
Archived

This topic has been archived and is closed to new replies.

Edvan

[Solved!] Trojan being reported all the time..


Please analyze these two logs, as the machine is showing signs of a virus...

 

 

Paulo's machine...

 

Logfile of HijackThis v1.99.1

Scan saved at 12:19:47, on 27/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\WINDOWS\system32\cmd.exe

C:\Arquivos de programas\CoolSMS\CoolSMS.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=051007 serial=dr12wex-1504397-kty lang=EN

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Arquivos de programas\AutoCAD 2002\AcPreview.ocx

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

 

 

Rita's machine

 

Logfile of HijackThis v1.99.1

Scan saved at 08:37:11, on 30/7/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\WINNT\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\explorer.exe

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\webHancer\Programs\whagent.exe

C:\Arquivos de programas\webHancer\Programs\whsurvey.exe

C:\Arquivos de programas\Svchost\svchost.exe

C:\Arquivos de programas\Winamp\winampa.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\AutoCAD 2002\acad.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jucheck.exe

C:\WINNT\System32\svchost.exe

C:\Arquivos de programas\Microsoft Office\OFFICE11\EXCEL.EXE

C:\Meus documentos\FUNCIONARIOS\PAULO\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

F2 - REG:system.ini: Shell=explorer.exe c:\windows\crss.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINNT\Downloaded Program Files\gbiehCef.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINNT\Downloaded Program Files\gbiehabn.dll

O2 - BHO: MediaCompressObj Class - {C4D8022B-93FB-493A-8C22-3224CFB4F29F} - C:\WINNT\system32\MediaCompressPlugin.dll

O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Arquivos de programas\webHancer\programs\whiehlpr.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [webHancer Agent] C:\Arquivos de programas\webHancer\Programs\whagent.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Arquivos de programas\webHancer\Programs\whsurvey.exe

O4 - HKLM\..\Run: [svchost] C:\Arquivos de programas\Svchost\svchost.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKCU\..\Run: [incrediMail] C:\Arquivos de programas\IncrediMail\bin\IncMail.exe /c

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [dark] C:\WINNT\kwxini.lnk

O4 - Global Startup: captura.bat.lnk = C:\aplic\captura.bat

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\ARQUIV~1\YAHOO!\COMMON\yhexbmesbr.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\ARQUIV~1\YAHOO!\COMMON\yhexbmesbr.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138876476814

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.atrativa.com.br/yahoo/mjolauncher.cab

O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://paulomarcio83.multiply.com/photos/uploader.cab

O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O20 - AppInit_DLLs: C:\ARQUIV~1\Google\GOOGLE~2\GOEC62~1.DLL

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

 

 

Thanks in advance for the help of all the Moderators, you are doing a fantastic job... :thumbsup: :thumbsup:
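The following is an added example for readers of this thread; it is not code from the thread, from HijackThis or from the helper tools mentioned here. It parses HijackThis v1.99 entry lines (the `R1 - ...`, `F2 - ...`, `O4 - ...` format shown in the logs above) and applies a handful of defender-side heuristics that correspond to what stands out in Rita's log: the `O10` Winsock hijack entries, the `F2` `Shell=` value that starts a second executable next to explorer.exe, the `O4` autostart that launches a `svchost.exe` living outside the system directory, an `O4` Run value that points at a `.lnk`, the `R1` `ProxyServer` value with no host (`:8080`), and `O2` BHOs marked `(no file)`. The list of system directories and the heuristics themselves are the editor's assumptions, not a HijackThis feature, and the sample input is an excerpt of the log posted above, embedded inline so the script runs offline.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: system directories seen on the machines in this thread
# (XP, 2000, and an XP install living in WINDOWS.0). Lower-case for matching.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\", "\\windows.0\\system32\\")

# A classified entry line looks like "O4 - HKLM\..\Run: [name] target".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O4"
    text: str     # everything after "O4 - "


@dataclass
class Finding:
    section: str
    reason: str
    text: str


def parse_log(log_text: str) -> list[Entry]:
    """Keep only classified entry lines; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def autostart_target(text: str) -> str:
    """Extract the launched path from an O4 entry.

    Handles 'HKLM\\..\\Run: [name] "C:\\path with spaces\\x.exe" /switch',
    the unquoted form with trailing switches, and 'Global Startup: a.lnk = C:\\x.bat'.
    """
    if text.startswith(("Global Startup:", "Startup:")):
        return text.split(" = ", 1)[1].strip() if " = " in text else ""
    rest = text.split("] ", 1)[1].strip() if "] " in text else text.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest.strip('"')
    m = re.match(r"(.*?\.(?:exe|lnk|bat|cmd|com|scr))(?:\s|$)", rest, re.IGNORECASE)
    return m.group(1) if m else rest


def find_suspicious(entries: list[Entry]) -> list[Finding]:
    """Apply the heuristics; every hit is a lead for manual review, not proof of infection."""
    findings: list[Finding] = []
    for e in entries:
        low = e.text.lower()
        if e.section == "O10":
            findings.append(Finding(e.section, "Winsock LSP chain hijacked", e.text))
        elif e.section == "F2" and "shell=" in low:
            # Shell= should contain explorer.exe and nothing else.
            extra = [p for p in low.split("shell=", 1)[1].split() if p != "explorer.exe"]
            if extra:
                findings.append(Finding(e.section, f"Shell= also starts {extra}", e.text))
        elif e.section == "O4":
            tl = autostart_target(e.text).lower()
            if tl.endswith("svchost.exe") and not any(d in tl for d in SYSTEM_DIRS):
                findings.append(Finding(e.section, "svchost.exe autostart outside the system directory", e.text))
            elif tl.endswith(".lnk"):
                findings.append(Finding(e.section, "Run value launches a .lnk shortcut instead of an executable", e.text))
        elif e.section == "R1" and "proxyserver" in low:
            value = e.text.split("=", 1)[1].strip() if "=" in e.text else ""
            host = value.rsplit(":", 1)[0] if ":" in value else value
            if not host:
                findings.append(Finding(e.section, "ProxyServer set with no host (malformed proxy setting)", e.text))
        elif e.section == "O2" and "(no file)" in low:
            findings.append(Finding(e.section, "BHO registered but its file is missing (orphaned CLSID)", e.text))
    return findings


def triage(log_text: str) -> list[Finding]:
    return find_suspicious(parse_log(log_text))


# Excerpt of the Rita-machine log posted in this thread, embedded as sample input.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\system32\svchost.exe
C:\Arquivos de programas\Svchost\svchost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080
F2 - REG:system.ini: Shell=explorer.exe c:\windows\crss.exe
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [svchost] C:\Arquivos de programas\Svchost\svchost.exe
O4 - HKCU\..\Run: [dark] C:\WINNT\kwxini.lnk
O4 - Global Startup: captura.bat.lnk = C:\aplic\captura.bat
O10 - Hijacked Internet access by WebHancer
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.text}")
```

Run it as a script to list the six flagged entries from the excerpt; the AVG autostart, the Java BHO, the Global Startup shortcut (whose target is a `.bat`, not a `.lnk`) and the AVG service are left alone. The point of keeping the heuristics this narrow is that a HijackThis log is a list of load points, not a verdict: the script only tells a reviewer where to look first.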


Hey Edvan,

Download ComboFix at:

ComboFix

1) Double-click combofix.exe and press "Y" to proceed. The process takes about 10 minutes on average;

2) ComboFix will restart the PC automatically so that the removal process can finish (only if there is an infection);

3) When the scan finishes, a log will be generated at C:\ComboFix.txt;

4) Do not click on the ComboFix window or close it with the X while the tool is running, as this will mess up your desktop configuration (it will go completely white);

5) To stop or exit ComboFix, press "N";

6) I need you to paste the contents of ComboFix.txt in your next reply.

Regards.

PS: Post the logs separately, as in your initial post.


Rita's machine

 

 

 

ComboFix 07-08-04.3 - "Personal" 07/08/2007 9:04:05.1 [GMT -3:00] - FAT32

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1046.18.Verdadeiro

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Arquivos de programas\webhancer

C:\Arquivos de programas\webhancer\Programs\license.txt

C:\Arquivos de programas\webhancer\Programs\readme.txt

C:\Arquivos de programas\webhancer\Programs\sporder.dll

C:\Arquivos de programas\webhancer\Programs\webhdll.dll

C:\Arquivos de programas\webhancer\Programs\whagent.exe

C:\Arquivos de programas\webhancer\Programs\whagent.ini

C:\Arquivos de programas\webhancer\Programs\whiehlpr.dll

C:\Arquivos de programas\webhancer\Programs\whinstaller.exe

C:\Arquivos de programas\webhancer\Programs\whsurvey.exe

C:\Arquivos de programas\webhancer\Programs\whSurvey.ini

 

 

((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))

 

 

2007-08-07 09:04 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_348.dat

2007-08-07 09:03 51,200 --a------ C:\WINNT\nircmd.exe

2007-07-13 18:25 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_2cc.dat

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

28/05/07 08:26 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_408.dat

27/07/07 18:18 1632 --a------ C:\WINNT\system32\d3d8caps.dat

19/01/07 08:54 99008 --a------ C:\Arquivos de programas\avg75avwt_440a914.exe

01/02/06 16:17 271 ---h----- C:\Arquivos de programas\desktop.ini

01/02/06 16:17 22040 ---h----- C:\Arquivos de programas\folder.htt

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4D8022B-93FB-493A-8C22-3224CFB4F29F}]

21/09/06 08:27 163840 --a------ C:\WINNT\system32\MediaCompressPlugin.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe" [19/06/03 12:05 C:\WINNT\system32\mobsync.exe]

"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [24/04/07 08:36 ]

"MessengerPlus3"="C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [05/10/06 14:46 ]

"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [16/09/05 08:43 ]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [06/02/06 10:49 ]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe" [10/11/05 13:03 ]

"Svchost"="C:\Arquivos de programas\Svchost\svchost.exe" [03/03/06 08:40 ]

"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [21/06/06 14:14 ]

"Google Desktop Search"="C:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" [14/08/06 14:01 ]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IncrediMail"="C:\Arquivos de programas\IncrediMail\bin\IncMail.exe" [29/01/06 15:22 ]

"MessengerPlus3"="C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" [05/10/06 14:46 ]

"CoolSMS"="" []

"dark"="C:\WINNT\kwxini.lnk" [29/06/07 08:15 ]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"^SetupICWDesktop"=C:\Arquivos de programas\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"internat.exe"=internat.exe

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

captura.bat.lnk - C:\aplic\captura.bat [2006-12-06 10:53:35]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\WINNT\Downloaded Program Files\gbiehabn.dll [10/01/07 13:08 222392]

"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= C:\WINNT\Downloaded Program Files\gbiehCef.dll [04/08/06 11:25 211264]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=C:\ARQUIV~1\Google\GOOGLE~2\GOEC62~1.DLL

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

@="Driver"

 

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys

R3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys

S2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe

S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS

S3 lsermous;Logitech Serial Mouse Driver;C:\WINNT\system32\DRIVERS\lsermous.sys

S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys

S3 P1130VID;Creative WebCam NX Pro;C:\WINNT\system32\DRIVERS\P1130Vid.sys

 

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-07 09:06:05

Windows 5.0.2195 Service Pack 4 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 07/08/2007 9:06:31

C:\ComboFix-quarantined-files.txt ... 07/08/07 09:06

 

--- E O F ---

 

 

Note: I'll send the log from Paulo's machine later, since his room is locked...


Hey Edvan,

Post a new HijackThis log (Rita's machine).

Regards.


HijackThis log (Rita's machine) generated. Let me know if you need anything...

 

Logfile of HijackThis v1.99.1

Scan saved at 13:00:53, on 9/8/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\WINNT\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\Svchost\svchost.exe

C:\Arquivos de programas\Winamp\winampa.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jucheck.exe

C:\WINNT\System32\svchost.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\Personal\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINNT\Downloaded Program Files\gbiehCef.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINNT\Downloaded Program Files\gbiehabn.dll

O2 - BHO: MediaCompressObj Class - {C4D8022B-93FB-493A-8C22-3224CFB4F29F} - C:\WINNT\system32\MediaCompressPlugin.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [svchost] C:\Arquivos de programas\Svchost\svchost.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKCU\..\Run: [incrediMail] C:\Arquivos de programas\IncrediMail\bin\IncMail.exe /c

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [dark] C:\WINNT\kwxini.lnk

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - Global Startup: captura.bat.lnk = C:\aplic\captura.bat

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\ARQUIV~1\YAHOO!\COMMON\yhexbmesbr.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\ARQUIV~1\YAHOO!\COMMON\yhexbmesbr.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138876476814

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.atrativa.com.br/yahoo/mjolauncher.cab

O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://paulomarcio83.multiply.com/photos/uploader.cab

O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O20 - AppInit_DLLs: C:\ARQUIV~1\Google\GOOGLE~2\GOEC62~1.DLL

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe


Hey Edvan,

1. Download BankerFix.

2. Temporarily disable your anti-virus.

3. Double-click bankerfix.exe. A message will appear saying that it will be downloaded over the internet. Click Ok -> Ok. Press Enter and wait for the scan to finish.

4. When the scan finishes, read the message on screen and press Enter again.

5. Re-enable your anti-virus.

6. Come back with a new HijackThis log, together with BankerFix's relatorio.txt (it will be in C:\LinhaDefensiva\).

7. After posting your reply you may delete the LinhaDefensiva folder on C:.

Regards.


Note: Paulo's and Rita's machines have already been resolved.... thanks for the help, Garcia...

Garcia, please take a look at this log from ALEXANDRE'S machine...

Alexandre's PC keeps showing viruses constantly.......

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 16:12:00, on 21/08/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS.0\System32\smss.exe

C:\WINDOWS.0\system32\winlogon.exe

C:\WINDOWS.0\system32\services.exe

C:\WINDOWS.0\system32\lsass.exe

C:\WINDOWS.0\system32\svchost.exe

C:\WINDOWS.0\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS.0\Explorer.EXE

C:\WINDOWS.0\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe

C:\WINDOWS.0\system32\VTTimer.exe

C:\WINDOWS.0\system32\VTtrayp.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\WinZip\WZQKPICK.EXE

C:\Arquivos de programas\Eset\nod32krn.exe

C:\WINDOWS.0\system32\svchost.exe

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS.0\system32\wscntfy.exe

C:\WINDOWS.0\System32\svchost.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashSimpl.exe

C:\Documents and Settings\Administrador.USUARIO-731F849\Dados de aplicativos\Simply Super Software\Trojan Remover\acf10E1.exe

C:\Documents and Settings\Administrador.USUARIO-731F849\Dados de aplicativos\Simply Super Software\Trojan Remover\acf10E1.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS.0\system32\wuauclt.exe

C:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [Auto EPSON Stylus CX4100 Series em VENUS] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P40 "Auto EPSON Stylus CX4100 Series em VENUS" /O19 "\\VENUS\Impressora6" /M "Stylus CX4100"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TrojanScanner] C:\Arquivos de programas\Trojan Remover\Trjscan.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A001F4F-2DCB-4A4B-9AB3-3509F7B7DD41}: NameServer = 192.168.1.1

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

O23 - Service: PostgreSQL Database Server (cadunico) (pgsql-cadunico) - PostgreSQL Global Development Group - C:\ARQUIV~1\Caixa\CADUNI~1\bin\pg_ctl.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

 

Awaiting replies..... :thumbsup: :thumbsup:

 

 

 

Armando's PC........

 

Logfile of HijackThis v1.99.1

Scan saved at 14:56:18, on 22/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

C:\Arquivos de programas\D-Link\AirPlus G\AirGCFG.exe

C:\Arquivos de programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

C:\Arquivos de programas\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\System32\svchost.exe

C:\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Arquivos de programas\D-Link\AirPlus G\AirGCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Arquivos de programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O17 - HKLM\System\CCS\Services\Tcpip\..\{B157CC24-7327-4E78-9BA5-A227131F662C}: NameServer = 192.168.0.4

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Arquivos de programas\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Garcia, here on my city's network every PC that opens www.google.com.br shows the image below:

 

What could it be? Could there be a virus on the network? This image appears on every computer..... even the city hall PCs too...

 

 

[image: versevirusfp5.jpg]


Hey Edvan,

 

Follow the instructions in Post # 2.

 

Regards.


Hello Garcia, good afternoon. I wanted to follow up on the previous posts... Machine 1, which is Paulo's, and Machine 2, which is Rita's, but unfortunately my boss asked to have them formatted.. by the time I found out, both PCs had already been formatted... that's why I put that note saying the computers were resolved.... sorry for not explaining..

 

If you could look at the other two logs I'd be grateful.. Alexandre's and Armando's... and please take a look at the photo I posted... because I found it suspicious..

 

Thanks in advance...


You got mixed up... I need you to run the steps from Post # 2 on Alexandre's and Armando's PCs. ;)

 

As for the image, I need you to check which addresses are behind the links in the passage below:

 

"In the meantime, we suggest you use an antivirus or spyware-detection application..."

... to do this, just hover the mouse over the link, right-click and choose Properties.

 

Awaiting your reply.

 

Regards.


Log from Alexandre's PC; I'll do the other one, Armando's, afterwards...

 

 

 

ComboFix 07-08-30.3 - "Administrador" 2007-08-31 14:32:26.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.172 [GMT -3:00]

* Created a new restore point

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Autorun.inf

 

 

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))

 

 

2007-08-31 14:31 51,200 --a------ C:\WINDOWS.0\nircmd.exe

2007-08-31 13:33 <DIR> d-------- C:\Mixesoft

2007-08-30 09:33 <DIR> d-------- C:\Arquivos de programas\PacWriter

2007-08-27 08:18 82,258 --a------ C:\WINDOWS.0\system32\drivers\klin.dat

2007-08-27 08:18 82,258 --a------ C:\WINDOWS.0\system32\drivers\klick.dat

2007-08-27 08:18 27,424 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.dat

2007-08-27 08:18 2,689,824 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.dat

2007-08-27 08:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\Kaspersky Lab

2007-08-27 08:18 <DIR> d-------- C:\Arquivos de programas\Kaspersky Lab

2007-08-27 08:00 <DIR> d-------- C:\WINDOWS.0\BDOSCAN8

2007-08-22 10:27 <DIR> d-------- C:\DOCUME~1\JEJ\Meus documentos

2007-08-21 16:10 218,112 --a------ C:\HijackThis.exe

2007-08-21 16:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\TEMP

2007-08-20 11:37 18,176 --a------ C:\WINDOWS.0\system32\drivers\sermouse.sys

2007-08-20 09:26 302,592 --a------ C:\WINDOWS.0\IsUn0407.exe

2007-08-20 09:26 <DIR> d-------- C:\Arquivos de programas\my-world

2007-08-20 08:25 139,264 --a------ C:\WINDOWS.0\NeoUninstall.exe

2007-08-20 08:25 <DIR> d-------- C:\Program Files

2007-08-17 14:54 <DIR> d-------- C:\Arquivos de programas\eMule

2007-08-13 11:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\ImgBurn

2007-08-08 14:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\WinZip

2007-08-08 14:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\Google

2007-08-08 14:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\Google

2007-08-08 14:26 <DIR> d-------- C:\Arquivos de programas\Google

2007-08-06 13:18 <DIR> d-------- C:\Arquivos de programas\Cartoonist

2007-08-01 09:49 299,520 --a------ C:\WINDOWS.0\uninst.exe

2007-08-01 09:24 <DIR> d-------- C:\WINDOWS.0\pss

2007-07-26 09:14 <DIR> d-------- C:\DOCUME~1\CLIENT~1\Meus documentos

2007-07-26 09:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\EPSON

2007-07-24 08:12 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\SWF Studio

2007-07-23 14:31 46,080 --a------ C:\WINDOWS.0\system32\escimgd.dll

2007-07-23 14:31 29,696 --a------ C:\WINDOWS.0\system32\escwiad.dll

2007-07-23 14:31 22,016 --a------ C:\WINDOWS.0\system32\esccmd.dll

2007-07-12 13:47 <DIR> d-------- C:\Arquivos de programas\Winamp

2007-07-12 11:21 <DIR> d---s---- C:\DOCUME~1\ADMINI~1.USU\UserData

2007-07-12 09:35 <DIR> d-------- C:\Arquivos de programas\Horrum

2007-07-11 20:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\Contacts

2007-07-11 20:15 <DIR> d----c--- C:\WINDOWS.0\system32\DRVSTORE

2007-07-11 17:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\Lavasoft

2007-07-11 17:40 <DIR> d-------- C:\Arquivos de programas\Lavasoft

2007-07-11 17:03 3,269 --a------ C:\CefCubStat.DAT

2007-07-11 17:03 165,376 --a------ C:\WINDOWS.0\system32\UNWISE.EXE

2007-07-11 17:03 <DIR> d-------- C:\CAIXA

2007-07-11 08:59 916,849 --a------ C:\WINDOWS.0\system32\libiconv-2.dll

2007-07-11 08:59 32,256 --a------ C:\WINDOWS.0\system32\libintl-2.dll

2007-07-11 08:59 200,704 --a------ C:\WINDOWS.0\system32\ssleay32.dll

2007-07-11 08:59 154,758 --a------ C:\WINDOWS.0\system32\libpq.dll

2007-07-11 08:59 1,064,960 --a------ C:\WINDOWS.0\system32\libeay32.dll

2007-07-11 08:59 <DIR> dr-h----- C:\DOCUME~1\cadunico\Dados de aplicativos

2007-07-11 08:59 <DIR> dr------- C:\DOCUME~1\cadunico\Menu Iniciar

2007-07-11 08:59 <DIR> d--h----- C:\DOCUME~1\cadunico\Modelos

2007-07-11 08:59 <DIR> d--h----- C:\DOCUME~1\cadunico\Configura‡äes locais

2007-07-11 08:59 <DIR> d--h----- C:\DOCUME~1\cadunico\Ambiente de rede

2007-07-11 08:59 <DIR> d--h----- C:\DOCUME~1\cadunico\Ambiente de impressÆo

2007-07-11 08:59 <DIR> d-------- C:\DOCUME~1\cadunico\nodtmpb

2007-07-11 08:59 <DIR> d-------- C:\DOCUME~1\cadunico\Meus documentos

2007-07-11 08:59 <DIR> d-------- C:\DOCUME~1\cadunico\Favoritos

2007-07-11 08:59 <DIR> d-------- C:\DOCUME~1\cadunico\DADOSD~1\Real

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-08-31 10:55 37724 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.idx

2007-08-31 10:55 2972 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.idx

2007-08-20 08:00 --------- d-------- C:\Arquivos de programas\GameTop.com

2007-08-20 07:18 --------- d-------- C:\Arquivos de programas\MSN Messenger

2007-07-23 14:31 --------- d-------- C:\Arquivos de programas\epson

2007-07-19 13:28 --------- d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\Real

2007-06-15 10:21 219648 --a------ C:\WINDOWS.0\system32\uxtheme.dll

2007-06-15 10:21 219648 --a------ C:\WINDOWS.0\system32\dllcache\uxtheme.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]

"VTTimer"="VTTimer.exe" [2004-07-12 22:57 C:\WINDOWS.0\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2004-06-21 15:57 C:\WINDOWS.0\system32\VTTrayp.exe]

"Auto EPSON Stylus CX4100 Series em VENUS"="C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.exe" [2005-03-08 00:00]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"AVP"="C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 20:50]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"

"tscuninstall"=%systemroot%\system32\tscupgrd.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSharedDocuments"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users.WINDOWS.0\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS.0\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users.WINDOWS.0\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS.0\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4100 Series]

C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P26 "EPSON Stylus CX4100 Series" /O6 "USB001" /M "Stylus CX4100"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS.0\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

C:\Arquivos de programas\Winamp\winampa.exe

 

R2 pgsql-cadunico;PostgreSQL Database Server (cadunico);C:\ARQUIV~1\Caixa\CADUNI~1\bin\pg_ctl.exe runservice -N "pgsql-cadunico" -D "C:\ARQUIV~1\Caixa\CADUNI~1\data\"

S0 viasraid;viasraid;C:\WINDOWS.0\system32\drivers\viasraid.sys

 

*Newly Created Service* - CATCHME

 

Contents of the 'Scheduled Tasks' folder

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At1.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-31 12:00:00 C:\WINDOWS.0\Tasks\At10.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-31 13:00:00 C:\WINDOWS.0\Tasks\At11.job

2007-08-30 14:00:00 C:\WINDOWS.0\Tasks\At12.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-30 15:00:00 C:\WINDOWS.0\Tasks\At13.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-30 16:00:00 C:\WINDOWS.0\Tasks\At14.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-31 17:00:00 C:\WINDOWS.0\Tasks\At15.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-30 18:00:00 C:\WINDOWS.0\Tasks\At16.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-30 19:00:00 C:\WINDOWS.0\Tasks\At17.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-22 20:00:00 C:\WINDOWS.0\Tasks\At18.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At19.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At2.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-20 22:00:00 C:\WINDOWS.0\Tasks\At20.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At21.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At22.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At23.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At24.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At3.job

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At4.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At5.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At6.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At7.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-28 10:00:00 C:\WINDOWS.0\Tasks\At8.job - C:\WINDOWS.0\system32\GMXqs588.exe

2007-08-31 11:00:00 C:\WINDOWS.0\Tasks\At9.job - C:\WINDOWS.0\system32\GMXqs588.exe

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-31 14:41:29

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-08-31 14:43:37

C:\ComboFix-quarantined-files.txt ... 2007-08-31 14:43

 

--- E O F ---

 

 

Logfile of HijackThis v1.99.1

Scan saved at 14:48:36, on 31/08/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS.0\System32\smss.exe

C:\WINDOWS.0\system32\winlogon.exe

C:\WINDOWS.0\system32\services.exe

C:\WINDOWS.0\system32\lsass.exe

C:\WINDOWS.0\system32\svchost.exe

C:\WINDOWS.0\System32\svchost.exe

C:\WINDOWS.0\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe

C:\WINDOWS.0\system32\VTTimer.exe

C:\WINDOWS.0\system32\VTtrayp.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\WinZip\WZQKPICK.EXE

C:\WINDOWS.0\system32\svchost.exe

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS.0\system32\wscntfy.exe

C:\WINDOWS.0\System32\svchost.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\WINDOWS.0\explorer.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [Auto EPSON Stylus CX4100 Series em VENUS] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P40 "Auto EPSON Stylus CX4100 Series em VENUS" /O19 "\\VENUS\Impressora6" /M "Stylus CX4100"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A001F4F-2DCB-4A4B-9AB3-3509F7B7DD41}: NameServer = 192.168.1.1

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: klogon - C:\WINDOWS.0\system32\klogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\WPDShServiceObj.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: PostgreSQL Database Server (cadunico) (pgsql-cadunico) - PostgreSQL Global Development Group - C:\ARQUIV~1\Caixa\CADUNI~1\bin\pg_ctl.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

 

 

 

 

P.S.: as for the image, those messages about an "antivirus or spyware-detection application" are no longer appearing


Hey Edvan,

 

Here we go.

 

Set Windows to show all files (including hidden ones).

 

Step 1

 

Download Killbox at:

Killbox

 

1. Run Killbox and click Delete on Reboot.

 

2. Copy the bold list below to the clipboard. Select it all with the mouse --> go to the Edit menu in the browser bar --> click Copy.

 

C:\WINDOWS.0\Tasks\At1.job

C:\WINDOWS.0\Tasks\At2.job

C:\WINDOWS.0\Tasks\At3.job

C:\WINDOWS.0\Tasks\At4.job

C:\WINDOWS.0\Tasks\At6.job

C:\WINDOWS.0\Tasks\At7.job

C:\WINDOWS.0\Tasks\At8.job

C:\WINDOWS.0\Tasks\At9.job

C:\WINDOWS.0\Tasks\At10.job

C:\WINDOWS.0\Tasks\At11.job

C:\WINDOWS.0\Tasks\At12.job

C:\WINDOWS.0\Tasks\At13.job

C:\WINDOWS.0\Tasks\At14.job

C:\WINDOWS.0\Tasks\At15.job

C:\WINDOWS.0\Tasks\At16.job

C:\WINDOWS.0\Tasks\At17.job

C:\WINDOWS.0\Tasks\At18.job

C:\WINDOWS.0\Tasks\At19.job

C:\WINDOWS.0\Tasks\At20.job

C:\WINDOWS.0\Tasks\At21.job

C:\WINDOWS.0\Tasks\At22.job

C:\WINDOWS.0\Tasks\At23.job

C:\WINDOWS.0\Tasks\At24.job

C:\WINDOWS.0\system32\GMXqs588.exe

C:\WINDOWS.0\IsUn0407.exe

 

3. Return to Killbox. Click File > Paste from clipboard. Click All Files.

 

4. Press "X". Answer "no" to the prompt.

 

Step 2

 

Restart in Normal Mode.

 

Delete the contents of the C:\!Killbox folder.

 

Post new ComboFix and HijackThis logs.

 

Regards.

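The pattern the removal list above targets, two dozen AtN.job tasks in the ComboFix log that all launch one executable out of system32, can be picked out of the log mechanically rather than by eye. The Python below is an added example, not code from this thread or from ComboFix: it parses lines in the format of ComboFix's "Scheduled Tasks" section (the sample is constructed from paths in the log above plus one invented benign Backup.job entry), groups At*.job tasks by what they run, and flags any target wired to several of them; the min_jobs threshold is an assumption.

```python
"""Spot the scheduled-task persistence pattern from the ComboFix log above:
many AtN.job tasks that all launch the same executable."""
import re
from collections import defaultdict

# Constructed sample in the format of ComboFix's "Scheduled Tasks" section.
# Job/target paths are taken from the log in this thread; the Backup.job line
# is an invented benign entry used as a control.
SAMPLE_TASKS = r"""
Contents of the 'Scheduled Tasks' folder
2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At1.job - C:\WINDOWS.0\system32\GMXqs588.exe
2007-08-31 12:00:00 C:\WINDOWS.0\Tasks\At10.job - C:\WINDOWS.0\system32\GMXqs588.exe
2007-08-31 13:00:00 C:\WINDOWS.0\Tasks\At11.job
2007-08-30 14:00:00 C:\WINDOWS.0\Tasks\At12.job - C:\WINDOWS.0\system32\GMXqs588.exe
2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At2.job - C:\WINDOWS.0\system32\GMXqs588.exe
2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At3.job
2007-08-20 09:00:00 C:\WINDOWS.0\Tasks\Backup.job - C:\Arquivos de programas\Backup\backup.exe
"""

# "<timestamp> <job file>[ - <command the job runs>]"; the target is absent
# when ComboFix could not read the job (At3.job and At11.job above).
TASK_LINE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<job>.+?\.job)"
    r"(?: - (?P<target>.+))?$"
)
# AtN.job is the name at.exe / NetScheduleJobAdd give each job they create,
# one per scheduled run, which is why an hourly launcher leaves 24 of them.
AT_JOB = re.compile(r"\\At\d+\.job$", re.IGNORECASE)


def parse_tasks(text):
    """Return [(job_path, target_or_None)] for every task line in the section."""
    tasks = []
    for line in text.splitlines():
        m = TASK_LINE.match(line.strip())
        if m:
            tasks.append((m.group("job"), m.group("target")))
    return tasks


def flag_at_persistence(tasks, min_jobs=3):
    """Group At*.job tasks by the command they run.

    Returns (flagged, orphans): flagged maps each target referenced by at
    least min_jobs At jobs (threshold is an assumption) to those job files;
    orphans lists At jobs whose target could not be read, which belong in the
    same cleanup because they were created the same way.
    """
    by_target = defaultdict(list)
    orphans = []
    for job, target in tasks:
        if not AT_JOB.search(job):
            continue  # a named task such as Backup.job is not part of the pattern
        if target is None:
            orphans.append(job)
        else:
            by_target[target].append(job)
    flagged = {t: jobs for t, jobs in by_target.items() if len(jobs) >= min_jobs}
    return flagged, orphans


def cleanup_paths(tasks, min_jobs=3):
    """Paths a removal list would contain: every flagged job file, the
    executable they all launch, and the orphan At jobs."""
    flagged, orphans = flag_at_persistence(tasks, min_jobs)
    paths = []
    for target, jobs in flagged.items():
        paths.extend(jobs)
        paths.append(target)
    paths.extend(orphans)
    return paths


if __name__ == "__main__":
    found = parse_tasks(SAMPLE_TASKS)
    hits, unread = flag_at_persistence(found)
    for target, jobs in hits.items():
        print(f"{target}: launched by {len(jobs)} At jobs")
    print("orphan At jobs:", unread)
    print("cleanup list:", cleanup_paths(found))
```

Run it against the full "Contents of the 'Scheduled Tasks' folder" block of a ComboFix log to get the same kind of list the helper typed out by hand; the executable itself still needs to be checked before anything is deleted.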

Alexandre's PC is done; here is what you asked for, both logs are new...

 

 

ComboFix 07-08-30.3 - "Administrador" 2007-08-31 17:24:09.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.147 [GMT -3:00]

 

 

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))

 

 

2007-08-31 17:07 <DIR> d-------- C:\!KillBox

2007-08-31 14:31 51,200 --a------ C:\WINDOWS.0\nircmd.exe

2007-08-31 13:33 <DIR> d-------- C:\Mixesoft

2007-08-30 09:33 <DIR> d-------- C:\Arquivos de programas\PacWriter

2007-08-27 08:18 82,258 --a------ C:\WINDOWS.0\system32\drivers\klin.dat

2007-08-27 08:18 82,258 --a------ C:\WINDOWS.0\system32\drivers\klick.dat

2007-08-27 08:18 32,288 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.dat

2007-08-27 08:18 2,858,272 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.dat

2007-08-27 08:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\Kaspersky Lab

2007-08-27 08:18 <DIR> d-------- C:\Arquivos de programas\Kaspersky Lab

2007-08-27 08:00 <DIR> d-------- C:\WINDOWS.0\BDOSCAN8

2007-08-22 10:27 <DIR> d-------- C:\DOCUME~1\JEJ\Meus documentos

2007-08-21 16:10 218,112 --a------ C:\HijackThis.exe

2007-08-21 16:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\TEMP

2007-08-20 11:37 18,176 --a------ C:\WINDOWS.0\system32\drivers\sermouse.sys

2007-08-20 09:26 <DIR> d-------- C:\Arquivos de programas\my-world

2007-08-20 08:25 139,264 --a------ C:\WINDOWS.0\NeoUninstall.exe

2007-08-20 08:25 <DIR> d-------- C:\Program Files

2007-08-17 14:54 <DIR> d-------- C:\Arquivos de programas\eMule

2007-08-13 11:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\ImgBurn

2007-08-08 14:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\WinZip

2007-08-08 14:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\Google

2007-08-08 14:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\Google

2007-08-08 14:26 <DIR> d-------- C:\Arquivos de programas\Google

2007-08-06 13:18 <DIR> d-------- C:\Arquivos de programas\Cartoonist

2007-08-01 09:49 299,520 --a------ C:\WINDOWS.0\uninst.exe

2007-08-01 09:24 <DIR> d-------- C:\WINDOWS.0\pss

2007-07-26 09:14 <DIR> d-------- C:\DOCUME~1\CLIENT~1\Meus documentos

2007-07-26 09:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\EPSON

2007-07-24 08:12 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\SWF Studio

2007-07-23 14:31 46,080 --a------ C:\WINDOWS.0\system32\escimgd.dll

2007-07-23 14:31 29,696 --a------ C:\WINDOWS.0\system32\escwiad.dll

2007-07-23 14:31 22,016 --a------ C:\WINDOWS.0\system32\esccmd.dll

2007-07-12 13:47 <DIR> d-------- C:\Arquivos de programas\Winamp

2007-07-12 11:21 <DIR> d---s---- C:\DOCUME~1\ADMINI~1.USU\UserData

2007-07-12 09:35 <DIR> d-------- C:\Arquivos de programas\Horrum

2007-07-11 20:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\Contacts

2007-07-11 20:15 <DIR> d----c--- C:\WINDOWS.0\system32\DRVSTORE

2007-07-11 17:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\Lavasoft

2007-07-11 17:40 <DIR> d-------- C:\Arquivos de programas\Lavasoft

2007-07-11 17:03 3,269 --a------ C:\CefCubStat.DAT

2007-07-11 17:03 165,376 --a------ C:\WINDOWS.0\system32\UNWISE.EXE

2007-07-11 17:03 <DIR> d-------- C:\CAIXA

2007-07-11 08:59 916,849 --a------ C:\WINDOWS.0\system32\libiconv-2.dll

2007-07-11 08:59 32,256 --a------ C:\WINDOWS.0\system32\libintl-2.dll

2007-07-11 08:59 200,704 --a------ C:\WINDOWS.0\system32\ssleay32.dll

2007-07-11 08:59 154,758 --a------ C:\WINDOWS.0\system32\libpq.dll

2007-07-11 08:59 1,064,960 --a------ C:\WINDOWS.0\system32\libeay32.dll

2007-07-11 08:59 <DIR> dr-h----- C:\DOCUME~1\cadunico\Dados de aplicativos

2007-07-11 08:59 <DIR> dr------- C:\DOCUME~1\cadunico\Menu Iniciar

2007-07-11 08:59 <DIR> d--h----- C:\DOCUME~1\cadunico\Modelos

2007-07-11 08:59 <DIR> d--h----- C:\DOCUME~1\cadunico\Configura‡äes locais

2007-07-11 08:59 <DIR> d--h----- C:\DOCUME~1\cadunico\Ambiente de rede

2007-07-11 08:59 <DIR> d--h----- C:\DOCUME~1\cadunico\Ambiente de impressÆo

2007-07-11 08:59 <DIR> d-------- C:\DOCUME~1\cadunico\nodtmpb

2007-07-11 08:59 <DIR> d-------- C:\DOCUME~1\cadunico\Meus documentos

2007-07-11 08:59 <DIR> d-------- C:\DOCUME~1\cadunico\Favoritos

2007-07-11 08:59 <DIR> d-------- C:\DOCUME~1\cadunico\DADOSD~1\Real

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-08-31 17:13 40748 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.idx

2007-08-31 17:13 4028 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.idx

2007-08-20 08:00 --------- d-------- C:\Arquivos de programas\GameTop.com

2007-08-20 07:18 --------- d-------- C:\Arquivos de programas\MSN Messenger

2007-07-23 14:31 --------- d-------- C:\Arquivos de programas\epson

2007-07-19 13:28 --------- d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\Real

2007-06-15 10:21 219648 --a------ C:\WINDOWS.0\system32\uxtheme.dll

2007-06-15 10:21 219648 --a------ C:\WINDOWS.0\system32\dllcache\uxtheme.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]

"VTTimer"="VTTimer.exe" [2004-07-12 22:57 C:\WINDOWS.0\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2004-06-21 15:57 C:\WINDOWS.0\system32\VTTrayp.exe]

"Auto EPSON Stylus CX4100 Series em VENUS"="C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.exe" [2005-03-08 00:00]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"AVP"="C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 20:50]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"

"tscuninstall"=%systemroot%\system32\tscupgrd.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSharedDocuments"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users.WINDOWS.0\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS.0\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users.WINDOWS.0\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS.0\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4100 Series]

C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P26 "EPSON Stylus CX4100 Series" /O6 "USB001" /M "Stylus CX4100"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS.0\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

C:\Arquivos de programas\Winamp\winampa.exe

 

R2 pgsql-cadunico;PostgreSQL Database Server (cadunico);C:\ARQUIV~1\Caixa\CADUNI~1\bin\pg_ctl.exe runservice -N "pgsql-cadunico" -D "C:\ARQUIV~1\Caixa\CADUNI~1\data\"

S0 viasraid;viasraid;C:\WINDOWS.0\system32\drivers\viasraid.sys

 

 

Contents of the 'Scheduled Tasks' folder

2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At5.job - C:\WINDOWS.0\system32\GMXqs588.exe

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-31 17:26:03

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-08-31 17:27:12

C:\ComboFix-quarantined-files.txt ... 2007-08-31 17:27

C:\ComboFix2.txt ... 2007-08-31 14:43

 

--- E O F ---

 

 

Logfile of HijackThis v1.99.1

Scan saved at 17:30:15, on 31/08/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS.0\System32\smss.exe

C:\WINDOWS.0\system32\winlogon.exe

C:\WINDOWS.0\system32\services.exe

C:\WINDOWS.0\system32\lsass.exe

C:\WINDOWS.0\system32\svchost.exe

C:\WINDOWS.0\System32\svchost.exe

C:\WINDOWS.0\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe

C:\WINDOWS.0\system32\VTTimer.exe

C:\WINDOWS.0\system32\VTtrayp.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\WinZip\WZQKPICK.EXE

C:\WINDOWS.0\system32\svchost.exe

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS.0\system32\wscntfy.exe

C:\WINDOWS.0\System32\svchost.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\WINDOWS.0\explorer.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [Auto EPSON Stylus CX4100 Series em VENUS] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P40 "Auto EPSON Stylus CX4100 Series em VENUS" /O19 "\\VENUS\Impressora6" /M "Stylus CX4100"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A001F4F-2DCB-4A4B-9AB3-3509F7B7DD41}: NameServer = 192.168.1.1

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: klogon - C:\WINDOWS.0\system32\klogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\WPDShServiceObj.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: PostgreSQL Database Server (cadunico) (pgsql-cadunico) - PostgreSQL Global Development Group - C:\ARQUIV~1\Caixa\CADUNI~1\bin\pg_ctl.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

 

 

 

 

 

NOTE: ARMANDO'S PC, WHICH WAS STILL MISSING...

 

 

ComboFix 07-08-30.3 - "Administrador" 2007-08-31 18:06:38.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.173 [GMT -3:00]

* Created a new restore point

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\ADMINI~1\DADOSD~1\addon.dat

C:\WINDOWS\system32\dllcache\klog.dat

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_ODDYSEE

 

 

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))

 

 

2007-08-31 18:06 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-08-22 16:27 <DIR> d-------- C:\Arquivos de programas\Psychic Doom 97D High Exp

2007-08-22 14:55 218,112 --a------ C:\HijackThis.exe

2007-08-21 08:57 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

2007-08-21 08:57 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll

2007-08-19 21:37 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe

2007-08-19 21:37 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll

2007-08-19 21:37 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys

2007-08-19 21:35 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0

2007-08-19 21:34 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

2007-08-19 17:10 2,374,472 --------- C:\WINDOWS\system32\dllcache\wmvcore.dll

2007-08-19 16:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2007-08-17 08:16 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\UserData

2007-08-16 20:34 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2007-08-16 10:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Image Zone Express

2007-08-15 15:38 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Lavasoft

2007-08-15 14:54 57,407 --a------ C:\WINDOWS\system32\ANICtl.dll

2007-08-15 14:54 49,152 --a------ C:\WINDOWS\system32\AQCKGen.dll

2007-08-15 14:54 368,640 --a------ C:\WINDOWS\system32\ANIWZCS2.dll

2007-08-15 14:54 221,184 --a------ C:\WINDOWS\system32\wlanapi.dll

2007-08-15 14:54 212,992 --a------ C:\WINDOWS\system32\aIPH.dll

2007-08-15 14:54 143,360 --a------ C:\WINDOWS\system32\WlanApp.dll

2007-08-15 14:54 1,323,095 --a------ C:\WINDOWS\system32\odSupp_M.dll

2007-08-15 14:53 36,864 --a------ C:\WINDOWS\system32\ANIOApi.dll

2007-08-15 14:53 28,205 --a------ C:\WINDOWS\system32\ANIO.sys

2007-08-15 14:53 11,904 --a------ C:\WINDOWS\system32\anio4.sys

2007-08-15 14:53 <DIR> d-------- C:\Arquivos de programas\D-Link

2007-08-15 14:53 <DIR> d-------- C:\Arquivos de programas\ANI

2007-08-14 16:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\HP

2007-08-13 21:09 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\UserData

2007-08-13 21:05 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DADOSD~1\HP

2007-08-13 21:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\HP

2007-08-13 21:02 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\HP

2007-08-13 21:00 <DIR> d-------- C:\Arquivos de programas\Hewlett-Packard

2007-08-13 20:59 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Hewlett-Packard

2007-08-13 20:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys

2007-08-13 20:57 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll

2007-08-13 20:57 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe

2007-08-13 20:57 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe

2007-08-13 20:57 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll

2007-08-13 20:57 306,688 --a------ C:\WINDOWS\IsUninst.exe

2007-08-13 20:57 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll

2007-08-13 20:57 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll

2007-08-13 20:57 <DIR> d-------- C:\Arquivos de programas\HP

2007-08-13 20:55 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll

2007-08-13 20:55 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys

2007-08-13 20:55 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll

2007-08-13 20:55 282,624 -ra------ C:\WINDOWS\system32\HPZc3212.dll

2007-08-13 20:55 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys

2007-08-13 20:55 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys

2007-08-13 20:55 119,027 --a------ C:\WINDOWS\hpoins11.dat

2007-08-13 20:54 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2007-08-13 20:49 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2007-08-10 14:14 304,182 --a------ C:\StiImg.dat

2007-08-10 14:12 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys

2007-08-10 14:12 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys

2007-08-10 14:12 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS

2007-08-10 14:12 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys

2007-08-10 14:12 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys

2007-08-10 14:12 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys

2007-08-10 14:12 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys

2007-08-10 14:11 54,784 --a------ C:\WINDOWS\system32\vfwwdm32.dll

2007-08-10 14:02 <DIR> d-------- C:\WINDOWS\PAC207

2007-08-10 14:02 <DIR> d-------- C:\Arquivos de programas\PC Camera

2007-08-10 14:02 <DIR> d-------- C:\Arquivos de programas\Common Files

2007-08-02 16:26 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Help

2007-08-02 10:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\CyberLink

2007-07-31 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\CyberLink

2007-07-30 21:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Media Player Classic

2007-07-30 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy

2007-07-30 18:48 <DIR> d-------- C:\Arquivos de programas\Lavasoft

2007-07-30 18:48 <DIR> d-------- C:\Arquivos de programas\CCleaner

2007-07-30 17:44 40,960 --a------ C:\Arquivos de programas\Uninstall_CDS.exe

2007-07-30 17:44 <DIR> d-------- C:\Arquivos de programas\CyberLink DVD Solution

2007-07-30 17:41 102,912 --------- C:\WINDOWS\system32\Vb6stkit.dll

2007-07-30 17:41 102,160 --------- C:\WINDOWS\system32\VB6KO.DLL

2007-07-30 13:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Corel

2007-07-30 13:31 <DIR> d--h----- C:\Arquivos de programas\InstallShield Installation Information

2007-07-30 13:31 <DIR> d-------- C:\WINDOWS\Corel

2007-07-30 13:29 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Corel

2007-07-30 13:27 <DIR> d-------- C:\Arquivos de programas\Corel

2007-07-30 13:25 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\InstallShield

2007-07-30 13:14 308,224 --a------ C:\WINDOWS\IsUn0416.exe

2007-07-29 22:27 <DIR> d-------- C:\Arquivos de programas\Innovative Solutions

2007-07-29 22:25 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Nero

2007-07-29 22:21 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll

2007-07-29 22:21 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll

2007-07-29 22:21 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll

2007-07-29 22:21 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe

2007-07-29 22:21 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

2007-07-29 22:21 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll

2007-07-29 22:21 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Ahead

2007-07-29 22:21 <DIR> d-------- C:\Arquivos de programas\Ahead

2007-07-29 22:19 17,920 --a------ C:\WINDOWS\system32\mdimon.dll

2007-07-29 22:18 <DIR> d-------- C:\Arquivos de programas\Microsoft.NET

2007-07-29 22:17 <DIR> d-------- C:\WINDOWS\SHELLNEW

2007-07-29 22:15 <DIR> dr-h----- C:\MSOCache

2007-07-29 22:13 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2007-07-29 22:12 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dados de aplicativos

2007-07-29 22:12 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Meus documentos

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-29 22:01 4128 --a------ C:\WINDOWS\system32\drivers\INFCACHE.1

2007-06-26 11:09 660992 --------- C:\WINDOWS\system32\dllcache\wininet.dll

2007-06-26 10:57 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll

2007-06-26 03:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-26 03:10 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll

2007-06-19 10:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2007-06-19 10:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll

2007-06-14 15:09 96768 --------- C:\WINDOWS\system32\dllcache\inseng.dll

2007-06-14 15:09 616448 --------- C:\WINDOWS\system32\dllcache\urlmon.dll

2007-06-14 15:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll

2007-06-14 15:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll

2007-06-14 15:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll

2007-06-14 15:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll

2007-06-14 15:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll

2007-06-14 15:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll

2007-06-14 15:09 3079680 --------- C:\WINDOWS\system32\dllcache\mshtml.dll

2007-06-14 15:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll

2007-06-14 15:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll

2007-06-14 15:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll

2007-06-14 15:09 151552 --------- C:\WINDOWS\system32\dllcache\cdfview.dll

2007-06-14 15:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll

2007-06-14 15:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll

2007-06-14 15:09 1055744 --------- C:\WINDOWS\system32\dllcache\danim.dll

2007-06-14 15:09 1024000 --------- C:\WINDOWS\system32\dllcache\browseui.dll

2007-06-14 11:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe

2007-06-13 10:21 1035264 --a------ C:\WINDOWS\explorer.exe

2007-06-13 10:21 1035264 --------- C:\WINDOWS\system32\dllcache\explorer.exe

--------- C:\Arquivos de programas\Serviços on-line

--------- C:\Arquivos de programas\Arquivos comuns\Serviços

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]

"RemoteControl"="C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]

"HP Software Update"="C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

"D-Link AirPlus G"="C:\Arquivos de programas\D-Link\AirPlus G\AirGCFG.exe" [2005-03-29 11:41]

"ANIWZCS2Service"="C:\Arquivos de programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49]

"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2007-08-20 18:02]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45]

"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2005-08-13 22:34]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"

"tscuninstall"=%systemroot%\system32\tscupgrd.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSharedDocuments"=1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSharedDocuments"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 nwprovau

 

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F9E9A340-D1F1-11D0-821E-POISONIVY2007}]

C:\WINDOWS\system32\dllcache\poisonivy.exe s

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-31 18:10:00

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-08-31 18:11:36 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-08-31 18:11

 

--- E O F ---

 

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 18:14:21, on 31/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

C:\Arquivos de programas\D-Link\AirPlus G\AirGCFG.exe

C:\Arquivos de programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.cade.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Arquivos de programas\D-Link\AirPlus G\AirGCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Arquivos de programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O17 - HKLM\System\CCS\Services\Tcpip\..\{B157CC24-7327-4E78-9BA5-A227131F662C}: NameServer = 192.168.0.4

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Arquivos de programas\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

 

I ALSO RAN BankerFix ON ARMANDO'S PC...

 

BankerFix 2.4 - Removedor de Bankers

Linha Defensiva - http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

Data: 31/8/2007 - 18:16

-------------------------------------------------------

Lista de Definição: 2007-08-18-1

=======================================================

 

 

Killando arquivos em Help

-----------------------------------

 

Killing '*'

 

Removendo Arquivos em Help

-----------------------------------

 

 

Arquivos ruins restantes

-----------------------------------

 

 

----- Fim -------------------------


Hey Edvan,

Let's go.

ALEXANDRE'S PC

Step 1

1. Run Killbox and click Delete on Reboot.

2. Copy the list in bold below to the clipboard. Select it all with the mouse --> go to the Edit menu in the browser toolbar --> click Copy.

 

C:\WINDOWS.0\Tasks\At5.job

C:\WINDOWS.0\system32\GMXqs588.exe

 

3. Go back to Killbox. Click File > Paste from clipboard. Click All Files.

4. Press "X". Answer "no" to the question.

Step 2

Restart in Normal Mode.

Delete the contents of the C:\!Killbox folder.

Post new ComboFix and HijackThis logs.

FOR BOTH

Submit the file below to the Jotti site:

C:\windows\System32\syssetup.dll

... and come back with the result.

Cheers.

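As an added example (not part of this thread, and not code from ComboFix, HijackThis or Killbox), a small Python triage script that applies the kind of checks the reply above makes by eye: an At*.job scheduled task that launches an executable with a random-looking name, a RunOnce value that uses cmd.exe to move a file over a System32 DLL such as syssetup.dll, an Active Setup component whose key is not a valid GUID, and a program started from the dllcache folder. The heuristics, rule names and the `random_looking` signal are my own assumptions; the sample lines are constructed from the log fragments quoted in this thread.

```python
import re

# Constructed sample, modelled on the ComboFix and HijackThis lines quoted in this thread:
# two benign Run values, the "nlsf" RunOnce entry, the At5.job task, the Active Setup key
# and one Find3M inventory line that must NOT be flagged.
SAMPLE_LOG = r"""
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
2007-08-13 19:31:03 C:\WINDOWS.0\Tasks\At5.job - C:\WINDOWS.0\system32\GMXqs588.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F9E9A340-D1F1-11D0-821E-POISONIVY2007}]
C:\WINDOWS\system32\dllcache\poisonivy.exe s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
2007-06-14 11:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
"""

# A file-inventory line (Files Created / Find3M sections): date, time, then size, <DIR> or dashes.
LISTING_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+|-{9})\s")
# Scheduled task created by at.exe (auto-named AtN.job) and the executable it launches.
AT_JOB_RE = re.compile(r"\\Tasks\\At\d+\.job\s+-\s+(?P<target>\S.*)$", re.I)
# Autostart value that shells out to cmd.exe to move/copy/rename a file inside System32.
SHELL_MOVE_RE = re.compile(r"cmd\.exe\s+/c\s+(?:move|copy|xcopy|ren)\b.*\\system32\\", re.I)
# Active Setup component key; the bracketed part is supposed to be a GUID.
ACTIVE_SETUP_RE = re.compile(r"\\active setup\\installed components\\(?P<clsid>\{[^}]*\})\]$", re.I)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# A program started from dllcache: that folder is the SFC cache, not a launch location.
DLLCACHE_EXE_RE = re.compile(r'\\dllcache\\[^\\\s"]+\.exe\b', re.I)


def random_looking(path):
    """Weak signal (assumed heuristic): a basename of 6+ chars mixing upper case,
    lower case and digits, as in GMXqs588.exe; NeroCheck.exe does not qualify."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", path.replace("/", "\\").rsplit("\\", 1)[-1])
    return len(stem) >= 6 and all(re.search(p, stem) for p in (r"[a-z]", r"[A-Z]", r"\d"))


def triage(log_text):
    """Apply the heuristics line by line; returns a list of {rule, line, detail} findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or LISTING_RE.match(line):
            continue  # blank, or a file-inventory line: dllcache copies listed there are normal
        m = AT_JOB_RE.search(line)
        if m:
            target = m.group("target").strip()
            detail = "random-looking target name" if random_looking(target) else "review target"
            findings.append({"rule": "at-job", "line": line, "detail": detail})
        if SHELL_MOVE_RE.search(line):
            findings.append({"rule": "shell-move-over-system32", "line": line,
                             "detail": "autostart replaces a file under System32"})
        m = ACTIVE_SETUP_RE.search(line)
        if m and not GUID_RE.match(m.group("clsid")):
            findings.append({"rule": "active-setup-bad-clsid", "line": line,
                             "detail": "component id is not a GUID: " + m.group("clsid")})
        if DLLCACHE_EXE_RE.search(line):
            findings.append({"rule": "exe-from-dllcache", "line": line,
                             "detail": "program launched from the SFC cache folder"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}\n    {f['line']}")
```

Feed it a whole ComboFix or HijackThis log and review every finding by hand; the rules are hints for what to look up (for instance on Jotti, as the reply suggests), not a verdict.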

Logs from Alexandre's PC... ComboFix and HijackThis...

 

Note: I'll send Armando's later...

 

 

 

ComboFix 07-08-30.3 - "Administrador" 2007-09-03 17:04:54.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.174 [GMT -3:00]

 

 

((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))

 

 

2007-09-03 14:47 466,944 --a------ C:\WINDOWS.0\Resident Evil.scr

2007-09-03 14:47 28,672 --a------ C:\WINDOWS.0\system32\ssconfig.exe

2007-09-03 14:47 180,224 --a------ C:\WINDOWS.0\UninstallWSST.exe

2007-09-03 14:47 1,292,788 --a------ C:\WINDOWS.0\Resident Evil.dat

2007-09-03 08:28 <DIR> d-------- C:\Arquivos de programas\Aulete digital

2007-09-03 08:28 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\MGB

2007-09-03 08:08 2,481,067 --a------ C:\WINDOWS.0\Resident Evil 4.scr

2007-08-31 14:31 51,200 --a------ C:\WINDOWS.0\nircmd.exe

2007-08-31 13:33 <DIR> d-------- C:\Mixesoft

2007-08-30 09:33 <DIR> d-------- C:\Arquivos de programas\PacWriter

2007-08-27 08:18 82,061 --a------ C:\WINDOWS.0\system32\drivers\klick.dat

2007-08-27 08:18 81,549 --a------ C:\WINDOWS.0\system32\drivers\klin.dat

2007-08-27 08:18 40,992 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.dat

2007-08-27 08:18 3,127,072 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.dat

2007-08-27 08:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\Kaspersky Lab

2007-08-27 08:18 <DIR> d-------- C:\Arquivos de programas\Kaspersky Lab

2007-08-27 08:00 <DIR> d-------- C:\WINDOWS.0\BDOSCAN8

2007-08-22 10:27 <DIR> d-------- C:\DOCUME~1\JEJ\Meus documentos

2007-08-21 16:10 218,112 --a------ C:\HijackThis.exe

2007-08-21 16:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\TEMP

2007-08-20 11:37 18,176 --a------ C:\WINDOWS.0\system32\drivers\sermouse.sys

2007-08-20 09:26 <DIR> d-------- C:\Arquivos de programas\my-world

2007-08-20 08:25 139,264 --a------ C:\WINDOWS.0\NeoUninstall.exe

2007-08-20 08:25 <DIR> d-------- C:\Program Files

2007-08-17 14:54 <DIR> d-------- C:\Arquivos de programas\eMule

2007-08-13 11:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\ImgBurn

2007-08-08 14:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\WinZip

2007-08-08 14:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\Google

2007-08-08 14:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.0\DADOSD~1\Google

2007-08-08 14:26 <DIR> d-------- C:\Arquivos de programas\Google

2007-08-06 13:18 <DIR> d-------- C:\Arquivos de programas\Cartoonist

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-09-03 16:59 4868 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.idx

2007-09-03 16:59 44732 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.idx

2007-08-20 08:00 --------- d-------- C:\Arquivos de programas\GameTop.com

2007-08-20 07:18 --------- d-------- C:\Arquivos de programas\MSN Messenger

2007-08-15 15:55 --------- d-------- C:\Arquivos de programas\Winamp

2007-07-26 09:14 --------- d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\EPSON

2007-07-24 08:12 --------- d-------- C:\Arquivos de programas\Arquivos comuns\SWF Studio

2007-07-23 14:31 --------- d-------- C:\Arquivos de programas\epson

2007-07-19 13:28 --------- d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\Real

2007-07-12 09:35 --------- d-------- C:\Arquivos de programas\Horrum

2007-07-11 17:41 --------- d-------- C:\DOCUME~1\ADMINI~1.USU\DADOSD~1\Lavasoft

2007-07-11 17:40 --------- d-------- C:\Arquivos de programas\Lavasoft

2007-06-15 10:21 219648 --a------ C:\WINDOWS.0\system32\uxtheme.dll

2007-06-15 10:21 219648 --a------ C:\WINDOWS.0\system32\dllcache\uxtheme.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]

"VTTimer"="VTTimer.exe" [2004-07-12 22:57 C:\WINDOWS.0\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2004-06-21 15:57 C:\WINDOWS.0\system32\VTTrayp.exe]

"Auto EPSON Stylus CX4100 Series em VENUS"="C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.exe" [2005-03-08 00:00]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"AVP"="C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 20:50]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"

"tscuninstall"=%systemroot%\system32\tscupgrd.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSharedDocuments"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users.WINDOWS.0\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS.0\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users.WINDOWS.0\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS.0\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4100 Series]

C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P26 "EPSON Stylus CX4100 Series" /O6 "USB001" /M "Stylus CX4100"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS.0\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

C:\Arquivos de programas\Winamp\winampa.exe

 

R2 pgsql-cadunico;PostgreSQL Database Server (cadunico);C:\ARQUIV~1\Caixa\CADUNI~1\bin\pg_ctl.exe runservice -N "pgsql-cadunico" -D "C:\ARQUIV~1\Caixa\CADUNI~1\data\"

S0 viasraid;viasraid;C:\WINDOWS.0\system32\drivers\viasraid.sys

 

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-03 17:06:37

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-09-03 17:07:41

C:\ComboFix-quarantined-files.txt ... 2007-09-03 17:07

C:\ComboFix2.txt ... 2007-08-31 17:27

C:\ComboFix3.txt ... 2007-08-31 14:43

 

--- E O F ---

 

 

______________________x_______________________

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 17:12:54, on 03/09/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS.0\System32\smss.exe

C:\WINDOWS.0\system32\winlogon.exe

C:\WINDOWS.0\system32\services.exe

C:\WINDOWS.0\system32\lsass.exe

C:\WINDOWS.0\system32\svchost.exe

C:\WINDOWS.0\System32\svchost.exe

C:\WINDOWS.0\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe

C:\WINDOWS.0\system32\VTTimer.exe

C:\WINDOWS.0\system32\VTtrayp.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\WinZip\WZQKPICK.EXE

C:\WINDOWS.0\system32\svchost.exe

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS.0\system32\wscntfy.exe

C:\WINDOWS.0\System32\svchost.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\WINDOWS.0\explorer.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS.0\system32\rundll32.exe

C:\WINDOWS.0\system32\rundll32.exe

C:\WINDOWS.0\system32\rundll32.exe

C:\WINDOWS.0\system32\rundll32.exe

C:\WINDOWS.0\system32\rundll32.exe

C:\WINDOWS.0\system32\rundll32.exe

C:\WINDOWS.0\system32\rundll32.exe

C:\WINDOWS.0\system32\rundll32.exe

C:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [Auto EPSON Stylus CX4100 Series em VENUS] C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P40 "Auto EPSON Stylus CX4100 Series em VENUS" /O19 "\\VENUS\Impressora6" /M "Stylus CX4100"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4A001F4F-2DCB-4A4B-9AB3-3509F7B7DD41}: NameServer = 192.168.1.1

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: klogon - C:\WINDOWS.0\system32\klogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.0\system32\WPDShServiceObj.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: PostgreSQL Database Server (cadunico) (pgsql-cadunico) - PostgreSQL Global Development Group - C:\ARQUIV~1\Caixa\CADUNI~1\bin\pg_ctl.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

 

 

Submit the file below to the Jotti site:

 

C:\windows\System32\syssetup.dll

 

... come back with the result

 

Opening the link didn't work, could it be that it isn't complete? It showed this: Error: unable to connect to database. The administrator has already been notified, it is not necessary to contact us.

 

I've now managed to submit the file to the Jotti site..

 

Service load: 0% 100%

 

File: syssetup.dll

Status: OK

MD5: 24c5f35c7b4e54fa7840c6cabea14561

Packers detected: -

Bit9 reports: File not found

 

Scanner results

Scan taken on 04 Sep 2007 13:18:28 (GMT)

A-Squared Found nothing

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Rising Antivirus Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing


So Alexandre's PC is clean...

 

Now I just need to do the procedures on Armando's PC, I'll do that later.. since he lives a bit far away...

 

 

If you want to or can, please take a look at this log from Daniella's PC...

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 17:10:20, on 5/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\sm56hlpr.exe

C:\Arquivos de programas\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\Arquivos de programas\Google\Google Talk\googletalk.exe

C:\Arquivos de programas\Fortes Informática\RemProtDeamon.exe

C:\Arquivos de programas\Java\jre1.5.0_05\bin\jucheck.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe

C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Arquivos de programas\Netropa\Multimedia Keyboard\TrayMon.exe

C:\Arquivos de programas\Netropa\Onscreen Display\OSD.exe

C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Arquivos de programas\FireBird\FireBird_1_5\bin\fbguard.exe

C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\FireBird\FireBird_1_5\bin\fbserver.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehCef.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVL.EXE /FU "C:\WINDOWS\TEMP\E_S304.tmp" /EF "HKLM"

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Arquivos de programas\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [RemProtDeamon] C:\Arquivos de programas\Fortes Informática\RemProtDeamon.exe -a

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Arquivos de programas\FireBird\FireBird_1_5\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Arquivos de programas\FireBird\FireBird_1_5\bin\fbserver.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe


Hey Edvan,

 

Daniella's log has no abnormal entries.

 

Regards.

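As a follow-up to the "no abnormal entries" verdict above: an added example, not code from this thread or from HijackThis, showing how the checks a helper applies by eye to a HijackThis 1.99.1 log (orphan BHO entries with "(no file)", Run entries that start from a temp or profile directory or give only a bare file name, proxy or DNS settings pointing outside the local RFC 1918 ranges, Winlogon Notify DLLs, and the `avp.exe" -r (file missing)` pattern that comes from a quoted service path with arguments) can be scripted as triage rules. The sample lines are constructed in the shape of the logs in this thread; the Temp autostart and the 203.0.113.5 resolver are made-up entries added to exercise the rules, and the severities are heuristic labels, not verdicts.

```python
"""Triage heuristics for HijackThis 1.99.1 log lines.

Added example, not code from this thread or from HijackThis. The rules mirror
what a helper checks by eye in the O2/O4/O17/O20/O23 sections of a log.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape HijackThis 1.99.1 emits. The Temp autostart
# and the 203.0.113.5 resolver are made up to exercise the rules.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\CONFIG~1\Temp\upd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A001F4F-2DCB-4A4B-9AB3-3509F7B7DD41}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A001F4F-2DCB-4A4B-9AB3-3509F7B7DD42}: NameServer = 203.0.113.5
O20 - Winlogon Notify: klogon - C:\WINDOWS.0\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
# First executable-looking token after the [name] of a Run entry, quoted or not.
EXE_RE = re.compile(r'^\[[^\]]+\]\s+"?(.+?\.(?:exe|dll|scr|com|bat|cmd))(?=["\s]|$)', re.I)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp|docume~1|documents and settings)\\", re.I)
IP_RE = re.compile(r"=\s*(\d{1,3}(?:\.\d{1,3}){3})")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Finding:
    section: str
    severity: str   # "high", "medium" or "info"
    line: str
    reason: str


def is_local_address(text):
    """True for RFC 1918 and loopback addresses (a home router or LAN resolver)."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def triage_line(line):
    """Return a Finding for one log line, or None when nothing stands out."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    if "(no file)" in body:
        return Finding(section, "medium", line,
                       "registered component has no backing file (orphan CLSID)")
    if section == "O23" and '" -' in body and "(file missing)" in body:
        # HijackThis 1.99.1 cuts a quoted ImagePath at its closing quote when the
        # service has arguments, so "(file missing)" refers to the fragment after
        # the quote; the path before the quote is what to check on disk.
        return Finding(section, "info", line,
                       "quoted service path with arguments; verify the file on disk")
    if "(file missing)" in body:
        return Finding(section, "medium", line, "entry points at a file that is absent")
    if section == "O4" and ": " in body:
        em = EXE_RE.match(body.split(": ", 1)[1])
        if em:
            exe = em.group(1)
            if TEMP_DIR_RE.search(exe):
                return Finding(section, "high", line,
                               "autostart executable lives under a profile or temp directory")
            if "\\" not in exe:
                return Finding(section, "info", line,
                               "bare file name; resolved via PATH, so confirm which copy loads")
    if section in ("R1", "O17"):
        im = IP_RE.search(body)
        if im and not is_local_address(im.group(1)):
            return Finding(section, "high", line,
                           "proxy/DNS set to an address outside the local RFC 1918 ranges")
    if section == "O20":
        return Finding(section, "info", line,
                       "Winlogon Notify DLL runs inside winlogon; confirm the vendor")
    return None


def triage_log(text):
    """Run the rules over a whole log and keep only the lines that matched."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def summarize(findings):
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

On the sample the script reports the orphan `{7E853D72-...}` BHO (which shows up in two of the logs in this thread) as medium, the made-up Temp autostart and the non-local resolver as high, and the bare `VTTimer.exe`, the `klogon` Winlogon DLL and the quoted Kaspersky service path as info. The info items are the ones a helper resolves by checking the vendor and the file on disk rather than by removing the entry.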

Thanks jgarcia for the help...

 

Would it be better for me to open another thread, or could I post in this one that's already open?

 

 

because I have more logs to post!!

 

 

 

Decinho's machine:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 09:22:42, on 8/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\CCProxy\CCProxy.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE

C:\Arquivos de programas\Winamp\winampa.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HijackThis_v1.99.1.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [Auto EPSON Stylus CX4100 Series em START-GAME3] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P46 "Auto EPSON Stylus CX4100 Series em START-GAME3" /O22 "\\START-GAME3\EPSONSty" /M "Stylus CX4100"

O4 - HKLM\..\Run: [\\Start-game3\EPSON Stylus CX4100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P40 "\\Start-game3\EPSON Stylus CX4100 Series" /O6 "USB001" /M "Stylus CX4100"

O4 - HKLM\..\Run: [ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P26 "EPSON Stylus CX4100 Series" /O6 "USB001" /M "Stylus CX4100"

O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PowerBar] "C:\Arquivos de programas\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

O4 - HKCU\..\Run: [updateMgr] C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: CCProxy - Unknown owner - C:\CCProxy\CCProxy.exe" -service (file missing)

