[Resolvido] &nbspInfectado com o ceara.com/0xf04.pac

[Netow 0]

Olá, estava procurando alguma forma de deletar o malware que está fazendo com que nas minhas conexões do internet explorer, em usar script de configuração automatica aparece o link http://www.cearainfo.com/0xf04.pac ! Não consegui a solução para o meu problema então venho pedir ajuda dos senhores!

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 23:23:12, on 28/04/2011

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16722)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe

C:\Program Files (x86)\Vivo 3G\Vivo 3G.exe

C:\Program Files (x86)\Vivo 3G\CMUpdater.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\Orbitdownloader\orbitdm.exe

C:\Program Files (x86)\Orbitdownloader\orbitnet.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Hijackthis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Program Files (x86)\GbPlugin\gbieh.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files (x86)\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [RTSS] "C:\Program Files (x86)\MSI Afterburner\Bundle\OSDServer\RTSSWrapper.exe" /s

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Exibir ou ocultar HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O15 - Trusted Zone: www.bancobrasil.com.br

O15 - Trusted Zone: www14.bancobrasil.com.br

O15 - Trusted Zone: www2.bancobrasil.com.br

O15 - Trusted Zone: www.bb.com.br

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A76AE1D-3765-4228-A1FA-84A19935EF3B}: NameServer = 200.142.132.32 200.220.227.57

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\Program Files (x86)\GbPlugin\gbieh.dll

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)

O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Serviço do Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: Gbp Service (GbpSv) - - C:\PROGRA~2\GbPlugin\GbpSv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: O&O Defrag (OODefragAgent) - O&O Software GmbH - C:\Program Files\OO Software\Defrag\oodag.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

 

--

End of file - 9030 bytes

[wings 22]

Olá Netow

 

 

*Baixe o OTS e salve-o no desktop

*Execute-o e selecione a opção:

[x] Scan All Users

*Clique [Quick Scan] e cole o relatório apresentado

 

Caso o relatório fique demasiadamente grande...

 

*Acesse este link

*Clique [Enviar arquivo]

*Localize o arquivo OTS.txt no desktop

*Clique [Abrir] > [Créer le lien Cjoint]

*Cole o endereço criado

[Netow 0]

Ok, feito! O link é:

http://cjoint.com/?ADDfdlUwLGk

[wings 22]

Abra o arquivo C:\Windows\SysNative\Drivers\etc\hosts e cole o conteúdo.

[Netow 0]

Amigo, não consigo acessar essa pasta, da o seguinte erro:

O Windows não pode localizar a pasta C:\Windows\SysNative\Drivers\etc\hosts. Verifique a ortografia e tente novamente.

[wings 22]

*Baixe o HostsXpert e salve-o no desktop

*Extraia para o desktop e execute-o

*Clique [Editing] > [Copy to Clipboard] > [Copy Host File]

*Cole aqui no fórum.

[Netow 0]

# copyright © 1993-2009 microsoft corp.

#

# this is a sample hosts file used by microsoft tcp/ip for windows.

#

# this file contains the mappings of ip addresses to host names. each

# entry should be kept on an individual line. the ip address should

# be placed in the first column followed by the corresponding host name.

# the ip address and the host name should be separated by at least one

# space.

#

# additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# for example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

 

# localhost name resolution is handled within dns itself.

# 127.0.0.1 localhost

# ::1 localhost

127.0.0.1 serial.alcohol-soft.com

127.0.0.1 www.alcohol-soft.com

127.0.0.1 images.alcohol-soft.com

127.0.0.1 trial.alcohol-soft.com

127.0.0.1 alcohol-soft.com

[wings 22]

*Selecione e copie o código abaixo:

[unregister Dlls]

[Registry - Safe List]

< FireFox Settings [Prefs.js] > -> C:\Users\Netow\AppData\Roaming\Mozilla\FireFox\Profiles\tmk8jlzp.default\prefs.js

YN -> network.proxy.autoconfig_url -> "http://www.cearainfo.com/0xf04.pac"

YN -> network.proxy.socks_port -> 80

YN -> network.proxy.type -> 2

[Alternate Data Streams]

NY -> @Alternate Data Stream - 204 bytes -> C:\Windows\SysWow64\drivers:GbpKmAp.lst

[Empty Temp Folders]

[Reboot]

*Execute o OTS

*Clique no espaço abaixo de "Paste Fix Here", e cole o código

*Clique [Run Fix]

*O PC será reiniciado

*Cole o relatório apresentado

[Netow 0]

All Processes Killed

[Registry - Safe List]

Prefs.js: "http://www.cearainfo.com/0xf04.pac"'>http://www.cearainfo.com/0xf04.pac" removed from network.proxy.autoconfig_url

Prefs.js: 80 removed from network.proxy.socks_port

Prefs.js: 2 removed from network.proxy.type

[Alternate Data Streams]

ADS C:\Windows\SysWow64\drivers:GbpKmAp.lst deleted successfully.

