Flux 
Social bookmarking
Conservar e compartilhar o endereço de PC Seguro em seu site de social bookmarking
Conservar e compartilhar o endereço de Fórum PC Brasil em seu site de social bookmarking
Estatísticas
Temos 14810 usuários registradosO último membro registrado é Josevinil
Os nossos membros postaram um total de 36047 mensagens em 3685 assuntos
Quem está conectado?
Há 14 usuários online :: 0 registrados, 0 invisíveis e 14 visitantes Nenhum
O recorde de usuários online foi de 301 em Ter 26 Out 2021, 15:28
Procurar
Top dos mais postadores
| Power Max |
| |||
| joram |
| |||
| Wings [In Memoriam] |
| |||
| caedurodrigues |
| |||
| Amigo Brasileiro |
| |||
| luizvilarinho |
| |||
| Danii |
| |||
| Admin |
| |||
| Danilo Marsaro |
| |||
| Andreata |
|
COMO ELIMINAR ROOTKIT ?
2 participantes
Página 1 de 1
COMO ELIMINAR ROOTKIT ?
por nitrox363 Ter 18 maio 2010, 11:24
ComboFix 10-05-16.05 - Douglas 18/05/2010 11:05:58.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1982.1706 [GMT -3]
Executando de: c:\documents and settings\Douglas\desktop\Combofix.exe
Comandos utilizados :: /killall
.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-04-18 to 2010-05-18 ))))))))))))))))))))))))))))
.
2010-05-16 15:03 . 2010-05-16 15:03 -------- d-----w- c:\arquivos de programas\Bazooka Scanner
2010-05-08 04:14 . 2010-03-26 00:49 66048 ----a-w- c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
2010-04-28 01:57 . 2010-04-28 01:57 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\ParetoLogic Anti-Spyware
2010-04-27 01:37 . 2010-04-27 01:37 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 13:46 . 2001-10-28 18:07 48744 ----a-w- c:\windows\system32\perfc016.dat
2010-05-18 13:46 . 2001-10-28 18:07 344724 ----a-w- c:\windows\system32\perfh016.dat
2010-05-16 15:05 . 2010-01-25 22:54 -------- d-----w- c:\documents and settings\Douglas\Dados de aplicativos\GetRightToGo
2010-05-15 14:55 . 2010-01-19 06:15 -------- d-----w- c:\arquivos de programas\sXe Injected
2010-05-15 14:50 . 2007-01-03 02:06 -------- d-----w- c:\arquivos de programas\Valve
2010-04-27 01:35 . 2007-01-11 04:34 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2010-03-17 12:13 . 2007-01-11 02:24 52224 ----a-w- c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9}\components\FFExternalAlert.dll
2010-03-17 12:13 . 2007-01-11 02:24 101376 ----a-w- c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9}\components\RadioWMPCore.dll
2010-03-11 17:22 . 2007-01-31 01:53 69632 ----a-w- c:\windows\system32\MSJCE.dll
2004-08-04 07:45 . 2004-08-04 07:45 168371 --sha-r- c:\windows\system32\idezhbei.dll
.
