Michael_c, posted December 10, 2009

Good afternoon, everyone!

I have an annoying piece of malware: it keeps opening pop-ups in my Windows Explorer from this address: ad.yieldmanager.com. I have McAfee antivirus (Security Center) installed, fully updated, licensed, etc., but it did not detect anything... Below are some of the steps I have already tried:

- Installed Ad-Aware (detected nothing);
- Installed Windows Defender (detected nothing);
- Installed CCleaner and ran a scan, but the problem persists;
- Also installed Malwarebytes and ran a full scan, and nothing was detected either;
- Ran a scan with HijackThis; the log follows below:

_____________________
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:49:34, on 10/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\mna\mcnasvc.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\mcproxy\mcproxy.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\Arquivos de programas\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Persits Software\AspEmail\BIN\EmailAgent.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
c:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\mqsvc.exe
c:\ARQUIV~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\Arquivos de programas\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe
C:\ARQUIV~1\MI3AA1~1\rapimgr.exe
C:\Arquivos de programas\UltraVNC\winvnc.exe
C:\WINDOWS\explorer.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
c:\ARQUIV~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Arquivos de programas\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\ARQUIV~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Arquivos de programas\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: UltraVNC Server.lnk = C:\Arquivos de programas\UltraVNC\winvnc.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1251934096156
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: NppracoxUna - {DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0} - C:\WINDOWS\system32\nppracox.dll
O23 - Service: Persits Software Email Agent (EmailAgent) - Unknown owner - C:\ARQUIV~1\PERSIT~1\AspEmail\EMAILA~1\BIN\EMAILA~1.EXE (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MSK\MskSrver.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Persits Software EmailAgent - Persits Software, Inc. - C:\Arquivos de programas\Persits Software\AspEmail\BIN\EmailAgent.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8793 bytes
____________________________________

I don't know what else to do. Does anyone have a tip?

Thanks.
Michael C.
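In a HijackThis log, the O22 (SharedTaskScheduler) entries are DLLs that Explorer loads at every logon, and the O2 entry marked "(no file)" is a BHO registration whose DLL is gone. Those are the lines a first-pass triage should surface from the log above. The Python script below is an added example, not part of this thread and not code from HijackThis: it parses O2/O22 lines of the shape printed above and flags any SharedTaskScheduler hook whose CLSID is not on a small allowlist, plus orphaned BHOs. The allowlist (the two hooks Windows XP registers itself, both in browseui.dll), the sample lines and the function name are assumptions made for the example; an entry it flags is "look closer", not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample: HijackThis O2/O22/O23 lines of the kind shown in the
# post above (the three O22 hooks and the orphaned O2 entry mirror the log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: NppracoxUna - {DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0} - C:\WINDOWS\system32\nppracox.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
"""

# Assumed, minimal allowlist: the two SharedTaskScheduler hooks Windows XP
# registers itself (both implemented by browseui.dll). Real triage needs a
# vetted, fuller list; anything not on it means "look closer", not "malicious".
KNOWN_STS_HOOKS: Dict[str, str] = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "browseui.dll",
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}": "browseui.dll",
}

# "<section> - <kind>: <name> - {CLSID} - <path>" as HijackThis prints it.
ENTRY_RE = re.compile(
    r"^(?P<section>O2|O22) - (?:BHO|SharedTaskScheduler): "
    r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


def triage_hijackthis(log_text: str) -> List[Dict[str, str]]:
    """Return the O2/O22 entries worth a closer look, each with a reason."""
    flagged: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # other sections are outside this example's scope
        entry = match.groupdict()
        clsid = entry["clsid"].upper()  # HijackThis prints some CLSIDs mixed-case
        path = entry["path"]
        dll = path.rsplit("\\", 1)[-1].lower()
        reason = None
        if entry["section"] == "O2" and path == "(no file)":
            reason = "orphaned BHO registration (CLSID points to a missing file)"
        elif entry["section"] == "O22":
            expected = KNOWN_STS_HOOKS.get(clsid)
            if expected is None:
                reason = ("SharedTaskScheduler hook with unknown CLSID; "
                          "it is loaded into Explorer at every logon")
            elif expected != dll:
                reason = f"known CLSID but unexpected DLL {dll!r} (expected {expected!r})"
        if reason:
            flagged.append({**entry, "clsid": clsid, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in triage_hijackthis(SAMPLE_LOG):
        print(f"[{hit['section']}] {hit['name']} {hit['clsid']} -> {hit['path']}")
        print(f"    {hit['reason']}")
```

Run against the sample, the script flags exactly two lines: the "(no name)" BHO with no file behind it, and the NppracoxUna hook in system32 whose CLSID Windows does not register. The McAfee service line and the two browseui.dll hooks pass silently, which is the point of keeping the allowlist explicit rather than pattern-matching on "suspicious-looking" names.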
DigRam, posted December 11, 2009

Good afternoon, Michael_c!

<@> Download: < SmitfraudFix > (...by siri.urz)
<@> Save it to Local Disk C and unpack it there.
<@> Restart the computer in Safe Mode.
<@> Run SmitfraudFix.cmd with a double-click.
<@> Press option 2 --> Enter.
<@> When the message "Do you want to clean the registry" appears, press option Y.
<@> Press Enter! --> Wait!
<@> Restart the computer normally.
<@> If your desktop has changed, fix it in the display properties (Theme).
<@> Copy the log (rapport.txt) and post it in your reply, together with an updated HijackThis log.

Regards!
Michael_c, posted December 12, 2009

DigRam,

Thank you very much for the help. I followed the steps and the computer's performance improved; it had been freezing and running slowly at times. The inconvenience is that ad.yieldmanager.com keeps opening the pop-ups... The generated logs follow below:

SmitFraudFix v2.424

Scan done at 1:23:51,54, sáb 12/12/2009
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [versão 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}"="NppracoxUna"

[HKEY_CLASSES_ROOT\CLSID\{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}\InProcServer32]
@="C:\WINDOWS\system32\nppracox.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}\InProcServer32]
@="C:\WINDOWS\system32\nppracox.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
127.0.0.1 adobeereg.com
127.0.0.1 activate.adobe.com

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F723C38F-10F8-45BE-905D-B599CC881775}: DhcpNameServer=201.6.0.113 201.6.0.42
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F723C38F-10F8-45BE-905D-B599CC881775}: DhcpNameServer=201.6.0.113 201.6.0.42
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F723C38F-10F8-45BE-905D-B599CC881775}: DhcpNameServer=201.6.0.113 201.6.0.42
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=201.6.0.113 201.6.0.42
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=201.6.0.113 201.6.0.42
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=201.6.0.113 201.6.0.42

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK.2

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}"="NppracoxUna"

[HKEY_CLASSES_ROOT\CLSID\{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}\InProcServer32]
@="C:\WINDOWS\system32\nppracox.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}\InProcServer32]
@="C:\WINDOWS\system32\nppracox.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 01:33:09, on 12/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\mna\mcnasvc.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\mcproxy\mcproxy.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\Arquivos de programas\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Persits Software\AspEmail\BIN\EmailAgent.exe
C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\Windows Defender\MSASCui.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
c:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARQUIV~1\MI3AA1~1\rapimgr.exe
C:\Arquivos de programas\UltraVNC\winvnc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\ARQUIV~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Arquivos de programas\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: UltraVNC Server.lnk = C:\Arquivos de programas\UltraVNC\winvnc.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251934096156
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: NppracoxUna - {DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0} - C:\WINDOWS\system32\nppracox.dll
O23 - Service: Persits Software Email Agent (EmailAgent) - Unknown owner - C:\ARQUIV~1\PERSIT~1\AspEmail\EMAILA~1\BIN\EMAILA~1.EXE (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MSK\MskSrver.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Persits Software EmailAgent - Persits Software, Inc. - C:\Arquivos de programas\Persits Software\AspEmail\BIN\EmailAgent.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8077 bytes

Once again, thanks for the help.

Regards,
Michael C.
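The useful signal in the SmitfraudFix report above is the pair of "SharedTaskScheduler Before/After" snapshots: the same NppracoxUna hook appears in both even though "Registry Cleaning done." is printed in between, which is consistent with the pop-ups surviving the run. Diffing those two sections is the check an analyst wants before trying the next tool. The Python below is an added example, not part of this thread and not code from SmitfraudFix: it splits a report of this shape into its »»» sections, extracts each hook's CLSID, display name and InProcServer32 DLL from the SrchSTS-style dump, and returns the hooks listed both before and after. The section layout it assumes (chevrons and title on one line) and the sample text are modelled on the log above.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the SmitfraudFix report above: the same hook
# appears in the "Before" and "After" snapshots although cleaning is reported.
SAMPLE_REPORT = r"""
SmitFraudFix v2.424
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}"="NppracoxUna"
[HKEY_CLASSES_ROOT\CLSID\{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}\InProcServer32]
@="C:\WINDOWS\system32\nppracox.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}"="NppracoxUna"
[HKEY_CLASSES_ROOT\CLSID\{DF77E339-A5EB-45A9-94D4-5D6F3D0BC2E0}\InProcServer32]
@="C:\WINDOWS\system32\nppracox.dll"
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_MARK = "»»»"
# "{CLSID}"="DisplayName" under the SharedTaskScheduler key
STS_VALUE_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"="(.*)"$')
# [HKEY_...\CLSID\{CLSID}\InProcServer32] followed by @="path\to\dll"
INPROC_KEY_RE = re.compile(r'^\[HKEY_[^\]]*\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32\]$')
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def split_sections(report: str) -> Dict[str, List[str]]:
    """Map each '»»» Title' heading to the lines that follow it (assumed layout)."""
    sections: Dict[str, List[str]] = {}
    title = None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(SECTION_MARK):
            title = line.lstrip("»").strip()
            sections[title] = []
        elif title is not None:
            sections[title].append(line)
    return sections


def parse_hooks(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Collect CLSID -> {name, dll} from SrchSTS-style registry dump lines."""
    hooks: Dict[str, Dict[str, str]] = {}
    pending_clsid = None  # set once an InProcServer32 key line has been seen
    for line in lines:
        if m := STS_VALUE_RE.match(line):
            hooks.setdefault(m.group(1).upper(), {})["name"] = m.group(2)
        elif m := INPROC_KEY_RE.match(line):
            pending_clsid = m.group(1).upper()
        elif (m := DEFAULT_VALUE_RE.match(line)) and pending_clsid:
            hooks.setdefault(pending_clsid, {})["dll"] = m.group(1)
            pending_clsid = None
    return hooks


def surviving_hooks(report: str) -> Dict[str, Dict[str, str]]:
    """Hooks present both before and after the fix, i.e. the ones it did not remove."""
    sections = split_sections(report)
    before = parse_hooks(sections.get("SharedTaskScheduler Before SmitFraudFix", []))
    after = parse_hooks(sections.get("SharedTaskScheduler After SmitFraudFix", []))
    return {clsid: info for clsid, info in after.items() if clsid in before}


if __name__ == "__main__":
    for clsid, info in surviving_hooks(SAMPLE_REPORT).items():
        print(f"still registered after the fix: {clsid} {info.get('name')} -> {info.get('dll')}")
```

On the sample the result is a single survivor, the NppracoxUna CLSID backed by C:\WINDOWS\system32\nppracox.dll. A non-empty result after a cleaning run is the cue to stop re-running generic fixers and look at that specific file, which is exactly where the thread goes next.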
DigRam, posted December 12, 2009

Good morning, Michael_c!

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
127.0.0.1 adobeereg.com
127.0.0.1 activate.adobe.com
----------------------
----------------------
127.0.0.1 ad.yieldmanager.com
127.0.0.1 yieldmanager.com

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

<!> I noticed that the hosts file contains domains to be blocked. This is often the result of the protective action of the Spybot antispyware. Check whether the highlighted lines exist in your hosts file.
<!> Go to Start --> Run --> Type: notepad %systemroot%\system32\drivers\etc\hosts
<!> Note: the contents will appear in a Notepad window --> Select them and copy them into this topic.

<><><><><><><><><><><>

<@> Submit the file below for analysis at: < VirSCAN.org >
<!> C:\WINDOWS\system32\nppracox.dll <--
<@> Click "Enviar arquivo..." (Send file...).
<@> Once the file on your PC has been located, click "Upload" --> Wait!
<@> In the message, click: "Verificar novamente" (Check again)
<@> When it finishes, copy the link to the report and send it to us.
<@> Example: the file NodeRefresh.dll was checked, and the link to its report follows below:
<@> Link: --> < >

Regards!
Michael_c, posted December 12, 2009

DigRam,

I checked the hosts file and it does not contain the lines you indicated. Its contents follow below:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column, followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 adobeereg.com
127.0.0.1 activate.adobe.com

I checked the indicated file on VirSCAN; the result and the link follow below:

VirSCAN.org Scanned Report :
Scanned time : 2009/12/13 06:19:51 (CST)
Scanner results: 16% Software(6/37) encontrou código malicioso!
File Name : nppracox.dll
File Size : 372736 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : e664a9abe359c6e3dcbacad9dd03cd21
SHA1 : 41f9a36e8dd6c1b3b6bfe4d78052efcd5aac7133
Online report : http://virscan.org/report/377f32eab36a6a24f3398383b8215b08.html

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared | 4.5.0.8 | 20091212050408 | 2009-12-12 | 6.26 | Trojan-Downloader.Win32.VB!IK
AhnLab V3 | 2009.12.13.00 | 2009.12.13 | 2009-12-13 | 1.17 | -
AntiVir | 8.2.1.108 | 7.10.1.219 | 2009-12-11 | 0.12 | TR/VB.Downloader.Gen
Antiy | 2.0.18 | 20091211.3462203 | 2009-12-11 | 0.02 | -
Arcavir | 2009 | 200912112021 | 2009-12-11 | 0.06 | -
Authentium | 5.1.1 | 200912121540 | 2009-12-12 | 1.28 | -
AVAST! | 4.7.4 | 091212-1 | 2009-12-12 | 0.03 | -
AVG | 8.5.288 | 270.14.105/2561 | 2009-12-13 | 0.34 | -
BitDefender | 7.81008.4720506 | 7.29421 | 2009-12-13 | 4.25 | -
CA (VET) | 35.1.0 | 7170 | 2009-12-10 | 9.71 | -
ClamAV | 0.95.2 | 10156 | 2009-12-12 | 0.06 | -
Comodo | 3.13 | 3220 | 2009-12-12 | 0.94 | -
CP Secure | 1.3.0.5 | 2009.12.12 | 2009-12-12 | 0.08 | -
Dr.Web | 4.44.0.9170 | 2009.12.12 | 2009-12-12 | 7.55 | -
F-Prot | 4.4.4.56 | 20091212 | 2009-12-12 | 1.22 | -
F-Secure | 7.02.73807 | 2009.12.12.02 | 2009-12-12 | 9.37 | -
Fortinet | 11.260- | 11.260 | 2009-12-12 | 0.24 | -
GData | 19.9272/19.621 | 20091212 | 2009-12-12 | 6.08 | -
ViRobot | 20091212 | 2009.12.12 | 2009-12-12 | 0.43 | -
Ikarus | T3.1.01.74 | 2009.12.12.74746 | 2009-12-12 | 4.22 | Trojan-Downloader.Win32.VB
JiangMin | 13.0.900 | 2009.12.12 | 2009-12-12 | 6.43 | -
Kaspersky | 5.5.10 | 2009.12.12 | 2009-12-12 | 0.07 | -
KingSoft | 2009.2.5.15 | 2009.12.12.20 | 2009-12-12 | 0.55 | -
McAfee | 5.3.00 | 5830 | 2009-12-12 | 3.39 | -
Microsoft | 1.5302 | 2009.12.12 | 2009-12-12 | 6.67 | -
Norman | 6.01.09 | 6.01.00 | 2009-12-12 | 4.01 | W32/DLoader.ABJBG
Panda | 9.05.01 | 2009.12.12 | 2009-12-12 | 1.91 | -
Trend Micro | 9.000-1003 | 6.688.04 | 2009-12-13 | 0.03 | -
Quick Heal | 10.00 | 2009.12.12 | 2009-12-12 | 1.25 | Trojan.BHO.aarj
Rising | 20.0 | 22.25.05.04 | 2009-12-12 | 1.05 | -
Sophos | 3.02.0 | 4.48 | 2009-12-13 | 2.81 | -
Sunbelt | 3.9.2386.2 | 5557 | 2009-12-11 | 1.98 | -
Symantec | 1.3.0.24 | 20091212.004 | 2009-12-12 | 0.07 | -
nProtect | 20091210.02 | 6563203 | 2009-12-10 | 3.70 | Trojan/W32.BHO.372736
The Hacker | 6.5.0.2 | v00092 | 2009-12-12 | 0.74 | -
VBA32 | 3.12.12.0 | 20091211.2059 | 2009-12-11 | 2.32 | -
VirusBuster | 4.5.11.10 | 10.116.3/2014358 | 2009-12-12 | 2.49 | -

Link to the VirSCAN result: http://virscan.org/report/377f32eab36a6a24f3398383b8215b08.html

Thanks,
Michael C.
DigRam, posted December 13, 2009

Good evening, Michael_c!

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column, followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 ad.yieldmanager.com
127.0.0.1 yieldmanager.com

<@> Copy this content into Notepad.
<@> Save it with the name: hosts
<@> When you click the X, save it in this directory: etc
<!> C:\WINDOWS\system32\drivers\etc <--
<@> Confirm when asked whether you want to save the changes!
<@> Also confirm replacing the original file.
<@> Restart the computer when done.

<><><><><><><><><><>

<@> Download: < Norman Malware Cleaner >
<@> Save it to the desktop.
<@> Open the file and click Run --> Accept.
<@> Click Add to add, or Remove to remove, the drives/areas to be scanned. (C:\*.*, D:\*.*, E:\*.*, etc.)
<@> Restart in Safe Mode.
<@> Click "Start scan" --> Wait!
<@> When it finishes, post the report, which will be on the desktop. (NFix_2009-xx-xx_yy-yy-yy.log) <--
<@> Also post an updated HijackThis log.

Regards!
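Two replies above ask the same two things of the hosts file: first to check whether the 127.0.0.1 entries for ad.yieldmanager.com and yieldmanager.com are present, then to write a hosts file that contains them. Blocking an ad server this way only hides the symptom (the DLL is still loaded), but the check itself is worth automating, because the same parser also catches the opposite problem: a hosts entry that points a real name at a non-loopback address, which is how hosts-file hijacks look. The Python below is an added example, not part of this thread or of any tool named in it: it parses hosts-file syntax (IP first, one or more names, '#' comments), reports which required sink-hole entries are missing, lists entries that redirect to something other than loopback, and returns the file content with only the missing lines appended. The sample file, the function names and the required-entries table are constructed for the example.

```python
from typing import Dict

# Constructed sample hosts file: the three entries from the poster's machine
# plus one deliberately wrong-looking line (documentation IP, reserved name)
# of the kind a hosts hijack leaves behind.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example.
# Lines starting with '#' are comments; IP first, then one or more host names.
127.0.0.1       localhost
127.0.0.1       adobeereg.com
127.0.0.1       activate.adobe.com
198.51.100.7    update.example.com   # constructed: a non-loopback redirect
"""

# The two sink-hole lines the replies above ask for (127.0.0.1 = unreachable locally).
REQUIRED_SINKHOLES: Dict[str, str] = {
    "ad.yieldmanager.com": "127.0.0.1",
    "yieldmanager.com": "127.0.0.1",
}

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return host name -> IP for every active (non-comment) entry."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower()] = ip  # later lines override earlier ones
    return entries


def missing_sinkholes(text: str, required: Dict[str, str] = REQUIRED_SINKHOLES) -> Dict[str, str]:
    """Required block entries that are absent or point somewhere else."""
    have = parse_hosts(text)
    return {host: ip for host, ip in required.items() if have.get(host) != ip}


def non_loopback_entries(text: str) -> Dict[str, str]:
    """Entries that redirect a name to a real address: worth explaining or removing."""
    return {host: ip for host, ip in parse_hosts(text).items() if ip not in LOOPBACK}


def with_sinkholes(text: str, required: Dict[str, str] = REQUIRED_SINKHOLES) -> str:
    """Hosts content with the missing block entries appended; nothing else is touched."""
    missing = missing_sinkholes(text, required)
    if not missing:
        return text
    body = text if text.endswith("\n") else text + "\n"
    return body + "".join(f"{ip} {host}\n" for host, ip in missing.items())


if __name__ == "__main__":
    print("missing sink-hole entries:", missing_sinkholes(SAMPLE_HOSTS))
    print("non-loopback redirects:", non_loopback_entries(SAMPLE_HOSTS))
    print(with_sinkholes(SAMPLE_HOSTS))
```

On the sample, both yieldmanager names are reported missing (matching what the poster found), the update.example.com line is reported as a non-loopback redirect, and the merged output is the original file plus the two missing lines. Appending rather than rewriting keeps whatever another product (the reply mentions Spybot) already put there.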
wings, posted January 13, 2010

Topic archived

Since the author has not replied for more than 30 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area with the link to this topic and explain why it should be reopened.