marcelito (posted August 30, 2007)

A yellow icon appeared in the right corner of my PC warning that there was spyware. Reading the forum, I downloaded programs like Killbox (which I couldn't figure out how to run), Ewido, HijackThis and SmitFraudFix. I ran scans with the ones I managed to run; the yellow icon disappeared, but the PC still doesn't recognize me as administrator, and every time I run some program a "thumb" file appears in the folder that I don't know what it is (I'm a layman). Please, I'm asking for help. Here are the scan reports:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:11:22, on 30/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Marcelo\Desktop\pacote\HiJackThis_v2.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [inCD] "C:\Arquivos de programas\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFD46C11-6792-4191-877A-E6C4CD2E490F}: NameServer = 200.147.255.101 200.221.11.100
O20 - AppInit_DLLs: C:\WINDOWS\system32\hadjajr.ini
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe

--
End of file - 4084 bytes

Here is the Ewido one:

---------------------------------------------------------
AVG Anti-Spyware - Relatório de verificação
---------------------------------------------------------

+ Criação: 12:39:19 30/8/2007

+ Resultado da verificação:

C:\System Volume Information\_restore{6905E30B-7637-4460-BB11-F15267D4D61C}\RP151\A0194847.exe -> Adware.Trymedia : Limpo.
C:\System Volume Information\_restore{6905E30B-7637-4460-BB11-F15267D4D61C}\RP149\A0189723.exe -> Adware.Webdir : Limpo.
C:\System Volume Information\_restore{6905E30B-7637-4460-BB11-F15267D4D61C}\RP129\A0163710.exe -> Backdoor.Sturf : Limpo com backup (em quarentena).
C:\System Volume Information\_restore{6905E30B-7637-4460-BB11-F15267D4D61C}\RP129\A0163711.exe -> Backdoor.Sturf : Limpo com backup (em quarentena).
C:\System Volume Information\_restore{6905E30B-7637-4460-BB11-F15267D4D61C}\RP129\A0163712.exe -> Backdoor.Sturf : Limpo com backup (em quarentena).
C:\Documents and Settings\Marcelo\Cookies\marcelo@2o7[2].txt -> TrackingCookie.2o7 : Limpo.
C:\Documents and Settings\Marcelo\Cookies\marcelo@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Limpo.
C:\Documents and Settings\Marcelo\Cookies\marcelo@msnservices.112.2o7[1].txt -> TrackingCookie.2o7 : Limpo.
C:\Documents and Settings\Marcelo\Cookies\marcelo@atdmt[2].txt -> TrackingCookie.Atdmt : Limpo.
C:\Documents and Settings\Marcelo\Cookies\marcelo@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Limpo.
C:\System Volume Information\_restore{6905E30B-7637-4460-BB11-F15267D4D61C}\RP157\A0203609.cmd -> Trojan.Disabler.i : Limpo com backup (em quarentena).

::Fim do relatório

Here is the SmitFraudFix one:

SmitFraudFix v2.217

Scan done at 13:47:03,28, qui 30/08/2007
Run from C:\Documents and Settings\Marcelo\Desktop\pacote\SmitfraudFix
OS: Microsoft Windows XP [versão 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\hadjajr.ini FOUND !
C:\WINDOWS\system32\printer.exe FOUND !
C:\WINDOWS\system32\vtr???.dll FOUND !
C:\WINDOWS\system32\WinAvXX.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Marcelo

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Marcelo\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\Marcelo\MENUIN~1\PROGRA~1\INICIA~1\system.exe FOUND !
C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\INICIA~1\autorun.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Marcelo\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Arquivos de programas

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\hadjajr.ini"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 200.221.11.101
DNS Server Search Order: 200.147.255.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{EFD46C11-6792-4191-877A-E6C4CD2E490F}: NameServer=200.221.11.101 200.147.255.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{EFD46C11-6792-4191-877A-E6C4CD2E490F}: NameServer=200.221.11.101 200.147.255.100

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Thank you, and please help me!
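Added here as an illustration, not code from the thread or from any of the tools it names: a small Python triage that reads HijackThis-style lines and a hosts file and flags the patterns visible in the logs above (an extra executable on the F2 Shell= line, the O7 DisableRegedit policy, a non-DLL path in O20 AppInit_DLLs, and hosts entries that send Microsoft or Panda domains to a non-loopback address). The sample lines are constructed to mirror the posted logs; the protected-domain list is an assumption chosen from the domains in that hosts dump.

```python
import ipaddress
import re

# Constructed sample modelled on the HijackThis log posted above, plus two
# benign lines (O4, O23) that the triage should pass over.
SAMPLE_HJT = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\hadjajr.ini
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
"""

# Constructed sample hosts file: a subset of the block SmitFraudFix reported,
# plus ordinary entries that must not be flagged.
SAMPLE_HOSTS = """# default entry
127.0.0.1 localhost
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 www.pandasoftware.com
0.0.0.0 ad.doubleclick.net
"""

# Domains whose redirection blocks updates or AV vendors (assumed list,
# taken from the domains seen in the hosts dump above).
PROTECTED_SUFFIXES = ("microsoft.com", "pandasoftware.com", "windowsupdate.com")


def triage_hjt(text):
    """Return (section, reason, line) for each HijackThis line that matches a
    persistence or lockout pattern seen in the thread."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "F2":
            m = re.search(r"Shell=(.*)$", line, re.IGNORECASE)
            # A healthy XP system has Shell=Explorer.exe and nothing else.
            if m and m.group(1).strip().lower() != "explorer.exe":
                findings.append((section, "extra shell executable", line))
        elif section == "O7" and re.search(r"DisableRegedit=1", line):
            findings.append((section, "registry editor disabled by policy", line))
        elif section == "O20" and "AppInit_DLLs:" in line:
            value = line.split("AppInit_DLLs:", 1)[1].strip()
            # AppInit_DLLs is normally empty; a non-.dll path is doubly odd.
            if value:
                reason = "AppInit_DLLs set"
                if not value.lower().endswith(".dll"):
                    reason += " to a non-DLL path"
                findings.append((section, reason, line))
    return findings


def triage_hosts(text):
    """Return (ip, hostname) for hosts entries that point a protected domain
    anywhere other than the local machine."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an IP
        for host in parts[1:]:
            h = host.lower()
            if any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES):
                # Loopback/unspecified would merely block the site; a private
                # LAN address (as in the log above) can serve forged content.
                if not (ip.is_loopback or ip.is_unspecified):
                    findings.append((str(ip), h))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_HJT):
        print(f"[{section}] {reason}: {line}")
    for ip, host in triage_hosts(SAMPLE_HOSTS):
        print(f"[hosts] {host} redirected to {ip}")
```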
jgarcia (posted August 30, 2007)

Hey marcelito,

Download ComboFix at: ComboFix

1) Double-click combofix.exe and press "Y" to proceed. The process takes about 10 minutes on average;
2) ComboFix will restart the PC automatically so that the removal process can finish (only if there is an infection);
3) When the scan finishes, a log will be generated at C:\ComboFix.txt;
4) Do not click on the ComboFix window, nor close it by clicking the X, while the tool is running, since this will mess up your desktop (it will turn completely white);
5) To stop or exit ComboFix, press "N";
6) I need you to paste the contents of ComboFix.txt in your next reply.

Regards.
marcelito (posted August 31, 2007)

Dear friend, ComboFix scanned in less than 2 minutes and did not restart the PC. Here is the scan result:

ComboFix 07-08-30.3 - "Marcelo" 2007-08-30 21:18:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.152 [GMT -3:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Marcelo\Desktop\internet explorer.lnk
C:\WINDOWS\system32\csrs.txt

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))

2007-08-30 21:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 13:56 177,743 --a------ C:\Pass2.cmd
2007-08-30 13:47 2,008 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-30 12:40 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-30 12:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-30 12:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-30 10:52 <DIR> d-------- C:\!KillBox
2007-08-30 10:41 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-29 18:56 <DIR> d-------- C:\Arquivos de programas\mst software
2007-08-29 17:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-27 20:31 <DIR> d-------- C:\Arquivos de programas\EA GAMES
2007-08-27 16:35 <DIR> d-------- C:\GameRival
2007-08-27 16:35 <DIR> d-------- C:\Arquivos de programas\Gold Miner
2007-08-27 16:34 <DIR> d-------- C:\Arquivos de programas\ReflexiveArcade
2007-08-27 13:05 <DIR> d-------- C:\Arquivos de programas\Slots_Trucking
2007-08-27 12:25 <DIR> d-------- C:\Arquivos de programas\Alien 3
2007-08-25 19:03 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-08-25 18:00 149,504 --a------ C:\WINDOWS\UNWISE.EXE
2007-08-25 18:00 <DIR> d-------- C:\Arquivos de programas\Vampirjagd2
2007-08-25 17:27 <DIR> d-------- C:\Arquivos de programas\Smileyville demo
2007-08-25 14:09 <DIR> d-------- C:\Arquivos de programas\Wiering Software
2007-08-23 16:08 <DIR> d-------- C:\Arquivos de programas\AxBx
2007-08-23 12:11 <DIR> d-------- C:\Arquivos de programas\LocoXmasdemo
2007-08-23 11:39 <DIR> d-------- C:\Arquivos de programas\Family Games
2007-08-23 11:23 122,880 --a------ C:\WINDOWS\UnGins.exe
2007-08-23 11:23 <DIR> d-------- C:\Arquivos de programas\SillyBalls
2007-08-23 11:20 <DIR> d-------- C:\Downloads
2007-08-22 16:14 <DIR> d-------- C:\Arquivos de programas\Slots_Paris
2007-08-18 22:44 <DIR> d-------- C:\Arquivos de programas\Eagleslots Games
2007-08-18 11:14 <DIR> d-------- C:\Gunsdemo
2007-08-16 22:11 <DIR> d-------- C:\DOCUME~1\Marcelo\DADOSD~1\Nokia
2007-08-15 20:01 <DIR> d-------- C:\DOCUME~1\Marcelo\Phone Browser
2007-08-15 13:12 <DIR> d-------- C:\Arquivos de programas\Chicken Invaders
2007-08-15 12:16 <DIR> d-------- C:\Arquivos de programas\Tetris
2007-08-15 12:14 <DIR> d-------- C:\Arquivos de programas\Puxa Rápido
2007-08-14 18:52 <DIR> d-------- C:\Arquivos de programas\Valkyrie Studios
2007-08-14 18:37 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-11 19:20 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-11 19:20 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-08-11 19:20 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-11 19:20 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-10 17:29 <DIR> d-------- C:\Arquivos de programas\Golden Mine Demo
2007-08-10 15:29 <DIR> d-------- C:\Arquivos de programas\Monkey Boy Demo
2007-08-10 08:54 <DIR> d-------- C:\Arquivos de programas\Filzip
2007-08-09 12:19 <DIR> d-------- C:\Arquivos de programas\Calligula Demo
2007-08-08 22:21 <DIR> d-------- C:\Arquivos de programas\Whisky
2007-08-04 13:15 <DIR> d-------- C:\WINDOWS\system32\FlashAX
2007-07-22 19:56 931 --a------ C:\WINDOWS\system32\cleardel.reg
2007-07-19 13:39 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-19 13:39 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-19 13:39 <DIR> d-------- C:\Arquivos de programas\Xvid
2007-07-14 12:54 <DIR> d-------- C:\Arquivos de programas\WinAVI Video Converter
2007-07-14 12:51 <DIR> d-------- C:\DOCUME~1\Marcelo\DADOSD~1\OpenOffice.org2
2007-07-14 12:50 <DIR> d-------- C:\Arquivos de programas\OpenOffice.org 2.2
2007-07-14 10:47 12,295,929 --------- C:\AVG7QT.DAT
2007-07-13 11:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Favoritos
2007-07-12 23:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy
2007-07-12 23:36 <DIR> d-------- C:\Arquivos de programas\NimoCodec Pack
2007-07-12 23:36 <DIR> d-------- C:\Arquivos de programas\DivX
2007-07-12 11:36 <DIR> d-------- C:\DOCUME~1\Marcelo\DADOSD~1\Skype
2007-07-12 11:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Skype
2007-07-12 11:36 <DIR> d-------- C:\Arquivos de programas\Skype
2007-07-12 11:32 <DIR> dr-h----- C:\MSOCache
2007-07-07 15:41 <DIR> d-------- C:\WINDOWS\system32\FlashAX2
2007-07-07 12:02 <DIR> d-------- C:\Piggybak
2007-07-02 13:03 23,552 --------- C:\WINDOWS\KiG.exe
2007-07-01 20:39 <DIR> d-------- C:\WINDOWS\system32\ajuda
2007-07-01 19:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\UOL
2007-07-01 19:58 <DIR> d-------- C:\Arquivos de programas\UOL

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-16 22:25 --------- d--h----- C:\Arquivos de programas\InstallShield Installation Information
2007-08-14 18:47 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-08-14 18:47 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-08-14 18:47 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-08-11 18:56 --------- d-------- C:\Arquivos de programas\Pokie Magic Games
2007-07-22 20:23 --------- d-------- C:\Arquivos de programas\MSN Messenger
2007-07-07 22:08 --------- d-------- C:\Arquivos de programas\Windows Live Safety Center
2007-07-01 21:15 --------- d-------- C:\Arquivos de programas\Windows Live Toolbar
2007-06-30 20:29 --------- d-------- C:\Arquivos de programas\AmericanSlots_Demo
2007-06-30 20:25 --------- d-------- C:\DOCUME~1\Marcelo\DADOSD~1\Google
2007-06-30 20:23 --------- d-------- C:\Arquivos de programas\Google
2007-06-30 18:59 720896 --a------ C:\WINDOWS\iun6002.exe
2007-06-29 15:08 --------- d-------- C:\Arquivos de programas\Activision
2007-06-29 14:10 --------- d-------- C:\Arquivos de programas\MILHAO2
2007-06-14 11:16 286720 --a------ C:\WINDOWS\iun506.exe
1998-08-24 11:09 10000 --a------ C:\WINDOWS\inf\unregpn.exe
--------- C:\Arquivos de programas\Puxa Rápido

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 12:00 C:\WINDOWS\SOUNDMAN.EXE]
"InCD"="C:\Arquivos de programas\Ahead\InCD\InCD.exe" [2005-01-27 14:17]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 20:06]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe" [2007-07-14 12:50]
"!AVG Anti-Spyware"="C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 06:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\nbj.exe" [2005-05-19 19:38]

C:\DOCUME~1\Marcelo\MENUIN~1\PROGRA~1\INICIA~1\
Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hadjajr.ini

R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys
R2 Ps2KSecureKeyboard;SecureKbd;\??\C:\WINDOWS\system32\DRIVERS\psseckbd.sys
R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys
S3 mstTADsk;mst TotalAccess Disk Driver;\??\C:\WINDOWS\system32\drivers\mstTADsk.sys
S3 s3chipid;s3chipid;\??\C:\DOCUME~1\Marcelo\CONFIG~1\Temp\s3chipid.sys
S4 SNMgrSvc;SNMgrSvc;"C:\WINDOWS\system32\SnMgrSvc.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f544eff9-ae33-11db-8f87-00173144ea9f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 21:20:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Thank you, I await your reply.
marcelito (posted August 31, 2007)

Dear Garcia, now the PC is recognizing me as administrator, but it is slow. This morning my AVG detected and sent to quarantine the following: virus found host (c:\windows\system32\drivers\etc\host) trojan horse volume generic. This is the new HijackThis report:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:11:55, on 31/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\Documents and Settings\Marcelo\Desktop\pacote\HiJackThis_v2.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [inCD] "C:\Arquivos de programas\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\nbj.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFD46C11-6792-4191-877A-E6C4CD2E490F}: NameServer = 200.147.255.101 200.221.11.100
O20 - AppInit_DLLs: C:\WINDOWS\system32\hadjajr.ini
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe

--
End of file - 3741 bytes

Thank you for your help, it has already helped a lot.
jgarcia (posted August 31, 2007)

Hey marcelito,

1. Download BankerFix.
2. Temporarily disable your antivirus.
3. Double-click bankerfix.exe. A message will appear saying it will be downloaded over the internet. Click Ok -> Ok. Press Enter and wait for the scan to finish.
4. When the scan is done, read the message on screen and press Enter again.
5. Re-enable your antivirus.
6. Come back with a new HijackThis log, together with BankerFix's relatorio.txt (it will be in C:\LinhaDefensiva\).
7. After posting your reply you can delete the LinhaDefensiva folder on C.

Regards.
marcelito (posted August 31, 2007)

Dear Garcia :clap: I did what you told me. Here are the reports. Should I delete the viruses that are in AVG's quarantine?

BankerFix 2.4 - Removedor de Bankers
Linha Defensiva - http://www.linhadefensiva.org
http://www.linhadefensiva.org/bankerfix/
Data: 31/8/2007 - 16:41
-------------------------------------------------------
Lista de Definição: 2007-08-18-1
=======================================================

Killando arquivos em Help
-----------------------------------
Killing '*'

Removendo Arquivos em Help
-----------------------------------

Arquivos ruins restantes
-----------------------------------

----- Fim -------------------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:36:56, on 31/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe
C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\Arquivos de programas\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Marcelo\Desktop\pacote\HiJackThis_v2.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [inCD] "C:\Arquivos de programas\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\nbj.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFD46C11-6792-4191-877A-E6C4CD2E490F}: NameServer = 200.147.255.101 200.221.11.100
O20 - AppInit_DLLs: C:\WINDOWS\system32\hadjajr.ini
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe

--
End of file - 3774 bytes

I await your reply, and thank you very much for your dedication.
jgarcia (posted August 31, 2007)

> Dear Garcia :clap: I did what you told me. Here are the reports. Should I delete the viruses that are in AVG's quarantine?

Yes. Did you run SmitFraudFix Option 2?
marcelito (posted August 31, 2007)

Honestly I don't remember whether I did, but I did it now. First I deleted the viruses from AVG and then I ran SmitFraudFix option 2. Here is the report:

SmitFraudFix v2.217

Scan done at 17:57:11,48, --- 31/08/2007
Run from C:\Documents and Settings\Marcelo\Desktop\pacote\SmitfraudFix
OS: Microsoft Windows XP [versão 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atw

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS3\Services\Tcpip\..\{EFD46C11-6792-4191-877A-E6C4CD2E490F}: NameServer=200.221.11.101 200.147.255.100

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\hadjajr.ini Please, Reboot and Run SmitfraudFix option 2 once again.

»»»»»»»»»»»»»»»»»»»»»»»» End

I await your reply, and thank you again.
jgarcia (posted August 31, 2007)

Hey marcelito,

Let's go. Set Windows to show all files (including hidden ones).

Step 1

Download Killbox at: Killbox

1. Run Killbox, click Delete on Reboot.
2. Copy the bold list below to the clipboard. Select it all with the mouse --> go to the Edit menu in the browser bar --> click Copy.

C:\WINDOWS\system32\hadjajr.ini

3. Return to Killbox. Click File > Paste from clipboard. Click All Files.
4. Press "X". Answer "no" to the question.

It is prudent to print this document or save it somewhere easy to reach, because in the next step we will go into Safe Mode and an internet connection will not be possible.

Step 2

Restart the computer in Safe Mode (when restarting, press the F8 key repeatedly until a black DOS screen appears, and choose the Safe Mode option).

Run HijackThis, click Do a system scan only and check:

O20 - AppInit_DLLs: C:\WINDOWS\system32\hadjajr.ini

Click Fix Checked.

Step 3

Restart in Normal Mode. Delete the contents of the C:\!Killbox folder. Post new ComboFix and HijackThis logs.

Awaiting your reply. Regards.
marcelito (posted September 1, 2007)

Dear Garcia, I managed to enable hidden files, but I can't get Killbox to run. I run it and enter the string (C:\WINDOWS\system32\hadjajr.ini), but all I see is a green light blinking, and I don't see any scan happening. Sorry to bother you, but could you explain to me in simpler terms (like to a child, haha) how to run Killbox? The other steps I can do fine; it's only that one that trips me up. Thanks again, especially for your patience.
marcelito (posted September 1, 2007)

Dear Garcia, I managed to run Killbox. I did the HijackThis scan and nothing that you told me to check showed up. Here is the result:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:58:30, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\MICROS~2\OFFICE11\WORDVIEW.EXE
C:\Documents and Settings\Marcelo\Desktop\pacote\HiJackThis_v2.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [inCD] "C:\Arquivos de programas\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\nbj.exe"
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe

--
End of file - 2788 bytes

I continued with the other steps anyway (ComboFix and HijackThis again). Here are the results:

ComboFix 07-08-30.3 - "Marcelo" 2007-08-30 21:18:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.152 [GMT -3:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Marcelo\Desktop\internet explorer.lnk
C:\WINDOWS\system32\csrs.txt

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))
2007-08-30 21:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 13:56 177,743 --a------ C:\Pass2.cmd
2007-08-30 13:47 2,008 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-30 12:40 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-30 12:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-30 12:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-30 10:52 <DIR> d-------- C:\!KillBox
2007-08-30 10:41 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-29 18:56 <DIR> d-------- C:\Arquivos de programas\mst software
2007-08-29 17:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-27 20:31 <DIR> d-------- C:\Arquivos de programas\EA GAMES
2007-08-27 16:35 <DIR> d-------- C:\GameRival
2007-08-27 16:35 <DIR> d-------- C:\Arquivos de programas\Gold Miner
2007-08-27 16:34 <DIR> d-------- C:\Arquivos de programas\ReflexiveArcade
2007-08-27 13:05 <DIR> d-------- C:\Arquivos de programas\Slots_Trucking
2007-08-27 12:25 <DIR> d-------- C:\Arquivos de programas\Alien 3
2007-08-25 19:03 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-08-25 18:00 149,504 --a------ C:\WINDOWS\UNWISE.EXE
2007-08-25 18:00 <DIR> d-------- C:\Arquivos de programas\Vampirjagd2
2007-08-25 17:27 <DIR> d-------- C:\Arquivos de programas\Smileyville demo
2007-08-25 14:09 <DIR> d-------- C:\Arquivos de programas\Wiering Software
2007-08-23 16:08 <DIR> d-------- C:\Arquivos de programas\AxBx
2007-08-23 12:11 <DIR> d-------- C:\Arquivos de programas\LocoXmasdemo
2007-08-23 11:39 <DIR> d-------- C:\Arquivos de programas\Family Games
2007-08-23 11:23 122,880 --a------ C:\WINDOWS\UnGins.exe
2007-08-23 11:23 <DIR> d-------- C:\Arquivos de programas\SillyBalls
2007-08-23 11:20 <DIR> d-------- C:\Downloads
2007-08-22 16:14 <DIR> d-------- C:\Arquivos de programas\Slots_Paris
2007-08-18 22:44 <DIR> d-------- C:\Arquivos de programas\Eagleslots Games
2007-08-18 11:14 <DIR> d-------- C:\Gunsdemo
2007-08-16 22:11 <DIR> d-------- C:\DOCUME~1\Marcelo\DADOSD~1\Nokia
2007-08-15 20:01 <DIR> d-------- C:\DOCUME~1\Marcelo\Phone Browser
2007-08-15 13:12 <DIR> d-------- C:\Arquivos de programas\Chicken Invaders
2007-08-15 12:16 <DIR> d-------- C:\Arquivos de programas\Tetris
2007-08-15 12:14 <DIR> d-------- C:\Arquivos de programas\Puxa Rápido
2007-08-14 18:52 <DIR> d-------- C:\Arquivos de programas\Valkyrie Studios
2007-08-14 18:37 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-11 19:20 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-11 19:20 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-08-11 19:20 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-11 19:20 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-10 17:29 <DIR> d-------- C:\Arquivos de programas\Golden Mine Demo
2007-08-10 15:29 <DIR> d-------- C:\Arquivos de programas\Monkey Boy Demo
2007-08-10 08:54 <DIR> d-------- C:\Arquivos de programas\Filzip
2007-08-09 12:19 <DIR> d-------- C:\Arquivos de programas\Calligula Demo
2007-08-08 22:21 <DIR> d-------- C:\Arquivos de programas\Whisky
2007-08-04 13:15 <DIR> d-------- C:\WINDOWS\system32\FlashAX
2007-07-22 19:56 931 --a------ C:\WINDOWS\system32\cleardel.reg
2007-07-19 13:39 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-19 13:39 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-19 13:39 <DIR> d-------- C:\Arquivos de programas\Xvid
2007-07-14 12:54 <DIR> d-------- C:\Arquivos de programas\WinAVI Video Converter
2007-07-14 12:51 <DIR> d-------- C:\DOCUME~1\Marcelo\DADOSD~1\OpenOffice.org2
2007-07-14 12:50 <DIR> d-------- C:\Arquivos de programas\OpenOffice.org 2.2
2007-07-14 10:47 12,295,929 --------- C:\AVG7QT.DAT
2007-07-13 11:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Favoritos
2007-07-12 23:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy
2007-07-12 23:36 <DIR> d-------- C:\Arquivos de programas\NimoCodec Pack
2007-07-12 23:36 <DIR> d-------- C:\Arquivos de programas\DivX
2007-07-12 11:36 <DIR> d-------- C:\DOCUME~1\Marcelo\DADOSD~1\Skype
2007-07-12 11:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Skype
2007-07-12 11:36 <DIR> d-------- C:\Arquivos de programas\Skype
2007-07-12 11:32 <DIR> dr-h----- C:\MSOCache
2007-07-07 15:41 <DIR> d-------- C:\WINDOWS\system32\FlashAX2
2007-07-07 12:02 <DIR> d-------- C:\Piggybak
2007-07-02 13:03 23,552 --------- C:\WINDOWS\KiG.exe
2007-07-01 20:39 <DIR> d-------- C:\WINDOWS\system32\ajuda
2007-07-01 19:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\UOL
2007-07-01 19:58 <DIR> d-------- C:\Arquivos de programas\UOL

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-16 22:25 --------- d--h----- C:\Arquivos de programas\InstallShield Installation Information
2007-08-14 18:47 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-08-14 18:47 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-08-14 18:47 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-08-11 18:56 --------- d-------- C:\Arquivos de programas\Pokie Magic Games
2007-07-22 20:23 --------- d-------- C:\Arquivos de programas\MSN Messenger
2007-07-07 22:08 --------- d-------- C:\Arquivos de programas\Windows Live Safety Center
2007-07-01 21:15 --------- d-------- C:\Arquivos de programas\Windows Live Toolbar
2007-06-30 20:29 --------- d-------- C:\Arquivos de programas\AmericanSlots_Demo
2007-06-30 20:25 --------- d-------- C:\DOCUME~1\Marcelo\DADOSD~1\Google
2007-06-30 20:23 --------- d-------- C:\Arquivos de programas\Google
2007-06-30 18:59 720896 --a------ C:\WINDOWS\iun6002.exe
2007-06-29 15:08 --------- d-------- C:\Arquivos de programas\Activision
2007-06-29 14:10 --------- d-------- C:\Arquivos de programas\MILHAO2
2007-06-14 11:16 286720 --a------ C:\WINDOWS\iun506.exe
1998-08-24 11:09 10000 --a------ C:\WINDOWS\inf\unregpn.exe
--------- C:\Arquivos de programas\Puxa Rápido

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 12:00 C:\WINDOWS\SOUNDMAN.EXE]
"InCD"="C:\Arquivos de programas\Ahead\InCD\InCD.exe" [2005-01-27 14:17]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 20:06]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe" [2007-07-14 12:50]
"!AVG Anti-Spyware"="C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 06:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\nbj.exe" [2005-05-19 19:38]

C:\DOCUME~1\Marcelo\MENUIN~1\PROGRA~1\INICIA~1\
Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hadjajr.ini

R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys
R2 Ps2KSecureKeyboard;SecureKbd;\??\C:\WINDOWS\system32\DRIVERS\psseckbd.sys
R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys
S3 mstTADsk;mst TotalAccess Disk Driver;\??\C:\WINDOWS\system32\drivers\mstTADsk.sys
S3 s3chipid;s3chipid;\??\C:\DOCUME~1\Marcelo\CONFIG~1\Temp\s3chipid.sys
S4 SNMgrSvc;SNMgrSvc;"C:\WINDOWS\system32\SnMgrSvc.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f544eff9-ae33-11db-8f87-00173144ea9f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

*Newly Created Service* - CATCHME

**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 21:20:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************

Completion time: 2007-08-30 21:21:56
C:\ComboFix-quarantined-files.txt ... 2007-08-30 21:21
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:14:06, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Marcelo\Desktop\pacote\HiJackThis_v2.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [inCD] "C:\Arquivos de programas\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\nbj.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe

--
End of file - 3505 bytes

The PC is giving an error when I try to rename a folder or a document: it ruins it, turning it into another file type that is impossible to open. Thanks again, and sorry for so much trouble.
jgarcia (posted September 3, 2007)

Hi marcelito, my post (#9) was made on 31/08/2007, and your ComboFix log is dated 30/08/2007!? :blink: I need you to post a more recent ComboFix log. Cheers.
marcelito (posted September 3, 2007)

Dear Garcia, sorry for the mistake. Here is a fresh new one, made just now. I can't rename any folder, because when I go to rename a folder, photo, etc., a window pops up saying that if I rename it the file may become unusable; I tried it, and that's what happened: it turns into a file that won't open. Well, enough chatter (hahaha), here is the ComboFix log:

ComboFix 07-08-30.3 - "Marcelo" 2007-09-03 20:35:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.169 [GMT -3:00]

((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))
2007-08-30 21:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 13:47 1,914 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-30 12:40 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-30 12:40 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-30 12:40 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-30 10:41 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-29 17:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-27 20:31 <DIR> d-------- C:\Arquivos de programas\EA GAMES
2007-08-27 16:35 <DIR> d-------- C:\GameRival
2007-08-27 16:35 <DIR> d-------- C:\Arquivos de programas\Gold Miner
2007-08-27 16:34 <DIR> d-------- C:\Arquivos de programas\ReflexiveArcade
2007-08-27 13:05 <DIR> d-------- C:\Arquivos de programas\Slots_Trucking
2007-08-27 12:25 <DIR> d-------- C:\Arquivos de programas\Alien 3
2007-08-25 19:03 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-08-25 18:00 149,504 --a------ C:\WINDOWS\UNWISE.EXE
2007-08-25 18:00 <DIR> d-------- C:\Arquivos de programas\Vampirjagd2
2007-08-25 17:27 <DIR> d-------- C:\Arquivos de programas\Smileyville demo
2007-08-25 14:09 <DIR> d-------- C:\Arquivos de programas\Wiering Software
2007-08-23 16:08 <DIR> d-------- C:\Arquivos de programas\AxBx
2007-08-23 12:11 <DIR> d-------- C:\Arquivos de programas\LocoXmasdemo
2007-08-23 11:39 <DIR> d-------- C:\Arquivos de programas\Family Games
2007-08-23 11:23 122,880 --a------ C:\WINDOWS\UnGins.exe
2007-08-23 11:23 <DIR> d-------- C:\Arquivos de programas\SillyBalls
2007-08-23 11:20 <DIR> d-------- C:\Downloads
2007-08-22 16:14 <DIR> d-------- C:\Arquivos de programas\Slots_Paris
2007-08-18 22:44 <DIR> d-------- C:\Arquivos de programas\Eagleslots Games
2007-08-18 11:14 <DIR> d-------- C:\Gunsdemo
2007-08-16 22:11 <DIR> d-------- C:\DOCUME~1\Marcelo\DADOSD~1\Nokia
2007-08-15 20:01 <DIR> d-------- C:\DOCUME~1\Marcelo\Phone Browser
2007-08-15 13:12 <DIR> d-------- C:\Arquivos de programas\Chicken Invaders
2007-08-15 12:16 <DIR> d-------- C:\Arquivos de programas\Tetris
2007-08-15 12:14 <DIR> d-------- C:\Arquivos de programas\Puxa Rápido
2007-08-14 18:52 <DIR> d-------- C:\Arquivos de programas\Valkyrie Studios
2007-08-14 18:37 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-11 19:20 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-11 19:20 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-08-11 19:20 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-11 19:20 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-10 17:29 <DIR> d-------- C:\Arquivos de programas\Golden Mine Demo
2007-08-10 15:29 <DIR> d-------- C:\Arquivos de programas\Monkey Boy Demo
2007-08-10 08:54 <DIR> d-------- C:\Arquivos de programas\Filzip
2007-08-09 12:19 <DIR> d-------- C:\Arquivos de programas\Calligula Demo
2007-08-08 22:21 <DIR> d-------- C:\Arquivos de programas\Whisky
2007-08-04 13:15 <DIR> d-------- C:\WINDOWS\system32\FlashAX

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-31 13:17 --------- d-------- C:\DOCUME~1\Marcelo\DADOSD~1\OpenOffice.org2
2007-08-30 11:55 --------- d-------- C:\Arquivos de programas\WinAVI Video Converter
2007-08-16 22:25 --------- d--h----- C:\Arquivos de programas\InstallShield Installation Information
2007-08-14 18:47 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-08-14 18:47 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-08-14 18:47 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-08-11 18:56 --------- d-------- C:\Arquivos de programas\Pokie Magic Games
2007-07-22 20:23 --------- d-------- C:\Arquivos de programas\MSN Messenger
2007-07-22 19:56 931 --a------ C:\WINDOWS\system32\cleardel.reg
2007-07-19 13:39 --------- d-------- C:\Arquivos de programas\Xvid
2007-07-18 22:03 --------- d-------- C:\Arquivos de programas\NimoCodec Pack
2007-07-14 12:50 --------- d-------- C:\Arquivos de programas\OpenOffice.org 2.2
2007-07-13 12:11 --------- d-------- C:\DOCUME~1\Marcelo\DADOSD~1\Skype
2007-07-13 12:11 --------- d-------- C:\Arquivos de programas\Skype
2007-07-12 23:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy
2007-07-12 23:36 --------- d-------- C:\Arquivos de programas\DivX
2007-07-12 11:36 --------- d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Skype
2007-07-07 22:08 --------- d-------- C:\Arquivos de programas\Windows Live Safety Center
2007-07-03 10:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\UOL
2007-07-03 10:43 --------- d-------- C:\Arquivos de programas\UOL
2007-06-30 18:59 720896 --a------ C:\WINDOWS\iun6002.exe
2007-06-28 18:54 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-28 18:52 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-14 11:16 286720 --a------ C:\WINDOWS\iun506.exe
1998-08-24 11:09 10000 --a------ C:\WINDOWS\inf\unregpn.exe
--------- C:\Arquivos de programas\Puxa Rápido

((((((((((((((((((((((((((((( snapshot_2007-08-30_212125,26 )))))))))))))))))))))))))))))))))))))))))
----a-r 135,168 2007-08-31 17:22:34 C:\WINDOWS\Installer\{90850416-6000-11D3-8CFE-0150048383C9}\misc.exe
----a-r 40,960 2007-08-31 17:22:34 C:\WINDOWS\Installer\{90850416-6000-11D3-8CFE-0150048383C9}\wrdvicon.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 12:00 C:\WINDOWS\SOUNDMAN.EXE]
"InCD"="C:\Arquivos de programas\Ahead\InCD\InCD.exe" [2005-01-27 14:17]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 20:06]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe" [2007-07-14 12:50]
"!AVG Anti-Spyware"="C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 06:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Arquivos de programas\Ahead\Nero BackItUp\nbj.exe" [2005-05-19 19:38]

C:\DOCUME~1\Marcelo\MENUIN~1\PROGRA~1\INICIA~1\
Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys
R2 Ps2KSecureKeyboard;SecureKbd;\??\C:\WINDOWS\system32\DRIVERS\psseckbd.sys
R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys
S3 s3chipid;s3chipid;\??\C:\DOCUME~1\Marcelo\CONFIG~1\Temp\s3chipid.sys
S4 SNMgrSvc;SNMgrSvc;"C:\WINDOWS\system32\SnMgrSvc.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f544eff9-ae33-11db-8f87-00173144ea9f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 20:37:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************

Completion time: 2007-09-03 20:38:41
C:\ComboFix-quarantined-files.txt ... 2007-09-03 20:38
--- E O F ---

Thanks, Garcia, and a big hug.
marcelito (posted September 3, 2007)

Sorry for the silliness; I don't know whether it's needed, but I also found this from ComboFix in the same place:

2007-02-08 00:01 1954 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\csrs.txt.vir
2007-06-18 19:21 104 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Marcelo\Desktop\internet explorer.lnk.vir
2007-08-30 21:21 377287 --a------ C:\Qoobox\snapshot_2007-08-30_212125,26.cf
2007-09-03 20:35 0 --a------ C:\Qoobox\BackEnv\CACHE.folder.cf
2007-09-03 20:35 0 --a------ C:\Qoobox\BackEnv\LOCAL APPDATA.folder.cf
2007-09-03 20:35 0 --a------ C:\Qoobox\BackEnv\LOCAL SETTINGS.folder.cf
2007-09-03 20:35 146 --a------ C:\Qoobox\BackEnv\profiles.folder.cf
2007-09-03 20:35 200 --a------ C:\Qoobox\BackEnv\APPDATA.folder.cf
2007-09-03 20:35 2633 --a------ C:\Qoobox\BackEnv\setpath.bat
2007-09-03 20:35 29 --a------ C:\Qoobox\BackEnv\DESKTOP.folder.cf
2007-09-03 20:35 30 --a------ C:\Qoobox\BackEnv\FAVORITES.folder.cf
2007-09-03 20:35 30 --a------ C:\Qoobox\BackEnv\PERSONAL.folder.cf
2007-09-03 20:35 47 --a------ C:\Qoobox\BackEnv\MY PICTURES.folder.cf
2007-09-03 20:35 59 --a------ C:\Qoobox\BackEnv\TEMPLATES.folder.cf
2007-09-03 20:35 61 --a------ C:\Qoobox\BackEnv\START MENU.folder.cf
2007-09-03 20:35 79 --a------ C:\Qoobox\BackEnv\PROGRAMS.folder.cf
2007-09-03 20:35 97 --a------ C:\Qoobox\BackEnv\STARTUP.folder.cf

Folder PATH listing
Volume serial number is BCE4-323C
C:\QOOBOX
|   snapshot_2007-08-30_212125,26.cf
|
+---BackEnv
|       APPDATA.folder.cf
|       CACHE.folder.cf
|       DESKTOP.folder.cf
|       FAVORITES.folder.cf
|       LOCAL APPDATA.folder.cf
|       LOCAL SETTINGS.folder.cf
|       MY PICTURES.folder.cf
|       PERSONAL.folder.cf
|       profiles.folder.cf
|       PROGRAMS.folder.cf
|       setpath.bat
|       START MENU.folder.cf
|       STARTUP.folder.cf
|       TEMPLATES.folder.cf
|
\---Quarantine
    +---C
    |   +---ComboFix
    |   +---DOCUME~1
    |   |   \---Marcelo
    |   |       \---Desktop
    |   |               internet explorer.lnk.vir
    |   |
    |   \---WINDOWS
    |       \---system32
    |               csrs.txt.vir
    |
    \---Registry_backups

Thanks.
jgarcia (posted September 5, 2007)

Hi marcelito, let's go.

Step 1
Download the Symantec fix tool. Download it -> go to File -> Save As on your desktop, but do not run it yet.
Download CCleaner from: CCleaner
Download it, but do not run it yet.

Step 2
1. Run Killbox and click Delete on Reboot.
2. Copy the list below in bold to the clipboard. Select it all with the mouse --> go to the Edit menu in the browser bar --> click Copy.
C:\WINDOWS\Installer\{90850416-6000-11D3-8CFE-0150048383C9}\misc.exe
C:\WINDOWS\Installer\{90850416-6000-11D3-8CFE-0150048383C9}\wrdvicon.exe
3. Go back to Killbox. Click File > Paste from clipboard. Click All Files.
4. Press "X". Answer "No" to the question.

Step 3
Restart the computer in Normal Mode.
Run the fix tool. To do so, right-click UnHookExec.inf on your desktop and then click Install.
Go to Start -> Run -> type regedit -> click OK.
Navigate to the following subkey:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2
Locate and delete the following folder:
{f544eff9-ae33-11db-8f87-00173144ea9f}
Exit the Registry Editor.
Locate and delete:
C:\WINDOWS\Installer\{90850416-6000-11D3-8CFE-0150048383C9} <- the folder
Go to the folder C:\!Killbox and delete its contents.

Step 4
Restart in Normal Mode again.
Run CCleaner and click Run Cleaner.
Submit the files below, one at a time, to the Jotti site:
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\cleardel.reg
C:\WINDOWS\inf\unregpn.exe
Come back with the results and a new ComboFix log.

Awaiting your reply. Cheers.
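Two of the items in the procedure above come straight from the "Reg Loading Points" block of the ComboFix log: the MountPoints2 subkey whose AutoRun\command value makes Explorer run wscript.exe killVBS.vbs when that volume is opened, and (in the same block) a driver entry, s3chipid, whose image sits in the user's Temp folder rather than under the Windows directory. The script below is an added example written for this page, not part of ComboFix or of any post: it parses that block and reports exactly those two patterns, keying the AutoRun command to the volume GUID so the subkey to remove in regedit is printed alongside the command it would run. The sample block is constructed from the lines in the log above; the entries for SNSMS and SNMgrSvc are included to show that drivers and services under C:\WINDOWS are not reported.

```python
"""Triage of the 'Reg Loading Points' block of a ComboFix log. Added example
for this thread; not part of ComboFix or of any post here."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the Reg Loading Points block posted above.
SAMPLE_BLOCK = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 12:00 C:\WINDOWS\SOUNDMAN.EXE]

R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys
R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys
S3 s3chipid;s3chipid;\??\C:\DOCUME~1\Marcelo\CONFIG~1\Temp\s3chipid.sys
S4 SNMgrSvc;SNMgrSvc;"C:\WINDOWS\system32\SnMgrSvc.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f544eff9-ae33-11db-8f87-00173144ea9f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
"""


@dataclass
class Finding:
    kind: str     # "autorun" (MountPoints2 handler) or "driver" (image in a user-writable dir)
    subject: str  # volume GUID or service name
    detail: str   # the command that would run, or start type plus image path
    raw: str      # the log line itself


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix service lines: "<start type> <name>;<display name>;<image path>"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")
MOUNTPOINT_RE = re.compile(r"\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$", re.IGNORECASE)

# Path fragments that mark a location a non-admin user can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")


def normalize_image(image: str) -> str:
    """Strip the quotes and the \\??\\ NT object-manager prefix ComboFix prints."""
    image = image.strip().strip('"')
    if image.startswith("\\??\\"):
        image = image[4:]
    return image


def image_in_user_writable_dir(image: str) -> bool:
    lowered = image.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def triage(block: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key: Optional[str] = None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        sm = SERVICE_RE.match(line)
        if sm:
            image = normalize_image(sm.group("image"))
            if image_in_user_writable_dir(image):
                findings.append(Finding("driver", sm.group("name"),
                                        f"start type {sm.group('start')}, image {image}", line))
            continue
        if line.startswith("AutoRun\\command") and current_key:
            # Explorer runs this command when the volume under that GUID is opened.
            mm = MOUNTPOINT_RE.search(current_key)
            subject = mm.group("guid") if mm else current_key
            command = line.split("-", 1)[1].strip()
            findings.append(Finding("autorun", subject, command, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_BLOCK):
        print(f"{f.kind:8} {f.subject}\n         {f.detail}")
```

The driver rule is deliberately narrow: a .sys under a user profile or Temp is unusual enough to be worth a look on its own, while a driver under C:\WINDOWS needs the file itself examined (which is what the Jotti submissions in the procedure above are for).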
marcelito (posted September 6, 2007)

End of file - 3731 bytes

GARCIA, I'M WITH YOU AND I'M NOT LETTING GO, I WON'T GIVE UP (HAHAHAHA). THANKS AGAIN, AND SORRY FOR MY BLUNDERS :assobiando:

Dear GARCIA, I downloaded the tools you asked for, ran killbox, and ran the fix tool. I managed to open the subfolders up to CurrentVersion, but the subfolder that opens doesn't say Explorer, it says Internet Settings, and inside it has this:

Name | Type | Data
(Default) | REG_SZ | (value not set)
proxy enable | REG_DWORD
{f544eff9-ae33-11db-8f87-00173144ea9f}

I didn't touch them. I deleted the killbox folders, and when I went to connect to report what had happened, there was no modem any more (MY INTERNET IS DIAL-UP). Imagine my despair, since I had no way to contact you. So I restored the system to last Monday, and nothing; I tried to find the modem, and nothing, the modem had vanished. I turned everything off and went to sleep, intending to look for the modem CD this morning, but when I turned the PC on, surprise, it connects! So those were the steps so far. Please tell me how to get out of this mess. Here is the new HijackThis report:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:29:37, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\ARQUIV~1\MICROS~2\OFFICE11\WORDVIEW.EXE
C:\Documents and Settings\Marcelo\Desktop\pacote\HiJackThis_v2.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [inCD] "C:\Arquivos de programas\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\nbj.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFD46C11-6792-4191-877A-E6C4CD2E490F}: NameServer = 200.221.11.101 200.147.255.100
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe

--
End of file - 3731 bytes
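As an added example that is not part of this thread (my own code, not marcelito's log tools or anything jgarcia posted): a small Python script that splits a HijackThis v2.0 log into its sections and applies a few of the checks a helper does by hand when reading a log like the one above. The sample log is constructed here from entries of the posted log so the script runs offline; the regular expressions and the three heuristics (an autorun with no absolute path, nameservers set in the registry, a service whose binary reports no publisher) are my assumptions about the log format, not HijackThis's own parser. It only reports; it changes nothing on the machine.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2.0 format, assembled from entries of the
# log posted above (paths and nameservers copied from it) so the script runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:29:37, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [inCD] "C:\Arquivos de programas\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: NkvMon.exe.lnk = C:\Arquivos de programas\Nikon\NkView6\NkvMon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFD46C11-6792-4191-877A-E6C4CD2E490F}: NameServer = 200.221.11.101 200.147.255.100
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
--
End of file - 3731 bytes
"""

# Assumed line shapes: "<section code> - <body>", then per-section body formats.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
O4_RUN_RE = re.compile(r"^(?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O4_LNK_RE = re.compile(r"^(?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O17_RE = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$")


def parse_hijackthis(text):
    """Return (header dict, list of running processes, {section code: [entry bodies]})."""
    header, processes, entries = {}, [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False  # a blank line closes the process list
        elif in_processes:
            processes.append(line)
        elif line.startswith("Scan saved at "):
            header["scan"] = line[len("Scan saved at "):]
        elif line.startswith(("Platform: ", "Boot mode: ")):
            key, _, value = line.partition(": ")
            header[key] = value
    return header, processes, dict(entries)


def command_executable(cmd):
    """Program part of an autorun command line, without its arguments."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split(None, 1)
    return parts[0] if parts else ""


def triage(entries):
    """Review heuristics a helper applies by hand; returns (code, reason, detail) tuples."""
    findings = []
    for body in entries.get("O4", []):
        m = O4_RUN_RE.match(body) or O4_LNK_RE.match(body)
        if m and not re.match(r"^[A-Za-z]:\\", command_executable(m.group("cmd"))):
            # Resolved through the PATH search order at logon: confirm which file actually runs.
            findings.append(("O4", "autorun without absolute path",
                             f"[{m.group('name')}] {m.group('cmd')}"))
    for body in entries.get("O17", []):
        m = O17_RE.match(body)
        if m:
            findings.append(("O17", "DNS servers set in the registry; confirm they are your ISP's",
                             m.group("servers")))
    for body in entries.get("O23", []):
        m = O23_RE.match(body)
        if m and m.group("vendor") == "Unknown owner":
            findings.append(("O23", "service binary carries no publisher information",
                             m.group("path")))
    return findings


if __name__ == "__main__":
    header, processes, entries = parse_hijackthis(SAMPLE_LOG)
    print(f"{header['Platform']}: {len(processes)} processes, "
          f"{sum(len(v) for v in entries.values())} entries")
    for code, reason, detail in triage(entries):
        print(f"{code}: {reason}\n    {detail}")
```

The script expects one entry per line, as HijackThis writes the file (the copy posted above was run together by the forum extraction, so it would need its line breaks restored first). On the sample it reports three items: the bare SOUNDMAN.EXE autorun, the two nameservers from the O17 line, and the LightScribe service with no publisher. All three are things to verify, not to delete: a nameserver pair is only a problem if it is not the one the ISP assigned, which is why the check prints the addresses instead of judging them.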
jgarcia (posted September 10, 2007)

Hi marcelito,

Run Panda's Active Scan, following this procedure:

1) Some antivirus programs, such as AVAST, may show a detection alert while the scan is running, but that alert should be ignored. The warning is nothing more than a false positive. I suggest temporarily disabling the AV so that the scan runs without problems;
2) To start the process, click the button ;
3) Fill in the details requested on the form;
4) Click the "Pesquise agora sem custos" ("Scan now at no cost") button;
5) Follow all the instructions you are given and wait for the scan to finish;
6) When the scan is done, click to view the log. Save it to your Desktop;
7) Post the contents of the log in your next reply.

Regards.
marcelito (posted September 12, 2007)

DEAR GARCIA, I TOOK A WHILE TO REPLY BECAUSE MY MODEM DISAPPEARS OR GIVES AN ERROR. NOW IT SHOWED UP AND I MANAGED TO CONNECT. HERE IS THE ACTIVE SCAN REPORT:

Incidência | Estado | Localização
Adware:adware/oemji | Não desinfectado | Registo do Windows
Ferramenta potencialmente indesejada:application/mywebsearch | Não desinfectado | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Dialer:dialer.py | Não desinfectado | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}
Ferramenta potencialmente indesejada:application/funweb | Não desinfectado | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Spyware:Cookie/Atlas DMT | Não desinfectado | C:\Documents and Settings\Marcelo\Cookies\marcelo@atdmt[2].txt
Spyware:Cookie/Com.com | Não desinfectado | C:\Documents and Settings\Marcelo\Cookies\marcelo@ig.com[1].txt
Spyware:Cookie/Overture | Não desinfectado | C:\Documents and Settings\Marcelo\Cookies\marcelo@overture[1].txt
Spyware:Cookie/Com.com | Não desinfectado | C:\Documents and Settings\Marcelo\Cookies\marcelo@uol.com[1].txt
Ferramenta potencialmente indesejada:Application/NirCmd.A | Não desinfectado | C:\Documents and Settings\Marcelo\Desktop\pacote\ComboFix.exe[nircmd.exe]
Ferramenta potencialmente indesejada:Application/Processor | Não desinfectado | C:\Documents and Settings\Marcelo\Desktop\pacote\SmitfraudFix\Process.exe
Ferramenta potencialmente indesejada:Application/SuperFast | Não desinfectado | C:\Documents and Settings\Marcelo\Desktop\pacote\SmitfraudFix\restart.exe
Virus:Trj/Reboot.J | Desinfectado | C:\Documents and Settings\Marcelo\Desktop\pacote\SmitfraudFix.exe
Ferramenta potencialmente indesejada:Application/NirCmd.A | Não desinfectado | C:\WINDOWS\nircmd.exe
Ferramenta potencialmente indesejada:Application/Processor | Não desinfectado | C:\WINDOWS\system32\Process.exe

I AWAIT YOUR REPLY. IF I TAKE A WHILE TO ANSWER, IT IS BECAUSE THE MODEM HAS DISAPPEARED AGAIN. REGARDS, MARCELO
jgarcia (posted September 14, 2007)

Hi marcelito,

Here we go.

Step 1

Go to Start -> Run -> type regedit -> click OK. Navigate to the following subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

Locate and delete the following folders:

{00A6FAF1-072E-44cf-8957-5838F569A31D}
{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}
{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}

Exit the Registry Editor.

Step 2

Run CCleaner and click Run Cleaner.

Run the Active Scan again and check whether it still detects anything.

Awaiting your reply. Regards.
marcelito (posted September 14, 2007)

Dear Garcia, the Active Scan still reports the following:

Incidência | Estado | Localização
Adware:adware/oemji | Não desinfectado | Registo do Windows
Ferramenta potencialmente indesejada:application/mywebsearch | Não desinfectado | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
Ferramenta potencialmente indesejada:Application/NirCmd.A | Não desinfectado | C:\Documents and Settings\Marcelo\Desktop\pacote\ComboFix.exe[nircmd.exe]
Ferramenta potencialmente indesejada:Application/Processor | Não desinfectado | C:\Documents and Settings\Marcelo\Desktop\pacote\SmitfraudFix\Process.exe
Ferramenta potencialmente indesejada:Application/SuperFast | Não desinfectado | C:\Documents and Settings\Marcelo\Desktop\pacote\SmitfraudFix\restart.exe
Ferramenta potencialmente indesejada:Application/NirCmd.A | Não desinfectado | C:\WINDOWS\nircmd.exe
Ferramenta potencialmente indesejada:Application/Processor | Não desinfectado | C:\WINDOWS\system32\Process.exe

I still can't rename any file; when I try to rename one, it becomes unusable. Thanks, awaiting your reply.