Pc intectado! Alguém pode me ajudar!

jesseweb · Julho 20, 2008

jesseweb · Julho 21, 2008

Novo Log do HijackThis

Logfile of HijackThis v1.99.1

Scan saved at 13:25:36, on 21/7/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\Google\Google Talk\googletalk.exe

C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe

C:\Arquivos de programas\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\SYSTEM32\sistray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Personal\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7D9362F8-77D8-4b29-97B5-621D550890C0} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {857ca662-f4c3-5db7-7bf3-0598d141eb41} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {f07cb4c8-e50b-e9a0-d86c-175491c28069} - (no file)

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [FreeRAM XP] "C:\Arquivos de programas\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe

O4 - Startup: Spc.lnk = C:\Arquivos de programas\Smart PC Solutions\Smart Parental Control\SPC.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: RapidShare-Download - res://C:\Documents and Settings\Personal\Meus documentos\Downloads\RapidShare - the way YOU like it!\more-rapid.exe/RsMenExt.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -

O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark.com/client/version4/w...en/AMClient.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.MSN.com/PT-BR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://69.51.67.72:90/activex/AMC.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{19EDC603-101E-4114-BCF9-A6A9C708E8DF}: NameServer = 200.199.241.17,200.199.241.38

O17 - HKLM\System\CCS\Services\Tcpip\..\{676105E3-D25A-4AB6-859F-6F85CBDBDF4E}: NameServer = 200.175.5.139,200.175.89.139

O17 - HKLM\System\CS1\Services\Tcpip\..\{19EDC603-101E-4114-BCF9-A6A9C708E8DF}: NameServer = 200.199.241.17,200.199.241.38

O17 - HKLM\System\CS2\Services\Tcpip\..\{19EDC603-101E-4114-BCF9-A6A9C708E8DF}: NameServer = 200.199.241.17,200.199.241.38

O17 - HKLM\System\CS3\Services\Tcpip\..\{19EDC603-101E-4114-BCF9-A6A9C708E8DF}: NameServer = 200.199.241.17,200.199.241.38

O17 - HKLM\System\CS4\Services\Tcpip\..\{19EDC603-101E-4114-BCF9-A6A9C708E8DF}: NameServer = 200.199.241.17,200.199.241.38

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe

O23 - Service: GoogleDesktopManager - Google - C:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Unknown owner - C:\Arquivos de programas\iPod\bin\iPodService.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

JackSSA · Julho 21, 2008

Nota: Por favor, NÃO utilize o ComboFix sozinho. É uma ferramenta poderosa criada pra lidar com infeções sofisticadas e caso não a utilize corretamente poderá danificar o seu computador. A ferramenta apenas deve ser utilizada sob supervisão de Assistentes de remoção de malware.

Baixe o Pocket KillBox

Salve em uma pasta em C:\

Sugiro que imprima ou salve os procedimentos abaixo, e não use a internet até terminado o procedimento.

Abra o KillBox e marque Delete on Reboot e na caixa Full Path of File to Delete coloque esta linha: C:\WINDOWS\SYSTEM32\tbzgynbxerhc.exe

Clique no botão , e ao perguntar Reboot Now? Clique em Não.

Abra o Hijackthis, clique em Do scan a system only, marque as entradas abaixo e clique no botão

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

O2 - BHO: (no name) - {7D9362F8-77D8-4b29-97B5-621D550890C0} - (no file)

O2 - BHO: (no name) - {857ca662-f4c3-5db7-7bf3-0598d141eb41} - (no file)

O2 - BHO: (no name) - {f07cb4c8-e50b-e9a0-d86c-175491c28069} - (no file)

Reinicie e poste um novo Log do Hijackthis feito em Modo Normal.

jesseweb · Julho 21, 2008

Fiz Tudo como recomendado! E segue abaixo o Novo Log:

Logfile of HijackThis v1.99.1

Scan saved at 17:48:28, on 21/7/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\Google\Google Talk\googletalk.exe

C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe

C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\SYSTEM32\sistray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Personal\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 27.0.0.1 www.ossoalice.it

O1 - Hosts: 127. .0.1 ossoalice.it

O1 - Hosts: 137.0.0.1 www.outlook-express-utilities.com

O1 - Hosts: !27.0.0.1 www.oxfordclockrepairs?co.uk

O1 - Hosts: 127.0.0?1 p0rt2.com

O1 - Hosts: 127. .0.1 www.paaginebianche.it

O1 - Hosts: 127/0.0.1 paaginebianche.it

O1 - Hosts: 127.0. .1 www.pafginebianche.it

O1 - Hosts: 127.0>0.1 pafginebianche.it

O1 - Hosts: 127.0.0.0 www.pafinebianche.it

O1 - Hosts: 127.0.0.0 pafinebianche.it

O1 - Hosts: 127.1.0.1 www.pagiinebianche.it

O1 - Hosts: 127.0. .1 pagimebianche.it