[Resolvido!]Mensagem "AE" no Internet Explorer

[Erickson 0]

Gente gostaria de obter ajuda de vocês, já li varios topicos parecido mas não consigui resolver o problema.

 

são entorno de umas 5 maquinas que estão com o mesmo problema.

Ao clicar no icone Internet Explorer exibe a mensagem "AE" e o numero "5" ou "18" e o botão OK.

 

Em determinadas maquinas ao tentar abrir o Windows Explorer trava a maquina.

 

 

Segue as informações de uma das maquinas obtida do HIJACKTHIS

obrigado

Erickson

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 15:52:01, on 26/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\UltraVNC\WinVNC.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\RDS\RMClient\PMCTray.exe

C:\WINDOWS\system32\userinit.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\hijackthis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: HTTfile - {E1A9050F-532C-45A8-A6B2-1A03D5DA8927} - C:\WINDOWS\system32\sfmapi.ocx

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RDS\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RDS\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Arquivos de programas\RDS\RMClient\PMClient.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

[Sam Spade 2]

Olá Erickson! O log mostra um malware que infecta os arquivos executáveis (programas). Você deve fazer isso em todas as máquinas infectadas.

 

Baixe esta ferramenta: http://linhadefensiva.uol.com.br/dl/remdelf2b

 

IMPORTANTE: Após o download, mova o arquivo para C:\

 

Salve ou imprima estas instruções, pois vai segui-las desconectado e sem acesso a esta página:

 

1 - Reinicie o computador em Modo Seguro ou Modo de Segurança;

 

2 - Digite no Executar: C:\RemDelf\RemDelf.exe C: e clique em Ok;

 

OBS: Se você possui outras unidades de disco, você deve adiciná-las no

comando da seguinte forma (C:\RemDelf C: D:)

 

- Será aberta uma tela do prompt do MS-DOS.

 

3 - Aguarde até que a verificação seja concluída.

 

- Quando o processo for concluído, pressione a tecla ENTER para que o computador seja reiniciado.

 

4 - Gere um novo log com o HijackThis em modo normal e poste.

[Erickson 0]

:natal_w00t: Obrigado por está ajudando a resolver o problema

 

segue apos a execução do programa que foi recomendado.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 13:36:40, on 27/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\userinit.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\UltraVNC\WinVNC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe

C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\RDS\RMClient\PMCTray.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\userinit.exe

C:\Arquivos de programas\HP\hpcoretech\comp\hptskmgr.exe

C:\Documents and Settings\Administrador\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: HTTfile - {E1A9050F-532C-45A8-A6B2-1A03D5DA8927} - C:\WINDOWS\system32\sfmapi.ocx

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RDS\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RDS\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Arquivos de programas\RDS\RMClient\PMClient.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

 

Erickson

[Sam Spade 2]

Ok, reinicie o PC e aperte F8 intermitentemente. No menu escolha: modo seguro.

 

Faça um scan com o HijackThis, marque a entrada abaixo e clique em

 

O2 - BHO: HTTfile - {E1A9050F-532C-45A8-A6B2-1A03D5DA8927} - C:\WINDOWS\system32\sfmapi.ocx

 

Reinicie em modo normal, faça um scan com o HijackThis e salve/poste o log. Informe se ainda está com o problema.

[Erickson 0]

Ok, reinicie o PC e aperte F8 intermitentemente. No menu escolha: modo seguro.

 

Faça um scan com o HijackThis, marque a entrada abaixo e clique em

 

O2 - BHO: HTTfile - {E1A9050F-532C-45A8-A6B2-1A03D5DA8927} - C:\WINDOWS\system32\sfmapi.ocx

 

Reinicie em modo normal, faça um scan com o HijackThis e salve/poste o log. Informe se ainda está com o problema.