((((((((((((((((((((((((((((( [Tens de ter uma conta e sessão iniciada para poderes visualizar este link] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-11 04:33 . 2007-04-17 00:45 43352 c:\windows\system32\wups2.dll
+ 2009-06-08 16:08 . 2007-04-17 00:47 33624 c:\windows\system32\wups.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 53080 c:\windows\system32\wuauclt.exe
+ 2007-01-04 23:27 . 2003-01-26 16:41 40960 c:\windows\system32\SSubTmr6.dll
+ 2007-01-11 04:33 . 2007-04-17 00:47 33624 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374\wups.dll
+ 2009-07-26 18:44 . 2009-07-26 18:44 48448 c:\windows\system32\sirenacm.dll
+ 2001-10-28 18:07 . 2010-05-18 13:46 40108 c:\windows\system32\perfc009.dat
+ 2009-06-08 16:08 . 2007-04-17 00:47 33624 c:\windows\system32\dllcache\wups.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 53080 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 07:45 . 2007-04-17 00:45 92504 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 07:45 . 2007-04-17 00:45 92504 c:\windows\system32\cdm.dll
+ 2007-01-11 02:43 . 2007-01-11 02:43 27136 c:\windows\Installer\18dabf9.msi
+ 2007-01-11 02:42 . 2007-01-11 02:42 59904 c:\windows\Installer\18dabdd.msi
+ 2007-01-30 09:03 . 2007-01-30 09:03 29926 c:\windows\Installer\{F1E17FB0-12BC-45D0-ABA3-287F2A1E3A1E}\MsblIco.Exe
+ 2007-01-11 02:43 . 2007-01-11 02:43 80395 c:\windows\Installer\{B5ED7AB0-3838-4389-8549-7C8E22DD48F4}\MsblIco.Exe
+ 2007-01-11 02:43 . 2007-01-11 02:43 62304 c:\windows\Installer\{32BC546A-8AA3-4239-AE92-9CF3291C35A6}\IconWlc.exe
+ 2007-01-04 23:27 . 2007-01-04 23:27 5240 c:\windows\system32\msystem\unins000.dat
+ 2007-01-09 02:09 . 2001-08-18 08:36 8192 c:\windows\system32\kbdkor.dll
+ 2007-01-09 02:09 . 2001-08-18 08:36 8704 c:\windows\system32\kbdjpn.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\kbd106.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 5632 c:\windows\system32\kbd103.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\kbd101c.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\kbd101b.dll
+ 2007-01-09 02:09 . 2001-08-18 08:36 8192 c:\windows\system32\dllcache\kbdkor.dll
+ 2007-01-09 02:09 . 2001-08-18 08:36 8704 c:\windows\system32\dllcache\kbdjpn.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\dllcache\kbd106.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 5632 c:\windows\system32\dllcache\kbd103.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\dllcache\kbd101c.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\dllcache\kbd101b.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 203096 c:\windows\system32\wuweb.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 325976 c:\windows\system32\wucltui.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 549720 c:\windows\system32\wuapi.dll
+ 2007-01-04 23:27 . 2006-11-10 17:28 139264 c:\windows\system32\vbSendMail.dll
+ 2001-10-28 18:07 . 2010-05-18 13:46 311912 c:\windows\system32\perfh009.dat
+ 2007-01-04 23:27 . 2007-01-04 23:27 692602 c:\windows\system32\msystem\unins000.exe
+ 2009-06-08 16:08 . 2007-04-17 00:45 203096 c:\windows\system32\dllcache\wuweb.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 325976 c:\windows\system32\dllcache\wucltui.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 549720 c:\windows\system32\dllcache\wuapi.dll
+ 2007-01-01 23:28 . 2007-01-01 23:28 794112 c:\windows\Installer\1d3c78.msi
+ 2007-01-11 02:43 . 2007-01-11 02:43 152576 c:\windows\Installer\18dabf0.msi
+ 2007-01-11 02:43 . 2007-01-11 02:43 430080 c:\windows\Installer\18dabe7.msi
+ 2007-01-11 02:42 . 2007-01-11 02:42 107008 c:\windows\Installer\18dabe1.msi
+ 2007-01-11 02:42 . 2007-01-11 02:42 155648 c:\windows\Installer\18dabd8.msi
+ 2007-01-01 23:26 . 2007-01-01 23:26 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2009-06-08 16:08 . 2007-04-17 00:45 1710936 c:\windows\system32\wuaueng.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 1710936 c:\windows\system32\dllcache\wuaueng.dll
+ 2007-01-01 23:26 . 2007-01-01 23:26 1565696 c:\windows\Installer\1d3c73.msi
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"nwiz"="nwiz.exe" [2007-04-19 1626112]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7842:TCP"= 7842:TCP:fapixf
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [26/6/2009 09:43 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [26/6/2009 09:43 5248]
S2 iawzyejys;Config Driver;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 04:45 14336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Douglas\CONFIG~1\Temp\ZGU26.tmp --> c:\docume~1\Douglas\CONFIG~1\Temp\ZGU26.tmp [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 XDva302;XDva302;\??\c:\windows\system32\XDva302.sys --> c:\windows\system32\XDva302.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
iawzyejys
.
