
Archived

This topic has been archived and is closed to new replies.

visitante_xp

[Solved!] Worm/Trojan/SkyNet


Hey folks...

 

I'm having problems with some worms, a trojan and even some cookies...

 

It's making browser windows open on their own, and my USB isn't reading anymore... (some devices)

 

Please analyze...

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:26:16, on 7/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe
C:\Arquivos de programas\AVG\AVG9\avgrsx.exe
C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\AVG\AVG9\avgnsx.exe
C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Arquivos de programas\Intel\Wireless\bin\ZCfgSvc.exe
C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe
C:\Arquivos de programas\Intel\Wireless\Bin\EOUWiz.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\ARQUIV~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abacos.inf.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.50:3128
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Arquivos de programas\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Arquivos de programas\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\adm04\CONFIG~1\Temp\herss.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://crmontesinai.ddns.com.br/cab/OCXChecker_6110.cab
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://crmontesinai.ddns.com.br/cab/DownloadFile_7000.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = abacos
O17 - HKLM\Software\..\Telephony: DomainName = abacos
O17 - HKLM\System\CCS\Services\Tcpip\..\{6856452D-2FF5-4B4F-81E9-008054ED107F}: NameServer = 192.168.0.50,192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = abacos
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Squid - Unknown owner - C:\squid\sbin\squid.exe (file missing)
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe

--
End of file - 8334 bytes

 

I hope I did it right...

 

Cheers!!!

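The HijackThis log above is what the helpers in this thread read by eye. As an added example (not code from this thread and not part of HijackThis), the Python script below parses the O4, O17 and O23 entry types from such a log and flags the three patterns that stand out in it: a Run-key autorun launched from a Temp folder (the `cdoosoft` entry), NameServer values outside private address space (the 85.255.112.x pair), and a service whose binary HijackThis marks as "(file missing)". The sample lines are copied from the log above; a flag is a triage signal to look at, not a verdict, since a public resolver can be legitimate and a missing service binary is often just an uninstalled product.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not code from this thread and not part of HijackThis itself.
It understands three entry types and flags what a responder looks at first:
  O4  - Run-key autoruns whose command lives under a Temp or RECYCLER folder
  O17 - TCP/IP NameServer values outside private (RFC 1918) address space
  O23 - services whose binary HijackThis reports as "(file missing)"
"""
import ipaddress
import re

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\adm04\CONFIG~1\Temp\herss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6856452D-2FF5-4B4F-81E9-008054ED107F}: NameServer = 192.168.0.50,192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = abacos
O23 - Service: Squid - Unknown owner - C:\squid\sbin\squid.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
"""

# "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O17 - <registry key>: <setting> = <value>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<setting>\w+) = (?P<value>.*)$")
O23_PREFIX = "O23 - Service: "

# Directories a legitimate autorun almost never launches from (lower-case).
SUSPICIOUS_DIRS = ("\\temp\\", "\\recycler\\")


def parse_hjt(text):
    """Return a list of (entry_type, fields) for the O4/O17/O23 lines in text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                entries.append(("O4", m.groupdict()))
        elif line.startswith("O17 - "):
            m = O17_RE.match(line)
            if m:
                entries.append(("O17", m.groupdict()))
        elif line.startswith(O23_PREFIX):
            # "<name> - <owner> - <path>": split from the right because the
            # service name itself may contain " - ".
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3:
                name, owner, path = parts
                entries.append(("O23", {"name": name, "owner": owner.strip(), "path": path}))
    return entries


def triage(text):
    """Return a list of (finding, subject, detail) tuples, in log order."""
    findings = []
    for kind, f in parse_hjt(text):
        if kind == "O4":
            cmd = f["cmd"].strip('"').lower()
            if any(d in cmd for d in SUSPICIOUS_DIRS):
                findings.append(("autorun-from-temp", f["name"], f["cmd"]))
        elif kind == "O17" and f["setting"] == "NameServer":
            for ip in f["value"].split(","):
                ip = ip.strip()
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    findings.append(("dns-unparseable", f["key"], ip))
                    continue
                if not addr.is_private:
                    findings.append(("dns-public-nameserver", f["key"], ip))
        elif kind == "O23" and f["path"].endswith("(file missing)"):
            findings.append(("service-binary-missing", f["name"], f["path"]))
    return findings


if __name__ == "__main__":
    for finding, subject, detail in triage(SAMPLE_LOG):
        print(f"{finding:24} {subject:45} {detail}")
```

Run against the sample it reports four findings: the Temp-folder autorun, both public name servers, and the Squid service with no binary. Feeding it a whole saved HijackThis log works the same way, since lines it does not understand are simply skipped.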

Good afternoon A.H.P

 

 

1.

*Download USBFix and save it to the desktop

*Temporarily disable your antivirus

*Plug the flash drive into the PC and do not remove it until I ask!

*Double-click UsbFix

*Press P > [ENTER]

*Press 1 > [ENTER] and wait for it to finish

*Paste the report created at C:\UsbFix.txt

 

There is a Wareout infection as well.... we'll deal with that later.


Gosh, just out of curiosity I tried plugging the flash drive into the PC and it worked, worked perfectly...

 

It just doesn't recognize my mp4 player... :/

 

Well, I followed the instructions... now what?


############################## | UsbFix V6.059 |

 

User : adm04 () # LEANDRO

Update on 01/12/2009 by Chiquitine29, C_XX & Chimay8

Start at: 16:06:56 | 7/12/2009

Website : http://pagesperso-orange.fr/NosTools/index.html

Contact : FindyKill.Contact@gmail.com

 

Intel® Celeron® M processor 1.30GHz

Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3

Internet Explorer 8.0.6001.18702

Windows Firewall Status : Enabled

 

C:\ -> Disco fixo local # 37,25 Go (24,71 Go free) # NTFS

D:\ -> Disco CD-ROM

 

############################## | Processos activos |

 

C:\WINDOWS\System32\smss.exe 540

C:\WINDOWS\system32\csrss.exe 604

C:\WINDOWS\system32\winlogon.exe 628

C:\WINDOWS\system32\services.exe 672

C:\WINDOWS\system32\lsass.exe 684

C:\WINDOWS\system32\svchost.exe 848

C:\WINDOWS\system32\svchost.exe 944

C:\WINDOWS\System32\svchost.exe 1036

C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe 1076

C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe 1116

C:\WINDOWS\system32\svchost.exe 1224

C:\WINDOWS\system32\svchost.exe 1364

C:\WINDOWS\system32\spoolsv.exe 1668

C:\Arquivos de programas\Bonjour\mDNSResponder.exe 2036

C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe 208

C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe 364

C:\WINDOWS\system32\slserv.exe 476

C:\WINDOWS\system32\svchost.exe 648

C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe 2168

C:\WINDOWS\System32\alg.exe 2284

C:\WINDOWS\Explorer.EXE 2644

C:\WINDOWS\system32\VTtrayp.exe 2872

C:\WINDOWS\system32\VTTimer.exe 2880

C:\Arquivos de programas\Intel\Wireless\bin\ZCfgSvc.exe 2888

C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe 2896

C:\Arquivos de programas\Intel\Wireless\Bin\EOUWiz.exe 2904

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe 2912

C:\WINDOWS\SOUNDMAN.EXE 2936

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe 2944

C:\WINDOWS\system32\ctfmon.exe 3020

C:\Arquivos de programas\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe 2688

C:\Arquivos de programas\Internet Explorer\iexplore.exe 2784

C:\Arquivos de programas\Internet Explorer\iexplore.exe 3144

C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe 1008

C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe 4016

C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe 3336

C:\Arquivos de programas\AVG\AVG9\avgnsx.exe 2796

C:\Arquivos de programas\AVG\AVG9\avgrsx.exe 2544

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe 2924

C:\WINDOWS\system32\wbem\wmiprvse.exe 3672

 

################## | Ficheiros # pastas infeciosos |

 

C:\WINDOWS\System32\Temp.exe

C:\DOCUME~1\adm04\CONFIG~1\Temp\140.exe

C:\DOCUME~1\adm04\CONFIG~1\Temp\cvasds0.dll

C:\DOCUME~1\adm04\CONFIG~1\Temp\cvasds1.dll

C:\DOCUME~1\adm04\CONFIG~1\Temp\herss.exe

C:\autorun.inf

C:\autorun.inf -> ficheiro chamado : "C:\xmor.exe" ( Presente ! )

 

################## | Spyware.OnlineGames |

 

C:\mbvd.exe

C:\xmor.exe

 

################## | Registro # Chaves infectieuses |

 

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "cdoosoft"

[HKLM\SOFTWARE\Classes\CLSID\MADOWN]

[HKCR\CLSID\MADOWN]

[HKLM\software\microsoft\shared tools\msconfig\startupreg\cdoosoft]

[HKLM\software\microsoft\windows nt\currentversion\winlogon] "Taskman"

 

################## | Registro # Mountpoints2 |

 

HKCU\..\..\Explorer\MountPoints2\{026f5b60-ae4a-11dc-ad0c-806d6172696f}

Shell\AutoRun\command =C:\mbvd.exe

Shell\open\Command =C:\mbvd.exe

 

################## | Cracks / Keygens / Serials |

 

"C:\Arquivos de programas\Adobe\Adobe Dreamweaver CS4\Adobe_Dreamweaver_CS4_DownloadTotal\Adobe.Dreamweaver.CS4_bY_downloadtotal.nireblog.com\Keygen.exe"

21/04/2007 03:11 |Size 53760 |Crc32 ba4fddcc |Md5 169d11dec220edc1831b01f3a733c8d1

 

 

################## | ! Fim do relatório # UsbFix V6.059 ! |

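The UsbFix report above shows the two pieces of this infection that ride on removable media: an autorun.inf in the drive root that names an executable (C:\xmor.exe), and MountPoints2 entries that launch C:\mbvd.exe when the drive is opened. As an added example (not code from this thread and not part of UsbFix), the Python below is a tolerant reader for autorun.inf files that extracts only the keys that cause something to run, plus the "vaccination" check that the report's later "Folder criado por UsbFix" line refers to: occupying the autorun.inf name with a directory so a worm cannot write its file there. The sample autorun.inf is constructed to match what the report describes; the vaccination here is the plain folder trick only, without the attribute and sub-entry hardening real tools add.

```python
"""Autorun.inf reader and drive-root vaccination check.

Added example: not code from this thread and not part of UsbFix. A worm's
autorun.inf is often padded with junk lines and odd casing, so the reader is
deliberately tolerant instead of using configparser.
"""
import os
import tempfile

# Keys of the [autorun] section that make Explorer launch a file (lower-case).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\autorun\\command", "shell\\open\\command")

# Constructed sample modelled on the report above, which ties the drive-root
# autorun.inf to C:\xmor.exe. The first line is the kind of junk worms prepend.
SAMPLE_AUTORUN_INF = """\
;;;;kjsdhf2 junk line
[AutoRun]
open=xmor.exe
shell\\open\\Command=xmor.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section with keys lower-cased.
    Blank lines, ';' comments, other sections and lines without '=' are skipped."""
    section = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            section[key.strip().lower()] = value.strip()
    return section


def launch_targets(text):
    """Return only the keys whose value is something Explorer would execute."""
    section = parse_autorun(text)
    return {k: section[k] for k in LAUNCH_KEYS if k in section}


def is_vaccinated(drive_root):
    """True when <drive_root>\\autorun.inf exists and is a directory, not a file."""
    return os.path.isdir(os.path.join(drive_root, "autorun.inf"))


def vaccinate(drive_root):
    """Occupy the autorun.inf name with a directory. Returns True when the root
    is vaccinated afterwards; False if a file already holds the name (that file
    should be examined and removed first, as UsbFix does)."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isfile(path):
        return False
    os.makedirs(path, exist_ok=True)
    return os.path.isdir(path)


def demo_vaccination():
    """Exercise the check on a temporary directory standing in for a drive root.
    Returns (vaccinated_before, vaccinated_after)."""
    root = tempfile.mkdtemp(prefix="fakeusb_")
    before = is_vaccinated(root)
    vaccinate(root)
    return before, is_vaccinated(root)


if __name__ == "__main__":
    print("launch targets:", launch_targets(SAMPLE_AUTORUN_INF))
    print("vaccination (before, after):", demo_vaccination())
```

The reader reports `open` and `shell\open\command` both pointing at xmor.exe, which is the same relationship the report states, while the icon and action keys that merely dress up the drive are ignored. The vaccination check is a reasonable post-cleanup verification for a removable drive; it does not undo an autorun that is already registered under MountPoints2, which is why the report lists those keys separately.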

Keep the flash drive plugged in!!

 

 

*Double-click UsbFix

*Press P > [ENTER]

*Press 2 > [ENTER] and wait for it to finish

*Paste the report created at C:\UsbFix.txt


Here it is...

 

 

############################## | UsbFix V6.059 |

 

User : adm04 () # LEANDRO

Update on 01/12/2009 by Chiquitine29, C_XX & Chimay8

Start at: 16:43:30 | 7/12/2009

Website : http://pagesperso-orange.fr/NosTools/index.html

Contact : FindyKill.Contact@gmail.com

 

Intel® Celeron® M processor 1.30GHz

Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3

Internet Explorer 8.0.6001.18702

Windows Firewall Status : Enabled

 

C:\ -> Disco fixo local # 37,25 Go (24,71 Go free) # NTFS

D:\ -> Disco CD-ROM

 

############################## | Processos activos |

 

C:\WINDOWS\System32\smss.exe 540

C:\WINDOWS\system32\csrss.exe 604

C:\WINDOWS\system32\winlogon.exe 628

C:\WINDOWS\system32\services.exe 672

C:\WINDOWS\system32\lsass.exe 684

C:\WINDOWS\system32\svchost.exe 848

C:\WINDOWS\system32\svchost.exe 944

C:\WINDOWS\System32\svchost.exe 1044

C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe 1076

C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe 1120

C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe 1152

C:\Arquivos de programas\AVG\AVG9\avgrsx.exe 1160

C:\WINDOWS\system32\svchost.exe 1224

C:\WINDOWS\system32\svchost.exe 1404

C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe 1468

C:\WINDOWS\system32\spoolsv.exe 1668

C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe 2020

C:\Arquivos de programas\Bonjour\mDNSResponder.exe 2044

C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe 216

C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe 372

C:\WINDOWS\system32\slserv.exe 588

C:\WINDOWS\system32\svchost.exe 864

C:\Arquivos de programas\AVG\AVG9\avgnsx.exe 1216

C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe 2144

C:\WINDOWS\System32\alg.exe 2280

C:\WINDOWS\system32\userinit.exe 2512

C:\WINDOWS\system32\userinit.exe 2628

C:\WINDOWS\Explorer.EXE 2696

C:\WINDOWS\system32\wbem\wmiprvse.exe 2896

C:\WINDOWS\system32\wuauclt.exe 3072

 

################## | Ficheiros # pastas infeciosos |

 

Supprimido ! C:\WINDOWS\System32\Temp.exe

Supprimido ! C:\DOCUME~1\adm04\CONFIG~1\Temp\140.exe

Supprimido ! C:\DOCUME~1\adm04\CONFIG~1\Temp\cvasds0.dll

Supprimido ! C:\DOCUME~1\adm04\CONFIG~1\Temp\cvasds1.dll

Supprimido ! C:\DOCUME~1\adm04\CONFIG~1\Temp\herss.exe

C:\autorun.inf -> ficheiro chamado : "C:\xmor.exe" ( Presente ! )

Supprimido ! C:\xmor.exe

Supprimido ! C:\autorun.inf

 

################## | Spyware.OnlineGames |

 

Supprimido ! C:\mbvd.exe

 

################## | Registro # Chaves infectieuses |

 

Supprimido ! [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "cdoosoft"

Supprimido ! [HKLM\SOFTWARE\Classes\CLSID\MADOWN]

Supprimido ! [HKLM\software\microsoft\shared tools\msconfig\startupreg\cdoosoft]

 

################## | Registro # Mountpoints2 |

 

 

################## | Listing |

 

[19/12/2007 17:19|--a------|0] C:\AUTOEXEC.BAT

[02/12/2009 09:59|---hs----|211] C:\boot.ini

[28/10/2001 16:06|-rahs----|4952] C:\Bootfont.bin

[19/12/2007 17:19|--a------|0] C:\CONFIG.001

[03/04/2009 15:46|--a------|2982] C:\CONFIG.SYS

[19/12/2007 17:19|-rahs----|0] C:\IO.SYS

[19/12/2007 17:19|-rahs----|0] C:\MSDOS.SYS

[03/08/2004 23:38|-rahs----|47564] C:\NTDETECT.COM

[03/01/2009 20:16|-rahs----|251696] C:\ntldr

[?|?|?] C:\pagefile.sys

[07/12/2009 16:48|--a------|3293] C:\UsbFix.txt

 

################## | Vaccinação |

 

# C:\autorun.inf -> Folder criado por UsbFix.

 

################## | Cracks / Keygens / Serials |

 

"C:\Arquivos de programas\Adobe\Adobe Dreamweaver CS4\Adobe_Dreamweaver_CS4_DownloadTotal\Adobe.Dreamweaver.CS4_bY_downloadtotal.nireblog.com\Keygen.exe"

21/04/2007 03:11 |Size 53760 |Crc32 ba4fddcc |Md5 169d11dec220edc1831b01f3a733c8d1

 

 

################## | Upload |

 

Favor enviar o arquivo : C:\DOCUME~1\adm04\Desktop\UsbFix_Upload_Me_ABACOS.zip : http://chiquitine.changelog.fr/Sample/Upload.php

Obrigado pela sua contribuição .


1.

*Double-click UsbFix

*Press P > [ENTER]

*Press 5 > [ENTER]

 

2.

*Download MalwareBytes Anti-Malware and save it to the desktop:

*Install the program

*When it finishes, if any update exists, the download will be automatic. Wait...

*Once the update finishes, the program will open automatically.

*On the [Scan] tab, select the [Full scan] option

*Click [Scan] and select the drives to be examined

*Remove whatever is found

*At the end of the scan you may be asked whether you want to remove objects from memory. Click [YES] and finally click [OK]. A report (mbam-log-year-month-day.txt) will be displayed.

*Restart the PC

*Open Malwarebytes again and on the [Logs] tab click the file mbam-log-year-month-day.txt

*Click [Open], copy it, and paste it in your next reply together with a new HijackThis log


Here's the Anti-Malware log

Malwarebytes' Anti-Malware 1.42
Versão do banco de dados: 3321
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/12/2009 14:14:13
mbam-log-2009-12-08 (14-14-13).txt

Tipo de Verificação: Completa (C:\|D:\|)
Objetos verificados: 232322
Tempo decorrido: 1 hour(s), 30 minute(s), 47 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 2
Valores do Registro infectados: 1
Ítens do Registro infectados: 1
Pastas infectadas: 0
Arquivos infectados: 5

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Valores do Registro infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Ítens do Registro infectados:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
C:\RECYCLER\S-1-5-21-8416076620-8435755235-373779917-0449\MsMxEng.exe (Worm.Autorun.B) -> Delete on reboot.
C:\WINDOWS\system32\gaopdxkytlcfpl.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxilqgdwme.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrador\Configurações locais\Temp\herss.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

 

And this is the HijackThis one...

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:23:38, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
C:\Arquivos de programas\AVG\AVG9\avgchsvx.exe
C:\Arquivos de programas\AVG\AVG9\avgrsx.exe
C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
C:\Arquivos de programas\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\AVG\AVG9\avgnsx.exe
C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Arquivos de programas\Intel\Wireless\bin\ZCfgSvc.exe
C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe
C:\Arquivos de programas\Intel\Wireless\Bin\EOUWiz.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\ARQUIV~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.50:3128
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Arquivos de programas\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Arquivos de programas\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG9_TRAY] C:\ARQUIV~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://crmontesinai.ddns.com.br/cab/OCXChecker_6110.cab
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://crmontesinai.ddns.com.br/cab/DownloadFile_7000.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = abacos
O17 - HKLM\Software\..\Telephony: DomainName = abacos
O17 - HKLM\System\CCS\Services\Tcpip\..\{6856452D-2FF5-4B4F-81E9-008054ED107F}: NameServer = 192.168.0.50,192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = abacos
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Arquivos de programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Arquivos de programas\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Squid - Unknown owner - C:\squid\sbin\squid.exe (file missing)
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe

--
End of file - 8037 bytes

 

Now what?


Good afternoon A.H.P

 

 

1.

*Open Malwarebytes and on the [Quarantine] tab, select all results and click [Delete All]

*Click the [Logs] tab, select the report and click [Delete]

 

2.

*Temporarily disable your antivirus

 

Start > Programs > AVG

Open the AVG User Interface

Double-click Resident Shield

Uncheck the "Resident Shield active" option

Save the changes

*Download ComboFix and save it to the desktop

*Double-click the Combofix.exe file

*Accept the agreement

 

CF1.jpg

 

*If the Windows Recovery Console is already installed, ComboFix will continue the process automatically. If it isn't, a window like the one below will open. Click [YES] to accept its installation.

 

CF2.jpg

 

*After the installation, click [YES] to continue.

 

instalacaocompletadacrik7.jpg

 

*Important: while ComboFix is running, do not use the mouse or the keyboard!!..... To abort the procedure, press N or 2 and then ENTER.

 

*The program will close automatically

 

*Paste the report created at C:\combofix.txt


Sorry for taking so long to post...

 

Here's the report:

ComboFix 09-12-21.04 - adm04 22/12/2009  10:42:05.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.55.1046.18.495.146 [GMT -2:00]
Executando de: c:\documents and settings\adm04\Desktop\ComboFix.exe
.
(((((((((((((((((((((((((((((((((((((   Outras Exclusões   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1408761325-0785716068-794368169-4141
c:\recycler\S-1-5-21-8416076620-8435755235-373779917-0449
c:\windows\EventSystem.log
c:\windows\system32\test.dll
.
((((((((((((((((   Arquivos/Ficheiros criados de 2009-11-22 to 2009-12-22  ))))))))))))))))))))))))))))
.
2009-12-22 12:41 . 2009-12-22 12:41	12568	----a-w-	c:\windows\system32\drivers\PROCEXP113.SYS
2009-12-18 16:06 . 2009-12-02 12:25	294680	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avglngx.dll
2009-12-18 12:53 . 2008-04-14 02:20	81920	----a-w-	c:\windows\system32\ieencode.dll
2009-12-18 12:46 . 2009-10-29 07:42	246272	-c----w-	c:\windows\system32\dllcache\ieproxy.dll
2009-12-18 12:45 . 2009-10-29 07:42	12800	-c----w-	c:\windows\system32\dllcache\xpshims.dll
2009-12-18 12:44 . 2009-10-02 04:44	92160	-c----w-	c:\windows\system32\dllcache\iecompat.dll
2009-12-17 18:40 . 2009-12-17 18:40	2238	----a-r-	c:\documents and settings\adm04\Dados de aplicativos\Microsoft\Installer\{4DDEADA8-25B8-41CB-9989-8F16D50A8E9C}\ARPPRODUCTICON.exe
2009-12-17 18:39 . 2009-12-17 18:39	--------	d-----w-	c:\arquivos de programas\Microsoft CAPICOM 2.1.0.2 SDK
2009-12-14 18:52 . 2009-12-14 18:52	--------	d-----w-	c:\arquivos de programas\A.E.T. Europe B.V
2009-12-14 16:16 . 2009-06-24 15:16	114304	----a-w-	c:\windows\system32\drivers\cxbu0wdm.sys
2009-12-14 16:16 . 2009-12-14 16:16	--------	d-----w-	c:\arquivos de programas\OMNIKEY
2009-12-14 16:15 . 2009-12-14 16:15	--------	d-----w-	C:\OMNIKEY
2009-12-14 11:59 . 2009-12-02 12:26	798488	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avginet.dll
2009-12-09 11:09 . 2009-12-22 11:53	--------	d-----w-	c:\windows\ie8updates
2009-12-09 11:04 . 2009-12-09 11:04	--------	d-sh--w-	c:\documents and settings\Default User\IETldCache
2009-12-08 17:44 . 2009-12-08 17:44	--------	d-----w-	C:\found.000
2009-12-08 17:15 . 2009-06-21 21:48	153088	-c----w-	c:\windows\system32\dllcache\triedit.dll
2009-12-08 17:04 . 2009-07-10 13:27	1315328	-c----w-	c:\windows\system32\dllcache\msoe.dll
2009-12-08 16:53 . 2008-04-21 21:15	216064	-c----w-	c:\windows\system32\dllcache\wordpad.exe
2009-12-08 16:41 . 2009-08-06 21:23	274288	----a-w-	c:\windows\system32\mucltui.dll
2009-12-08 16:41 . 2009-08-06 21:23	215920	----a-w-	c:\windows\system32\muweb.dll
2009-12-08 14:38 . 2009-12-08 14:38	--------	d-----w-	c:\documents and settings\adm04\Dados de aplicativos\Malwarebytes
2009-12-08 14:38 . 2009-12-03 18:14	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 14:38 . 2009-12-08 14:38	--------	d-----w-	c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-12-08 14:38 . 2009-12-08 14:38	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2009-12-08 14:38 . 2009-12-03 18:13	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-12-07 18:03 . 2009-12-08 14:38	--------	d-----w-	C:\UsbFix
2009-12-07 16:24 . 2009-12-08 16:23	--------	d-----w-	C:\HiJackThis
2009-12-03 14:43 . 2009-12-03 14:43	--------	d-sh--w-	c:\documents and settings\Administrador\PrivacIE
2009-12-03 14:43 . 2009-12-03 14:43	--------	d-sh--w-	c:\documents and settings\Administrador\IETldCache
2009-12-02 17:31 . 2009-12-02 17:31	3963160	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgcorex.dll
2009-12-02 17:31 . 2009-12-02 12:26	497944	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgchjwx.dll
2009-12-02 17:30 . 2009-12-02 17:30	844056	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgupd.exe
2009-12-02 17:30 . 2009-12-02 17:30	1658136	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgupd.dll
2009-12-02 12:26 . 2009-12-02 13:30	--------	d-----w-	C:\$AVG
2009-12-02 12:26 . 2009-12-02 12:26	360584	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2009-12-02 12:25 . 2009-12-02 15:49	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\avg9
2009-11-30 13:00 . 2004-05-17 13:04	41984	------w-	c:\windows\system32\drivers\DGIVECP.SYS
2009-11-24 16:05 . 2009-11-24 16:05	2560	----a-w-	c:\windows\_MSRSTRT.EXE
2009-11-24 15:13 . 2004-08-25 12:33	1056768	----a-w-	c:\windows\system32\roboex32.dll
2009-11-24 15:13 . 2002-08-15 12:18	49152	----a-w-	c:\windows\system32\inetwh32.dll
2009-11-24 15:12 . 2008-10-07 14:10	208896	----a-w-	c:\windows\system32\wgsrvins.dll
2009-11-24 15:12 . 2002-08-15 12:18	11264	----a-w-	c:\windows\system32\sporder.dll
2009-11-24 12:56 . 2009-11-24 12:56	--------	d-----w-	c:\documents and settings\adm04\Dados de aplicativos\OpenDNS Updater
.
(((((((((((((((((((((((((((((((((((((   Relatório Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 12:00 . 2009-12-14 12:01	2352920	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgresf.dll
2009-12-09 17:32 . 2009-09-29 17:25	--------	d-----w-	c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-12-02 12:25 . 2009-12-14 12:01	562456	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgsrmx.dll
2009-12-02 12:25 . 2009-12-14 12:01	1494088	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgwd.dll
2009-12-02 12:25 . 2009-12-14 12:01	744728	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgscanx.exe
2009-12-02 12:25 . 2009-12-14 12:01	361752	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgsrmax.exe
2009-12-02 12:25 . 2009-12-14 12:01	1336600	----a-w-	c:\documents and settings\All Users\Dados de aplicativos\avg9\update\backup\avgssff.dll
2009-12-02 12:25 . 2009-10-01 17:41	--------	d-----w-	c:\arquivos de programas\AVG
2009-12-02 11:56 . 2009-10-09 18:53	--------	d-----w-	c:\documents and settings\adm04\Dados de aplicativos\Skype
2009-11-26 18:42 . 2009-04-01 19:42	--------	d-----w-	c:\arquivos de programas\Alterdata
2009-11-19 17:48 . 2009-11-19 17:48	--------	d-----w-	c:\arquivos de programas\jFinanças Rede
2009-11-12 12:18 . 2009-11-12 12:18	--------	d-----w-	c:\arquivos de programas\AnalogX
2009-11-12 12:18 . 2009-11-12 12:18	--------	d-----w-	c:\arquivos de programas\Advanced IP Scanner
2009-11-06 15:41 . 2009-11-06 15:41	--------	d-----w-	c:\arquivos de programas\v7020
2009-11-06 15:41 . 2007-12-19 20:09	--------	d--h--w-	c:\arquivos de programas\InstallShield Installation Information
2009-10-30 11:53 . 2009-10-30 11:48	--------	d-----w-	c:\arquivos de programas\office Convert Pdf to Jpg Jpeg Tiff
2009-10-28 12:45 . 2009-10-28 12:45	0	----a-w-	c:\windows\nsreg.dat
2009-10-20 11:14 . 2001-10-28 18:07	50002	----a-w-	c:\windows\system32\perfc016.dat
2009-10-20 11:14 . 2001-10-28 18:07	347886	----a-w-	c:\windows\system32\perfh016.dat
2009-10-01 18:29 . 2007-12-19 21:38	21035	----a-w-	c:\windows\system32\drivers\AegisP.sys
2009-09-28 19:30 . 2009-09-28 19:30	1961720	----a-w-	c:\documents and settings\adm04\Dados de aplicativos\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   ))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"VTTrayp"="VTtrayp.exe" [2004-10-11 143360]"VTTimer"="VTTimer.exe" [2004-10-22 53248]"IntelZeroConfig"="c:\arquivos de programas\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]"IntelWireless"="c:\arquivos de programas\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]"EOUApp"="c:\arquivos de programas\Intel\Wireless\Bin\EOUWiz.exe" [2005-11-28 569413]"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143872]"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-04-07 503808]"AVG9_TRAY"="c:\arquiv~1\AVG\AVG9\avgtray.exe" [2009-12-14 2033432]"CertificateRegistration"="aetcrss1.exe" [2007-10-17 163840][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"HonorAutoRunSetting"= 0 (0x0)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"HonorAutoRunSetting"= 0 (0x0)[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]2009-12-02 12:26	12464	----a-w-	c:\windows\system32\avgrsstx.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]2007-03-30 16:34	25263144	----a-w-	c:\arquivos de programas\Skype\Phone\Skype.exe[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\BTW (D)\\Spylite.exe"="c:\\Arquivos de 
programas\\Messenger\\msmsgs.exe"="c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"="\\\\Abacosserver\\DADOS\\ARQUIVOS DE PROGRAMAS\\GRACCO\\APLICATIVOS\\GRACCO SERVIDOR.EXE"="c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"="c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"="c:\\Arquivos de programas\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"="c:\\Arquivos de programas\\TeamViewer\\Version4\\TeamViewer.exe"="c:\\Mowes\\mysql\\bin\\mysqld-nt.exe"="c:\\Mowes\\apache2\\bin\\httpd.exe"="c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"="c:\\Arquivos de programas\\AVG\\AVG9\\avgupd.exe"="c:\\Arquivos de programas\\AVG\\AVG9\\avgnsx.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/10/2009 15:42 333192]R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/12/2009 10:26 360584]R2 avg9wd;AVG Free WatchDog;c:\arquivos de programas\AVG\AVG9\avgwdsvc.exe [2/12/2009 10:25 285392]S0 mwguehuo;mwguehuo;c:\windows\system32\drivers\uebdsip.sys --> c:\windows\system32\drivers\uebdsip.sys [?]S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [14/12/2009 14:16 114304]S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [20/9/2009 09:56 9472][HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\aetsprov]2007-10-18 15:06	77824	----a-w-	c:\windows\system32\aetsprov.dll.------- Scan Suplementar 
-------.uStart Page = hxxp://www.google.com.br/uInternet Settings,ProxyServer = 192.168.0.50:3128IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000Trusted Zone: certisign.com.br\gestaoarTrusted Zone: certisign.com.br\wwwTCP: {6856452D-2FF5-4B4F-81E9-008054ED107F} = 192.168.0.50,192.168.0.1DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} - hxxp://crmontesinai.ddns.com.br/cab/OCXChecker_6110.cabDPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://crmontesinai.ddns.com.br/cab/DownloadFile_7000.cab.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-12-22 10:54Windows 5.1.2600 Service Pack 3 NTFSProcurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucessoarquivos/ficheiros ocultos: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NTSquid]"ImagePath"="c:\squid\sbin\squid.exe --ntservice:NTSquid"--[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Squid]"ImagePath"="c:\squid\sbin\squid.exe --ntservice:Squid".--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL".--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------- - - - - - - > 'winlogon.exe'(624)c:\arquivos de programas\Bonjour\mdnsNSP.dllc:\windows\system32\aetcsss1.dllc:\windows\system32\aetpkss1.dll- - - - - - - > 'lsass.exe'(680)c:\arquivos de 
programas\Bonjour\mdnsNSP.dll.Tempo para conclusão: 2009-12-22  11:01:01ComboFix-quarantined-files.txt  2009-12-22 13:00Pré-execução: 20 pasta(s) 25.098.911.744 bytes disponíveisPós execução: 25 pasta(s) 25.628.930.048 bytes disponíveisWindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect- - End Of File - - 89F3C5E170BCED67EFA3E4FB1D1DE236


How is the machine doing?

*Open Notepad and copy and paste all of the code below into it:

FileLook::

c:\windows\system32\drivers\uebdsip.sys

*Save the file on the desktop as CFScript.txt

*Drag the file onto ComboFix as shown in the illustration below:

[image: CFScript.gif]

*Important: while ComboFix is running, do not use the mouse or the keyboard!!

*The program will close automatically

*Paste the report created at C:\combofix.txt

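Added example (my own script, not part of this thread and not ComboFix's code): a small Python triage of the service/driver lines in the ComboFix log above, the section the FileLook:: request in the reply above is aimed at. It parses the R*/S* entries, treats a "[?]" in place of the date/size as ComboFix having failed to find the image file (my reading of the log format, so an assumption), and reports only entries whose registered path is a bare .sys/.exe that still could not be found. The two Firebird entries, whose "[?]" comes from the " -s" argument glued to the path, are deliberately not flagged. It then emits the same FileLook:: block the reply asks for. The sample input is the service section copied from the log.

```python
"""Triage of ComboFix service/driver lines (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the R*/S* lines copied from the ComboFix log posted above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/10/2009 15:42 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/12/2009 10:26 360584]
R2 avg9wd;AVG Free WatchDog;c:\arquivos de programas\AVG\AVG9\avgwdsvc.exe [2/12/2009 10:25 285392]
S0 mwguehuo;mwguehuo;c:\windows\system32\drivers\uebdsip.sys --> c:\windows\system32\drivers\uebdsip.sys [?]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [14/12/2009 14:16 114304]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [20/9/2009 09:56 9472]
"""

# "<R|S><start type> <service name>;<display name>;<image path> [stat]"
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
STAT_RE = re.compile(r"^(.*?)\s+\[(.+)\]$")


@dataclass
class Service:
    running: bool        # R = running at scan time, S = stopped
    start: int           # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    name: str
    display: str
    image: str           # registered image path, any trailing arguments kept
    stat: Optional[str]  # "date time size" when the file was found, None for "[?]"


def parse_service_line(line: str) -> Optional[Service]:
    """Parse one ComboFix service line; return None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    flag, start, name, display, rest = m.groups()
    if " --> " in rest:
        # "<registered path> --> <resolved path> [?]": ComboFix could not
        # stat the image (assumption about ComboFix's output format).
        image, stat = rest.split(" --> ", 1)[0], None
    else:
        sm = STAT_RE.match(rest)
        image, stat = (sm.group(1), sm.group(2)) if sm else (rest, None)
    return Service(flag == "R", int(start), name, display, image, stat)


def triage(log_text: str) -> List[Tuple[Service, List[str]]]:
    """Return services whose image file is missing, each with its warning signs."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        path = svc.image.lower()
        # A bare .sys/.exe that still could not be stat'ed is absent or hidden.
        # A "[?]" on a path that ends in arguments ("fbguard.exe -s") is only
        # an artifact of those arguments, so it is skipped.
        missing = svc.stat is None and path.endswith((".sys", ".exe"))
        if not missing:
            continue
        reasons = ["image file not found: " + svc.image]
        if svc.display == svc.name:
            reasons.append("display name is just the service name (no vendor description)")
        if svc.start <= 1 and path.endswith(".sys"):
            reasons.append("boot/system-start driver, loads before most security software")
        findings.append((svc, reasons))
    return findings


def make_cfscript(findings: List[Tuple[Service, List[str]]]) -> str:
    """Render a CFScript FileLook:: block for the flagged image paths."""
    return "\n".join(["FileLook::"] + [svc.image for svc, _ in findings]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for svc, reasons in found:
        print(f"{svc.name} (start type {svc.start}):")
        for r in reasons:
            print("  - " + r)
    print()
    print(make_cfscript(found), end="")
```

Run as-is it reports mwguehuo with three warning signs (missing image, display name identical to the service name, boot-start driver) and prints the two-line CFScript. The heuristic only says which entries deserve a closer look; ComboFix's FileLook:: output is what tells you whether the file is really gone, hidden, or already quarantined.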

Wings, the machine is back to working perfectly.

Should I still go ahead with the procedure?

 

OK... you don't change a winning team... lol

1.

*Click [Start] > [Run] > type: combofix /uninstall

*Click [OK]

[image: 92674490.jpg]

*Click [Run]

*The message "ComboFix is uninstalled" will appear

*Click [OK]

*Delete the file C:\combofix.txt

Regards.


PROBLEM SOLVED!

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
