
My 4 PCs were infected by the same virus


1 reply to this topic

#1 nanderia

nanderia

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:17 AM

Posted 27 August 2010 - 07:59 AM

I have a network with 4 PCs and 2 notebooks, and I think swapping pen drives between them infected all of them; on 2 of them nothing works anymore. What should I do?

I ran ComboFix and already have the report:

ComboFix 10-08-26.04 - DMSuporte 27/08/2010 10:13:12.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.55.1033.18.2038.1244 [GMT -3:00]
Executando de: c:\users\Windows7\Downloads\ComboFix.exe
.
ADS - drivers: deleted 100 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Win
c:\win\desktop.exe
c:\win\lsass.exe
c:\win\names.txt
c:\windows\desktop
c:\windows\desktop\Rifa.lnk
c:\windows\system32\%appdata%

.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-07-27 to 2010-08-27 ))))))))))))))))))))))))))))
.

2010-08-27 13:16 . 2010-08-27 13:19 -------- d-----w- c:\users\DMSuporte\AppData\Local\temp
2010-08-27 13:16 . 2010-08-27 13:19 -------- d-----w- c:\users\Windows7\AppData\Local\temp
2010-08-27 13:16 . 2010-08-27 13:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-26 17:20 . 2008-12-19 13:35 228692 ----a-w- c:\users\Windows7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.exe
2010-08-25 11:15 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-24 15:04 . 2010-08-24 15:30 -------- d-----w- C:\Rifa
2010-08-23 13:35 . 2010-08-23 13:35 -------- d-----w- c:\users\DMSuporte\AppData\Local\Adobe
2010-08-23 13:32 . 2010-08-23 13:32 -------- d-----w- c:\users\DMSuporte\AppData\Local\Mozilla
2010-08-20 14:16 . 2010-08-09 17:34 14336 ----a-w- c:\users\Windows7\AppData\Roaming\Mozilla\Firefox\Profiles\8am923ux.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
2010-08-20 13:53 . 2010-08-20 13:53 -------- d-----w- c:\users\DMSuporte\AppData\Local\uTorrent
2010-08-20 13:53 . 2010-08-20 13:53 -------- d-----w- c:\users\DMSuporte\AppData\Roaming\uTorrent
2010-08-20 13:52 . 2010-08-27 13:19 -------- d-----w- c:\users\Windows7\AppData\Roaming\uTorrent
2010-08-20 13:52 . 2010-08-20 13:52 -------- d-----w- c:\users\Windows7\AppData\Local\uTorrent
2010-08-20 13:47 . 2010-08-20 13:47 -------- d-----w- c:\users\Windows7\AppData\Roaming\BitTorrent
2010-08-19 11:37 . 2010-08-19 11:37 -------- d-----w- c:\windows\system32\Lang
2010-08-19 11:37 . 2010-08-19 11:37 -------- d-----w- c:\program files\Intel
2010-08-19 11:37 . 2009-09-23 14:50 398336 ----a-w- c:\windows\system32\TVWizudlg.exe
2010-08-19 11:37 . 2009-09-23 14:49 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
2010-08-13 20:52 . 2010-08-13 20:52 -------- d-----w- c:\windows\system32\x64
2010-08-13 20:52 . 2009-09-23 22:30 1002008 ----a-w- c:\windows\system32\igxpun.exe
2010-08-13 15:58 . 2010-06-14 06:12 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-13 15:58 . 2010-07-29 06:30 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-08-13 15:58 . 2010-07-29 06:30 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-08-13 15:58 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-08-13 15:58 . 2010-06-08 06:02 1233920 ----a-w- c:\windows\system32\msxml3.dll
2010-08-13 15:56 . 2010-06-16 05:48 224256 ----a-w- c:\windows\system32\schannel.dll
2010-08-13 15:56 . 2010-06-19 04:07 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-08-02 23:46 . 2010-08-25 11:35 88 --sh--r- c:\programdata\Protexis\8D95B1DCB8.sys
2010-08-02 23:45 . 2010-08-25 11:35 3140 --sha-w- c:\programdata\Protexis\KGyGaAvL.sys
2010-08-02 23:45 . 2010-08-02 23:46 -------- d-----w- c:\programdata\Protexis
2010-08-02 23:45 . 2010-08-02 23:45 -------- d-----w- c:\users\DMSuporte\AppData\Roaming\Corel
2010-08-02 23:39 . 2010-08-02 23:39 -------- d-----w- c:\program files\Microsoft SDKs
2010-08-02 23:39 . 2010-08-02 23:39 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 13:09 . 2009-06-21 20:08 663606 ----a-w- c:\windows\system32\prfh0416.dat
2010-08-25 13:09 . 2009-06-21 20:08 127896 ----a-w- c:\windows\system32\prfc0416.dat
2010-08-20 18:48 . 2010-01-21 13:19 2880 --sha-w- c:\programdata\KGyGaAvL.sys
2010-08-20 18:48 . 2010-01-21 13:19 2880 --sha-w- c:\programdata\KGyGaAvL.sys
2010-08-18 16:42 . 2010-01-21 13:19 -------- d-----w- c:\users\Windows7\AppData\Roaming\Corel
2010-08-13 20:52 . 2009-06-22 12:31 -------- d-----w- c:\programdata\Microsoft Help
2010-08-04 22:31 . 2009-06-21 20:02 117608 ----a-w- c:\users\Windows7\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-02 23:45 . 2010-04-06 20:09 117608 ----a-w- c:\users\DMSuporte\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-02 23:38 . 2010-01-21 12:52 -------- d-----w- c:\programdata\Corel
2010-08-02 23:35 . 2010-01-21 12:51 -------- d-----w- c:\program files\Corel
2010-07-20 12:09 . 2010-07-20 12:09 114149208 ----a-w- c:\programdata\Corel\Downloads\540215253_410003\1270498514694\CDGSX5SP1.exe
2010-06-30 06:25 . 2010-08-13 15:57 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 02:47 . 2010-08-13 15:57 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-13 15:57 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-13 15:57 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 06:33 . 2010-08-13 15:57 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-13 15:57 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-04-06 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]

c:\users\Windows7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
desktop.exe [2008-12-19 228692]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399001}"= "c:\windows\Downloaded Program Files\gbiehbmb.dll" [2009-09-30 305024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 scpVista;scpVista;c:\program files\Scpad\scpVista.exe [2009-07-10 136496]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-30 1343400]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2010-02-12 123280]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2010-02-12 41680]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Realtek11nSU;Realtek11nSU;c:\program files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe [2009-07-10 36864]
S3 Atc002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l260x86.sys [2009-07-13 29184]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2009-10-14 581120]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2010-02-12 99152]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2010-02-12 110096]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {E9FC49E5-C6B5-4D1A-9EB9-271EC200152C} = 200.175.182.139,200.175.5.139
DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} - hxxps://cpne.bradesco.com.br/certifexp.cab
DPF: {E37CB5F0-51F5-4395-A808-5FA49E399001} - hxxps://bdu.bmb.com.br/plugin/GbPluginBmb.cab
FF - ProfilePath - c:\users\DMSuporte\AppData\Roaming\Mozilla\Firefox\Profiles\ci446ins.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORFÃOS REMOVIDOS - - - -

AddRemove-RealVNC_is1 - c:\program files\RealVNC\VNC4\unins000.exe


.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'lsass.exe'(536)
c:\program files\Scpad\scpLIB.dll
c:\program files\Scpad\scpMIB.dll
c:\program files\Scpad\sshib.dll

- - - - - - - > 'Explorer.exe'(2136)
c:\program files\Scpad\scpLIB.dll
c:\program files\Scpad\scpMIB.dll
c:\program files\Scpad\sshib.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\REALTEK\11n USB Wireless LAN Utility\RtWlan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Live\Messenger\msnmsgr.exe
c:\users\Windows7\Desktop\uTorrent.exe
c:\windows\System32\Magnify.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Tempo para conclusão: 2010-08-27 10:23:29 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-08-27 13:23

Pré-execução: 278.011.412.480 bytes disponíveis
Pós execução: 278.053.150.720 bytes disponíveis

- - End Of File - - F2B79A4227E8F372F64180487930F266

Edited by hamluis, 27 August 2010 - 09:05 AM.
Moved from XP forum to Malware Removal Logs forum. I believe this is Portuguese ~ Hamluis.
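The ComboFix log above is mostly noise; what a responder looks for first are the load points and listed files that stand out, such as an executable started from a user's Startup folder, a file carrying a core Windows binary name (lsass.exe) outside the Windows directory, and a literal `%appdata%` directory under system32. The following triage script is an added example written for this page; it is not part of the thread and not ComboFix code. It parses ComboFix-style lines (registry `"Name"="path" [date size]` values, the Startup-folder block, `R2 name;desc;path` service lines and bare listed paths) and applies three flagging rules that are this example's own assumptions, not anything ComboFix does. The sample log is constructed from lines copied out of the posted report.

```python
"""Triage helper for ComboFix-style log lines: extract autostart entries and
listed files, then flag the ones an incident responder would check first.
Added example; not part of the thread and not ComboFix code. The flagging
rules are this example's own heuristics (assumptions), not ComboFix logic."""
import re

# Core Windows binaries that legitimately live only under the Windows directory;
# the same file name anywhere else is a common masquerading sign.
SYSTEM_BINARY_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                       "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\",)
# Path fragments for locations a normal user (or malware running as that user)
# can write to; an autostart pointing there deserves a look.
USER_WRITABLE_MARKERS = ("\\users\\", "\\documents and settings\\",
                         "\\appdata\\", "\\programdata\\", "\\temp\\")

REG_KEY_RE = re.compile(r"^\[(?P<key>hkey_[^\]]+)\]$", re.I)
REG_VALUE_RE = re.compile(r'^"[^"]*"=\s*"(?P<path>[^"]+)"')  # "Name"="path" [date size]
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>[^\[]+?)\s+\[")
FOLDER_RE = re.compile(r"^[a-z]:\\.*\\$", re.I)                # folder header ending in "\"
FOLDER_FILE_RE = re.compile(r"^(?P<file>[^\\\[]+?)\s+\[\d{4}-\d{2}-\d{2} \d+\]$")
BARE_PATH_RE = re.compile(r"^[a-z]:\\[^\[]+$", re.I)           # a plain listed path

# Constructed sample: lines copied from the log posted in the thread (the
# "Outras Exclusões" list, two Run values, the Startup folder, a hook, a service).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Win
c:\win\desktop.exe
c:\win\lsass.exe
c:\windows\desktop\Rifa.lnk
c:\windows\system32\%appdata%

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]

c:\users\Windows7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
desktop.exe [2008-12-19 228692]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399001}"= "c:\windows\Downloaded Program Files\gbiehbmb.dll" [2009-09-30 305024]

R2 scpVista;scpVista;c:\program files\Scpad\scpVista.exe [2009-07-10 136496]
"""


def parse_entries(text):
    """Yield (kind, source, path) for every autostart entry or listed file."""
    current_key = None      # registry key of the block we are in
    current_folder = None   # Startup-style folder whose files follow on the next lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current_folder = None
            continue
        if m := REG_KEY_RE.match(line):
            current_key, current_folder = m.group("key"), None
            continue
        if current_key and (m := REG_VALUE_RE.match(line)):
            yield ("registry", current_key, m.group("path"))
            continue
        if m := SERVICE_RE.match(line):
            yield ("service", m.group("name"), m.group("path"))
            continue
        if FOLDER_RE.match(line):
            current_folder = line
            continue
        if current_folder and (m := FOLDER_FILE_RE.match(line)):
            yield ("startup folder", current_folder, current_folder + m.group("file"))
            continue
        if BARE_PATH_RE.match(line):
            yield ("listed", "file list", line)


def assess(kind, path):
    """Return the reasons a triager would look at this entry first ([] = nothing notable)."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_DIRS):
        reasons.append("core Windows binary name outside the Windows directory")
    if "%" in p:
        reasons.append("literal %var% text as an on-disk path component")
    if kind != "listed" and any(marker in p for marker in USER_WRITABLE_MARKERS):
        reasons.append("autostart points into a user-writable location")
    return reasons


def triage(text):
    """Return [(kind, source, path, reasons)] for flagged entries only, in log order."""
    return [(kind, source, path, reasons)
            for kind, source, path in parse_entries(text)
            if (reasons := assess(kind, path))]


if __name__ == "__main__":
    for kind, source, path, reasons in triage(SAMPLE_LOG):
        print(f"[{kind}] {path}\n    from: {source}\n    why:  {'; '.join(reasons)}")
```

Run it as-is to see the three hits from the posted log, or replace `SAMPLE_LOG` with a whole pasted ComboFix report; lines it does not recognise (the dated file listings, browser prefs, process lists) are simply skipped. The rules are deliberately narrow, so an empty result is not a clean bill of health: `c:\win\desktop.exe` from the same log gets no flag here even though its location is just as odd, and a reviewer still reads the deletions and startup sections by hand.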



#2 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  • Gender:Male
  • Location:Around the world
  • Local time:06:17 AM

Posted 02 September 2010 - 09:58 PM

Hi nanderia,

Welcome to BleepingComputer.

First of all, I'd like to point out that we never suggest running ComboFix unless it has been recommended by one of the helpers.

That is because it can cause problems with the operating system's startup and in some cases may not help at all.

Have you already run ComboFix on all of them? (If so, post the other logs.) If not, what operating systems are the other computers running?
What are the symptoms on the other computers? What do you mean by "on 2 of them nothing works anymore"? Do they not turn on?

Please scan the current PC with Malwarebytes:

Download the Malwarebytes installer from one of these two links: Link 1 or Link 2

Double-click the mbam-setup.exe file and install the program.
Update it and run a full system scan by clicking "Perform Full Scan", then clicking Scan.
The scan may take a while to finish, so please be patient.
When the scan is complete, click OK, then Show Results to see the results.
Check that all infected items are selected and press the Remove Selected button.
When the removal of the infections is complete, a log will open in Notepad. Please paste the contents of the log in your next post.