 

 

 

********************************************************************************

*************

 

 

 

Rodei todos os metodos que foi passado

mas tem 2 maquinas ainda que permanecem travando quando abrem o Windows Explorer

utilizando o HijackThis

 

 

Logfile of HijackThis v1.99.1

Scan saved at 15:38:24, on 3/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\mrigo\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: ADOX.Key - {91070C68-B954-4D0A-880C-1385E9D8C943} - C:\WINDOWS\system32\g711codc.ocx

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RDS\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RDS\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Arquivos de programas\RDS\RMClient\PMClient.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

O23 - Service: RM.Host.Service - Unknown owner - C:\CorporeRM\RM.Net\RM.Host.Service.exe" -sRM.Host.Service (file missing)

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

[Sam Spade 2]

Ok, vamos usar o KillBox para deletar o arquivo do Delf.

 

Rode-o, marque Delete on Reboot e coloque em Full Path of File to Delete:

 

C:\WINDOWS\system32\g711codc.ocx

 

Clique no botão . Responda Sim à pergunta.

 

Ao reiniciar o PC, aperte F8 intermitentemente. No menu escolha: modo seguro.

 

Faça um scan com o HijackThis, marque a entrada abaixo, se ainda a encontrar e clique em

 

O2 - BHO: ADOX.Key - {91070C68-B954-4D0A-880C-1385E9D8C943} - C:\WINDOWS\system32\g711codc.ocx

 

Rode o RemDelf conforme as instruções anteriores.

 

Reinicie em modo normal, gere um novo log com o HijackThis e poste.

 

Se for possível, tire provisoriamente este PC da rede, para que não seja reinfectado.

 

Gere um log com o HijackThis nas duas outras máquinas e poste, identificando como máquina 2 e máquina 3, o log de cada uma.

[Erickson 0]

Feito procedimento conforme a msg anterior

parece que resolveu o problema de travar a maquina ao abrir o explorer da primeira maquina.

 

Segue o logs da Maquina2 e 3

 

 

 

MAQUINA 02

 

Logfile of HijackThis v1.99.1

Scan saved at 16:33:40, on 4/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\administrator\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Microsoft.Aspnet.Snapin.PropertyPageExtension - {AFAE7E5E-EC78-4DD8-91A3-4130D8DBA349} - C:\WINDOWS\system32\nwscript.dll

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RDS\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RDS\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: ColarIsto.exe

O4 - Global Startup: ColarIsto.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Pandion.lnk = C:\Arquivos de programas\Pandion\Pandion.exe

O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Arquivos de programas\RDS\RMClient\PMClient.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: RM.Host.Service - Unknown owner - C:\CorporeRM\RM.Net\RM.Host.Service.exe" -sRM.Host.Service (file missing)

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

 

 

 

MAQUINA 03

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 16:47:18, on 4/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrador\Desktop\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Arquivos de programas\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Arquivos de programas\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINDOWS\Downloaded Program Files\gbiehCef.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O2 - BHO: Microsoft.SqlServer.Management.Nmo.SubscriptionChronicle.9 - {FB9D3AC6-A482-4801-9C48-DF7316769084} - C:\WINDOWS\system32\cmdial32.ocx

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Arquivos de programas\MyWebSearch\bar\1.bin\MWSBAR.DLL

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\ARQUIV~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\ARQUIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [defender] c:\\dfndrff_7.exe

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RMClient\MplSetUp.exe

O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroScoutOptions.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\npjpi150_06.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.es.getran.com.br/sah/js/smsx.cab

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {3F888695-9B41-4B29-9F44-6B560E464A16} (ssh Class) - https://cpne.bradesco.com.br/scpseg.cab

O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://cpne.bradesco.com.br/certifexp.cab

O16 - DPF: {D84A0B2D-912D-4570-B99A-8FCAA6F8CA01} (APIInterface Class) - http://www.es.getran.com.br/sna/loginout/l.../objSecuBSP.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\guard.tmp (file missing)

O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\mv88l9lu1.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Arquivos de programas\RDS\ddsschednt.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InterbaseGuardian - Inprise Corporation - C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBGuard.EXE

