smilekr82 - Posted July 24, 2006

Logfile of HijackThis v1.99.1 Scan saved at ?? 11:29:03, on 2006-07-23 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Thanks again. :thumbsup:
jgarcia - Posted July 25, 2006

Hi smilekr82,

Let's get started. Set Windows to show all files (including hidden ones).

Uninstall:
-> DRClean
-> CleanX

Use Add/Remove Programs. Uninstall them one at a time, and restart after doing so.

Stage 1

Download Killbox from: Killbox
Download it, but do not run it yet.

Download SpySweeper from: SpySweeper
Download it and update the database, but do not run it yet.

Stage 2

Do the following: Start --> Run --> type services.msc and click OK. Find the service l2. Right-click it and go to Properties. Click Stop and change the Startup type to Disabled.

Repeat the operation for:
netconf32
Win32 Kernel Update
SERVICE

1. Run Killbox and click Delete on Reboot.

2. Copy the list below (in bold) to the clipboard. Select --> Edit --> Copy.

C:\Program Files\DRClean
C:\Program Files\CleanX
C:\WINDOWS\System32\win32sprot.exe
C:\WINDOWS\System32\ARPMan.exe
C:\WINDOWS\System32\mssvcc.exe
C:\WINDOWS\System32\mssecure.exe
C:\WINDOWS\System32\win32bootcfg.exe
C:\WINDOWS\System32\winsystems.exe
C:\WINDOWS\system32\ll1.exe
C:\WINDOWS\system32\ll2.exe
C:\WINDOWS\netconf32.exe
C:\WINDOWS\win32host.exe
C:\WINDOWS\winlogins.exe

3. Return to Killbox. Click File > Paste from clipboard. Click All Files.

4. Click the "X". Answer "no" to the question.

It is wise to print this document or save it somewhere easy to reach, because in the next stage we will enter Safe Mode and connecting to the internet will not be possible.

Stage 3

Restart the computer in Safe Mode (after restarting, press the F8 key until a black DOS screen appears, and choose Safe Mode).

Run HijackThis and click Open the Misc Tools section. Click Delete an NT service. Enter: l2
Delete the service.

Repeat the operation for:
netconf32
Win32 Kernel Update
SERVICE

Run HijackThis again, click Do a system scan only and check:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daum.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ??
O2 - BHO: Cleanx Class - {DC9D1549-8BA3-4476-B6EA-23E263570E93} - (no file)
O4 - HKLM\..\Run: [Windows Security Protocol] win32sprot.exe
O4 - HKLM\..\Run: [ARP Manager] ARPMan.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [secures23] mssecure.exe
O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINDOWS\System32\win32bootcfg.exe
O4 - HKLM\..\Run: [DRClean] C:\Program Files\DRClean\DRCleanC.exe
O4 - HKLM\..\Run: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [Windows Security Protocol] win32sprot.exe
O4 - HKLM\..\RunServices: [secures23] mssecure.exe
O4 - HKLM\..\RunServices: [ARP Manager] ARPMan.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [Windows Security Protocol] win32sprot.exe
O4 - HKCU\..\Run: [ARP Manager] ARPMan.exe
O4 - HKCU\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe
O4 - HKCU\..\Run: [cleanx] C:\Program Files\CleanX\cleanxup.exe -h
O4 - HKCU\..\RunServices: [ARP Manager] ARPMan.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {00001024-B831-448B-9ABD-3D3DF187F359} (DaumGameStarter24 Class) - http://download.netmarble.com/web/nmstarte...meStarter24.cab
O16 - DPF: {458F5FA5-E8F8-4D7B-96FA-43419A71B5A7} (ToonsXDaum2 Control) - http://comic.daum.net/download/ToonsXDaum2.cab
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} (eBookAgent Control) - http://cp.barobook.com/ocx/eBookAgent.ocx
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.fetishboy.co.kr/MagicLockOCX.cab
O16 - DPF: {A00B2A53-60D9-4477-ADA3-60490770C5E0} (UploadList Control) - http://mail.daum.net/hanmail-ax/hanmail.cab
O16 - DPF: {B0485AF8-4034-4CCD-8CAE-69EBE198275D} (HIns Control) - http://www3.edaily.co.kr/BuyBuddy/buyactivex/BuyIns.CAB
O16 - DPF: {C3C46E1D-4929-4FE8-853E-5CD43938047D} - http://222.239.77.81/program/install/g2.cab
O23 - Service: l2 - Unknown owner - C:\WINDOWS\system32\ll2.exe (file missing)
O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
O23 - Service: SERVICE (WINDOWS) - Unknown owner - C:\WINDOWS\winlogins.exe (file missing)

Click Fix Checked.

Stage 4

Still in Safe Mode, run a full scan with SpySweeper.

Stage 5

Restart in Normal Mode. Post the new HijackThis log.

I await your reply. Regards.
smilekr82 - Posted July 25, 2006

There is no option to uninstall these programs. I will follow the procedures you gave me anyway. Thx ^^v
smilekr82 - Posted July 25, 2006

Here it is. But on entering NORMAL MODE, Spybot detected the activation of some programs that are on the list. So I blocked them, I just don't know if I did it right. Haha. Thx

Logfile of HijackThis v1.99.1 Scan saved at ?? 12:06:21, on 2006-07-25 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
jgarcia - Posted July 26, 2006

Hi smilekr82,

Run HijackThis, click Do a system scan only and check:

O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINDOWS\System32\win32bootcfg.exe
O4 - HKLM\..\Run: [DRClean] C:\Program Files\DRClean\DRCleanC.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [Windows Security Protocol] win32sprot.exe
O4 - HKLM\..\Run: [secures23] mssecure.exe
O4 - HKLM\..\Run: [ARP Manager] ARPMan.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKLM\..\RunServices: [Windows Security Protocol] win32sprot.exe
O4 - HKLM\..\RunServices: [secures23] mssecure.exe
O4 - HKLM\..\RunServices: [ARP Manager] ARPMan.exe
O4 - HKCU\..\Run: [cleanx] C:\Program Files\CleanX\cleanxup.exe -h
O4 - HKCU\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe
O4 - HKCU\..\Run: [ARP Manager] ARPMan.exe
O4 - HKCU\..\RunServices: [ARP Manager] ARPMan.exe
O16 - DPF: {217CA616-08DD-4783-9DE3-9AE02F4EB2D0} - http://dr-clean.co.kr/install/nochk/drclean.cab

Click Fix Checked.

Locate and delete:
C:\Program Files\DRClean <- the folder
C:\Program Files\CleanX <- the folder

Restart in Normal Mode. Post the new HijackThis log.

Regards.
smilekr82 - Posted July 28, 2006

I could not find the folders o.0.

Logfile of HijackThis v1.99.1 Scan saved at ?? 2:42:45, on 2006-07-29 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
jgarcia - Posted July 29, 2006

Hi smilekr82,

Run Panda's Active Scan and come back with the result.

Regards.
smilekr82 - Posted August 1, 2006

From what I understood these are cookies, so I cleaned them.

Incident - Status - Location
Spyware:Cookie/Com.com - Not disinfected - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q4uoy40l.default\cookies.txt[.google.com.br/]
Spyware:Cookie/Com.com - Not disinfected - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q4uoy40l.default\cookies.txt[.terra.com.br/]
Spyware:Cookie/Doubleclick - Not disinfected - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q4uoy40l.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Com.com - Not disinfected - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q4uoy40l.default\cookies.txt[.uol.com.br/]
Spyware:Cookie/Com.com - Not disinfected - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q4uoy40l.default\cookies.txt[de.uol.com.br/]
Spyware:Cookie/Atlas DMT - Not disinfected - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q4uoy40l.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia - Not disinfected - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q4uoy40l.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Falkag - Not disinfected - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q4uoy40l.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Com.com - Not disinfected - C:\Documents and Settings\Administrator\Cookies\administrator@google.com[2].txt
jgarcia 1 Posted August 2, 2006

Hi smilekr82,
1. Download SmitfraudFix;
2. Disable your antivirus protection (temporarily);
3. Extract the SmitFraudFix file to your desktop;
4. Restart in Safe Mode;
5. Run SmitfraudFix --> Option 2;
6. Answer yes (oui) to the question about cleaning the registry;
7. Wait for the scan to finish and the log to be generated;
8. Restart in Normal Mode;
9. Post the SmitfraudFix log (option 2) + the HijackThis log (generated in Normal Mode).
I await your reply.
Regards.
smilekr82 0 Posted August 2, 2006

SmitFraudFix v2.79
Scan done at 0:30:20.25, 2006-08-03
Run from C:\Documents and Settings\Administrator\?? ??\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
jgarcia 1 Posted August 3, 2006

Hi smilekr82,
Post a new HijackThis log.
Regards.
smilekr82 0 Posted August 3, 2006

Logfile of HijackThis v1.99.1
Scan saved at ?? 5:44:09, on 2006-08-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ezurl\easyurl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe
O2 - BHO: Ecbso Class - {031AE275-656A-407D-B6E0-6D08E78DE258} - C:\Program Files\ezurl\ecbs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowserHook Class - {09F93072-DE5E-4B5A-B347-F80FD7CB7309} - C:\WINDOWS\System32\webmailHook20051002.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DC9D1549-8BA3-4476-B6EA-23E263570E93} - (no file)
O3 - Toolbar: ???(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [ink Monitor] "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (1 ??)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P39 "EPSON Stylus Photo R200 Series (1 ??)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ANE.exe] C:\ANE\ANE.exe
O4 - HKLM\..\Run: [G2] C:\Program Files\G2\G2Main.exe
O4 - HKLM\..\Run: [HncUpdate] C:\HNC\HncUpdate.exe /A
O4 - HKLM\..\Run: [NetpiaLite] C:\HNC\Netpia\netpia.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezurl] C:\Program Files\ezurl\easyurl.exe
O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINDOWS\System32\win32bootcfg.exe
O4 - HKLM\..\Run: [DRClean] C:\Program Files\DRClean\DRCleanC.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [Windows Security Protocol] win32sprot.exe
O4 - HKLM\..\Run: [ARP Manager] ARPMan.exe
O4 - HKLM\..\Run: [bDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe
O4 - HKCU\..\Run: [cleanx] C:\Program Files\CleanX\cleanxup.exe -h
O4 - HKCU\..\Run: [ARP Manager] ARPMan.exe
O4 - HKCU\..\RunServices: [ARP Manager] ARPMan.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ?? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {00001024-B831-448B-9ABD-3D3DF187F359} -
O16 - DPF: {20AC97A6-EA84-437D-89F4-05EA923ADAD3} (RewardNetwork clxLauncher Class) - http://codebase.cleanx.co.kr/codebase/launcher/WScleanx.cab
O16 - DPF: {217CA616-08DD-4783-9DE3-9AE02F4EB2D0} -
O16 - DPF: {458F5FA5-E8F8-4D7B-96FA-43419A71B5A7} -
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} -
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} -
O16 - DPF: {A00B2A53-60D9-4477-ADA3-60490770C5E0} -
O16 - DPF: {B0485AF8-4034-4CCD-8CAE-69EBE198275D} -
O16 - DPF: {C3C46E1D-4929-4FE8-853E-5CD43938047D} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A81473-8B8B-4108-933E-8244B18AD4C3}: NameServer = 200.204.0.10 200.204.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
jgarcia 1 Posted August 8, 2006

Hi smilekr82,
Let's go.

Stage 1
1. Run Killbox, click Delete on Reboot.
2. Copy the list below, in bold, to the clipboard. Select --> Edit --> Copy.
C:\Program Files\ezurl
3. Return to Killbox. Click File > Paste from clipboard. Click All Files.
4. Press "X". Answer "no" to the question.

Stage 2
Restart the computer in Normal Mode.
Run HijackThis, click Do a system scan only and check:
O2 - BHO: Ecbso Class - {031AE275-656A-407D-B6E0-6D08E78DE258} - C:\Program Files\ezurl\ecbs.dll
O2 - BHO: (no name) - {DC9D1549-8BA3-4476-B6EA-23E263570E93} - (no file)
O4 - HKLM\..\Run: [ezurl] C:\Program Files\ezurl\easyurl.exe
O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINDOWS\System32\win32bootcfg.exe
O4 - HKLM\..\Run: [DRClean] C:\Program Files\DRClean\DRCleanC.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [Windows Security Protocol] win32sprot.exe
O4 - HKLM\..\Run: [ARP Manager] ARPMan.exe
O4 - HKCU\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe
O4 - HKCU\..\Run: [cleanx] C:\Program Files\CleanX\cleanxup.exe -h
O4 - HKCU\..\Run: [ARP Manager] ARPMan.exe
O4 - HKCU\..\RunServices: [ARP Manager] ARPMan.exe
O16 - DPF: {00001024-B831-448B-9ABD-3D3DF187F359} -
O16 - DPF: {20AC97A6-EA84-437D-89F4-05EA923ADAD3} (RewardNetwork clxLauncher Class) - http://codebase.cleanx.co.kr/codebase/launcher/WScleanx.cab
O16 - DPF: {217CA616-08DD-4783-9DE3-9AE02F4EB2D0} -
O16 - DPF: {458F5FA5-E8F8-4D7B-96FA-43419A71B5A7} -
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} -
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} -
O16 - DPF: {A00B2A53-60D9-4477-ADA3-60490770C5E0} -
O16 - DPF: {B0485AF8-4034-4CCD-8CAE-69EBE198275D} -
O16 - DPF: {C3C46E1D-4929-4FE8-853E-5CD43938047D} -
Click Fix Checked.

Stage 3
Restart in Normal Mode again.
Post the new HijackThis log.
Best regards.
smilekr82 0 Posted August 10, 2006

The computer went crazy here.. T_T
I blocked a change to the toolbar {7BD9E2A5-9F96-4B8F-8FC3-56EF2E3E7F28}.
Now the window for what is being blocked keeps popping up. All the time: "registry change denied".
Here is the log. Thanks again, jgarcia.

Logfile of HijackThis v1.99.1
Scan saved at ?? 1:39:32, on 2006-08-11
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HNC\HncUpdate.exe
C:\HNC\Netpia\netpia.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ezurl\easyurl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\HijackThis\HijackThis.exe
O2 - BHO: Ecbso Class - {031AE275-656A-407D-B6E0-6D08E78DE258} - C:\Program Files\ezurl\ecbs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowserHook Class - {09F93072-DE5E-4B5A-B347-F80FD7CB7309} - C:\WINDOWS\System32\webmailHook20051002.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DC9D1549-8BA3-4476-B6EA-23E263570E93} - (no file)
O3 - Toolbar: ???(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [ink Monitor] "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (1 ??)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P39 "EPSON Stylus Photo R200 Series (1 ??)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ANE.exe] C:\ANE\ANE.exe
O4 - HKLM\..\Run: [G2] C:\Program Files\G2\G2Main.exe
O4 - HKLM\..\Run: [HncUpdate] C:\HNC\HncUpdate.exe /A
O4 - HKLM\..\Run: [NetpiaLite] C:\HNC\Netpia\netpia.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezurl] C:\Program Files\ezurl\easyurl.exe
O4 - HKLM\..\Run: [bDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\Isass.exe
O4 - HKLM\..\Run: [winsystems25] winsystems.exe
O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINDOWS\System32\win32bootcfg.exe
O4 - HKLM\..\Run: [DRClean] C:\Program Files\DRClean\DRCleanC.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [Windows Security Protocol] win32sprot.exe
O4 - HKLM\..\Run: [ARP Manager] ARPMan.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [cleanx] C:\Program Files\CleanX\cleanxup.exe -h
O4 - HKCU\..\Run: [ARP Manager] ARPMan.exe
O4 - HKCU\..\RunServices: [ARP Manager] ARPMan.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java ?? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {00001024-B831-448B-9ABD-3D3DF187F359} -
O16 - DPF: {20AC97A6-EA84-437D-89F4-05EA923ADAD3} -
O16 - DPF: {217CA616-08DD-4783-9DE3-9AE02F4EB2D0} -
O16 - DPF: {458F5FA5-E8F8-4D7B-96FA-43419A71B5A7} -
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} -
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} -
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} -
O16 - DPF: {A00B2A53-60D9-4477-ADA3-60490770C5E0} -
O16 - DPF: {B0485AF8-4034-4CCD-8CAE-69EBE198275D} -
O16 - DPF: {C3C46E1D-4929-4FE8-853E-5CD43938047D} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
jgarcia 1 Posted August 14, 2006

Hi smilekr82,
Let's go on the attack.

Stage 1
1. Download smitRem.exe from: smitRem
Save it to your desktop. Run smitRem.exe and click Start. It will create a folder on the desktop called smitRem. Do not run it yet.
2. Download FixSF.reg from: FixSF.reg
Download it and save it as FixSF.reg on your Desktop, but do not run it yet.
3. Download Ewido from: Ewido
* Select "English" as the installation language;
* Click Next --> I Agree --> Next --> Next. Uncheck the Install background guard box, click Install and then Finish;
* In the main Ewido window click Actualizar in the left menu and then click Iniciar actualização;
* When the update finishes, you will see the message Actualizado com sucesso in the lower left corner;
* Done, but do not run it yet.
4. Download CCleaner from: CCleaner
Download it, but do not run it yet.

It is wise to print this document or save it somewhere easy to access, because in the next stage we will go into Safe Mode and an internet connection will not be possible.

Stage 2
Restart the computer in Safe Mode.
Run HijackThis, click Do a system scan only and check:
O2 - BHO: Ecbso Class - {031AE275-656A-407D-B6E0-6D08E78DE258} - C:\Program Files\ezurl\ecbs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {DC9D1549-8BA3-4476-B6EA-23E263570E93} - (no file)
O4 - HKLM\..\Run: [ezurl] C:\Program Files\ezurl\easyurl.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\Isass.exe
O4 - HKLM\..\Run: [winsystems25] winsystems.exe
O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINDOWS\System32\win32bootcfg.exe
O4 - HKLM\..\Run: [DRClean] C:\Program Files\DRClean\DRCleanC.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\Run: [Windows Security Protocol] win32sprot.exe
O4 - HKLM\..\Run: [ARP Manager] ARPMan.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKCU\..\Run: [cleanx] C:\Program Files\CleanX\cleanxup.exe -h
O4 - HKCU\..\Run: [ARP Manager] ARPMan.exe
O4 - HKCU\..\RunServices: [ARP Manager] ARPMan.exe
O16 - DPF: {00001024-B831-448B-9ABD-3D3DF187F359} -
O16 - DPF: {20AC97A6-EA84-437D-89F4-05EA923ADAD3} -
O16 - DPF: {217CA616-08DD-4783-9DE3-9AE02F4EB2D0} -
O16 - DPF: {458F5FA5-E8F8-4D7B-96FA-43419A71B5A7} -
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} -
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} -
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} -
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} -
O16 - DPF: {A00B2A53-60D9-4477-ADA3-60490770C5E0} -
O16 - DPF: {B0485AF8-4034-4CCD-8CAE-69EBE198275D} -
O16 - DPF: {C3C46E1D-4929-4FE8-853E-5CD43938047D} -
Click Fix Checked.

Stage 3
Still in Safe Mode:
1. Open the smitRem folder that should be on your desktop and run RunThis.bat. It may take some time. Be patient.
2. Double-click the FixSF.reg on your Desktop and answer "yes" to the question about the registry modifications.
3. Run a full scan with Ewido.
* Open Ewido and click Verificar --> Verificação Completa do Sistema;
* Ewido detects some legitimate programs, so do not check the box that says Executar a ação em todas as infecções. If Ewido finds a file that you believe is legitimate, choose the option "Nenhuma" and click OK. Otherwise, leave it on Remover and click OK.
* When Ewido finishes, close it.
4. Restart the computer in Normal Mode.
5. Run CCleaner and click Executar Cleaner.
6. If your Task Manager (CTRL+ALT+DEL / CTRL+SHIFT+ESC) is "disabled by the administrator", download and run task-fix.reg.

Post a new HijackThis log.
Regards.
smilekr82 0 Posted August 24, 2006

I apologize for giving you so much work, jgarcia.
Here is the log. Thx

Logfile of HijackThis v1.99.1
Scan saved at ?? 5:39:22, on 2006-08-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HijackThis\HijackThis.exe
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo! \Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ???(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo! \Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE"/P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (1 ??)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P39 "EPSON Stylus Photo R200 Series (1 ??)" /O6 "USB001" /M"Stylus Photo R200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ANE.exe] C:\ANE\ANE.exe
O4 - HKLM\..\Run: [G2] C:\Program Files\G2\G2Main.exe
O4 - HKLM\..\Run: [HncUpdate] C:\HNC\HncUpdate.exe /A
O4 - HKLM\..\Run: [NetpiaLite] C:\HNC\Netpia\netpia.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_06) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {9B987ABC-6665-4045-B2DF-453EC6EFE701} (OuStart Control) - http://www.0udisk.co.kr/ocx/OuStart.CAB
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A81473-8B8B-4108-933E-8244B18AD4C3}: NameServer = 200.204.0.10 200.204.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PE Sytray Manager - Unknown owner - C:\WINDOWS\system32\ssmc.exe (file missing)
jgarcia 1 Posted August 27, 2006

Hi smilekr82,
We have almost killed this pest. :devil: Not much left now. :hehehe:
Set Windows to show all files (including hidden ones).

Stage 1
Do the following: Start --> Run --> type services.msc and click OK.
Find the PE Sytray Manager service. Right-click it and go to Properties. Click Stop and change the Startup Type to Disabled.
1. Run Killbox, click Delete on Reboot.
2. Copy the list below, in bold, to the clipboard. Select --> Edit --> Copy.
C:\HNC\HncUpdate.exe
C:\HNC\Netpia\netpia.exe
C:\WINDOWS\system32\ll1.exe
C:\WINDOWS\system32\ssmc.exe
3. Return to Killbox. Click File > Paste from clipboard. Click All Files.
4. Press "X". Answer "no" to the question.

It is wise to print this document or save it somewhere easy to access, because in the next stage we will go into Safe Mode and an internet connection will not be possible.

Stage 2
Restart the computer in Safe Mode.
Run HijackThis, click Open the Misc Tools section. Click Delete an NT service. Enter:
PE Sytray Manager
Delete the service.
Run HijackThis again, click Do a system scan only and check:
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [HncUpdate] C:\HNC\HncUpdate.exe /A
O4 - HKLM\..\Run: [NetpiaLite] C:\HNC\Netpia\netpia.exe
O4 - HKCU\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_06) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {9B987ABC-6665-4045-B2DF-453EC6EFE701} (OuStart Control) - http://www.0udisk.co.kr/ocx/OuStart.CAB
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O23 - Service: PE Sytray Manager - Unknown owner - C:\WINDOWS\system32\ssmc.exe (file missing)
Click Fix Checked.

Stage 3
Still in Safe Mode, locate and delete:
C:\HNC <- the folder

Stage 4
Restart in Normal Mode.
Post the new HijackThis log.
I await your reply.
Best regards.
smilekr82 0 Posted August 29, 2006

Here is the log again

Logfile of HijackThis v1.99.1
Scan saved at ?? 10:51:33, on 2006-08-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ushield.exe
C:\WINDOWS\System32\mssvcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.kr/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ???(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (1 ??)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P39 "EPSON Stylus Photo R200 Series (1 ??)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ANE.exe] C:\ANE\ANE.exe
O4 - HKLM\..\Run: [G2] C:\Program Files\G2\G2Main.exe
O4 - HKLM\..\Run: [bDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [user Security Shield] ushield.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\RunServices: [user Security Shield] ushield.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [user Security Shield] ushield.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} (eBookAgent Control) - http://cp.barobook.com/ocx/eBookAgent.ocx
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab?Version=1,0,0,21
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
jgarcia 1 Posted August 29, 2006

Hi smilekr82,

Let's get to it...

Step 1
1. Run Killbox and click Delete on Reboot.
2. Copy the list below in bold to the clipboard. Select --> Edit --> Copy.

C:\WINDOWS\System32\ushield.exe
C:\WINDOWS\System32\mssvcc.exe

3. Return to Killbox. Click File > Paste from clipboard. Click All Files.
4. Click the "X". Answer "no" to the question.

It is wise to print this document or save it somewhere easy to reach, because in the next step we will enter Safe Mode and connecting to the internet will not be possible.

Step 2
Restart the computer in Safe Mode.
Run HijackThis, click Do a system scan only and check:

O4 - HKLM\..\Run: [user Security Shield] ushield.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\RunServices: [user Security Shield] ushield.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [user Security Shield] ushield.exe
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {90D1D09A-EE24-4284-8A97-D5E4C189AC10} (eBookAgent Control) - http://cp.barobook.com/ocx/eBookAgent.ocx
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O16 - DPF: {E1CDC08F-F464-4682-AE6A-7689451387C0} (CAFE multiupload control) - http://cafeimg.hanmail.net/activex/dmcm.cab?Version=1,0,0,21

Click Fix Checked.

Step 3
Restart in Normal Mode. Post the new HijackThis log.

Best regards.
smilekr82 0 Posted September 1, 2006

Logfile of HijackThis v1.99.1
Scan saved at ?? 11:54:54, on 2006-09-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.kr/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowserHook Class - {09F93072-DE5E-4B5A-B347-F80FD7CB7309} - C:\WINDOWS\System32\webmailHook20051002.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ???(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (1 ??)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P39 "EPSON Stylus Photo R200 Series (1 ??)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ANE.exe] C:\ANE\ANE.exe
O4 - HKLM\..\Run: [G2] C:\Program Files\G2\G2Main.exe
O4 - HKLM\..\Run: [bDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NetpiaLite] C:\HNC\Netpia\netpia.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2A81473-8B8B-4108-933E-8244B18AD4C3}: NameServer = 200.204.0.10 200.204.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
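An added example, not part of the thread: one way to check a follow-up HijackThis log against the entries a helper asked to fix, and to list entries that were not in the earlier log. The function names are this example's own, and the three sample strings are abridged from the logs and fix list posted above, kept run together the way the forum rendered them.

```python
import re

# Section code (R0-R3, F0-F3, O1..O23 and later) followed by " - " starts an entry.
# No word boundary is required: the forum text contains "ushield.exeO4 - ...".
ENTRY = re.compile(r"(?:R[0-3]|F[0-3]|O\d{1,2}) - ")

def split_entries(text):
    """Split log text into entries even when they were run onto one line."""
    starts = [m.start() for m in ENTRY.finditer(text)]
    ends = starts[1:] + [len(text)]
    # Collapse whitespace so an entry wrapped across lines compares equal.
    return [" ".join(text[s:e].split()) for s, e in zip(starts, ends)]

def verify_fix(before, after, targeted):
    """Report targeted entries that survived and entries new in the later log."""
    old = {e.lower() for e in split_entries(before)}
    later = split_entries(after)
    later_keys = {e.lower() for e in later}
    wanted = split_entries(targeted)
    return {
        # Targeted lines that never appeared in the earlier log (copy errors).
        "not_in_before": [e for e in wanted if e.lower() not in old],
        # Targeted lines still listed after the fix was applied.
        "still_present": [e for e in wanted if e.lower() in later_keys],
        # Lines in the later log that the earlier log did not have.
        "appeared": [e for e in later if e.lower() not in old],
    }

# Abridged sample input (assumption: a subset of each posted log is enough here).
BEFORE = r"""O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file) O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [user Security Shield] ushield.exe O4 - HKLM\..\Run: [msconfig38] mssvcc.exe O4 - HKCU\..\Run: [user Security Shield] ushield.exe"""

AFTER = r"""O2 - BHO: BrowserHook Class - {09F93072-DE5E-4B5A-B347-F80FD7CB7309} - C:\WINDOWS\System32\webmailHook20051002.dll O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [NetpiaLite] C:\HNC\Netpia\netpia.exe"""

TARGETED = r"""O4 - HKLM\..\Run: [user Security Shield] ushield.exeO4 - HKLM\..\Run: [msconfig38] mssvcc.exe O4 - HKCU\..\Run: [user Security Shield] ushield.exe"""

if __name__ == "__main__":
    for label, entries in verify_fix(BEFORE, AFTER, TARGETED).items():
        print(label)
        for entry in entries:
            print("   ", entry)
```

Entries under "appeared" are only differences between the two scans; whether each one is wanted still has to be judged by whoever reads the log.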