
Archived

This topic has been archived and is closed to new replies.

gabriel_jsmbr

[Solved!] Suspected virus


Hi iMasters people, I have a problem. By accident I installed an ActiveX control on my PC, and since then there is an icon in the taskbar that keeps telling me my PC has a virus. So I went to Control Panel / Add or Remove Programs and uninstalled that ActiveX control, and my PC restarted by itself. Then I went back and there was a program listed there called "internet explorer secure bar"; I tried to remove it, but again my PC restarts and the program stays there, and when I click the balloon warning about this supposed virus it opens a web page and goes into an antivirus site. I would like you to help me, thanks. My log follows:

Logfile of HijackThis v1.99.1

Scan saved at 22:24:39, on 28/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Video ActiveX Access\imsmain.exe

C:\Arquivos de programas\AntiVir PersonalEdition Classic\avgnt.exe

C:\arquivos de programas\powerstrip\pstrip.exe

C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

C:\Arquivos de programas\DAP\DAP.EXE

C:\Arquivos de programas\Video ActiveX Access\imsmn.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\Arquivos de programas\Assistente Tecnico Speedy\bin\mpbtn.exe

C:\Arquivos de programas\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Arquivos de programas\a-squared Free\a2free.exe

C:\Arquivos de programas\AntiVir PersonalEdition Classic\avscan.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Gabriel_jsmelo\Meus documentos\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Arquivos de programas\Video ActiveX Access\iesplg.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Arquivos de programas\Video ActiveX Access\iesbpl.dll (file missing)

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [LClock] C:\Arquivos de programas\LClock\LClock.exe

O4 - HKLM\..\Run: [PowerStrip] c:\arquivos de programas\powerstrip\pstrip.exe

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Arquivos de programas\DAP\DAP.EXE" /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Blaero Start Orb.lnk = C:\Arquivos de programas\Blaero Start Orb\Blaero Start Orb.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Assistente Tecnico Speedy.lnk = C:\Arquivos de programas\Assistente Tecnico Speedy\bin\matcli.exe

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Arquivos de programas\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 85.255.113.109 85.255.112.141

O17 - HKLM\System\CCS\Services\Tcpip\..\{E538E80A-8208-4981-937E-796E7381C026}: NameServer = 85.255.113.109,85.255.112.141

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.109 85.255.112.141

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 85.255.113.109 85.255.112.141

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.109 85.255.112.141

O17 - HKLM\System\CS2\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 85.255.113.109 85.255.112.141

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.109 85.255.112.141

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)


Hello gabriel_jsmbr! The log shows an infection by SmitFraud, which is your main complaint, and another by WareOut, malware that changed your network settings:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 85.255.113.109 85.255.112.141

O17 - HKLM\System\CCS\Services\Tcpip\..\{E538E80A-8208-4981-937E-796E7381C026}: NameServer = 85.255.113.109,85.255.112.141

85.255.113.109,85.255.112.141 < DNS servers of malicious domains that install UnSpyPC, KillAndClean or WareOut (rogue anti-spyware programs) against the user's will.

During the malware removal you may have problems with your connection and will have to reconfigure the network.

Call your provider and ask them for the primary and secondary DNS. Or see whether you can find them at this link.

EXAMPLE:

Speedy DNS:

Primary: 200.205.125.58

Secondary: 200.205.125.57

In the next step, once you post the DNS, you will get the instructions for removing WareOut.

Download > SmitFraudFix

Before continuing, disable your antivirus protection. Extract the SmitFraudFix files to your desktop.

Restart the PC and tap F8 repeatedly. In the menu that appears, choose: Safe Mode.

Double-click smitfraudfix.cmd.

Choose option 2.

When it asks Do you want to clean the registry?, choose yes (y).

Restart in normal mode, enable your antivirus again, run a scan with HijackThis and save/post the log, together with the SmitFraudFix log (rapport.txt), which you will find in C:\

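The two indicators the helper points at above (O17 lines carrying resolvers that are not the ISP's, and O2/O3 entries whose DLL is missing) can be pulled out of a HijackThis log automatically. This is an added example, not code from the thread, from HijackThis or from FixWareOut; the sample lines are constructed in the shape of the first log, and the expected resolvers are the Speedy pair quoted in the reply.

```python
"""Flag the DNS-hijack indicators called out in the thread above.

Added example, not code from the thread, from HijackThis or from FixWareOut.
It reads HijackThis log text, returns every O17 resolver that is not one of
the ISP's resolvers, and lists O2/O3 (BHO/toolbar) entries whose file is
missing, the pattern left behind by the removed "Video ActiveX Access"
component in the logs above.
"""
import ipaddress
import re

# Constructed sample: five lines copied in the shape of the first log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Arquivos de programas\Video ActiveX Access\iesplg.dll (file missing)
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Arquivos de programas\Video ActiveX Access\iesbpl.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 85.255.113.109 85.255.112.141
O17 - HKLM\System\CCS\Services\Tcpip\..\{E538E80A-8208-4981-937E-796E7381C026}: NameServer = 85.255.113.109,85.255.112.141
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 200.205.125.58 200.205.125.57
"""

# The resolvers the ISP hands out: the Speedy pair quoted in the reply above.
EXPECTED_DNS = frozenset({"200.205.125.58", "200.205.125.57"})

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
MISSING_RE = re.compile(r"^(?P<kind>O[23]) - .+ - (?P<path>.+?) \(file missing\)$")


def parse_nameservers(line):
    """Return (registry_key, [resolver, ...]) for an O17 line, else None.

    HijackThis prints the list separated by spaces on some keys and by
    commas on others (both forms appear in the log above), so split on both.
    """
    m = O17_RE.match(line.strip())
    if m is None:
        return None
    resolvers = []
    for token in re.split(r"[ ,]+", m.group("servers")):
        if not token:
            continue
        try:
            resolvers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            resolvers.append(token)  # keep the raw token so it is still reported
    return m.group("key"), resolvers


def find_rogue_dns(log_text, expected=EXPECTED_DNS):
    """Map each O17 registry key to the resolvers on it that are not expected.

    Every interface key and the CS1/CS2 control sets are checked separately,
    because the log above shows the rogue pair written into all of them.
    """
    rogue = {}
    for line in log_text.splitlines():
        parsed = parse_nameservers(line)
        if parsed is None:
            continue
        key, resolvers = parsed
        unexpected = [r for r in resolvers if r not in expected]
        if unexpected:
            rogue[key] = unexpected
    return rogue


def find_missing_file_hooks(log_text):
    """List (entry_kind, path) for BHO/toolbar entries whose DLL is gone."""
    hooks = []
    for line in log_text.splitlines():
        m = MISSING_RE.match(line.strip())
        if m is not None:
            hooks.append((m.group("kind"), m.group("path")))
    return hooks


def report(log_text, expected=EXPECTED_DNS):
    """Human-readable summary of both checks, one finding per line."""
    lines = []
    for key, resolvers in find_rogue_dns(log_text, expected).items():
        lines.append(f"rogue DNS on {key}: {' '.join(resolvers)}")
    for kind, path in find_missing_file_hooks(log_text):
        lines.append(f"{kind} entry points at a missing file: {path}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Feed it the text of a full log instead of SAMPLE_LOG and swap EXPECTED_DNS for the resolvers your own provider gives you; anything reported on the O17 lines after the fix is what still needs changing by hand.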

OK, here are the logs

 

Logfile of HijackThis v1.99.1

Scan saved at 00:18:22, on 30/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\notepad.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\Arquivos de programas\AntiVir PersonalEdition Classic\avgnt.exe

C:\arquivos de programas\powerstrip\pstrip.exe

C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

C:\Arquivos de programas\DAP\DAP.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Assistente Tecnico Speedy\bin\mpbtn.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Documents and Settings\Gabriel_jsmelo\Meus documentos\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Arquivos de programas\Video ActiveX Access\iesplg.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [LClock] C:\Arquivos de programas\LClock\LClock.exe

O4 - HKLM\..\Run: [PowerStrip] c:\arquivos de programas\powerstrip\pstrip.exe

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Arquivos de programas\DAP\DAP.EXE" /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Blaero Start Orb.lnk = C:\Arquivos de programas\Blaero Start Orb\Blaero Start Orb.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Assistente Tecnico Speedy.lnk = C:\Arquivos de programas\Assistente Tecnico Speedy\bin\matcli.exe

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Arquivos de programas\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 85.255.113.109 85.255.112.141

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 85.255.113.109 85.255.112.141

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

 

 

SmitFraudFix v2.197

 

Scan done at 0:12:42,37, s b 30/06/2007

Run from C:\Documents and Settings\Gabriel_jsmelo\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\DOCUME~1\GABRIE~1\FAVORI~1\Online Security Test.url Deleted

Problem while deleting C:\Arquivos de programas\Video ActiveX Access\

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"="cslsm.exe"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

 

C:\Arquivos de programas\Video ActiveX Access Deleted

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


Great, OK. So I called the provider and explained that I would need the DNS numbers, and they suggested that I first do the procedure you gave me and then request the numbers. I will send them to you in the next post, but I have a doubt: does the link you gave me have this number? Because I looked there and saw my provider's DNS number in the list; I just wanted to know whether they are all the same.


The DNS depend on your provider and the city where you live. Download:

FixWareOut > save it to the desktop.

Save or print these instructions, because you will follow them disconnected and without access to this page:

1 - Double-click Fixwareout.exe to start the installation. Click the Next button and then Install.

Check that the Run fixit box is ticked and then click Finish.

Follow the program's instructions and when it asks whether you want to restart, say yes.

When the PC restarts, tap F8 repeatedly. In the menu choose: Safe Mode.

It will take a while to restart and load completely; wait.

2 - Run a scan with HijackThis, tick the entries below that you still find and click ht-fix.png

O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Arquivos de programas\Video ActiveX Access\iesplg.dll (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 85.255.113.109 85.255.112.141

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 85.255.113.109 85.255.112.141

3 - Go to Control Panel > Network Connections > choose your connection: Broadband or Dial-up.

Right-click it and choose Properties.

Choose Networking > TCP/IP Protocol and click Properties.

Tick: Use the following DNS server addresses.

In the primary DNS and secondary DNS fields, type the ones given by the provider.

Click OK twice and restart the computer normally.

4 - Run a scan with HijackThis and save/post the log, and also the report.txt that you will find at C:\fixwareout\report.txt.


OK, I did everything as you told me, here is the log

 

Logfile of HijackThis v1.99.1

Scan saved at 20:06:25, on 3/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\AntiVir PersonalEdition Classic\avgnt.exe

C:\arquivos de programas\powerstrip\pstrip.exe

C:\Arquivos de programas\DAP\DAP.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Assistente Tecnico Speedy\bin\mpbtn.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\Arquivos de programas\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Documents and Settings\Gabriel_jsmelo\Meus documentos\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://terra.com.br/

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [LClock] C:\Arquivos de programas\LClock\LClock.exe

O4 - HKLM\..\Run: [PowerStrip] c:\arquivos de programas\powerstrip\pstrip.exe

O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Arquivos de programas\DAP\DAP.EXE" /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Blaero Start Orb.lnk = C:\Arquivos de programas\Blaero Start Orb\Blaero Start Orb.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Assistente Tecnico Speedy.lnk = C:\Arquivos de programas\Assistente Tecnico Speedy\bin\matcli.exe

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Arquivos de programas\MP3 Player Utilities 4.00\AMVConverter\grab.html

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Arquivos de programas\MP3 Player Utilities 4.00\MediaManager\grab.html

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 200.204.0.10 200.204.0.138

O17 - HKLM\System\CCS\Services\Tcpip\..\{E538E80A-8208-4981-937E-796E7381C026}: NameServer = 200.204.0.10,200.204.0.138

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B124A52-B8DC-4483-A033-7EFC7549EE26}: NameServer = 200.204.0.10 200.204.0.138

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

 

 

 

Fixwareout Last edited 6/27/2007

Post this report in the forums please

...

»»»»»Prerun check

HKLM\SOFTWARE\~\Winlogon\ "System"="cslsm.exe"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0B124A52-B8DC-4483-A033-7EFC7549EE26}

"nameserver"="85.255.113.109" <Value cleared.

 

Liberação do cache do DNS Resolver bem-sucedida.

 

 

System was rebooted successfully.

 

»»»»» Postrun check

HKLM\SOFTWARE\~\Winlogon\ "system"=""

....

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "2mdm" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4459FC168ADA-005A-3C74-5BD4-E1D1DD0F{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}785C5E363432-79EA-C554-C5F9-577C2110{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "bqumd" Deleted

....

»»»»» Misc files.

C:\WINDOWS\system32\{C54B26B1-1536-47EC-A2E6-0F1695CDC246}.exe Deleted

C:\WINDOWS\System32\kernel32.exe Deleted

....

»»»»» Checking for older varients.

....

»»»»» Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="\"C:\\Arquivos de programas\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

"LClock"="C:\\Arquivos de programas\\LClock\\LClock.exe"

"PowerStrip"="c:\\arquivos de programas\\powerstrip\\pstrip.exe"

"DownloadAccelerator"="\"C:\\Arquivos de programas\\DAP\\DAP.EXE\" /STARTUP"

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»


PROBLEM SOLVED!

If the author needs the topic to be reopened, send a Private Message to a Moderator with a link to the topic.
