[Resolvido!]Meu pc não acessa determinado servidor, ..

DigRam · Julho 26, 2008

Diz aê Dig ..

Velho fiz aqui mais ainda continua na mesma ... ta rolando o seguinte eu passo o spybot ele detecta essa mudança de DNS pelo trojan ... eu deleto ai eu acesso o tranquilo ...mais toda vez que eu ligo o pc tenho que fazer o mesmo processo ... a ideia de formartação ou de reinstalar o sistema ja quase me convencendo ... ou você acha que ainda pode ter algum software que tire isso ...

Obrigado!!

---------------------

Opa! RomanMG

Boa Tarde!

<!> Ainda não queimamos todos os cartuchos,e a formatação é o último recurso.

---------------------

<@> Faça uma verificação,ao arquivo Hosts,e veja se está no padrão.

<@> No Windows XP,verifique: => C:\WINDOWS\SYSTEM32\DRIVERS\ETC<--

<@> Abra esta pasta,e localize o arquivo Hosts,que abre somente com o Bloco de Notas.

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

<!> No Hosts padronizado,não poderemos ter informações abaixo de: 127.0.0.1 localhost

<!> Tendo dúvidas,execute esta ferramenta: HostsXpert <-- Ela colocará o Hosts,no padrão!

---------------------

>@< Faça o download do HostsXpert.

>@< Salve-o no Desktop!

>@< Descompacte-o e execute: HostsXpert.exe

>@< Feche todas as janelas e o navegador!

>@< Clique em Restore Microsoft's Hosts file >> Ok.

>@< Finalize o programa!

>@< Reinicie o computador!

>@< Verifique se o problema permanece!

>@< Ps: Antes de rodar a ferramenta,não esqueça de desabilitar o Spybot. ( TeaTimer )

Abraços!

JackDenio · Julho 28, 2008

<@> Faça uma verificação,ao arquivo Hosts,e veja se está no padrão.
<@> No Windows XP,verifique: => C:\WINDOWS\SYSTEM32\DRIVERS\ETC<--

<@> Abra esta pasta,e localize o arquivo Hosts,que abre somente com o Bloco de Notas.

E aê ... velho essa pasta não existe no meu sistema, e ao tentar executar o HostsXpert me aparece

Cannot create file: C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

DigRam · Julho 28, 2008

<@> Faça uma verificação,ao arquivo Hosts,e veja se está no padrão.
<@> No Windows XP,verifique: => C:\WINDOWS\SYSTEM32\DRIVERS\ETC<--

<@> Abra esta pasta,e localize o arquivo Hosts,que abre somente com o Bloco de Notas.

E aê ... velho essa pasta não existe no meu sistema, e ao tentar executar o HostsXpert me aparece
Cannot create file: C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

----------------------

Opa! RomanMG

Boa Tarde!

<!> Se não existe a pasta ETC,busque copiá-la de outro computador ( Windows XP ) para o diretório Drivers.

<!> Desabilite o Spybot,pois o mesmo impede modificações no Hosts.

-----------------------

<@> Vá a esta página,e baixe: < >

<@> Clique em Download: hosts.zip <-- ,para baixar o arquivo. ( .bat )

<@> Salve-o no Disco Local-C e descompácte-o aí mesmo!

<@> Dê um duplo-clique,em: mvps.bat

<@> Ps: Execute-o apenas uma vez!

<@> Reinicie o computador!

<@> Posteriormente,pare o serviço: "Cliente DNS"

<@> Vá em Iniciar --> Executar --> Digite: services.msc --> Clique: OK.

<@> Busque por: Cliente DNS

<!> Cliente DNS desabilitado: < >

<@> Reinicie o computador!

Ps: Com esta proteção adicional,ao Hosts,poderá ocorrer bloqueios à tentativas de invazão.Negue sempre,a permissão!

<!> Veja este exemplo: < >

<!> Execute,novamente,o Fixwareout e poste o relatório + HJT,atualizado.

Abraços!