O23 - Service: InterbaseServer - Inprise Corporation - C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBServer.exe

O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - c:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)

O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Arquivos de programas\RDS\RsiSvc.exe

O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Arquivos de programas\RDS\srscandr.exe

O23 - Service: SOption - RICOH Company Ltd. - C:\Arquivos de programas\RDS\SOption.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

 

Obrigado

[Sam Spade 2]

Ok, vou passar as instruções para cada PC. Salve ou imprima as mesmas:

 

MAQUINA 02

 

1 - Rode o KillBox, marque Delete on Reboot e coloque em Full Path of File to Delete:

 

C:\WINDOWS\system32\nwscript.dll

 

Clique no botão . Responda Sim à pergunta.

 

Ao reiniciar o PC, aperte F8 intermitentemente. No menu escolha: modo seguro.

 

2 - Faça um scan com o HijackThis, marque a entrada abaixo, se ainda a encontrar e clique em

 

O2 - BHO: Microsoft.Aspnet.Snapin.PropertyPageExtension - {AFAE7E5E-EC78-4DD8-91A3-4130D8DBA349} - C:\WINDOWS\system32\nwscript.dll

 

3 - Rode o RemDelf conforme as instruções anteriores.

 

Reinicie em modo normal, gere um novo log com o HijackThis e salve.

 

 

MAQUINA 03

 

Esta máquina está bem infectada. Teremos de continuar com ela em novos posts, mas por agora, vamos resolver o problema com o Delf que é o mais urgente.

 

1 - Rode o KillBox, marque Delete on Reboot e coloque em Full Path of File to Delete:

 

C:\WINDOWS\system32\cmdial32.ocx

 

Clique no botão . Responda Sim à pergunta.

 

Ao reiniciar o PC, aperte F8 intermitentemente. No menu escolha: modo seguro.

 

2 - Faça um scan com o HijackThis, marque a entrada abaixo, se ainda a encontrar e clique em

 

O2 - BHO: Microsoft.SqlServer.Management.Nmo.SubscriptionChronicle.9 - {FB9D3AC6-A482-4801-9C48-DF7316769084} - C:\WINDOWS\system32\cmdial32.ocx

 

3 - Rode o RemDelf conforme as instruções anteriores.

 

Reinicie em modo normal, gere um novo log com o HijackThis e salve.

 

 

Poste os logs das duas máquinas. Informe se o travamento acabou e se sabe o que são estas entradas na máquina 2.

 

O4 - Startup: ColarIsto.exe

O4 - Global Startup: ColarIsto.exe

 

IMPORTANTE: Os logs do HijackThis que irá postar devem ser gerados em modo normal para que todos os processos apareçam.

[Erickson 0]

Muitooo bommm

parou de travar o Explorer

Muito obrigado

 

Segue o resultado do Hijack This

 

 

 

MAQUINA 02

 

Logfile of HijackThis v1.99.1

Scan saved at 13:37:46, on 8/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\UltraVNC\WinVNC.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Pandion\Pandion.exe

C:\Arquivos de programas\RDS\RMClient\PMCTray.exe

C:\Documents and Settings\administrator\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RDS\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RDS\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: ColarIsto.exe

O4 - Global Startup: ColarIsto.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Pandion.lnk = C:\Arquivos de programas\Pandion\Pandion.exe

O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Arquivos de programas\RDS\RMClient\PMClient.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: RM.Host.Service - Unknown owner - C:\CorporeRM\RM.Net\RM.Host.Service.exe" -sRM.Host.Service (file missing)

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

 

 

 

MAQUINA03

 

Logfile of HijackThis v1.99.1

Scan saved at 11:52:48, on 8/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\msdtc.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBGuard.EXE

c:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Arquivos de programas\RDS\RsiSvc.exe

C:\Arquivos de programas\RDS\srscandr.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\UltraVNC\WinVNC.exe

C:\Arquivos de programas\RDS\ddsschednt.exe

C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBServer.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Google\Google Talk\googletalk.exe

