[Arquivado] PC não localiza PrdMgr.exe e não se conecta a rede

S2 Luh S2 · Maio 22, 2009

Toda vez q ligo o computador da a msg q não foi possivel localizar PrdMgr.exe no seguinte destino: c:\windows\System32\

E com isso não consigo me conectar a internet. Utilizei o SdFix então a msg saiu, parou de acusar o erro quando ligo o computador mas continuo não conseguindo acessar a internet (OBS.: moden ja foi verificado, e não consta nenhum problema).

Utilizei tb o Hyjakthis como pede o forum pra colar o relatório. Irei colar os 2 relatórios, do SDFix e Hyjakthis

Então abaixo vou colar relatório SDFix e em seguida o Hyjakthis

SDFix: Version 1.240

Run by Professor on qui 21/05/2009 at 20:22

Microsoft Windows XP [versÆo 5.1.2600]

Running From: C:\SDFix

Checking Services :

C:\WINDOWS\system32\Microsoft\backup.ftp Found

Checking files:

Genuine:

C:\WINDOWS\system32\Microsoft\backup.ftp

C:\WINDOWS\system32\tftp.exe

C:\WINDOWS\system32\dllcache\tftp.exe

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP10.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP11.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP12.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP13.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP14.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP15.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP16.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP17.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP18.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP19.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP1A.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP1B.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP1C.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP1D.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP1E.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP1F.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP20.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP22.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP23.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP24.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP25.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP26.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP3.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP31.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP33.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP4.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP5.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP58.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP5F.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP6.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP61.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP63.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP65.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP67.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP69.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP7.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP76.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP78.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP8.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMP9.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMPA.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMPB.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMPC.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMPD.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMPE.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMPE5.tmp - Deleted

C:\DOCUME~1\PROFES~1\CONFIG~1\Temp\TMPF.tmp - Deleted

C:\WINDOWS\system32\drivers\FmMgr.exe - Deleted

C:\WINDOWS\system32\Microsoft\backup.ftp - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-21 20:25:02

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rrsqwyeg]

"DisplayName"="System Monitor"

"Type"=dword:00000020

"Start"=dword:00000002

"ErrorControl"=dword:00000000

"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"

"ObjectName"="LocalSystem"

"Description"="Fornece gerenciamento de temas para experiência do usuário."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rrsqwyeg\Parameters]

"ServiceDll"=str(2):"C:\WINDOWS\system32\bpfnlpl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rrsqwyeg]

"DisplayName"="System Monitor"

"Type"=dword:00000020

"Start"=dword:00000002

"ErrorControl"=dword:00000000

"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"

"ObjectName"="LocalSystem"

"Description"="Fornece gerenciamento de temas para experiência do usuário."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rrsqwyeg\Parameters]

"ServiceDll"=str(2):"C:\WINDOWS\system32\bpfnlpl.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe"="C:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe"="C:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avgemc.exe"="C:\\Arquivos de programas\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Arquivos de programas\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Arquivos de programas\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"

"C:\\Arquivos de programas\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Arquivos de programas\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"="C:\\Arquivos de programas\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 16 Apr 2007 157,130 A.SHR --- "C:\WINDOWS\system32\bpfnlpl.dll"

Fri 28 Nov 2008 5,215,097 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\007ab7c7d6028e086bc9dab792192c9e\BIT3D.tmp"

Sat 10 Jan 2009 7,592,848 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\18e020ff36e07bfcf88a907167f7f90f\BIT25.tmp"

Wed 4 Mar 2009 5,212,511 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\23841a39b22e831bb6d17bfc00226453\BIT39.tmp"

Wed 4 Mar 2009 6,350,062 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2bd40bdf3460963993dfc0cbb1012c74\BIT23.tmp"

Wed 4 Mar 2009 9,018,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\37196d5f317febb2d79dc3d0328f2bb4\BIT37.tmp"

Wed 4 Mar 2009 1,420,840 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\38c52bcb45c3107e4262937375363ff1\BIT37.tmp"

Fri 28 Nov 2008 7,645,120 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\50226dffb9a4e5b1621436717d26bee4\BIT34.tmp"

Wed 4 Mar 2009 2,800,168 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5567be01b18117d30246f70d3abbc3fb\BIT31.tmp"

Wed 4 Mar 2009 8,826,248 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\625ef27d9ce1c9d29579a994513d50bf\BIT34.tmp"

