[Resolvido!] Pc abrindo janelas iexplorer sozinho

[Fábio Luis 0]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:26:06, on 16/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos De Programas\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos De Programas\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Arquivos De Programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos De Programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: qndsfmao - {A8160B32-92A5-48CB-839D-D4C5D05054E4} - C:\WINDOWS\qndsfmao.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: *.bancoreal.com.br

O15 - Trusted Zone: *.banrisul.com.br

O15 - Trusted Zone: *.bb.com.br

O15 - Trusted Zone: *.bradesco.com.br

O15 - Trusted Zone: *.caixa.gov.br

O15 - Trusted Zone: *.hsbc.com.br

O15 - Trusted Zone: *.itau.com.br

O15 - Trusted Zone: *.realsecureweb.com.br

O15 - Trusted Zone: *.santanderbanespa.com.br

O15 - Trusted Zone: *.unibanco.com.br

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C18E4E31-D277-45B4-B890-5D2D453C80EA}: NameServer = 200.204.0.10,200.204.0.138

O21 - SSODL: evgratsm - {D098E48B-DE86-46BA-B7C3-D220DB1BB7B9} - C:\WINDOWS\evgratsm.dll

O21 - SSODL: kvxqmtre - {2E41E416-161E-4FF4-8A7C-181CF6FF7539} - C:\WINDOWS\kvxqmtre.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

--

End of file - 4326 bytes

[DigRam 144]

Bom Dia! Fábio Luis

 

<@> Vá a este Link,e baixe:

 

< Malwarebytes >

 

<@> Escolha o escaneamento Completo! ( Full Scan )

<@> Desabilite programas de proteção,ao executar o malwarebytes.

<@> Para uma ação mais efetiva,execute-o estando em Modo de Segurança. << Importante!

<@> Terminando,reinicie em Modo Normal!

<@> Repita o scan,e escolha o escaneamento rápido!

-----------------------------

<@> Poste,os relatórios:

 

<!> MBAM.txt ( 2 Relatórios ) + HijackThis,atualizado.

 

Abraços!

[Fábio Luis 0]

Seguem os log´s:

 

Modo segurança

 

Malwarebytes' Anti-Malware 1.20

Versão do banco de dados: 960

Windows 5.1.2600 Service Pack 2

 

00:46:23 17/07/2008

mbam-log-7-17-2008 (00-46-13).txt

 

Tipo de Verificação: Completa (C:\|)

Objetos verificados: 72332

Tempo decorrido: 33 minute(s), 42 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 7

Valores do Registro infectados: 3

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 3

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_CLASSES_ROOT\TypeLib\{85648929-03b0-4c51-8a26-37328566258f} (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{a8160b32-92a5-48cb-839d-d4c5d05054e4} (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{509ea051-4754-4202-a62c-6f561fa47a39} (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{d098e48b-de86-46ba-b7c3-d220db1bb7b9} (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\qndsfmao.bwob (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\qndsfmao.toolbar.1 (Trojan.FakeAlert) -> No action taken.

 

Valores do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a8160b32-92a5-48cb-839d-d4c5d05054e4} (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\evgratsm (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kvxqmtre (Trojan.FakeAlert) -> No action taken.

 

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

C:\System Volume Information\_restore{25DDC4CA-92A6-4C16-95D8-E0C6DF8B0121}\RP86\A0024638.exe (Trojan.FakeAlert) -> No action taken.

C:\System Volume Information\_restore{25DDC4CA-92A6-4C16-95D8-E0C6DF8B0121}\RP86\A0024790.exe (Rogue.Installer) -> No action taken.

C:\WINDOWS\evgratsm.dll (Trojan.FakeAlert) -> No action taken.

________________________________________________________________________________

_________________

Modo normal:

 

Malwarebytes' Anti-Malware 1.20

Versão do banco de dados: 960

Windows 5.1.2600 Service Pack 2

 

00:52:20 17/07/2008

mbam-log-7-17-2008 (00-52-09).txt

 

Tipo de Verificação: Rápida

Objetos verificados: 43492

Tempo decorrido: 3 minute(s), 30 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 1

Chaves do Registro infectadas: 7

Valores do Registro infectados: 3

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 1

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

C:\WINDOWS\evgratsm.dll (Trojan.FakeAlert) -> No action taken.

 

Chaves do Registro infectadas:

HKEY_CLASSES_ROOT\TypeLib\{85648929-03b0-4c51-8a26-37328566258f} (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{a8160b32-92a5-48cb-839d-d4c5d05054e4} (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{509ea051-4754-4202-a62c-6f561fa47a39} (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{d098e48b-de86-46ba-b7c3-d220db1bb7b9} (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\qndsfmao.bwob (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\qndsfmao.toolbar.1 (Trojan.FakeAlert) -> No action taken.

 

Valores do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a8160b32-92a5-48cb-839d-d4c5d05054e4} (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\evgratsm (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kvxqmtre (Trojan.FakeAlert) -> No action taken.

 

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

C:\WINDOWS\evgratsm.dll (Trojan.FakeAlert) -> No action taken.