C:\ARQUIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\Documents and Settings\Proprietário\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Arquivos de programas\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Arquivos de programas\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Arquivos de programas\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINDOWS\Downloaded Program Files\gbiehCef.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Arquivos de programas\MyWebSearch\bar\1.bin\MWSBAR.DLL

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\ARQUIV~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\ARQUIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [defender] c:\\dfndrff_7.exe

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RMClient\MplSetUp.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [googletalk] "C:\Arquivos de programas\Google\Google Talk\googletalk.exe" /autostart

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARQUIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZRfox000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.es.getran.com.br/sah/js/smsx.cab

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {3F888695-9B41-4B29-9F44-6B560E464A16} (ssh Class) - https://cpne.bradesco.com.br/scpseg.cab

O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://cpne.bradesco.com.br/certifexp.cab

O16 - DPF: {D84A0B2D-912D-4570-B99A-8FCAA6F8CA01} (APIInterface Class) - http://www.es.getran.com.br/sna/loginout/l.../objSecuBSP.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\guard.tmp (file missing)

O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\mv88l9lu1.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Arquivos de programas\RDS\ddsschednt.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InterbaseGuardian - Inprise Corporation - C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBGuard.EXE

O23 - Service: InterbaseServer - Inprise Corporation - C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBServer.exe

O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - c:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)

O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Arquivos de programas\RDS\RsiSvc.exe

O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Arquivos de programas\RDS\srscandr.exe

O23 - Service: SOption - RICOH Company Ltd. - C:\Arquivos de programas\RDS\SOption.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

 

 

 

 

 

 

Ok, vou passar as instruções para cada PC. Salve ou imprima as mesmas:

 

MAQUINA 02

 

1 - Rode o KillBox, marque Delete on Reboot e coloque em Full Path of File to Delete:

 

C:\WINDOWS\system32\nwscript.dll

 

Clique no botão . Responda Sim à pergunta.

 

Ao reiniciar o PC, aperte F8 intermitentemente. No menu escolha: modo seguro.

 

2 - Faça um scan com o HijackThis, marque a entrada abaixo, se ainda a encontrar e clique em

 

O2 - BHO: Microsoft.Aspnet.Snapin.PropertyPageExtension - {AFAE7E5E-EC78-4DD8-91A3-4130D8DBA349} - C:\WINDOWS\system32\nwscript.dll

 

3 - Rode o RemDelf conforme as instruções anteriores.

 

Reinicie em modo normal, gere um novo log com o HijackThis e salve.

 

 

MAQUINA 03

 

Esta máquina está bem infectada. Teremos de continuar com ela em novos posts, mas por agora, vamos resolver o problema com o Delf que é o mais urgente.

 

1 - Rode o KillBox, marque Delete on Reboot e coloque em Full Path of File to Delete:

 

C:\WINDOWS\system32\cmdial32.ocx

 

Clique no botão . Responda Sim à pergunta.

 

Ao reiniciar o PC, aperte F8 intermitentemente. No menu escolha: modo seguro.

 

2 - Faça um scan com o HijackThis, marque a entrada abaixo, se ainda a encontrar e clique em

 

O2 - BHO: Microsoft.SqlServer.Management.Nmo.SubscriptionChronicle.9 - {FB9D3AC6-A482-4801-9C48-DF7316769084} - C:\WINDOWS\system32\cmdial32.ocx

 

3 - Rode o RemDelf conforme as instruções anteriores.

 

Reinicie em modo normal, gere um novo log com o HijackThis e salve.

 

 

Poste os logs das duas máquinas. Informe se o travamento acabou e se sabe o que são estas entradas na máquina 2.

 

O4 - Startup: ColarIsto.exe

O4 - Global Startup: ColarIsto.exe

 

IMPORTANTE: Os logs do HijackThis que irá postar devem ser gerados em modo normal para que todos os processos apareçam.

