
Browser hijacking: desk365.exe, 22find.com, TrayDownloader.exe

22find desk365 v9


There are 3 replies to this topic

#1 emgeduardo

emgeduardo
  • Member
  • 2 posts

Posted 28 January 2013 - 07:09 PM

My Firefox froze and I noticed that some programs were being installed: desk365.exe, 22find.com, TrayDownloader.exe

I also found v9 installed.

I can't imagine where the problem came from, since I was only browsing trusted sites.

Please help me get rid of these browser hijackers.

I would also like to know the origin of these intrusions so I can prevent it from happening again.

Below is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:00:30, on 2013.01.28
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Software Plate\svcgdp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Desk 365\deskSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\SUPERAntiSpyware\SASCORE.EXE
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Bacula\bacula-fd.exe
C:\Arquivos de programas\DigitalPersona\Bin\DpHost.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\BakBone Software\NetVault\bin\nvpmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\DigitalPersona\Bin\DPFUSMgr.exe
C:\Arquivos de programas\BakBone Software\NetVault\bin\nvstatsmngr.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
C:\Arquivos de programas\Arquivos comuns\Raxco\Shared\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\Arquivos de programas\DigitalPersona\Bin\DPAgnt.exe
C:\Arquivos de programas\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Logitech\SetPointP\SetPoint.exe
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Arquivos de programas\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Samsung\Kies\KiesTrayAgent.exe
C:\Arquivos de programas\ClamWin\bin\ClamTray.exe
C:\Arquivos de programas\ClamSentinel\ClamSentinel.exe
C:\WINDOWS\system32\aetcrss1.exe
C:\Arquivos de programas\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Arquivos de programas\Samsung\Kies\Kies.exe
C:\Arquivos de programas\Arquivos comuns\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Arquivos de programas\Desk 365\desk365.exe
C:\Arquivos de programas\LaunchMate\LnchMate.exe
C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
C:\Arquivos de programas\Symmetricom\SymmTime\GeTTime.exe
C:\Arquivos de programas\MagicDisc\MagicDisc.exe
C:\Arquivos de programas\Sysinternals\procexp.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\Arquivos de programas\Notepad++\notepad++.exe
C:\WINDOWS\explorer.exe
L:\software\linux\Internet Security\clamav.net\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.22find.co...N&ts=1359380642
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.22find.co...N&ts=1359380642
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.22find.co...N&ts=1359380642
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.22find.co...N&ts=1359380642
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.22find...N&ts=1359380643
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.22find...N&ts=1359380643
O1 - Hosts: ::1 localhost #[IPv6]
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [DPAgnt] C:\Arquivos de programas\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Arquivos de programas\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EvtMgr6] C:\Arquivos de programas\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Arquivos de programas\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NUSB3MON] "C:\Arquivos de programas\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KiesTrayAgent] C:\Arquivos de programas\Samsung\Kies\KiesTrayAgent.exe
O4 - HKLM\..\Run: [CheckRun22find_uninstaller] "C:\Documents and Settings\emgeduardo\Dados de aplicativos\CheckRun22find.exe" -c=http://www.22find.co...N&ts=1359380635
O4 - HKLM\..\Run: [ClamTray.exe] "C:\Arquivos de programas\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [ClamSentinel.exe] C:\Arquivos de programas\ClamSentinel\ClamSentinel.exe
O4 - HKLM\..\Run: [CertificateRegistration] aetcrss1.exe
O4 - HKCU\..\Run: [] C:\Arquivos de programas\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
O4 - HKCU\..\Run: [KiesPreload] C:\Arquivos de programas\Samsung\Kies\Kies.exe /preload
O4 - HKCU\..\Run: [KiesAirMessage] C:\Arquivos de programas\Samsung\Kies\KiesAirMessage.exe -startup
O4 - HKCU\..\Run: [Desk 365] C:\Arquivos de programas\Desk 365\desk365.exe /autorun
O4 - Startup: MagicDisc.lnk = C:\Arquivos de programas\MagicDisc\MagicDisc.exe
O4 - Startup: Process  Explorer.lnk = C:\Arquivos de programas\Sysinternals\procexp.exe
O4 - Global Startup: LaunchMate.lnk = C:\Arquivos de programas\LaunchMate\LnchMate.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: SymmTime.lnk = C:\Arquivos de programas\Symmetricom\SymmTime\GeTTime.exe
O8 - Extra context menu item: Baixar com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: Baixar vídeo com o Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download selecionado pelo Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec antivírus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll
O20 - AppInit_DLLs:                 
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: DPWLN   - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: LBTWlgn - c:\arquivos de programas\arquivos comuns\logishrd\bluetooth\LBTWlgn.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Arquivos de programas\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Real-Time Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bacula File Backup Service (Bacula-fd) - Unknown owner - C:\Arquivos de programas\Bacula\bacula-fd.exe" /service  -c "C:\Arquivos de programas\Bacula\bacula-fd.conf (file missing)
O23 - Service: Desk 365 service (desksvc) - 337 Technology Limited. - C:\Arquivos de programas\Desk 365\deskSvc.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Arquivos de programas\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Arquivos de programas\DigitalPersona\Bin\DpHost.exe
O23 - Service: Serviço do Google Update (gupdate) (gupdate) - Unknown owner - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Unknown owner - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe" /medsvc (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Arquivos de programas\Arquivos comuns\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Arquivos de programas\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NetVault Process Manager - Unknown owner - C:/Arquivos de programas/BakBone Software/NetVault/bin/nvpmgr.exe" service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Arquivos de programas\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Arquivos de programas\Arquivos comuns\Raxco\Shared\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Business 2013\RpcAgentSrv.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Arquivos de programas\Skype\Updater\Updater.exe
O23 - Service: software services (svcgdp) - Beijing Xing Technology Co., Ltd. - C:\Arquivos de programas\Software Plate\svcgdp.exe
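
As an added example (not code from this thread or from HijackThis), a small Python triage script that parses the R0/R1, O4 and O23 lines of a HijackThis log and flags the entries mentioning the names the poster reported. The suspect-term list and the embedded sample lines (copied from the log above) are assumptions made for the example; on a real log you would feed the whole file to `triage()`.

```python
import re

# Names the original poster reported as the hijackers ("v9" is too short to match safely).
SUSPECT_TERMS = ("22find", "desk 365", "desk365", "traydownloader")
# Constructed sample: lines copied from the HijackThis log posted above, URLs truncated as rendered.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.22find.co...N&ts=1359380642
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.22find...N&ts=1359380643
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [CheckRun22find_uninstaller] "C:\Documents and Settings\emgeduardo\Dados de aplicativos\CheckRun22find.exe" -c=http://www.22find.co...N&ts=1359380635
O4 - HKCU\..\Run: [Desk 365] C:\Arquivos de programas\Desk 365\desk365.exe /autorun
O23 - Service: Desk 365 service (desksvc) - 337 Technology Limited. - C:\Arquivos de programas\Desk 365\deskSvc.exe
O23 - Service: software services (svcgdp) - Beijing Xing Technology Co., Ltd. - C:\Arquivos de programas\Software Plate\svcgdp.exe
O23 - Service: Avira Real-Time Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
"""
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
IE_RE = re.compile(r"^(?P<key>HK\w+\\.*?),(?P<name>[^=]+?) = (?P<value>.*)$")  # R0/R1 IE pages
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")  # O4 Run keys
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")  # O23 services

def parse_entry(line):
    """One HijackThis line -> {section, kind, name, target}; None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]
    if section in ("R0", "R1") and (im := IE_RE.match(body)):
        return {"section": section, "kind": "ie_setting",
                "name": f'{im["key"]},{im["name"]}', "target": im["value"]}
    if section == "O4" and (rm := RUN_RE.match(body)):
        return {"section": section, "kind": "autorun", "name": rm["name"], "target": rm["cmd"]}
    if section == "O23" and (sm := SVC_RE.match(body)):
        return {"section": section, "kind": "service", "name": sm["name"],
                "target": f'{sm["owner"]} - {sm["path"]}'}
    return {"section": section, "kind": "other", "name": "", "target": body}

def triage(log_text):
    """Return parsed entries whose name or target mentions a suspect term (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        haystack = f'{entry["name"]} {entry["target"]}'.lower()
        matched = [t for t in SUSPECT_TERMS if t in haystack]
        if matched:
            entry["matched"] = ", ".join(matched)
            hits.append(entry)
    return hits
```

Each hit names the registry value, Run entry or service to look at; the clean Avira and svcgdp lines in the sample are not flagged, which is the point of matching on reported names rather than on "Unknown owner".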

#2 Mr.Million

Mr.Million

    Consumer Security MVP

  • Expert
  • 64959 posts

Posted 28 January 2013 - 08:12 PM

Go to Control Panel / Programs and Features and uninstall TrayDownloader and desk365

Follow this procedure:
How to remove 22find from your Home Page and Search Page in your browsers

Then report back on the situation.



#3 Mr.Million

Mr.Million

    Consumer Security MVP

  • Expert
  • 64959 posts

Posted 29 January 2013 - 01:29 PM

How is the situation? Did it get resolved?



#4 emgeduardo

emgeduardo
  • Member
  • 2 posts

Posted 30 January 2013 - 10:49 AM

Good morning,

I believe it is partially resolved.

I did all the uninstalls manually and after that used Macecraft jv16 to clean the Windows registry.

I also noticed there was a v9 installed and uninstalled it.

What puzzles me most is that I didn't click on anything at the moment these malware programs were installed.

I was working on the computer next to it and watched Firefox close by itself and icons start appearing in the toolbars.

I would really like to have an idea of how this could have gotten into my computer, to try to prevent new attacks.