
rosanaloretti

[Resolved!] Log analysis


:!:

Hello, good morning!!

Please analyze this log, because the machine is slow and when I ran Panda online it reported 3 malware items.

I await your reply.

:blink:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:03:13, on 22/4/08

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\j\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: (no name) - {437E288B-276F-C6CF-5CC3-869CF799CDA2} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-1390067357-688789844-854245398-1003\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe (User '?')

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2364621F-25AD-4502-9A15-5B6BE5486DFF}: NameServer = 200.165.132.148,200.149.55.140

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

--

End of file - 6070 bytes

 

 

 

The log below is the one from Panda online.

 

 

;*******************************************************************************

ANALYSIS: 2008-04-22 10:44:55

PROTECTIONS: 1

MALWARE: 3

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Avira AntiVir PersonalEdition 8.0.1.15 No Yes

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00049433 Adware/Gator Adware No 0 Yes No C:\System Volume Information\_restore{8CAFB257-6C57-4F11-BC9E-6BC64EBFD158}\RP326\A0208694.exe

00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\j\Cookies\j@uol.com[1].txt

00268779 Adware/Lop Adware No 0 Yes No C:\Arquivos de programas\Adverts\uninst.exe

;===============================================================================

SUSPECTS

Sent Location x

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description x

;===============================================================================

;===============================================================================


Hello rosanaloretti! Of the 3 Panda detections, only the last one is valid. The first was in System Restore, and the machine would only be infected if you needed to use System Restore for some reason. The second is just a tracking cookie and poses no danger. See this article about it:

Advertisers defend tracking cookies

Save or print these instructions:

1 - Open HijackThis and click Do a system scan only. Wait for the scan to finish.

Each entry has a box on its left side. Check only the boxes of the entries below:

 

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)

 

O2 - BHO: (no name) - {437E288B-276F-C6CF-5CC3-869CF799CDA2} - (no file)

 

O3 - Toolbar: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)

 

O8 - Extra context menu item: Crawler Search - tbr:iemenu

 

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)

 

A V mark will appear inside each box.

Then click ht-fix.png. Answer OK to the prompt and then close HijackThis.

2 - In Control Panel > Add/Remove Programs > if you find it, uninstall: Adverts

3 - Go to the Arquivos de programas (Program Files) folder and delete the Adverts folder.

4 - Clean up the temporary files and fix Registry errors with CCleaner.

5 - Go to Control Panel > System > System Restore > check Turn off System Restore > Apply > OK.

Afterwards, uncheck it again.

After doing this, the PC will be clean. :thumbsup:

Regards.


:seta:

Good morning!!

I carried out the procedure you asked for, but when I deleted the items Spybot asked whether this entry was allowed. I clicked deny, then it asked again whether it was allowed and I clicked allow, OK. Right after that I went to restart and it gave the following message, marked with a red x: access violation at address 0046c405 in module teatime.exe read of address 00000010

I clicked restart, ran Panda again and the PC was not infected, but I ran HijackThis again and the new log follows for analysis.

Thank you in advance!!!

Regards, Rosana.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:18:19, on 23/4/08

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\j\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-1390067357-688789844-854245398-1003\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe (User '?')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2364621F-25AD-4502-9A15-5B6BE5486DFF}: NameServer = 200.165.132.148,200.149.55.140

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

--

End of file - 5732 bytes


OK, Spybot's TeaTimer brought back one of the entries.

Select and copy the content inside the QUOTE:

 

@echo off

:: Edited 9:48 AM 9/21/2007

:: s!ri thanks for sharing your script

:: Please do not mirror this batch

if [%OS%]==[Windows_NT] set path=%windir%;%SystemRoot%\system32

 

VER|find "Windows 2000">NUL

IF NOT ERRORLEVEL 1 GOTO NT

 

VER|find "Windows XP">NUL

IF NOT ERRORLEVEL 1 GOTO NT

 

VER|find "Windows 95">NUL

IF NOT ERRORLEVEL 1 GOTO win

 

VER|find "Windows 98">NUL

IF NOT ERRORLEVEL 1 GOTO win

 

VER|find "Windows Millennium">NUL

IF NOT ERRORLEVEL 1 GOTO winme

 

VER|find "Windows 2003">NUL

IF NOT ERRORLEVEL 1 GOTO NT

 

echo Unsupported Version

goto last

 

:NT

Echo.

Echo SpyBot and Tea Timer must be closed!! & pause

Echo.

CScript /?>nul 2>&1 && echo/Check OK>log1.txt || echo/Windows Script Host access is disabled on this machine. >log2.txt

if exist log1.txt goto continue

 

echo Post this in the forum please.>>log2.txt & start notepad log2.txt & exit

 

:continue

if exist log1.txt del log1.txt

 

echo.Option Explicit>GetPaths.vbs

echo.>>GetPaths.vbs

echo Dim Shell>>GetPaths.vbs

echo Dim KeyPath>>GetPaths.vbs

echo Dim ObjFileSystem>>GetPaths.vbs

echo Dim ObjOutputFile>>GetPaths.vbs

echo Dim ObjRegExp>>GetPaths.vbs

echo Dim File>>GetPaths.vbs

echo Dim TmpVar>>GetPaths.vbs

echo Dim Var>>GetPaths.vbs

echo Dim Accent>>GetPaths.vbs

 

echo.>>GetPaths.vbs

echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs

echo File = "SetPaths.bat">>GetPaths.vbs

echo.>>GetPaths.vbs

echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs

echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs

echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs

echo Set ObjRegExp = New RegExp>>GetPaths.vbs

echo.>>GetPaths.vbs

 

echo Function ShortFileName(Path)>>GetPaths.vbs

echo Dim f>>GetPaths.vbs

echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs

echo ShortFileName = f.ShortPath>>GetPaths.vbs

echo End Function>>GetPaths.vbs

 

echo Function Accents(Str)>>GetPaths.vbs

echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs

echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs

echo ObjRegExp.Global = True>>GetPaths.vbs

echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs

echo End Function>>GetPaths.vbs

echo.>>GetPaths.vbs

 

echo TmpVar = Shell.RegRead (KeyPath ^& "AppData")>>GetPaths.vbs

echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs

echo Var = "Set AppData=" ^& TmpVar>>GetPaths.vbs

echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs

echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath ^& "Common AppData")>>GetPaths.vbs

echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs

echo Var = "Set CommonAppData=" ^& TmpVar>>GetPaths.vbs

echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs

echo ObjOutputFile.Close>>GetPaths.vbs

echo Set objFileSystem = Nothing>>GetPaths.vbs

echo Set Shell = Nothing>>GetPaths.vbs

echo Set ObjRegExp = nothing>>GetPaths.vbs

echo.>>GetPaths.vbs

 

 

cscript //I //nologo GetPaths.vbs

del GetPaths.vbs

Call SetPaths.bat

del SetPaths.bat

 

 

(@echo off

del /q %CommonAppData%\spybot~1\Snapshots\*.*

del /q %CommonAppData%\spybot~1\Snapshots2\*.*

del /q %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe

del /q %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe

del /q %CommonAppData%\spybot~1\excludes\ProcWhite.sbe

del /q %CommonAppData%\spybot~1\excludes\ProcBlack.sbe

del /q %CommonAppData%\spybot~1\excludes\UpdateDL.sbe

del /q %CommonAppData%\spybot~1\logs\resident.log

)>NUL 2>&1

Echo.

Echo Finished & pause & exit

 

:win

Echo.

Echo SpyBot and Tea Timer must be closed!!

pause

echo.Option Explicit>GetPaths.vbs

echo.>>GetPaths.vbs

echo Dim Shell>>GetPaths.vbs

echo Dim KeyPath>>GetPaths.vbs

echo Dim ObjFileSystem>>GetPaths.vbs

echo Dim ObjOutputFile>>GetPaths.vbs

echo Dim ObjRegExp>>GetPaths.vbs

echo Dim File>>GetPaths.vbs

echo Dim TmpVar>>GetPaths.vbs

echo Dim Var>>GetPaths.vbs

echo Dim Accent>>GetPaths.vbs

 

echo.>>GetPaths.vbs

echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs

echo File = "SetPaths.bat">>GetPaths.vbs

echo.>>GetPaths.vbs

echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs

echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs

echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs

echo Set ObjRegExp = New RegExp>>GetPaths.vbs

echo.>>GetPaths.vbs

 

echo Function ShortFileName(Path)>>GetPaths.vbs

echo Dim f>>GetPaths.vbs

echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs

echo ShortFileName = f.ShortPath>>GetPaths.vbs

echo End Function>>GetPaths.vbs

 

echo Function Accents(Str)>>GetPaths.vbs

echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs

echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs

echo ObjRegExp.Global = True>>GetPaths.vbs

echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs

echo End Function>>GetPaths.vbs

echo.>>GetPaths.vbs

 

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs

echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs

echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs

echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs

echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs

echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs

echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs

echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs

echo ObjOutputFile.Close>>GetPaths.vbs

echo Set objFileSystem = Nothing>>GetPaths.vbs

echo Set Shell = Nothing>>GetPaths.vbs

echo Set ObjRegExp = nothing>>GetPaths.vbs

echo.>>GetPaths.vbs

 

 

cscript //I //nologo GetPaths.vbs

del GetPaths.vbs

Call SetPaths.bat

del SetPaths.bat

 

 

 

 

deltree /y %AppData%\spybot~1\snapshots\*.*

deltree /y %AppData%\spybot~1\Snapshots2\*.*

del %AppData%\spybot~1\logs\resident.log

del %AppData%\spybot~1\excludes\ProcBlack.sbe

del %AppData%\spybot~1\excludes\ProcWhite.sbe

del %AppData%\spybot~1\excludes\RegKeyWhite.sbe

del %AppData%\spybot~1\excludes\RegKeyBlack.sbe

del %AppData%\spybot~1\excludes\UpdateDL.sbe

cls

Echo.

Echo Finished

exit

 

 

 

:winme

Echo.

Echo SpyBot and Tea Timer must be closed!!

pause

echo.Option Explicit>GetPaths.vbs

echo.>>GetPaths.vbs

echo Dim Shell>>GetPaths.vbs

echo Dim KeyPath>>GetPaths.vbs

echo Dim ObjFileSystem>>GetPaths.vbs

echo Dim ObjOutputFile>>GetPaths.vbs

echo Dim ObjRegExp>>GetPaths.vbs

echo Dim File>>GetPaths.vbs

echo Dim TmpVar>>GetPaths.vbs

echo Dim Var>>GetPaths.vbs

echo Dim Accent>>GetPaths.vbs

 

echo.>>GetPaths.vbs

echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs

echo File = "SetPaths.bat">>GetPaths.vbs

echo.>>GetPaths.vbs

echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs

echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs

echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs

echo Set ObjRegExp = New RegExp>>GetPaths.vbs

echo.>>GetPaths.vbs

 

echo Function ShortFileName(Path)>>GetPaths.vbs

echo Dim f>>GetPaths.vbs

echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs

echo ShortFileName = f.ShortPath>>GetPaths.vbs

echo End Function>>GetPaths.vbs

 

echo Function Accents(Str)>>GetPaths.vbs

echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs

echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs

echo ObjRegExp.Global = True>>GetPaths.vbs

echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs

echo End Function>>GetPaths.vbs

echo.>>GetPaths.vbs

 

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs

echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs

echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs

echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs

echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs

echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs

echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs

echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs

echo ObjOutputFile.Close>>GetPaths.vbs

echo Set objFileSystem = Nothing>>GetPaths.vbs

echo Set Shell = Nothing>>GetPaths.vbs

echo Set ObjRegExp = nothing>>GetPaths.vbs

echo.>>GetPaths.vbs

 

 

cscript //I //nologo GetPaths.vbs

del GetPaths.vbs

Call SetPaths.bat

del SetPaths.bat

 

 

del /y %CommonAppData%\spybot~1\snapshots\*.*

del /y %CommonAppData%\spybot~1\snapshots2\*.*

del %CommonAppData%\spybot~1\excludes\UpdateDL.sbe

del %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe

del %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe

del %CommonAppData%\spybot~1\excludes\ProcWhite.sbe

del %CommonAppData%\spybot~1\excludes\ProcBlack.sbe

del %CommonAppData%\spybot~1\logs\resident.log

cls

Echo.

Echo Finished

exit

 

:last

echo Press any key to exit,..

pause

exit

Open Notepad and paste the content of the QUOTE.

Save it, entering TeaTimer_Reset.bat in "File name:"

In "Save as type:" choose All Files

Save it to your desktop.

It should have an icon like this one -> trala2nt6.jpg

 

 

Save or print these instructions:

1 - Open Spybot. In the top menu, go to Mode and select the Advanced option. Confirm.

Click the Tools button and then Resident

Uncheck the option Activate Resident "TeaTimer" (general protection of system settings).

Exit the program.

Close any SpyBot window and run the TeaTimer_Reset.bat file.

Note: This file was made specifically for your computer and must not be used on any other computer.

***Only re-enable TeaTimer after finishing the procedures***

2 - Open HijackThis and click Do a system scan only. Wait for the scan to finish.

Each entry has a box on its left side. Check only the box of the entry below:

 

O3 - Toolbar: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)

 

A V mark will appear inside the box.

Then click ht-fix.png. Answer OK to the prompt, then generate a new HijackThis log and post it.

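The check behind "TeaTimer brought back one of the entries", written out as an added example that is not part of the original thread: it parses HijackThis entry lines and compares the entries selected for fixing with a follow-up log. The function names are hypothetical, and the sample text is a short excerpt assembled from the logs posted above.

```python
import re

# HijackThis entry lines start with a section code such as R0, O2 or O23,
# followed by " - " and the entry body. Header and process lines do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entries(text):
    """Map a normalized (code, body) key to the original entry line."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())  # strip() also drops non-breaking spaces
        if not m:
            continue
        body = re.sub(r"\s+", " ", m.group(2))
        # CLSIDs and paths appear in mixed case, so compare case-insensitively.
        entries[(m.group(1), body.lower())] = f"{m.group(1)} - {body}"
    return entries


def verify_fix(selected, followup_log):
    """Return (removed, persisted) for the entries that were selected for fixing."""
    want = parse_entries(selected)
    have = parse_entries(followup_log)
    removed = sorted(line for key, line in want.items() if key not in have)
    persisted = sorted(line for key, line in want.items() if key in have)
    return removed, persisted


# Entries the helper asked to check in the first reply (copied from the thread).
FIX_LIST = r"""
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: (no name) - {437E288B-276F-C6CF-5CC3-869CF799CDA2} - (no file)
O3 - Toolbar: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)
"""

# Constructed excerpt: a few lines taken from the 23/4/08 follow-up log.
FOLLOWUP_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:18:19, on 23/4/08
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
"""

if __name__ == "__main__":
    removed, persisted = verify_fix(FIX_LIST, FOLLOWUP_LOG)
    print("Removed:")
    for line in removed:
        print("  " + line)
    print("Still present (fix did not hold):")
    for line in persisted:
        print("  " + line)
```
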

Good morning!!

After configuring Spybot, the new log follows for analysis.

Thank you in advance.

Thank you!!

Rosana.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:58:27, on 24/4/08

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\j\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2364621F-25AD-4502-9A15-5B6BE5486DFF}: NameServer = 200.165.132.148,200.149.55.140

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

--

End of file - 5327 bytes


Sam Spade

Good evening!!

I would like to know whether, after I read these instructions you sent me, I can delete what you asked me to download, such as the TeaTimer that is on the desktop, as well as a backup?

Regards.

Rosana :thumbsup:


PROBLEM SOLVED!

If the author needs the topic reopened, a Private Message must be sent to a Moderator with a link to the topic.