.
------- Scan Suplementar -------
.
uStart Page = [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
mStart Page = [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\
FF - prefs.js: browser.search.defaulturl - [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
FF - prefs.js: browser.search.selectedEngine - Messenger Plus Live Brazil Customized Web Search
FF - prefs.js: browser.startup.homepage - [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
FF - prefs.js: keyword.URL - [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
FF - component: c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
Rootkit scan 2010-05-18 11:12
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8996C0F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba759cb8
\Driver\atapi -> 0x8996c0f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Douglas\CONFIG~1\Temp\ZGU26.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\iawzyejys]
"ServiceDll"="c:\windows\system32\idezhbei.dll"
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Tempo para conclusão: 2010-05-18 11:15:44 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-05-18 14:15
ComboFix2.txt 2010-05-17 23:12
ComboFix3.txt 2010-05-16 15:15
ComboFix4.txt 2010-04-28 14:51
ComboFix5.txt 2010-05-18 13:59
Pré-execução: 6 pasta(s) 28.900.937.728 bytes disponíveis
Pós execução: 7 pasta(s) 28.872.040.448 bytes disponíveis
- - End Of File - - 58FBD1E9827D4CD503160A2DDB98C0A4
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1982.1706 [GMT -3]
Executando de: c:\documents and settings\Douglas\desktop\Combofix.exe
Comandos utilizados :: /killall
.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-04-18 to 2010-05-18 ))))))))))))))))))))))))))))
.
2010-05-16 15:03 . 2010-05-16 15:03 -------- d-----w- c:\arquivos de programas\Bazooka Scanner
2010-05-08 04:14 . 2010-03-26 00:49 66048 ----a-w- c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
2010-04-28 01:57 . 2010-04-28 01:57 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\ParetoLogic Anti-Spyware
2010-04-27 01:37 . 2010-04-27 01:37 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 13:46 . 2001-10-28 18:07 48744 ----a-w- c:\windows\system32\perfc016.dat
2010-05-18 13:46 . 2001-10-28 18:07 344724 ----a-w- c:\windows\system32\perfh016.dat
2010-05-16 15:05 . 2010-01-25 22:54 -------- d-----w- c:\documents and settings\Douglas\Dados de aplicativos\GetRightToGo
2010-05-15 14:55 . 2010-01-19 06:15 -------- d-----w- c:\arquivos de programas\sXe Injected
2010-05-15 14:50 . 2007-01-03 02:06 -------- d-----w- c:\arquivos de programas\Valve
2010-04-27 01:35 . 2007-01-11 04:34 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2010-03-17 12:13 . 2007-01-11 02:24 52224 ----a-w- c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9}\components\FFExternalAlert.dll
2010-03-17 12:13 . 2007-01-11 02:24 101376 ----a-w- c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9}\components\RadioWMPCore.dll
2010-03-11 17:22 . 2007-01-31 01:53 69632 ----a-w- c:\windows\system32\MSJCE.dll
2004-08-04 07:45 . 2004-08-04 07:45 168371 --sha-r- c:\windows\system32\idezhbei.dll
.