Sun 1 Feb 2009 2,558,320 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6740154a6ec052849386ece3f32cb8d4\BIT1B.tmp"

Sun 14 Dec 2008 250,716 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\67bb55bf31afcf064a34eb2cf1810033\BIT2B.tmp"

Fri 28 Nov 2008 13,863,894 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6d15ace20faed175c6da35a8a1a28c0f\BIT40.tmp"

Wed 4 Mar 2009 10,006,305 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\78473a8c97917f3508141245b98df2da\BIT3C.tmp"

Wed 4 Mar 2009 9,448,904 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8d8a1db5b2c187dfff9360bceec5d807\BIT3A.tmp"

Sat 31 Jan 2009 9,015,664 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9156088442f5f4032842e258981f56dd\BIT23.tmp"

Sat 10 Jan 2009 7,771,584 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9de4903f01b4008e08b567e41ba8107e\BIT21.tmp"

Sat 31 Jan 2009 9,237,440 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b78797d4e2ea9a8dcbe3140f470c3736\BIT31.tmp"

Fri 28 Nov 2008 124,268 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c95b036725d475b56add0d9c3846546d\BIT39.tmp"

Wed 4 Mar 2009 5,687,304 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\deb185b7c3743a27be869545db996079\BIT1D.tmp"

Wed 4 Mar 2009 13,859,801 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e790bbfb0c87246fcb989eb0e7c12df2\BIT20.tmp"

Wed 4 Mar 2009 4,238,901 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fca406e0b2861ed74a38243064e8ed37\BIT2F.tmp"

Wed 4 Mar 2009 7,654,834 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd3c7de1ed508df5aaa014d6e324f086\BIT30.tmp"

Wed 4 Mar 2009 7,743,621 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0dfe972766966e534f33301bade1e80e\download\BIT41.tmp"

Mon 29 Sep 2008 76,288 A.SHR --- "C:\Documents and Settings\Professor\Meus documentos\Minhas imagens\SD-MMC (E)\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\restor.exe"

Finished!

Agora o relatório Hyjakthis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:03:14, on 21/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Ahead\InCD\InCD.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\Arquivos de programas\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\WINDOWS\system32\sistray.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\Arquivos de programas\Eset\nod32krn.exe

C:\WINDOWS\system32\o2flash.exe

C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\Professor\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [inCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [iSTray] "C:\Arquivos de programas\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Kodak software updater.lnk = C:\Arquivos de programas\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202739228562

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202739740906

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

--

End of file - 6563 bytes

E agora, alguma dica do q eu posso fazer pra consertar isso?

PedroN · Maio 22, 2009

Faça o download do ComboFix de um destes locais:

Link 1.

Link 2.

Link 3.

Importante!

Você não deve usar Combofix a menos que você tenha sido instruído a fazê-lo por um análista de segurança.

Destina-se pelo seu criador para ser utilizado sob orientação e supervisão de um especialista, e não para uso privado.

Utilizando esta ferramenta incorreto poderia levar a desastrosa problemas com o seu sistema operacional.

Certifique-se de que você salvou ComboFix.exe para o seu desktop.

• Desabilite o seu Antivírus e AntiSpyware , geralmente através de um clique direito sobre o ícone da bandeja do sistema. Eles podem interferir na execução da ferramenta.

• Dê um duplo clique no ComboFix.exe & siga as instruções.

• Como parte de seu processo, ComboFix irá verificar se o Microsoft Windows Recovery Console está instalado. Como as infecções de malware são hoje, é fortemente recomendado que esteja pré-instalado em sua máquina antes de fazer qualquer remoção de malware. Ela permitirá que você arrancar em especial uma recuperação / reparação modo a permitir-nos-á mais fácil ajudá-lo a seu computador deve ter um problema após uma tentativa de remoção de malware.

• Siga as instruções para permitir ComboFix para baixar e instalar o Microsoft Windows Recovery Console e, quando for solicitado, concordar com o End-User License Agreement para instalar o Microsoft Windows Recovery Console.

-- Atenção: Se a consola de recuperação do Microsoft Windows já estiver instalado, ComboFix irá continuar a sua remoção malware procedimentos.

Uma vez que o Microsoft Windows Recovery Console é instalado usando o ComboFix, você deverá ver a seguinte mensagem:

Clique em Sim, para continuar a varredura de malware.

