
Archived

This topic has been archived and is closed to new replies.

JediForce

[Solved!] Spyware


Hi everyone,

I picked up a piece of spyware that showed a red X next to the clock; this spyware disabled my desktop and put up a different wallpaper saying my computer is infected. I used Microsoft AntiSpyware and managed to remove the red X, but my desktop was not restored and windows redirecting to other sites still appear. The log is below:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:14:04, on 8/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\Iomega\System32\AppServices.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\pavProxy.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

C:\Arquivos de programas\Scansoft\PaperPort\pptd40nt.exe

C:\windows\adtech2006.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\DOCUME~1\TURISM~1.TUR\CONFIG~1\Temp\Rar$EX00.391\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.uol.com.br

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.uol.com.br

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

F3 - REG:win.ini: run=C:\WINDOWS\inet20009\services.exe

O4 - HKLM\..\Run: [Microsoft Servicez Manager] servicemgrz.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [PaperPort PTD] C:\Arquivos de programas\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Arquivos de programas\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe

O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\RunServices: [Microsoft Servicez Manager] servicemgrz.exe

O4 - Startup: Palm Desktop.lnk = C:\Palm\palm.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip\..\{981DE450-90C4-4FD1-99F7-B661458E0DE2}: NameServer = 200.204.0.10,200.176.2.12

O20 - Winlogon Notify: Mixer - C:\WINDOWS\SYSTEM32\sndmix.dll

O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\MNJET35.DLL

O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\enijlccb.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\ARQUIV~1\Iomega\System32\AppServices.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

 

 

Please help me, because from what I have seen there are several versions of this red X spyware.


Dear JediForce,

Let's go.

Set Windows to show all files (including hidden ones).

C:\DOCUME~1\TURISM~1.TUR\CONFIG~1\Temp\Rar$EX00.391\HijackThis.exe

Attention --> Put HijackThis in a folder of its own, for example: c:\HTJ\HijackThis.exe.

Step 1

Download Killbox at:

Killbox

Download it, but don't run it yet.

Download CWShredder at:

CWShredder

Download it, but don't run it yet.

Download Deldomains at:

Deldomains

Download and save Deldomains.inf to your desktop, but don't run it yet.

Download SpySweeper at:

SpySweeper

Download and update it, but don't run it yet.

Download:

Restorethemes.reg

-and-

Restore Luna Theme

Download them, but don't run them yet.

Step 2

Run KillBox:

1) Select Delete on reboot;

2) Full path of file to delete;

3) Enter:

C:\WINDOWS\inet20009 - Press X. Answer "yes" to the first question and "no" to the second.

Repeat the operation for:

C:\windows\system32\servicemgrz.exe

C:\windows\timessquare.exe

C:\windows\servicemgrz.exe

C:\windows\adtech2006.exe

C:\WINDOWS\SYSTEM32\sndmix.dll

C:\WINDOWS\system32\enijlccb.dll

C:\WINDOWS\system32\MNJET35.DLL

If Killbox reports that a file/folder does not exist, just move on to the next one.

It is wise to print this document or save it somewhere easy to reach, because in the next step we will go into Safe Mode and the internet connection will not be available.

Step 3

Restart the computer in Safe Mode (after restarting, press F8 until a black DOS screen appears and choose Safe Mode).

Run HijackThis, click Do a system scan only and check:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

F3 - REG:win.ini: run=C:\WINDOWS\inet20009\services.exe

O4 - HKLM\..\Run: [Microsoft Servicez Manager] servicemgrz.exe

O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe

O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe

O4 - HKLM\..\RunServices: [Microsoft Servicez Manager] servicemgrz.exe

O20 - Winlogon Notify: Mixer - C:\WINDOWS\SYSTEM32\sndmix.dll

O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\MNJET35.DLL

O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\enijlccb.dll

Click Fix Checked.

Step 4

Still in Safe Mode, do the following:

1) Run Deldomains:

Right-click the deldomains.inf file and then click Install. Running the file directly does not work.

2) Run CWShredder.

3) Run a full scan with SpySweeper.

4) Restorethemes.reg

-or-

Restore Luna Theme.

One of these should restore your desktop settings.

Step 5

Restart in normal mode.

Check whether the problems have been solved and post the new log.

I await your reply.

Cheers.

IMPORTANT: Post a Silent Runners log as well. Download it by clicking here.

Extract it to C: --> double-click SilentRunners.vbs (your antivirus may try to block it, but allow it) --> wait for the document STARTUP PROGRAMS (USER) date to be generated and be patient, as it may take a while. Post the contents of this document in your next reply.
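As an added example (not part of the thread, and not HijackThis's own code): a small Python script that applies the checks the helper applied by hand to the log entries above. It flags the obsolete win.ini run= autostart, Run entries whose target is a bare filename or a file dropped straight into C:\WINDOWS, Trusted Zone additions, Winlogon Notify subkeys outside the Windows XP baseline, SSODL entries, and a search page pointing at an unexpected host. The sample log is constructed from lines posted in this thread; the baseline subkey set and the allowlisted search hosts are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.uol.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F3 - REG:win.ini: run=C:\WINDOWS\inet20009\services.exe
O4 - HKLM\..\Run: [Microsoft Servicez Manager] servicemgrz.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\RunServices: [Microsoft Servicez Manager] servicemgrz.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: Mixer - C:\WINDOWS\SYSTEM32\sndmix.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\enijlccb.dll
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
"""

# Assumption: the Winlogon\Notify subkeys a clean Windows XP SP2 ships with (lower-cased).
# Anything else loads a DLL into winlogon.exe at every logon and deserves a look.
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Assumption: hosts a default IE search page may legitimately point at.
SEARCH_ALLOWLIST = ("microsoft.com", "msn.com")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str
    line: str


def _host(url: str) -> str:
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _allowed_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SEARCH_ALLOWLIST)


def triage_line(line: str):
    """Apply the thread's rules of thumb to one HijackThis line; None means nothing to flag."""
    m = re.match(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()

    # R0/R1: a search page outside the allowlist is the classic browser-hijack symptom.
    if section.startswith("R") and re.search(r"\\Search,", body):
        if not _allowed_host(_host(body.split("=", 1)[1].strip())):
            return Finding(section, "search page points at a host outside the allowlist", line)

    # F3: win.ini run= is a 16-bit-era autostart; almost nothing legitimate uses it on XP.
    if section == "F3" and "run=" in body.lower():
        return Finding(section, "obsolete win.ini run= autostart", line)

    # O4: registry Run keys. Judge the target's location, not the friendly name in brackets.
    if section == "O4":
        mm = re.match(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[[^\]]*\] (.*)$", body)
        if mm:
            key, target = mm.group(2), mm.group(3).strip()
            # Quoted path -> take what is inside the quotes; otherwise the first token
            # (an unquoted path containing spaces is truncated, which is harmless here).
            exe_m = re.match(r'"([^"]+)"|(\S+)', target)
            exe = (exe_m.group(1) or exe_m.group(2)) if exe_m else target
            if key.lower() == "runservices":
                return Finding(section, "RunServices is a Windows 9x-era key, rarely legitimate on XP", line)
            if "\\" not in exe:
                return Finding(section, "bare filename, resolved through the PATH search", line)
            if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", exe, re.IGNORECASE):
                return Finding(section, "executable dropped directly into the Windows directory", line)

    # O15: a Trusted Zone entry lowers IE's security settings for that site.
    if section == "O15" and body.startswith("Trusted Zone:"):
        return Finding(section, "site added to the IE Trusted Zone", line)

    # O20: Winlogon Notify DLLs run before the shell; compare the subkey against the baseline.
    if section == "O20":
        mm = re.match(r"^Winlogon Notify: (.+?) - (.*)$", body)
        if mm and mm.group(1).lower() not in XP_NOTIFY_BASELINE:
            detail = " (file missing)" if "(file missing)" in mm.group(2) else ""
            return Finding(section, "Winlogon Notify subkey outside the XP baseline" + detail, line)

    # O21: ShellServiceObjectDelayLoad entries are loaded by Explorer at logon.
    if section == "O21":
        return Finding(section, "SSODL entry loads a DLL into Explorer at logon; verify the DLL", line)

    return None


def triage_log(text: str):
    """Run triage_line over a whole log and keep only the findings, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line.strip()}")
```

A flagged entry is a candidate for review, not a verdict: the WRNotifier entry, whose file is missing, is flagged too and was not among the ones the helper asked to fix.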


I did all the procedures listed above, but the problem persists; nothing changed :(

 

 

HijackThis LOG:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:12:25, on 9/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe I don't think this is normal, what do you think?

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE

C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

C:\Arquivos de programas\Scansoft\PaperPort\pptd40nt.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe

C:\ARQUIV~1\Iomega\System32\AppServices.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE

C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\pavProxy.exe

C:\WINDOWS\System32\svchost.exe

C:\HTJ\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.uol.com.br

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.uol.com.br

O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [PaperPort PTD] C:\Arquivos de programas\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Arquivos de programas\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"

O4 - Startup: Palm Desktop.lnk = C:\Palm\palm.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{981DE450-90C4-4FD1-99F7-B661458E0DE2}: NameServer = 200.204.0.10,200.176.2.12

O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\h8j4li1q18.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\ARQUIV~1\Iomega\System32\AppServices.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

 

 

 

 

 

SILENT RUNNERS LOG:

 

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"APVXDWIN" = ""C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s" ["Panda Software International"]

"SunJavaUpdateSched" = "C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]

"PaperPort PTD" = "C:\Arquivos de programas\Scansoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]

"IndexSearch" = "C:\Arquivos de programas\Scansoft\PaperPort\IndexSearch.exe" [null data]

"gcasServ" = ""C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"" [MS]

 

HKLM\Software\Microsoft\Active Setup\Installed Components\

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"

\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ws817112.dll" [null data]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\Office10\msohev.dll" [MS]

"{c7745760-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Iomega\Shell\ImgMenu.dll" ["Iomega Corp."]

"{c7745761-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Iomega\Shell\ImgProp.dll" ["Iomega Corp."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\ShellTit.DLL" ["Panda Software International"]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\OpenOffice.org1.1.5\program\shlxthdl.dll" ["Sun Microsystems, Inc."]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {CLSID}\InProcServer32\(Default) = "C:\ARQUIV~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\SmartFTP\smarthook.dll" ["SmartFTP"]

"{2B2DE203-B38F-432B-B12B-7B9F0213B1E5}" = (no title provided)

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mjmdd.dll" [null data]

"{6EA24A3C-2EF0-4341-BF18-693837F5CF40}" = (no title provided)

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dh16gt.dLL" [null data]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft AntiSpyware\shellextension.dll" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ws817112.dll" [null data]

 

HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! Internet Settings\DLLName = "C:\WINDOWS\system32\h8j4li1q18.dll" [null data]

INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\ShellTit.DLL" ["Panda Software International"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\ShellTit.DLL" ["Panda Software International"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Alegria.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

 

 

Startup items in "Turismo e Eventos" & "All Users" startup folders:

-------------------------------------------------------------------

 

C:\Documents and Settings\Turismo e Eventos.TURISMOEEVENTOS\Menu Iniciar\Programas\Inicializar

"Palm Desktop" -> shortcut to: "C:\Palm\palm.exe" ["Palm Computing, Inc."]

 

C:\Documents and Settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar

"Adobe Gamma Loader" -> shortcut to: "C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"HotSync Manager" -> shortcut to: "C:\Palm\HOTSYNC.EXE" ["Palm Computing, Inc."]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"

-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SEARCH_PAGE_URL="&http://home.microsoft.com/intl/br/access/allinone.asp"

[strings]: SAFESITE_VALUE="search.msn.com.br"

 

Missing lines (compared with English-language version):

[strings]: 2 lines

 

 

HOSTS file

----------

 

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\

HIJACK WARNING! "DataBasePath" = "%SystemRoot%\System32\drivers\etc"

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}

Iomega Active Disk, _IOMEGA_ACTIVE_DISK_SERVICE_, ""C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe"" ["Iomega Corporation"]

Iomega App Services, Iomega App Services, ""C:\ARQUIV~1\Iomega\System32\AppServices.exe"" ["Iomega Corporation"]

Panda anti-virus service, PAVSRV, "C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe" ["Panda Software"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

StarWind iSCSI Service, StarWindService, "C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 52 seconds, including 18 seconds for message boxes)


Dear JediForce,

We have work ahead of us, but let's push on!

Step 1

Run KillBox:

1) Select Delete on reboot;

2) Full path of file to delete;

3) Enter:

C:\WINDOWS\system32\ws817112.dll - Press X. Answer "yes" to the first question and "no" to the second.

Repeat the operation for:

C:\WINDOWS\system32\h8j4li1q18.dll

C:\WINDOWS\system32\mjmdd.dll

C:\WINDOWS\system32\dh16gt.dLL

If Killbox reports that a file/folder does not exist, just move on to the next one.

Step 2

Run HijackThis, click Do a system scan only and check:

O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\h8j4li1q18.dll

Click Fix Checked.

It is wise to print this document or save it somewhere easy to reach, because in the next step we will go into Safe Mode and the internet connection will not be available.

Step 3

Restart in normal mode.

I will need an L2MFix log. Click here and download it.

Extract the files and run l2mfix.bat --> option "run find log". After a few minutes Notepad should open with a log. It is the contents of this log that you should paste in your next reply, along with the new HijackThis log.

I await your reply.

Cheers.

PS: Restoring your desktop settings will be left for last, ok. ;)


Hi friend, my system seems to be normal now. I followed the instructions above; I had already managed to restore the desktop, only the ads were left, but those have now been eliminated. Below are the logs you asked for; I would like to know whether the spyware has been completely removed or whether remnants of it are still left.

L2MFIX find log 120905

These are the registry keys present
tico MRU""{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Lista personalizada MRU preenchida automaticamente""{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Acess¡vel""{acf35015-526e-4230-9596-becbe19f0ac9}"="Barra Popup de controle""{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analisador da barra de endere‡os""{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista de preenchimento autom tico de hist¢rico da Microsoft""{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista de preenchimento autom tico de pastas do Shell da Microsoft""{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Recipiente de lista de preenchimento autom tico m£ltiplo da Microsoft""{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu de site de faixa do Shell""{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp""{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar""{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite""{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistˆncia ao usu rio""{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Configura‡äes de pasta globais""{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band""{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service""{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer""{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture""{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut""{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Servi‡o de hist¢rico de URLs da Microsoft""{FF393560-C2A7-11CF-BFF4-444553540000}"="Hist¢rico""{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files""{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files""{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook""{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen""{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook""{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC""{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant 
OC""{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet""{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space""{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Faixa do Explorer""{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service""{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service""{88C6C381-2E85-11D0-94DE-444553540000}"="Pasta cache de ActiveX""{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck""{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr""{F5175861-2688-11d0-9C5E-00AA00A45957}"="Pasta de inscri‡äes""{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler""{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent""{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent""{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent""{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent""{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent""{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler""{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gerenciador de aplicativos do shell""{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerador de aplicativos instalado""{CFCCC7A0-A282-11D1-9082-006008059382}"="Editor de aplicativo Darwin""{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs""{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory""{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extrator de miniaturas de arquivo GDI+""{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Identificador de informa‡äes de resumo de miniaturas (DOCFILES)""{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extrator de miniaturas HTML""{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler""{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Assistente para publica‡Æo na Web""{add36aa8-751a-4579-a266-d66f5202ccbb}"="Pedido de impressÆo via Web""{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objeto do assistente para publica‡Æo do shell""{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Obter um Assistente do Passport""{7A9D77BD-5403-11d2-8785-2E0420524153}"="Contas de usu 
rio""{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler""{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target""{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Arquivo de canal""{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Atalho para o canal""{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Objeto manipulador de canais""{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu""{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties""{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview""{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext""{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control""{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control""{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control""{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control""{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control""{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI""{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object""{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find""{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find""{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI""{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs""{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook""{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target""{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties""{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu""{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options""{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Pasta de arquivos off-line""{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet 
Handler""{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell""{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%""{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler""{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer""{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Pessoas...""{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler""{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler""{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler""{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Pastas da Web""{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler""{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler""{c7745760-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension""{c7745761-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension""{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension""{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults""{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page""{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions""{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"@="CorelDRAW Shell Extension Component""{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player""{65756541-C65C-11CD-0000-4B656E696100}"="Panda Antivirus""{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice Property Sheet Handler""{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx""{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL""{2B2DE203-B38F-432B-B12B-7B9F0213B1E5}"="""{6EA24A3C-2EF0-4341-BF18-693837F5CF40}"="""{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"**********************************************************************************HKEY ROOT CLASSIDS:Windows Registry Editor Version 
5.00

[HKEY_CLASSES_ROOT\CLSID\{6EA24A3C-2EF0-4341-BF18-693837F5CF40}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6EA24A3C-2EF0-4341-BF18-693837F5CF40}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6EA24A3C-2EF0-4341-BF18-693837F5CF40}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6EA24A3C-2EF0-4341-BF18-693837F5CF40}\InprocServer32]
@="C:\\WINDOWS\\system32\\dh16gt.dLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
bassmod.dll Fri 25 Nov 2005 14:50:42 A.... 34.308 33,50 K
cpmmtb32.dll Fri 9 Dec 2005 8:52:42 ..S.R 234.985 229,48 K
f02mla~1.dll Fri 9 Dec 2005 9:15:26 ..S.R 237.051 231,49 K
f4j2le~1.dll Thu 8 Dec 2005 14:46:24 ..S.R 236.017 230,48 K
floop32.dll Thu 8 Dec 2005 9:38:54 A.... 18.432 18,00 K
gccoll~1.dll Tue 15 Nov 2005 12:12:08 A.... 126.680 123,71 K
gcunco~1.dll Tue 15 Nov 2005 12:12:06 A.... 95.448 93,21 K
gdi32.dll Thu 6 Oct 2005 1:17:42 A.... 280.064 273,50 K
hashlib.dll Tue 15 Nov 2005 12:12:08 A.... 117.976 115,21 K
iisload.dll Thu 8 Dec 2005 16:34:48 A.... 6.656 6,50 K
islzma.dll Fri 21 Oct 2005 15:50:14 A.... 102.912 100,50 K
k8800i~1.dll Fri 9 Dec 2005 10:00:18 ..S.R 234.302 228,81 K
mshtml.dll Tue 4 Oct 2005 22:26:18 A.... 3.013.120 2,87 M
mzdocs.dll Fri 9 Dec 2005 9:15:26 ..S.R 235.931 230,40 K
risman.dll Thu 8 Dec 2005 14:50:08 ..S.R 236.630 231,08 K
shell32.dll Fri 23 Sep 2005 1:07:08 A.... 8.480.256 8,09 M
vop6renu.dll Fri 9 Dec 2005 9:04:30 ..S.R 233.997 228,51 K
wqaueng1.dll Fri 9 Dec 2005 9:31:04 ..S.R 234.214 228,72 K
wrlogo~1.dll Thu 27 Oct 2005 16:47:08 A.... 492.544 481,00 K
wrlzma.dll Thu 27 Oct 2005 16:47:06 A.... 17.920 17,50 K

20 items found: 20 files (8 H/S), 0 directories.
Total of file sizes: 14.669.443 bytes 13,99 M

Locate .tmp files:
No matches found.

**********************************************************************************
Directory Listing of system files:
 O volume na unidade C é Programas
 O número de série do volume é B0E8-6E40

 Pasta de C:\WINDOWS\System32

09/12/2005 10:00 234.302 k8800ilme8qa0.dll
09/12/2005 09:31 234.214 wqaueng1.dll
09/12/2005 09:15 235.931 mzdocs.dll
09/12/2005 09:15 237.051 f02mlaf11d2.dll
09/12/2005 09:04 233.997 VOP6RENU.DLL
09/12/2005 08:52 234.985 CPMMTB32.DLL
08/12/2005 14:50 236.630 rIsman.dll
08/12/2005 14:46 236.017 f4j2le1o1h.dll
03/11/2005 11:40 <DIR> dllcache
20/08/2005 14:37 109.568 svshost.exe
16/06/2005 09:28 <DIR> Microsoft
 9 arquivo(s) 1.992.695 bytes
 2 pasta(s) 3.801.473.024 bytes disponíveis

------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 08:23:21, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Arquivos de programas\Scansoft\PaperPort\pptd40nt.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HTJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.uol.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.uol.com.br
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Arquivos de programas\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [indexSearch] C:\Arquivos de programas\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Palm Desktop.lnk = C:\Palm\palm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperFix.bat
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{981DE450-90C4-4FD1-99F7-B661458E0DE2}: NameServer = 200.204.0.10,200.176.2.12
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\ARQUIV~1\Iomega\System32\AppServices.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe


Dear JediForce,

There is still work to do.

Step 1

Run KillBox:

1) Select Delete on reboot;

2) Full path of file to delete;

3) Enter:

C:\WINDOWS\System32\k8800ilme8qa0.dll - Press X. Answer "yes" to the first question and "no" to the second.

Repeat the operation for:

C:\WINDOWS\System32\wqaueng1.dll

C:\WINDOWS\System32\mzdocs.dll

C:\WINDOWS\System32\f02mlaf11d2.dll

C:\WINDOWS\System32\VOP6RENU.DLL

C:\WINDOWS\System32\CPMMTB32.DLL

C:\WINDOWS\System32\rIsman.dll

C:\WINDOWS\System32\f4j2le1o1h.dll

C:\WINDOWS\System32\svshost.exe

If KillBox reports that a file or folder does not exist, just move on to the next one.

Step 2

Run the l2mfix.bat file, press <Enter>, then type 2 and press Enter again. After that, press any key and the computer will restart.

After the restart, your desktop should disappear and reappear. The fix is not finished yet. When it finishes, Notepad should open with a log. Attach that log to your reply as you did before, together with a new HijackThis log.

Go to the l2mfix folder that was created and copy the ntrights file to C:\

Click Start --> Run, type cmd and click OK. A command prompt will appear.

Type the following:

cd c:\

Enter. Now type the following command:

ntrights -u Administradores +r SeDebugPrivilege > log.txt

Attention --> Make sure you type this command exactly.

Enter again. There should now be a file named c:\log.txt. Open it and paste its contents here.

Awaiting your reply.

Regards.

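The files singled out in Step 1 above are exactly the System32 entries that the L2MFix listing reported with the S/R attribute flags, plus svshost.exe, which is one character away from the legitimate svchost.exe. As an added example (not code from this thread or from L2MFix), the Python below parses a listing in that "Files Found" format and applies those two checks plus a weaker recency check; the sample rows, the svshost.exe row and the KNOWN_BINARIES set are constructed for the example.

```python
"""Triage an L2MFix-style System32 file listing the way the helper above did.

Added example, not code from the thread or from L2MFix. Three checks:
  1. DLLs carrying the System (S) or Hidden (H) attribute, the "..S.R" rows;
  2. names one edit away from a Windows binary (svshost.exe vs svchost.exe);
  3. files modified within a few days of the newest entry (a weaker signal).
"""
import re
from datetime import datetime

# Constructed sample in the format of the "Files Found" block posted above:
# name, weekday, date, time, attribute flags, size in bytes, size (human).
# The svshost.exe row is made up here; the page shows it in a directory listing.
SAMPLE_LISTING = """\
Files Found are not all bad files:
C:\\WINDOWS\\SYSTEM32\\
bassmod.dll Fri 25 Nov 2005 14:50:42 A.... 34.308 33,50 K
cpmmtb32.dll Fri 9 Dec 2005 8:52:42 ..S.R 234.985 229,48 K
f02mla~1.dll Fri 9 Dec 2005 9:15:26 ..S.R 237.051 231,49 K
floop32.dll Thu 8 Dec 2005 9:38:54 A.... 18.432 18,00 K
gdi32.dll Thu 6 Oct 2005 1:17:42 A.... 280.064 273,50 K
k8800i~1.dll Fri 9 Dec 2005 10:00:18 ..S.R 234.302 228,81 K
mshtml.dll Tue 4 Oct 2005 22:26:18 A.... 3.013.120 2,87 M
svshost.exe Sat 20 Aug 2005 14:37:00 A.... 109.568 107,00 K
wqaueng1.dll Fri 9 Dec 2005 9:31:04 ..S.R 234.214 228,72 K
20 items found: 20 files (8 H/S), 0 directories.
"""

# Real Windows binary names for the look-alike check (assumption: a real
# deployment would take this list from a clean reference installation).
KNOWN_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
}

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+[A-Za-z]{3}\s+(?P<date>\d{1,2} [A-Za-z]{3} \d{4})"
    r"\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d.]+)\b"
)


def parse_listing(text):
    """Return one dict per file row: name (lower-cased), mtime, attrs, size."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, directory and summary lines carry no file row
        rows.append({
            "name": m["name"].lower(),
            "mtime": datetime.strptime(f"{m['date']} {m['time']}", "%d %b %Y %H:%M:%S"),
            "attrs": set(m["attrs"]) - {"."},          # letters present = flags set
            "size": int(m["size"].replace(".", "")),   # "234.985" -> 234985 bytes
        })
    return rows


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_suspicious(rows, known=KNOWN_BINARIES, recent_days=7):
    """Map file name -> list of reasons for every row that trips a check."""
    newest = max(r["mtime"] for r in rows)
    findings = {}
    for r in rows:
        reasons = []
        if r["attrs"] & {"S", "H"}:
            reasons.append("System/Hidden attribute set (attrs %s)" % "".join(sorted(r["attrs"])))
        for k in sorted(known):
            if r["name"] != k and edit_distance(r["name"], k) == 1:
                reasons.append("look-alike of %s" % k)
        if (newest - r["mtime"]).days <= recent_days:
            reasons.append("modified within %d days of newest file" % recent_days)
        if reasons:
            findings[r["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in sorted(flag_suspicious(parse_listing(SAMPLE_LISTING)).items()):
        print(f"{name:14s} {'; '.join(why)}")
```

On the sample, the four S/R rows and svshost.exe are reported with a strong reason, while floop32.dll is reported only as recently modified, which is the kind of entry a helper would look at but not delete on attributes alone.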

Here it goes ...

--------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 15:10:05, on 13/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\Scansoft\PaperPort\pptd40nt.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\ARQUIV~1\Iomega\System32\AppServices.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\pavProxy.exe

C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\HTJ\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.uol.com.br

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.uol.com.br

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [APVXDWIN] "C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [PaperPort PTD] C:\Arquivos de programas\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Arquivos de programas\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - Startup: Palm Desktop.lnk = C:\Palm\palm.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeperFix.bat

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{981DE450-90C4-4FD1-99F7-B661458E0DE2}: NameServer = 200.204.0.10,200.176.2.12

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\ARQUIV~1\Iomega\System32\AppServices.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Arquivos de programas\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

 

 

----------------------------------------------------------------

 

 

L2mfix Beta 121205

Creating Account.

Comando concluído com êxito.

 

Adding Administrative privleges.

Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

 

Running From:

C:\WINDOWS\system32

 

Killing Processes!

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 604 'smss.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 700 'winlogon.exe'

Killing PID 700 'winlogon.exe'

Killing PID 700 'winlogon.exe'

Killing PID 700 'winlogon.exe'

 

.

.

.

I cut part of the output because "Killing PID 700 'winlogon.exe'" appeared hundreds of times; the post would have been too long.

.

.

.

 

 

Killing PID 700 'winlogon.exe'

Killing PID 700 'winlogon.exe'

Killing PID 700 'winlogon.exe'

Killing PID 700 'winlogon.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 1624 'explorer.exe'

Killing PID 1624 'explorer.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Error, Cannot find a process with an image name of rundll32.exe

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332

Granting SeDebugPrivilege to Administratörer ... failed (GetAccountSid(Administratörer)=1332

Granting SeDebugPrivilege to Administradores ... successful

Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332

Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332

 

Scanning First Pass. Please Wait!

 

First Pass Completed

 

Second Pass Scanning

 

Second pass Completed!

 

Zipping up files for submission:

adding: Documents and Settings/Turismo e Eventos.TURISMOEEVENTOS/Desktop/l2mfix/backregs/notibac.reg (164 bytes security) (deflated 87%)

adding: Documents and Settings/Turismo e Eventos.TURISMOEEVENTOS/Desktop/l2mfix/backregs/shell.reg (164 bytes security) (deflated 73%)

 

 

Restoring Windows Update Certificates.:

 

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

 

The following are the files found:

****************************************************************************

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{6EA24A3C-2EF0-4341-BF18-693837F5CF40}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{6EA24A3C-2EF0-4341-BF18-693837F5CF40}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{6EA24A3C-2EF0-4341-BF18-693837F5CF40}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{6EA24A3C-2EF0-4341-BF18-693837F5CF40}\InprocServer32]

@="C:\\WINDOWS\\system32\\dh16gt.dLL"

"ThreadingModel"="Apartment"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{2B2DE203-B38F-432B-B12B-7B9F0213B1E5}"=-

"{6EA24A3C-2EF0-4341-BF18-693837F5CF40}"=-

[-HKEY_CLASSES_ROOT\CLSID\{2B2DE203-B38F-432B-B12B-7B9F0213B1E5}]

[-HKEY_CLASSES_ROOT\CLSID\{6EA24A3C-2EF0-4341-BF18-693837F5CF40}]

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

 

****************************************************************************

C:\WINDOWS\System32\6EA24A3C-2EF0-4341-BF18-693837F5CF40.reg

Checking for L2MFix account(0=no 1=yes):

0

 

 

---------------------------------------------------------------------

 

Contents of LOG.txt

 

 

Granting SeDebugPrivilege to Administradores ... successful


PROBLEM SOLVED!

If the author needs this topic reopened, send a Private Message to a Moderator with a link to the topic.
