iuritauros (New Member, Registered) 4 posts, 0 likes

[Resolved] HijackThis analysis

#1 By iuritauros 01/04/2010 - 10:17
[resolved]

Guys, here's the thing: I'm new here and I need your help. I've got a really annoying virus on my notebook; I formatted it but the damn thing is still on the machine. I've already used AVG and Avast, they detect it but can't remove it. The cursed thing's name is WINXP.EXE.. I searched for how to remove this virus but only found information in English. I'll post the HijackThis and AVZ logs here; whoever can help, I'll be eternally grateful..


Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:31, on 1/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\ARQUIV~1\LAUNCH~1\QtZgAcer.EXE
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe
C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\IURIEH~1\CONFIG~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\CoolSMS\CoolSMS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE
C:\Documents and Settings\Iuri E Hohlenwerger\Desktop\avz4\avz.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\ARQUIV~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Arquivos de programas\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\winxp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CoolSMS] C:\Arquivos de programas\CoolSMS\CoolSMS.exe /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 5763 bytes


AVZ log:


AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 1/4/2010 10:04:09
Database loaded: signatures - 269067, NN profile(s) - 2, malware removal microprograms - 56, signature database released 31.03.2010 14:07
Heuristic microprograms loaded: 382
PVS microprograms loaded: 9
Digital signatures of system files loaded: 191412
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 5.1.2600, Service Pack 2 ; AVZ is run with administrator rights
System Restore: Disabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055B6E0
KiST = 80503734 (284)
Function NtClose (19) intercepted (805BAEB4->AA7A9C56), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateKey (29) intercepted (80622048->AA7A9B12), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateProcessEx (30) - machine code modification Method of JmpTo. jmp AA7B6502\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateSection (32) - machine code modification Method of JmpTo. jmp AA7B6326\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (806224D8->AA7AA0C6), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (806226A8->AA7A9FF0), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BC890->AA7A96E8), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtLoadDriver (61) - machine code modification Method of JmpTo. jmp AA7B6460\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenKey (77) intercepted (806233DE->AA7A9BEC), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805C9C46->AA7A9628), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenThread (80) intercepted (805C9ED2->AA7A968C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (80620102->AA7A9D0C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtRenameKey (C0) intercepted (80621A6E->AA7AA194), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (80620450->AA7A9CCC), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80620708->AA7A9E4C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateSection (805A9DEE) - machine code modification Method of JmpTo. jmp AA7B6326 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function ObInsertObject (805C1810) - machine code modification Method of JmpTo. jmp AA7B3972 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function ObMakeTemporaryObject (805BAEDA) - machine code modification Method of JmpTo. jmp AA7B24BA \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Functions checked: 284, intercepted: 12, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = AA7B5FEE -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_CLOSE] = AA7B602E -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_WRITE] = AA7B610A -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = AA7B614A -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Checking - complete
2. Scanning RAM
Number of processes found: 37
Number of modules loaded: 364
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Danger - process debugger "drwtsn32.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Danger - process debugger "dwwinxp.exe" = "C:\WINDOWS\system32\winxp.exe"
Danger - process debugger "MSConfig.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Danger - process debugger "procexp.exe" = "\winxp.exe"
Danger - process debugger "regedit.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Danger - process debugger "rstrui.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Danger - process debugger "taskmgr.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Registro remoto)
>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)
>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)
>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)
>> Services: potentially dangerous service allowed: mnmsrvc (Compartilhamento remoto da área de trabalho do NetMeeting)
>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> System process debugger detected
>> System Restore settings blocked
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 64516, extracted from archives: 47916, malicious software found 0, suspicions - 0
Scanning finished at 1/4/2010 10:14:35
Time of scanning: 00:10:27
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference


Thanks in advance for everyone's help
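The two logs above together show the persistence trick behind WINXP.EXE: a Run entry named CTFMON that launches wscript.exe on a VBS disguised as winjpg.jpg, a second Run entry for winxp.exe, and Image File Execution Options "debugger" entries that redirect taskmgr.exe, regedit.exe, msconfig.exe, procexp.exe and rstrui.exe to the same script or to winxp.exe. As an added example that is not part of this thread, the Python triage below applies those checks to HijackThis O4 and AVZ "process debugger" lines; the sample lines are constructed after the ones quoted above, and the name sets (script hosts, spoofable names, admin tools) are my assumptions.

```python
import re

# Constructed sample, shaped after the HijackThis O4 and AVZ "process debugger"
# lines quoted in the post above. The avast and ctfmon entries are benign controls.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg',
    r'O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\winxp.exe',
    r'O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'Danger - process debugger "taskmgr.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"',
    r'Danger - process debugger "procexp.exe" = "\winxp.exe"',
    r'Function NtClose (19) intercepted (805BAEB4->AA7A9C56), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted',
]

O4_RE = re.compile(r'^O4 - (?P<hive>HK[^:]*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
IFEO_RE = re.compile(r'^Danger - process debugger "(?P<target>[^"]+)" = "(?P<cmd>.*)"$')

# Assumed name sets (not from the thread): script hosts, extensions a script host
# should never be fed, Windows names malware borrows for Run values, and the
# inspection/repair tools an IFEO "debugger" entry is typically aimed at.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
NON_SCRIPT_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".dat", ".tmp"}
SPOOFABLE_NAMES = {"ctfmon", "explorer", "svchost", "winlogon", "lsass", "services", "csrss"}
ADMIN_TOOLS = {"taskmgr.exe", "regedit.exe", "msconfig.exe", "procexp.exe", "rstrui.exe", "cmd.exe"}


def _tokens(cmd):
    """Split a command line, keeping quoted paths together and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ext(path):
    base = _basename(path)
    return base[base.rfind("."):] if "." in base else ""


def assess_command(cmd, debugger_exes=frozenset()):
    """Reasons a Run/debugger command line looks like the disguise seen in the logs."""
    reasons = []
    toks = _tokens(cmd)
    if not toks:
        return reasons
    exe = _basename(toks[0])
    if exe in SCRIPT_HOSTS:
        # A script host handed a .jpg (or similar) is a script hiding behind a fake extension.
        for arg in toks[1:]:
            if _ext(arg) in NON_SCRIPT_EXT:
                reasons.append(f"{exe} is fed a file with a non-script extension ({_basename(arg)})")
    elif exe in debugger_exes:
        reasons.append(f"{exe} is also registered as an IFEO debugger")
    return reasons


def triage(lines):
    """Return (severity, line, reason) findings for HijackThis/AVZ log lines."""
    # Pass 1: collect the binaries the IFEO entries redirect to, so a Run entry
    # launching the same binary can be tied to the hijack.
    debugger_exes = set()
    for line in lines:
        m = IFEO_RE.match(line)
        if m and _tokens(m.group("cmd")):
            debugger_exes.add(_basename(_tokens(m.group("cmd"))[0]))
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name").lower(), m.group("cmd")
            toks = _tokens(cmd)
            exe = _basename(toks[0]) if toks else ""
            reasons = assess_command(cmd, debugger_exes)
            stem = name[:-4] if name.endswith(".exe") else name
            if stem in SPOOFABLE_NAMES and exe != stem + ".exe":
                reasons.append(f"Run value is named like {stem}.exe but launches {exe}")
            findings.extend(("high", line, r) for r in reasons)
            continue
        m = IFEO_RE.match(line)
        if m:
            target, cmd = m.group("target").lower(), m.group("cmd")
            severity = "high" if target in ADMIN_TOOLS else "medium"
            reason = f"IFEO debugger redirects {target} to {cmd}"
            extra = assess_command(cmd)
            if extra:
                reason += "; " + "; ".join(extra)
            findings.append((severity, line, reason))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LINES):
        print(f"[{severity}] {reason}\n    {line}")
```

On the sample, the avast and ctfmon control entries produce no findings, while the CTFMON/wscript entry, the regdiit/winxp.exe entry and both IFEO lines are flagged high.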
Wings (Cyber Highlander, Registered) 20.3K posts, 1.2K likes
#2 By Wings
01/04/2010 - 10:24
Good morning....

*Download UsbFix and save it to the desktop
*Temporarily disable your antivirus

Right-click the Avast icon running next to the clock > select "Pause resident protection" > confirm.

*Plug the USB stick into the PC
*Double-click UsbFix
*Press P > [ENTER]
*Press 1 > [ENTER] and wait for it to finish
*Remove the USB stick
*Paste the report created at C:\UsbFix.txt
iuritauros (New Member, Registered) 4 posts, 0 likes
#5 By iuritauros
01/04/2010 - 10:38
Took a while.. I'm using my camera as a USB stick, is that okay? It's running, I'll paste the log here in a bit.. thanks

Here is the UsbFix log


############################## | UsbFix V6.100 |

User : Iuri E Hohlenwerger (Administradores) # TECHNOTA-011D4A
Update on 18/03/2010 by El Desaparecido , C_XX & Chimay8
Start at: 10:34:58 | 1/4/2010
Website : http://pagesperso-orange.fr/NosTools/index.html
Contact : [email]FindyKill.Contact@gmail.com[/email]

Genuine Intel(R) CPU T2060 @ 1.60GHz
Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2
Internet Explorer 6.0.2900.2180
Windows Firewall Status : Enabled
AV : avast! Antivirus 5.0.83886542 [ (!) Disabled | Updated ]

C:\ -> Disco fixo local # 39,06 Go (32,87 Go free) # NTFS
D:\ -> Disco fixo local # 72,73 Go (8,04 Go free) [Dados] # NTFS
E:\ -> Disco CD-ROM
F:\ -> Disco removível # 1,83 Go (1,83 Go free) # FAT32

################## | Ficheiros # pastas infeciosos |

C:\WINDOWS\System32\winjpg.jpg
C:\DOCUME~1\IURIEH~1\CONFIG~1\Temp\Setup.exe
C:\winfile.jpg
C:\HijackThis.exe
D:\winfile.jpg
F:\winfile.jpg

################## | Registro |

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "regdiit"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwinxp.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore] "DisableSR"

################## | Mountpoints2 |


################## | Vaccin |

(!) Este computador não é vacinada!

################## | ! Fim do relatório # UsbFix V6.100 ! |
iuritauros (New Member, Registered) 4 posts, 0 likes
#7 By iuritauros
01/04/2010 - 10:54
New UsbFix and HijackThis logs

UsbFix

############################## | UsbFix V6.100 |

User : Iuri E Hohlenwerger (Administradores) # TECHNOTA-011D4A
Update on 18/03/2010 by El Desaparecido , C_XX & Chimay8
Start at: 10:45:15 | 1/4/2010
Website : http://pagesperso-orange.fr/NosTools/index.html
Contact : [email]FindyKill.Contact@gmail.com[/email]

Genuine Intel(R) CPU T2060 @ 1.60GHz
Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2
Internet Explorer 6.0.2900.2180
Windows Firewall Status : Enabled
AV : avast! Antivirus 5.0.83886542 [ Enabled | Updated ]

C:\ -> Disco fixo local # 39,06 Go (32,84 Go free) # NTFS
D:\ -> Disco fixo local # 72,73 Go (8,04 Go free) [Dados] # NTFS
E:\ -> Disco CD-ROM

################## | Ficheiros # pastas infeciosos |

Supprimido ! C:\WINDOWS\System32\winjpg.jpg
Supprimido ! C:\DOCUME~1\IURIEH~1\CONFIG~1\Temp\Setup.exe
Supprimido ! C:\winfile.jpg
Supprimido ! C:\HijackThis.exe
Supprimido ! C:\Recycler\S-1-5-21-2000478354-492894223-725345543-1003
Supprimido ! D:\winfile.jpg
Supprimido ! D:\Recycler\S-1-5-21-1801674531-413027322-2147089337-1003
Supprimido ! D:\Recycler\S-1-5-21-1801674531-413027322-2147089337-1006
Supprimido ! D:\Recycler\S-1-5-21-2000478354-492894223-725345543-1003
Supprimido ! D:\Recycler\S-1-5-21-57989841-1326574676-839522115-1003
Supprimido ! D:\Recycler\S-1-5-21-776561741-1292428093-839522115-1003

################## | Registro |

Supprimido ! [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON"
Supprimido ! [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "regdiit"
Supprimido ! [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe]
Supprimido ! [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwinxp.exe]
Supprimido ! [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
Supprimido ! [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
Supprimido ! [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
Supprimido ! [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
Supprimido ! [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
Supprimido ! [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore] "DisableSR"

################## | Mountpoints2 |


################## | Listing |

[25/03/2010 18:19|--a------|0] C:\AUTOEXEC.BAT
[25/03/2010 18:13|---hs----|211] C:\boot.ini
[28/10/2001 12:06|-rahs----|4952] C:\Bootfont.bin
[25/03/2010 18:19|--a------|0] C:\CONFIG.SYS
[01/04/2010 10:11|--a------|5764] C:\hijackthis.log
[25/03/2010 18:19|-rahs----|0] C:\IO.SYS
[29/03/2010 20:29|--a------|6] C:\ISACER.ID
[25/03/2010 18:19|-rahs----|0] C:\MSDOS.SYS
[03/08/2004 22:38|-rahs----|47564] C:\NTDETECT.COM
[03/08/2004 22:59|-rahs----|251168] C:\ntldr
[?|?|?] C:\pagefile.sys
[06/06/2009 21:22|--a------|304463] C:\PenClean.exe
[01/04/2010 10:48|--a------|3074] C:\UsbFix.txt
[24/05/2008 11:21|--a------|1193] D:\Avast 4.8 Professional Serial.txt
[25/11/2009 15:46|--a------|246784] D:\MONOGRAFIA IURI CORRIGIDA 2.doc
[13/11/2009 01:43|--a------|795724] D:\Monografia Iuri E‡a Hohlenwerger 2.docx
[06/06/2009 21:22|--a------|304463] D:\PenClean.exe
[19/01/2009 16:48|--a------|60] D:\Serial Avast 15.01.2009.txt
[26/02/2009 18:12|--a------|31085936] D:\setuppor.exe

################## | Vaccinação |

(!) Este computador não é vacinada!

################## | Upload |

Favor enviar o arquivo : C:\UsbFix_Upload_Me_TECHNOTA-011D4A.zip : http://chiquitine.changelog.fr/Sample/Upload.php
Obrigado pela sua contribuição .

################## | ! Fim do relatório # UsbFix V6.100 ! |

HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:33, on 1/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\ARQUIV~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Arquivos de programas\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CoolSMS] C:\Arquivos de programas\CoolSMS\CoolSMS.exe /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 5018 bytes

Thanks, man.. problem solved
Thank you very much indeed!!!
Wings (Cyber Highlander, Registered) 20.3K posts, 1.2K likes
#8 By Wings
01/04/2010 - 11:01
1.
*Run HijackThis, click [Do a system scan only], select the entry below and click [Fix checked]

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

*Close HijackThis

2.
*Double-click UsbFix
*Press P > [ENTER]
*Press 6 > [ENTER]

The log is clean....


Cheers.