
Archived

This topic has been archived and is closed to new replies.

Altairts

[Archived] Analysis of hijackthis.log


Good afternoon, colleagues! My Windows 2000 server was infected. I scanned it and the files were cleaned, but when I restart the server it gets infected again. I also scanned in Safe Mode, but that did not solve it. I am using the Kaspersky Anti-Virus for File Server trial. The log file follows for the experts to analyse. Thanks in advance for your attention and help.

Regards,

Altair Teixeira

 

---------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:24:03, on 18/8/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe

C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

C:\WINNT\system32\Dfssvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\llssrv.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

C:\MICROS~1\MSSQL\binn\sqlservr.exe

C:\WINNT\system32\ntfrs.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe

C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

D:\ap7\bin\server\ap7srvwin.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe

C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\locator.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

C:\WINNT\system32\svchost.exe

C:\MICROS~1\MSSQL\binn\sqlagent.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Cyberprinter\InjServiceP.exe

C:\WINNT\System32\lserver.exe

C:\Program Files\TOPConnect 4.0\topconnect.exe

C:\Program Files\Cyberprinter\InjectService.exe

C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\System32\dns.exe

C:\WINNT\system32\inetsrv\inetinfo.exe

C:\WINNT\System32\ismserv.exe

C:\Program Files\Cyberprinter\Cyberp.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe

C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\odsvc.exe

C:\WINNT\system32\inf\svchosd.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\mdm.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

D:\User\Eng\Programas\HiJackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,,c:\documents and settings\administrator\windows\strsvc.exe,

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ENVIRONMENT] C:\Wi8\wi8server.exe

O4 - HKLM\..\Run: [Cyberp] "C:\Program Files\Cyberprinter\Cyberp.exe"

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKLM\..\Policies\Explorer\Run: [minitnyus] C:\WINNT\system32\inf\svchosd.exe C:\WINNT\wftadfi16_080818a.dll tanlt88

O4 - HKCU\..\Policies\Explorer\Run: [mscheck] rundll32.exe "C:\WINNT\system32\wicheck080812.dll" myjkl

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\Run: [internat.exe] internat.exe (User 'NetShowServices')

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\RunOnce: [^SetupICWDesktop] "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" /desktop (User 'NetShowServices')

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} (Tap7remotex Control) - file://D:\ap7\http\ap7rmtx.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS1\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS2\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

O23 - Service: CA BrightStor Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

O23 - Service: CA BrightStor Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

O23 - Service: CA BrightStor Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

O23 - Service: CA BrightStor Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

O23 - Service: CA BrightStor Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

O23 - Service: CA BrightStor Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

O23 - Service: CA BrightStor Universal Agent (CASUniversalAgent) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe

O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

O23 - Service: iTechnology iGateway 2.1 (iGateway) - Computer Associates - C:\Program Files\CA\iGateway\igateway.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

O23 - Service: Advanced Protheus 7 (Protheus7service) - TOTVS S/A - D:\ap7\bin\server\ap7srvwin.exe

O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

O23 - Service: serpol print service (srpServiceP) - Unknown owner - C:\Program Files\Cyberprinter\InjServiceP.exe

O23 - Service: TOPConnect 4.0 Server (top4) - Unknown owner - C:\Program Files\TOPConnect 4.0\topconnect.exe

O23 - Service: TSERVICECP (TService) - Unknown owner - C:\Program Files\Cyberprinter\InjectService.exe

O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

O23 - Service: Block Level Backup Engines (wbengins) - Unknown owner - C:\WINNT\System32\odsvc.exe

 

--

End of file - 9983 bytes


Hi Altairts,

Download ComboFix at:

ComboFix

1) Temporarily disable your anti-virus;
2) Double-click combofix.exe and press "1" to proceed. The process takes about 10 minutes on average;
3) ComboFix will restart the PC automatically so that the removal process can finish (only if there is an infection);
4) When the scan is finished, a log will be generated at C:\ComboFix.txt;
5) Do not click on the ComboFix window or close it with the X while the tool is running, as this will break your desktop configuration (it will turn completely white);
6) To stop or exit ComboFix, press "N";
7) Re-enable your anti-virus;
8) I need you to paste the contents of ComboFix.txt in your next reply, together with a HijackThis log.

Regards.


Good morning JGarcia! Sorry for the delay in replying; unfortunately I lost my father this week and was away for a few days. Here is what you requested. Thanks for your attention and help.

Regards,

Altair Teixeira

 

ComboFix 08-08-21.02 - Administrator 23/08/2008 8:53:29.1 - NTFSx86

Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.1157 [GMT -3:00]

Running from: D:\app\Lixo\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\bot.txt

C:\WINNT\checkcj.ini

C:\WINNT\system32\116.exe

C:\WINNT\system32\Cache

C:\WINNT\system32\dns.exe

C:\WINNT\system32\inf\svchosd.exe

C:\WINNT\system32\mdm.exe

C:\WINNT\system32\mywfhit.ini

C:\WINNT\system32\mywfhit.ini.tmp

C:\WINNT\system32\tmpacj0.exe

C:\WINNT\system32\wicheck080812.exe

C:\WINNT\system32\wins.exe

C:\WINNT\tawisys.ini

C:\WINNT\Web\default.htt

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_MICROSOFT

-------\Service_Microsoft

-------\Legacy_DNS

-------\Legacy_WINS

-------\Service_DNS

-------\Service_WINS

 

 

((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))

.

 

2008-08-23 09:00 . 08-08-23 09:00 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5bc.dat

2008-08-22 15:27 . 08-08-22 15:44 <DIR> d-------- C:\SCAN

2008-08-22 11:45 . 08-08-22 15:53 2,852 --a------ C:\Documents and Settings\Administrator\Application Data\BrightStorMgr.dat

2008-08-22 11:44 . 08-08-22 11:44 <DIR> d-------- C:\ClntApps

2008-08-22 07:50 . 08-08-22 07:50 464,988 ---h----- C:\WINNT\ShellIconCache

2008-08-20 15:36 . 08-08-20 15:36 <DIR> d-------- C:\Documents and Settings\rede

2008-08-19 00:14 . 04-11-02 19:48 236,816 --a------ C:\WINNT\system32\tmpacj5.exe

2008-08-19 00:14 . 08-08-19 00:14 109 --a------ C:\jkDe.bat

2008-08-18 23:34 . 08-08-23 08:53 <DIR> d-------- C:\WINNT\system32\inf

2008-08-18 23:32 . 08-08-19 13:23 <DIR> d-------- C:\WINNT\system32\ZeHin

2008-08-18 17:14 . 08-08-18 17:14 80 --a------ C:\WINNT\system32\23027.bat

2008-08-18 14:16 . 08-08-19 11:45 21,916 --a------ C:\WINNT\system32\info.dat

2008-08-18 12:45 . 08-08-18 12:44 432,128 -r-hs---- C:\WINNT\system32\odsvc.exe

2008-08-18 08:30 . 04-11-02 19:48 236,816 --a------ C:\WINNT\system32\tmpcjjkdf0.exe

2008-08-18 08:13 . 08-08-23 09:01 13,288 --a------ C:\WINNT\system32\rfclyp.key

2008-08-18 08:13 . 87-08-18 11:47 4,098 --a------ C:\WINNT\system32\zyvxxt.key

2008-08-18 02:53 . 08-08-18 23:34 <DIR> d-------- C:\WINNT\system32\State

2008-08-18 02:53 . 08-08-18 02:53 23,552 ---hs---- C:\WINNT\system32\foxmax.exe

2008-08-18 02:53 . 08-08-18 02:53 1 --a------ C:\WINNT\system32\0049b7d.ini

2008-08-18 01:09 . 08-08-18 01:09 1 --a------ C:\WINNT\system32\0004fd88.ini

2008-08-16 13:40 . 08-08-16 13:40 27 --a------ C:\WINNT\;

2008-08-15 16:12 . 08-08-15 16:12 <DIR> d-------- C:\Program Files\Kaspersky Lab

2008-08-15 16:12 . 08-08-22 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-08-15 16:12 . 08-08-23 09:02 15,210,528 --ahs---- C:\WINNT\system32\drivers\fidbox.dat

2008-08-15 16:12 . 08-08-23 08:57 222,464 --ahs---- C:\WINNT\system32\drivers\fidbox.idx

2008-08-15 16:12 . 08-08-23 09:01 40,480 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat

2008-08-15 16:12 . 08-08-23 08:57 5,840 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx

2008-08-15 16:08 . 08-08-15 16:08 <DIR> d-------- C:\kav

2008-08-15 15:35 . 08-08-15 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

2008-08-15 10:31 . 08-08-15 10:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol

2008-08-15 10:30 . 08-08-15 10:30 <DIR> d-------- C:\Program Files\BillP Studios

2008-08-15 09:53 . 08-08-15 12:14 539,136 --a------ C:\WINNT\system32\netsvc.dll

2008-08-14 13:14 . 08-08-15 14:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-08-14 13:14 . 08-08-15 14:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-08-14 11:07 . 08-08-14 11:07 1 --a------ C:\WINNT\system32\0005158d.ini

2008-08-13 11:22 . 06-12-05 17:17 240 --a------ C:\WINNT\myClean.bat

2008-08-12 15:18 . 08-08-12 15:18 <DIR> d-------- C:\Program Files\Marcos Velasco Security

2008-08-12 15:08 . 08-08-12 15:08 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_61c.dat

2008-08-11 12:36 . 08-08-11 12:36 23,040 ---hs---- C:\WINNT\system32\ieplore.exe

2008-08-11 07:57 . 08-08-23 08:50 47,719 --a------ C:\WINNT\system32\rqennb.key

2008-08-10 13:43 . 08-08-10 13:43 1 --a------ C:\WINNT\system32\0005791c.ini

2008-08-09 21:04 . 08-08-09 21:04 1,724,416 --a------ C:\WINNT\system32\gdiplus.dll

2008-08-09 20:40 . 08-08-15 17:43 <DIR> d-------- C:\WINNT\system32\FileMaps

2008-08-09 20:40 . 08-08-18 23:34 34,304 --a------ C:\WINNT\system32\ntsvc.ocx

2008-08-09 20:40 . 08-08-09 20:40 1 --a------ C:\WINNT\system32\00051fd7.ini

2008-08-09 20:39 . 03-06-19 12:05 413,696 --a------ C:\WINNT\system32\dnary.mdb

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-22 14:48 --------- d---a-w C:\Program Files\CA

2008-08-13 17:08 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-10 10:00 251,152 ----a-w C:\WINNT\system32\es.dll

2008-07-09 11:08 6,660 -c--a-w C:\Program Files\TOPConnect 4.DMP

2008-06-25 18:35 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL

2008-06-25 18:35 601,088 ----a-w C:\WINNT\system32\INETCOMM.DLL

2008-06-25 18:35 47,616 ----a-w C:\WINNT\system32\INETRES.DLL

2008-06-25 18:35 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL

2008-06-25 18:34 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL

2008-06-25 12:51 69,904 ----a-w C:\WINNT\system32\mscms.dll

2008-06-25 09:44 33,552 ----a-w C:\WINNT\system32\dnsperf.dll

2008-06-25 09:41 64,784 ----a-w C:\WINNT\system32\mswsock.dll

2008-06-25 09:41 105,744 ----a-w C:\WINNT\system32\msafd.dll

2008-06-20 12:53 575,488 ----a-w C:\WINNT\system32\WININET.DLL

2005-03-08 13:44 271 ---ha-w C:\Program Files\desktop.ini

2005-03-08 13:44 21,952 -c-ha-w C:\Program Files\folder.htt

2004-08-17 12:43 112 ----a-w C:\Documents and Settings\Administrator.TECNOTRON\logon.bat

2003-10-01 18:17 191 ----a-w C:\Documents and Settings\Administrator.TECNOTRON\bkp_siga.bat

2000-07-26 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys

1987-08-19 03:14 47,616 --sh--w C:\WINNT\system32\dYGykhoGtvU.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [00-07-26 09:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ENVIRONMENT"="C:\Wi8\wi8server.exe" [08-02-13 08:31 4153344]

"ATIModeChange"="Ati2mdxx.exe" [01-09-04 17:24 28672 C:\WINNT\system32\Ati2mdxx.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [00-07-26 09:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

"FlashPlayerUpdate"="C:\WINNT\system32\Macromed\Flash\FlashUtil9e.exe" [07-11-20 21:04 218496]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-03-08 13:51:44 74308]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ShowSuperHidden"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= mmdrv.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

R0 afamgt;afamgt;C:\WINNT\system32\drivers\afamgt.sys [04-03-30 18:23 ]

R0 dcdbas;Systems management base driver;C:\WINNT\system32\DRIVERS\dcdbas32.sys [05-03-09 13:59 ]

R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys [03-06-19 12:05 ]

R0 mraid2k;mraid2k;C:\WINNT\system32\drivers\mraid2k.sys [03-12-11 18:43 ]

R0 vxio;Array Manager Device Driver;C:\WINNT\system32\drivers\vxio.sys [04-07-27 17:06 ]

R1 sw2dds;sw2dds;C:\WINNT\system32\DRIVERS\sw2dds.sys [03-07-10 15:23 ]

R2 Alert Notification Server;Alert Notification Server;C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE [03-11-04 09:34 ]

R2 bmlbbs;bmlbbs;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

R2 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [03-10-12 17:20 ]

R2 CASDBEngine;CA BrightStor Database Engine;C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe [03-12-12 19:24 ]

R2 CASDiscoverySvc;CA BrightStor Discovery Service;C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe [03-12-12 19:21 ]

R2 CASJobEngine;CA BrightStor Job Engine;C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe [03-12-12 19:24 ]

R2 CASMsgEngine;CA BrightStor Message Engine;C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe [03-12-12 19:24 ]

R2 CASSvcControlSvr;CA BrightStor Service Controller;C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe [03-12-12 19:24 ]

R2 CASTapeEngine;CA BrightStor Tape Engine;C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe [03-12-12 19:31 ]

R2 CASUnivDomainSvr;CA BrightStor Domain Server;C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe [03-12-12 19:24 ]

R2 CASUniversalAgent;CA BrightStor Universal Agent;C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe [03-12-12 19:28 ]

R2 CATIRPC;CA Remote Procedure Call Server;C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe [03-12-12 19:25 ]

R2 DbaRpcService;CA BrightStor Backup Agent RPC Server;C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe [03-12-12 19:32 ]

R2 DHCPServer;DHCP Server;C:\WINNT\System32\tcpsvcs.exe [00-07-26 09:00 ]

R2 Event;Event;C:\WINNT\System32\svchost.exe [00-07-26 09:00 ]

R2 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe [03-06-19 12:05 ]

R2 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe [04-12-19 19:30 ]

R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [02-09-20 12:29 ]

R2 nsmonitor;Windows Media Monitor Service;C:\WINNT\system32\WINDOW~1\Server\nspmon.exe [05-03-01 07:32 ]

R2 nsprogram;Windows Media Program Service;C:\WINNT\system32\WINDOW~1\Server\nspm.exe [99-11-09 20:46 ]

R2 nsstation;Windows Media Station Service;C:\WINNT\system32\WINDOW~1\Server\nscm.exe [04-05-03 07:24 ]

R2 nsunicast;Windows Media Unicast Service;C:\WINNT\system32\WINDOW~1\Server\nsum.exe [02-10-23 12:02 ]

R2 NtFrs;File Replication Service;C:\WINNT\system32\ntfrs.exe [03-06-19 12:05 ]

R2 Proteq;Proteq;C:\WINNT\system32\drivers\Proteq.sys [97-11-05 17:24 ]

R2 Protheus7service;Advanced Protheus 7;D:\ap7\bin\server\ap7srvwin.exe [07-05-25 16:55 ]

R2 RemoteDbagent;CA BrightStor Backup Agent Remote Service;C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe [03-12-12 19:40 ]

R2 TermServLicensing;Terminal Services Licensing;C:\WINNT\System32\lserver.exe [03-06-19 12:05 ]

R2 top4;TOPConnect 4.0 Server;C:\Program Files\TOPConnect 4.0\topconnect.exe [07-05-16 16:29 ]

R2 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe [05-04-08 08:51 ]

R2 wbengins;Block Level Backup Engines;C:\WINNT\System32\odsvc.exe [08-08-18 12:44 ]

R2 Wingms;Windows Gateway Manager System;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

R3 dcdipm;Systems management IPMI driver;C:\WINNT\system32\DRIVERS\dcdipm32.sys [05-03-09 13:59 ]

R3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys [02-08-14 16:00 ]

R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]

S0 vxboot;vxboot;C:\WINNT\system32\drivers\vxboot.sys [04-07-27 17:06 ]

S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [03-09-12 17:04 ]

S3 NSLService;On-line Presentation Broadcast;C:\WINNT\system32\Windows Media\NSLite\nslservice.exe [99-11-09 20:43 ]

S3 PORTACCESSOR;PORTACCESSOR;C:\PROGRA~1\Dell\OPENMA~1\oldiags\packages\PORTACCESSOR.sys [05-03-09 14:02 ]

S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys [03-06-19 12:05 ]

S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys [03-06-19 12:05 ]

S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys [03-06-19 12:05 ]

S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys [03-06-19 12:05 ]

S4 Pro;Support Provider;C:\WINNT\system32\ieplore.exe [08-08-11 12:36 ]

S4 TOPConnect;TOPConnect 2.0;C:\Program Files\TOPConnect 2.0\topsr32.exe [04-03-09 22:57 ]

Start Pending2 jnfijt;jnfijt;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

Start Pending2 servics;Network Access;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

tapisrv REG_MULTI_SZ Tapisrv

jnfijt REG_MULTI_SZ jnfijt

Microsoft REG_MULTI_SZ Microsoft

bmlbbs REG_MULTI_SZ bmlbbs

Wingms REG_MULTI_SZ Wingms

servics REG_MULTI_SZ servics

Event REG_MULTI_SZ Event

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

netsvc

 

*Newly Created Service* - IPNAT

*Newly Created Service* - SHAREDACCESS

.

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.uol.com.br/

O8 -: E&xportar para o Microsoft Excel

O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

O17 -: HKLM\CCS\Interface\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

 

O16 -: DirectAnimation Java Classes - file://C:\WINNT\Java\classes\dajava.cab

C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

 

O16 -: Microsoft XML Parser for Java - C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

 

O16 -: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} - file://D:\ap7\http\ap7rmtx.cab

C:\WINNT\Downloaded Program Files\ap7rmtx.inf

C:\WINNT\system32\apexcel80.xla

C:\WINNT\system32\apapi.dll

C:\WINNT\system32\ApWord.dll

C:\WINNT\system32\ApProject.dll

C:\WINNT\system32\ApExcel.dll

C:\WINNT\system32\apconn.dll

C:\WINNT\system32\SenhaP.dll

C:\WINNT\system32\splogin.dll

C:\WINNT\Downloaded Program Files\ap7rmtx.ocx

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-23 09:02:11

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINNT\system32\winlogon.exe

-> c:\winnt\system32\rfclyp.dll

 

PROCESS: C:\WINNT\explorer.exe

-> c:\winnt\system32\rfclyp.dll

.

Completion time: 2008-08-23 9:03:26 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-23 12:03:15

 

Pre-Run: 532,762,624 bytes free

Post-Run: 835,178,496 bytes free

 

570 --- E O F --- 2008-08-14 12:09:47

 

********************************************************************************

*******************

HIJACKTHIS LOG

********************************************************************************

*******************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:06, on 2008-08-23

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE

C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe

C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe

C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

C:\WINNT\system32\Dfssvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\llssrv.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

C:\MICROS~1\MSSQL\binn\sqlservr.exe

C:\WINNT\system32\ntfrs.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe

C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

D:\ap7\bin\server\ap7srvwin.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\locator.exe

C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

C:\WINNT\system32\svchost.exe

C:\MICROS~1\MSSQL\binn\sqlagent.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\lserver.exe

C:\Program Files\TOPConnect 4.0\topconnect.exe

C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

C:\WINNT\System32\odsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\system32\inetsrv\inetinfo.exe

C:\WINNT\System32\ismserv.exe

C:\Wi8\wi8server.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe

C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe

C:\WINNT\explorer.exe

D:\User\Eng\Programas\HiJackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ENVIRONMENT] C:\Wi8\wi8server.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\Run: [internat.exe] internat.exe (User 'NetShowServices')

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\RunOnce: [^SetupICWDesktop] "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" /desktop (User 'NetShowServices')

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} (Tap7remotex Control) - file://D:\ap7\http\ap7rmtx.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS1\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS2\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

O23 - Service: CA BrightStor Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

O23 - Service: CA BrightStor Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

O23 - Service: CA BrightStor Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

O23 - Service: CA BrightStor Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

O23 - Service: CA BrightStor Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

O23 - Service: CA BrightStor Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

O23 - Service: CA BrightStor Universal Agent (CASUniversalAgent) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe

O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

O23 - Service: iTechnology iGateway 2.1 (iGateway) - Computer Associates - C:\Program Files\CA\iGateway\igateway.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

O23 - Service: Advanced Protheus 7 (Protheus7service) - TOTVS S/A - D:\ap7\bin\server\ap7srvwin.exe

O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

O23 - Service: TOPConnect 4.0 Server (top4) - Unknown owner - C:\Program Files\TOPConnect 4.0\topconnect.exe

O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

O23 - Service: Block Level Backup Engines (wbengins) - Unknown owner - C:\WINNT\System32\odsvc.exe

 

--

End of file - 9073 bytes

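An added triage example (not part of this thread, and not ComboFix's or HijackThis's own code): a Python script that reads the ComboFix sections quoted above, the service list (`R2 …` / `Start Pending2 …` lines), the `Svchost` group key, the `Files Created` list and the `DLLs Loaded Under Running Processes` block, and flags what a responder would chase first. The security-relevant point it encodes: a service whose ImagePath is svchost.exe only runs if some group under the Svchost key lists it, and the code it actually executes is the DLL named by that service's `Parameters\ServiceDll` value, so a group name that does not exist on a clean install is the persistence mechanism, not just noise. The sample input is a handful of lines copied from the log above. The allow-list of svchost groups for a stock Windows 2000 SP4 install and the "modified before 1995" timestomp threshold are assumptions, marked as such in the code.

```python
import re

# Assumption: svchost service groups present on a stock Windows 2000 SP4 install;
# any other group name under the Svchost key is treated as suspect.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "rpcss", "tapisrv", "wugroup"}
# Assumption (heuristic): no file on a Windows 2000 box should carry a
# last-modified year this old; such stamps are usually forged.
OLDEST_PLAUSIBLE_MTIME_YEAR = 1995

SERVICE_RE = re.compile(r"^(?P<state>R|S|Start Pending)(?P<start>\d)\s+"
                        r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[(?P<stamp>[^\]]*)\]$")
GROUP_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$")
FILE_RE = re.compile(r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d)\s+\.\s+(?P<modified>\d\d-\d\d-\d\d \d\d:\d\d)\s+"
                     r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
PROCESS_RE = re.compile(r"^PROCESS:\s+(?P<proc>.+)$")
DLL_RE = re.compile(r"^->\s+(?P<dll>.+)$")

# Constructed sample: lines copied from the ComboFix log quoted in the thread.
SAMPLE = r"""
R2 bmlbbs;bmlbbs;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]
R2 DHCPServer;DHCP Server;C:\WINNT\System32\tcpsvcs.exe [00-07-26 09:00 ]
R2 Event;Event;C:\WINNT\System32\svchost.exe [00-07-26 09:00 ]
R2 wbengins;Block Level Backup Engines;C:\WINNT\System32\odsvc.exe [08-08-18 12:44 ]
R2 Wingms;Windows Gateway Manager System;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]
Start Pending2 jnfijt;jnfijt;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]
Start Pending2 servics;Network Access;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]
tapisrv REG_MULTI_SZ Tapisrv
jnfijt REG_MULTI_SZ jnfijt
Microsoft REG_MULTI_SZ Microsoft
bmlbbs REG_MULTI_SZ bmlbbs
Wingms REG_MULTI_SZ Wingms
servics REG_MULTI_SZ servics
Event REG_MULTI_SZ Event
2008-08-18 12:45 . 08-08-18 12:44 432,128 -r-hs---- C:\WINNT\system32\odsvc.exe
2008-08-18 08:13 . 87-08-18 11:47 4,098 --a------ C:\WINNT\system32\zyvxxt.key
2008-08-18 02:53 . 08-08-18 02:53 23,552 ---hs---- C:\WINNT\system32\foxmax.exe
2008-08-15 16:12 . 08-08-25 09:16 15,344,928 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-08-15 16:12 . 08-08-15 16:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
PROCESS: C:\WINNT\system32\winlogon.exe
-> c:\winnt\system32\rfclyp.dll
"""


def _year(yy):
    """ComboFix prints two-digit years: 70-99 -> 19xx, 00-69 -> 20xx (assumption)."""
    return 1900 + yy if yy >= 70 else 2000 + yy


def parse(text):
    """Split ComboFix output into services, svchost groups, files and loaded DLLs."""
    services, groups, files, loaded, proc = [], {}, [], {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SERVICE_RE.match(line):
            services.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[m["group"]] = m["members"].split()
        elif m := FILE_RE.match(line):
            files.append(m.groupdict())
        elif m := PROCESS_RE.match(line):
            proc = m["proc"]
            loaded[proc] = []
        elif (m := DLL_RE.match(line)) and proc:
            loaded[proc].append(m["dll"])
    return services, groups, files, loaded


def triage(text):
    """Return the findings a responder would chase first, keyed by category."""
    services, groups, files, loaded = parse(text)
    # A service whose ImagePath is svchost.exe only runs if some group under the
    # Svchost key lists it; the DLL it really loads is its Parameters\ServiceDll.
    member_to_group = {m.lower(): g for g, mems in groups.items() for m in mems}
    rogue, pending = [], []
    for s in services:
        if s["state"] == "Start Pending":
            pending.append(s["name"])
        if s["image"].lower().endswith("\\svchost.exe"):
            grp = member_to_group.get(s["name"].lower())
            if grp is None or grp.lower() not in KNOWN_SVCHOST_GROUPS:
                rogue.append(s["name"])
    # Hidden+system files under the system directory, and forged-looking mtimes.
    hidden = [f["path"] for f in files
              if "\\winnt\\system32\\" in f["path"].lower()
              and "h" in f["attrs"] and "s" in f["attrs"]]
    stomped = [f["path"] for f in files
               if _year(int(f["modified"][:2])) < OLDEST_PLAUSIBLE_MTIME_YEAR]
    hidden_lower = {p.lower() for p in hidden}
    return {
        "rogue_svchost_services": sorted(rogue, key=str.lower),
        "unknown_svchost_groups": sorted(
            (g for g in groups if g.lower() not in KNOWN_SVCHOST_GROUPS), key=str.lower),
        "pending_services": sorted(pending, key=str.lower),
        "hidden_system_files": hidden,
        "timestomp_candidates": stomped,
        "hidden_backed_services": [s["name"] for s in services
                                   if s["image"].lower() in hidden_lower],
        "dlls_loaded": loaded,
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE).items():
        print(f"{category}: {hits}")
```

On the sample it reports five services (bmlbbs, Event, jnfijt, servics, Wingms) hosted by svchost.exe but registered only under groups that do not exist on a clean install, the `wbengins` service whose binary odsvc.exe is a hidden+system file in system32, zyvxxt.key with a 1987 modification time, and rfclyp.dll sitting inside winlogon.exe. The hidden+system check is deliberately noisy: fidbox.dat is flagged too, but it was created in the same minute as the Kaspersky Lab directory and belongs to the scanner, so each hit is checked against the install timeline before anything is deleted.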

Hey Altairts,

 

Follow these instructions:

 

1. Open Notepad -> copy (Ctrl + C) and paste (Ctrl + V) all of the text inside the "Quote" box:

File::

C:\WINNT\system32\Macromed\Flash\FlashUtil9e.exe

C:\Program Files\TOPConnect 4.DMP

C:\Program Files\desktop.ini

C:\Program Files\folder.htt

C:\WINNT\system32\tmpacj5.exe

C:\WINNT\system32\odsvc.exe

C:\WINNT\system32\tmpcjjkdf0.exe

C:\WINNT\system32\foxmax.exe

C:\WINNT\system32\ieplore.exe

C:\WINNT\system32\rqennb.key

C:\WINNT\system32\rfclyp.key

C:\WINNT\system32\zyvxxt.key

C:\WINNT\system32\0049b7d.ini

C:\WINNT\system32\0004fd88.ini

C:\WINNT\system32\0005158d.ini

C:\WINNT\system32\0005791c.ini

C:\WINNT\system32\00051fd7.ini

C:\WINNT\system32\23027.bat

C:\WINNT\system32\info.dat

C:\WINNT\system32\rfclyp.dll

C:\WINNT\system32\dYGykhoGtvU.dll

C:\WINNT\system32\dnary.mdb

C:\WINNT\myClean.bat

C:\jkDe.bat

Folder::

C:\Documents and Settings\Administrator\Application Data\WinPatrol

C:\WINNT\system32\Macromed

C:\Program Files\BillP Studios

Registry::

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000000

WARNING: The script above was written specifically for the infection on this computer. Using it on another machine can cause serious problems for the user.

2. Save the file as CFScript.txt;

3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.

[image: 645i642.gif]

4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, together with a new HijackThis log.

Cheers.

 

PS: My sincere condolences. I hope you recover from this immense loss as soon as possible.


Good morning, and thank you for the sympathy. Here it is.

 

ComboFix 08-08-21.02 - Administrator 2008-08-25 9:14:31.4 - NTFSx86

Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.1835 [GMT -3:00]

Running from: D:\app\Lixo\ComboFix.exe

Command switches used :: D:\app\Lixo\CFScript.txt

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINNT\system32\Macromed :#:

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Administrator\Application Data\WinPatrol

C:\Documents and Settings\Administrator\Application Data\WinPatrol\Autoexec.bat

C:\Documents and Settings\Administrator\Application Data\WinPatrol\Config.sys

C:\Documents and Settings\Administrator\Application Data\WinPatrol\HOSTS

C:\Program Files\BillP Studios

C:\Program Files\BillP Studios\WinPatrol\history.txt

C:\WINNT\svchost.exe

 

.

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))

.

 

2008-08-25 08:35 . 08-08-25 08:35 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_a8c.dat

2008-08-25 08:33 . 08-08-25 08:33 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_97c.dat

2008-08-25 08:33 . 08-08-25 08:33 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_668.dat

2008-08-23 13:20 . 08-08-23 13:20 0 --a------ C:\WINNT\nsreg.dat

2008-08-23 13:02 . 08-08-23 13:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_894.dat

2008-08-23 13:01 . 08-08-23 13:01 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_618.dat

2008-08-23 12:51 . 08-08-23 12:52 <DIR> d-------- C:\WINNT\Arquivos de instalação do Windows Update

2008-08-23 12:39 . 08-08-23 12:39 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_b2c.dat

2008-08-23 11:43 . 08-08-23 11:43 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_60c.dat

2008-08-22 15:27 . 08-08-23 12:44 <DIR> d-------- C:\SCAN

2008-08-22 11:45 . 08-08-25 08:58 2,852 --a------ C:\Documents and Settings\Administrator\Application Data\BrightStorMgr.dat

2008-08-22 11:44 . 08-08-22 11:44 <DIR> d-------- C:\ClntApps

2008-08-22 07:50 . 08-08-25 08:28 833,188 ---h----- C:\WINNT\ShellIconCache

2008-08-20 15:36 . 08-08-20 15:36 <DIR> d-------- C:\Documents and Settings\rede

2008-08-19 00:14 . 04-11-02 19:48 236,816 --a------ C:\WINNT\system32\tmpacj5.exe

2008-08-19 00:14 . 08-08-19 00:14 109 --a------ C:\jkDe.bat

2008-08-18 23:34 . 08-08-23 08:53 <DIR> d-------- C:\WINNT\system32\inf

2008-08-18 23:32 . 08-08-19 13:23 <DIR> d-------- C:\WINNT\system32\ZeHin

2008-08-18 17:14 . 08-08-18 17:14 80 --a------ C:\WINNT\system32\23027.bat

2008-08-18 14:16 . 08-08-19 11:45 21,916 --a------ C:\WINNT\system32\info.dat

2008-08-18 12:45 . 08-08-18 12:44 432,128 -r-hs---- C:\WINNT\system32\odsvc.exe

2008-08-18 08:30 . 04-11-02 19:48 236,816 --a------ C:\WINNT\system32\tmpcjjkdf0.exe

2008-08-18 08:13 . 08-08-25 08:58 15,662 --a------ C:\WINNT\system32\rfclyp.key

2008-08-18 08:13 . 87-08-18 11:47 4,098 --a------ C:\WINNT\system32\zyvxxt.key

2008-08-18 02:53 . 08-08-18 23:34 <DIR> d-------- C:\WINNT\system32\State

2008-08-18 02:53 . 08-08-18 02:53 23,552 ---hs---- C:\WINNT\system32\foxmax.exe

2008-08-18 02:53 . 08-08-18 02:53 1 --a------ C:\WINNT\system32\0049b7d.ini

2008-08-18 01:09 . 08-08-18 01:09 1 --a------ C:\WINNT\system32\0004fd88.ini

2008-08-16 13:40 . 08-08-16 13:40 27 --a------ C:\WINNT\;

2008-08-15 16:12 . 08-08-15 16:12 <DIR> d-------- C:\Program Files\Kaspersky Lab

2008-08-15 16:12 . 08-08-25 08:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-08-15 16:12 . 08-08-25 09:16 15,344,928 --ahs---- C:\WINNT\system32\drivers\fidbox.dat

2008-08-15 16:12 . 08-08-25 08:29 223,664 --ahs---- C:\WINNT\system32\drivers\fidbox.idx

2008-08-15 16:12 . 08-08-25 09:16 50,976 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat

2008-08-15 16:12 . 08-08-25 08:29 6,680 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx

2008-08-15 16:08 . 08-08-15 16:08 <DIR> d-------- C:\kav

2008-08-15 15:35 . 08-08-15 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

2008-08-14 13:14 . 08-08-15 14:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-08-14 13:14 . 08-08-15 14:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-08-14 11:07 . 08-08-14 11:07 1 --a------ C:\WINNT\system32\0005158d.ini

2008-08-13 11:22 . 06-12-05 17:17 240 --a------ C:\WINNT\myClean.bat

2008-08-12 15:18 . 08-08-12 15:18 <DIR> d-------- C:\Program Files\Marcos Velasco Security

2008-08-12 15:08 . 08-08-12 15:08 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_61c.dat

2008-08-11 07:57 . 08-08-23 08:50 47,719 --a------ C:\WINNT\system32\rqennb.key

2008-08-10 13:43 . 08-08-10 13:43 1 --a------ C:\WINNT\system32\0005791c.ini

2008-08-09 21:04 . 08-08-09 21:04 1,724,416 --a------ C:\WINNT\system32\gdiplus.dll

2008-08-09 20:40 . 08-08-23 09:35 <DIR> d-------- C:\WINNT\system32\FileMaps

2008-08-09 20:40 . 08-08-18 23:34 34,304 --a------ C:\WINNT\system32\ntsvc.ocx

2008-08-09 20:40 . 08-08-09 20:40 1 --a------ C:\WINNT\system32\00051fd7.ini

2008-08-09 20:39 . 03-06-19 12:05 413,696 --a------ C:\WINNT\system32\dnary.mdb

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-22 14:48 --------- d---a-w C:\Program Files\CA

2008-08-13 17:08 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-10 10:00 251,152 ----a-w C:\WINNT\system32\es.dll

2008-07-09 11:08 6,660 -c--a-w C:\Program Files\TOPConnect 4.DMP

2008-06-25 18:35 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL

2008-06-25 18:35 601,088 ----a-w C:\WINNT\system32\INETCOMM.DLL

2008-06-25 18:35 47,616 ----a-w C:\WINNT\system32\INETRES.DLL

2008-06-25 18:35 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL

2008-06-25 18:34 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL

2008-06-25 12:51 69,904 ----a-w C:\WINNT\system32\mscms.dll

2008-06-25 09:44 33,552 ----a-w C:\WINNT\system32\dnsperf.dll

2008-06-25 09:41 64,784 ----a-w C:\WINNT\system32\mswsock.dll

2008-06-25 09:41 105,744 ----a-w C:\WINNT\system32\msafd.dll

2008-06-20 12:53 575,488 ----a-w C:\WINNT\system32\WININET.DLL

2005-03-08 13:44 271 ---ha-w C:\Program Files\desktop.ini

2005-03-08 13:44 21,952 -c-ha-w C:\Program Files\folder.htt

2004-08-17 12:43 112 ----a-w C:\Documents and Settings\Administrator.TECNOTRON\logon.bat

2003-10-01 18:17 191 ----a-w C:\Documents and Settings\Administrator.TECNOTRON\bkp_siga.bat

2000-07-26 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys

1987-08-19 03:14 47,616 --sh--w C:\WINNT\system32\dYGykhoGtvU.dll

.

 

((((((((((((((((((((((((((((( snapshot@sáb 2008-08-23_ 9.02.44.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-08-23 12:01:53 196,810 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin

+ 2008-08-25 11:35:23 196,815 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [00-07-26 09:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ENVIRONMENT"="C:\Wi8\wi8server.exe" [08-02-13 08:31 4153344]

"ATIModeChange"="Ati2mdxx.exe" [01-09-04 17:24 28672 C:\WINNT\system32\Ati2mdxx.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [00-07-26 09:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-03-08 13:51:44 74308]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ShowSuperHidden"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= mmdrv.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

 

R0 afamgt;afamgt;C:\WINNT\system32\drivers\afamgt.sys [04-03-30 18:23 ]

R0 dcdbas;Systems management base driver;C:\WINNT\system32\DRIVERS\dcdbas32.sys [05-03-09 13:59 ]

R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys [03-06-19 12:05 ]

R0 mraid2k;mraid2k;C:\WINNT\system32\drivers\mraid2k.sys [03-12-11 18:43 ]

R0 vxio;Array Manager Device Driver;C:\WINNT\system32\drivers\vxio.sys [04-07-27 17:06 ]

R1 sw2dds;sw2dds;C:\WINNT\system32\DRIVERS\sw2dds.sys [03-07-10 15:23 ]

R2 Alert Notification Server;Alert Notification Server;C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE [03-11-04 09:34 ]

R2 bmlbbs;bmlbbs;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

R2 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [03-10-12 17:20 ]

R2 CASDBEngine;CA BrightStor Database Engine;C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe [03-12-12 19:24 ]

R2 CASDiscoverySvc;CA BrightStor Discovery Service;C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe [03-12-12 19:21 ]

R2 CASJobEngine;CA BrightStor Job Engine;C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe [03-12-12 19:24 ]

R2 CASMsgEngine;CA BrightStor Message Engine;C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe [03-12-12 19:24 ]

R2 CASSvcControlSvr;CA BrightStor Service Controller;C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe [03-12-12 19:24 ]

R2 CASTapeEngine;CA BrightStor Tape Engine;C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe [03-12-12 19:31 ]

R2 CASUnivDomainSvr;CA BrightStor Domain Server;C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe [03-12-12 19:24 ]

R2 CASUniversalAgent;CA BrightStor Universal Agent;C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe [03-12-12 19:28 ]

R2 CATIRPC;CA Remote Procedure Call Server;C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe [03-12-12 19:25 ]

R2 DbaRpcService;CA BrightStor Backup Agent RPC Server;C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe [03-12-12 19:32 ]

R2 DHCPServer;DHCP Server;C:\WINNT\System32\tcpsvcs.exe [00-07-26 09:00 ]

R2 Event;Event;C:\WINNT\System32\svchost.exe [00-07-26 09:00 ]

R2 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe [03-06-19 12:05 ]

R2 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe [04-12-19 19:30 ]

R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [02-09-20 12:29 ]

R2 nsmonitor;Windows Media Monitor Service;C:\WINNT\system32\WINDOW~1\Server\nspmon.exe [05-03-01 07:32 ]

R2 nsprogram;Windows Media Program Service;C:\WINNT\system32\WINDOW~1\Server\nspm.exe [99-11-09 20:46 ]

R2 nsstation;Windows Media Station Service;C:\WINNT\system32\WINDOW~1\Server\nscm.exe [04-05-03 07:24 ]

R2 nsunicast;Windows Media Unicast Service;C:\WINNT\system32\WINDOW~1\Server\nsum.exe [02-10-23 12:02 ]

R2 NtFrs;File Replication Service;C:\WINNT\system32\ntfrs.exe [03-06-19 12:05 ]

R2 Proteq;Proteq;C:\WINNT\system32\drivers\Proteq.sys [97-11-05 17:24 ]

R2 Protheus7service;Advanced Protheus 7;D:\ap7\bin\server\ap7srvwin.exe [07-05-25 16:55 ]

R2 RemoteDbagent;CA BrightStor Backup Agent Remote Service;C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe [03-12-12 19:40 ]

R2 TermServLicensing;Terminal Services Licensing;C:\WINNT\System32\lserver.exe [03-06-19 12:05 ]

R2 top4;TOPConnect 4.0 Server;C:\Program Files\TOPConnect 4.0\topconnect.exe [07-05-16 16:29 ]

R2 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe [05-04-08 08:51 ]

R2 wbengins;Block Level Backup Engines;C:\WINNT\System32\odsvc.exe [08-08-18 12:44 ]

R2 Wingms;Windows Gateway Manager System;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

R3 dcdipm;Systems management IPMI driver;C:\WINNT\system32\DRIVERS\dcdipm32.sys [05-03-09 13:59 ]

R3 PORTACCESSOR;PORTACCESSOR;C:\PROGRA~1\Dell\OPENMA~1\oldiags\packages\PORTACCESSOR.sys [05-03-09 14:02 ]

R3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys [02-08-14 16:00 ]

R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]

S0 vxboot;vxboot;C:\WINNT\system32\drivers\vxboot.sys [04-07-27 17:06 ]

S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [03-09-12 17:04 ]

S3 NSLService;On-line Presentation Broadcast;C:\WINNT\system32\Windows Media\NSLite\nslservice.exe [99-11-09 20:43 ]

S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys [03-06-19 12:05 ]

S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys [03-06-19 12:05 ]

S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys [03-06-19 12:05 ]

S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys [03-06-19 12:05 ]

S4 TOPConnect;TOPConnect 2.0;C:\Program Files\TOPConnect 2.0\topsr32.exe [04-03-09 22:57 ]

Start Pending2 jnfijt;jnfijt;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

Start Pending2 servics;Network Access;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

tapisrv REG_MULTI_SZ Tapisrv

jnfijt REG_MULTI_SZ jnfijt

Microsoft REG_MULTI_SZ Microsoft

bmlbbs REG_MULTI_SZ bmlbbs

Wingms REG_MULTI_SZ Wingms

servics REG_MULTI_SZ servics

Event REG_MULTI_SZ Event

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

netsvc

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-25 09:16:32

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINNT\system32\winlogon.exe

-> c:\winnt\system32\rfclyp.dll

.

Completion time: 2008-08-25 9:17:14

ComboFix-quarantined-files.txt 2008-08-25 12:17:09

ComboFix2.txt 2008-08-23 15:13:04

ComboFix3.txt 2008-08-23 14:30:27

ComboFix4.txt 2008-08-23 12:03:27

 

Pre-Run: 731,205,632 bytes free

Post-Run: 724,328,448 bytes free

 

208 --- E O F --- 2008-08-14 12:09:47

 

 

*********************************************

HijackThis

*********************************************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:19, on 2008-08-25

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE

C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe

C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe

C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

C:\WINNT\system32\Dfssvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\llssrv.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

C:\MICROS~1\MSSQL\binn\sqlservr.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe

C:\WINNT\system32\ntfrs.exe

C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe

D:\ap7\bin\server\ap7srvwin.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\locator.exe

C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

C:\WINNT\system32\svchost.exe

C:\MICROS~1\MSSQL\binn\sqlagent.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\lserver.exe

C:\Program Files\TOPConnect 4.0\topconnect.exe

C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

C:\WINNT\System32\odsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\system32\inetsrv\inetinfo.exe

C:\WINNT\System32\ismserv.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe

C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe

C:\Wi8\wi8server.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\CA\BrightStor ARCserve Backup\BrightStorMgr.exe

C:\WINNT\explorer.exe

D:\User\Eng\Programas\HiJackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ENVIRONMENT] C:\Wi8\wi8server.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\Run: [internat.exe] internat.exe (User 'NetShowServices')

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\RunOnce: [^SetupICWDesktop] "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" /desktop (User 'NetShowServices')

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} (Tap7remotex Control) - file://D:\ap7\http\ap7rmtx.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS1\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS2\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 127.0.0.1

O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

O23 - Service: CA BrightStor Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

O23 - Service: CA BrightStor Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

O23 - Service: CA BrightStor Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

O23 - Service: CA BrightStor Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

O23 - Service: CA BrightStor Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

O23 - Service: CA BrightStor Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

O23 - Service: CA BrightStor Universal Agent (CASUniversalAgent) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe

O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

O23 - Service: iTechnology iGateway 2.1 (iGateway) - Computer Associates - C:\Program Files\CA\iGateway\igateway.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

O23 - Service: Advanced Protheus 7 (Protheus7service) - TOTVS S/A - D:\ap7\bin\server\ap7srvwin.exe

O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

O23 - Service: TOPConnect 4.0 Server (top4) - Unknown owner - C:\Program Files\TOPConnect 4.0\topconnect.exe

O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

O23 - Service: Block Level Backup Engines (wbengins) - Unknown owner - C:\WINNT\System32\odsvc.exe

 

--

End of file - 9224 bytes

Hey Altairts,

Follow these instructions:

1. Restart in Safe Mode.

2. Open Notepad -> Copy (Ctrl + C) and Paste (Ctrl + V) all of the text included in the "Quote":

File::

C:\WINNT\system32\Macromed\Flash\FlashUtil9e.exe

C:\Program Files\TOPConnect 4.DMP

C:\Program Files\desktop.ini

C:\Program Files\folder.htt

C:\WINNT\system32\tmpacj5.exe

C:\WINNT\system32\odsvc.exe

C:\WINNT\system32\tmpcjjkdf0.exe

C:\WINNT\system32\foxmax.exe

C:\WINNT\system32\ieplore.exe

C:\WINNT\system32\rqennb.key

C:\WINNT\system32\rfclyp.key

C:\WINNT\system32\zyvxxt.key

C:\WINNT\system32\0049b7d.ini

C:\WINNT\system32\0004fd88.ini

C:\WINNT\system32\0005158d.ini

C:\WINNT\system32\0005791c.ini

C:\WINNT\system32\00051fd7.ini

C:\WINNT\system32\23027.bat

C:\WINNT\system32\info.dat

C:\WINNT\system32\rfclyp.dll

C:\WINNT\system32\dYGykhoGtvU.dll

C:\WINNT\system32\dnary.mdb

C:\WINNT\myClean.bat

C:\jkDe.bat

WARNING: The script above was written specifically for the infection on this computer. Using it on another machine may cause serious problems for the user.

3. Save the file as CFScript.txt;

4. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.
(image: 645i642.gif)

5. When the process finishes the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, together with a new HijackThis log.

Regards.


Good afternoon! Here it is.

 

ComboFix 08-08-21.02 - Administrator 2008-08-25 13:37:21.5 - NTFSx86 MINIMAL

Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.3088 [GMT -3:00]

Running from: D:\app\Lixo\ComboFix.exe

Command switches used :: D:\app\Lixo\CFScript.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))

.

 

2008-08-25 13:37 . 08-08-25 13:37 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1b0.dat

2008-08-25 08:33 . 08-08-25 08:33 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_97c.dat

2008-08-25 08:33 . 08-08-25 08:33 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_668.dat

2008-08-23 13:20 . 08-08-23 13:20 0 --a------ C:\WINNT\nsreg.dat

2008-08-23 13:02 . 08-08-23 13:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_894.dat

2008-08-23 13:01 . 08-08-23 13:01 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_618.dat

2008-08-23 12:51 . 08-08-23 12:52 <DIR> d-------- C:\WINNT\Arquivos de instalação do Windows Update

2008-08-23 12:39 . 08-08-23 12:39 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_b2c.dat

2008-08-22 15:27 . 08-08-23 12:44 <DIR> d-------- C:\SCAN

2008-08-22 11:45 . 08-08-25 12:38 2,852 --a------ C:\Documents and Settings\Administrator\Application Data\BrightStorMgr.dat

2008-08-22 11:44 . 08-08-22 11:44 <DIR> d-------- C:\ClntApps

2008-08-22 07:50 . 08-08-25 08:28 833,188 ---h----- C:\WINNT\ShellIconCache

2008-08-20 15:36 . 08-08-20 15:36 <DIR> d-------- C:\Documents and Settings\rede

2008-08-19 00:14 . 04-11-02 19:48 236,816 --a------ C:\WINNT\system32\tmpacj5.exe

2008-08-19 00:14 . 08-08-19 00:14 109 --a------ C:\jkDe.bat

2008-08-18 23:34 . 08-08-23 08:53 <DIR> d-------- C:\WINNT\system32\inf

2008-08-18 23:32 . 08-08-19 13:23 <DIR> d-------- C:\WINNT\system32\ZeHin

2008-08-18 17:14 . 08-08-18 17:14 80 --a------ C:\WINNT\system32\23027.bat

2008-08-18 14:16 . 08-08-19 11:45 21,916 --a------ C:\WINNT\system32\info.dat

2008-08-18 12:45 . 08-08-18 12:44 432,128 -r-hs---- C:\WINNT\system32\odsvc.exe

2008-08-18 08:30 . 04-11-02 19:48 236,816 --a------ C:\WINNT\system32\tmpcjjkdf0.exe

2008-08-18 08:13 . 08-08-25 12:38 16,723 --a------ C:\WINNT\system32\rfclyp.key

2008-08-18 08:13 . 87-08-18 11:47 4,098 --a------ C:\WINNT\system32\zyvxxt.key

2008-08-18 02:53 . 08-08-18 23:34 <DIR> d-------- C:\WINNT\system32\State

2008-08-18 02:53 . 08-08-18 02:53 23,552 ---hs---- C:\WINNT\system32\foxmax.exe

2008-08-18 02:53 . 08-08-18 02:53 1 --a------ C:\WINNT\system32\0049b7d.ini

2008-08-18 01:09 . 08-08-18 01:09 1 --a------ C:\WINNT\system32\0004fd88.ini

2008-08-16 13:40 . 08-08-16 13:40 27 --a------ C:\WINNT\;

2008-08-15 16:12 . 08-08-15 16:12 <DIR> d-------- C:\Program Files\Kaspersky Lab

2008-08-15 16:12 . 08-08-25 08:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-08-15 16:12 . 08-08-25 13:29 15,398,688 --ahs---- C:\WINNT\system32\drivers\fidbox.dat

2008-08-15 16:12 . 08-08-25 13:29 225,056 --ahs---- C:\WINNT\system32\drivers\fidbox.idx

2008-08-15 16:12 . 08-08-25 13:29 56,096 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat

2008-08-15 16:12 . 08-08-25 13:29 8,420 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx

2008-08-15 16:08 . 08-08-15 16:08 <DIR> d-------- C:\kav

2008-08-15 15:35 . 08-08-15 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

2008-08-14 13:14 . 08-08-15 14:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-08-14 13:14 . 08-08-15 14:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-08-14 11:07 . 08-08-14 11:07 1 --a------ C:\WINNT\system32\0005158d.ini

2008-08-13 11:22 . 06-12-05 17:17 240 --a------ C:\WINNT\myClean.bat

2008-08-12 15:18 . 08-08-12 15:18 <DIR> d-------- C:\Program Files\Marcos Velasco Security

2008-08-12 15:08 . 08-08-12 15:08 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_61c.dat

2008-08-11 07:57 . 08-08-23 08:50 47,719 --a------ C:\WINNT\system32\rqennb.key

2008-08-10 13:43 . 08-08-10 13:43 1 --a------ C:\WINNT\system32\0005791c.ini

2008-08-09 21:04 . 08-08-09 21:04 1,724,416 --a------ C:\WINNT\system32\gdiplus.dll

2008-08-09 20:40 . 08-08-23 09:35 <DIR> d-------- C:\WINNT\system32\FileMaps

2008-08-09 20:40 . 08-08-18 23:34 34,304 --a------ C:\WINNT\system32\ntsvc.ocx

2008-08-09 20:40 . 08-08-09 20:40 1 --a------ C:\WINNT\system32\00051fd7.ini

2008-08-09 20:39 . 03-06-19 12:05 413,696 --a------ C:\WINNT\system32\dnary.mdb

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-22 14:48 --------- d---a-w C:\Program Files\CA

2008-08-13 17:08 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-10 10:00 251,152 ----a-w C:\WINNT\system32\es.dll

2008-07-09 11:08 6,660 -c--a-w C:\Program Files\TOPConnect 4.DMP

2008-06-25 18:35 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL

2008-06-25 18:35 601,088 ----a-w C:\WINNT\system32\INETCOMM.DLL

2008-06-25 18:35 47,616 ----a-w C:\WINNT\system32\INETRES.DLL

2008-06-25 18:35 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL

2008-06-25 18:34 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL

2008-06-25 12:51 69,904 ----a-w C:\WINNT\system32\mscms.dll

2008-06-25 09:44 33,552 ----a-w C:\WINNT\system32\dnsperf.dll

2008-06-25 09:41 64,784 ----a-w C:\WINNT\system32\mswsock.dll

2008-06-25 09:41 105,744 ----a-w C:\WINNT\system32\msafd.dll

2008-06-20 12:53 575,488 ----a-w C:\WINNT\system32\WININET.DLL

2005-03-08 13:44 271 ---ha-w C:\Program Files\desktop.ini

2005-03-08 13:44 21,952 -c-ha-w C:\Program Files\folder.htt

2004-08-17 12:43 112 ----a-w C:\Documents and Settings\Administrator.TECNOTRON\logon.bat

2003-10-01 18:17 191 ----a-w C:\Documents and Settings\Administrator.TECNOTRON\bkp_siga.bat

2000-07-26 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys

1987-08-19 03:14 47,616 --sh--w C:\WINNT\system32\dYGykhoGtvU.dll

.

 

((((((((((((((((((((((((((((( snapshot@sáb 2008-08-23_ 9.02.44.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-08-23 12:01:53 196,810 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin

+ 2008-08-25 14:09:33 196,833 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin

- 2008-08-12 17:52:59 81,116 ----a-w C:\WINNT\system32\perfc009.dat

+ 2008-08-25 13:40:45 81,116 ----a-w C:\WINNT\system32\perfc009.dat

- 2008-08-12 17:52:59 452,908 ----a-w C:\WINNT\system32\perfh009.dat

+ 2008-08-25 13:40:45 452,908 ----a-w C:\WINNT\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [00-07-26 09:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ENVIRONMENT"="C:\Wi8\wi8server.exe" [08-02-13 08:31 4153344]

"ATIModeChange"="Ati2mdxx.exe" [01-09-04 17:24 28672 C:\WINNT\system32\Ati2mdxx.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [00-07-26 09:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-03-08 13:51:44 74308]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ShowSuperHidden"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= mmdrv.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

 

R0 afamgt;afamgt;C:\WINNT\system32\drivers\afamgt.sys [04-03-30 18:23 ]

R0 dcdbas;Systems management base driver;C:\WINNT\system32\DRIVERS\dcdbas32.sys [05-03-09 13:59 ]

R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys [03-06-19 12:05 ]

R0 mraid2k;mraid2k;C:\WINNT\system32\drivers\mraid2k.sys [03-12-11 18:43 ]

R0 vxboot;vxboot;C:\WINNT\system32\drivers\vxboot.sys [04-07-27 17:06 ]

R0 vxio;Array Manager Device Driver;C:\WINNT\system32\drivers\vxio.sys [04-07-27 17:06 ]

R3 dcdipm;Systems management IPMI driver;C:\WINNT\system32\DRIVERS\dcdipm32.sys [05-03-09 13:59 ]

R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]

S1 sw2dds;sw2dds;C:\WINNT\system32\DRIVERS\sw2dds.sys [03-07-10 15:23 ]

S2 Alert Notification Server;Alert Notification Server;C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE [03-11-04 09:34 ]

S2 bmlbbs;bmlbbs;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

S2 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [03-10-12 17:20 ]

S2 CASDBEngine;CA BrightStor Database Engine;C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe [03-12-12 19:24 ]

S2 CASDiscoverySvc;CA BrightStor Discovery Service;C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe [03-12-12 19:21 ]

S2 CASJobEngine;CA BrightStor Job Engine;C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe [03-12-12 19:24 ]

S2 CASMsgEngine;CA BrightStor Message Engine;C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe [03-12-12 19:24 ]

S2 CASSvcControlSvr;CA BrightStor Service Controller;C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe [03-12-12 19:24 ]

S2 CASTapeEngine;CA BrightStor Tape Engine;C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe [03-12-12 19:31 ]

S2 CASUnivDomainSvr;CA BrightStor Domain Server;C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe [03-12-12 19:24 ]

S2 CASUniversalAgent;CA BrightStor Universal Agent;C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe [03-12-12 19:28 ]

S2 CATIRPC;CA Remote Procedure Call Server;C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe [03-12-12 19:25 ]

S2 DbaRpcService;CA BrightStor Backup Agent RPC Server;C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe [03-12-12 19:32 ]

S2 DHCPServer;DHCP Server;C:\WINNT\System32\tcpsvcs.exe [00-07-26 09:00 ]

S2 Event;Event;C:\WINNT\System32\svchost.exe [00-07-26 09:00 ]

S2 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe [03-06-19 12:05 ]

S2 jnfijt;jnfijt;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

S2 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe [04-12-19 19:30 ]

S2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [02-09-20 12:29 ]

S2 nsmonitor;Windows Media Monitor Service;C:\WINNT\system32\WINDOW~1\Server\nspmon.exe [05-03-01 07:32 ]

S2 nsprogram;Windows Media Program Service;C:\WINNT\system32\WINDOW~1\Server\nspm.exe [99-11-09 20:46 ]

S2 nsstation;Windows Media Station Service;C:\WINNT\system32\WINDOW~1\Server\nscm.exe [04-05-03 07:24 ]

S2 nsunicast;Windows Media Unicast Service;C:\WINNT\system32\WINDOW~1\Server\nsum.exe [02-10-23 12:02 ]

S2 NtFrs;File Replication Service;C:\WINNT\system32\ntfrs.exe [03-06-19 12:05 ]

S2 Proteq;Proteq;C:\WINNT\system32\drivers\Proteq.sys [97-11-05 17:24 ]

S2 Protheus7service;Advanced Protheus 7;D:\ap7\bin\server\ap7srvwin.exe [07-05-25 16:55 ]

S2 RemoteDbagent;CA BrightStor Backup Agent Remote Service;C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe [03-12-12 19:40 ]

S2 TermServLicensing;Terminal Services Licensing;C:\WINNT\System32\lserver.exe [03-06-19 12:05 ]

S2 top4;TOPConnect 4.0 Server;C:\Program Files\TOPConnect 4.0\topconnect.exe [07-05-16 16:29 ]

S2 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe [05-04-08 08:51 ]

S2 wbengins;Block Level Backup Engines;C:\WINNT\System32\odsvc.exe [08-08-18 12:44 ]

S2 Wingms;Windows Gateway Manager System;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [03-09-12 17:04 ]

S3 NSLService;On-line Presentation Broadcast;C:\WINNT\system32\Windows Media\NSLite\nslservice.exe [99-11-09 20:43 ]

S3 PORTACCESSOR;PORTACCESSOR;C:\PROGRA~1\Dell\OPENMA~1\oldiags\packages\PORTACCESSOR.sys [05-03-09 14:02 ]

S3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys [02-08-14 16:00 ]

S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys [03-06-19 12:05 ]

S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys [03-06-19 12:05 ]

S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys [03-06-19 12:05 ]

S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys [03-06-19 12:05 ]

S4 servics;Network Access;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

S4 TOPConnect;TOPConnect 2.0;C:\Program Files\TOPConnect 2.0\topsr32.exe [04-03-09 22:57 ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

tapisrv REG_MULTI_SZ Tapisrv

jnfijt REG_MULTI_SZ jnfijt

Microsoft REG_MULTI_SZ Microsoft

bmlbbs REG_MULTI_SZ bmlbbs

Wingms REG_MULTI_SZ Wingms

servics REG_MULTI_SZ servics

Event REG_MULTI_SZ Event

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

netsvc

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-25 13:38:16

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-08-25 13:38:37

ComboFix-quarantined-files.txt 2008-08-25 16:38:35

ComboFix2.txt 2008-08-25 12:17:15

ComboFix3.txt 2008-08-23 15:13:04

ComboFix4.txt 2008-08-23 14:30:27

ComboFix5.txt 2008-08-25 16:37:07

 

Pre-Run: 737,763,328 bytes free

Post-Run: 730,607,616 bytes free

 

195 --- E O F --- 2008-08-14 12:09:47

 

************************************************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:52, on 2008-08-25

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE

C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe

C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

C:\WINNT\system32\Dfssvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\llssrv.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

C:\MICROS~1\MSSQL\binn\sqlservr.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe

C:\WINNT\system32\ntfrs.exe

C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe

D:\ap7\bin\server\ap7srvwin.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\locator.exe

C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\lserver.exe

C:\Program Files\TOPConnect 4.0\topconnect.exe

C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

C:\WINNT\System32\odsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\system32\inetsrv\inetinfo.exe

C:\WINNT\System32\ismserv.exe

C:\WINNT\Explorer.EXE

C:\MICROS~1\MSSQL\binn\sqlagent.exe

C:\Wi8\wi8server.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe

C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe

D:\User\Eng\Programas\HiJackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ENVIRONMENT] C:\Wi8\wi8server.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\Run: [internat.exe] internat.exe (User 'NetShowServices')

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\RunOnce: [^SetupICWDesktop] "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" /desktop (User 'NetShowServices')

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} (Tap7remotex Control) - file://D:\ap7\http\ap7rmtx.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 200.240.0.10

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS1\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 200.240.0.10

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS2\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 200.240.0.10

O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

O23 - Service: CA BrightStor Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

O23 - Service: CA BrightStor Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

O23 - Service: CA BrightStor Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

O23 - Service: CA BrightStor Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

O23 - Service: CA BrightStor Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

O23 - Service: CA BrightStor Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

O23 - Service: CA BrightStor Universal Agent (CASUniversalAgent) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe

O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

O23 - Service: iTechnology iGateway 2.1 (iGateway) - Computer Associates - C:\Program Files\CA\iGateway\igateway.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

O23 - Service: Advanced Protheus 7 (Protheus7service) - TOTVS S/A - D:\ap7\bin\server\ap7srvwin.exe

O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

O23 - Service: TOPConnect 4.0 Server (top4) - Unknown owner - C:\Program Files\TOPConnect 4.0\topconnect.exe

O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

O23 - Service: Block Level Backup Engines (wbengins) - Unknown owner - C:\WINNT\System32\odsvc.exe

 

--

End of file - 9247 bytes


Hey Altairts,

Let's go.

Set Windows to show all files (including hidden ones).

Step 1

Download CCleaner at:

CCleaner

Download it, but don't run it yet.

Download Killbox at:

Killbox

1. Run Killbox and click Delete on Reboot.

2. Copy the bold list below to the clipboard. Select it all with the mouse --> go to the Edit menu in the browser bar --> click Copy.

 

C:\WINNT\system32\Macromed\Flash\FlashUtil9e.exe

C:\Program Files\TOPConnect 4.DMP

C:\Program Files\desktop.ini

C:\Program Files\folder.htt

C:\WINNT\system32\tmpacj5.exe

C:\WINNT\system32\odsvc.exe

C:\WINNT\system32\tmpcjjkdf0.exe

C:\WINNT\system32\foxmax.exe

C:\WINNT\system32\ieplore.exe

C:\WINNT\system32\rqennb.key

C:\WINNT\system32\rfclyp.key

C:\WINNT\system32\zyvxxt.key

C:\WINNT\system32\0049b7d.ini

C:\WINNT\system32\0004fd88.ini

C:\WINNT\system32\0005158d.ini

C:\WINNT\system32\0005791c.ini

C:\WINNT\system32\00051fd7.ini

C:\WINNT\system32\23027.bat

C:\WINNT\system32\info.dat

C:\WINNT\system32\rfclyp.dll

C:\WINNT\system32\dYGykhoGtvU.dll

C:\WINNT\system32\dnary.mdb

C:\WINNT\myClean.bat

C:\jkDe.bat

 

3. Go back to Killbox. Click File > Paste from clipboard. Click All Files.

4. Press "X". Answer "no" to the prompt.

It is wise to print this post or save it somewhere easy to reach, because in the next step we will go into Safe Mode and no internet connection will be available.

Step 2

Restart the computer in Safe Mode (while restarting, press the F8 key repeatedly until a black DOS-style screen appears, and choose the Safe Mode option).

Run HijackThis, click Do a system scan only and check:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} (Tap7remotex Control) - file://D:\ap7\http\ap7rmtx.cab

Click Fix Checked.

Step 3

Restart in Normal Mode.

Delete the contents of the C:\!Killbox folder.

Run CCleaner and click Analyze. When the analysis finishes, click Run Cleaner.

Come back with fresh ComboFix and HijackThis logs.

Cheers.


Good morning JGarcia! Here it is.

Note: the server is no longer able to access the internet.

Thank you.

 

 

ComboFix 08-08-21.02 - Administrator 2008-08-26 8:58:11.6 - NTFSx86

Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.2713 [GMT -3:00]

Running from: D:\app\Lixo\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))

.

 

2008-08-26 08:53 . 08-08-26 08:53 <DIR> d-------- C:\Program Files\CCleaner

2008-08-26 08:52 . 08-08-26 08:52 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_9a0.dat

2008-08-26 08:50 . 08-08-26 08:50 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_a8c.dat

2008-08-26 08:49 . 08-08-26 08:49 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_628.dat

2008-08-26 08:49 . 08-08-26 08:49 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5d4.dat

2008-08-25 15:26 . 08-08-26 08:52 <DIR> d-------- C:\!KillBox

2008-08-25 13:46 . 08-08-25 13:46 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_aec.dat

2008-08-25 13:46 . 08-08-25 13:46 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_664.dat

2008-08-25 08:33 . 08-08-25 08:33 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_97c.dat

2008-08-25 08:33 . 08-08-25 08:33 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_668.dat

2008-08-23 13:20 . 08-08-23 13:20 0 --a------ C:\WINNT\nsreg.dat

2008-08-23 13:02 . 08-08-23 13:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_894.dat

2008-08-23 13:01 . 08-08-23 13:01 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_618.dat

2008-08-23 12:51 . 08-08-23 12:52 <DIR> d-------- C:\WINNT\Arquivos de instalação do Windows Update

2008-08-23 12:39 . 08-08-23 12:39 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_b2c.dat

2008-08-22 15:27 . 08-08-23 12:44 <DIR> d-------- C:\SCAN

2008-08-22 11:45 . 08-08-25 16:12 2,852 --a------ C:\Documents and Settings\Administrator\Application Data\BrightStorMgr.dat

2008-08-22 11:44 . 08-08-22 11:44 <DIR> d-------- C:\ClntApps

2008-08-20 15:36 . 08-08-20 15:36 <DIR> d-------- C:\Documents and Settings\rede

2008-08-18 23:34 . 08-08-23 08:53 <DIR> d-------- C:\WINNT\system32\inf

2008-08-18 23:32 . 08-08-19 13:23 <DIR> d-------- C:\WINNT\system32\ZeHin

2008-08-18 02:53 . 08-08-18 23:34 <DIR> d-------- C:\WINNT\system32\State

2008-08-16 13:40 . 08-08-16 13:40 27 --a------ C:\WINNT\;

2008-08-15 16:12 . 08-08-15 16:12 <DIR> d-------- C:\Program Files\Kaspersky Lab

2008-08-15 16:12 . 08-08-26 08:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-08-15 16:12 . 08-08-26 08:59 15,545,632 --ahs---- C:\WINNT\system32\drivers\fidbox.dat

2008-08-15 16:12 . 08-08-26 08:33 226,784 --ahs---- C:\WINNT\system32\drivers\fidbox.idx

2008-08-15 16:12 . 08-08-26 08:59 64,032 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat

2008-08-15 16:12 . 08-08-26 08:33 8,996 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx

2008-08-15 16:08 . 08-08-15 16:08 <DIR> d-------- C:\kav

2008-08-15 15:35 . 08-08-15 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

2008-08-14 13:14 . 08-08-15 14:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-08-14 13:14 . 08-08-15 14:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-08-12 15:18 . 08-08-12 15:18 <DIR> d-------- C:\Program Files\Marcos Velasco Security

2008-08-12 15:08 . 08-08-12 15:08 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_61c.dat

2008-08-09 21:04 . 08-08-09 21:04 1,724,416 --a------ C:\WINNT\system32\gdiplus.dll

2008-08-09 20:40 . 08-08-23 09:35 <DIR> d-------- C:\WINNT\system32\FileMaps

2008-08-09 20:40 . 08-08-18 23:34 34,304 --a------ C:\WINNT\system32\ntsvc.ocx

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-22 14:48 --------- d---a-w C:\Program Files\CA

2008-08-13 17:08 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-07-10 10:00 251,152 ----a-w C:\WINNT\system32\es.dll

2008-06-25 18:35 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL

2008-06-25 18:35 601,088 ----a-w C:\WINNT\system32\INETCOMM.DLL

2008-06-25 18:35 47,616 ----a-w C:\WINNT\system32\INETRES.DLL

2008-06-25 18:35 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL

2008-06-25 18:34 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL

2008-06-25 12:51 69,904 ----a-w C:\WINNT\system32\mscms.dll

2008-06-25 09:44 33,552 ----a-w C:\WINNT\system32\dnsperf.dll

2008-06-25 09:41 64,784 ----a-w C:\WINNT\system32\mswsock.dll

2008-06-25 09:41 105,744 ----a-w C:\WINNT\system32\msafd.dll

2008-06-20 12:53 575,488 ----a-w C:\WINNT\system32\WININET.DLL

2004-08-17 12:43 112 ----a-w C:\Documents and Settings\Administrator.TECNOTRON\logon.bat

2003-10-01 18:17 191 ----a-w C:\Documents and Settings\Administrator.TECNOTRON\bkp_siga.bat

2000-07-26 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys

.

 

((((((((((((((((((((((((((((( snapshot@sáb 2008-08-23_ 9.02.44.01 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-08-23 12:01:53 196,810 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin

+ 2008-08-26 11:52:01 196,836 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin

- 2008-08-12 17:52:59 81,116 ----a-w C:\WINNT\system32\perfc009.dat

+ 2008-08-25 13:40:45 81,116 ----a-w C:\WINNT\system32\perfc009.dat

- 2008-08-12 17:52:59 452,908 ----a-w C:\WINNT\system32\perfh009.dat

+ 2008-08-25 13:40:45 452,908 ----a-w C:\WINNT\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [00-07-26 09:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ENVIRONMENT"="C:\Wi8\wi8server.exe" [08-02-13 08:31 4153344]

"ATIModeChange"="Ati2mdxx.exe" [01-09-04 17:24 28672 C:\WINNT\system32\Ati2mdxx.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [00-07-26 09:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-03-08 13:51:44 74308]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ShowSuperHidden"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= mmdrv.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

 

R0 afamgt;afamgt;C:\WINNT\system32\drivers\afamgt.sys [04-03-30 18:23 ]

R0 dcdbas;Systems management base driver;C:\WINNT\system32\DRIVERS\dcdbas32.sys [05-03-09 13:59 ]

R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys [03-06-19 12:05 ]

R0 mraid2k;mraid2k;C:\WINNT\system32\drivers\mraid2k.sys [03-12-11 18:43 ]

R0 vxio;Array Manager Device Driver;C:\WINNT\system32\drivers\vxio.sys [04-07-27 17:06 ]

R1 sw2dds;sw2dds;C:\WINNT\system32\DRIVERS\sw2dds.sys [03-07-10 15:23 ]

R2 Alert Notification Server;Alert Notification Server;C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE [03-11-04 09:34 ]

R2 bmlbbs;bmlbbs;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

R2 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [03-10-12 17:20 ]

R2 CASDBEngine;CA BrightStor Database Engine;C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe [03-12-12 19:24 ]

R2 CASDiscoverySvc;CA BrightStor Discovery Service;C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe [03-12-12 19:21 ]

R2 CASJobEngine;CA BrightStor Job Engine;C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe [03-12-12 19:24 ]

R2 CASMsgEngine;CA BrightStor Message Engine;C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe [03-12-12 19:24 ]

R2 CASSvcControlSvr;CA BrightStor Service Controller;C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe [03-12-12 19:24 ]

R2 CASTapeEngine;CA BrightStor Tape Engine;C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe [03-12-12 19:31 ]

R2 CASUnivDomainSvr;CA BrightStor Domain Server;C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe [03-12-12 19:24 ]

R2 CASUniversalAgent;CA BrightStor Universal Agent;C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe [03-12-12 19:28 ]

R2 CATIRPC;CA Remote Procedure Call Server;C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe [03-12-12 19:25 ]

R2 DbaRpcService;CA BrightStor Backup Agent RPC Server;C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe [03-12-12 19:32 ]

R2 DHCPServer;DHCP Server;C:\WINNT\System32\tcpsvcs.exe [00-07-26 09:00 ]

R2 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe [03-06-19 12:05 ]

R2 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe [04-12-19 19:30 ]

R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [02-09-20 12:29 ]

R2 nsmonitor;Windows Media Monitor Service;C:\WINNT\system32\WINDOW~1\Server\nspmon.exe [05-03-01 07:32 ]

R2 nsprogram;Windows Media Program Service;C:\WINNT\system32\WINDOW~1\Server\nspm.exe [99-11-09 20:46 ]

R2 nsstation;Windows Media Station Service;C:\WINNT\system32\WINDOW~1\Server\nscm.exe [04-05-03 07:24 ]

R2 nsunicast;Windows Media Unicast Service;C:\WINNT\system32\WINDOW~1\Server\nsum.exe [02-10-23 12:02 ]

R2 NtFrs;File Replication Service;C:\WINNT\system32\ntfrs.exe [03-06-19 12:05 ]

R2 Proteq;Proteq;C:\WINNT\system32\drivers\Proteq.sys [97-11-05 17:24 ]

R2 Protheus7service;Advanced Protheus 7;D:\ap7\bin\server\ap7srvwin.exe [07-05-25 16:55 ]

R2 RemoteDbagent;CA BrightStor Backup Agent Remote Service;C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe [03-12-12 19:40 ]

R2 TermServLicensing;Terminal Services Licensing;C:\WINNT\System32\lserver.exe [03-06-19 12:05 ]

R2 top4;TOPConnect 4.0 Server;C:\Program Files\TOPConnect 4.0\topconnect.exe [07-05-16 16:29 ]

R2 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe [05-04-08 08:51 ]

R3 dcdipm;Systems management IPMI driver;C:\WINNT\system32\DRIVERS\dcdipm32.sys [05-03-09 13:59 ]

R3 PORTACCESSOR;PORTACCESSOR;C:\PROGRA~1\Dell\OPENMA~1\oldiags\packages\PORTACCESSOR.sys [05-03-09 14:02 ]

R3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys [02-08-14 16:00 ]

R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]

S0 vxboot;vxboot;C:\WINNT\system32\drivers\vxboot.sys [04-07-27 17:06 ]

S2 wbengins;Block Level Backup Engines;C:\WINNT\System32\odsvc.exe []

S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [03-09-12 17:04 ]

S3 NSLService;On-line Presentation Broadcast;C:\WINNT\system32\Windows Media\NSLite\nslservice.exe [99-11-09 20:43 ]

S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys [03-06-19 12:05 ]

S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys [03-06-19 12:05 ]

S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys [03-06-19 12:05 ]

S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys [03-06-19 12:05 ]

S4 servics;Network Access;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

S4 TOPConnect;TOPConnect 2.0;C:\Program Files\TOPConnect 2.0\topsr32.exe [04-03-09 22:57 ]

Start Pending2 Event;Event;C:\WINNT\System32\svchost.exe [00-07-26 09:00 ]

Start Pending2 jnfijt;jnfijt;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

Start Pending2 Wingms;Windows Gateway Manager System;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

tapisrv REG_MULTI_SZ Tapisrv

jnfijt REG_MULTI_SZ jnfijt

Microsoft REG_MULTI_SZ Microsoft

bmlbbs REG_MULTI_SZ bmlbbs

Wingms REG_MULTI_SZ Wingms

servics REG_MULTI_SZ servics

Event REG_MULTI_SZ Event

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

netsvc

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z52r2n1l.default\

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-26 08:59:45

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-08-26 9:00:25

ComboFix-quarantined-files.txt 2008-08-26 12:00:21

ComboFix2.txt 2008-08-25 16:38:38

ComboFix3.txt 2008-08-25 12:17:15

ComboFix4.txt 2008-08-23 15:13:04

ComboFix5.txt 2008-08-26 11:57:58

 

Pre-Run: 979,406,848 bytes free

Post-Run: 971,694,080 bytes free

 

184 --- E O F --- 2008-08-14 12:09:47

 

***********************************************************************

HijackThis

***********************************************************************

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:06, on 2008-08-26

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

C:\WINNT\system32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE

C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe

C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

C:\WINNT\system32\Dfssvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\llssrv.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

C:\MICROS~1\MSSQL\binn\sqlservr.exe

C:\WINNT\system32\ntfrs.exe

C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe

C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

D:\ap7\bin\server\ap7srvwin.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe

C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\locator.exe

C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\lserver.exe

C:\Program Files\TOPConnect 4.0\topconnect.exe

C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\system32\inetsrv\inetinfo.exe

C:\WINNT\System32\ismserv.exe

C:\MICROS~1\MSSQL\binn\sqlagent.exe

C:\Wi8\wi8server.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe

C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe

C:\WINNT\explorer.exe

D:\User\Eng\Programas\HiJackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ENVIRONMENT] C:\Wi8\wi8server.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\Run: [internat.exe] internat.exe (User 'NetShowServices')

O4 - HKUS\S-1-5-21-1202660629-573735546-725345543-1142\..\RunOnce: [^SetupICWDesktop] "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" /desktop (User 'NetShowServices')

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CCS\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 200.240.0.10

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS1\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 200.240.0.10

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tecnotron.local

O17 - HKLM\System\CS2\Services\Tcpip\..\{6F188AB4-DA72-4075-B26D-0530F6B8880A}: NameServer = 200.240.0.10

O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

O23 - Service: CA BrightStor Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe

O23 - Service: CA BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\CADS\casdscsvc.exe

O23 - Service: CA BrightStor Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe

O23 - Service: CA BrightStor Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe

O23 - Service: CA BrightStor Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe

O23 - Service: CA BrightStor Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe

O23 - Service: CA BrightStor Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe

O23 - Service: CA BrightStor Universal Agent (CASUniversalAgent) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\UniAgent\UnivAgent.exe

O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe

O23 - Service: CA BrightStor Backup Agent RPC Server (DbaRpcService) - Computer Associates - C:\Program Files\CA\SharedComponents\BrightStor\DBAcommon\DBASVR.exe

O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe

O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe

O23 - Service: iTechnology iGateway 2.1 (iGateway) - Computer Associates - C:\Program Files\CA\iGateway\igateway.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe

O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe

O23 - Service: Advanced Protheus 7 (Protheus7service) - TOTVS S/A - D:\ap7\bin\server\ap7srvwin.exe

O23 - Service: CA BrightStor Backup Agent Remote Service (RemoteDbagent) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup Agent for SQL\dbasqlr.exe

O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe

O23 - Service: TOPConnect 4.0 Server (top4) - Unknown owner - C:\Program Files\TOPConnect 4.0\topconnect.exe

O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

O23 - Service: Block Level Backup Engines (wbengins) - Unknown owner - C:\WINNT\System32\odsvc.exe (file missing)

 

--

End of file - 8547 bytes

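As an added example (not code from the thread, and not part of ComboFix or HijackThis), the script below parses the three entry formats that appear in the logs above and flags what a responder would check first: svchost-hosted services with random names and svchost groups named after themselves (servics, bmlbbs, jnfijt, Wingms and "Microsoft" in the ComboFix log), plus services whose binary is gone (wbengins pointing at odsvc.exe). The sample log is constructed from lines in this thread; the svchost group allowlist is an assumption for a stock Windows 2000 install.

```python
import re
from typing import List, NamedTuple

# svchost.exe groups expected on a stock Windows 2000 box (assumption for this
# example; any group outside a short allowlist deserves a look).
KNOWN_SVCHOST_GROUPS = {"netsvcs", "rpcss", "tapisrv"}

# ComboFix service line:  S4 servics;Network Access;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]
COMBOFIX_SVC = re.compile(
    r"^(?P<state>R\d|S\d|Start Pending\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)
# Value inside the [...\currentversion\svchost] key:  jnfijt REG_MULTI_SZ jnfijt
SVCHOST_GROUP = re.compile(r"^(?P<group>\S+) REG_MULTI_SZ (?P<members>.+)$")
# HijackThis O23 line:  O23 - Service: <display> (<name>) - <owner> - <path> [(file missing)]
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: lines taken from the ComboFix and HijackThis logs in this thread.
SAMPLE_LOG = r"""
S4 servics;Network Access;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]
R2 bmlbbs;bmlbbs;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]
R2 DHCPServer;DHCP Server;C:\WINNT\System32\tcpsvcs.exe [00-07-26 09:00 ]
S2 wbengins;Block Level Backup Engines;C:\WINNT\System32\odsvc.exe []
Start Pending2 jnfijt;jnfijt;C:\WINNT\system32\svchost.exe [00-07-26 09:00 ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv
jnfijt REG_MULTI_SZ jnfijt
Microsoft REG_MULTI_SZ Microsoft
servics REG_MULTI_SZ servics

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Block Level Backup Engines (wbengins) - Unknown owner - C:\WINNT\System32\odsvc.exe (file missing)
"""


class Finding(NamedTuple):
    severity: str   # "high" or "medium"
    source: str     # "combofix-service", "svchost-group" or "hjt-o23"
    name: str       # service or svchost group name
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Scan mixed ComboFix/HijackThis text and return the entries worth checking."""
    findings: List[Finding] = []
    in_svchost_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Registry key header: remember whether we are inside the svchost group key.
            in_svchost_key = line.lower().endswith("\\svchost]")
            continue
        if in_svchost_key:
            g = SVCHOST_GROUP.match(line)
            if g:
                group, members = g.group("group"), g.group("members").split()
                if group.lower() not in KNOWN_SVCHOST_GROUPS:
                    # A group whose only member is itself is what "svchost.exe -k servics" loads.
                    self_named = members == [group]
                    findings.append(Finding(
                        "high" if self_named else "medium", "svchost-group", group,
                        "svchost group named after its only service" if self_named
                        else "svchost group outside the allowlist: " + " ".join(members)))
                continue
            in_svchost_key = False  # the key's value list has ended
        m = COMBOFIX_SVC.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if not m.group("stamp").strip():
                findings.append(Finding("high", "combofix-service", name,
                                        "no file timestamp: the service binary is missing"))
            elif path.lower().endswith("\\svchost.exe"):
                findings.append(Finding("medium", "combofix-service", name,
                                        "svchost-hosted service that ComboFix did not treat "
                                        "as a default: check its group and ServiceDll"))
            continue
        h = HJT_O23.match(line)
        if h:
            name = h.group("name") or h.group("display")
            if h.group("missing"):
                findings.append(Finding("high", "hjt-o23", name,
                                        "service points at a file that no longer exists"))
            elif h.group("owner") == "Unknown owner" and "\\system32\\" in h.group("path").lower():
                findings.append(Finding("medium", "hjt-o23", name,
                                        "unknown-owner service living in system32"))
    return findings
```

Running `triage(SAMPLE_LOG)` leaves DHCPServer, tapisrv, AVP and the Dell mr2kserv entry alone and flags the five names that the cleanup instructions above targeted.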

Hey Altairts,

Download WinsockFix.

Run WinsockFix.exe and then click Fix.

Restart the machine and check whether the internet connection is working again.

Cheers.


Dear JGarcia, the connection is back! And about the logs, could there still be some virus? I'm a bit suspicious, because when the server boots the system complains that a service failed to start, and when I check the active services, two entries with strange characters show up and I can't identify which applications they belong to.

Thanks

Cheers

Altair

P.S.: Actually the two service entries are

 

1) c:\winnt\system32\svchost.exe -k netsvcs

2) c:\winnt\system32\svchost.exe -k servics


Hey Altairts,

Your log no longer shows any abnormal entries.

Well, let's try to fix the remaining problem with CCleaner -> download here.

1. To run the cleanup, just check the Cleaner option (top left) and click Run Cleaner (bottom right). Here you can choose to clean Windows, Applications, or both;

2. To fix errors, choose the Registry option (top left), click Scan for Issues (bottom left) and then Fix selected issues (bottom right; by default all of them are selected);

3. Under Tools (top left) you can uninstall programs (the same ones listed in Add/Remove Programs) or remove program entries from startup (experienced users only);

4. Under Options are CCleaner's configuration settings, which I suggest you leave unchanged.

Carry out the actions above (only 1 and 2) and check whether the problem is fixed.

Cheers.


Good afternoon JGarcia, unfortunately the server is still infected. When internet access came back the antivirus detected everything again. Well, since it is a server I can't take chances, so I'll work around it until the weekend and then format and reinstall everything. In any case, thank you for the great help and attention. The sad part is knowing this can happen again even with an up-to-date antivirus (McAfee Small Business) and without using the machine for email/browsing.

Cheers

Altair Teixeira


Have you already tried running a full scan (with the resident AV) on your machine in Safe Mode?


Topic Archived

Since the author has not replied for more than 30 days, the topic has been archived.

If you are the author of the topic and want to reopen it, send a private message to a moderator of this section with the link to this topic and explain why it should be reopened.