[Sam Spade 2]

Ok, para a Máquina 2 faltou informar se reconhece estas entradas:

 

O4 - Startup: ColarIsto.exe

O4 - Global Startup: ColarIsto.exe

 

Para a Máquina 3, baixe > SmitFraudFix

 

Antes de prosseguir, desabilite a proteção do seu anti vírus. Extraia os arquivos do SmitFraudFix para o seu desktop.

 

No Painel de Controle > Adicionar/Remover programas > desinstale:

 

MyWebSearch ou MyWay

 

Reinicie o PC e aperte F8 intermitentemente. No menu que vai aparecer, escolha: modo seguro.

 

Dê um duplo-clique em smitfraudfix.cmd.

Escolha a opção 2.

Quando perguntar Do you want to clean the registry? , escolha o sim (y).

 

Reinicie em modo normal, habilite novamente o seu anti vírus.

 

Faça um scan com o HijackThis e salve/poste o log, juntamente com o log do SmitFraudFix (rapport.txt), que encontrará em C:\

[Erickson 0]

Ok, para a Máquina 2 faltou informar se reconhece estas entradas:

 

O4 - Startup: ColarIsto.exe

O4 - Global Startup: ColarIsto.exe

 

Para a Máquina 3, baixe > SmitFraudFix

 

Antes de prosseguir, desabilite a proteção do seu anti vírus. Extraia os arquivos do SmitFraudFix para o seu desktop.

 

No Painel de Controle > Adicionar/Remover programas > desinstale:

 

MyWebSearch ou MyWay

 

Reinicie o PC e aperte F8 intermitentemente. No menu que vai aparecer, escolha: modo seguro.

 

Dê um duplo-clique em smitfraudfix.cmd.

Escolha a opção 2.

Quando perguntar Do you want to clean the registry? , escolha o sim (y).

 

Reinicie em modo normal, habilite novamente o seu anti vírus.

 

Faça um scan com o HijackThis e salve/poste o log, juntamente com o log do SmitFraudFix (rapport.txt), que encontrará em C:\

 

 

***********************************************************

 

MAQUINA 03

 

Segue o Hijack This apos os procedimentos.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 16:00:50, on 10/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\msdtc.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBGuard.EXE

c:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\CorporeRM\RM.Net\RM.Host.Service.exe

C:\Arquivos de programas\RDS\RsiSvc.exe

C:\Arquivos de programas\RDS\srscandr.exe

c:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\UltraVNC\WinVNC.exe

C:\Arquivos de programas\RDS\ddsschednt.exe

C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBServer.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\D-Link\AirPlus G\AirGCFG.exe

C:\Arquivos de programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Google\Google Talk\googletalk.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Proprietário\Desktop\Vacina\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINDOWS\Downloaded Program Files\gbiehCef.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Arquivos de programas\D-Link\AirPlus G\AirGCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Arquivos de programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [googletalk] "C:\Arquivos de programas\Google\Google Talk\googletalk.exe" /autostart

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZRfox000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.es.getran.com.br/sah/js/smsx.cab

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {3F888695-9B41-4B29-9F44-6B560E464A16} (ssh Class) - https://cpne.bradesco.com.br/scpseg.cab

O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://cpne.bradesco.com.br/certifexp.cab

O16 - DPF: {D84A0B2D-912D-4570-B99A-8FCAA6F8CA01} (APIInterface Class) - http://www.es.getran.com.br/sna/loginout/l.../objSecuBSP.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\guard.tmp (file missing)

O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\mv88l9lu1.dll (file missing)

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Arquivos de programas\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Arquivos de programas\RDS\ddsschednt.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InterbaseGuardian - Inprise Corporation - C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBGuard.EXE

O23 - Service: InterbaseServer - Inprise Corporation - C:\Arquivos de programas\CAIXA\SEFIP\IB6\Bin\IBServer.exe

O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - c:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)

O23 - Service: RM.Host.Service - Unknown owner - C:\CorporeRM\RM.Net\RM.Host.Service.exe" -sRM.Host.Service (file missing)

O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Arquivos de programas\RDS\RsiSvc.exe

O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Arquivos de programas\RDS\srscandr.exe

O23 - Service: SOption - RICOH Company Ltd. - C:\Arquivos de programas\RDS\SOption.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

[Sam Spade 2]

Baixe: Look2Me-Destroyer > salve no desktop.

