntVersion \ Run] "ctfmon.exe" = "c: \ windows \ system32 \ ctfmon.exe" [2008-04-14 15360] "H / PC Connection Agent" = "C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe" [2006-11-13 1289000] [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run] "NvCplDaemon" = "c: \ windows \ system32 \ NvCpl.dll" [2008-05-03 13529088] "CTDVDDET" = "C: \ Program Files \ Creative \ Sound Blaster X-Fi \ DVDAudio \ CTDVDDET.EXE" [2003-06-18 45056] "RCSystem" = "C: \ Program Files \ Creative \ Shared Files \ Module Loader \ DLLML.exe" [2005-11-04 49152] "AudioDrvEmulator" = "C: \ Program Files \ Creative \ Shared Files \ Module Loader \ DLLML.exe" [2005-11-04 49152] "VolPanel" = "C: \ Program Files \ Creative \ Sound Blaster X-Fi \ Volume Panel \ VolPanlu.exe" [2006-07-28 122880] "NvMediaCenter" = "c: \ windows \ system32 \ NvMcTray. Dll" [2008-05-03 86016] "AVP" = "C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ avp.exe" [2009-02-05 201992] "QuickTime Task" = "C: \ Program Files \ QuickTime \ QTTask.exe" [2009-05-26 413696] "AppleSyncNotifier" = "C: \ Program Files \ Common Files \ Apple \ Mobile Device Support \ bin \ AppleSyncNotifier.exe" [2009-05-14 177472] "iTunesHelper" = "C: \ Program Files \ iTunes \ iTunesHelper.exe" [2009-06-05 292136] "CTHelper" = "CTHELPER.EXE" - c: \ windows \ system32 \ CtHelper.exe [2008-02-21 19456] "CTxfiHlp" = "CTXFIHLP.EXE" - c: \ windows \ system32 \ Ctxfihlp.exe [2008-02-21 19968] [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entversion \ explorer \ ShellExecuteHooks] "(5AE067D3-9AFB-48E0-853A-EBB7F4A000DA)" = "C: \ Program Files \ SUPERAntiSpyware \ SASSEH.DLL" [2009-01-01 77824] [HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ notificar \! 
SASWinLogon] 2009/01/01 04:29 356,352 ---- aw-C: \ Program Files \ SUPERAntiSpyware \ SASWINLO.DLL [HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Contro l \ safeboot \ Minimal \ Wdf01000.sys] @ = "Driver" [HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Menu Iniciar ^ Programas ^ Inicializar ^ Adobe Gamma Loader.lnk] path = c: \ Documents and Settings \ All Users \ Menu Iniciar \ Programas \ Inicializar \ Adobe Gamma Loader.lnk backup = c: \ windows \ pss \ Adobe Gamma Loader.lnkCommon Inicialização [HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Menu Iniciar ^ Programas ^ Arranque ^ HOTSYNCSHORTCUTNAME.lnk] path = c: \ Documents and Settings \ All Users \ Menu Iniciar \ Programas \ Inicializar \ HOTSYNCSHORTCUTNAME.lnk backup = c: \ windows \ pss \ n HOTSYNCSHORTCUTNAME.lnkCommo Inicialização [HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Menu Iniciar ^ Programas ^ Inicializar ^ Microsoft Office.lnk] path = c: \ Documents and Settings \ All Users \ Menu Iniciar \ Programas \ Inicializar \ Microsoft Office.lnk backup = c: \ windows \ pss \ Microsoft Office.lnkCommon Inicialização [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ shared tools \ msconfig \ services] "StyleXPService" = 2 (0x2) "PLFlash DeviceIoControl Service" = 2 (0x2) "NMIndexingService" = 3 (0x3) "Nero BackItUp Scheduler 3" = 2 (0x2) "MDM" = 2 (0x2) "ZuneNetworkSvc" = 3 (0x3) "WMPNetworkSvc" = 3 (0x3) "npkcmsvc" = 2 (0x2) "JavaQuickStarterService" = 2 (0x2) "IDriverT" = 3 (0x3) "iPod Service" = 3 (0x3) "idsvc" = 3 (0x3) "Adobe LM Service" = 3 (0x3) [HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center] "AntiVirusOverride" = dword: 00000001 [HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring \ KasperskyAntiVirus] "DisableMonitoring" = dword: 00000001 [HKLM \ ~ \ Services \ SharedAccess \ Parameters \ firewallpo licy \ standardprofile] "EnableFirewall" = 0 (0x0) [HKLM \ ~ \ Services \ SharedAccess \ 
Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List] "% windir% \ \ system32 \ \ Sessmgr.exe" = "c: \ \ Arquivos de Programas \ \ uTorrent \ \ uTorrent.exe" = "c: \ \ Arquivos de Programas \ \ Veoh Networks \ \ Veoh \ \ VeohClient.exe" = "c: \ \ Arquivos de Programas \ \ LimeWire \ \ LimeWire.exe" = "c: \ \ Arquivos de Programas \ \ Sierra \ \ FEAR \ \ FEAR.exe" = "c: \ \ Arquivos de Programas \ \ Xfire \ \ xfire.exe" = "c: \ \ Arquivos de Programas \ \ Ubisoft \ \ Assassin's Creed \ \ AssassinsCreed_Dx9.exe" = "c: \ \ Arquivos de Programas \ \ Ubisoft \ \ Assassin's Creed \ \ AssassinsCreed_Dx10.exe" = "c: \ \ Arquivos de Programas \ \ Ubisoft \ \ Assassin's Creed \ \ AssassinsCreed_Launcher.exe" = "c: \ \ Documents and Settings \ \ All Users \ \ Application Data \ \ Kaspersky Lab Setup Files \ \ Kaspersky Internet Security 2009 \ \ Inglês \ \ setup.exe" = "C: \ Program Files \ Microsoft ActiveSync \ rapimgr.exe" = C: \ Program Files \ Microsoft ActiveSync \ rapimgr.exe: 169.254.2.0/255.255.255.0: Enabled: ActiveSync RAPI Manager "C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe" = C: \ Program Files \ Microsoft ActiveSync \ wcescomm.exe: 169.254.2.0/255.255.255.0: Enabled: ActiveSync Connection Manager "C: \ Program Files \ Microsoft ActiveSync \ WCESMgr.exe" = C: \ Program Files \ Microsoft ActiveSync \ WCESMgr.exe: 169.254.2.0/255.255.255.0: Enabled: ActiveSync Application "% windir% \ \ Network Diagnostic \ \ xpnetdiag.exe" = "c: \ \ Arquivos de Programas \ \ Skype \ \ Phone \ \ Skype.exe" = "c: \ \ Program Files \ \ Common Files \ AOL \ \ Loader \ \ aolload.exe" = "c: \ \ Arquivos de Programas \ \ AIM6 \ \ aim6.exe" = "c: \ \ Arquivos de Programas \ \ Bonjour \ \ mDNSResponder.exe" = "c: \ \ Arquivos de Programas \ \ iTunes \ \ iTunes.exe" = [HKLM \ ~ \ Services \ SharedAccess \ Parameters \ firewallpo licy \ standardprofile \ GloballyOpenPorts \ List] "6112: TCP" = 6112: TCP: Diablo 2 "26675: TCP" = 26675: TCP: 
169.254.2.0/255.255.255.0: Enabled: ActiveSync Service "58398: TCP" = 58398: TCP: Pando Media Booster "58398: UDP" = 58398: UDP: Pando Media Booster R0 klbg; Kaspersky Lab Boot Guard Driver; c: \ windows \ system32 \ drivers \ klbg.sys [1/29/2008 6:29 33808] R1 SASDIFSV; SASDIFSV; C: \ Program Files \ SUPERAntiSpyware \ SASDIFSV.SYS [2/29/2008 4:03 9968] R1 SASKUTIL; SASKUTIL; C: \ Program Files \ SUPERAntiSpyware \ SASKUTIL.SYS [2/29/2008 4:03 55024] R1 UGURU; UGURU; c: \ windows \ system32 \ drivers \ uGuru.sys [5/12/2008 5:23 14592] R3 KLFLTDEV; Kaspersky Lab KLFltDev; c: \ windows \ system32 \ drivers \ klfltdev.sys [3/13/2008 7:02 26640] R3 klim5; Kaspersky Anti-Virus NDIS Filter; c: \ windows \ system32 \ drivers \ klim5.sys [3/25/2008 8:07 24592] S2 Cubase32; Cubase32; c: \ windows \ system32 \ drivers \ Cuba se32.sys [4/5/2009 7:02 11.808] S3 SASENUM; SASENUM; C: \ Program Files \ SUPERAntiSpyware \ SASENUM.SYS [2/16/2006 4:51 4096] . Conteúdo da 'Tarefas agendadas' pasta 2009/06/13 c: \ windows \ Tasks \ AppleSoftwareUpdate.job - C: \ Program Files \ Apple Software Update \ SoftwareUpdate.exe [2008-07-30 17:34] 2009/06/25 c: \ windows \ Tasks \ Malwarebytes' Anti-Malware.job - C: \ progra ~ 1 \ MALWAR ~ 1 \ mbam.exe [2008-05-19 00:52] . . Scan Suplementar ------- ------- . uStart Page = hxxp: / / google.com / IE: Add to Banner Ad Blocker - C: \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 2009 \ ie_banner_deny.htm IE: E & xportar para o Microsoft Excel - C: \ PROGRA ~ 1 \ MICROS ~ 2 \ Office10 \ EXCEL.EXE/3000 DPF: Microsoft XML Parser para Java - file: / / c: \ windows \ Java \ classes \ xmldso.cab DPF: (463ED66E-431B-11D2-ADB0-0080C83DA4EB) - hxxps: / / w3s.webmoney.ru/WMAcceptor.dll FF - ProfilePath -- . 
************************************************** ************************ CatchMe 0.3.1398 W2K/XP/Vista - rootkit / stealth malware detector por Gmer, http://www.gmer.net Rootkit scan 2009/06/25 19:11 5/1/2600 Windows Service Pack 3 NTFS digitalizar processos escondidos ... escaneamento automático entradas escondidas ... digitalizar os arquivos ocultos ... varredura foi concluída com êxito ficheiros ocultos: 0 ************************************************** ************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (47629D4 B-2AD3-4e50-B716-A66C15C63153) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "cd042efbbd7f7af1647644e76e06692b" = hex: 2e, e8, e1, 00, eb, 16,2 b, de, ff, 66,8 f, 81, d1, 34, d2, d9, c8, 28,51, af, b0, 29, a3, 98, A9, c3, A8, 8a, 5e, d3, 39,87, e2, 63,26, f1, 3f, c8, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (604BB98 A-A94F-4a5c-A67C-D8D3582C741C) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "bca643cdc5c2726b20d2ecedcc62c59b" = hex: 71,3 b, 04,66, 8b, 46,0 d, 96, c2, c2, dc, e4, A8, 65,45,2 e, 71,3 b, 04,66,8 b, 46,0 d, 96,21,7 c, aa, e9, a8, 42, 2f, c4, 6a, 9c, d6, 61, af, 45, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (684373F B-9CD8-4e47-B990-5A4466C16034) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "2c81e34222e8052573023a60d06dd016" = hex: 25, DA, CE, 7e, 55,20, c9, 26, EB, A7, DF, 4d, 25, c2, 62,83,25, DA, CE, 7e, 55,20, c9, 26, a3, f2, 65, ed, 80,3 e, e4, f6, ff, 7c, 85, e0, 43, d4, \ [HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ (74554CC D-F60F-4708-AD98-D0152D08C8B9) \ InprocServer32 *] "ThreadingModel" = "Apartment" @ = "c: \ \ WINDOWS \ \ system32 \ \ ole32.dll" "2582ae41fb52324423be06337561aa48" = hex: 3e, 1e, 9.oE, e0, 57,5 a, 93,61, f2, a1, b4, 61,82, bb, ab, 
#9
Sorry, I overlooked something.

Delete these files/folders as follows:

1. Go to Start > Run, type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.

2. Copy the text in the code box below (highlight all the text and press Ctrl+C).

Code:
KillAll::

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h-€ | YYYY ¤ • € | ù • Um ~*]

4. Then click File > Save.

5. Name the file CFScript.txt and save it to your desktop.

6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe, as you see in the image below. Important: follow these instructions carefully!

ComboFix will start running; just follow the on-screen instructions.

After the reboot (if it asks for one), it will produce a log for you. Post that log (ComboFix.txt) in your next reply.

Note: Do not click in ComboFix's window while it is running. That may cause your system to freeze.

----------

Also let me know how the computer is running now.
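The helper's script above was assembled by hand from the LOCKED REGISTRY KEYS section of the ComboFix log. As an added example (not ComboFix's code and not the helper's), the Python below parses that section from a constructed log excerpt modelled on this thread's, flags the Security Center and firewall overrides the same log showed, and emits a CFScript in the KillAll::/RegLock:: form the helper used; the directive names are taken from the helper's script, the section layout and sample values are assumptions.

```python
"""Triage helpers for a ComboFix log: list the keys from the LOCKED
REGISTRY KEYS section, flag Security Center / firewall overrides from
the Reg Loading Points section, and emit a KillAll::/RegLock:: CFScript
in the form the helper posted. Added example, not ComboFix's own code."""
import re

# Constructed excerpt modelled on the log in this thread (values shortened).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\Services\SharedAccess\Parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\ole32.dll"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,ff,66,8f,81,\
   d1,34,d2,d9,c8,28,51,af
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\ole32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NotLocked]
"DisplayName"="ordinary key, no trailing star"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

LOCKED_HEADER = re.compile(r"^-+\s*LOCKED REGISTRY KEYS\s*-+$")
DASHED_HEADER = re.compile(r"^-{5,}")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+?)(?P<locked>\*?)\]$")
OVERRIDE_LINE = re.compile(
    r'^"(?P<name>AntiVirusOverride|FirewallOverride|DisableMonitoring|EnableFirewall)"'
    r"\s*=\s*(?:dword:)?\s*(?P<value>[0-9A-Fa-f]+)")


def locked_keys(log_text):
    """Keys ComboFix marked as locked (trailing '*'), marker removed, in
    log order. Reading stops at the next dashed section header."""
    keys, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = bool(LOCKED_HEADER.match(line))
            continue
        if DASHED_HEADER.match(line):
            break
        m = KEY_LINE.match(line)
        if m and m.group("locked"):
            keys.append(m.group("key"))
    return keys


def security_overrides(log_text):
    """Settings that silence or disable the built-in protections: a
    Security Center override flag set to 1, or EnableFirewall set to 0."""
    findings = []
    for raw in log_text.splitlines():
        m = OVERRIDE_LINE.match(raw.strip())
        if not m:
            continue
        name, value = m.group("name"), int(m.group("value"), 16)
        if name == "EnableFirewall" and value == 0:
            findings.append("Windows Firewall disabled (EnableFirewall=0)")
        elif name != "EnableFirewall" and value == 1:
            findings.append(f"{name}=1: Security Center alerts suppressed")
    return findings


def build_cfscript(keys):
    """CFScript text in the form used in this thread: KillAll::, then a
    RegLock:: block naming each locked key (CRLF endings for XP Notepad)."""
    lines = ["KillAll::", "", "RegLock::"] + [f"[{k}*]" for k in keys]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for finding in security_overrides(SAMPLE_LOG):
        print("!!", finding)
    print(build_cfscript(locked_keys(SAMPLE_LOG)), end="")
```

A locked key is not malicious on its own (some legitimate products lock theirs), so the generated list is reviewed, as the helper did, before it is handed to ComboFix.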
#10
ComboFix 09-06-23.01 - Rato 06/26/2009 3:47.6 - NTFSx86