Void.22, posted August 19, 2007

Well, I've come here to ask for help. A damned virus is in my MSN <_< I've already run Avast and antispyware and nothing changed. Every time I chat with someone on MSN, the virus gets the person's attention and sends a file called Foto_celular.zip. I've been reading some earlier posts and got ahead of things: I downloaded BankerFix and HijackThis and saved the log. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:12, on 19/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllcache\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\verify.exe
C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRAM FILES\MSN Messenger\msnmsgr.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRAM FILES\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.positivoinformatica.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win] C:\WINDOWS\verify.exe
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LightDialer] C:\PROGRAM FILES\Velox\Discador\DISCADOR.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak software updater.lnk = C:\PROGRAM FILES\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.positivoinformatica.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96F4CEB3-4E85-4E60-858C-566F79C22BB8}: NameServer = 200.149.55.142 200.165.132.154
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Help me!!! Thanks in advance!

DigRam, posted August 19, 2007

Good morning Void.22!
>@< Download ComboFix.
>@< Save it to the Desktop!
>@< Close all windows and run the tool!
>@< The Auto Scan window will open. Wait!
>@< Type the option to continue <Enter>
>@< Wait for it to finish!
>@< Post the report C:\ComboFix.txt in your reply, plus an updated HJT log.
Regards!

Void.22, posted August 19, 2007

ComboFix report

ComboFix 07-08-14.4 - "Owner" 2007-08-19 13:51:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.61 [GMT -3:00]

ADS removed - svchost.exe: deleted 68 bytes in 1 streams.
ADS removed - ntoskrnl.exe: deleted 4864 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Owner\APPLIC~1\addon.dat
C:\foto_celular.scr
C:\foto_celular.zip
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000110_.tmp.dll
C:\WINDOWS\system32\dllcache\klog.dat
C:\WINDOWS\system32\oddysee.exe
C:\WINDOWS\system32\ssvschost.sys

((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))
2007-08-19 13:56 24,064 --a------ C:\Foto_celular.scr
2007-08-19 13:56 0 --ahsc--- C:\WINDOWS\system32\dllcache\klog.dat
2007-08-19 13:55 30,720 --a------ C:\WINDOWS\system32\oddysee.exe
2007-08-19 13:49 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 21:46 <DIR> d-------- C:\PROGRAM FILES\Trend Micro
2007-08-17 22:12 24,064 --a------ C:\WINDOWS\system32\poison.sys
2007-08-06 16:23 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-08-06 16:23 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2007-08-06 16:23 290,816 --a------ C:\WINDOWS\system32\KPDPM.dll
2007-08-06 16:23 225,280 --a------ C:\WINDOWS\system32\KPDPMUI.dll
2007-08-06 16:23 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-08-06 16:23 <DIR> d-------- C:\PROGRAM FILES\QuickTime
2007-08-06 16:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-08-06 16:22 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2007-08-06 16:22 <DIR> d-------- C:\PROGRAM FILES\Common Files\Kodak
2007-08-06 16:21 <DIR> d-------- C:\WINDOWS\system32\color
2007-08-06 16:21 <DIR> d-------- C:\KPCMS
2007-07-31 21:30 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-07-31 21:30 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-22 23:11 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-22 23:10 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-07-20 20:30 1,156 --a------ C:\WINDOWS\mozver.dat
2007-07-20 17:24 0 --a------ C:\WINDOWS\nsreg.dat

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-19 13:52 2136064 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-08-18 21:28 --------- d-------- C:\Program Files\MSN Messenger
2007-08-18 03:59 2180352 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-08-15 15:45 --------- d-------- C:\Program Files\MessengerDiscovery
2007-08-06 16:22 --------- d-------- C:\Program Files\Kodak
2007-08-04 00:39 --------- d-------- C:\Program Files\Common Files\DVDVIDEOSOFT
2007-07-27 19:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 19:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 19:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 19:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 18:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 18:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 18:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-20 16:24 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-07-15 23:14 --------- d-------- C:\Program Files\CCleaner
2007-07-13 23:22 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Avant Profiles
2007-07-06 17:57 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-06-30 00:12 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-26 12:13 851968 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 11:09 658944 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 03:08 1104896 --a--c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-26 03:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 09:57 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-06-19 21:56 2378 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-06-19 20:54 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-19 10:31 282112 --a--c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-19 10:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-14 15:09 96256 --a--c--- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 15:09 615424 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 15:09 55808 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 15:09 532480 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 15:09 474112 --a--c--- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 15:09 449024 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 15:09 39424 --a--c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 15:09 357888 --a--c--- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 15:09 3058688 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 15:09 251392 --a--c--- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 15:09 205312 --a--c--- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 15:09 16384 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 15:09 151040 --a--c--- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 15:09 1494528 --a--c--- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 15:09 146432 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 15:09 1054208 --a--c--- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 15:09 1023488 --a--c--- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 11:07 18432 --a--c--- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 07:23 138523 ---h-c--- C:\WINDOWS\system32\dllcache\poisonivy.exe
2007-06-13 07:23 1033216 --a--c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 07:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-11 23:51 10834944 --a--c--- C:\WINDOWS\system32\dllcache\wmp.dll
2007-05-24 16:37 180224 --ahs---- C:\WINDOWS\system32\yxnwc.dll
2007-05-24 16:36 180224 --ahs---- C:\WINDOWS\system32\yxowk.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 20:08 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2006-02-15 21:51 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 18:03]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 16:50]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 19:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-06 16:23]
"win"="C:\WINDOWS\verify.exe" [2007-01-30 20:41]
"winlogon"="C:\WINDOWS\csrss.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"LightDialer"="C:\PROGRAM FILES\Velox\Discador\DISCADOR.EXE" [2006-08-08 13:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 09:44:06 Lei]
Kodak software updater.lnk - C:\PROGRAM FILES\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 Lei]
Software Kodak EasyShare.lnk - C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 03:47:22 Lei]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=1 (0x1)
"DisableLockWorkstation"=1 (0x1)
"NoColorChoice"=1 (0x1)
"NoVisualStyleChoice"=1 (0x1)
"NoDispAppearancePage"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"SetVisualStyle"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=1 (0x1)
"Intellimenus"=1 (0x1)
"LockTaskbar"=1 (0x1)
"NoChangeAnimation"=1 (0x1)
"NoCloseDragDropBands"=1 (0x1)
"NoDFSTab"=1 (0x1)
"NoLogoff"=1 (0x1)
"NoManageMyComputerVerb"=1 (0x1)
"NoMovingBands"=1 (0x1)
"NoNetConnectDisconnect"=1 (0x1)
"NoNetworkConnections"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoSecurityTab"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoStartMenuNetworkPlaces"=1 (0x1)
"NoTaskGrouping"=0 (0x0)
"StartMenuLogOff"=1 (0x1)
"DisallowCpl"=1 (0x1)
"ForceClassicControlPanel"=0 (0x0)
"NoChangeStartMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoSetTaskbar"=1 (0x1)
"NoTrayContextMenu"=1 (0x1)
"NoSimpleStartMenu"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoOnlinePrintsWizard"=1 (0x1)
"NoWebServices"=1 (0x1)
"NoActiveDesktopChanges"=1 (0x1)
"NoWebView"=0 (0x0)
"NoEnumEntireNetwork"=1 (0x1)
"HideRunAsVerb"=1 (0x1)
"NoThumbnailCache"=1 (0x1)
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 Oddysee;Oddysee;\??\C:\WINDOWS\system32\ntoskrnl.exe:kernel
S3 UXDCMN;UXDCMN;\??\C:\sysprep\wst\UXDCMN.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
AutoRun\command- P:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f6cc7c-75c9-11db-8b37-806d6172696f}]
AutoRun\command- D:\install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F9E9A340-D1F1-11D0-821E-POISONIVY2007}]
C:\WINDOWS\system32\dllcache\poisonivy.exe s

**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 13:56:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\ntoskrnl.exe:kernel 4864 bytes executable

scan completed successfully
hidden files: 1
**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Oddysee]
"ImagePath"="\??\C:\WINDOWS\system32\ntoskrnl.exe:kernel"

Completion time: 2007-08-19 14:00:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 13:59
--- E O F ---

HijackThis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:01, on 19/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllcache\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\verify.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRAM FILES\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\PROGRAM FILES\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.positivoinformatica.com.br
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win] C:\WINDOWS\verify.exe
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LightDialer] C:\PROGRAM FILES\Velox\Discador\DISCADOR.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak software updater.lnk = C:\PROGRAM FILES\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.positivoinformatica.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 5748 bytes

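Reading the two logs above side by side, the tells a helper looks for are all present: a Run value named "winlogon" that launches a csrss.exe sitting in C:\WINDOWS rather than in system32, a service (Oddysee) whose ImagePath is an NTFS alternate data stream on ntoskrnl.exe (ComboFix reports it as "ADS removed", catchme lists it as a hidden file), and a batch of Explorer and System policies that hide the Security tab, Control Panel, logoff and similar UI from the user. The script below is an added example written for this page; it is not code from the thread, from HijackThis, ComboFix or any of the SATINFO tools. It parses HijackThis O4 lines and the ComboFix "Reg Loading Points" and service lines and flags those three patterns, and it goes a little beyond the thread by also checking bare paths such as the "Running processes" list. The sample lines are copied from the logs above (with benign neighbours kept for contrast); the list of core process names, the system32 location and the set of lockout policies are assumptions chosen from what these logs show.

```python
"""Autostart triage for the patterns in this thread's HijackThis/ComboFix logs.
Added example for this page; not code from the thread or from either tool."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Core XP processes that legitimately run only from %SystemRoot%\system32
# (the logs show C:\WINDOWS as SystemRoot). Both sets are assumptions.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

# Policies that, set to 1, remove UI a user needs to inspect or undo an infection
# (picked from the "Reg Loading Points" block above; assumed list).
LOCKOUT_POLICIES = {
    "DisableChangePassword", "DisableLockWorkstation", "NoSecurityTab", "DisallowCpl",
    "NoLogoff", "NoNetworkConnections", "HideRunAsVerb", "NoChangeStartMenu", "NoSetTaskbar",
}

HJT_RUN = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
CF_SERVICE = re.compile(r"^[RS]\d \S+;[^;]*;(?P<path>.+)$")   # ComboFix "S3 Name;Display;Path"
ABS_PATH = re.compile(r"^(\\\?\?\\)?[A-Za-z]:\\")
# First executable in a command line; tolerates quotes, arguments and an ADS suffix (file.exe:stream).
EXE_IN_CMD = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|scr|com|bat|cmd|sys)(?::\w+)?)"?(?:\s|$)', re.IGNORECASE)
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")             # a second colon after the drive letter


@dataclass(frozen=True)
class Finding:
    kind: str      # "masquerade", "ads_image" or "lockout_policy"
    detail: str
    line: str


def _exe_path(cmd: str) -> Optional[str]:
    m = EXE_IN_CMD.match(cmd.strip())
    return m.group("path") if m else None


def check_binary(cmd: str, line: str) -> list:
    """Path-based checks on one command line, service image path or process path."""
    findings = []
    path = _exe_path(cmd)
    if path is None:
        return findings
    if path.startswith("\\??\\"):          # NT object-manager prefix used in service ImagePaths
        path = path[4:]
    if ADS_PATH.match(path):
        findings.append(Finding("ads_image", f"executable loaded from an NTFS alternate data stream: {path}", line))
    base, directory = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    if base in CORE_PROCESSES and directory != SYSTEM32:
        findings.append(Finding("masquerade", f"{base} launched from {directory or '<no directory>'} instead of {SYSTEM32}", line))
    return findings


def triage_line(line: str) -> list:
    """Classify one log line and return the findings it raises (possibly none)."""
    line = line.rstrip()
    if m := HJT_RUN.match(line):
        return check_binary(m.group("cmd"), line)
    if m := CF_SERVICE.match(line):
        return check_binary(m.group("path"), line)
    if m := REG_VALUE.match(line):
        name, rest = m.group("name"), m.group("rest")
        if rest.startswith('"'):                       # REG_SZ: "name"="value" [trailer]
            return check_binary(rest[1:rest.find('"', 1)], line)
        if name in LOCKOUT_POLICIES and rest.split()[:1] == ["1"]:
            return [Finding("lockout_policy", f"{name}=1 hides a recovery or diagnostic UI from the user", line)]
        return []
    if ABS_PATH.match(line):                           # bare path, e.g. the "Running processes" list
        return check_binary(line, line)
    return []


def triage(lines) -> list:
    return [f for line in lines for f in triage_line(line)]


# Sample input copied from the logs in this thread (benign lines kept for contrast).
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [win] C:\WINDOWS\verify.exe",
    r"O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
    r'"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-06 16:23]',
    r'"winlogon"="C:\WINDOWS\csrss.exe" []',
    r'"NoSecurityTab"=1 (0x1)',
    r'"NoTaskGrouping"=0 (0x0)',
    r"R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys",
    r"S3 Oddysee;Oddysee;\??\C:\WINDOWS\system32\ntoskrnl.exe:kernel",
    r'"ImagePath"="\??\C:\WINDOWS\system32\ntoskrnl.exe:kernel"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Run as a script it prints five findings for the sample: two masquerade hits (the HijackThis O4 line and the ComboFix Run value both launching C:\WINDOWS\csrss.exe), one lockout policy, and two alternate-data-stream image paths for the Oddysee service. The verify.exe entry is deliberately not flagged: nothing about its path is wrong in itself, which is why the helpers in this thread still relied on the removal tools' signatures for it.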
Void.22, posted August 20, 2007

Like... my computer only has this virus in MSN: C:\Foto_celular.zip. I have Velox, so I stay connected all day... after a while Avast warns that there's a trojan... so I remove the virus... and it goes on like that all day, warning that a trojan is trying to infect my PC. It's like this every day. And I only use MSN and Orkut... I don't go to any other site... once in a while I go to some sites to download music, but they're trustworthy sites!! So I ask: are these trojans that Avast detects caused by this virus (Foto_celular.zip) that's in my MSN? Regards!!

DigRam, posted August 21, 2007

Like... my computer only has this virus in MSN: C:\Foto_celular.zip. I have Velox, so I stay connected all day... after a while Avast warns that there's a trojan... so I remove the virus... and it goes on like that all day, warning that a trojan is trying to infect my PC. It's like this every day. And I only use MSN and Orkut... I don't go to any other site... once in a while I go to some sites to download music, but they're trustworthy sites!! So I ask: are these trojans that Avast detects caused by this virus (Foto_celular.zip) that's in my MSN? Regards!!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Good evening Void.22!

So I ask: are these trojans that Avast detects caused by this virus (Foto_celular.zip) that's in my MSN?
>@< Yes!
>@< Create a restore point before carrying out these procedures!
>@< Configure Windows to show all files, including hidden ones!
>@< Disable the resident protection of your antivirus and antispyware!
>@< Download EliStarA.
>@< Save it to the Desktop!
>@< Download EliTriIP.
>@< Save it to the Desktop!
>@< PS: Both tools are on the downloads page (Descargas > Utilidades SATINFO).
>@< Select the tools (one at a time!) and click the "Descargar xxx" button at the bottom of the page, where xxx is the name of the chosen tool!
>@< Download Clean.
>@< Save it to Local Disk C and unpack it right there, sending the executable to the Desktop (shortcut).
>@< The executable is an icon called: clean.cmd
>@< Restart the computer and enter Safe Mode.
>@< First, run the EliStartA tool.
>@< Go to its icon and run it!
>@< Accept the proposed terms and wait for the scan to finish. Be patient, it will take a while to finish scanning the PC.
>@< When it finishes, run the EliTriIP tool.
>@< This tool's scan is faster!
>@< When it finishes, run the deep cleaning program (clean) by double-clicking its executable.
>@< A prompt with three options will open: choose option two (2)!
>@< Press Enter! >> Press Enter again! >> Wait!
>@< Press Enter again!
>@< A report (rapport_clean) will appear, which you should copy and post for analysis.
>@< Post the infoSAT.txt report that is in the root of C:\ (Local Disk C) plus rapport_clean.
>@< Also post a new HijackThis log, made in Normal Mode, in your reply.
>@< PS: The EliStarA tool will delete (optional!) your home page! You can set it again afterwards.
Regards!

Void.22, posted August 21, 2007

Like... I think clean isn't working =/ because I press a key and the window closes!! And this message appears:

files missed,did you unzip the wole archive? the script can not further be executed... press any key to continue...

I looked for the rapport_clean report and couldn't find it =/ But I have this program: CCleaner... would that do??

Infosat.txt report

Mon Aug 20 22:44:25 2007
EliStartPage v14.50 ©2007 S.G.H. / Satinfo S.L.
--------------------------------------------------
Lista de Acciones (por Acción Directa):
Por favor, envienos una muestra del fichero C:\Muestras\FOTO_CELULAR.SCR.Muestra EliStartPage v14.50 a "virus@satinfo.es". Gracias.
C:\FOTO_CELULAR.SCR --> Eliminado
C:\FOTO_CELULAR.ZIP --> Eliminado
C:\WINDOWS\SYSTEM32\ODDYSEE.EXE --> Eliminado MalWare.Celular
Por favor, envienos una muestra del fichero C:\Muestras\OSSMTP.DLL.Muestra EliStartPage v14.50 a "virus@satinfo.es". Gracias.
C:\WINDOWS\SYSTEM32\OSSMTP.DLL --> Eliminado
Entrada Eliminada [HKLM\...\Run] "winlogon"="C:\WINDOWS\csrss.exe"
Eliminada Class, "{0A1C811C-88FF-493B-98A9-83B4A649ACD9}" -> C:\WINDOWS\system32\OSSMTP.DLL
Eliminada Class, "{A71C9F09-FD16-4EFD-A939-A7157371B850}" -> C:\WINDOWS\system32\OSSMTP.DLL
Eliminada Class, "{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}" -> C:\WINDOWS\system32\OSSMTP.DLL
Eliminada Class, "{C2A3FF36-C3A5-4334-968C-1DEA85AAA772}" -> C:\WINDOWS\system32\OSSMTP.DLL
Eliminado Servicio, "Oddysee"
Eliminada Clave "HKLM\...\Image File Execution Options\Your Image File Name Here without a path"
Restaurado fichero de Configuración del IE, (IERESET.INF)
Eliminadas las Paginas de Inicio y de Busqueda del IE
Eliminados Ficheros Temporales del IE

Mon Aug 20 22:48:01 2007
EliStartPage v14.50 ©2007 S.G.H. / Satinfo S.L.
--------------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\QooBox\Quarantine\C\WINDOWS\system32\ODDYSEE.EXE.VIR --> Eliminado, MalWare.Celular
C:\QooBox\Quarantine\C\WINDOWS\system32\SSVSCHOST.SYS.VIR --> Eliminado, MalWare.Celular

Mon Aug 20 22:52:28 2007
EliTriIP v3.78 ©2007 S.G.H. / Satinfo S.L.
---------------------------------------------
Lista de Acciones (por Acción Directa):
Entrada Eliminada [HKLM\...\Run] "win"="C:\WINDOWS\verify.exe"
Entrada Eliminada [HKLM\...\Run] "winlogon"="C:\WINDOWS\csrss.exe"

Mon Aug 20 22:52:49 2007
EliStartPage v14.50 ©2007 S.G.H. / Satinfo S.L.
--------------------------------------------------
Lista de Acciones (por Acción Directa):
Por favor, envienos una muestra del fichero C:\Muestras\FOTO_CELULAR.SCR.Muestra EliStartPage v14.50 a "virus@satinfo.es". Gracias.
C:\FOTO_CELULAR.SCR --> Eliminado
C:\FOTO_CELULAR.ZIP --> Eliminado
Entrada Eliminada [HKLM\...\Run] "winlogon"="C:\WINDOWS\csrss.exe"
Restaurado fichero de Configuración del IE, (IERESET.INF)
Eliminadas las Paginas de Inicio y de Busqueda del IE
Eliminados Ficheros Temporales del IE

Mon Aug 20 22:57:41 2007
EliStartPage v14.50 ©2007 S.G.H. / Satinfo S.L.
--------------------------------------------------
Lista de Acciones (por Acción Directa):
Por favor, envienos una muestra del fichero C:\Muestras\FOTO_CELULAR.SCR.Muestra EliStartPage v14.50 a "virus@satinfo.es". Gracias.
C:\FOTO_CELULAR.SCR --> Eliminado
C:\FOTO_CELULAR.ZIP --> Eliminado
C:\WINDOWS\SYSTEM32\ODDYSEE.EXE --> Eliminado MalWare.Celular
Entrada Eliminada [HKLM\...\Run] "winlogon"="C:\WINDOWS\csrss.exe"
Eliminado Servicio, "Oddysee"
Restaurado fichero de Configuración del IE, (IERESET.INF)
Eliminadas las Paginas de Inicio y de Busqueda del IE
Eliminados Ficheros Temporales del IE

Mon Aug 20 22:57:58 2007
EliStartPage v14.50 ©2007 S.G.H. / Satinfo S.L.
--------------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\

Mon Aug 20 23:02:40 2007
EliTriIP v3.78 ©2007 S.G.H. / Satinfo S.L.
---------------------------------------------
Lista de Acciones (por Acción Directa):
Entrada Eliminada [HKLM\...\Run] "win"="C:\WINDOWS\verify.exe"
Entrada Eliminada [HKLM\...\Run] "winlogon"="C:\WINDOWS\csrss.exe"

Mon Aug 20 23:02:45 2007
EliTriIP v3.78 ©2007 S.G.H. / Satinfo S.L.
---------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\

HijackThis report

Note: I used this command: Do a system scan and save a logfile. Is that right or not??

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:22 Lei, on 20/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllcache\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\verify.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRAM FILES\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [win] C:\WINDOWS\verify.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LightDialer] C:\PROGRAM FILES\Velox\Discador\DISCADOR.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak software updater.lnk = C:\PROGRAM FILES\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no
name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.positivoinformatica.com.br O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{96F4CEB3-4E85-4E60-858C-566F79C22BB8}: NameServer = 200.149.55.142 200.165.132.154 O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe Compartilhar este post Link para o post Compartilhar em outros sites
Void.22 (posted August 21, 2007)

Ah!! And one more thing... I was looking at the report and saw that it showed: foto_celular -> eliminado, but when I went to look, it was still there <_< Just letting you know ^^ Thanks for helping me!! Cheers!
DigRam (posted August 21, 2007)

Good evening Void.22!

like... I think the clean isn't working =/ because I press a key and the window closes!! and this message appears: files missed,did you unzip the wole archive? the script can not further be executed... press any key to continue...

>@< The computer is not configured to accept running this script. Abort the procedure!

I looked for the rapport_clean report and didn't find it =/ But I have this program: CCleaner.. does it work??

>@< For cookies and temporary files, yes! But that is not the case here!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

>@< Download KillBox.
>@< Save it to the Desktop!
>@< Open KillBox and check Delete on reboot.
>@< Paste or type, in the box Full path of file to delete, the following file: C:\WINDOWS\system32\dllcache\explorer.exe
>@< Click the X button and, at the question about rebooting, say No
>@< Now enter the file: C:\WINDOWS\csrss.exe
>@< Click the X button and, at the question..., say No!
>@< And finally, enter in the box the file: C:\WINDOWS\verify.exe
>@< Click the X button and, at the question, confirm!
>@< The computer will reboot!
>@< Use this reboot to enter Safe Mode.
>@< Open HijackThis and click Do a system scan only.
>@< Check the entries below and click Fix checked!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [win] C:\WINDOWS\verify.exe

>@< Restart the computer normally!
>@< Make and post a new HJT log in your reply.

Regards!
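As an added illustration, not a tool from this thread and not DigRam's or Void.22's code: a small Python checker that applies the reasoning behind the entries DigRam picked above to the O4 lines of a HijackThis log. It flags a Run value whose target is named like a core Windows process but lives outside that process's real directory (the [winlogon] C:\WINDOWS\csrss.exe entry), an executable dropped directly in the Windows directory (C:\WINDOWS\verify.exe), and, going beyond this post, an image path that points into an NTFS alternate data stream (the ntoskrnl.exe:kernel service path ComboFix reports later in the thread). The expected-directory table, the function names and the sample log lines are constructed for this example.

```python
"""Heuristic checks over HijackThis autostart (O4) lines.

Constructed example for this thread; it is not DigRam's procedure and not
part of HijackThis, ComboFix or any other tool mentioned here.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Core Windows XP processes and the directory each legitimately runs from.
# Constructed table; on a real host compare against your own baseline.
CORE_PROCESSES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Matches "O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe"; Global Startup lines are skipped.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$"
)
# First executable in the target, quoted or not, before any arguments.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|scr|com|bat|pif))"?', re.IGNORECASE)


class Finding(NamedTuple):
    line: str
    reason: str


def executable_path(target: str) -> str | None:
    """Return the executable from an O4 target such as
    '"C:\\Program Files\\QuickTime\\qttask.exe" -atboottime'."""
    m = EXE_RE.match(target.strip())
    return m.group("path") if m else None


def strip_nt_prefix(path: str) -> str:
    """Drop the '\\??\\' NT object prefix seen in service ImagePath values."""
    return path[4:] if path.startswith("\\??\\") else path


def is_ads_path(path: str) -> bool:
    """True when the path names an NTFS alternate data stream (file:stream).
    The drive-letter colon at index 1 is ignored."""
    return ":" in strip_nt_prefix(path)[2:]


def check_path(path: str) -> list[str]:
    """Reasons a start-up or service image path deserves a closer look."""
    reasons: list[str] = []
    p = strip_nt_prefix(path.lower())
    if is_ads_path(p):
        reasons.append("image path points into an NTFS alternate data stream")
        p = p[:2] + p[2:].split(":", 1)[0]  # keep the host file for the checks below
    directory, _, base = p.rpartition("\\")
    expected = CORE_PROCESSES.get(base)
    if expected is not None and directory and directory != expected:
        reasons.append(f"{base} runs from {directory}, expected {expected}")
    elif directory == r"c:\windows" and expected is None:
        reasons.append("executable placed directly in the Windows directory")
    return reasons


def scan_hijackthis(log: str) -> list[Finding]:
    """Apply the heuristics to every O4 Run-key line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RUN_RE.match(line)
        if not m:
            continue
        reasons: list[str] = []
        name = m.group("name").lower()
        if (name if name.endswith(".exe") else name + ".exe") in CORE_PROCESSES:
            reasons.append(f"value name '{m.group('name')}' mimics a system process")
        path = executable_path(m.group("target"))
        if path:
            reasons.extend(check_path(path))
        findings.extend(Finding(line, r) for r in reasons)
    return findings


# Constructed sample: O4 lines as they appear in the thread's HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [win] C:\WINDOWS\verify.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
    # The service image path ComboFix reports later in the thread:
    for r in check_path(r"\??\C:\WINDOWS\system32\ntoskrnl.exe:kernel"):
        print(r)
```

The heuristics are deliberately narrow: a legitimate entry launched by bare file name (SOUNDMAN.EXE) is not resolved through PATH and so is never flagged.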
Void.22 (posted August 21, 2007)

I did everything you said... the only problem is that these 2 aren't there:
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [win] C:\WINDOWS\verify.exe

HijackThis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:09, on 21/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRAM FILES\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LightDialer] C:\PROGRAM FILES\Velox\Discador\DISCADOR.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak software updater.lnk = C:\PROGRAM FILES\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.positivoinformatica.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96F4CEB3-4E85-4E60-858C-566F79C22BB8}: NameServer = 200.149.55.142 200.165.132.154
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 5247 bytes

I'm going to sleep!! lol Cheers!
DigRam (posted August 21, 2007)

Good morning Void.22!

>@< The entries referred to were removed by EliStarA.
>@< Run ComboFix again and post the report (ComboFix.txt).
>@< Also post a new HijackThis log.

Regards!
Void.22 (posted August 21, 2007)

ComboFix report

ComboFix 07-08-14.4 - "Owner" 2007-08-21 13:23:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.46 [GMT -3:00]

ADS removed - ntoskrnl.exe: deleted 4864 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Owner\APPLIC~1\addon.dat
C:\foto_celular.scr
C:\foto_celular.zip
C:\WINDOWS\system32\dllcache\klog.dat
C:\WINDOWS\system32\oddysee.exe

((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))

2007-08-21 13:29 30,720 --a------ C:\WINDOWS\system32\oddysee.exe
2007-08-21 13:29 24,064 --a------ C:\Foto_celular.scr
2007-08-21 13:29 0 --ahsc--- C:\WINDOWS\system32\dllcache\klog.dat
2007-08-21 00:33 <DIR> d-------- C:\!KillBox
2007-08-21 00:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-21 00:23 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-21 00:23 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-21 00:23 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-21 00:22 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-21 00:22 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-21 00:22 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-20 22:44 <DIR> d-------- C:\Muestras
2007-08-19 13:49 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 21:46 <DIR> d-------- C:\PROGRAM FILES\Trend Micro
2007-08-17 22:12 24,064 --a------ C:\WINDOWS\system32\poison.sys
2007-08-06 16:23 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-08-06 16:23 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2007-08-06 16:23 290,816 --a------ C:\WINDOWS\system32\KPDPM.dll
2007-08-06 16:23 225,280 --a------ C:\WINDOWS\system32\KPDPMUI.dll
2007-08-06 16:23 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-08-06 16:23 <DIR> d-------- C:\PROGRAM FILES\QuickTime
2007-08-06 16:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-08-06 16:22 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2007-08-06 16:22 <DIR> d-------- C:\PROGRAM FILES\Common Files\Kodak
2007-08-06 16:21 <DIR> d-------- C:\WINDOWS\system32\color
2007-08-06 16:21 <DIR> d-------- C:\KPCMS
2007-07-31 21:30 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-07-31 21:30 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-22 23:11 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-22 23:10 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 13:24 2136064 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-08-21 00:22 --------- d-------- C:\Program Files\Alwil Software
2007-08-18 21:28 --------- d-------- C:\Program Files\MSN Messenger
2007-08-18 03:59 2180352 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-08-15 15:45 --------- d-------- C:\Program Files\MessengerDiscovery
2007-08-06 16:22 --------- d-------- C:\Program Files\Kodak
2007-08-04 00:39 --------- d-------- C:\Program Files\Common Files\DVDVIDEOSOFT
2007-07-20 16:24 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-07-15 23:14 --------- d-------- C:\Program Files\CCleaner
2007-07-13 23:22 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Avant Profiles
2007-07-06 17:57 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\LimeWire
2007-06-30 00:12 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-26 12:13 851968 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 11:09 658944 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 03:08 1104896 --a--c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-26 03:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 09:57 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-06-19 21:56 2378 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-06-19 10:31 282112 --a--c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-19 10:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-14 15:09 96256 --a--c--- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 15:09 615424 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 15:09 55808 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 15:09 532480 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 15:09 474112 --a--c--- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 15:09 449024 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 15:09 39424 --a--c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 15:09 357888 --a--c--- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 15:09 3058688 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 15:09 251392 --a--c--- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 15:09 205312 --a--c--- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 15:09 16384 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 15:09 151040 --a--c--- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 15:09 1494528 --a--c--- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 15:09 146432 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 15:09 1054208 --a--c--- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 15:09 1023488 --a--c--- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 11:07 18432 --a--c--- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 07:23 138523 ---h-c--- C:\WINDOWS\system32\dllcache\poisonivy.exe
2007-06-13 07:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-11 23:51 10834944 --a--c--- C:\WINDOWS\system32\dllcache\wmp.dll
2007-05-24 16:37 180224 --ahs---- C:\WINDOWS\system32\yxnwc.dll
2007-05-24 16:36 180224 --ahs---- C:\WINDOWS\system32\yxowk.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 20:08 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2006-02-15 21:51 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 18:03]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 16:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-06 16:23]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 19:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"LightDialer"="C:\PROGRAM FILES\Velox\Discador\DISCADOR.EXE" [2006-08-08 13:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 09:44:06 Lei]
Kodak software updater.lnk - C:\PROGRAM FILES\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 Lei]
Software Kodak EasyShare.lnk - C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 03:47:22 Lei]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=1 (0x1)
"DisableLockWorkstation"=1 (0x1)
"NoColorChoice"=1 (0x1)
"NoVisualStyleChoice"=1 (0x1)
"NoDispAppearancePage"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"SetVisualStyle"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=1 (0x1)
"Intellimenus"=1 (0x1)
"LockTaskbar"=1 (0x1)
"NoChangeAnimation"=1 (0x1)
"NoCloseDragDropBands"=1 (0x1)
"NoDFSTab"=1 (0x1)
"NoManageMyComputerVerb"=1 (0x1)
"NoMovingBands"=1 (0x1)
"NoNetConnectDisconnect"=1 (0x1)
"NoNetworkConnections"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoSecurityTab"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoStartMenuNetworkPlaces"=1 (0x1)
"NoTaskGrouping"=0 (0x0)
"StartMenuLogOff"=1 (0x1)
"DisallowCpl"=1 (0x1)
"ForceClassicControlPanel"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoSetTaskbar"=1 (0x1)
"NoTrayContextMenu"=1 (0x1)
"NoSimpleStartMenu"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoOnlinePrintsWizard"=1 (0x1)
"NoWebServices"=1 (0x1)
"NoWebView"=0 (0x0)
"NoEnumEntireNetwork"=1 (0x1)
"HideRunAsVerb"=1 (0x1)
"NoThumbnailCache"=1 (0x1)
"NoLogoff"=1 (0x1)
"NoChangeStartMenu"=1 (0x1)
"NoActiveDesktopChanges"=1 (0x1)
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 Oddysee;Oddysee;\??\C:\WINDOWS\system32\ntoskrnl.exe:kernel
S3 UXDCMN;UXDCMN;\??\C:\sysprep\wst\UXDCMN.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
AutoRun\command- P:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71f6cc7c-75c9-11db-8b37-806d6172696f}]
AutoRun\command- D:\install.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F9E9A340-D1F1-11D0-821E-POISONIVY2007}]
C:\WINDOWS\system32\dllcache\poisonivy.exe s

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 13:29:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ntoskrnl.exe:kernel 4864 bytes executable

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Oddysee]
"ImagePath"="\??\C:\WINDOWS\system32\ntoskrnl.exe:kernel"

Completion time: 2007-08-21 13:36:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 13:36
C:\ComboFix2.txt ... 2007-08-19 14:00

--- E O F ---

HijackThis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:42, on 21/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRAM FILES\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LightDialer] C:\PROGRAM FILES\Velox\Discador\DISCADOR.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak software updater.lnk = C:\PROGRAM FILES\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.positivoinformatica.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96F4CEB3-4E85-4E60-858C-566F79C22BB8}: NameServer = 200.149.55.142 200.165.132.154
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 5265 bytes

Regards!
Void.22 (posted August 21, 2007)

I found this:

2006-08-03 05:00 2804224 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_000110_.tmp.dll.vir
2006-08-03 05:00 34304 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir
2007-06-13 07:23 22040 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\addon.dat.vir
2007-08-21 12:04 24064 --a------ C:\Qoobox\Quarantine\C\Foto_celular.scr.vir
2007-08-21 12:04 30720 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oddysee.exe.vir
2007-08-21 13:24 16890 --a------ C:\Qoobox\Quarantine\C\Foto_celular.zip.vir
2007-08-21 13:25 86707 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\klog.dat.vir

Folder PATH listing
Volume serial number is EC71-489F
C:\QOOBOX\
---Quarantine
    +---C
    |   |   Foto_celular.scr.vir
    |   |   Foto_celular.zip.vir
    |   |
    |   +---DOCUME~1
    |   |   \---Owner
    |   |       \---APPLIC~1
    |   |               addon.dat.vir
    |   |
    |   \---WINDOWS
    |       \---system32
    |           |   oddysee.exe.vir
    |           |   _000008_.tmp.dll.vir
    |           |   _000110_.tmp.dll.vir
    |           |
    |           \---dllcache
    |                   klog.dat.vir
    |
    \---Registry_backups
Void.22 0 Denunciar post Postado Agosto 21, 2007 CONSEGUI TIRAR O VIRUS DIGRAM !!!! :joia: :clap: :D :yay: Baixei um programa: O nome dele é: Removedor Foto_Celular V 1.16 Da uma olhada no relatorio do Hijack pra ver se esta tudo bem!! Relatorio do programa Removedor Foto_Celular V 1.16 Removedor Foto_Celular V 1.16 http://taticas.forumotion.com/index.htm -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- Data:21/08/2007 - Hora:19:30:39 por "Owner" em Modo Normal .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. Analisando arquivos... ---------------------------- C:\Foto_celular.scr »»»»»»»»»»» infectado removido C:\Foto_celular.zip »»»»»»»»»»» infectado removido C:\WINDOWS\system32\oddysee.exe »»»»»»»»»»» infectado removido C:\WINDOWS\system32\poison.sys »»»»»»»»»»» infectado removido C:\WINDOWS\system32\dllcache\poisonivy.exe »»»»»»»»»»» infectado removido C:\WINDOWS\system32\dllcache\klog.dat »»»»»»»»»»» infectado removido C:\Documents and Settings\Owner\Application Data\addon.dat »»»»»»»»»»» infectado removido -------------------------------------------------------------------------------------------- Localizando ADS... ------------------------ Verificando: C:\WINDOWS »»»»»»»»»» Limpo! Verificando: C:\WINDOWS\system32 »»»»»»»»»» Limpo! Verificando: C:\WINDOWS\system32\svchost.exe »»»»»»»»»» Limpo! Verificando: C:\WINDOWS\system32\ntoskrnl.exe »»»»»»»»»» Limpo! Finalizando Limpeza... ----------------------------- -------------------------------------------------------------------------------------------- Finalizado! 
--------------------------------------------------------------------------------------------
HijackThis report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:46 Lei, on 21/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRAM FILES\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LightDialer] C:\PROGRAM FILES\Velox\Discador\DISCADOR.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak software updater.lnk = C:\PROGRAM FILES\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\PROGRAM FILES\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.positivoinformatica.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96F4CEB3-4E85-4E60-858C-566F79C22BB8}: NameServer = 200.149.55.142 200.165.132.154
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Thanks for helping me, DigRam!! I really appreciate it!!!
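As an added example, not code from this thread or from Trend Micro's HijackThis: a small Python helper that parses a log in the HijackThis format posted above, lists the O4 autorun entries with the executable each one launches, and flags the two things a helper reviewing such a log checks first, entries that point at a file that no longer exists ("(no file)") and the O17 NameServer setting, which should belong to the user's ISP. The sample log embedded below is constructed in the same format with placeholder GUIDs and documentation-range DNS addresses; it is not taken from any real machine.

```python
"""Triage helper for logs in the HijackThis v2 format.

Added example, not part of the forum thread or of HijackThis itself.
"""
import re
from collections import defaultdict

# Constructed sample in the HijackThis format: placeholder (all-zero) GUIDs and
# documentation-range (192.0.2.0/24) DNS addresses, not taken from a real machine.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:46, on 21/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\PROGRAM FILES\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53 192.0.2.54
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry starts with a section code (R0, F1, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# Registry Run entries: <hive>\..\<key>: [<value name>] <command line>
REG_RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and entries keyed by section code."""
    processes = []
    entries = defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # first R/F/O entry ends the process list
            entries[m.group("code")].append(m.group("body"))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": dict(entries)}


def executable(cmd):
    """Extract the program path from a Run command line (quoted, or unquoted up to '.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def autoruns(parsed):
    """Return O4 entries as dicts; registry Run entries get hive/key/name/cmd/exe fields."""
    result = []
    for body in parsed["entries"].get("O4", []):
        m = REG_RUN_RE.match(body)
        if m:
            d = m.groupdict()
            d["exe"] = executable(d["cmd"])
            result.append(d)
        else:
            result.append({"raw": body})   # e.g. Global Startup shortcuts
    return result


def triage(parsed):
    """Flag orphaned entries and report the configured DNS servers for manual checking."""
    findings = []
    for code, bodies in sorted(parsed["entries"].items()):
        for body in bodies:
            if "(no file)" in body:
                findings.append(f"{code}: orphaned entry pointing at a missing file: {body}")
            if code == "O17":
                m = NAMESERVER_RE.search(body)
                if m:
                    findings.append("O17: DNS servers set to " + m.group("servers")
                                    + " (confirm they belong to the user's ISP)")
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(f"{len(parsed['processes'])} running processes")
    for run in autoruns(parsed):
        print("autorun:", run.get("exe") or run["raw"])
    for finding in triage(parsed):
        print("check:", finding)
```

The parser treats the first R/F/O entry as the end of the process list, which is how HijackThis lays the log out; a log that has been pasted onto a single line, as in the post above, needs to be split back into lines before it is fed to parse_hjt.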
DigRam Posted August 21, 2007

Good evening Void.22!
>@< When I was about to send you this procedure, you came up with the solution from colleague Mr.Coruj@'s site.
>@< The tool is proving very successful at removing Foto Celular!
>@< I didn't send it to you before because of the login, and not everyone is willing to do that in order to download a tool.
>@< But you were willing and, by the look of it, the malware has been removed.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Create a clean System Restore point! Right-click My Computer >> Properties >> System Restore >> check: Turn off System Restore >> Apply >> OK. Then uncheck it again! >> Apply >> OK. For more details, see: < Docs >
>@< The log is clean!
>@< Good work! Regards!
jgarcia Posted February 5, 2008

PROBLEM SOLVED! Should the author need the topic reopened, send a Private Message to a Moderator with a link to the topic.