 

Salve ou imprima estas instruções, pois vai segui-las desconectado e sem acesso a esta página:

 

1 - Dê um duplo-clique no Look2Me-Destroyer.exe (todas as janelas e programas deverão estar fechados). Marque Run this program as a task e na mensagem de que o programa vai fechar e reabrir em alguns segundos, clique em OK.

 

2 - Quando abrir novamente, clique em Scan for L2M. Faz parte do processo, ícones e desktop desaparecerem. Ao final do scan, clique em Remove L2M. Na mensagem Done Scanning, clique em OK.

 

3- Aguarde até aparecer esta mensagem: Done removing infected files! Look2Me-Destroyer will now shutdown your computer e então clique em OK.

 

O computador irá desligar e precisará ligá-lo novamente.

 

4 - Faça um scan com o HijackThis e salve/poste o log, mais o Look2Me-Destroyer.txt que encontrará no C:\

 

OBS: Ainda não informou se reconhece estas entradas:

 

O4 - Startup: ColarIsto.exe

O4 - Global Startup: ColarIsto.exe

[Erickson 0]

Caraaaa to ferrado aqui mesmo

mas 3 pcs com o mesmo problema.

Como podemos identificar os arquivos que estao infectados.

 

OBS: "ColarIsto" é um programa tipo Pos It

 

Obrigadooo pela ajudaaaaa

Erickson

 

 

MAQUINA 04 - Trava o Windows Explorer

 

Logfile of HijackThis v1.99.1

Scan saved at 11:15:45, on 12/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\WINDOWS\system32\sistray.exe

C:\Arquivos de programas\RDS\RMClient\PMCTray.exe

C:\Arquivos de programas\Outlook Express\msimn.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\kamorim\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DXTransform.Microsoft.DXLUTBuilder.1 - {C098FF31-4C9D-4CB5-9964-4E3C51743F99} - C:\WINDOWS\system32\kbdbu.ocx

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RDS\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RDS\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Pandion.lnk = C:\Arquivos de programas\Pandion\Pandion.exe

O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Arquivos de programas\RDS\RMClient\PMClient.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

 

 

 

 

MAQUINA 05 - Trava o Windows Explorer

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:21:56, on 12/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\UltraVNC\WinVNC.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Documents and Settings\cbelmont\Meus documentos\Carla\VolumeWatcher\SPUVolumeWatcher.exe

C:\Arquivos de programas\RDS\RMClient\PMCTray.exe

\Engenharia04\c$\Arquivos de programas\OpenOffice.org 2.0\program\soffice.exe

\Engenharia04\c$\Arquivos de programas\OpenOffice.org 2.0\program\soffice.BIN

C:\Arquivos de programas\Outlook Express\msimn.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINDOWS\Downloaded Program Files\gbiehCef.dll

O2 - BHO: CertificateAuthority.ServerPolicy - {ED5C5354-A267-47F1-AC09-D7A9A464BC39} - C:\WINDOWS\system32\comrepl.ocx

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RDS\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RDS\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: Ferramenta de Verificação de Mídia do Cyber-shot Viewer.lnk = C:\Documents and Settings\cbelmont\Meus documentos\Carla\VolumeWatcher\SPUVolumeWatcher.exe

O4 - Startup: OpenOffice.org 2.0.lnk = Arquivos de programas\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Arquivos de programas\RDS\RMClient\PMClient.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {05574F48-FEE1-4A0A-9013-B8A85C7C6CCE} (VacPro.int_ver20a) - http://www.muiegaozsicur.com/ocx/int_ver20a.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: RM.Host.Service - Unknown owner - C:\CorporeRM\RM.Net\RM.Host.Service.exe" -sRM.Host.Service (file missing)

