[Arquivado] Minha Area de Trabalho e minha Barra de Tarefas sumir

henriqqq · Maio 24, 2009

ComboFix 09-05-23.04 - Henrique 24/05/2009 15:30.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.223.96 [GMT -3:00]

Executando de: c:\documents and settings\Henrique\Desktop\ComboFix.exe

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Henrique\Dados de aplicativos\BITS

c:\documents and settings\Henrique\Dados de aplicativos\BITS\BITS.ini

c:\documents and settings\Henrique\Dados de aplicativos\BITS\DHTTable.dat

c:\documents and settings\Henrique\Dados de aplicativos\BITS\ProxyList.ini

c:\documents and settings\Henrique\Dados de aplicativos\BITS\UPnP.ini

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-04-24 to 2009-05-24 ))))))))))))))))))))))))))))

.

2009-05-23 23:02 . 2009-05-23 23:02 -------- d-----w C:\PenClean

2009-05-23 22:36 . 2009-05-23 22:36 -------- d-----w C:\!KillBox

2009-05-23 21:26 . 2009-05-24 18:21 -------- d-----w c:\arquivos de programas\Malware Avenger

2009-05-23 18:51 . 2009-05-23 18:51 -------- d-----w c:\arquivos de programas\ESET

2009-05-21 22:39 . 2009-05-21 22:39 -------- d-----w c:\documents and settings\Henrique\Dados de aplicativos\Malwarebytes

2009-05-21 22:39 . 2009-05-21 22:39 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2009-05-21 22:39 . 2009-05-24 18:21 -------- d-----w c:\arquivos de programas\Malwarebytes' Anti-Malware

2009-05-21 18:54 . 2009-05-21 19:22 -------- d-----w c:\documents and settings\Administrador\Modelos

2009-05-21 18:54 . 2009-05-21 19:22 -------- d-----w c:\documents and settings\Administrador\Dados de aplicativos

2009-05-21 18:54 . 2009-05-21 19:22 -------- d-----w c:\documents and settings\Administrador\Configurações locais

2009-05-21 18:54 . 2009-05-21 19:22 -------- d-s---w c:\documents and settings\Administrador

2009-05-16 18:19 . 2009-05-16 18:19 -------- d-----w c:\arquivos de programas\TagRename

2009-05-12 18:42 . 2009-05-12 18:42 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Equation Wizard

2009-04-29 19:01 . 2009-04-29 20:15 -------- d-----w c:\documents and settings\Henrique\Dados de aplicativos\Hamachi

2009-04-29 19:00 . 2009-04-29 19:00 25280 ----a-w c:\windows\system32\drivers\hamachi.sys

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-19 23:49 . 2009-01-16 18:30 -------- d-----w c:\arquivos de programas\McAfee

2009-05-11 21:16 . 2009-01-19 18:25 -------- d-----w c:\documents and settings\Henrique\Dados de aplicativos\uTorrent

2009-04-11 17:28 . 2009-04-11 17:28 -------- d-----w c:\arquivos de programas\EA SPORTS

2009-04-10 01:14 . 2009-04-10 00:52 -------- d-----w c:\arquivos de programas\Harry Potter - Quidditch World Cup

2009-04-05 16:29 . 2009-04-05 16:29 -------- d-----w C:\Arquivos de Programas RFB

2009-04-05 16:14 . 2009-04-05 16:15 410984 ----a-w c:\windows\system32\deploytk.dll

2009-04-05 16:14 . 2009-04-05 16:14 -------- d-----w c:\arquivos de programas\Java

2009-04-05 16:12 . 2009-04-05 16:12 152576 ----a-w c:\documents and settings\Henrique\Dados de aplicativos\Sun\Java\jre1.6.0_13\lzma.dll

2009-03-31 18:36 . 2009-03-31 18:36 -------- d-----w c:\arquivos de programas\SystemRequirementsLab

.

------- Sigcheck -------

[7] 2004-08-04 03:45 14336 5DE3E7B6F7624552F2F06664F110820D c:\windows\$NtServicePackUninstall$\svchost.exe

[7] 2008-04-13 21:21 14336 ED2D69CD4B0EBE37EFE11D4DC4ABC68F c:\windows\ServicePackFiles\i386\svchost.exe

[-] 2008-04-13 21:21 17408 43763079E261B60708ECD3DC075B6DAD c:\windows\system32\svchost.exe

[7] 2004-08-04 03:45 504320 6F7BDE7A1126DEBF0CC359A54953EFC1 c:\windows\$NtServicePackUninstall$\winlogon.exe

[7] 2008-04-13 21:21 509952 71D440F79B711627B12B567FB2EADB42 c:\windows\ServicePackFiles\i386\winlogon.exe

[-] 2008-04-13 21:21 512000 7A7AEAEB152EEF747CCA0BA94D3AD355 c:\windows\system32\winlogon.exe

[7] 2004-08-04 03:45 108544 CC73C4430C2FC27FDE16A0A4E3678148 c:\windows\$NtServicePackUninstall$\services.exe

