[Resolvido!]Malware desativou o Gerenciador de Tarefas

[P4nd4x 0]

Peguei este viruz, retirei ele no msconfig mais ele continuou o FireWall deu Block nele foi possivel pegar o IP do servidor que baixa os arquivos, mais me parece bloqueado ou é so um "Fake" o ip é 81.177.22.109 tava pela porta 80 da Web mais tinha uma segunda 0.0.0.0 1016 algo assim mais nenhum aplicativo rodando.

 

Ai ta meu Log, seria possivel analisar ^^

outra coisa desativou meu gerenciador de Tarefas, sabe como reativalo???

 

 

Logfile of HijackThis v1.99.1

Scan saved at 14:27:27, on 11/2/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\WINDOWS\system32\spoolsv.exe

E:\WINDOWS\Explorer.EXE

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

E:\WINDOWS\SOUNDMAN.EXE

E:\WINDOWS\system32\RUNDLL32.EXE

E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BL.EXE

E:\WINDOWS\system32\kernels88.exe

E:\WINDOWS\system32\ctfmon.exe

E:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

E:\Arquivos de programas\DAEMON Tools\daemon.exe

E:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

E:\WINDOWS\system32\nvsvc32.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

E:\WINDOWS\System32\svchost.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

E:\Arquivos de programas\Internet Explorer\iexplore.exe

E:\WINDOWS\system32\wuauclt.exe

C:\KillBox\KillBox.exe

E:\Documents and Settings\Ciro\Meus documentos\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.hardwiredplanet.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [ink Monitor] E:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [nTrayFw] E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BL.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"

O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [system] E:\WINDOWS\system32\kernels88.exe

O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "E:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools] "E:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

O4 - Startup: Adobe Gamma.lnk = E:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = E:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Microsoft Office.lnk = E:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - E:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

[P4nd4x 0]

Passei agora o SmitFraudFix v2.141 e o HickJack sei la o nome ^^

os log estao ai a baixo

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 14:40:43, on 11/2/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\WINDOWS\system32\spoolsv.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

E:\WINDOWS\SOUNDMAN.EXE

E:\WINDOWS\system32\RUNDLL32.EXE

E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BL.EXE

E:\WINDOWS\system32\ctfmon.exe

E:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

E:\Arquivos de programas\DAEMON Tools\daemon.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

E:\WINDOWS\system32\nvsvc32.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

E:\WINDOWS\System32\svchost.exe

E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

E:\Arquivos de programas\Internet Explorer\iexplore.exe

E:\WINDOWS\system32\rundll32.exe

E:\WINDOWS\explorer.exe

E:\Documents and Settings\Ciro\Meus documentos\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [ink Monitor] E:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [nTrayFw] E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BL.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"

O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "E:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools] "E:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

O4 - Startup: Adobe Gamma.lnk = E:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = E:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Microsoft Office.lnk = E:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O10 - Unknown file in Winsock LSP: e:\windows\system32\nvappfilter.dll

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - E:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - E:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe

 

 

 

 

 

 

SmitFraudFix v2.141

 

Scan done at 14:37:42,00, dom 11/02/2007

Run from E:\Documents and Settings\Ciro\Meus documentos\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

[Sam Spade 2]

Olá P4nd4x! O log está limpo. Baixe: Task-Fix

 

Execute-o e clique em "Sim".

O Gerenciador de Tarefas deve estar funcionando.

[Sam Spade 2]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto é necessário enviar uma Mensagem Privada para um Moderador com um link para o tópico.