Quando terminar, ela deve produzir um log para você. Poste o relatorio do combofix que estar em C: \ ComboFix.txt junto com um log do hijackthis.

S2 Luh S2 · Maio 23, 2009

Ao instalar o programa ComboFix, ele verifica se tem o Microsoft Windows Recovery Console no computador, como no meu não tem, ele requer o download e pede autorização para automaticamente baixar o arquivo, mas como relatei acima, o problema do meu computador é justamente a conexão, q por algum virus ou malware impede a conexão.

Então gostaria de saber se tem algum site q eu possa fazer o download em uma outra maquina e em seguida passar para o PC q tá ruim para só depois executar o ComboFix.

Que site posso baixar o Microsoft Windows Recovery Console ?

PedroN · Maio 23, 2009

Oi S2 Luh S2 tenha um bom dia!

Execute novamente o combofix e quando for pedido para instalação do console de recuperação clique em NO(não) e prociga com a instalação. Poste os resultados na sua próxima resposta. ;)

S2 Luh S2 · Maio 23, 2009

Oi S2 Luh S2 tenha um bom dia!

Execute novamente o combofix e quando for pedido para instalação do console de recuperação clique em NO(não) e prociga com a instalação. Poste os resultados na sua próxima resposta. ;)

Olá ... Boa Tarde Pedro

Primeiramente obrigada pela ajuda q você tem me dado. Agora ao trabalho :

Executei o ComboFix como você falou, abaixo ta o log e em seguida o HiJackthis.

ComboFix 09-05-22.05 - Professor 23/05/2009 17:23.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.445.88 [GMT -3:00]

Executando de: c:\documents and settings\Professor\Desktop\ComboFix.exe

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\PROFES~1\CONFIG~1\Temp\IadHide5.dll

c:\documents and settings\Professor\Configurações locais\Temp\IadHide5.dll

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-04-23 to 2009-05-23 ))))))))))))))))))))))))))))

.

2009-05-22 23:05 . 2009-01-18 21:35 15688 ----a-w c:\windows\system32\lsdelete.exe

2009-05-22 22:31 . 2009-01-18 21:30 64160 ----a-w c:\windows\system32\drivers\Lbd.sys

2009-05-22 22:30 . 2009-05-22 22:30 -------- dc-h--w c:\documents and settings\All Users\Dados de aplicativos\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-05-22 22:30 . 2009-01-18 21:43 2892112 -c--a-w c:\documents and settings\All Users\Dados de aplicativos\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe

2009-05-22 22:30 . 2009-05-22 22:30 -------- d-----w c:\arquivos de programas\Lavasoft

2009-05-21 23:20 . 2009-05-21 23:21 -------- d-----w c:\windows\ERUNT

2009-05-21 23:17 . 2009-05-21 23:25 -------- d-----w C:\SDFix

2009-05-21 22:30 . 2009-05-21 22:30 -------- d-----w c:\arquivos de programas\VS Revo Group

2009-05-21 22:29 . 2009-05-22 22:30 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Lavasoft

2009-05-21 22:28 . 2009-05-21 22:28 -------- d-----w c:\documents and settings\Professor\Dados de aplicativos\AVGTOOLBAR

2009-05-21 22:27 . 2009-05-23 00:39 -------- d---a-w c:\documents and settings\All Users\Dados de aplicativos\TEMP

2009-05-21 20:12 . 2009-05-21 22:19 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Grisoft(3)

2009-05-21 20:12 . 2009-05-21 22:19 -------- d-----w c:\arquivos de programas\Grisoft(2)

2009-05-21 19:02 . 2007-08-24 22:45 101120 ----a-r c:\windows\system32\drivers\ewusbmdm.sys

2009-05-21 19:02 . 2007-08-24 22:45 24448 ----a-r c:\windows\system32\drivers\ewdcsc.sys

2009-05-20 14:08 . 2009-05-21 20:00 -------- d-----w c:\arquivos de programas\NTFS Undelete

2009-04-29 12:47 . 2009-05-21 22:26 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Grisoft

2009-04-29 12:42 . 2009-04-29 12:42 274432 ----a-w c:\windows\system32\config\systemprofile\NTUSER(3).DAT

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-23 20:19 . 2009-04-08 13:44 -------- d-----w c:\arquivos de programas\ESET