((((((((((((((((((((((((((((( [Tens de ter uma conta e sessão iniciada para poderes visualizar este link] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-11 04:33 . 2007-04-17 00:45 43352 c:\windows\system32\wups2.dll
+ 2009-06-08 16:08 . 2007-04-17 00:47 33624 c:\windows\system32\wups.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 53080 c:\windows\system32\wuauclt.exe
+ 2007-01-04 23:27 . 2003-01-26 16:41 40960 c:\windows\system32\SSubTmr6.dll
+ 2007-01-11 04:33 . 2007-04-17 00:47 33624 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374\wups.dll
+ 2009-07-26 18:44 . 2009-07-26 18:44 48448 c:\windows\system32\sirenacm.dll
+ 2001-10-28 18:07 . 2010-05-18 13:46 40108 c:\windows\system32\perfc009.dat
+ 2009-06-08 16:08 . 2007-04-17 00:47 33624 c:\windows\system32\dllcache\wups.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 53080 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 07:45 . 2007-04-17 00:45 92504 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 07:45 . 2007-04-17 00:45 92504 c:\windows\system32\cdm.dll
+ 2007-01-11 02:43 . 2007-01-11 02:43 27136 c:\windows\Installer\18dabf9.msi
+ 2007-01-11 02:42 . 2007-01-11 02:42 59904 c:\windows\Installer\18dabdd.msi
+ 2007-01-30 09:03 . 2007-01-30 09:03 29926 c:\windows\Installer\{F1E17FB0-12BC-45D0-ABA3-287F2A1E3A1E}\MsblIco.Exe
+ 2007-01-11 02:43 . 2007-01-11 02:43 80395 c:\windows\Installer\{B5ED7AB0-3838-4389-8549-7C8E22DD48F4}\MsblIco.Exe
+ 2007-01-11 02:43 . 2007-01-11 02:43 62304 c:\windows\Installer\{32BC546A-8AA3-4239-AE92-9CF3291C35A6}\IconWlc.exe
+ 2007-01-04 23:27 . 2007-01-04 23:27 5240 c:\windows\system32\msystem\unins000.dat
+ 2007-01-09 02:09 . 2001-08-18 08:36 8192 c:\windows\system32\kbdkor.dll
+ 2007-01-09 02:09 . 2001-08-18 08:36 8704 c:\windows\system32\kbdjpn.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\kbd106.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 5632 c:\windows\system32\kbd103.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\kbd101c.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\kbd101b.dll
+ 2007-01-09 02:09 . 2001-08-18 08:36 8192 c:\windows\system32\dllcache\kbdkor.dll
+ 2007-01-09 02:09 . 2001-08-18 08:36 8704 c:\windows\system32\dllcache\kbdjpn.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\dllcache\kbd106.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 5632 c:\windows\system32\dllcache\kbd103.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\dllcache\kbd101c.dll
+ 2007-01-09 02:09 . 2001-08-18 00:55 6144 c:\windows\system32\dllcache\kbd101b.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 203096 c:\windows\system32\wuweb.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 325976 c:\windows\system32\wucltui.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 549720 c:\windows\system32\wuapi.dll
+ 2007-01-04 23:27 . 2006-11-10 17:28 139264 c:\windows\system32\vbSendMail.dll
+ 2001-10-28 18:07 . 2010-05-18 13:46 311912 c:\windows\system32\perfh009.dat
+ 2007-01-04 23:27 . 2007-01-04 23:27 692602 c:\windows\system32\msystem\unins000.exe
+ 2009-06-08 16:08 . 2007-04-17 00:45 203096 c:\windows\system32\dllcache\wuweb.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 325976 c:\windows\system32\dllcache\wucltui.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 549720 c:\windows\system32\dllcache\wuapi.dll
+ 2007-01-01 23:28 . 2007-01-01 23:28 794112 c:\windows\Installer\1d3c78.msi
+ 2007-01-11 02:43 . 2007-01-11 02:43 152576 c:\windows\Installer\18dabf0.msi
+ 2007-01-11 02:43 . 2007-01-11 02:43 430080 c:\windows\Installer\18dabe7.msi
+ 2007-01-11 02:42 . 2007-01-11 02:42 107008 c:\windows\Installer\18dabe1.msi
+ 2007-01-11 02:42 . 2007-01-11 02:42 155648 c:\windows\Installer\18dabd8.msi
+ 2007-01-01 23:26 . 2007-01-01 23:26 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2009-06-08 16:08 . 2007-04-17 00:45 1710936 c:\windows\system32\wuaueng.dll
+ 2009-06-08 16:08 . 2007-04-17 00:45 1710936 c:\windows\system32\dllcache\wuaueng.dll
+ 2007-01-01 23:26 . 2007-01-01 23:26 1565696 c:\windows\Installer\1d3c73.msi
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"nwiz"="nwiz.exe" [2007-04-19 1626112]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Reader Speed Launch.lnk - c:\arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7842:TCP"= 7842:TCP:fapixf
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [26/6/2009 09:43 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [26/6/2009 09:43 5248]
S2 iawzyejys;Config Driver;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 04:45 14336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Douglas\CONFIG~1\Temp\ZGU26.tmp --> c:\docume~1\Douglas\CONFIG~1\Temp\ZGU26.tmp [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 XDva302;XDva302;\??\c:\windows\system32\XDva302.sys --> c:\windows\system32\XDva302.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
iawzyejys
.