[Empty Temp Folders]

 

 

User: All Users

 

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 56502 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

 

User: Netow

->Temp folder emptied: 8859492 bytes

->Temporary Internet Files folder emptied: 534859 bytes

->Java cache emptied: 221779 bytes

->FireFox cache emptied: 20551707 bytes

->Google Chrome cache emptied: 9694850 bytes

->Flash cache emptied: 2326 bytes

 

User: Public

->Temp folder emptied: 0 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 1619120 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 543692 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes

RecycleBin emptied: 0 bytes

 

Total Files Cleaned = 40,00 mb

 

< End of fix log >

OTS by OldTimer - Version 3.1.42.0 fix logfile created on 04292011_011235

 

Files\Folders moved on Reboot...

C:\Users\Netow\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

 

Registry entries deleted on Reboot...

 

Ainda está aparecendo no Internet Explorer na aba conexões, configurações, na caixa usar script de configuração automática o link http://www.cearainfo.com/0xf04.pac :(

[wings 22]

*Execute novamente o OTS e selecione a opção:

[x] Scan All Users

*Clique [Quick Scan]

 

*Acesse este link

*Clique [Enviar arquivo]

*Localize o arquivo OTS.txt no desktop

*Clique [Abrir] > [Créer le lien Cjoint]

*Cole o endereço criado

[Netow 0]

O link:

http://cjoint.com/11av/ADDgBxx8Uu8.htm

[wings 22]

*Baixe o OTL e salve-o no desktop

*Execute-o e selecione as opções:

[X] Verificar All Users

Exame Extra do Registro: [X] Usar SafeList

[X] Ignorar Arquivos Microsoft

[X] Usar WhiteList para Nomes de Companhias

[X] Verificar Purity

*Clique no espaço abaixo de "Exames Personalizados/Correções" e cole o código:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

*Clique [Verificar]

*Cole os relatórios apresentados (OTL.txt e Extras.txt localizados no desktop)

 

Caso os relatórios fiquem demasiadamente grandes...

 

*Acesse este link

*Clique [Enviar arquivo]

*Localize o arquivo OTL.txt no desktop

*Clique [Abrir] > [Créer le lien Cjoint]

*Cole o endereço criado

*Faça o mesmo procedimento para o relatório Extras.txt

[Netow 0]

links:

OTL.TXT

http://cjoint.com/?ADDgJGzNeLW}

EXTRAS.TXT

http://cjoint.com/?ADDgKoWyOjl

[wings 22]

O link do OTL.txt não está acessível.

 

Cole um novo link.

[Netow 0]

Ok!

http://cjoint.com/?ADDgSohvFSe

Agora deu?

[wings 22]

*No IE, clique em [Ferramentas] > [Opções da Internet]

*Na aba "Conexões", clique [Configurações da Lan]

*Em “Usar script de configuração automática” delete a URL terminada com .pac

*Reinicie o IE

 

Informe se corrigiu.

 

 

*Baixe o Bankerfix e salve-o no desktop

*Execute-o, clique [OK] > [sIM] (se pedir alguma atualização) > [OK] > [ENTER]

*Ao finalizar, tecle [ENTER]

*Cole o relatório C:\LinhaDefensiva\relatorio.txt

[Netow 0]

Minha conexão com a internet em meu pc caiu, pois estou usando 3G, a mesma não quér se conectar e então não consigo fazer o que pedes. Posso dar a resposta e darmos continuação a outro momento, talvez amanhã quando a conexão voltar ao normal? Obrigado por toda sua ajuda até o momento!

[wings 22]

Minha conexão com a internet em meu pc caiu, pois estou usando 3G, a mesma não quér se conectar e então não consigo fazer o que pedes. Posso dar a resposta e darmos continuação a outro momento, talvez amanhã quando a conexão voltar ao normal? Obrigado por toda sua ajuda até o momento!

 

Tudo bem....aguardaremos.

[Netow 0]

Amigo, passei o bankerfix, e aparentemente o sistema está limpo!

Não aparece mais no internet explorer o link!

Você quér que eu poste mais algum logfile de algum programa?

Agradeço-te muito pela ajuda! :lol:

[wings 22]

Se está tudo OK, vamos remover os programas.

 

 

1.

*Delete o Bankerfix e a pasta C:\LinhaDefensiva

 

2.

*Execute o OTL e clique [Limpeza] > [OK]

*O PC será reiniciado

 

 

Um abraço e boa sorte. :)