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

 

 

 

 

MAQUINA 06 - Ao abrir o IE aparece a mensagem "AE"

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:20:02, on 12/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\Pandion\Pandion.exe

C:\Speedagenda\SpeedAgenda.exe

C:\Arquivos de programas\BrOffice.org 2.0\program\soffice.exe

C:\Arquivos de programas\BrOffice.org 2.0\program\soffice.BIN

C:\Arquivos de programas\RDS\RMClient\PMCTray.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Temp\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sacavalcante.com.br/grupo/site.php

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: SAPI.SpSharedRecognizer.1 - {7A9B2F42-8A45-4464-A384-F1028143906F} - C:\WINDOWS\system32\msdatsrc.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gbiehCef.dll

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [JobHisInit] C:\Arquivos de programas\RDS\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Arquivos de programas\RDS\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKCU\..\Run: [MicroSys-CheckAjour] C:\Arquivos de programas\Micro-Sys Software\Ajour\ChkAjour.exe

O4 - Startup: BrOffice.org 2.0.lnk = C:\Arquivos de programas\BrOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Pandion.lnk = C:\Arquivos de programas\Pandion\Pandion.exe

O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Arquivos de programas\RDS\RMClient\PMClient.exe

O4 - Global Startup: Speed Agenda.lnk = C:\Speedagenda\SpeedAgenda.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {3F888695-9B41-4B29-9F44-6B560E464A16} (ssh Class) - https://cpne.bradesco.com.br/scpseg.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161780643453

O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://cpne.bradesco.com.br/certifexp.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: RM.Host.Service - Unknown owner - C:\CorporeRM\RM.Net\RM.Host.Service.exe" -sRM.Host.Service (file missing)

 

 

 

********************************************************************************

**

 

 

 

Baixe: Look2Me-Destroyer > salve no desktop.

 

Salve ou imprima estas instruções, pois vai segui-las desconectado e sem acesso a esta página:

 

1 - Dê um duplo-clique no Look2Me-Destroyer.exe (todas as janelas e programas deverão estar fechados). Marque Run this program as a task e na mensagem de que o programa vai fechar e reabrir em alguns segundos, clique em OK.

 

2 - Quando abrir novamente, clique em Scan for L2M. Faz parte do processo, ícones e desktop desaparecerem. Ao final do scan, clique em Remove L2M. Na mensagem Done Scanning, clique em OK.

 

3- Aguarde até aparecer esta mensagem: Done removing infected files! Look2Me-Destroyer will now shutdown your computer e então clique em OK.

 

O computador irá desligar e precisará ligá-lo novamente.

 

4 - Faça um scan com o HijackThis e salve/poste o log, mais o Look2Me-Destroyer.txt que encontrará no C:\

 

OBS: Ainda não informou se reconhece estas entradas:

 

O4 - Startup: ColarIsto.exe

O4 - Global Startup: ColarIsto.exe

[Sam Spade 2]

Caraaaa to ferrado aqui mesmo

mas 3 pcs com o mesmo problema.

Como podemos identificar os arquivos que estao infectados.

A entrada do delf no log é um BHO (Browser Helper Object) que aparece nas entradas 02 do HijackThis.

 

Um BHO legítimo, geralmente tem um arquivo de extensão .dll. O do delf geralmente é extensão .ocx.

 

São raros os BHO com esta extensão. O do Adobe Acrobat é uma delas:

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

Assim você olha no log, um BHO que tenha extensão .ocx. Na máquina 4 é esta a entrada do delf:

 

O2 - BHO: DXTransform.Microsoft.DXLUTBuilder.1 - {C098FF31-4C9D-4CB5-9964-4E3C51743F99} - C:\WINDOWS\system32\kbdbu.ocx

Então, você aplica o que foi feito anteriormente, deletando com o KillBox o arquivo. Indicando o caminho:

 

C:\WINDOWS\system32\kbdbu.ocx

 

E depois em modo de segurança, marca a entrada no HijackThis e clica em Fix checked:

 

O2 - BHO: DXTransform.Microsoft.DXLUTBuilder.1 - {C098FF31-4C9D-4CB5-9964-4E3C51743F99} - C:\WINDOWS\system32\kbdbu.ocx

 

Após ter feito isso rode o RemDelf.

