
Archived

This topic has been archived and is closed to new replies.

fc_consoni

[Solved!] PrdMgr.exe disappeared

Good afternoon!

 

It's probably some kind of virus. Besides not joining the network, it also doesn't access the internet. Following a tip here on the forum that when you don't really know what each thing does it's better to post it for someone who knows how to diagnose, the HijackThis log follows below:

 

________________________

Logfile of HijackThis v1.99.1

Scan saved at 08:42:30, on 6/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\Winamp\winampa.exe

C:\WINDOWS\SOUNDMAN.EXE

 

C:\WINDOWS\system32\drivers\FmMgr.exe

 

 

C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe

C:\Arquivos de programas\OpenOffice.org 2.0\program\soffice.exe

C:\Arquivos de programas\OpenOffice.org 2.0\program\soffice.BIN

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashSimpl.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\Documents and Settings\Cliente\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\PrdMgr.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"

O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe

O4 - HKLM\..\Run: [FmMgr.exe] C:\WINDOWS\system32\drivers\FmMgr.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Arquivos de programas\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dados de aplicativos\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?03b447226ba547fb9430535b3189e8f2

O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?03b447226ba547fb9430535b3189e8f2

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{E270385E-CBC0-44F5-85B4-50823CFE41AA}: NameServer = 201.10.120.2,201.10.128.3

O17 - HKLM\System\CCS\Services\Tcpip\..\{FDF2F365-C19E-4632-A382-88115FBC5F66}: NameServer = 201.10.120.2,201.10.128.3

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

_________________________________________________________

 

Thanks in advance to everyone!

Download SDFix

 

Restart your computer and press the F8 key (F5 in some cases) repeatedly during startup until a menu appears where you should choose the Safe Mode option.

 

1. Go into the SDFix folder that was installed on your computer and double-click the RunThis.bat file

2. Press Y so the tool starts the removal process

3. When everything is done, you will see a message telling you to press any key to continue. When you press any key, the computer will restart automatically

4. After restarting, the tool will run once more to finish its work, and the word Finished will appear. Press any key.

5. A window with the SDFix report will appear.

6. Copy and paste this report into your reply (if you are posting in the malware removal area). If you closed the window, a copy of the report is in the SDFix folder under the name Report.txt

SDFix report

 

SDFix: Version 1.232

Run by Administrador on ter 07/10/2008 at 09:13

 

Microsoft Windows XP [versão 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

C:\WINDOWS\system32\Microsoft\backup.ftp Found

C:\WINDOWS\system32\Microsoft\backup.tftp Found

 

Checking files:

 

Genuine:

C:\WINDOWS\system32\Microsoft\backup.ftp

C:\WINDOWS\system32\Microsoft\backup.tftp

 

Dummy:

C:\WINDOWS\system32\ftp.exe

C:\WINDOWS\system32\tftp.exe

C:\WINDOWS\system32\dllcache\ftp.exe

C:\WINDOWS\system32\dllcache\tftp.exe

 

Files copied to SDFix\Backups

 

Restoring files if backups are found

 

Final Check:

 

Genuine:

C:\WINDOWS\system32\Microsoft\backup.ftp

C:\WINDOWS\system32\Microsoft\backup.tftp

C:\WINDOWS\system32\ftp.exe

C:\WINDOWS\system32\tftp.exe

C:\WINDOWS\system32\dllcache\ftp.exe

C:\WINDOWS\system32\dllcache\tftp.exe

 

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\Photo_13301.zip - Deleted

C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe - Deleted

C:\WINDOWS\system32\Microsoft\backup.ftp - Deleted

C:\WINDOWS\system32\Microsoft\backup.tftp - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-07 09:26:57

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\PAC_MEC\\pac_main.exe"="C:\\Arquivos de programas\\PAC_MEC\\pac_main.exe:*:Disabled:pac_main"

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Wed 1 Oct 2008 76,288 ..SHR --- "C:\WINDOWS\system32\drivers\FmMgr.exe"

Wed 3 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2ea39eb67545fd2ec9095bec39ab77c7\BITF.tmp"

Mon 17 Dec 2007 23,552 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\~WRL0003.tmp"

Mon 17 Dec 2007 23,552 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\~WRL0003.tmp"

Wed 15 Mar 2006 95,232 A..H. --- "C:\Documents and Settings\Cliente\Meus documentos\Secretaria\micro_01\Mapas das salas\~WRL1239.tmp"

Fri 19 Oct 2007 122,368 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\elias biz\pre vespertino\~WRL1699.tmp"

Fri 31 Aug 2007 32,768 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\elias biz\pre vespertino\~WRL2165.tmp"

Fri 31 Aug 2007 76,288 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\elias biz\pre vespertino\~WRL3338.tmp"

Thu 20 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Escola Rio Caeté\2ª serie\~WRL2457.tmp"

Thu 19 Apr 2007 25,600 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Escola - Palmeira\4ª serie\~WRL1321.tmp"

Wed 22 Aug 2007 33,280 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Fábio\ED_FISICA\~WRL0003.tmp"

Wed 22 Aug 2007 89,088 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Fábio\ED_FISICA\~WRL0208.tmp"

Wed 22 Aug 2007 34,304 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Fábio\ED_FISICA\~WRL0280.tmp"

Wed 22 Aug 2007 89,088 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Fábio\ED_FISICA\~WRL1490.tmp"

Wed 22 Aug 2007 53,248 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Fábio\ED_FISICA\~WRL1501.tmp"

Wed 22 Aug 2007 89,088 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Fábio\ED_FISICA\~WRL3695.tmp"

Thu 9 Mar 2006 139,776 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Neglie\5_serie\~WRL0669.tmp"

Thu 17 Aug 2006 588,800 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Neglie\present_continuous\~WRL2051.tmp"

Mon 7 May 2007 40,448 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\temporaria\Patrícia\~WRL2025.tmp"

Tue 9 Sep 2008 118,272 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\NÃO DELETAR\mapa de notas 1 a 4 série\ARTES, ED_FISICA, ITALIANO\~WRL0738.tmp"

Tue 8 Apr 2008 114,688 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\MAPA_GN_2008\~WRL3300.tmp"

Thu 31 Mar 2005 57,344 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\micro_01\~WRL0001.tmp"

Thu 31 Mar 2005 56,832 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\micro_01\~WRL0991.tmp"

Wed 5 Oct 2005 22,016 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\micro_01\~WRL1548.tmp"

Thu 31 Mar 2005 57,344 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\Liz\Liz\~WRL0001.tmp"

Thu 31 Mar 2005 56,832 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\Liz\Liz\~WRL0991.tmp"

Wed 5 Oct 2005 22,016 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\Liz\Liz\~WRL1548.tmp"

Wed 9 May 2007 271,360 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Escola Rio Caeté\1ª serie\2007\~WRL2312.tmp"

Thu 20 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Escola - Palmeira\2ª serie\2007\~WRL2661.tmp"

Tue 8 Apr 2008 114,688 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\MAPA_GN_2008\~WRL3300.tmp"

Thu 31 Mar 2005 57,344 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\micro_01\~WRL0001.tmp"

Thu 31 Mar 2005 56,832 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\micro_01\~WRL0991.tmp"

Wed 5 Oct 2005 22,016 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\micro_01\~WRL1548.tmp"

Fri 1 Sep 2006 19,456 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\temporaria\Lydio\601\~WRL3100.tmp"

Thu 20 Sep 2007 28,672 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\2007\mapa_geral_notas\~WRL0714.tmp"

Thu 20 Sep 2007 24,576 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\2007\mapa_geral_notas\~WRL1010.tmp"

Thu 20 Sep 2007 29,696 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\2007\mapa_geral_notas\~WRL1537.tmp"

Thu 20 Sep 2007 25,088 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\2007\mapa_geral_notas\~WRL2622.tmp"

Thu 20 Sep 2007 28,672 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\2007\mapa_geral_notas\~WRL2956.tmp"

Thu 20 Sep 2007 28,672 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\2007\mapa_geral_notas\~WRL0714.tmp"

Thu 20 Sep 2007 24,576 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\2007\mapa_geral_notas\~WRL1010.tmp"

Thu 20 Sep 2007 29,696 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\2007\mapa_geral_notas\~WRL1537.tmp"

Thu 20 Sep 2007 25,088 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\2007\mapa_geral_notas\~WRL2622.tmp"

Thu 20 Sep 2007 28,672 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\2007\mapa_geral_notas\~WRL2956.tmp"

Tue 9 Sep 2008 118,272 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\MAPA_GN_2008\ARTES, ED_FISICA, ITALIANO\~WRL0738.tmp"

Thu 30 Aug 2007 154,624 ...H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\lydio\Inglês\6ª serie\601\~WRL0556.tmp"

Thu 17 Aug 2006 588,800 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\temporaria\Lydio\601\present_continuous\~WRL2051.tmp"

Tue 2 May 2006 51,200 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\liz\Liz\Liz\micro_01\2006\mapas_ed_fis_arte\~WRL1363.tmp"

Mon 1 Aug 2005 108,544 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\2005\ativ_escolas_int\Rosalino\cruzadinha_do_h_separar_silabas\~WRL0053.tmp"

Mon 1 Aug 2005 79,872 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\2005\ativ_escolas_int\Rosalino\cruzadinha_do_h_separar_silabas\~WRL1316.tmp"

Mon 1 Aug 2005 89,088 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\2005\ativ_escolas_int\Rosalino\cruzadinha_do_h_separar_silabas\~WRL3788.tmp"

Mon 1 Aug 2005 207,360 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\2005\ativ_escolas_int\Rosalino\cruzadinha_do_h_separar_silabas\~WRL3926.tmp"

Thu 9 Mar 2006 139,776 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\2006\2006\Neglie\5_serie\~WRL0669.tmp"

Thu 17 Aug 2006 588,800 ...HR --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\2006\2006\Neglie\present_continuous\~WRL2051.tmp"

Tue 2 May 2006 51,200 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Alex\Liz\Liz\2006\mapas_ed_fis_arte\~WRL1363.tmp"

Tue 2 May 2006 51,200 A..H. --- "C:\Documents and Settings\Cliente\Desktop\fabio\Meus documentos\Liz\Liz\micro_01\2006\mapas_ed_fis_arte\~WRL1363.tmp"

 

Finished!

- Post a new HijackThis log


^^ I've got the same problem, man... lots of machines are coming in here with this problem, man...

Some I fixed by reinstalling Windows and running SmitfraudFix... but this one now didn't fix it.. the error continues

 

whoever finds a solution please let me know

 

 

cheers

- Post a new HijackThis log

 

Good morning Mr. Perfect

Here is the new log

 

_____

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:12:36, on 9/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\Hijack\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\PrdMgr.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"

O4 - HKLM\..\Run: [FmMgr.exe] C:\WINDOWS\system32\drivers\FmMgr.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{E270385E-CBC0-44F5-85B4-50823CFE41AA}: NameServer = 201.10.120.2,201.10.128.3

O17 - HKLM\System\CCS\Services\Tcpip\..\{FDF2F365-C19E-4632-A382-88115FBC5F66}: NameServer = 201.10.120.2,201.10.128.3

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

 

--

End of file - 4066 bytes


- Download: < ComboFix.exe >

- Save it to the Desktop!

- Disable the resident protection of your antivirus, antispyware and firewall. (Except the Windows one!)

- Close all windows and run the tool!

 

If you get the notification "Invalid Win32 application", delete the tool and download it again.

Save it to the desktop, renamed as: Kombo.exe

PS: Rename it while saving, not after saving it!

PS: If any error message appears, run ComboFix.exe in Safe Mode.

PS: Avoid running this tool on your own initiative! Follow all the recommendations given above.

- The Auto Scan window will open. Wait!

- Type the option to continue! >> Enter

- Wait for it to finish!

- During the scan, avoid touching the mouse or keyboard! <-- Important!

- To stop or exit ComboFix, press "N".

----------------------

- When it finishes, post the report: C:\ComboFix.txt

Good afternoon Mr. Perfect, below are the ComboFix log and a new HijackThis log

 

ComboFix

ComboFix 08-10-08.05 - Cliente 2008-10-09 13:45:12.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.243 [GMT -3:00]

Executando de: C:\Documents and Settings\Cliente\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\Microsoft\backup.ftp

C:\WINDOWS\system32\Microsoft\backup.tftp

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-09-09 to 2008-10-09 ))))))))))))))))))))))))))))))))

.

 

2008-10-08 16:15 . 2008-10-08 16:15 8,932,144 --a------ C:\ADM01_Temp.zip

2008-10-07 14:01 . 2008-10-07 14:01 <DIR> d-------- C:\Arquivos de programas\AxBx

2008-10-07 13:58 . 2008-10-09 13:41 60,064 --a------ C:\WINDOWS\Photo_13301.zip

2008-10-07 13:20 . 2008-10-07 13:20 <DIR> d-------- C:\Arquivos de programas\CCleaner

2008-10-07 09:11 . 2008-10-07 09:11 <DIR> d-------- C:\WINDOWS\ERUNT

2008-10-07 09:03 . 2008-10-07 09:30 <DIR> d-------- C:\SDFix

2008-10-06 16:26 . 2008-10-09 08:12 <DIR> d-------- C:\Hijack

2008-10-06 15:57 . 2006-05-15 15:48 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01.000\Modelos

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01.000\Meus documentos

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> dr------- C:\Documents and Settings\Administrador.ADM01.000\Menu Iniciar

2008-10-06 15:57 . 2008-10-06 16:01 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01.000\Favoritos

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> dr-h----- C:\Documents and Settings\Administrador.ADM01.000\Dados de aplicativos

2008-10-06 15:57 . 2008-10-09 13:46 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01.000\Configurações locais

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01.000\Ambiente de rede

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01.000\Ambiente de impressão

2008-10-06 15:57 . 2008-10-06 15:57 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01.000

2008-10-06 15:55 . 2006-05-15 15:48 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01\Modelos

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01\Meus documentos

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> dr------- C:\Documents and Settings\Administrador.ADM01\Menu Iniciar

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01\Favoritos

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> dr-h----- C:\Documents and Settings\Administrador.ADM01\Dados de aplicativos

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01\Configurações locais

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01\Ambiente de rede

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01\Ambiente de impressão

2008-10-06 15:55 . 2008-10-06 15:55 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01

2008-10-06 15:52 . 2006-05-15 15:48 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão

2008-10-06 15:52 . 2008-10-06 15:52 <DIR> d-------- C:\Documents and Settings\Administrador

2008-10-06 15:38 . 2008-10-06 15:38 <DIR> d-------- C:\Arquivos de programas\Security Process Explorer

2008-10-02 08:37 . 2008-10-02 08:37 <DIR> d-------- C:\Arquivos de programas\Realtek AC97

2008-10-02 08:37 . 2001-07-06 00:19 164 --a------ C:\WINDOWS\avrack.ini

2008-10-01 09:46 . 2008-10-01 09:46 76,288 -r-hs---- C:\WINDOWS\system32\drivers\FmMgr.exe

2008-09-30 13:12 . 2008-10-01 10:33 89,600 --a------ C:\8b4l8r9h1v9.exe

2008-09-26 16:28 . 2008-10-09 08:15 <DIR> d-------- C:\Documents and Settings\Cliente\Dados de aplicativos\OpenOffice.org2

2008-09-26 16:26 . 2008-09-26 16:26 <DIR> d-------- C:\Arquivos de programas\OpenOffice.org 2.0

2008-09-16 10:54 . 2008-09-16 12:43 4,681,472,000 --a------ C:\oleo.ISO

2008-09-16 10:46 . 2008-09-16 13:11 4,681,472,000 --a------ C:\UNDEFINED.ISO

2008-09-16 09:49 . 2008-09-16 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink

2008-09-16 09:49 . 2008-09-16 09:49 <DIR> d-------- C:\Arquivos de programas\DVD Shrink

2008-09-16 09:16 . 2008-09-16 13:32 <DIR> d-------- C:\UNDEFINED

2008-09-16 09:11 . 2008-09-16 09:11 <DIR> d-------- C:\Arquivos de programas\DVD Decrypter

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-09 16:41 45,056 ----a-w C:\WINDOWS\system32\ftp.exe

2008-10-09 16:41 359,808 ------w C:\WINDOWS\system32\drivers\tcpip.sys

2008-10-09 16:41 17,408 ----a-w C:\WINDOWS\system32\tftp.exe

2008-10-09 16:38 --------- d-----w C:\Arquivos de programas\Winamp

2008-10-07 18:37 --------- d-----w C:\Arquivos de programas\Windows Live Toolbar

2008-10-02 11:37 --------- d-----w C:\Arquivos de programas\AvRack

2008-09-30 19:07 59,904 --sh--r C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe

2008-09-08 13:28 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-09-08 13:26 --------- d-----w C:\Documents and Settings\Cliente\Dados de aplicativos\AdobeUM

.

 

------- Sigcheck -------

 

2006-04-20 09:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys

2008-10-09 13:41 359808 b25643c4b9a4323d774ef12797ba600f C:\WINDOWS\system32\dllcache\tcpip.sys

2008-10-09 13:41 359808 b25643c4b9a4323d774ef12797ba600f C:\WINDOWS\system32\drivers\tcpip.sys

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "C:\Arquivos de programas\Winamp Toolbar\winamptb.dll" [2008-07-02 1267040]

 

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"FmMgr.exe"="C:\WINDOWS\system32\drivers\FmMgr.exe" [2008-10-01 76288]

"SoundMan"="SOUNDMAN.EXE" [2005-10-04 C:\WINDOWS\soundman.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Cliente^Menu Iniciar^Programas^Inicializar^OpenOffice.org 2.0.lnk]

path=C:\Documents and Settings\Cliente\Menu Iniciar\Programas\Inicializar\OpenOffice.org 2.0.lnk

backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

C:\Arquivos de programas\VIA\RAID\raid_t [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2008-07-09 18:33 36352 C:\Arquivos de programas\Winamp\winampa.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2005-10-04 14:12 90112 C:\WINDOWS\soundman.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

--a------ 2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

--a------ 2005-03-11 17:33 147456 C:\WINDOWS\system32\VTTrayp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avast! Antivirus"=2 (0x2)

"aswUpdSv"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\PAC_MEC\\pac_main.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{283c67e0-f421-11dc-8d1f-000fea21704e}]

\Shell\AutoRun\command - E:\2.cmd

\Shell\explore\Command - E:\2.cmd

\Shell\open\Command - E:\2.cmd

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bdf05e3-83e8-11dd-8db5-000fea21704e}]

\Shell\AutoRun\command - E:\jfvkcsy.bat

\Shell\explore\Command - E:\jfvkcsy.bat

\Shell\open\Command - E:\jfvkcsy.bat

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2008-10-09 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 17:39]

.

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Cliente\Dados de aplicativos\Mozilla\Firefox\Profiles\8aveba0i.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-09 13:47:29

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execuçao ---------------------

 

PROCESSOS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\tsd32.dll

.

Tempo para conclusão: 2008-10-09 13:49:45

ComboFix-quarantined-files.txt 2008-10-09 16:49:30

 

Pré-execução: 16 pasta(s) 39.857.246.208 bytes disponíveis

Pós execução: 19 pasta(s) 40,206,901,248 bytes disponíveis

 

165 --- E O F --- 2007-10-11 10:14:00

 

 

HijackThis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:06:07, on 9/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\drivers\FmMgr.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Hijack\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\PrdMgr.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [FmMgr.exe] C:\WINDOWS\system32\drivers\FmMgr.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dados de aplicativos\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?03b447226ba547fb9430535b3189e8f2

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{E270385E-CBC0-44F5-85B4-50823CFE41AA}: NameServer = 201.10.120.2,201.10.128.3

O17 - HKLM\System\CCS\Services\Tcpip\..\{FDF2F365-C19E-4632-A382-88115FBC5F66}: NameServer = 201.10.120.2,201.10.128.3

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

 

--

End of file - 4873 bytes


I suggest you print or save the procedure below, and do not use the internet until the procedure is finished.

 

Select and copy the text inside the QUOTE (grey box) below. Open Notepad and paste what you copied. Then save it on the desktop with the name CFScript.txt.

 

File::

C:\WINDOWS\system32\drivers\FmMgr.exe

C:\WINDOWS\Photo_13301.zip

E:\2.cmd

E:\jfvkcsy.bat

Driver::

FmMgr.exe

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"FmMgr.exe"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{283c67e0-f421-11dc-8d1f-000fea21704e}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bdf05e3-83e8-11dd-8db5-000fea21704e}]

 

This script was written only for this computer, according to the files and keys present; do not use it on another computer, as it may cause damage.

 

Now drag CFScript.txt onto ComboFix as shown in the demonstration below.

 

[image: cfscript.gif]

 

ComboFix will run and will restart the PC automatically to complete the removal process.

 

IMPORTANT: Do not use the mouse or the keyboard while ComboFix is running.

 

When it finishes, a log will be generated at C:\ComboFix.txt.

 

Post it together with the new HijackThis log.

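The entries the helper's CFScript targets can also be spotted mechanically. The following is an added Python example (not from the thread, and not a feature of HijackThis or ComboFix) that scans log lines in the shape those tools print and flags the indicators seen in this thread: an extra binary on the Winlogon Shell line, executables under system32\drivers, the DisableRegedit policy, MountPoints2 AutoRun handlers pointing at a script on a removable drive, and Security Center override values. The sample lines are constructed from entries quoted above; the rule names are my own.

```python
"""Triage HijackThis/ComboFix log lines for the persistence and tampering
indicators seen in this thread. Added example; not part of the thread or
of either tool. Sample lines are constructed from entries quoted above."""
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample log: a few lines in the shape HijackThis (R1/F2/O4/O7/O23)
# and the ComboFix registry dump print.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\PrdMgr.exe
O4 - HKLM\..\Run: [FmMgr.exe] C:\WINDOWS\system32\drivers\FmMgr.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
\Shell\AutoRun\command - E:\jfvkcsy.bat
\Shell\open\Command - E:\2.cmd
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
"""

Finding = Tuple[str, str]  # (rule name, offending log line)

# Rule names are my own labels; each pattern encodes one indicator from the thread.
RULES: List[Tuple[str, Pattern[str]]] = [
    # Winlogon Shell should be exactly Explorer.exe; any second binary is a
    # persistence hijack (the PrdMgr.exe line in the first HijackThis log).
    ("shell_hijack",
     re.compile(r"^F2 - REG:system\.ini: Shell=Explorer\.exe\s+\S", re.I)),
    # Executables do not belong in system32\drivers; malware drops there to
    # look like a driver (FmMgr.exe / PrdMgr.exe).
    ("exe_in_drivers_dir",
     re.compile(r"\\system32\\drivers\\[^\\\s]+\.exe\b", re.I)),
    # Registry editor disabled by policy: tampering meant to hinder cleanup.
    ("regedit_disabled",
     re.compile(r"DisableRegedit=1\b", re.I)),
    # MountPoints2 AutoRun/open/explore handlers that launch a script from a
    # drive letter: the E:\2.cmd and E:\jfvkcsy.bat entries.
    ("autorun_script",
     re.compile(r"^\\Shell\\(AutoRun|open|explore)\\command - [A-Z]:\\.*\.(bat|cmd|vbs)$", re.I)),
    # Security Center overrides silence AV/firewall/update warnings.
    ("security_center_override",
     re.compile(r'^"(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|'
                r'UpdatesDisableNotify)"=dword:0*1$', re.I)),
]


def triage(lines: List[str]) -> List[Finding]:
    """Return every (rule, line) pair that matches; a line may match several rules."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a quick view of which tampering was seen."""
    counts: Dict[str, int] = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.strip().splitlines())
    for name, line in found:
        print(f"[{name}] {line}")
    print(summarize(found))
```

Benign lines such as the Java updater and the RealVNC service produce no finding, so the output is only the entries a responder would put into a removal script.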

Below is the result of the requested steps.

 

ComboFix

ComboFix 08-10-08.05 - Cliente 2008-10-09 15:02:53.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.243 [GMT -3:00]

Executando de: C:\Documents and Settings\Cliente\Desktop\ComboFix.exe

Comandos utilizados :: C:\Documents and Settings\Cliente\Desktop\CFScript.txt

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

 

FILE ::

C:\WINDOWS\Photo_13301.zip

C:\WINDOWS\system32\drivers\FmMgr.exe

E:\2.cmd

E:\jfvkcsy.bat

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\drivers\FmMgr.exe

C:\WINDOWS\system32\Microsoft\backup.ftp

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-09-09 to 2008-10-09 ))))))))))))))))))))))))))))))))

.

 

2008-10-09 14:49 . 2008-10-09 14:51 <DIR> d-------- C:\MSNCleaner

2008-10-08 16:15 . 2008-10-08 16:15 8,932,144 --a------ C:\ADM01_Temp.zip

2008-10-07 14:01 . 2008-10-07 14:01 <DIR> d-------- C:\Arquivos de programas\AxBx

2008-10-07 13:20 . 2008-10-07 13:20 <DIR> d-------- C:\Arquivos de programas\CCleaner

2008-10-07 09:11 . 2008-10-07 09:11 <DIR> d-------- C:\WINDOWS\ERUNT

2008-10-07 09:03 . 2008-10-07 09:30 <DIR> d-------- C:\SDFix

2008-10-06 16:26 . 2008-10-09 14:06 <DIR> d-------- C:\Hijack

2008-10-06 15:57 . 2006-05-15 15:48 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01.000\Modelos

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01.000\Meus documentos

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> dr------- C:\Documents and Settings\Administrador.ADM01.000\Menu Iniciar

2008-10-06 15:57 . 2008-10-06 16:01 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01.000\Favoritos

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> dr-h----- C:\Documents and Settings\Administrador.ADM01.000\Dados de aplicativos

2008-10-06 15:57 . 2008-10-09 15:04 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01.000\Configurações locais

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01.000\Ambiente de rede

2008-10-06 15:57 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01.000\Ambiente de impressão

2008-10-06 15:57 . 2008-10-06 15:57 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01.000

2008-10-06 15:55 . 2006-05-15 15:48 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01\Modelos

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01\Meus documentos

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> dr------- C:\Documents and Settings\Administrador.ADM01\Menu Iniciar

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01\Favoritos

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> dr-h----- C:\Documents and Settings\Administrador.ADM01\Dados de aplicativos

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01\Configurações locais

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01\Ambiente de rede

2008-10-06 15:55 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador.ADM01\Ambiente de impressão

2008-10-06 15:55 . 2008-10-06 15:55 <DIR> d-------- C:\Documents and Settings\Administrador.ADM01

2008-10-06 15:52 . 2006-05-15 15:48 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede

2008-10-06 15:52 . 2006-05-15 12:44 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão

2008-10-06 15:52 . 2008-10-06 15:52 <DIR> d-------- C:\Documents and Settings\Administrador

2008-10-06 15:38 . 2008-10-06 15:38 <DIR> d-------- C:\Arquivos de programas\Security Process Explorer

2008-10-02 08:37 . 2008-10-02 08:37 <DIR> d-------- C:\Arquivos de programas\Realtek AC97

2008-10-02 08:37 . 2001-07-06 00:19 164 --a------ C:\WINDOWS\avrack.ini

2008-09-30 13:12 . 2008-10-01 10:33 89,600 --a------ C:\8b4l8r9h1v9.exe

2008-09-26 16:28 . 2008-10-09 08:15 <DIR> d-------- C:\Documents and Settings\Cliente\Dados de aplicativos\OpenOffice.org2

2008-09-26 16:26 . 2008-09-26 16:26 <DIR> d-------- C:\Arquivos de programas\OpenOffice.org 2.0

2008-09-16 10:54 . 2008-09-16 12:43 4,681,472,000 --a------ C:\oleo.ISO

2008-09-16 10:46 . 2008-09-16 13:11 4,681,472,000 --a------ C:\UNDEFINED.ISO

2008-09-16 09:49 . 2008-09-16 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink

2008-09-16 09:49 . 2008-09-16 09:49 <DIR> d-------- C:\Arquivos de programas\DVD Shrink

2008-09-16 09:16 . 2008-09-16 13:32 <DIR> d-------- C:\UNDEFINED

2008-09-16 09:11 . 2008-09-16 09:11 <DIR> d-------- C:\Arquivos de programas\DVD Decrypter

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-09 17:52 45,056 ----a-w C:\WINDOWS\system32\ftp.exe

2008-10-09 17:52 359,808 ------w C:\WINDOWS\system32\drivers\tcpip.sys

2008-10-09 16:41 17,408 ----a-w C:\WINDOWS\system32\tftp.exe

2008-10-09 16:38 --------- d-----w C:\Arquivos de programas\Winamp

2008-10-07 18:37 --------- d-----w C:\Arquivos de programas\Windows Live Toolbar

2008-10-02 11:37 --------- d-----w C:\Arquivos de programas\AvRack

2008-09-30 19:07 59,904 --sh--r C:\WINDOWS\pchealth\helpctr\binaries\svchost.exe

2008-09-08 13:28 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-09-08 13:26 --------- d-----w C:\Documents and Settings\Cliente\Dados de aplicativos\AdobeUM

.

 

------- Sigcheck -------

 

2006-04-20 09:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys

2008-10-09 14:52 359808 b25643c4b9a4323d774ef12797ba600f C:\WINDOWS\system32\dllcache\tcpip.sys

2008-10-09 14:52 359808 b25643c4b9a4323d774ef12797ba600f C:\WINDOWS\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((((((( snapshot@2008-10-09_13.49.08.31 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-10-09 16:41:36 45,056 -c--a-w C:\WINDOWS\system32\dllcache\ftp.exe

+ 2008-10-09 17:52:56 45,056 -c--a-w C:\WINDOWS\system32\dllcache\ftp.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"SoundMan"="SOUNDMAN.EXE" [2005-10-04 C:\WINDOWS\soundman.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^Cliente^Menu Iniciar^Programas^Inicializar^OpenOffice.org 2.0.lnk]

path=C:\Documents and Settings\Cliente\Menu Iniciar\Programas\Inicializar\OpenOffice.org 2.0.lnk

backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

C:\Arquivos de programas\VIA\RAID\raid_t [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

--a------ 2008-07-09 18:33 36352 C:\Arquivos de programas\Winamp\winampa.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2005-10-04 14:12 90112 C:\WINDOWS\soundman.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

--a------ 2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

--a------ 2005-03-11 17:33 147456 C:\WINDOWS\system32\VTTrayp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avast! Antivirus"=2 (0x2)

"aswUpdSv"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\PAC_MEC\\pac_main.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

 

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2008-10-09 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job

- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 17:39]

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-09 15:04:28

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-10-09 15:06:46

ComboFix-quarantined-files.txt 2008-10-09 18:06:30

ComboFix2.txt 2008-10-09 16:49:47

 

Pré-execução: 17 pasta(s) 41.601.466.368 bytes disponíveis

Pós execução: 20 pasta(s) 41,591,898,112 bytes disponíveis

 

151 --- E O F --- 2007-10-11 10:14:00

 

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:00:46, on 9/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\explorer.exe

C:\Hijack\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dados de aplicativos\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?03b447226ba547fb9430535b3189e8f2

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{E270385E-CBC0-44F5-85B4-50823CFE41AA}: NameServer = 201.10.120.2,201.10.128.3

O17 - HKLM\System\CCS\Services\Tcpip\..\{FDF2F365-C19E-4632-A382-88115FBC5F66}: NameServer = 201.10.120.2,201.10.128.3

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

 

--

End of file - 4430 bytes


OK, the log is clean :)

 

- In Run, type combofix /u, click OK and wait for ComboFix to be removed.

 

Update Java.

Old versions have vulnerabilities that some malware can use to infect your system.

◘ Download the latest version of Java Runtime Environment (JRE) 6u7.
◘ Look for where it says "Java Runtime Environment (JRE) 6update7".
◘ Click the Download button.
◘ Check the option that says Accept License Agreement.
◘ The page will refresh.
◘ Click the Windows Offline Installation download link and save it to your desktop. (The file is around 70 MB.)
◘ Close any program that is running, especially browsers.
◘ Go to Start > Control Panel, double-click Add or Remove Programs and remove all old versions of Java.
Examples of old versions:
Java 2 Runtime Environment, SE v1.4.2
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
◘ Select any item named Java Runtime Environment (JRE or J2SE).
◘ Click the Remove or Change/Remove button.
◘ Repeat as many times as necessary to remove each version of Java.
◘ Restart your computer once all versions of Java have been removed.
◘ Now go to your desktop and double-click jre-6u7-windows-i586-p.exe to install the newest version.

 

Visit Windows Update and update your system, downloading Service Pack 3.

 

Or, if you prefer, download and install the full package (approx. 300 MB):

http://www.microsoft.com/downloads/details...splayLang=pt-br

 

- I recommend doing maintenance on the computer to delete temporary and unnecessary files and invalid registry entries. Download CCleaner.

 

◘ Open the program and click Run Cleaner;

◘ After that, click Registry > Scan for Issues > Fix Issues

 

- Disable and re-enable System Restore.

 

Read the article Cuidados ao navegar na net (Precautions when browsing the net) for more information on how to avoid infections.


PROBLEM SOLVED!

 

If the author needs the topic to be reopened, just send a Private Message to a Moderator with a link to the topic.