JackDenio · Julho 28, 2008

E aê ... velho emm relação a :

<@> Faça uma verificação,ao arquivo Hosts,e veja se está no padrão.<@> No Windows XP,verifique: => C:\WINDOWS\SYSTEM32\DRIVERS\ETC<-- <@> Abra esta pasta,e localize o arquivo Hosts,que abre somente com o Bloco de Notas.

continua com o mesmo erro ...agora quanto a última dica a vai:

Fixwareout:

Username "Dˆnio" - 28/07/2008 19:43:31 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AFA72D52-9DB8-41E5-A40E-077CA7F760CD}

"nameserver"="85.255.116.68" <Value cleared.

Não foi possível liberar o cache do DNS Resolver:A função falhou durante a execução.

System was rebooted successfully.

~~~~~ Postrun check

HKLM\SOFTWARE\~\Winlogon\ "System"=""

....

~~~~~ Misc files.

....

~~~~~ Checking for older varients.

....

~~~~~ Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

"SynTPEnh"="C:\\Arquivos de programas\\Synaptics\\SynTP\\SynTPEnh.exe"

"SunJavaUpdateSched"="\"C:\\Arquivos de programas\\Java\\jre1.6.0_07\\bin\\jusched.exe\""

"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"

"Dell QuickSet"="C:\\Arquivos de programas\\Dell\\QuickSet\\quickset.exe"

"SigmatelSysTrayApp"="stsystra.exe"

"PDVDDXSrv"="\"C:\\Arquivos de programas\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe\""

"ECenter"="C:\\Dell\\E-Center\\EULALauncher.exe"

"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE Vimicro USB PC Camera (VC0305)"

"NeroFilterCheck"="C:\\Arquivos de programas\\Arquivos comuns\\Nero\\Lib\\NeroCheck.exe"

"SecurDisc"="C:\\Arquivos de programas\\Nero\\Nero8\\InCD\\NBHGui.exe"

"InCD"="C:\\Arquivos de programas\\Nero\\Nero8\\InCD\\InCD.exe"

"Adobe Reader Speed Launcher"="\"C:\\Arquivos de programas\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

"avgnt"="\"C:\\Arquivos de programas\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

"is-UVJKN"="\"C:\\Documents and Settings\\All Users\\Desktop\\Kaspersky Lab Tool\\is-UVJKN\\is-UVJKN.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"StartCCC"="C:\\Arquivos de programas\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"

"MessengerPlus3"="\"C:\\Arquivos de programas\\MessengerPlus! 3\\MsgPlus.exe\" /WinStart"

"MSMSGS"="\"C:\\Arquivos de programas\\Messenger\\msmsgs.exe\" /background"

"msnmsgr"="\"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe\" /background"

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Arquivos de programas\\Arquivos comuns\\Nero\\Lib\\NMBgMonitor.exe\""

"WMPNSCFG"="C:\\Arquivos de programas\\Windows Media Player\\WMPNSCFG.exe"

....

