Fórum Script Brasil

W32.Chir.b


raphael_suporte

Question

Good afternoon friends, I'm having problems with this pest.

My log is below

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:44:40, on 22/07/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Automatos\Auto Update\aau.exe

C:\Program Files\Automatos\Desktop Agent\aengine.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\Program Files\Automatos\Software Uninstaller\CopyUninstallLogFiles.exe

C:\Program Files\Symantec AntiVirus\VPC32.exe

C:\Program Files\Symantec AntiVirus\VPC32.exe

C:\Program Files\Portable Google Talk\googletalk\googletalk.exe

C:\PVCS\Tracker\nt\pvcstkn.exe

C:\Program Files\Symantec AntiVirus\VPC32.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Symantec AntiVirus\VPC32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uedit32.exe

C:\WINDOWS\system32\svchost.exe

D:\Documents and Settings\U90640\Desktop\HiJackThis.exe

C:\WINDOWS\system32\igfxsrvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.20.164.146/central/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com/

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll

F2 - REG:system.ini: Shell=explorer.exe wproxp.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe ,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TelemarManager] "C:\Program Files\Automatos\Manager\manager.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Runonce] C:\WINDOWS\system32\runouce.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - HKUS\S-1-5-19\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Proventia Desktop Agent.lnk = ?

O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/

O15 - Trusted Zone: *.accenture.com

O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab

O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://sanapplhm01.telemar/marketing_ptb/1...x_HI_Client.cab

O16 - DPF: {941EA235-7669-4E09-8921-B8D1EAB5F71C} (Siebel Gantt Chart) - http://sanapplhm01.telemar/marketing_ptb/1...Gantt_Chart.cab

O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} (ScheduleServices.CtlScheduleServices) - https://mylearning.accenture.com/accenture/...uleServices.cab

O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab

O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://sfadev01.telemar/ecommunications_pt...x_HI_Client.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab

O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telemar.corp.net

O17 - HKLM\Software\..\Telephony: DomainName = telemar.corp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E592B3C-3D1F-4F6A-9788-A0169219B6EC}: Domain = telemar.corp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telemar.corp.net

O23 - Service: Automatos Auto Update 0 - Automatos - C:\Program Files\Automatos\Auto Update\aau.exe

O23 - Service: Automatos Desktop Agent (AutomatosDesktopAgent) - Automatos Inc. - C:\Program Files\Automatos\Desktop Agent\aengine.exe

O23 - Service: BusinessWare 3.1.7 1 - Unknown owner - C:\Program Files\Vitria\BW31\bin\win32\bserv.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)

O23 - Service: Automatos ® Uninstall (Uninstall) - Automatos Inc. - C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--

End of file - 6925 bytes

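What the log above is actually showing, as an added triage script that is not part of the original post and not HijackThis code: the two F2 lines are Winlogon persistence (Shell runs wproxp.exe next to explorer.exe, and UserInit chains wscript.exe after userinit.exe, consistent with the boot.vbs that Malwarebytes later reports in the Userinit value); the Gwpl values under the LOCAL SERVICE and NETWORK SERVICE hives launch E:\gwpl\gwpl62.exe from a non-system drive; and the Runonce value points at runouce.exe, a name one character off from the legitimate runonce.exe, which matches public descriptions of W32.Chir.B. Note that runouce.exe is still present in the last HijackThis log in this thread. Assumptions (not from the page): the set of drives treated as fixed, the list of system binary names used for the typo check, and the edit-distance heuristic; the sample lines are copied from the logs posted in this thread.

```python
"""Triage HijackThis log lines for the persistence abuse seen in this thread.

Added example; not from the original post and not HijackThis code. Flags:
  * F2 Shell= naming anything besides explorer.exe (here: wproxp.exe)
  * F2 UserInit= with any program after userinit.exe (here: wscript.exe)
  * O4 Run values under LOCAL SERVICE / NETWORK SERVICE, or launched from a
    drive not in FIXED_DRIVES (here: E:\gwpl\gwpl62.exe)
  * O4 executables one edit away from a Windows binary (runouce.exe vs
    runonce.exe); SYSTEM_BINARIES and the heuristic are assumptions
  * O2/O3 BHO or toolbar entries whose DLL is "(file missing)"
"""
import re
from dataclasses import dataclass

FIXED_DRIVES = {"C", "D"}                  # assumption: the user's fixed disks
SERVICE_SIDS = {"S-1-5-19", "S-1-5-20"}    # LOCAL SERVICE, NETWORK SERVICE
SYSTEM_BINARIES = {"runonce.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "explorer.exe", "winlogon.exe", "userinit.exe",
                   "ctfmon.exe", "services.exe", "spoolsv.exe"}
O4_RE = re.compile(r"O4 - (HKLM|HKCU|HKUS\\([^\\]+))\\\.\.\\Run(?:Once)?: "
                   r"\[([^\]]*)\]\s*(.*)")
EXE_RE = re.compile(r'([^\\/\s"]+\.exe)', re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _edit_distance_one(a, b):
    """True if a differs from b by exactly one substitution/insertion/deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_of(basename):
    """Return the system binary name that basename impersonates, or None."""
    for legit in sorted(SYSTEM_BINARIES):
        if _edit_distance_one(basename.lower(), legit):
            return legit
    return None


def check_f2(line):
    m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line)
    if not m:
        return None
    key, value = m.groups()
    if key == "Shell":                       # space separated: "explorer.exe x.exe"
        progs = [p.lower() for p in value.split()]
        extra = [p for p in progs if p != "explorer.exe"]
        if extra or not progs:
            return Finding("F2", f"Shell also launches {extra}", line)
    else:                                    # comma separated list of paths
        progs = [p.strip() for p in value.split(",") if p.strip()]
        extra = [p for p in progs if not p.lower().endswith("userinit.exe")]
        if extra:
            return Finding("F2", f"UserInit also launches {extra}", line)
    return None


def check_o4(line):
    m = O4_RE.match(line)
    if not m:
        return None
    _hive, sid, _name, cmd = m.groups()
    cmd = re.sub(r"\s*\(User '.*'\)\s*$", "", cmd).strip().strip('"')
    if sid in SERVICE_SIDS:
        return Finding("O4", f"Run value under service account {sid}: {cmd}", line)
    drive = re.match(r"([A-Za-z]):\\", cmd)
    if drive and drive.group(1).upper() not in FIXED_DRIVES:
        return Finding("O4", f"Run value launches from drive {drive.group(1)}: {cmd}", line)
    exe = EXE_RE.search(cmd)
    legit = lookalike_of(exe.group(1)) if exe else None
    if legit:
        return Finding("O4", f"{exe.group(1)} is one edit away from {legit}", line)
    return None


def check_missing(line):
    if line.startswith(("O2 - BHO:", "O3 - Toolbar:")) and "(file missing)" in line:
        return Finding(line[:2], "BHO/toolbar registered but its DLL is gone", line)
    return None


def triage(lines):
    """Run every check over the log; at most one finding per line."""
    findings = []
    for line in (l.strip() for l in lines):
        for check in (check_f2, check_o4, check_missing):
            f = check(line)
            if f:
                findings.append(f)
                break
    return findings


# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=explorer.exe wproxp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe ,
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [TelemarManager] "C:\Program Files\Automatos\Manager\manager.exe"
O4 - HKLM\..\Run: [Runonce] C:\WINDOWS\system32\runouce.exe
O4 - HKUS\S-1-5-19\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The SYSTEM ctfmon.exe entry and the HKLM entries on C: produce no finding; only the six lines that match a pattern are reported, each with the log line it came from so it can be checked against the HijackThis output before anything is fixed.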

11 answers to this question


Download Malwarebytes Anti-Malware

http://www.besttechie.net/mbam/mbam-setup.exe

  • Install it by double-clicking mbam-setup.exe.
  • Check Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, and click Finish.
  • Select Perform quick scan and then click Scan.
  • When the scan finishes, click OK and then Show Results to see the log.
  • If anything is detected, make sure everything is checked and click Remove Selected.
  • The log is saved automatically and can be viewed by clicking Logs in the program's main menu.
  • Copy and paste the contents of that log in your next reply.
  • Also post a new HijackThis log.

Jackass, I had already run this program the other day, but apparently it hadn't fixed it; let's see if it works now... well then, I'll put the log here:

from the first day:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

25/06/2009 13:12:26
mbam-log-2009-06-25 (13-12-26).txt

Scan type: Quick Scan
Objects scanned: 164428
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 2
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\imapdd.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.ActMon) -> Data: c:\windows\system32\boot.vbs -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
d:\documents and settings\U90640\Application Data\dxdlls (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\U90640_Bkp\Application Data\dxdlls (Worm.Autorun) -> Quarantined and deleted successfully.

Files Infected:
d:\documents and settings\U90640\application data\dxdlls\boot.vbs (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\U90640\application data\dxdlls\dxdlg.exe (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\U90640\application data\dxdlls\imapd.exe (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\U90640\application data\dxdlls\imapdb.dll (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\U90640\application data\dxdlls\imapdb.exe (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\U90640\application data\dxdlls\imapdc.dll (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\U90640\application data\dxdlls\imapdd.dll (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\U90640\application data\dxdlls\imapde.dll (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\U90640\application data\dxdlls\isetup.exe (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\u90640_bkp\application data\dxdlls\boot.vbs (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\u90640_bkp\application data\dxdlls\dxdlg.exe (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\u90640_bkp\application data\dxdlls\imapd.exe (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\u90640_bkp\application data\dxdlls\imapdb.dll (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\u90640_bkp\application data\dxdlls\imapdb.exe (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\u90640_bkp\application data\dxdlls\imapdc.dll (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\u90640_bkp\application data\dxdlls\imapdd.dll (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\u90640_bkp\application data\dxdlls\imapde.dll (Worm.Autorun) -> Quarantined and deleted successfully.
d:\documents and settings\u90640_bkp\application data\dxdlls\isetup.exe (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\boot.vbs (Spyware.ActMon) -> Delete on reboot.
C:\WINDOWS\system32\imapde.dll (Spyware.ActMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wproxp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\etc\hints.exe (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\imapdd.dll (Worm.Autorun) -> Delete on reboot.

____________________________________________________________________________________________________________

From today (nothing was found, but there were files in quarantine, which were removed)

Malwarebytes' Anti-Malware 1.39
Database version: 2481
Windows 5.1.2600 Service Pack 2

22/07/2009 17:30:40
mbam-log-2009-07-22 (17-30-40).txt

Scan type: Quick Scan
Objects scanned: 178028
Time elapsed: 2 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

___________________________________________________________________________________

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:43:18, on 22/07/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Automatos\Auto Update\aau.exe

C:\Program Files\Automatos\Desktop Agent\aengine.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\explorer.exe

c:\bginfo.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\runouce.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\Portable Google Talk\googletalk\googletalk.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\PVCS\Tracker\nt\pvcstkn.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

D:\Documents and Settings\U90640\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.20.164.146/portal/portal.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.telemar.corp.net:8350/wsw5.pac

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll

F2 - REG:system.ini: Shell=explorer.exe wproxp.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe ,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [skyTel]SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TelemarManager] "C:\Program Files\Automatos\Manager\manager.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Runonce] C:\WINDOWS\system32\runouce.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [innoSetupRegFile.0000000001] "C:\WINDOWS\is-D6L1K.exe" /REG

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - HKUS\S-1-5-19\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Proventia Desktop Agent.lnk = ?

O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/

O15 - Trusted Zone: *.accenture.com

O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab

O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://sanapplhm01.telemar/marketing_ptb/1...x_HI_Client.cab

O16 - DPF: {941EA235-7669-4E09-8921-B8D1EAB5F71C} (Siebel Gantt Chart) - http://sanapplhm01.telemar/marketing_ptb/1...Gantt_Chart.cab

O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} (ScheduleServices.CtlScheduleServices) - https://mylearning.accenture.com/accenture/...uleServices.cab

O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab

O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://sfadev01.telemar/ecommunications_pt...x_HI_Client.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab

O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telemar.corp.net

O17 - HKLM\Software\..\Telephony: DomainName = telemar.corp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E592B3C-3D1F-4F6A-9788-A0169219B6EC}: Domain = telemar.corp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telemar.corp.net

O23 - Service: Automatos Auto Update 0 - Automatos - C:\Program Files\Automatos\Auto Update\aau.exe

O23 - Service: Automatos Desktop Agent (AutomatosDesktopAgent) - Automatos Inc. - C:\Program Files\Automatos\Desktop Agent\aengine.exe

O23 - Service: BusinessWare 3.1.7 1 - Unknown owner - C:\Program Files\Vitria\BW31\bin\win32\bserv.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)

O23 - Service: Automatos ® Uninstall (Uninstall) - Automatos Inc. - C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--

End of file - 7885 bytes


Download Random's System Information Tool (RSIT)

http://images.malwareremoval.com/random/RSIT.exe

Save it to your desktop.

  • Run RSIT.exe
  • An information window will appear:
  • List files/folders created or modified in the last: 1 month
  • Click Continue.

When it finishes, two Notepad windows will open:

log.txt -> will open maximized

info.txt -> will open minimized.

Post the contents of the log.txt file.

A copy of these files will be saved in the C:\RSIT folder

Note: If your firewall alerts you about rsit.exe trying to connect, be sure to allow it.

======File associations======

.ini - open - "C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uedit32.exe" "%1"

.js - edit -

.js - open - "C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uedit32.exe" "%1"

.txt - open - "C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uedit32.exe" "%1"

His file associations are corrupted; let's try to restore them.

Download ComboFix and save it to the desktop.

Note: Please do not use ComboFix on your own. Incorrect use may damage your computer. The tool should only be used under the supervision of malware removal analysts.

  • Close all windows and programs and disable your antivirus and antispyware programs.
  • Double-click ComboFix.exe
  • You will be asked to install the Recovery Console; click Yes to start the download and follow the program's instructions as normal.
  • At the end, click Yes to continue the scan.
  • When prompted, press "1" and then Enter to proceed with the fix. It takes about 10 minutes on average.
  • ComboFix may restart the PC automatically to complete the removal process.
When it finishes, a log will be generated at C:\ComboFix.txt.

Attention:

Do not click on the ComboFix window or close it with the X while it is running, otherwise it will stop and your desktop will go blank.

To stop or exit ComboFix, press "2" and Enter.

Then generate a new HijackThis log and post it together with ComboFix.txt.


Go to Control Panel -> Add or Remove Programs -> find the program below and uninstall it:

AskBar BHO

Note: Connect your pen drives, mp3 and mp4 players and any other USB devices you have to the PC.

Download PenClean and save it to your desktop.

  • Run the program.
  • Select the Verificar a unidade (scan drive) option, choose Todas unidades (all drives) in the drop-down list, and then check the Log sup. box.
  • Click the Verificar (scan) button.

    <<Wait a few moments, the scan is quite fast>>

  • You will be told whether anything was found; if something is found you will be asked to restart, click Yes. The computer will restart.
  • Make a new HijackThis log and post it together with the PenClean report, which will be at C:\PenClean\PenClean.txt
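Why the PenClean step asks for every USB device to be plugged in, shown as an added example that is not from the original post and not PenClean's own code: Worm.Autorun-class malware (the classification Malwarebytes gave the dxdlls files earlier in this thread) spreads by writing an autorun.inf to the root of each removable drive; Windows XP reads the file's open=, shellexecute= and shell\<verb>\command= entries and uses them as the AutoPlay or double-click action for that drive. The script parses autorun.inf by hand and reports every launch target it names and whether that target actually exists on the drive. It builds a constructed sample drive in a temporary directory (the RECYCLER\setup.exe name and the file contents are invented for the example; nothing on this page shows the real drive's contents). The hidden/system attribute check only works on Windows and reports False elsewhere.

```python
"""Report what an autorun.inf at a drive root would launch.

Added example; not from the original post and not PenClean's code.
The [autorun] section is parsed by hand because configparser rejects
duplicate keys and treats the backslashes in shell\open\command oddly.
"""
import stat
import tempfile
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Return {key: command} for every launch directive in [autorun]."""
    section, launches = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches[key] = value
    return launches


def target_of(command):
    """Executable named by a command: '"a b.exe" /x' -> 'a b.exe'; 'a.exe /x' -> 'a.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def _is_hidden(path):
    """Windows hidden/system attribute; always False on other platforms."""
    try:
        attrs = path.stat().st_file_attributes
    except (AttributeError, OSError):
        return False
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def inspect_drive_root(root):
    """One finding per launch directive in root/autorun.inf, or [] if none."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    findings = []
    for key, command in parse_autorun_inf(inf.read_text(errors="replace")).items():
        target = target_of(command)
        path = root.joinpath(*target.replace("\\", "/").split("/"))
        findings.append({"key": key, "target": target,
                         "exists": path.is_file(), "hidden": _is_hidden(path)})
    return findings


# Constructed sample: an icon line to look innocuous, then four ways of
# hooking AutoPlay, double-click and right-click "Explore" to one payload.
SAMPLE_AUTORUN_INF = (
    "[autorun]\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "open=RECYCLER\\setup.exe\n"
    "shell\\open\\command=RECYCLER\\setup.exe\n"
    "shell\\explore\\command=RECYCLER\\setup.exe -e\n"
    "shellexecute=RECYCLER\\setup.exe\n"
)


def demo():
    """Build the constructed drive in a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "RECYCLER").mkdir()
        (root / "RECYCLER" / "setup.exe").write_bytes(b"MZ")   # stand-in payload
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        return inspect_drive_root(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['key']:<22} -> {f['target']} (exists={f['exists']}, hidden={f['hidden']})")
```

Run inspect_drive_root("E:\\") on a real stick to see the same report; a launch target that exists, is hidden, and sits under a RECYCLER or similar folder is the pattern PenClean and the Worm.Autorun signature are looking for.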


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:26:10, on 27/07/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Automatos\Auto Update\aau.exe

C:\Program Files\Automatos\Desktop Agent\aengine.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\Program Files\Automatos\Software Uninstaller\CopyUninstallLogFiles.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Portable Google Talk\googletalk\googletalk.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\PVCS\Tracker\nt\pvcstkn.exe

C:\PVCS\Tracker\nt\pvcstkn.exe

C:\Program Files\Outlook Express\msimn.exe

D:\Documents and Settings\U90640\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.20.164.146/portal/portal.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.telemar.corp.net:8350/wsw5.pac

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)

O4 - HKLM\..\Run: [skyTel]SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TelemarManager] "C:\Program Files\Automatos\Manager\manager.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Runonce] C:\WINDOWS\system32\runouce.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Proventia Desktop Agent.lnk = ?

O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/

O15 - Trusted Zone: *.accenture.com

O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab

O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://sanapplhm01.telemar/marketing_ptb/1...x_HI_Client.cab

O16 - DPF: {941EA235-7669-4E09-8921-B8D1EAB5F71C} (Siebel Gantt Chart) - http://sanapplhm01.telemar/marketing_ptb/1...Gantt_Chart.cab

O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} (ScheduleServices.CtlScheduleServices) - https://mylearning.accenture.com/accenture/...uleServices.cab

O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab

O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://sfadev01.telemar/ecommunications_pt...x_HI_Client.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab

O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telemar.corp.net

O17 - HKLM\Software\..\Telephony: DomainName = telemar.corp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E592B3C-3D1F-4F6A-9788-A0169219B6EC}: Domain = telemar.corp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telemar.corp.net

O23 - Service: Automatos Auto Update 0 - Automatos - C:\Program Files\Automatos\Auto Update\aau.exe

O23 - Service: Automatos Desktop Agent (AutomatosDesktopAgent) - Automatos Inc. - C:\Program Files\Automatos\Desktop Agent\aengine.exe

O23 - Service: BusinessWare 3.1.7 1 - Unknown owner - C:\Program Files\Vitria\BW31\bin\win32\bserv.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)

O23 - Service: Automatos ® Uninstall (Uninstall) - Automatos Inc. - C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--

End of file - 7414 bytes


Starting PenClean 2.0.6-20090606 report
By Renato Victor Mejias
renatomejias@yahoo.com.br
27/07/2009 10:31:16
-----------------------------------------------------------
-----------------------------------------------------------
Files deleted from drive D: (Resik):
No malware detected on the chosen drive!
-----------------------------------------------------------
End of analysis, the drive scanned was D:

Starting PenClean 2.0.6-20090606 report
By Renato Victor Mejias
renatomejias@yahoo.com.br
27/07/2009 10:32:26
-----------------------------------------------------------
-----------------------------------------------------------
Files deleted from drive E: (Resik):
No malware detected on the chosen drive!
-----------------------------------------------------------
End of analysis, the drive scanned was E:

Starting PenClean 2.0.6-20090606 report
By Renato Victor Mejias
renatomejias@yahoo.com.br
27/07/2009 10:32:58
-----------------------------------------------------------
No malware detected on the chosen drive!
-----------------------------------------------------------
End of analysis, the drive scanned was C:
-----------------------------------------------------------

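When reading a HijackThis log like the one above, the entries worth a second look are the O23 services whose binary is reported "(file missing)" or whose owner is "Unknown owner", the O17 DNS-suffix entries (a suffix that differs from the expected domain can redirect name resolution), and the O16 ActiveX (DPF) controls loaded from hosts that are not the organisation's own. The script below is an added example, not part of the original post or of HijackThis: it parses those three line types and flags them. The O16/O17/O23 sample lines are copied from the log above; the two lines mentioning example.invalid, the expected domain telemar.corp.net and the allow-list accenture.com are assumptions chosen to exercise the checks.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example: parses the O16 / O17 / O23 entries of an HJT log and flags the
items a responder would want to review first:
  * O23 services whose binary is "(file missing)" or whose owner is
    "Unknown owner" (orphaned or unverified service entries)
  * O17 DNS-suffix entries that disagree with the domain the machine should be on
  * O16 ActiveX (DPF) controls downloaded from a host outside an allow-list
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# HJT separates fields with " - ", which the non-greedy groups rely on.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O17_RE = re.compile(r"^O17 - (?P<key>.+?): Domain(?:Name)? = (?P<domain>\S+)$")
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.+?)\) - (?P<url>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # short category tag
    detail: str  # the evidence taken from the log line


def _host_allowed(host, trusted_domains):
    """True when host equals a trusted domain or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage(log_text, expected_domain, trusted_domains):
    """Return a list of Findings for the O16/O17/O23 lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(Finding("o23-binary-missing", f"{m['name']}: {m['path']}"))
            if m["owner"] == "Unknown owner":
                findings.append(Finding("o23-unknown-owner", f"{m['name']}: {m['path']}"))
            continue
        m = O17_RE.match(line)
        if m:
            if m["domain"].lower() != expected_domain.lower():
                findings.append(Finding("o17-domain-mismatch", f"{m['key']} = {m['domain']}"))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m["url"]).hostname
            if not _host_allowed(host, trusted_domains):
                findings.append(Finding("o16-untrusted-host", f"{m['name']} from {m['url']}"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'o23-binary-missing': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


# Sample input: lines copied from the posted log, plus two constructed lines
# (the ones naming example.invalid) that should trip the O16 and O17 checks.
SAMPLE_LOG = r"""
O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://updates.example.invalid/control.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telemar.corp.net
O17 - HKLM\Software\..\Telephony: DomainName = telemar.corp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rogue.example.invalid
O23 - Service: Automatos Auto Update 0 - Automatos - C:\Program Files\Automatos\Auto Update\aau.exe
O23 - Service: BusinessWare 3.1.7 1 - Unknown owner - C:\Program Files\Vitria\BW31\bin\win32\bserv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "telemar.corp.net", ["accenture.com"]):
        print(f"{f.kind:22} {f.detail}")
```

Run against the sample it reports the two orphaned services (bserv.exe and jqs.exe, each also flagged for "Unknown owner"), the constructed rogue DNS suffix and the constructed ActiveX control from an untrusted host; the genuine lines from the posted log produce no O16 or O17 findings. A "file missing" service is not proof of malware (uninstalled software leaves the same trace, as with the SQL Server VSS Writer entry above), but it is exactly the set of entries to verify before calling a log clean.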


Old versions of Java have vulnerabilities that some malware can use to infect your system. Check whether your system has the latest version installed:

Download JavaRa:

http://sourceforge.net/project/downloading...use_mirror=osdn

Double-click JavaRa.exe. Then click Search For Updates. Select the option Update Using jucheck.exe. Then click the Search button.

If it is up to date, you will get a notice that you have the latest version. Otherwise, wait for the new Java version to be downloaded and installed. Then click the Remove Older Versions button so that any old versions on the PC are uninstalled.

Click Start -> Run -> type ComboFix /u -> OK.

(image: cfunins.jpg)

Wait for the uninstall to finish.

It is also strongly recommended that you update your Windows to Service Pack 3. If your updates are already current, go to Windows Update to download and install Service Pack 3. If your updates are not current, you can download it from this address: Microsoft

Your log is clean. Is there still any problem with the PC?


I'm checking that now; I had to reinstall the antivirus, because it had the problem I mentioned, like other programs that don't work when the PC starts.

I'll run the antivirus and restart the PC to see if it works.

Anyway, thank you JackSSA.

On 7/23/2009 at 1:20 AM, JackSSA said:

Download Malwarebytes Anti-Malware

https://www.besttechie.net/mbam/wondershare-setup.exe

  • Install it by double-clicking mbam-setup.exe.
  • Check Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, and click Finish.
  • Select Quick Scan and then click Scan.
  • When the scan finishes, click OK and then Show Results to view the log.
  • If anything is detected, make sure everything is checked and click Remove.
  • The log is saved automatically and can be viewed by clicking Logs in the program's main menu.
  • Copy and paste the contents of that log in your next reply.
  • Also post a new HijackThis log.


It looks like you are providing instructions to download and install Malwarebytes Anti-Malware, and to run a scan using the software.
