[Archived] exmodul32.exe

This topic has been archived and is closed to new replies.

Trinitario

Hi Garcia, sorry for posting in the wrong place. I need help with the exmodul virus, as I described.

Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 14:19:58, on 23/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe
C:\ANE\ANE.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\LckFldService.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Administrador\Meus documentos\Jocley\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uff.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...ttp://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Arquivos de programas\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Mapa de caracteres para NT] "C:\windows\charmapnt.exe"
O4 - HKLM\..\Run: [babylon Client] C:\Arquivos de programas\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ffpsrv] c:\windows\ffpext\ffpsrv.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Mercora] "C:\Arquivos de programas\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [CostAware] C:\Arquivos de programas\NetInternals\CostAware\niIPCApp.exe
O4 - HKLM\..\Run: [unlockerAssistant] C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [ANE.exe] C:\ANE\ANE.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052306 serial=dr12wex-1504397-kty lang=BP
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WinMX] C:\Arquivos de programas\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Trash it Scheduler] C:\Arquivos de programas\Trash it!\Trash it Scheduler.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ADCRec] C:\Arquivos de programas\XemiComputers\ADC Sound Recorder\ADCRec.exe
O4 - HKCU\..\Run: [utility Ping] C:\Arquivos de programas\Utility Ping\Utility Ping.exe
O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Arquivos de programas\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Agenda de Telefones e Compromissos.lnk = C:\Agenda\Agenda.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARQUIV~1\DAP\DAP.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .cdx: C:\Arquivos de programas\Internet Explorer\plugins\Npcdn32.dll
O12 - Plugin for .chm: C:\Arquivos de programas\Internet Explorer\PLUGINS\Npcdn32.dll
O12 - Plugin for .fch: C:\Arquivos de programas\Internet Explorer\PLUGINS\NPC3DS.dll
O12 - Plugin for .pdb: C:\Arquivos de programas\Internet Explorer\PLUGINS\NPC3DS.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: *.moove.com
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E364BA66-EBA0-466A-912D-4AB6B28B90D6}: NameServer = 200.20.0.18,200.20.10.17
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: A1Monitor7320175135 - Unknown owner - C:\Arquivos de programas\A1Monitor\VMonitor.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Arquivos de programas\Symantec\pcAnywhere\awhost32.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: RemoteShellServer - Unknown owner - C:\Arquivos de programas\Argonne National Lab\MPICH.NT.1.2.1\RemoteShell\Bin\RemoteShellServer.exe (file missing)
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe

Hello Garcia! I've already run Panda ActiveScan. The log is below. Cheers!

Incident  Status  Location
Virus:Trj/Lootseek.BO  Disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\26exmscfgl.exe
Virus:Trj/Lootseek.BO  Disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\53exmscfgl.exe
Spyware:Cookie/2o7  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@2o7[2].txt
Spyware:Cookie/YieldManager  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@ad.yieldmanager[2].txt
Spyware:Cookie/Admotion  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@admotion.com[2].txt
Spyware:Cookie/Hbmediapro  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@adopt.hbmediapro[2].txt
Spyware:Cookie/Advertising  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@advertising[2].txt
Spyware:Cookie/Falkag  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@atdmt[1].txt
Spyware:Cookie/Atwola  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@atwola[1].txt
Spyware:Cookie/Belnk  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@belnk[1].txt
Spyware:Cookie/BurstNet  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@burstnet[1].txt
Spyware:Cookie/Casalemedia  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@casalemedia[1].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@com[2].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@de.uol.com[1].txt
Spyware:Cookie/Belnk  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@dist.belnk[2].txt
Spyware:Cookie/Doubleclick  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@doubleclick[1].txt
Spyware:Cookie/ErrorSafe  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@errorsafe[2].txt
Spyware:Cookie/FastClick  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@fastclick[2].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@google.com[1].txt
Spyware:Cookie/HotLog  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@hotlog[1].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@ig.com[1].txt
Spyware:Cookie/DomainSponsor  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@landing.domainsponsor[1].txt
Spyware:Cookie/Mediaplex  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@mediaplex[1].txt
Spyware:Cookie/2o7  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@overture[1].txt
Spyware:Cookie/Paypopup  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@paypopup[2].txt
Spyware:Cookie/QuestionMarket  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@questionmarket[1].txt
Spyware:Cookie/RealMedia  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@realmedia[1].txt
Spyware:Cookie/WUpd  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@revenue[2].txt
Spyware:Cookie/Server.iad.Liveperson  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@server.iad.liveperson[2].txt
Spyware:Cookie/SpyLog  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@spylog[2].txt
Spyware:Cookie/Statcounter  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@statcounter[2].txt
Spyware:Cookie/WebtrendsLive  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@statse.webtrendslive[1].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@terra.com[1].txt
Spyware:Cookie/Tradedoubler  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@tradedoubler[2].txt
Spyware:Cookie/Tribalfusion  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@tribalfusion[1].txt
Spyware:Cookie/Tucows  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@tucows[1].txt
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@uol.com[2].txt
Spyware:Cookie/Versiontracker  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@versiontracker[2].txt
Spyware:Cookie/WebPower  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@webpower[1].txt
Spyware:Cookie/WinFixer  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@winfixer[2].txt
Spyware:Cookie/ErrorSafe  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@www.errorsafe[2].txt
Spyware:Cookie/myaffiliateprogram  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@www.myaffiliateprogram[2].txt
Spyware:Cookie/Xiti  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@xiti[1].txt
Spyware:Cookie/Adserver  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@z1.adserver[1].txt
Spyware:Cookie/Zedo  Not disinfected  C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@zedo[2].txt


Hey Trinitario,

Download CCleaner at:

CCleaner

Run CCleaner and click Run Cleaner.

Run Panda ActiveScan again and see whether it still detects anything.

Cheers.


Hi Garcia, how are you? I did what you told me: I downloaded CCleaner and ran it, but exmodul32 keeps showing up every time I restart Windows XP. What do you suggest now? Best regards.


Hey Trinitario,

Download SilentRunners.

Extract the file SilentRunners.vbs to C:. Double-click the file to run it.

After running it, wait until a document named Startup Programs (USER) date is generated. Copy the contents of that document and paste them here.

Cheers.

Note: if your AV flags the file as a malicious script, don't worry and allow it to run.


Hi Garcia, how are you? I've done what you asked.

The contents of the file are below.

Best regards!

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"WinMX" = "C:\Arquivos de programas\WinMX\WinMX.exe -m" [file not found]

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Free Download Manager" = "C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun" [file not found]

"DateReminder" = (empty string)

"Trash it Scheduler" = "C:\Arquivos de programas\Trash it!\Trash it Scheduler.exe" [file not found]

"MessengerPlus3" = ""C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart" ["Patchou"]

"ADCRec" = "C:\Arquivos de programas\XemiComputers\ADC Sound Recorder\ADCRec.exe" [file not found]

"Utility Ping" = "C:\Arquivos de programas\Utility Ping\Utility Ping.exe" [file not found]

"Skype" = ""C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"msnmsgr" = ""C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"TkBellExe" = ""C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

"SunJavaUpdateSched" = "C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"EmsaBandwidthMonitor" = (empty string)

"Mapa de caracteres para NT" = ""C:\windows\charmapnt.exe"" [file not found]

"Babylon Client" = "C:\Arquivos de programas\Babylon\Babylon.exe -AutoStart" ["Babylon Ltd."]

"MessengerPlus3" = ""C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]

"ffpsrv" = "c:\windows\ffpext\ffpsrv.exe" [file not found]

"webHancer Agent" = ""C:\Program Files\webHancer\Programs\whAgent.exe"" [file not found]

"webHancer Survey Companion" = ""C:\Program Files\webHancer\Programs\whSurvey.exe"" [file not found]

"Mercora" = ""C:\Arquivos de programas\Mercora\MercoraClient.exe" -startup" [file not found]

"CostAware" = "C:\Arquivos de programas\NetInternals\CostAware\niIPCApp.exe" [file not found]

"UnlockerAssistant" = "C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe" [file not found]

"ANE.exe" = "C:\ANE\ANE.exe" ["NOVA ERA Informática"]

"CorelDRAW Graphics Suite 11b" = "C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052306 serial=dr12wex-1504397-kty lang=BP" [file not found]

"ISUSPM Startup" = ""C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup" ["Macrovision Corporation"]

"ISUSScheduler" = ""C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"FinePrint Dispatcher v5" = ""C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM" ["FinePrint Software, LLC"]

"avast!" = "C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"QuickTime Task" = ""C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"iTunesHelper" = ""C:\Arquivos de programas\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{259F616C-A300-44F5-B04A-ED001A26C85C}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Solid Converter PDF"

\InProcServer32\(Default) = "C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]

{40205287-E793-41AC-B95C-D8D064BA33CA}\(Default) = (no title provided)

-> {HKLM...CLSID} = "CCfg Object"

\InProcServer32\(Default) = "C:\WINDOWS\system32\mscfg.dll" ["TODO: <Company name>"]

{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"

-> {HKLM...CLSID} = "GbIehObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\Office10\msohev.dll" [MS]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

-> {HKLM...CLSID} = "Shell Search Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{9C8A2F1F-8B7D-46F9-843E-1A907BCA67D0}" = "File and Folder Protector Context Menu Handler"

-> {HKLM...CLSID} = "File and Folder Protector Context Menu Shell Extension"

\InProcServer32\(Default) = "C:\WINDOWS\ffpext\FFPExt.dll" [file not found]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {HKLM...CLSID} = "AlcoholShellEx"

\InProcServer32\(Default) = "C:\ARQUIV~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{259F616C-A300-44F5-B04A-ED001A26C85C}" = "SolidConverter extension"

-> {HKLM...CLSID} = "Solid Converter PDF"

\InProcServer32\(Default) = "C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{43886CD5-6529-41c4-A707-7B3C92C05E68}" = "IE Navigation Bar"

-> {HKLM...CLSID} = "IE Navigation Bar"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE AutoComplete"

-> {HKLM...CLSID} = "IE AutoComplete"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{4B78D326-D922-44f9-AF2A-07805C2A3560}" = "IE Menu Band"

-> {HKLM...CLSID} = "IE Menu Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{6CF48EF8-44CD-45d2-8832-A16EA016311B}" = "IE IShellFolderBand"

-> {HKLM...CLSID} = "IE IShellFolderBand"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{F2CF5485-4E02-4f68-819C-B92DE9277049}" = "&Links"

-> {HKLM...CLSID} = "&Links"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{1C1EDB47-CE22-4bbb-B608-77B48F83C823}" = "IE Fade Task"

-> {HKLM...CLSID} = "IE Fade Task"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}" = "IE Tracking Shell Menu"

-> {HKLM...CLSID} = "IE Tracking Shell Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{44C76ECD-F7FA-411c-9929-1B77BA77F524}" = "IE Menu Site"

-> {HKLM...CLSID} = "IE Menu Site"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

-> {HKLM...CLSID} = "iTunes"

\InProcServer32\(Default) = "C:\Arquivos de programas\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

INFECTION WARNING! "GinaDLL" = "C:\WINDOWS\system32\awgina.dll" ["Symantec Corporation"]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

File and Folder Protector\(Default) = "{9C8A2F1F-8B7D-46F9-843E-1A907BCA67D0}"

-> {HKLM...CLSID} = "File and Folder Protector Context Menu Shell Extension"

\InProcServer32\(Default) = "C:\WINDOWS\ffpext\FFPExt.dll" [file not found]

SolidConverterPDF\(Default) = "{259F616C-A300-44F5-B04A-ED001A26C85C}"

-> {HKLM...CLSID} = "Solid Converter PDF"

\InProcServer32\(Default) = "C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"

-> {HKLM...CLSID} = "RtClkCtxMenu Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

File and Folder Protector\(Default) = "{9C8A2F1F-8B7D-46F9-843E-1A907BCA67D0}"

-> {HKLM...CLSID} = "File and Folder Protector Context Menu Shell Extension"

\InProcServer32\(Default) = "C:\WINDOWS\ffpext\FFPExt.dll" [file not found]

LockFolder\(Default) = "{4852341A-43E6-4994-B29B-E82904992884}"

-> {HKLM...CLSID} = "LckFldMenu.Locker"

\InProcServer32\(Default) = "C:\Arquivos de programas\FolderAccess\LckFldMenu.dll" ["Topdownloads Network"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\Arquivos de programas\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

File and Folder Protector\(Default) = "{9C8A2F1F-8B7D-46F9-843E-1A907BCA67D0}"

-> {HKLM...CLSID} = "File and Folder Protector Context Menu Shell Extension"

\InProcServer32\(Default) = "C:\WINDOWS\ffpext\FFPExt.dll" [file not found]

SolidConverterPDF\(Default) = "{259F616C-A300-44F5-B04A-ED001A26C85C}"

-> {HKLM...CLSID} = "Solid Converter PDF"

\InProcServer32\(Default) = "C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"

-> {HKLM...CLSID} = "RtClkCtxMenu Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Alegria.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\G03W\Scratch\gxx.scr" [null data]

 

 

Startup items in "Administrador" & "All Users" startup folders:

---------------------------------------------------------------

 

C:\Documents and Settings\Administrador\Menu Iniciar\Programas\Inicializar

"Adobe Gamma" -> shortcut to: "C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

"Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Agenda de Telefones e Compromissos" -> shortcut to: "C:\Agenda\Agenda.exe" [file not found]

"Microsoft Office" -> shortcut to: "C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

 

 

Enabled Scheduled Tasks:

------------------------

 

"Symantec NetDetect" -> launches: "C:\Arquivos de programas\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\arquivos de programas\google\googletoolbar2.dll" [file not found]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

"{F2CF5485-4E02-4F68-819C-B92DE9277049}"

-> {HKLM...CLSID} = "&Links"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{62999427-33FC-4BAF-9C9C-BCE6BD127F08}" = "DAP Bar"

-> {HKLM...CLSID} = "DAP Bar"

\InProcServer32\(Default) = "C:\Arquivos de programas\DAP\DAPIEBar.dll" [empty string]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

-> {HKLM...CLSID} = "&Google"

\InProcServer32\(Default) = "c:\arquivos de programas\google\googletoolbar2.dll" [file not found]

"{259F616C-A300-44F5-B04A-ED001A26C85C}" = (no title provided)

-> {HKLM...CLSID} = "Solid Converter PDF"

\InProcServer32\(Default) = "C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in"

\InProcServer32\(Default) = "C:\ARQUIV~1\Java\JRE15~4.0_0\bin\ssv.dll" ["Sun Microsystems, Inc."]

 

{669695BC-A811-4A9D-8CDF-BA8C795F261C}\

"ButtonText" = "Run DAP"

"Exec" = "C:\ARQUIV~1\DAP\DAP.EXE" ["Speedbit Ltd."]

 

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\

"ButtonText" = "Yahoo! Messenger"

"MenuText" = "Yahoo! Messenger"

"Exec" = "C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [file not found]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SEARCH_PAGE_URL="&http://home.microsoft.com/intl/br/access/allinone.asp"

[strings]: SAFESITE_VALUE="search.msn.com.br"

 

Missing lines (compared with English-language version):

[strings]: 2 lines

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

avast! Antivirus, avast! Antivirus, ""C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

iPod Service, iPodService, ""C:\Arquivos de programas\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]

LckFldService, LckFldService, "C:\WINDOWS\system32\LckFldService.exe" [null data]

Lexar JD31, LxrJD31s, "LxrJD31s.exe" [null data]

Machine Debug Manager, MDM, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

pcAnywhere Host Service, awhost32, "C:\Arquivos de programas\Symantec\pcAnywhere\awhost32.exe" ["Symantec Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Keyboard Driver Filters:

------------------------

 

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

"UpperFilters" = INFECTION WARNING! "aw_host" [file not found]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Alder Fax Port\Driver = "C:\WINDOWS\system32\alderlcm.dll" [null data]

BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]

CUSTPDF Writer Monitor\Driver = "custmon2k.dll" [null data]

FPR5:\Driver = "fpmon5.dll" ["FinePrint Software, LLC"]

pcAnywhere Remote Printing\Driver = "awmon.dll" ["Symantec Corporation"]

PDF995 Monitor\Driver = "pdf995mon.dll" [null data]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 14 seconds)


Hey Trinitario,

Post a new HijackThis log.

Cheers.


Hi Garcia!

The HijackThis log is right below.

Cheers!!!

 

Logfile of HijackThis v1.99.1

Scan saved at 09:06:48, on 06/06/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe

C:\ANE\ANE.exe

C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Symantec\pcAnywhere\awhost32.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\LckFldService.exe

C:\WINDOWS\system32\LxrJD31s.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrador\Meus documentos\Jocley\Programas\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uff.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O2 - BHO: CCfg Object - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Arquivos de programas\DAP\DAPIEBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll (file missing)

O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Mapa de caracteres para NT] "C:\windows\charmapnt.exe"

O4 - HKLM\..\Run: [babylon Client] C:\Arquivos de programas\Babylon\Babylon.exe -AutoStart

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [ffpsrv] c:\windows\ffpext\ffpsrv.exe

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [Mercora] "C:\Arquivos de programas\Mercora\MercoraClient.exe" -startup

O4 - HKLM\..\Run: [CostAware] C:\Arquivos de programas\NetInternals\CostAware\niIPCApp.exe

O4 - HKLM\..\Run: [unlockerAssistant] C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe

O4 - HKLM\..\Run: [ANE.exe] C:\ANE\ANE.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052306 serial=dr12wex-1504397-kty lang=BP

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [WinMX] C:\Arquivos de programas\WinMX\WinMX.exe -m

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun

O4 - HKCU\..\Run: [Trash it Scheduler] C:\Arquivos de programas\Trash it!\Trash it Scheduler.exe

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [ADCRec] C:\Arquivos de programas\XemiComputers\ADC Sound Recorder\ADCRec.exe

O4 - HKCU\..\Run: [utility Ping] C:\Arquivos de programas\Utility Ping\Utility Ping.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Agenda de Telefones e Compromissos.lnk = C:\Agenda\Agenda.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm

O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARQUIV~1\DAP\DAP.EXE

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O12 - Plugin for .cdx: C:\Arquivos de programas\Internet Explorer\plugins\Npcdn32.dll

O12 - Plugin for .chm: C:\Arquivos de programas\Internet Explorer\PLUGINS\Npcdn32.dll

O12 - Plugin for .fch: C:\Arquivos de programas\Internet Explorer\PLUGINS\NPC3DS.dll

O12 - Plugin for .pdb: C:\Arquivos de programas\Internet Explorer\PLUGINS\NPC3DS.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: *.moove.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E364BA66-EBA0-466A-912D-4AB6B28B90D6}: NameServer = 200.20.0.18,200.20.10.17

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: A1Monitor7320175135 - Unknown owner - C:\Arquivos de programas\A1Monitor\VMonitor.EXE (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Arquivos de programas\Symantec\pcAnywhere\awhost32.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

O23 - Service: RemoteShellServer - Unknown owner - C:\Arquivos de programas\Argonne National Lab\MPICH.NT.1.2.1\RemoteShell\Bin\RemoteShellServer.exe (file missing)

O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe


Hey Trinitario,

Let's get to work.

Set Windows to show all files (including hidden ones).

Download WinsockFix.

In some cases removing webHancer causes loss of the internet connection (it may not happen to you).

If you lose the connection after uninstalling webHancer, run WinsockFix.exe and then click Fix.

Uninstall:

--> webHancer

Use Add / Remove Programs.

Uninstall it and reboot after it has been uninstalled.

NOTE: If you cannot find one or more of the programs, just move on to the next one and/or to the next step.

Step 1

Download Killbox at:

Killbox

Download it, but do not run it yet.

Step 2

Do the following:

Start --> Run --> type services.msc and click OK.

Look for the service Windows Log.

Right-click it and go to Properties.

Click Stop and change the Startup type to Disabled.

1. Run Killbox, click Delete on Reboot.

2. Copy the list below in bold to the clipboard. Select --> Edit --> Copy.

C:\Program Files\webHancer

C:\WINDOWS\system32\nvsvcd.exe

3. Go back to Killbox. Click File > Paste from clipboard. Click All Files.

4. Press "X". Answer "No" to the question.

It is wise to print this document or save it somewhere easy to reach, because in the next step we will go into Safe Mode and the internet connection will not be available.

Step 3

Restart the computer in Safe Mode (after rebooting, press the F8 key until a black DOS-style screen appears and choose Safe Mode).

Run HijackThis, click Open the Misc Tools section.

Click Delete an NT service.

Enter:

Windows Log

Delete the service.

Run HijackThis again, click Do a system scan only and check:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O15 - Trusted Zone: *.moove.com

O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe

Click Fix Checked.

Step 4

Restart in normal mode.

Post the new HijackThis log.

Awaiting your reply.

Regards.

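A small triage script for HijackThis log lines, added here as an example (it is not part of the thread and not HijackThis's own code): it parses the R/O lines and flags the four entries Garcia told Trinitario to Fix Checked. The rules (the unwanted-program list, the "Windows ..." service-name heuristic, the empty-host proxy check) are this example's own assumptions, and the input is a constructed subset of the log posted above.

```python
import re
from dataclasses import dataclass

# Sample lines taken from the second HijackThis log posted in this thread
# (a subset; the avast and awhost32 lines are included as benign controls).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uff.br/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: *.moove.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Arquivos de programas\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
"""

# Programs the helper in this thread told the poster to uninstall (assumed list).
UNWANTED_PROGRAMS = ("webhancer",)

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str      # HijackThis section, e.g. "O23"
    reason: str    # why the line deserves a Fix Checked
    line: str      # the original log line, ready to paste into a reply


def _check(kind, body):
    """Apply the triage rules to one parsed log line; return a reason or None."""
    if kind in ("R0", "R1") and ",ProxyServer =" in body:
        # ":8080" has no host part: IE is sent to a local port instead of a
        # real proxy. Garcia flagged this entry together with the webHancer removal.
        value = body.split("=", 1)[1].strip()
        if not value.split(":", 1)[0]:
            return "proxy server with empty host"
    if kind == "O4":
        m = RUN_RE.match(body)
        if m and any(p in m.group("cmd").lower() for p in UNWANTED_PROGRAMS):
            return "autorun entry belongs to a program slated for removal"
    if kind == "O15" and body.startswith("Trusted Zone: *."):
        # A wildcard Trusted Zone entry relaxes IE security for a whole domain.
        return "wildcard domain added to the Trusted Zone"
    if kind == "O23":
        m = SERVICE_RE.match(body)
        if (m and m.group("owner") == "Unknown owner"
                and m.group("name").lower().startswith("windows ")):
            # Named like a Windows component but with no Microsoft owner string:
            # the "Windows Log" / nvsvcd.exe service Garcia had removed above.
            return "unowned service named like a Windows component"
    return None


def triage(log_text):
    """Return the findings for a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        reason = _check(m.group("kind"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("kind"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Note that an "Unknown owner" on its own is not flagged: LckFldService in the same log is unowned too but belongs to the FolderAccess tool, which is why the service rule also looks at the name.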

Hi Garcia, look. I no longer intend to try to remove this virus, because it never showed up again. Daily, or almost daily, the antivirus I use used to detect it. However, for some days now it has not shown up at all. It is strange; I also did not detect anything running in the process manager I have (note: I always used to see the virus's process running when it was present on the machine). So, since then exmodul32.exe has never appeared again... Maybe its generator got corrupted, since I periodically install and uninstall programs on the computer I use. Some DLL or file it was parasitizing must have disappeared... Anyway, the virus never showed up again! What do you think about it?

Regards!

Jocley

What do you think about it?

I think you should follow the recommendations in my previous post and send a new log. ;)


TOPIC ARCHIVED

Since the author did not reply for more than 20 days, the topic has been archived.

If you are the author of the topic and want it reopened, send a private message

to a moderator of this section together with the link to this topic and explain

the reason for reopening it.