 

================================

 

Identificando a da máquina 5:

 

O2 - BHO: CertificateAuthority.ServerPolicy - {ED5C5354-A267-47F1-AC09-D7A9A464BC39} - C:\WINDOWS\system32\comrepl.ocx

Siga o mesmo esquema.

 

================================

 

Identificando a da máquina 6:

 

Nesta máquina, o delf usou um BHO com extensão .dll, pois não existe nenhum BHO com extensão .ocx, a não ser o legítimo da Adobe. Portanto, é óbvio que é uma .dll.

 

Pelas características do nome do BHO e vendo que os outros BHO's são legítimos, identifica-se a do delf:

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: SAPI.SpSharedRecognizer.1 - {7A9B2F42-8A45-4464-A384-F1028143906F} - C:\WINDOWS\system32\msdatsrc.dll <<< aqui

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gbiehCef.dll

Assim ficará fácil para você identificar em outras máquinas o BHO e seguir as instruções em todas que estiverem infectadas.

[Erickson 0]

Maquina 04 e 05

estão ok

 

Valeu

Obrigado.

 

 

Caraaaa to ferrado aqui mesmo

mas 3 pcs com o mesmo problema.

Como podemos identificar os arquivos que estao infectados.

A entrada do delf no log é um BHO (Browser Helper Object) que aparece nas entradas 02 do HijackThis.

 

Um BHO legítimo, geralmente tem um arquivo de extensão .dll. O do delf geralmente é extensão .ocx.

 

São raros os BHO com esta extensão. O do Adobe Acrobat é uma delas:

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

Assim você olha no log, um BHO que tenha extensão .ocx. Na máquina 4 é esta a entrada do delf:

 

O2 - BHO: DXTransform.Microsoft.DXLUTBuilder.1 - {C098FF31-4C9D-4CB5-9964-4E3C51743F99} - C:\WINDOWS\system32\kbdbu.ocx

Então, você aplica o que foi feito anteriormente, deletando com o KillBox o arquivo. Indicando o caminho:

 

C:\WINDOWS\system32\kbdbu.ocx

 

E depois em modo de segurança, marca a entrada no HijackThis e clica em Fix checked:

 

O2 - BHO: DXTransform.Microsoft.DXLUTBuilder.1 - {C098FF31-4C9D-4CB5-9964-4E3C51743F99} - C:\WINDOWS\system32\kbdbu.ocx

 

Após ter feito isso rode o RemDelf.

 

================================

 

Identificando a da máquina 5:

 

O2 - BHO: CertificateAuthority.ServerPolicy - {ED5C5354-A267-47F1-AC09-D7A9A464BC39} - C:\WINDOWS\system32\comrepl.ocx

Siga o mesmo esquema.

 

================================

 

Identificando a da máquina 6:

 

Nesta máquina, o delf usou um BHO com extensão .dll, pois não existe nenhum BHO com extensão .ocx, a não ser o legítimo da Adobe. Portanto, é óbvio que é uma .dll.

 

Pelas características do nome do BHO e vendo que os outros BHO's são legítimos, identifica-se a do delf:

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: SAPI.SpSharedRecognizer.1 - {7A9B2F42-8A45-4464-A384-F1028143906F} - C:\WINDOWS\system32\msdatsrc.dll <<< aqui

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gbiehCef.dll

Assim ficará fácil para você identificar em outras máquinas o BHO e seguir as instruções em todas que estiverem infectadas.

[Sam Spade 2]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto é necessário enviar uma Mensagem Privada para um Moderador com um link para o tópico.