Hardware.com.br
[Solved] Virus problems.

#1 By 279dr36, 24/03/2009 - 13:14
Hi guys, the technician came here about a week ago, everything was normal, anti-virus (AVG) always on. When I went to restart, that little screen appeared, I pressed Enter and then the blue screen appeared, so I had to log off, and after that it boots normally, all fine.
But is that already a virus?
Or is it some problem with the Windows files?
#47 By Wings, 25/03/2009 - 14:13
*Open Notepad, then select, copy and paste into it the entire contents of the code below:
File::
c:\windows\system32\C.tmp
c:\documents and settings\Trabalho\reader_s.exe
c:\windows\services.exe
c:\windows\services.ex_
c:\windows\system32\8.tmp
c:\windows\system32\5.tmp
c:\windows\system32\17.tmp
c:\windows\system32\15.tmp
c:\windows\system32\13.tmp
c:\windows\system32\11.tmp
c:\windows\system32\10.tmp
c:\windows\system32\E.tmp
c:\windows\system32\7.tmp
c:\windows\system32\4.tmp
c:\windows\system32\A.tmp
c:\windows\system32\3.tmp
c:\windows\system32\19.tmp
c:\windows\system32\16.tmp
C:\sqmnoopt12.sqm
C:\sqmdata12.sqm
C:\sqmnoopt11.sqm
C:\sqmdata11.sqm
C:\sqmnoopt10.sqm
C:\sqmdata10.sqm
C:\sqmnoopt09.sqm
C:\sqmdata09.sqm
C:\sqmnoopt08.sqm
C:\sqmdata08.sqm
C:\sqmnoopt07.sqm
C:\sqmdata07.sqm
c:\windows\system32\35.tmp
c:\windows\adobe.bat
c:\windows\system32\31.tmp
c:\windows\system32\2C.tmp
c:\windows\aspack.ini
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
c:\windows\system32\reader_s.exe
FCopy::
c:\windows\system32\dllcache\explorer.exe | c:\windows\explorer.exe
c:\windows\system32\dllcache\userinit.exe | c:\windows\system32\userinit.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
"services"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
"services"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"services"=-
[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"services"=-
*Save the file to the desktop as CFScript.txt
*Drag the file onto ComboFix as shown in the illustration below:
[image]
*Important: while ComboFix is running, do not use the mouse or the keyboard!!
*At the end of the procedure, the program will close automatically and the report will be displayed
*Paste the report created at C:\combofix.txt and a new HijackThis log
#50 By 279dr36, 25/03/2009 - 14:58
New HijackThis log after running NOD32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:58:31, on 25/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Windows SteadyState\SCTSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
C:\ARQUIV~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\ARQUIV~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Windows SteadyState\Bubble.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Arquivos de programas\Orbitdownloader\orbitnet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\vmware-ufad.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\WinRAR\WinRAR.exe
C:\Arquivos de programas\WinRAR\WinRAR.exe
C:\DOCUME~1\Trabalho\CONFIG~1\Temp\Rar$EX01.140\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Arquivos de programas\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Arquivos de programas\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Bubble] C:\Arquivos de programas\Windows SteadyState\Bubble.exe
O4 - HKLM\..\Run: [Logoff] C:\Arquivos de programas\Windows SteadyState\SCTUINotify.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Trabalho\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Trabalho\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O4 - Global Startup: Orbit.lnk = C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
O4 - Global Startup: Service Manager.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Serviço 'Gateway de camada de aplicativo' (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Serviço de indexação (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Alocador Remote Procedure Call (RPC) (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

--
End of file - 7609 bytes
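Added example (not part of the thread, and not code from Wings, 279dr36, ComboFix or HijackThis): a Python triage script that does over the F2 and O4 lines of the log above what post #47 did by hand, and writes the result out in the CFScript Registry:: syntax used in that post. The sample lines are copied from the log; the heuristics (an executable sitting directly in a user profile root, a core-binary name such as services.exe outside system32, anything in Policies\Explorer\Run, and flagging every hive's copy of a name once one copy is flagged), the stock UserInit value for Windows XP, and all function names are my assumptions, not anything from the tools themselves.

```python
"""Added example (not from the thread): triage HijackThis F2/O4 lines and draft a
ComboFix Registry:: section for the autorun values that look out of place."""
import re

# Constructed sample input: the F2 and O4 lines copied from the HijackThis log in post #50.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Trabalho\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Trabalho\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}
CURVER = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
# Stock Winlogon UserInit value (assumption: a Windows XP box like the one in the thread).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"
# Core binaries that always live in system32; the same name anywhere else is a red flag.
SYSTEM32_ONLY = {"services.exe", "userinit.exe", "lsass.exe", "winlogon.exe", "svchost.exe"}


def expand_key(hive):
    """Expand HijackThis shorthand, e.g. 'HKUS\\S-1-5-18\\..\\Run' -> full CurrentVersion key."""
    if "\\..\\" not in hive:
        return hive
    head, tail = hive.split("\\..\\", 1)
    short, _, sub = head.partition("\\")
    root = ROOTS[short] + ("\\" + sub if sub else "")
    return f"{root}\\{CURVER}\\{tail}"


def exe_path(cmd):
    """Strip quotes and arguments: '"C:\\a b\\x.exe" /background' -> 'C:\\a b\\x.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def why_suspicious(key, path):
    """Return a reason if the autorun target looks out of place, else None (heuristics are mine)."""
    low = path.lower()
    folder, _, base = low.rpartition("\\")
    if "policies\\explorer\\run" in key.lower():
        return "Policies\\Explorer\\Run autorun (uncommon for legitimate software)"
    if re.match(r"c:\\documents and settings\\[^\\]+\\[^\\]+$", low):
        return "executable sitting directly in a user profile root"
    if base in SYSTEM32_ONLY and not folder.endswith("\\system32"):
        return f"{base} outside system32"
    return None


def triage(log_text):
    """Parse O4 lines, flag suspicious ones, then flag every hive's copy of a flagged name."""
    entries = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        key, path = expand_key(m["hive"]), exe_path(m["cmd"])
        entries.append({"key": key, "name": m["name"], "path": path,
                        "reason": why_suspicious(key, path)})
    # The HKLM reader_s copy points into System32 and looks clean on its own; the HKCU copy is flagged.
    bad_names = {e["name"].lower() for e in entries if e["reason"]}
    for e in entries:
        if e["reason"] is None and e["name"].lower() in bad_names:
            e["reason"] = "same autorun name flagged under another hive"
    return entries


def check_userinit(log_text):
    """Return the UserInit value if it is not the stock userinit.exe entry, else None."""
    for line in log_text.strip().splitlines():
        m = USERINIT_RE.match(line)
        if m and m["val"].strip().lower() != EXPECTED_USERINIT:
            return m["val"]
    return None


def cfscript_registry_section(entries):
    """Draft the Registry:: block in CFScript syntax: [key] header, then "name"=- per flagged value."""
    by_key = {}
    for e in entries:
        if e["reason"]:
            by_key.setdefault(e["key"], []).append(e["name"])
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        tag = "SUSPECT" if e["reason"] else "ok"
        print(f"{tag:7} {e['name']:11} {e['path']}  {e['reason'] or ''}")
    hijacked = check_userinit(SAMPLE_LOG)
    if hijacked:
        print(f"\nUserInit is {hijacked!r}: restore userinit.exe from dllcache (the FCopy:: step in post #47)")
    print("\n" + cfscript_registry_section(found))
```

Run it as a script to get a verdict per O4 entry, the UserInit warning and the drafted Registry:: block. The File:: and FCopy:: parts of a CFScript still need someone who has looked at the files on disk, which is why the output here stops at the registry values; the point of the correlation step is that a copy of an autorun that sits in a plausible folder (System32) is not cleared on its own when the same name is planted elsewhere.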