2009-05-21 22:30 . 2008-02-08 18:26 -------- d-----w c:\arquivos de programas\Mobile Partner

2009-05-21 22:30 . 2009-04-07 16:36 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\avg8

2009-04-30 16:49 . 2008-02-01 20:40 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\avg7

2009-04-10 17:40 . 2009-01-11 01:20 10 ----a-w c:\windows\popcinfo.dat

2009-04-08 13:31 . 2004-08-04 01:14 360320 ------w c:\windows\system32\drivers\tcpip.sys

2009-04-07 16:23 . 2008-02-06 13:19 -------- d-----w c:\documents and settings\Professor\Dados de aplicativos\AVG7

2009-04-05 12:28 . 2009-04-05 12:28 274432 ----a-w c:\windows\system32\config\systemprofile\NTUSER(4).DAT

2009-04-05 12:28 . 2009-04-05 12:28 274432 ----a-w c:\windows\system32\config\systemprofile\NTUSER(2).DAT

2009-02-22 23:12 . 2001-10-28 18:07 49044 ----a-w c:\windows\system32\perfc016.dat

2009-02-22 23:12 . 2001-10-28 18:07 344972 ----a-w c:\windows\system32\perfh016.dat

2004-03-11 15:27 . 2008-02-12 19:00 40960 ----a-w c:\arquivos de programas\Uninstall_CDS.exe

2007-04-16 15:53 . 2004-08-04 02:45 157130 --sha-r c:\windows\system32\bpfnlpl.dll

.

------- Sigcheck -------

[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2004-08-04 01:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB941644$\tcpip.sys

[-] 2009-03-04 19:00 360064 E30AAEFE67802E4E319DAB246903A609 c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2009-04-08 13:31 360320 841A641C665D3E24504463D3C2163F92 c:\windows\system32\dllcache\tcpip.sys

[-] 2009-04-08 13:31 360320 841A641C665D3E24504463D3C2163F92 c:\windows\system32\drivers\tcpip.sys

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\arquivos de programas\QuickTime\qttask.exe" [2008-11-29 77824]

"SMSERIAL"="c:\arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe" [2006-07-17 573440]

"RemoteControl"="c:\arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"InCD"="c:\arquivos de programas\Ahead\InCD\InCD.exe" [2004-09-07 1400944]

"Ad-Watch"="c:\arquivos de programas\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-12 16264192]

"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2007-06-25 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Kodak software updater.lnk - c:\arquivos de programas\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

Microsoft Office.lnk - c:\arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Software Kodak EasyShare.lnk - c:\arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552]

Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-2-1 262144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Arquivos de programas\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/5/2009 19:31 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\arquivos de programas\Lavasoft\Ad-Aware\AAWService.exe [18/1/2009 18:34 921936]

S2 rrsqwyeg;System Monitor;c:\windows\system32\svchost.exe -k netsvcs [3/8/2004 23:45 14336]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [1/2/2008 17:37 238976]

--- ---

*NewlyCreated* - WNUBHDI

*Deregistered* - wnubhdi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

rrsqwyeg

.

Conteúdo da pasta 'Tarefas Agendadas'

2009-05-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\arquivos de programas\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:34]

.

- - - - ORFÃOS REMOVIDOS - - - -

SafeBoot-procexp90.Sys

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.google.com.br/

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-23 17:28

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rrsqwyeg]

"ServiceDll"="c:\windows\system32\bpfnlpl.dll"

.

------------------------ Outros Processos em Execução ------------------------

.

c:\arquivos de programas\Ahead\InCD\InCDsrv.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\system32\o2flash.exe

c:\windows\system32\wbem\unsecapp.exe

.

**************************************************************************

.

Tempo para conclusão: 2009-05-23 17:30 - Máquina reiniciou

ComboFix-quarantined-files.txt 2009-05-23 20:30

Pré-execução: 13 pasta(s) 113.389.604.864 bytes disponíveis

Pós execução: 12 pasta(s) 113.911.824.384 bytes disponíveis

137 --- E O F --- 2009-03-04 19:06

Agora o Log do HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:32:43, on 23/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Ahead\InCD\InCD.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\WINDOWS\system32\sistray.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\o2flash.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Professor\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\ARQUIV~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sMSERIAL] C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWTray.exe