[7] 2008-04-13 21:21 109056 EE7999BAACA84CFAA03726E677EE2A33 c:\windows\ServicePackFiles\i386\services.exe

[-] 2008-04-13 21:21 111104 9B1B6563A11ACB0849BAFEBB75EC703B c:\windows\system32\services.exe

[7] 2004-08-04 03:45 13312 35C6463B3C5F62D2B20C953B6E1538E9 c:\windows\$NtServicePackUninstall$\lsass.exe

[7] 2008-04-13 21:21 13312 9607142710D3B64AB7FCCE4BE4E30D37 c:\windows\ServicePackFiles\i386\lsass.exe

[-] 2008-04-13 21:21 14848 0B8696184D17D62DF2C20E143EAF81CF c:\windows\system32\lsass.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Utility Tray.lnk]

path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Utility Tray.lnk

backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Henrique^Menu Iniciar^Programas^Inicializar^Reboot.exe]

path=c:\documents and settings\Henrique\Menu Iniciar\Programas\Inicializar\Reboot.exe

backup=c:\windows\pss\Reboot.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"c:\\Arquivos de programas\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

.

- - - - ORFÃOS REMOVIDOS - - - -

HKLM-RunOnce-UsbFix - c:\usbfix\UsbFix.cmd

HKLM-RunOnce-<NO NAME> - (no file)

SafeBoot-procexp90.Sys

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.terra.com.br/portal/

IE: Baixar Link Utiizando Gerenciador Mega... - c:\arquivos de programas\Megaupload\Mega Manager\mm_file.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {A88398A1-D02D-4E60-ADDA-3A72AF63A761} = 200.204.0.10 200.204.0.138

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-24 15:33

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-162531612-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{73D9C432-171D-DF2B-4A4E-CF7EC46FD0EE}*]

@Allowed: (Read) (RestrictedCode)

"gajebkoodhbkac"=hex:63,61,6a,61,6e,6c,00,00

.

Tempo para conclusão: 2009-05-24 15:35

ComboFix-quarantined-files.txt 2009-05-24 18:35

Pré-execução: 7.797.231.616 bytes disponíveis

Pós execução: 7.950.917.632 bytes disponíveis

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5

120

OBS: Antes de finalizar o ComboFix, apareceu uma janela falando que o explorer.exe não foi encontrado, certifique-se que digitou corretamente, etc.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:42:19, on 24/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\DOCUME~1\Henrique\CONFIG~1\Temp\Rar$EX01.547\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/portal/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Arquivos de programas\Megaupload\Mega Manager\MegaIEMn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Baixar Link Utiizando Gerenciador Mega... - C:\Arquivos de programas\Megaupload\Mega Manager\mm_file.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_b...sreqlab_srl.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u1...=javadl.sun.com

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.sparkpea.net/controls/msnchat45.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{A88398A1-D02D-4E60-ADDA-3A72AF63A761}: NameServer = 200.204.0.10 200.204.0.138

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Spooler de impressão (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--

End of file - 4905 bytes

Power Max · Maio 24, 2009

Delete a pasta qoobox que está localizada em C:\, delete também o Log ComboFix.txt também localizado em C:\.

:seta: Sugiro que imprima ou salve os procedimentos abaixo, e não use a Internet até terminado o procedimento.

Selecione e copie o texto dentro do CODE (caixa branca) abaixo:

File::c:\documents and settings\Henrique\Menu Iniciar\Programas\Inicializar\Reboot.exec:\windows\pss\Reboot.exeStartupFolder::c:\arquivos de programas\Malware AvengerRegistry::[-HKLM\~\startupfolder\C:^Documents and Settings^Henrique^Menu Iniciar^Programas^Inicializar^Reboot.exe]

Abra o Bloco de notas e cole o que copiou. Salve então, na Área de Trabalho (Desktop), com o nome de CFScript.txt

Agora arraste o CFScript.txt para o ComboFix conforme a demonstração abaixo:

O ComboFix irá rodar e reiniciará o PC automaticamente para completar o processo de remoção.

IMPORTANTE: Não use o mouse nem o teclado quando o ComboFix estiver rodando.

Quando acabar, será gerado um Log, que estará em C:\ComboFix.txt.

Poste um novo Log com o HijackThis em Modo Normal juntamente com log do Combofix em ComboFix.txt e nos diga como está o seu PC depois disto.

henriqqq · Maio 24, 2009

O ComboFix não reiniciou automaticamente e novamente falou que 'explorer.exe' não pode ser encontrado. Tomei a liberdade de reiniciar e o PC continua com o problema de não aparecer o Desktop e a barra do iniciar

LOGS

ComboFix 09-05-23.04 - Henrique 24/05/2009 17:35.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.223.131 [GMT -3:00]

Executando de: c:\documents and settings\Henrique\Desktop\ComboFix.exe

Comandos utilizados :: c:\documents and settings\Henrique\Desktop\CFScript.txt

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::

c:\documents and settings\Henrique\Menu Iniciar\Programas\Inicializar\Reboot.exe

c:\windows\pss\Reboot.exeStartup