[Fábio Luis 0]

Me desculpe esqueci o log do hijack:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:52:40, on 17/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos De Programas\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos De Programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: qndsfmao - {A8160B32-92A5-48CB-839D-D4C5D05054E4} - C:\WINDOWS\qndsfmao.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: *.bancoreal.com.br

O15 - Trusted Zone: *.banrisul.com.br

O15 - Trusted Zone: *.bb.com.br

O15 - Trusted Zone: *.bradesco.com.br

O15 - Trusted Zone: *.caixa.gov.br

O15 - Trusted Zone: *.hsbc.com.br

O15 - Trusted Zone: *.itau.com.br

O15 - Trusted Zone: *.realsecureweb.com.br

O15 - Trusted Zone: *.santanderbanespa.com.br

O15 - Trusted Zone: *.unibanco.com.br

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C18E4E31-D277-45B4-B890-5D2D453C80EA}: NameServer = 200.204.0.10,200.204.0.138

O21 - SSODL: evgratsm - {D098E48B-DE86-46BA-B7C3-D220DB1BB7B9} - C:\WINDOWS\evgratsm.dll

O21 - SSODL: kvxqmtre - {2E41E416-161E-4FF4-8A7C-181CF6FF7539} - C:\WINDOWS\kvxqmtre.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

--

End of file - 4236 bytes

[DigRam 144]

Bom Dia! Fábio Luis

 

>@< Faça o download do SmitfraudFix.

>@< Salve-o no Disco Local-C e descompacte-o aí mesmo,enviando o executável ( SmitfraudFix.cmd ),para o Desktop.

>@< Reinicie o computador em Modo de Segurança!

>@< Execute o SmitfraudFix.cmd <!>

>@< Aperte a opção 2 >> Enter.

>@< Quando aparecer a mensagem: Do you want to clean the registry,aperte a opção Y >> Enter.

>@< Reinicie,normalmente,o computador!

>@< Caso tenha ocorrido mudanças,no desktop,corrija nas propriedades de vídeo.( Tema )

>@< Copie o Log: ( rapport.txt ) e poste,na sua resposta + HijackThis,atualizado.

-------------------------------------

>@< Faça outro scan,com o Malwarebytes,e poste o relatório.

>@< Desta vez,procure enviar os objetos detectados para a quarentena. <-- Importante!

 

Abraços!

[Fábio Luis 0]

Segue os logs

 

SmitFraudFix v2.329

 

Scan done at 11:54:10,43, 17/07/2008

Run from C:\SmitfraudFix

OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

 

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

C:\WINDOWS\qndsfmao.dll deleted.

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

 

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

 

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

 

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C18E4E31-D277-45B4-B890-5D2D453C80EA}: NameServer=200.204.0.10,200.204.0.138

HKLM\SYSTEM\CS1\Services\Tcpip\..\{C18E4E31-D277-45B4-B890-5D2D453C80EA}: NameServer=200.204.0.10,200.204.0.138

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:04:39, on 17/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos De Programas\Trend Micro\HijackThis\HijackThis.exe

 

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos De Programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iSUSPM Startup] C:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: *.bancoreal.com.br

O15 - Trusted Zone: *.banrisul.com.br

O15 - Trusted Zone: *.bb.com.br

O15 - Trusted Zone: *.bradesco.com.br

O15 - Trusted Zone: *.caixa.gov.br

O15 - Trusted Zone: *.hsbc.com.br

O15 - Trusted Zone: *.itau.com.br

O15 - Trusted Zone: *.realsecureweb.com.br

O15 - Trusted Zone: *.santanderbanespa.com.br

O15 - Trusted Zone: *.unibanco.com.br

O17 - HKLM\System\CCS\Services\Tcpip\..\{C18E4E31-D277-45B4-B890-5D2D453C80EA}: NameServer = 200.204.0.10,200.204.0.138

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

--

End of file - 3267 bytes

[Fábio Luis 0]

Malwarebytes' Anti-Malware 1.20

Versão do banco de dados: 960

Windows 5.1.2600 Service Pack 2

 

12:04:36 17/07/2008

mbam-log-7-17-2008 (12-04-36).txt

 

Tipo de Verificação: Rápida

Objetos verificados: 43436

Tempo decorrido: 3 minute(s), 30 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 1

Chaves do Registro infectadas: 3

Valores do Registro infectados: 2

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 1

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

C:\WINDOWS\evgratsm.dll (Trojan.FakeAlert) -> Unloaded module successfully.

 

Chaves do Registro infectadas:

HKEY_CLASSES_ROOT\CLSID\{509ea051-4754-4202-a62c-6f561fa47a39} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d098e48b-de86-46ba-b7c3-d220db1bb7b9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\evgratsm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kvxqmtre (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

C:\WINDOWS\evgratsm.dll (Trojan.FakeAlert) -> Delete on reboot.

[DigRam 144]

<!> Boa Noite! Fábio Luis

 

>@< Baixe: < CCleaner >

>@< Salve-o no Desktop!

>@< Com a opção < Limpador >,já selecionada,clique em Analisar.

>@< Aguarde o progresso!

>@< Terminando,clique em Executar Cleaner.

>@< Na janela que surgir,dê o Ok.

>@< Aguarde o progresso!

-------------------------------

>@< Selecionando a opção Registro,clique em Procurar erros.

>@< Terminando,clique em Corrigir erros selecionados...

>@< Na pergunta,clique em Sim!

>@< Nomeie os backups e clique em Salvar.

>@< Na janela que aparecer,clique em: Corrigir todos os erros selecionados

>@< Clique em Ok >> Fechar.

--------------------------------

Estando tudo Ok com o PC,crie um Ponto de Restauração do Sistema,completamente Limpo!

Clique com o botão direito do mouse em cima de Meu Computador >> Propriedades >> Restauração do Sistema >> Marque: Desativar Restauração do Sistema >> Aplicar >> Ok.

Depois,desmarque novamente! >> Aplicar >> Ok.

Para maiores detalhes,vá em:< Docs >

--------------------------------

>@< O log está limpo! :thumbsup:

>@< Tudo Ok?

 

Abraços!

[Fábio Luis 0]

Opa, agora está tudo bem! Muito obrigado mesmo.

[DigRam 144]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o Tópico seja reaberto é preciso enviar uma Mensagem Privada,para um Moderador,com um Link para o Tópico.