Fórum Script Brasil

W32.Chir.b


raphael_suporte

Question

Good afternoon friends, I'm having problems with this pest.

My log follows below:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:44:40, on 22/07/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Automatos\Auto Update\aau.exe

C:\Program Files\Automatos\Desktop Agent\aengine.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\Program Files\Automatos\Software Uninstaller\CopyUninstallLogFiles.exe

C:\Program Files\Symantec AntiVirus\VPC32.exe

C:\Program Files\Symantec AntiVirus\VPC32.exe

C:\Program Files\Portable Google Talk\googletalk\googletalk.exe

C:\PVCS\Tracker\nt\pvcstkn.exe

C:\Program Files\Symantec AntiVirus\VPC32.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Symantec AntiVirus\VPC32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uedit32.exe

C:\WINDOWS\system32\svchost.exe

D:\Documents and Settings\U90640\Desktop\HiJackThis.exe

C:\WINDOWS\system32\igfxsrvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.20.164.146/central/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com/

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll

F2 - REG:system.ini: Shell=explorer.exe wproxp.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe ,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TelemarManager] "C:\Program Files\Automatos\Manager\manager.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Runonce] C:\WINDOWS\system32\runouce.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - HKUS\S-1-5-19\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Proventia Desktop Agent.lnk = ?

O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/

O15 - Trusted Zone: *.accenture.com

O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab

O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://sanapplhm01.telemar/marketing_ptb/1...x_HI_Client.cab

O16 - DPF: {941EA235-7669-4E09-8921-B8D1EAB5F71C} (Siebel Gantt Chart) - http://sanapplhm01.telemar/marketing_ptb/1...Gantt_Chart.cab

O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} (ScheduleServices.CtlScheduleServices) - https://mylearning.accenture.com/accenture/...uleServices.cab

O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab

O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://sfadev01.telemar/ecommunications_pt...x_HI_Client.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab

O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telemar.corp.net

O17 - HKLM\Software\..\Telephony: DomainName = telemar.corp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E592B3C-3D1F-4F6A-9788-A0169219B6EC}: Domain = telemar.corp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telemar.corp.net

O23 - Service: Automatos Auto Update 0 - Automatos - C:\Program Files\Automatos\Auto Update\aau.exe

O23 - Service: Automatos Desktop Agent (AutomatosDesktopAgent) - Automatos Inc. - C:\Program Files\Automatos\Desktop Agent\aengine.exe

O23 - Service: BusinessWare 3.1.7 1 - Unknown owner - C:\Program Files\Vitria\BW31\bin\win32\bserv.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)

O23 - Service: Automatos ® Uninstall (Uninstall) - Automatos Inc. - C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--

End of file - 6925 bytes


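As an added example (not from this thread, and not part of HijackThis): a small Python triage script that applies, over the log format shown above, the two checks a helper does by eye on the F2 and O4 lines. It assumes the Windows XP defaults (Shell=explorer.exe, UserInit=C:\WINDOWS\system32\userinit.exe,) and treats C: as the system drive; the sample lines are copied from the first HijackThis log in this thread, and the "off the system drive" rule is a heuristic, not a verdict.

```python
r"""Triage of HijackThis F2 / O4 lines (added example, not from the thread).

Assumptions: Windows XP defaults Shell=explorer.exe and
UserInit=C:\WINDOWS\system32\userinit.exe, with C: as the system drive,
as in the logs posted in this thread.
"""
import re
from dataclasses import dataclass

# Winlogon defaults on Windows XP (assumption: %SystemRoot% is C:\WINDOWS).
DEFAULT_SHELL = {"explorer.exe"}
DEFAULT_USERINIT = {r"c:\windows\system32\userinit.exe"}
SYSTEM_DRIVES = {"C"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
DRIVE_RE = re.compile(r'^"?([A-Za-z]):\\')


@dataclass
class Finding:
    check: str    # which heuristic fired
    detail: str   # the offending value(s)
    raw: str      # the original log line


def _split_value(key: str, value: str) -> list:
    # Shell is space-separated ("explorer.exe wproxp.exe"); UserInit is
    # comma-separated and normally ends with a trailing comma.
    sep = "," if key == "UserInit" else " "
    return [p.strip().lower() for p in value.split(sep) if p.strip()]


def analyse_f2(lines):
    """Flag Shell/UserInit values that carry anything beyond the defaults."""
    findings = []
    for line in lines:
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        default = DEFAULT_SHELL if key == "Shell" else DEFAULT_USERINIT
        extra = [p for p in _split_value(key, value) if p not in default]
        if extra:
            findings.append(Finding(f"{key} hijack", ", ".join(extra), line.strip()))
    return findings


def analyse_o4(lines):
    """Heuristic: flag Run/RunOnce entries whose executable is off the system drive."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        d = DRIVE_RE.match(m.group("cmd"))
        if d and d.group(1).upper() not in SYSTEM_DRIVES:
            findings.append(Finding("autorun off system drive",
                                    f"[{m.group('name')}] {m.group('cmd')}",
                                    line.strip()))
    return findings


def triage(lines):
    return analyse_f2(lines) + analyse_o4(lines)


# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe wproxp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe ,
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TelemarManager] "C:\Program Files\Automatos\Manager\manager.exe"
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKUS\S-1-5-19\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'NETWORK SERVICE')
""".strip().splitlines()

# What the same two F2 keys look like on a clean XP box (constructed).
CLEAN_LOG = [
    r"F2 - REG:system.ini: Shell=explorer.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.check}: {f.detail}\n    {f.raw}")
```

Running it on the sample reports wproxp.exe appended to Shell, wscript.exe appended to UserInit, and the two Gwpl entries launched from E:.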

Download Malwarebytes Anti-Malware:

http://www.besttechie.net/mbam/mbam-setup.exe

  • Install it by double-clicking mbam-setup.exe.
  • Check Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • Select Quick Scan and then click Scan.
  • When the scan finishes, click OK and then Show Results to see the log.
  • If anything is detected, make sure everything is checked and click Remove.
  • The log is saved automatically and can be viewed by clicking Logs in the program's main menu.
  • Copy and paste the contents of that log in your next reply.
  • Also post a new HijackThis log.

Jackass, I had already run that program the other day, but apparently it hadn't solved it; let's see if it works now... well, then I'll put the log here:

From the first day:

Malwarebytes' Anti-Malware 1.38

Versão do banco de dados: 2297

Windows 5.1.2600 Service Pack 2

25/06/2009 13:12:26

mbam-log-2009-06-25 (13-12-26).txt

Tipo de Verificação: Rápida

Objetos verificados: 164428

Tempo decorrido: 9 minute(s), 29 second(s)

Processos da Memória infectados: 0

Módulos de Memória Infectados: 1

Chaves do Registro infectadas: 0

Valores do Registro infectados: 0

Ítens do Registro infectados: 4

Pastas infectadas: 2

Arquivos infectados: 23

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:

C:\WINDOWS\system32\imapdd.dll (Worm.Autorun) -> Delete on reboot.

Chaves do Registro infectadas:

(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.ActMon) -> Data: c:\windows\system32\boot.vbs -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Pastas infectadas:

d:\documents and settings\U90640\Application Data\dxdlls (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\U90640_Bkp\Application Data\dxdlls (Worm.Autorun) -> Quarantined and deleted successfully.

Arquivos infectados:

d:\documents and settings\U90640\application data\dxdlls\boot.vbs (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\U90640\application data\dxdlls\dxdlg.exe (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\U90640\application data\dxdlls\imapd.exe (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\U90640\application data\dxdlls\imapdb.dll (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\U90640\application data\dxdlls\imapdb.exe (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\U90640\application data\dxdlls\imapdc.dll (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\U90640\application data\dxdlls\imapdd.dll (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\U90640\application data\dxdlls\imapde.dll (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\U90640\application data\dxdlls\isetup.exe (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\u90640_bkp\application data\dxdlls\boot.vbs (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\u90640_bkp\application data\dxdlls\dxdlg.exe (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\u90640_bkp\application data\dxdlls\imapd.exe (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\u90640_bkp\application data\dxdlls\imapdb.dll (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\u90640_bkp\application data\dxdlls\imapdb.exe (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\u90640_bkp\application data\dxdlls\imapdc.dll (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\u90640_bkp\application data\dxdlls\imapdd.dll (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\u90640_bkp\application data\dxdlls\imapde.dll (Worm.Autorun) -> Quarantined and deleted successfully.

d:\documents and settings\u90640_bkp\application data\dxdlls\isetup.exe (Worm.Autorun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\boot.vbs (Spyware.ActMon) -> Delete on reboot.

C:\WINDOWS\system32\imapde.dll (Spyware.ActMon) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wproxp.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\etc\hints.exe (Worm.Autorun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\imapdd.dll (Worm.Autorun) -> Delete on reboot.

____________________________________________________________________________________________________________

From today (nothing was found, but there were files in quarantine that were removed):

Malwarebytes' Anti-Malware 1.39

Versão do banco de dados: 2481

Windows 5.1.2600 Service Pack 2

22/07/2009 17:30:40

mbam-log-2009-07-22 (17-30-40).txt

Tipo de Verificação: Rápida

Objetos verificados: 178028

Tempo decorrido: 2 minute(s), 15 second(s)

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 0

Valores do Registro infectados: 0

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 0

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:

(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

Arquivos infectados:

(Nenhum ítem malicioso foi detectado)

___________________________________________________________________________________

HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:43:18, on 22/07/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Automatos\Auto Update\aau.exe

C:\Program Files\Automatos\Desktop Agent\aengine.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\explorer.exe

c:\bginfo.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\runouce.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\Portable Google Talk\googletalk\googletalk.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\PVCS\Tracker\nt\pvcstkn.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

D:\Documents and Settings\U90640\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.20.164.146/portal/portal.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.telemar.corp.net:8350/wsw5.pac

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll

F2 - REG:system.ini: Shell=explorer.exe wproxp.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe ,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [skyTel]SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TelemarManager] "C:\Program Files\Automatos\Manager\manager.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Runonce] C:\WINDOWS\system32\runouce.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [innoSetupRegFile.0000000001] "C:\WINDOWS\is-D6L1K.exe" /REG

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - HKUS\S-1-5-19\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Gwpl] E:\gwpl\gwpl62.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Proventia Desktop Agent.lnk = ?

O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/

O15 - Trusted Zone: *.accenture.com

O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab

O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://sanapplhm01.telemar/marketing_ptb/1...x_HI_Client.cab

O16 - DPF: {941EA235-7669-4E09-8921-B8D1EAB5F71C} (Siebel Gantt Chart) - http://sanapplhm01.telemar/marketing_ptb/1...Gantt_Chart.cab

O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} (ScheduleServices.CtlScheduleServices) - https://mylearning.accenture.com/accenture/...uleServices.cab

O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab

O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://sfadev01.telemar/ecommunications_pt...x_HI_Client.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab

O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telemar.corp.net

O17 - HKLM\Software\..\Telephony: DomainName = telemar.corp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E592B3C-3D1F-4F6A-9788-A0169219B6EC}: Domain = telemar.corp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telemar.corp.net

O23 - Service: Automatos Auto Update 0 - Automatos - C:\Program Files\Automatos\Auto Update\aau.exe

O23 - Service: Automatos Desktop Agent (AutomatosDesktopAgent) - Automatos Inc. - C:\Program Files\Automatos\Desktop Agent\aengine.exe

O23 - Service: BusinessWare 3.1.7 1 - Unknown owner - C:\Program Files\Vitria\BW31\bin\win32\bserv.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)

O23 - Service: Automatos ® Uninstall (Uninstall) - Automatos Inc. - C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--

End of file - 7885 bytes


Download Random's System Information Tool (RSIT):

http://images.malwareremoval.com/random/RSIT.exe

Save it to your desktop.

  • Run RSIT.exe
  • An information window will appear:
  • List files/folders created or modified in the last: 1 month
  • Click Continue.

When it finishes, two Notepad windows will open:

log.txt -> opens maximized

info.txt -> opens minimized.

Post the contents of the log.txt file.

A copy of these files will be saved in the C:\RSIT folder.

Note: If your firewall warns about rsit.exe trying to connect, make sure to allow it.

======File associations======

.ini - open - "C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uedit32.exe" "%1"

.js - edit -

.js - open - "C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uedit32.exe" "%1"

.txt - open - "C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uedit32.exe" "%1"

Its file associations are corrupted; let's try to restore them.

Download ComboFix and save it to the desktop.

Note: Please do not use ComboFix on your own. Incorrect use could damage your computer. The tool should only be used under the supervision of malware removal analysts.

  • Close all windows and programs and disable your antivirus and antispyware programs.
  • Double-click ComboFix.exe
  • You will be prompted to install the Recovery Console; click Yes to start the download and follow the program's instructions normally.
  • At the end, click Yes to continue the scan.
  • When prompted, press "1" and then Enter to proceed with the Fix. It takes about 10 minutes on average.
  • ComboFix may restart the PC automatically to complete the removal process.
When it finishes, a log will be generated at C:\ComboFix.txt.

Attention:

Do not click on the ComboFix window or close it with the X while it is running, otherwise it will stop and your desktop will go blank.

To stop or exit ComboFix, press "2" and Enter.

Then generate a new log with HijackThis and post it together with ComboFix.txt.


Go to Control Panel -> Add or Remove Programs -> look for the program below and uninstall it:

AskBar BHO

Note: Connect to the PC your pen drives, mp3 and mp4 players, and any other USB devices you have.

Download PenClean and save it to your desktop.

  • Run the program.
  • Select the Check drive option; in the drop-down list, select All drives and then check the Log sup. box.
  • Click the Check button.

    <<Wait a few moments, the scan is quite fast>>

  • You will be told if anything was found; if so, you will be asked to restart, click Yes. The computer will restart.
  • Make a new HijackThis log and post it together with the PenClean report, which will be in C:\PenClean\PenClean.txt

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:26:10, on 27/07/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Automatos\Auto Update\aau.exe

C:\Program Files\Automatos\Desktop Agent\aengine.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\Program Files\Automatos\Software Uninstaller\CopyUninstallLogFiles.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Portable Google Talk\googletalk\googletalk.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\PVCS\Tracker\nt\pvcstkn.exe

C:\PVCS\Tracker\nt\pvcstkn.exe

C:\Program Files\Outlook Express\msimn.exe

D:\Documents and Settings\U90640\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.20.164.146/portal/portal.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.telemar.corp.net:8350/wsw5.pac

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)

O4 - HKLM\..\Run: [skyTel]SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TelemarManager] "C:\Program Files\Automatos\Manager\manager.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Runonce] C:\WINDOWS\system32\runouce.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: Proventia Desktop Agent.lnk = ?

O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com/

O15 - Trusted Zone: *.accenture.com

O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab

O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://sanapplhm01.telemar/marketing_ptb/1...x_HI_Client.cab

O16 - DPF: {941EA235-7669-4E09-8921-B8D1EAB5F71C} (Siebel Gantt Chart) - http://sanapplhm01.telemar/marketing_ptb/1...Gantt_Chart.cab

O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} (ScheduleServices.CtlScheduleServices) - https://mylearning.accenture.com/accenture/...uleServices.cab

O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab

O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - http://sfadev01.telemar/ecommunications_pt...x_HI_Client.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://amr1-extranet.accenture.com/dana-ca...perSetupSP1.cab

O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = telemar.corp.net

O17 - HKLM\Software\..\Telephony: DomainName = telemar.corp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E592B3C-3D1F-4F6A-9788-A0169219B6EC}: Domain = telemar.corp.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = telemar.corp.net

O23 - Service: Automatos Auto Update 0 - Automatos - C:\Program Files\Automatos\Auto Update\aau.exe

O23 - Service: Automatos Desktop Agent (AutomatosDesktopAgent) - Automatos Inc. - C:\Program Files\Automatos\Desktop Agent\aengine.exe

O23 - Service: BusinessWare 3.1.7 1 - Unknown owner - C:\Program Files\Vitria\BW31\bin\win32\bserv.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)

O23 - Service: Automatos ® Uninstall (Uninstall) - Automatos Inc. - C:\Program Files\Automatos\Software Uninstaller\Uninstall.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--

End of file - 7414 bytes


Iniciando relatório do PenClean 2.0.6-20090606

Por Renato Victor Mejias

renatomejias@yahoo.com.br

27/07/2009 10:31:16

-----------------------------------------------------------

-----------------------------------------------------------

Arquivos excluídos da unidade D: (Resik):

Malware não detectado na unidade escolhida!

-----------------------------------------------------------

Fim da análise, a unidade verificada foi D:

Iniciando relatório do PenClean 2.0.6-20090606

Por Renato Victor Mejias

renatomejias@yahoo.com.br

27/07/2009 10:32:26

-----------------------------------------------------------

-----------------------------------------------------------

Arquivos excluídos da unidade E: (Resik):

Malware não detectado na unidade escolhida!

-----------------------------------------------------------

Fim da análise, a unidade verificada foi E:

Iniciando relatório do PenClean 2.0.6-20090606

Por Renato Victor Mejias

renatomejias@yahoo.com.br

27/07/2009 10:32:58

-----------------------------------------------------------

Malware não detectado na unidade escolhida!

-----------------------------------------------------------

Fim da análise, a unidade verificada foi C:

-----------------------------------------------------------


Old versions of Java have vulnerabilities that some malware can use to infect your system. Check whether your system has the latest version installed:

Download JavaRa:

http://sourceforge.net/project/downloading...use_mirror=osdn

Double-click JavaRa.exe. Then click Search For Updates. Select the option Update Using jucheck.exe. Then click the Search button.

If it is up to date, you will get a notice that you have the latest version. Otherwise, wait for the new Java version to be downloaded and installed. Then click the Remove Older Versions button so that any old versions on the PC are uninstalled.

Click Start -> Run -> type ComboFix /u -> OK.

(screenshot: cfunins.jpg)

Wait for the uninstall to finish.

It is also strongly recommended that you update your Windows to Service Pack 3. If your updates are already current, go to Windows Update to download and install Service Pack 3. If your updates are not current, you can download it at this address: Microsoft

Your log is clean. Is there still any problem with the PC?


I'm checking that now; I had to reinstall the antivirus, because it had the problem I mentioned, as did other programs that don't work when the PC starts.

I'll run the antivirus and restart the PC to see whether it works.

Anyway, thanks JackSSA.

On 7/23/2009 at 1:20 AM, JackSSA said:

Download Malwarebytes Anti-Malware

https://www.besttechie.net/mbam/wondershare-setup.exe

  • Install it by double-clicking mbam-setup.exe.
  • Check Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, and click Finish.
  • Select Quick Scan and then click Scan.
  • When the scan finishes, click OK and then Show Results to see the log.
  • If anything is detected, make sure everything is checked and click Remove Selected.
  • The log is saved automatically and can be viewed by clicking Logs in the program's main menu.
  • Copy and paste the contents of that log into your next reply.
  • Also post a new HijackThis log.


It looks like you are providing instructions to download and install Malwarebytes Anti-Malware, and to run a scan using the software.
