D@vid, posted December 17, 2009

As promised, the logs are below. The infected temporary files came back when I logged in to the forum here to reply to you; it may be a coincidence.

Scan Status:
Scan: 1
Start Scan: 12/17/09 11:04:01
Scan Targets: Running Processes;Entry Points;C:\
Virus Definitions: 12/16/09
Scan Count: 762297
Risks Found: 3
Risks resolved: 2
Risks unresolved: 1
Scan Time: 4143 sec
Complete Scan: 12/17/09 12:13:04

Resolved Threats:

Trojan Horse
Virus ID: 25464
Risk: High
Categories: Vírus
State: Deleted
-----------
Infection: c:\david\softwares\everest4.10.1091\install\keygen.exe
Browser Cache

Infostealer.Bancos
Virus ID: 40050
Risk: High
Categories: Vírus
State: Deleted
-----------
Infection: c:\documents and settings\user\dados de aplicativos\thinstall\tuneup utilities 2008\4000009300002i\integrator.exe
Registry: HKEY_USERS\S-1-5-21-2025429265-2052111302-839522115-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN->iexplore.exe:1
Browser Cache

Unresolved Threats:

Trojan Horse
Virus ID: 25464
Risk: High
Categories: Vírus
State: Repair Failed
-----------
File: C:\David\Softwares\Wireless.rar

--------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10:29, on 17/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Cobian Backup 9\Cobian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Arquivos de programas\DAP\DAP.EXE
C:\Arquivos de programas\Cobian Backup 9\cbInterface.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\DAP\DAP.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\user\Meus documentos\My Completed Downloads\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\ARQUIV~1\DAP\DAPIEL~1.DLL
O4 - HKLM\..\Run: [OrderReminder] C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe
O4 - HKLM\..\Run: [Cobian Backup 9] "C:\Arquivos de programas\Cobian Backup 9\Cobian.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Arquivos de programas\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Arquivos de programas\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DOS2USB] C:\Arquivos de programas\DOS2USB\DOS2USB.exe
O4 - HKCU\..\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77bf5300-1474-4ec7-9980-d32b190e9b07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15855B23-1630-4ED2-A003-E23A5B59F8EE}: NameServer = 200.204.0.10,200.204.0.138
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG Anti-Spyware Driver - Unknown owner - (no file)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - (no file)
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Atualizações Automáticas (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 10917 bytes

-----------------------------------------------------------------

17/12/2009,08:38:36 ---------------------------------------------------------
17/12/2009,08:38:39 Keyfile contains a valid license. The Avira AntiVir Personal - Free Antivirus will run as a fully functional version!
17/12/2009,08:38:39 AntiVir Guard version: 9.00.01.32,engine version 8.2.1.108,VDF version: 7.10.1.243
17/12/2009,08:38:40 AntiVir Guard was enabled.
17/12/2009,08:38:40 Avira AntiVir Personal - Free Antivirus has been started successfully!
17/12/2009,08:38:40 [CONFIG] On-Access configuration used:
    - Files to scan: scan files from local drives
    - Files to scan: All files
    - Device mode: scan files on open, scan files on close
    - Actions: ask the user
    - Scan archive: Enabled
    - Maximum recursion depth: 1
    - Maximum number of files: 10
    - Maximum size (Kb): 1000
    - Heuristic: Enabled
    - Win32 file heuristic: Medium detection level
    - Logfile report level Default
17/12/2009,08:57:24 Update process started!
17/12/2009,08:57:26 Current Engine Version: 8.2.1.114
17/12/2009,08:57:26 Current Pattern File: 7.10.2.13
17/12/2009,09:05:53 [WARNING] Contains recognition pattern of the WORM/Joleee.ejr.6 worm!
    C:\WINDOWS\system32\userini.exe
    [USER] AUTORIDADE NT\NETWORK SERVICE
    [INFO] No right to access the file.
17/12/2009,09:06:01 [WARNING] Contains recognition pattern of the WORM/Joleee.ejr.6 worm!
    C:\WINDOWS\system32\userini.exe
    [USER] AUTORIDADE NT\NETWORK SERVICE
    [INFO] No right to access the file.
17/12/2009,09:13:47 [WARNING] Is the TR/Vundo.Gen Trojan!
    C:\WINDOWS\system32\tdlcmd.dll
    [USER] AUTORIDADE NT\SYSTEM
    [INFO] The file will be deleted.
17/12/2009,11:05:08 [WARNING] Contains recognition pattern of the WORM/Joleee.ejr.6 worm!
    C:\WINDOWS\system32\userini.exe
    [USER] DAVID\USER
    [INFO] The file will be deleted.
17/12/2009,11:13:58 [WARNING] Is the TR/Vundo.Gen Trojan!
    C:\WINDOWS\system32\tdlcmd.dll
    [USER] AUTORIDADE NT\SYSTEM
    [INFO] The file will be deleted.
17/12/2009,11:51:59 [WARNING] Contains code of the W32/CTX Windows virus!
    C:\Documents and Settings\user\Configurações locais\Temp\000007E4
    [USER] DAVID\USER
    [INFO] The file will be deleted.
17/12/2009,11:52:23 [WARNING] Contains code of the W32/CTX Windows virus!
    C:\Documents and Settings\user\Configurações locais\Temp\000007EA
    [USER] DAVID\USER
    [INFO] The file will be deleted.
17/12/2009,11:53:04 [WARNING] Contains code of the W32/CTX Windows virus!
    C:\Documents and Settings\user\Configurações locais\Temp\0000080C
    [USER] DAVID\USER
    [INFO] The file will be deleted.
17/12/2009,11:53:12 [WARNING] Contains code of the W32/CTX Windows virus!
    C:\Documents and Settings\user\Configurações locais\Temp\0000080E
    [USER] DAVID\USER
    [INFO] The file will be deleted.
17/12/2009,11:54:30 [WARNING] Contains code of the W32/CTX Windows virus!
    C:\Documents and Settings\user\Configurações locais\Temp\00000854
    [USER] DAVID\USER
    [INFO] The file will be deleted.
17/12/2009,11:54:45 [WARNING] Contains code of the W32/CTX Windows virus!
    C:\Documents and Settings\user\Configurações locais\Temp\00000858
    [USER] DAVID\USER
    [INFO] The file will be deleted.
17/12/2009,13:14:06 [WARNING] Is the TR/Vundo.Gen Trojan!
    C:\WINDOWS\system32\tdlcmd.dll
    [USER] AUTORIDADE NT\SYSTEM
    [INFO] No right to access the file.
17/12/2009,15:14:21 [WARNING] Is the TR/Vundo.Gen Trojan!
    C:\WINDOWS\system32\tdlcmd.dll
    [USER] AUTORIDADE NT\SYSTEM
    [INFO] The file will be deleted.
17/12/2009,17:14:31 [WARNING] Is the TR/Vundo.Gen Trojan!
    C:\WINDOWS\system32\tdlcmd.dll
    [USER] AUTORIDADE NT\SYSTEM
    [INFO] The file will be deleted.
17/12/2009,17:18:31 [WARNING] Contains recognition pattern of the DR/Delphi.Gen dropper!
    C:\WINDOWS\Temp\yecg.tmp
    [USER] AUTORIDADE NT\SYSTEM
    [INFO] The file will be deleted.
17/12/2009,17:23:49 [WARNING] Contains recognition pattern of the DR/Delphi.Gen dropper!
    C:\WINDOWS\Temp\trrx.tmp
    [USER] AUTORIDADE NT\SYSTEM
    [INFO] The file will be deleted.

I'll be waiting. Thank you for your attention!!!

Power Max, posted December 17, 2009

:) Other problems were removed.
________________________________________
Please follow the steps in this tutorial: SDFix Tutorial

In your next reply, post the log that will be at C:\SDFix\Report.txt together with a new HijackThis log, and tell us how your PC is after that.

D@vid, posted December 18, 2009

The way it works is different from what is described in the tutorial; I need help. Avira made new detections:

18/12/2009,11:10:24 ---------------------------------------------------------
18/12/2009,11:10:27 Keyfile contains a valid license. The Avira AntiVir Personal - Free Antivirus will run as a fully functional version!
18/12/2009,11:10:27 AntiVir Guard version: 9.00.01.32,engine version 8.2.1.114,VDF version: 7.10.2.18
18/12/2009,11:10:29 AntiVir Guard was enabled.
18/12/2009,11:10:29 Avira AntiVir Personal - Free Antivirus has been started successfully!
18/12/2009,11:10:29 [CONFIG] On-Access configuration used:
    - Files to scan: scan files from local drives
    - Files to scan: All files
    - Device mode: scan files on open, scan files on close
    - Actions: ask the user
    - Scan archive: Enabled
    - Maximum recursion depth: 1
    - Maximum number of files: 10
    - Maximum size (Kb): 1000
    - Heuristic: Enabled
    - Win32 file heuristic: Medium detection level
    - Logfile report level Default
18/12/2009,11:21:49 [WARNING] Is the TR/Crypt.XPACK.Gen Trojan!
    C:\WINDOWS\system32\hmpkiig.dll
    [USER] DAVID\USER
    [INFO] The file will be deleted.
18/12/2009,11:21:55 [ERROR] Unable to delete the file: C:\WINDOWS\system32\hmpkiig.dll
    Error description: 0x00000005 - Acesso negado.
18/12/2009,11:21:55 [ERROR] Unable to delete the file: C:\WINDOWS\system32\hmpkiig.dll
    Error description: 0x00000005 - Acesso negado.
18/12/2009,11:21:55 [ERROR] Unable to delete the file: C:\WINDOWS\system32\hmpkiig.dll
    Error description: 0x00000005 - Acesso negado.
18/12/2009,11:22:32 [WARNING] Is the TR/Crypt.XPACK.Gen Trojan!
    C:\WINDOWS\system32\hmpkiig.dll
    [USER] DAVID\USER
    [INFO] No right to access the file.

I'll be waiting!!

Power Max, posted December 18, 2009

> The way it works is different from what is described in the tutorial; I need help.

I have just used Sdfix and updated some parts of the tutorial, but from what I noticed, the way Sdfix works is more or less the same. See whether the tutorial is good enough with these changes, or, if anything is different, please let me know so that we can update it.

D@vid, posted December 18, 2009

Antonio, I went back to the sdfix tutorial again. When I clicked the sdfix icon on the desktop, Avira flagged an APPR/....., which I ignored, and I installed sdfix. Then I ran it from C:\sdfix\ and a blue screen appeared with several options, 1,2,3,4,A,B,C,..U= download updated sdfix. I used this option; it downloaded sdfix, I couldn't find out where to, and it opened a text page in Notepad, and once that was closed nothing else appeared. So I decided to shut the PC down and turn it back on, and Windows got past the password-protected user and stays stuck on the screensaver; it no longer loads the desktop, it just stays there, and I don't know what happened. I'm getting worried...

PS: XP logs in with a guest user and loads everything normally, but when I try to open something it gets slow or freezes...

I hope for help...

Power Max, posted December 18, 2009

> Antonio, I went back to the sdfix tutorial again. When I clicked the sdfix icon on the desktop, Avira flagged an APPR/....., which I ignored, and I installed sdfix. Then I ran it from C:\sdfix\ and a blue screen appeared with several options, 1,2,3,4,A,B,C,..U= download updated sdfix

Ah yes, this problem occurred because you ran Sdfix in Windows Normal Mode. It only accepts being run in Safe Mode. Restart the computer in Safe Mode (press the F8 key repeatedly, or F5 in some cases, during startup) and select the Safe Mode option ("Modo Seguro" or "Modo de Segurança") on the dark screen that appears. Then just run Sdfix following the steps in that tutorial I gave you, and post the new logs so they can be analyzed.
________________________________________

> and Windows got past the password-protected user and stays stuck on the screensaver; it no longer loads the desktop, it just stays there, and I don't know what happened. I'm getting worried...

Even if the desktop is not appearing, do the following: press Ctrl + Alt + Delete (Del) (press the three keys at the same time) and click the menu: File - Run new task... - type: explorer.exe and click OK or press Enter. Check whether your desktop goes back to normal.

D@vid, posted December 18, 2009

explore.exe was already loaded among the processes, but I ran it again and it did not restore the desktop. I can't get into Safe Mode; I made several attempts, but there's no way. I think I'll need other tools!! Please.. I'll be waiting!!

D@vid, posted December 18, 2009

Without the desktop working, I managed to run Norman, and during the scan it froze while analyzing these addresses: C:\windows\system32\winlogon.exe and C:\windows\system32\hmpkiig.dll!0x026a0000. Avira was flagging this file (hmpkiig.dll) as infected with TR/Crypt.xpack.gen before I used Sdfix and the desktop stopped working. I'll be waiting!!

Power Max, posted December 18, 2009

> I can't get into Safe Mode; I made several attempts, but there's no way.

To restore Safe Mode, follow the tip in the tutorial below: Tools to repair Windows Safe Mode

After that, try using Sdfix again and post its log.

D@vid, posted December 19, 2009

Neither of the two tools restored Safe Mode. It starts loading the Windows files, but the PC restarts in the middle of loading the Windows files. I only have access to Task Manager via Ctrl+Alt+Del. And the file kohboq.exe is loaded among the processes; what could it be? It doesn't seem to belong to the system. Is there no way to disable SDfix so that the desktop can come back? explorer.exe is loaded with a size of about 15 Mb, but it seems something is keeping it hidden. I am posting these reports from another PC, and I badly need to recover that PC, because I use it a lot day to day to access banks, and it is the only one that is authorized. If you have a faster means of contact such as Skype, MSN or email, tell me how to send you mine, more privately if you prefer. Sorry for the trouble, but I would rather not format this machine. I hope for help!!! David!!!

D@vid, posted December 21, 2009

Hello Antonio!! I don't know if I did the right thing, but since it was the weekend and I will badly need this machine on Monday to sort out my banking, as it is the only authorized PC, I decided to take the HD out of the PC and installed it at my house, where I have a PC very similar to the one with the problem. I ran AVIRA, NOD32 online, BitDefender online and Mbam; several pieces of malware were removed. Afterwards I disabled my own HD and rebooted from the other one, trying to see whether it would load XP, but it did not. I booted from the XP installation CD and repaired the XP installation successfully, but the reinstallation and configuration of the new XP could not complete a few times, it kept restarting, and I even ended up installing a 2nd XP, so now I have 2 XPs on the PC. Finally, I am going to return the HD to its own PC, try to complete the installation of the XP I was using before, then remove the other installation and see whether everything goes back to normal. Below are the logs of the malware removed. On the new machine, the HD took drive letter (F:).

Avira AntiVir Personal
Report file date: sábado, 19 de dezembro de 2009 18:03

Scanning for 1458162 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : David_Sandra
Computer name : DAVID

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 2/12/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 13/10/2009 13:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/2/2009 12:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/2/2009 13:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/2/2009 12:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 6/11/2009 09:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19/11/2009 00:05:06
VBASE002.VDF : 7.10.1.1 2048 Bytes 19/11/2009 00:05:07
VBASE003.VDF : 7.10.1.2 2048 Bytes 19/11/2009 00:05:07
VBASE004.VDF : 7.10.1.3 2048 Bytes 19/11/2009 00:05:07
VBASE005.VDF : 7.10.1.4 2048 Bytes 19/11/2009 00:05:07
VBASE006.VDF : 7.10.1.5 2048 Bytes 19/11/2009 00:05:08
VBASE007.VDF : 7.10.1.6 2048 Bytes 19/11/2009 00:05:08
VBASE008.VDF : 7.10.1.7 2048 Bytes 19/11/2009 00:05:08
VBASE009.VDF : 7.10.1.8 2048 Bytes 19/11/2009 00:05:08
VBASE010.VDF : 7.10.1.9 2048 Bytes 19/11/2009 00:05:09
VBASE011.VDF : 7.10.1.10 2048 Bytes 19/11/2009 00:05:09
VBASE012.VDF : 7.10.1.11 2048 Bytes 19/11/2009 00:05:09
VBASE013.VDF : 7.10.1.79 209920 Bytes 25/11/2009 00:05:11
VBASE014.VDF : 7.10.1.128 197632 Bytes 30/11/2009 00:04:28
VBASE015.VDF : 7.10.1.178 195584 Bytes 7/12/2009 01:12:42
VBASE016.VDF : 7.10.1.224 183296 Bytes 14/12/2009 01:04:25
VBASE017.VDF : 7.10.1.247 182272 Bytes 15/12/2009 01:04:39
VBASE018.VDF : 7.10.1.248 2048 Bytes 15/12/2009 01:04:40
VBASE019.VDF : 7.10.1.249 2048 Bytes 15/12/2009 01:04:40
VBASE020.VDF : 7.10.1.250 2048 Bytes 15/12/2009 01:04:40
VBASE021.VDF : 7.10.1.251 2048 Bytes 15/12/2009 01:04:40
VBASE022.VDF : 7.10.1.252 2048 Bytes 15/12/2009 01:04:41
VBASE023.VDF : 7.10.1.253 2048 Bytes 15/12/2009 01:04:41
VBASE024.VDF : 7.10.1.254 2048 Bytes 15/12/2009 01:04:41
VBASE025.VDF : 7.10.1.255 2048 Bytes 15/12/2009 01:04:41
VBASE026.VDF : 7.10.2.0 2048 Bytes 15/12/2009 01:04:41
VBASE027.VDF : 7.10.2.1 2048 Bytes 15/12/2009 01:04:42
VBASE028.VDF : 7.10.2.2 2048 Bytes 15/12/2009 01:04:42
VBASE029.VDF : 7.10.2.3 2048 Bytes 15/12/2009 01:04:42
VBASE030.VDF : 7.10.2.4 2048 Bytes 15/12/2009 01:04:42
VBASE031.VDF : 7.10.2.22 173568 Bytes 18/12/2009 01:04:38
Engineversion : 8.2.1.114
AEVDF.DLL : 8.1.1.2 106867 Bytes 8/11/2009 09:38:52
AESCRIPT.DLL : 8.1.3.3 586106 Bytes 17/12/2009 01:04:46
AESCN.DLL : 8.1.3.0 127348 Bytes 13/12/2009 01:04:22
AESBX.DLL : 8.1.1.1 246132 Bytes 8/11/2009 09:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 1/12/2009 00:05:24
AEPACK.DLL : 8.2.0.3 422261 Bytes 8/11/2009 09:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 8/11/2009 09:38:38
AEHEUR.DLL : 8.1.0.186 2183544 Bytes 8/12/2009 01:12:53
AEHELP.DLL : 8.1.9.0 237943 Bytes 17/12/2009 01:04:44
AEGEN.DLL : 8.1.1.81 369014 Bytes 17/12/2009 01:04:42
AEEMU.DLL : 8.1.1.0 393587 Bytes 8/11/2009 09:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 13/12/2009 01:04:21
AEBB.DLL : 8.1.0.3 53618 Bytes 8/11/2009 09:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 10:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 26/8/2009 17:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 20/1/2009 16:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 5/12/2008 12:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/3/2009 17:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/1/2009 12:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/1/2009 17:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 10:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 5/12/2008 12:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 15/5/2009 17:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 13/10/2009 14:25:47

Configuration settings for the scan:
Jobname.............................: ShlExt
Configuration file..................: C:\DOCUME~1\DAVID_~1\CONFIG~1\Temp\674eb064.avp
Logging.............................: low
Primary action......................: repair
Secondary action....................: delete
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: F:,
Process scan........................: off
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Deviating archive types.............: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: sábado, 19 de dezembro de 2009 18:03

Starting the file scan:

Begin scan in 'F:\' <DAVID ADM>
F:\l2mfix.exe
    [DETECTION] Contains recognition pattern of the SPR/Tool.722 program
    --> l2mfix/restart.exe
    [DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
    [NOTE] A backup was created as '4b9a31d9.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
F:\Arquivos de programas\DAP\Updates\Condition.dll
    [WARNING] The file could not be opened!
F:\David\install.exe
    [WARNING] The file could not be opened!
F:\RECYCLER\S-1-5-21-2025429265-2052111302-839522115-1003\Dc134.exe
    [WARNING] The file could not be opened!
F:\RECYCLER\S-1-5-21-2025429265-2052111302-839522115-1003\Dc140.exe
    [WARNING] The file could not be opened!
F:\RECYCLER\S-1-5-21-2025429265-2052111302-839522115-1003\Dc107\Portable Windows XP Live USB Edition\bartpe\I386\SYSTEM32\CALC.EXE
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE] A backup was created as '4b7936bd.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
F:\RECYCLER\S-1-5-21-2025429265-2052111302-839522115-1003\Dc107\Portable Windows XP Live USB Edition\bartpe\I386\SYSTEM32\RUNDLL32.EXE
    [DETECTION] Is the TR/Trash.Gen Trojan
    [NOTE] A backup was created as '4b7b36da.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
F:\WINDOWS\system32\hmpkiig.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] A backup was created as '4b9d3899.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
F:\WINDOWS\system32\restart.exe
    [DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
    [NOTE] A backup was created as '4ba038a3.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
F:\WINDOWS\system32\tdlcmd.dll
    [DETECTION] Is the TR/Vundo.Gen Trojan
    [NOTE] A backup was created as '4b9938a6.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
F:\WINDOWS\system32\drivers\atapi.sys
    [DETECTION] Is the TR/Patched.Gen Trojan
    [NOTE] A backup was created as '4b8e38d2.qua' ( QUARANTINE )
    [NOTE] The file was deleted!
F:\WINDOWS\Temp\tqbv.tmp
    [DETECTION] Contains recognition pattern of the WORM/SdBot.113664.1 worm
    [NOTE] A backup was created as '4b8f38e1.qua' ( QUARANTINE )
    [NOTE] The file was deleted!

End of the scan: sábado, 19 de dezembro de 2009 18:32
Used time: 29:02 Minute(s)

The scan has been done completely.

5448 Scanned directories
357206 Files were scanned
9 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
8 files were deleted
0 Viruses and unwanted programs were repaired
8 Files were moved to quarantine
0 Files were renamed
4 Files cannot be scanned
357193 Files not concerned
1537 Archives were scanned
4 Warnings
8 Notes

-----------------------------------------------------------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dcd48fe9bed9614296f188be1fa6355f
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-20 01:59:10
# local_time=2009-12-19 11:59:10 (-0300, Horário brasileiro de verão)
# country="Brazil"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775125 100 94 0 32990277 4273 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=134992
# found=2
# cleaned=2
# scan_time=6196
F:\SDFix\apps\Process.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
F:\WINDOWS\system32\Process.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

----------------------------------------------------------------------------------------------

BIT Defender

[General]
App = "BitDefender Online Scanner v8"
Date = 20:12:2009
Time = 03:48:17
Scan Path = C:\;D:\;E:\;F:\;

[Engines Info]
Virus Definitions = 4752525
Engine build = "AVCORE v2.1 Windows/i386 11.0.0.33 (Nov 24 2009)"
Scan plugins = 17
Archive plugins = 44
Unpack plugins = 8
E-mail plugins = 6
System plugins = 4

[Scan Statistics]
Folders = 14389
Files = 891410
Archives = 45306
Packed files = 54938
Identified viruses = 12
Infected files = 17
Warnings = 0
Suspect files = 0
Disinfected files = 0
Deleted files = 17
Copied files = 0
Moved files = 0
Renamed files = 0
I/O Errors = 222

[Scan Settings]
SecondAction = Delete
FirstAction = Disinfect
Heuristics = 1
Enable Warnings = 1
Exclude Ext =
Extensions = *;
Scan Emails = 1
Scan Archives = 1
Scan Packed = 1
Scan Files = 1
Scan Boot = 1
Verify Memory = 0

[Scan Results]
Line00000041 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc3.Edition\I386\SYSTEM32\ACLUI.DLL Infected with: Trojan.Generic.1618691"
Line00000040 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc3.Edition\I386\SYSTEM32\ACLUI.DLL Deleted"
Line00000039 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso=>I386/SYSTEM32/ACLUI.DLL Infected with: Trojan.Generic.1618691"
Line00000038 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso=>I386/SYSTEM32/ACLUI.DLL Deleted"
Line00000037 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso Update failed"
Line00000036 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso=>I386/SYSTEM32/CLB.DLL Infected with: Gen:Trojan.Heur.amSfyeNTQWdi"
Line00000035 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso=>I386/SYSTEM32/CLB.DLL Disinfection failed"
Line00000034 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso=>I386/SYSTEM32/CLB.DLL Deleted"
Line00000033 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso Update failed"
Line00000032 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso=>I386/SYSTEM32/NOTEPAD.EXE Infected with: Trojan.Generic.2562059"
Line00000031 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso=>I386/SYSTEM32/NOTEPAD.EXE Deleted"
Line00000030 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso Update failed"
Line00000029 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso=>I386/SYSTEM32/WSOCK32.DLL Infected with: Trojan.Generic.2571627"
Line00000028 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso=>I386/SYSTEM32/WSOCK32.DLL Deleted"
Line00000027 = "C:\RECYCLER\S-1-5-21-515967899-884357618-1801674531-1003\Dc4.iso Update failed"
Line00000026 = "C:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP8\A0001339.DLL Infected with: Trojan.Generic.1618691"
Line00000025 = "C:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP8\A0001339.DLL Deleted"
Line00000024 = "D:\David\SOFTWARES\INSTALACAO\Pen drive\Portables_para_Técnicos_em_Manutenção\AVG AntiSpyware 7.5.0.50 - Portátil\avgas.exe Infected with: Trojan.Fujacks.Remnants.A"
Line00000023 = "D:\David\SOFTWARES\INSTALACAO\Pen drive\Portables_para_Técnicos_em_Manutenção\AVG AntiSpyware 7.5.0.50 - Portátil\avgas.exe Deleted"
Line00000022 = "D:\David\SOFTWARES\INSTALACAO\Serials_2v\serials2000.exe Infected with: Trojan.Generic.2197467"
Line00000021 = "D:\David\SOFTWARES\INSTALACAO\Serials_2v\serials2000.exe Deleted"
Line00000020 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP2\A0000003.exe Infected with: Dropped:Trojan.Generic.IS.590839" Line00000019 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP2\A0000003.exe Disinfection failed" Line00000018 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP2\A0000003.exe Deleted" Line00000017 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000335.exe Infected with: Backdoor.Bot.18029" Line00000016 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000335.exe Deleted" Line00000015 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000336.exe Infected with: Backdoor.Bot.77168" Line00000014 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000336.exe Deleted" Line00000013 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000337.exe Infected with: Backdoor.Bot.18029" Line00000012 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000337.exe Deleted" Line00000011 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP8\A0001340.exe Infected with: Trojan.Fujacks.Remnants.A" Line00000010 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP8\A0001340.exe Deleted" Line00000009 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP8\A0001341.exe Infected with: Trojan.Generic.2197467" Line00000008 = "D:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP8\A0001341.exe Deleted" Line00000007 = "F:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000328.exe Detected with: Application.Tool.722" Line00000006 = "F:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000328.exe Disinfection 
failed"
Line00000005 = "F:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000328.exe Deleted"
Line00000004 = "F:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000333.dll Infected with: Trojan.Generic.2801070"
Line00000003 = "F:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000333.dll Deleted"
Line00000002 = "F:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000334.sys Infected with: Rootkit.TDSS.AH"
Line00000001 = "F:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000334.sys Disinfection failed"
Line00000000 = "F:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000334.sys Deleted"

PS: I didn't post another HijackThis log because I'm on another PC (at home).

Thank you for your attention!!! Regards.
D@vid Posted December 21, 2009

Good afternoon, Antonio!!!

I managed to repair my XP, and so far it is working normally. I ran an Avira scan as soon as I started using it; it found some infections and deleted the files. The only remaining inconvenience is having 2 XPs on this HD, which has only one partition. Should I carry out some other procedure for safety and assurance? Or is it best to wait and see if anything else shows up? Thank you for your attention!!! Regards.

Avira and HijackThis logs:

Avira AntiVir Personal
Report file date: segunda-feira, 21 de dezembro de 2009 10:55
Scanning for 1460125 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DAVID
Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/aaaa 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/26/aaaa 12:34:12
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/aaaa 13:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/aaaa 14:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/aaaa 13:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/aaaa 12:45:51
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/aaaa 12:45:57
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/aaaa 12:45:58
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/aaaa 12:45:58
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/aaaa 12:45:58
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/aaaa 12:45:58
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/aaaa 12:45:58
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/aaaa 12:45:59
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/aaaa 12:45:59
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/aaaa 12:45:59
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/aaaa 12:45:59
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/aaaa 12:45:59
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/aaaa 12:46:00
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/aaaa 12:46:01
VBASE014.VDF : 7.10.1.128 197632
Bytes 11/30/aaaa 10:39:51 VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/aaaa 17:46:17 VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/aaaa 13:21:02 VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/aaaa 10:57:08 VBASE018.VDF : 7.10.1.248 2048 Bytes 12/15/aaaa 10:57:09 VBASE019.VDF : 7.10.1.249 2048 Bytes 12/15/aaaa 10:57:09 VBASE020.VDF : 7.10.1.250 2048 Bytes 12/15/aaaa 10:57:09 VBASE021.VDF : 7.10.1.251 2048 Bytes 12/15/aaaa 10:57:10 VBASE022.VDF : 7.10.1.252 2048 Bytes 12/15/aaaa 10:57:10 VBASE023.VDF : 7.10.1.253 2048 Bytes 12/15/aaaa 10:57:10 VBASE024.VDF : 7.10.1.254 2048 Bytes 12/15/aaaa 10:57:10 VBASE025.VDF : 7.10.1.255 2048 Bytes 12/15/aaaa 10:57:11 VBASE026.VDF : 7.10.2.0 2048 Bytes 12/15/aaaa 10:57:11 VBASE027.VDF : 7.10.2.1 2048 Bytes 12/15/aaaa 10:57:11 VBASE028.VDF : 7.10.2.2 2048 Bytes 12/15/aaaa 10:57:11 VBASE029.VDF : 7.10.2.3 2048 Bytes 12/15/aaaa 10:57:12 VBASE030.VDF : 7.10.2.4 2048 Bytes 12/15/aaaa 10:57:12 VBASE031.VDF : 7.10.2.27 198144 Bytes 12/21/aaaa 12:51:09 Engineversion : 8.2.1.114 AEVDF.DLL : 8.1.1.2 106867 Bytes 11/25/aaaa 12:46:18 AESCRIPT.DLL : 8.1.3.3 586106 Bytes 12/17/aaaa 10:57:16 AESCN.DLL : 8.1.3.0 127348 Bytes 12/11/aaaa 19:36:03 AESBX.DLL : 8.1.1.1 246132 Bytes 11/25/aaaa 12:46:19 AERDL.DLL : 8.1.3.4 479605 Bytes 12/1/aaaa 10:40:09 AEPACK.DLL : 8.2.0.3 422261 Bytes 11/25/aaaa 12:46:14 AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/aaaa 12:59:39 AEHEUR.DLL : 8.1.0.186 2183544 Bytes 12/7/aaaa 17:46:29 AEHELP.DLL : 8.1.9.0 237943 Bytes 12/17/aaaa 10:57:15 AEGEN.DLL : 8.1.1.81 369014 Bytes 12/17/aaaa 10:57:14 AEEMU.DLL : 8.1.1.0 393587 Bytes 11/25/aaaa 12:46:06 AECORE.DLL : 8.1.9.1 180598 Bytes 12/11/aaaa 19:36:03 AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/aaaa 17:32:40 AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/aaaa 11:47:59 AVPREF.DLL : 9.0.3.0 44289 Bytes 11/26/aaaa 12:34:12 AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/aaaa 17:34:28 AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/aaaa 13:32:09 AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/aaaa 18:05:41 AVEVTLOG.DLL : 
9.0.0.7 167169 Bytes 1/30/aaaa 13:37:08 SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/aaaa 18:03:49 SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/aaaa 11:21:33 NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/aaaa 13:32:10 RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/aaaa 18:39:58 RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/26/aaaa 12:34:12 Configuration settings for the scan: Jobname.............................: Complete system scan Configuration file..................: c:\arquivos de programas\avira\antivir desktop\sysscan.avp Logging.............................: low Primary action......................: repair Secondary action....................: delete Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: C:, Process scan........................: on Scan registry.......................: on Search for rootkits.................: on Integrity checking of system files..: off Scan all files......................: All files Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: medium Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR, Start of the scan: segunda-feira, 21 de dezembro de 2009 10:55 Starting search for hidden objects. '49433' objects were checked, '0' hidden objects were found. 
The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'java.exe' - '1' Module(s) have been scanned Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned Scan process 'wmiadap.exe' - '1' Module(s) have been scanned Scan process 'skypePM.exe' - '1' Module(s) have been scanned Scan process 'avnotify.exe' - '1' Module(s) have been scanned Scan process 'Skype.exe' - '1' Module(s) have been scanned Scan process 'DAP.exe' - '1' Module(s) have been scanned Scan process 'ADC.exe' - '1' Module(s) have been scanned Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned Scan process 'cbInterface.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'igfxpers.exe' - '1' Module(s) have been scanned Scan process 'hkcmd.exe' - '1' Module(s) have been scanned Scan process 'igfxtray.exe' - '1' Module(s) have been scanned Scan process 'Cobian.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'jusched.exe' - '1' Module(s) have been scanned Scan process 'OrderReminder.exe' - '1' Module(s) have been scanned Scan process 'msiexec.exe' - '1' Module(s) have been scanned Scan process 'msdtc.exe' - '1' Module(s) have been scanned Scan process 'wmiapsrv.exe' - '1' Module(s) have been scanned Scan process 'dllhost.exe' - '1' Module(s) have been scanned Scan process 'WgaTray.exe' - '1' Module(s) have been scanned Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'RichVideo.exe' - '1' Module(s) have been scanned Scan process 'MDM.EXE' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan 
process 'jqs.exe' - '1' Module(s) have been scanned Scan process 'gbpsv.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 47 processes with 47 modules were scanned Starting master boot sector scan: Master boot sector HD0 [iNFO] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [iNFO] No virus was found! Starting to scan executable files (registry). Catched Exception in SCAN_Registry ACCESS_VIOLATION EAX = 00000000 EBX = 00000000 ECX = 0000014C EDX = 00469224 ESI = 00469214 EDI = 00000000 EIP = 7C91B1FA EBP = 0249FCF8 ESP = 0249FC84 Flg = 00010246 CS = 00000023 SS = 0000001B Starting the file scan: Begin scan in 'C:\' <DAVID ADM> C:\pagefile.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning. C:\Documents and Settings\user\Dados de aplicativos\kohboq.exe [DETECTION] Contains recognition pattern of the WORM/SdBot.113664.1 worm [NOTE] A backup was created as '4b97769d.qua' ( QUARANTINE ) [WARNING] The file could not be deleted! [NOTE] Attempting to perform action using the ARK library. [NOTE] The file was deleted! 
C:\System Volume Information\_restore{72CFB27F-800A-4FCE-A029-333DFAD562A2}\RP1\A0000033.exe [DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program [NOTE] A backup was created as '4b5f79d5.qua' ( QUARANTINE ) [NOTE] The file was deleted! C:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000329.EXE [DETECTION] Is the TR/Trash.Gen Trojan [NOTE] A backup was created as '4b5f79e3.qua' ( QUARANTINE ) [NOTE] The file was deleted! C:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000330.EXE [DETECTION] Is the TR/Trash.Gen Trojan [NOTE] A backup was created as '48094904.qua' ( QUARANTINE ) [NOTE] The file was deleted! C:\System Volume Information\_restore{E434C68A-ECB1-4622-9653-ABB3CD1EC930}\RP7\A0000331.dll [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] A backup was created as '4b5f79e5.qua' ( QUARANTINE ) [NOTE] The file was deleted! End of the scan: segunda-feira, 21 de dezembro de 2009 11:51 Used time: 56:08 Minute(s) The scan has been done completely. 
6975 Scanned directories 414880 Files were scanned 6 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 5 files were deleted 0 Viruses and unwanted programs were repaired 6 Files were moved to quarantine 0 Files were renamed 1 Files cannot be scanned 414873 Files not concerned 2050 Archives were scanned 3 Warnings 6 Notes 49433 Objects were scanned with rootkit scan 0 Hidden objects were found -------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:19:32, on 21/12/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\ARQUIV~1\GbPlugin\GbpSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe C:\Arquivos de programas\Cobian Backup 9\Cobian.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe C:\Arquivos 
de programas\Cobian Backup 9\cbInterface.exe C:\Arquivos de programas\XemiComputers\Active Desktop Calendar\ADC.exe C:\Arquivos de programas\DAP\DAP.EXE C:\Arquivos de programas\Skype\Phone\Skype.exe C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\user\Meus documentos\My Completed Downloads\HiJackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows 
Live\WindowsLiveLogin.dll O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll O2 - BHO: (no name) - {DB665F73-0C24-4B0B-BB84-44A561FE12E5} - c:\windows\system32\hmpkiig.dll (file missing) O2 - BHO: Java Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\ARQUIV~1\DAP\DAPIEL~1.DLL O4 - HKLM\..\Run: [OrderReminder] C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [Cobian Backup 9] "C:\Arquivos de programas\Cobian Backup 9\Cobian.exe" O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [skyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Arquivos de programas\XemiComputers\Active Desktop Calendar\ADC.exe O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Arquivos de programas\DAP\DAP.EXE" /STARTUP O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [DOS2USB] C:\Arquivos de programas\DOS2USB\DOS2USB.exe O4 - HKUS\S-1-5-19\..\Run: 
[CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe (User 'Default user') O4 - Startup: setup_9.0.0.722_18.12.2009_16-47.lnk = C:\Documents and Settings\user\Desktop\Virus Removal Tool\setup_9.0.0.722_18.12.2009_16-47\startup.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Skype - {77bf5300-1474-4ec7-9980-d32b190e9b07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Pesquisar - 
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O11 - Options group: [java_sun] Java (Sun) O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab O17 - 
HKLM\System\CCS\Services\Tcpip\..\{15855B23-1630-4ED2-A003-E23A5B59F8EE}: NameServer = 200.204.0.10,200.204.0.138
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O20 - Winlogon Notify: gbvvcdqu - hmpkiig.dll (file missing)
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG Anti-Spyware Driver - Unknown owner - (no file)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - (no file)
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Atualizações Automáticas (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 11399 bytes
Power Max Posted December 21, 2009

Open HijackThis, click Do a system scan only, check the entries below and click Fix checked:

O2 - BHO: (no name) - {DB665F73-0C24-4B0B-BB84-44A561FE12E5} - c:\windows\system32\hmpkiig.dll (file missing)
O20 - Winlogon Notify: gbvvcdqu - hmpkiig.dll (file missing)
___________________________________
- Download the FixPolicies application below and save it to your desktop:
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe
Run the file FixPolicies.exe
A folder named FixPolicies will be created
Open this folder and run the file Fix Policies.cmd
At this point a command prompt window will open and close quickly; this is normal
If any error occurs, simply ignore it.
Restart the computer.
___________________________________
Also follow the tips in this tutorial: Panda Online Antivirus Tutorial
• Post this Panda Online log in your next reply, together with a new HijackThis log, and tell us how your PC is after these procedures.
• We'll be waiting.
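Both entries selected in the post above point at hmpkiig.dll, a file the Avira log earlier in the thread reports as detected and deleted. The following is an added example, not part of the original post: it cross-references HijackThis entries marked "(file missing)" with Avira detections to find autostart entries left behind after cleanup. The function names are hypothetical, and the Avira parser assumes the flattened single-line layout the logs have on this page.

```python
import re
from collections import namedtuple
from ntpath import basename  # Windows path rules on any host OS

Detection = namedtuple("Detection", "path signature deleted")
Entry = namedtuple("Entry", "section target missing")

# Excerpts copied from the HijackThis and Avira logs posted in this thread.
HIJACKTHIS_LINES = [
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {DB665F73-0C24-4B0B-BB84-44A561FE12E5} - c:\windows\system32\hmpkiig.dll (file missing)",
    r"O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll",
    r"O20 - Winlogon Notify: gbvvcdqu - hmpkiig.dll (file missing)",
    r"O23 - Service: AVG Anti-Spyware Guard - Unknown owner - (no file)",
]
AVIRA_BLOB = (
    r"F:\David\install.exe [WARNING] The file could not be opened! "
    r"F:\WINDOWS\system32\hmpkiig.dll [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan "
    r"[NOTE] A backup was created as '4b9d3899.qua' ( QUARANTINE ) [NOTE] The file was deleted! "
    r"F:\WINDOWS\system32\restart.exe [DETECTION] Contains recognition pattern of the "
    r"SPR/Tool.Hardoff.A program [NOTE] A backup was created as '4ba038a3.qua' "
    r"( QUARANTINE ) [NOTE] The file was deleted!"
)


def drive_less(path):
    """Lower-case a Windows path and drop the drive letter.

    The Avira scan in this thread ran with the disk mounted as F:, while
    HijackThis reports the same files under C:, so drive letters must not
    take part in the comparison.
    """
    return re.sub(r"^[a-z]:", "", path.strip().lower())


def parse_avira(blob):
    """Split a flattened Avira report into one record per scanned path."""
    detections = []
    # Every record starts with a drive-letter path such as F:\...
    for chunk in re.split(r"(?<![A-Za-z])(?=[A-Za-z]:\\)", blob):
        if "[DETECTION]" not in chunk:
            continue  # warnings such as "could not be opened" are not detections
        path = chunk.split(" [", 1)[0].strip()
        sig = re.search(r"[A-Z]+/[\w.]+", chunk.split("[DETECTION]", 1)[1])
        detections.append(Detection(path,
                                    sig.group(0) if sig else "?",
                                    "The file was deleted!" in chunk))
    return detections


def parse_hijackthis(lines):
    """Extract section, target file and the '(file missing)' flag.

    Only the last ' - ' separated field is treated as the target, which
    fits O2/O9/O20-O23 style lines; O4 Run entries use another layout.
    """
    entries = []
    for line in lines:
        m = re.match(r"^(O\d+) - (.+)$", line.strip())
        if not m:
            continue
        target = m.group(2).rsplit(" - ", 1)[-1]
        missing = target.endswith("(file missing)")
        target = target.replace("(file missing)", "").strip()
        entries.append(Entry(m.group(1), target, missing))
    return entries


def leftover_autostarts(hjt_lines, avira_blob):
    """Return (section, target, signature) for every orphaned entry.

    signature is None when no detection explains the missing file, which
    means the entry needs a manual look before it is removed.
    """
    detections = parse_avira(avira_blob)
    by_path = {drive_less(d.path): d for d in detections}
    by_name = {basename(drive_less(d.path)): d for d in detections}
    hits = []
    for e in parse_hijackthis(hjt_lines):
        if not e.missing:
            continue
        key = drive_less(e.target)
        # Bare file names (as in O20) can only be matched by base name.
        d = by_path.get(key) if "\\" in key else by_name.get(key)
        hits.append((e.section, e.target, d.signature if d else None))
    return hits


if __name__ == "__main__":
    for section, target, signature in leftover_autostarts(HIJACKTHIS_LINES, AVIRA_BLOB):
        print(section, target, signature or "no matching detection")
```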

D@vid 0 Posted December 22, 2009
So far, since yesterday, Avira has not reported any infection. Below are the requested logs. Thanks for your attention!!

;********************************************************************************
ANALYSIS: 2009-12-22 15:35:10
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 2
;********************************************************************************
PROTECTIONS
Description Version Active Updated
;================================================================================
AntiVir Desktop 9.0.1.32 Yes Yes
;================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\user\configurações locais\temp\cookies\user@atdmt[2].txt
00148914 Cookie/Tucows TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@tucows[2].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@yadro[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@xiti[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@ad.yieldmanager[2].txt
00170553 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@ig.com[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@overture[2].txt
00170557 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@terra.com[1].txt
00170559 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@uol.com[2].txt
00170559 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\user\configurações locais\temp\cookies\user@uol.com[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@questionmarket[2].txt
00209833 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\user\cookies\user@acesso.uol.com[2].txt
05139507 Generic Trojan Virus/Trojan No 0 No No c:\documents and settings\user\meus documentos\minhas músicas\my completed downloads\novo\powerdvd9ultra.exe[data1.cab][_40eae4b2cc4a4caaabda7bba3ae8f13d]
;================================================================================
SUSPECTS
Sent Location
;================================================================================
No c:\documents and settings\user\configurações locais\temporary internet files\content.ie5\rad76omv\sdfix[1].exe
No c:\system volume information\_restore{e434c68a-ecb1-4622-9653-abb3cd1ec930}\rp8\a0001457.exe
;================================================================================
VULNERABILITIES
Id Severity Description
;================================================================================
215938 HIGH MS09-072
215935 HIGH MS09-069
215048 HIGH MS09-065
214076 HIGH MS09-059
971486 HIGH MS09-058
214074 HIGH MS09-057
214073 HIGH MS09-056
214072 HIGH MS09-055
214071 HIGH MS09-054
213109 HIGH MS09-046
212494 HIGH MS09-042
212493 HIGH MS09-041
212490 HIGH MS09-038
212530 HIGH MS09-034
211784 HIGH MS09-032
211781 HIGH MS09-029
210625 HIGH MS09-026
210624 HIGH MS09-025
210621 HIGH MS09-022
210618 HIGH MS09-019
208380 HIGH MS09-015
208378 HIGH MS09-013
208377 HIGH MS09-012
206981 HIGH MS09-007
206980 HIGH MS09-006
204670 HIGH MS09-001
203505 HIGH MS08-071
202465 HIGH MS08-068
201683 HIGH MS08-067
201258 HIGH MS08-066
201256 HIGH MS08-064
201255 HIGH MS08-063
201253 HIGH MS08-061
209275 HIGH MS08-049
196455 MEDIUM MS08-037
194862 HIGH MS08-032
194860 HIGH MS08-030
;================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:44:27, on 22/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Cobian Backup 9\Cobian.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Arquivos de programas\Cobian Backup 9\cbInterface.exe
C:\Arquivos de programas\DAP\DAP.EXE
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\user\Meus documentos\My Completed Downloads\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\ARQUIV~1\DAP\DAPIEL~1.DLL
O4 - HKLM\..\Run: [OrderReminder] C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Cobian Backup 9] "C:\Arquivos de programas\Cobian Backup 9\Cobian.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Arquivos de programas\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Arquivos de programas\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DOS2USB] C:\Arquivos de programas\DOS2USB\DOS2USB.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77bf5300-1474-4ec7-9980-d32b190e9b07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15855B23-1630-4ED2-A003-E23A5B59F8EE}: NameServer = 200.204.0.10,200.204.0.138
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG Anti-Spyware Driver - Unknown owner - (no file)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - (no file)
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Atualizações Automáticas (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 11128 bytes

Power Max 54 Posted December 23, 2009
Look for the file highlighted in red below and delete it:
c:\documents and settings\user\meus documentos\minhas músicas\my completed downloads\novo\powerdvd9ultra.exe
____________________________________
Download the application below and save it to your desktop:
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe
* Run the file FixPolicies.exe
* A folder named FixPolicies will be created
* Open this folder and run the file Fix Policies.cmd
* At this point a command prompt window will open and close quickly; this is normal
* If any error occurs, simply ignore it
* Restart the computer.
________________________________
Also follow the tips in this tutorial: OneCare Online Antivirus Tutorial
In your next reply, post a new HijackThis log and kindly tell us whether any problem was removed by OneCare Online and how the PC is afterwards.
We'll be waiting.

D@vid 0 Posted January 5, 2010
Hello Antonio. A great 2010 to you and to all the forum's contributors. OneCare Online found no viruses or spyware; it detected 890 MB of temporary files and 22% fragmentation on the hard drive, and corrected them. I await any further tips that may be needed. Thanks for your attention!! As requested, the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:47:00, on 5/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Cobian Backup 9\Cobian.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Arquivos de programas\Cobian Backup 9\cbInterface.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\DAP\DAP.EXE
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Meus documentos\My Completed Downloads\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\ARQUIV~1\DAP\DAPIEL~1.DLL
O4 - HKLM\..\Run: [OrderReminder] C:\Arquivos de programas\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Cobian Backup 9] "C:\Arquivos de programas\Cobian Backup 9\Cobian.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Arquivos de programas\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Arquivos de programas\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067a26b-1337-4436-8afe-ee169c2da79f} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77bf5300-1474-4ec7-9980-d32b190e9b07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15855B23-1630-4ED2-A003-E23A5B59F8EE}: NameServer = 200.204.0.10,200.204.0.138
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG Anti-Spyware Driver - Unknown owner - (no file)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - (no file)
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Atualizações Automáticas (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 11275 bytes

Power Max 54 Posted January 5, 2010
:) Hello David! Happy 2010 to you too. How is your PC at the moment?

D@vid 0 Posted January 7, 2010
Hello Antonio. Yesterday I deleted the Windows folder of the 2nd installation, and so far the PC is working normally; Avira has not reported any infection, everything is normal. I think we have solved the problems, for now. Thanks for your attention!!! David.

Power Max 54 Posted January 7, 2010
"Hello Antonio. Yesterday I deleted the Windows folder of the 2nd installation, and so far the PC is working normally; Avira has not reported any infection, everything is normal. I think we have solved the problems, for now. Thanks for your attention!!!"
:) We are glad the problems were resolved. To complete the cleanup, please do the following:
Follow the tips in this tutorial to do a cleanup with Tools Cleaner: ToolsCleaner Tutorial
________________________________
Install these programs and use them now and weekly to clean up your PC and keep it more efficient and optimized:
CCleaner
MV RegClean
MV AntiSpy
Auslogics Disk Defrag
SpywareBlaster
________________________________
To keep the problems from coming back, turn System Restore off and on again. To do this, go to the menu: Start - Control Panel - System - click the tab: System Restore - check the box: Turn off System Restore - click the Apply button and then the OK button.
After that, go back to the same place: Start - Control Panel - System - click the tab: System Restore - uncheck the box: Turn off System Restore - click the Apply button and then the OK button.
________________________________
:) It was a pleasure to help. You can always count on us!

Power Max 54 Posted January 7, 2010
PROBLEM SOLVED! If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.