Hosts file was reset, If you use a custom hosts file please replace it...

~~~~~ End report ~~~~~

JackDenio · Julho 28, 2008

HJT:

Logfile of HijackThis v1.99.1

Scan saved at 19:48:55, on 28/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Nero\Nero8\InCD\InCDsrv.exe

C:\WINDOWS\system32\svchost.exe

c:\wamp\apache2\bin\httpd.exe

c:\wamp\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\svchost.exe

C:\wamp\apache2\bin\httpd.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Arquivos de programas\Dell\QuickSet\quickset.exe

C:\WINDOWS\stsystra.exe

C:\Arquivos de programas\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\VM_STI.EXE

C:\Arquivos de programas\Nero\Nero8\InCD\NBHGui.exe

C:\Arquivos de programas\Nero\Nero8\InCD\InCD.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Arquivos de programas\Dell\BAE\BAE.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [synTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Arquivos de programas\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Arquivos de programas\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera (VC0305)

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [securDisc] C:\Arquivos de programas\Nero\Nero8\InCD\NBHGui.exe

O4 - HKLM\..\Run: [inCD] C:\Arquivos de programas\Nero\Nero8\InCD\InCD.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [is-UVJKN] "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-UVJKN\is-UVJKN.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [startCCC] C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://www.hostrevenda.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5FC1E714-875E-43A5-B0F4-6D3495AFAE44}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{AFA72D52-9DB8-41E5-A40E-077CA7F760CD}: NameServer = 85.255.116.68 85.255.112.141

O17 - HKLM\System\CCS\Services\Tcpip\..\{E50DF39F-0628-481E-A2F6-A43E330BF1A1}: NameServer = 208.67.220.220,208.67.222.222

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apache2 - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero8\InCD\InCDsrv.exe

O23 - Service: is-UVJKN - Unknown owner - C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-UVJKN\is-UVJKN.exe" -r (file missing)

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

DigRam · Julho 29, 2008

Boa Noite! RomanMG

>@< Faça o download do SmitfraudFix.

>@< Salve-o no Disco Local-C e descompacte-o aí mesmo,enviando o executável ( SmitfraudFix.cmd ),para o Desktop.

>@< Reinicie o computador em Modo de Segurança!

>@< Execute o SmitfraudFix.cmd <!>

>@< Aperte a opção 2 >> Enter.

>@< Quando aparecer a mensagem: Do you want to clean the registry,aperte a opção Y >> Enter.

>@< Reinicie,normalmente,o computador!

>@< Caso tenha ocorrido mudanças,no desktop,corrija nas propriedades de vídeo.( Tema )

>@< Copie o Log ( rapport.txt ) e poste,na sua resposta + HijackThis,atualizado.

Abraços!

JackDenio · Julho 29, 2008

E aê Dig, fiz o que você disse so que o programa nunca executou, quando cliquei me pediu pra apertar qualquer tecla pra continuar mas nunca continuou ..

DigRam · Julho 29, 2008

E aê Dig, fiz o que você disse so que o programa nunca executou, quando cliquei me pediu pra apertar qualquer tecla pra continuar mas nunca continuou ..

-----------------------

Opa! RomanMG

Boa Noite!

<@> Delete a ferramenta,e baixe outra,para o Desktop!

<@> Descompacte-a aí mesmo!

<@> Execute-a em Modo de Segurança!

------------------------

<@> Poste: rapport.txt + HJT,atualizado.

Abraços!

JackDenio · Julho 31, 2008

Ta ai o rapport:

SmitFraudFix v2.332

Scan done at 12:31:35,68, qui 31/07/2008

Run from C:\Documents and Settings\Dˆnio\Desktop\SmitfraudFix

OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5A2B4C41-432B-41F2-9FB9-7C7431E879EC}: DhcpNameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5FC1E714-875E-43A5-B0F4-6D3495AFAE44}: NameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E50DF39F-0628-481E-A2F6-A43E330BF1A1}: NameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\..\{5A2B4C41-432B-41F2-9FB9-7C7431E879EC}: DhcpNameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\..\{5FC1E714-875E-43A5-B0F4-6D3495AFAE44}: NameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CS1\Services\Tcpip\..\{E50DF39F-0628-481E-A2F6-A43E330BF1A1}: NameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\..\{5A2B4C41-432B-41F2-9FB9-7C7431E879EC}: DhcpNameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\..\{5FC1E714-875E-43A5-B0F4-6D3495AFAE44}: NameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\..\{E50DF39F-0628-481E-A2F6-A43E330BF1A1}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{E50DF39F-0628-481E-A2F6-A43E330BF1A1}: NameServer=208.67.220.220,208.67.222.222

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

HJT:

Logfile of HijackThis v1.99.1

Scan saved at 18:04:05, on 31/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Arquivos de programas\Dell\QuickSet\quickset.exe

C:\WINDOWS\stsystra.exe

C:\Arquivos de programas\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\VM_STI.EXE

C:\Arquivos de programas\Nero\Nero8\InCD\NBHGui.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Nero\Nero8\InCD\InCD.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Arquivos de programas\Nero\Nero8\InCD\InCDsrv.exe

C:\WINDOWS\system32\svchost.exe

c:\wamp\apache2\bin\httpd.exe

c:\wamp\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\wamp\apache2\bin\httpd.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Outlook Express\msimn.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\Notepad.exe