.
------- Scan Suplementar -------
.
uStart Page = [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
mStart Page = [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\
FF - prefs.js: browser.search.defaulturl - [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
FF - prefs.js: browser.search.selectedEngine - Messenger Plus Live Brazil Customized Web Search
FF - prefs.js: browser.startup.homepage - [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
FF - prefs.js: keyword.URL - [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
FF - component: c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\{edbca961-4bf8-4cbe-8c63-a11dff9ed2d9}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Douglas\Dados de aplicativos\Mozilla\Firefox\Profiles\h67my6lu.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
Rootkit scan 2010-05-18 11:12
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [Tens de ter uma conta e sessão iniciada para poderes visualizar este link]
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8996C0F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba759cb8
\Driver\atapi -> 0x8996c0f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Douglas\CONFIG~1\Temp\ZGU26.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\iawzyejys]
"ServiceDll"="c:\windows\system32\idezhbei.dll"
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Tempo para conclusão: 2010-05-18 11:15:44 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-05-18 14:15
ComboFix2.txt 2010-05-17 23:12
ComboFix3.txt 2010-05-16 15:15
ComboFix4.txt 2010-04-28 14:51
ComboFix5.txt 2010-05-18 13:59
Pré-execução: 6 pasta(s) 28.900.937.728 bytes disponíveis
Pós execução: 7 pasta(s) 28.872.040.448 bytes disponíveis
- - End Of File - - 58FBD1E9827D4CD503160A2DDB98C0A4
nitrox363- Iniciante
- Mensagens : 1
Reputação : 0
Data de inscrição : 18/05/2010
Re: COMO ELIMINAR ROOTKIT ?
por LordEvil Qua 19 maio 2010, 09:19
Olá!
O ComboFix é uma ferramenta poderosa e pode causar diversos danos O SEU COMPUTADOR e aos SEUS ARQUIVOS. Nunca o utilize sem supervisão.
Por favor, poste todos os logs encontrados em C:\Qoobox (Combofix1.txt, Combofix2.txt, Combofix3.txt, Combofix4.txt, ComboFix5.txt... etc)
Após isso, poste um log do HijackThis seguindo as instruções [Tens de ter uma conta e sessão iniciada para poderes visualizar este link].
Abraços.
O ComboFix é uma ferramenta poderosa e pode causar diversos danos O SEU COMPUTADOR e aos SEUS ARQUIVOS. Nunca o utilize sem supervisão.
Por favor, poste todos os logs encontrados em C:\Qoobox (Combofix1.txt, Combofix2.txt, Combofix3.txt, Combofix4.txt, ComboFix5.txt... etc)
Após isso, poste um log do HijackThis seguindo as instruções [Tens de ter uma conta e sessão iniciada para poderes visualizar este link].
Abraços.
LordEvil- Membro
- Mensagens : 132
Reputação : 0
Data de inscrição : 13/10/2009
Re: COMO ELIMINAR ROOTKIT ?
por LordEvil Qui 19 Ago 2010, 11:39
Tópico arquivado.
Como o autor não respondeu ao tópico por mais de 20 dias, o mesmo foi arquivado.
Caso você seja o autor do tópico e quer que o mesmo seja reaberto, envie uma mensagem privada para um membro da [Tens de ter uma conta e sessão iniciada para poderes visualizar este link] com um link para este tópico e justifique porque você precisa dele reaberto.
Como o autor não respondeu ao tópico por mais de 20 dias, o mesmo foi arquivado.
Caso você seja o autor do tópico e quer que o mesmo seja reaberto, envie uma mensagem privada para um membro da [Tens de ter uma conta e sessão iniciada para poderes visualizar este link] com um link para este tópico e justifique porque você precisa dele reaberto.
LordEvil- Membro
- Mensagens : 132
Reputação : 0
Data de inscrição : 13/10/2009
Página 1 de 1
Permissões neste sub-fórum
Não podes responder a tópicos|
|
|