[Arquivado] Log para analise

[Jefferson Bezerra 0]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:39:38, on 02/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exe
C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Arquivos de programas\Google\Google Talk\googletalk.exe
C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jefferson\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\ARQUIV~1\MAGICM~1\Magic.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Dimep\BioTime\BioTime.exe
C:\Arquivos de programas\Java\jre1.6.0_02\bin\jucheck.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cocmaceio.com.br
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.coc.com.br/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2femail.coc.com.br%2fowa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cocmaceio.com.br
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.1:8080
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Arquivos de programas\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GerenciadorQuickstart] c:\Sistemas\GerenciadorQuickStart.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [\\gongo\EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\DOCUME~1\ADMINI~1.INE\CONFIG~1\Temp\E_S1F6.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spark] C:\Arquivos de programas\Spark\Spark.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\jefferson\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Email INEI.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Arquivos de programas\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Configurações do Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Arquivos de programas\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Arquivos de programas\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Arquivos de programas\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .NPSSView: C:\Arquivos de programas\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.inei-maceio.com.br
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142769059906
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.43.downloads.estara.com./as/OneCCDM.php?template=247036&sessionid=1246438893_189.71.145.212_3786&=&req=1221746568468OneCC.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginSUD.cab
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - http://10.10.0.97/CSViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ineimaceio.edu.br
O17 - HKLM\Software\..\Telephony: DomainName = ineimaceio.edu.br
O17 - HKLM\System\CCS\Services\Tcpip\..\{38CB0E59-4EC2-403D-A59E-0B58E54AE55B}: NameServer = 10.10.0.201,200.165.132.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{F36DAB91-59B6-4D10-A992-56F62047CEDB}: NameServer = 10.10.0.201,200.165.132.154
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ineimaceio.edu.br
O17 - HKLM\System\CS1\Services\Tcpip\..\{38CB0E59-4EC2-403D-A59E-0B58E54AE55B}: NameServer = 10.10.0.201,200.165.132.154
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify:  GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O20 - Winlogon Notify:  GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Update Service (gupdate1c91361b44dedb2) (gupdate1c91361b44dedb2) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\winvnc.exe (file missing)

--
End of file - 11572 bytes

[Silas Martins 0]

Baixe o bankerfix.exe.

desative o seu antivírus temporariamente, para não haver conflitos e para uma melhor detecção.

Clique duas vezes sobre bankerfix.exe, dê o Enter e espere ele terminar. Ao terminar, leia a mensagem na tela e aperte Enter novamente.

Aviso: Faça o download pelo navegado Internet Explorer, assim você ira evitar alertas desnecessários

Habilite o seu antivírus. e gere um novo log do hijackthis, e poste juntamente com o relatório .txt do Bankerfix.

 

Aguardo o Retorno

[Jefferson Bezerra 0]

HijackThis

Logfile of HijackThis v1.99.1Scan saved at 09:28, on 2008-12-03Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\ARQUIV~1\GbPlugin\GbpSv.exeC:\WINDOWS\system32\spoolsv.exeC:\ARQUIV~1\AVG\AVG8\avgwdsvc.exeC:\WINDOWS\SYSTEM32\DNTUS26.EXEC:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exeC:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exeC:\WINDOWS\system32\wdfmgr.exeC:\Arquivos de programas\Google\Update\GoogleUpdate.exeC:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exeC:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exeC:\WINDOWS\system32\vmnat.exeC:\WINDOWS\system32\vmnetdhcp.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\VTTimer.exeC:\Arquivos de programas\Google\Google Talk\googletalk.exeC:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exeC:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exeC:\Arquivos de programas\ESET\ESET Smart Security\egui.exeC:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exeC:\WINDOWS\SOUNDMAN.EXEC:\Arquivos de programas\Skype\Phone\Skype.exeC:\WINDOWS\system32\ctfmon.exeC:\Documents and Settings\jefferson\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exeC:\ARQUIV~1\MAGICM~1\Magic.exeC:\Arquivos de programas\Skype\Plugin Manager\skypePM.exeC:\Arquivos de programas\Java\jre1.6.0_02\bin\jucheck.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\DOCUME~1\JEFFER~3\CONFIG~1\Temp\Rar$EX00.375\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cocmaceio.com.brR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.coc.com.br/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2femail.coc.com.br%2fowaR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cocmaceio.com.brR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.1:8080O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dllO2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dllO2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Arquivos de programas\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [GerenciadorQuickstart] c:\Sistemas\GerenciadorQuickStart.exeO4 - HKLM\..\Run: [VTTimer] VTTimer.exeO4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWndO4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostartO4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [\\gongo\EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\DOCUME~1\ADMINI~1.INE\CONFIG~1\Temp\E_S1F6.tmp" /EF "HKLM"O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\winvnc.exe" -servicehelperO4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitserviceO4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe"  -osbootO4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXEO4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Spark] C:\Arquivos de programas\Spark\Spark.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\jefferson\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /cO4 - Startup: Email INEI.lnk = ?O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Arquivos de programas\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra 'Tools' menuitem: &Configurações do Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Arquivos de programas\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Arquivos de programas\WinHTTrack\WinHTTrackIEBar.dllO9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Arquivos de programas\WinHTTrack\WinHTTrackIEBar.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)O11 - Options group: [INTERNATIONAL] International*O12 - Plugin for .NPSSView: C:\Arquivos de programas\Seagate Software\Viewers\ActiveXViewer\NPssView.dllO14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.aspO14 - IERESET.INF: START_PAGE_URL=http://www.inei-maceio.com.brO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142769059906O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.43.downloads.estara.com./as/OneCCDM.php?template=247036&sessionid=1246438893_189.71.145.212_3786&=&req=1221746568468OneCC.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabO16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cabO16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginSUD.cabO16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - http://10.10.0.97/CSViewer.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ineimaceio.edu.brO17 - HKLM\Software\..\Telephony: DomainName = ineimaceio.edu.brO17 - HKLM\System\CCS\Services\Tcpip\..\{38CB0E59-4EC2-403D-A59E-0B58E54AE55B}: NameServer = 10.10.0.201,200.165.132.154O17 - HKLM\System\CCS\Services\Tcpip\..\{F36DAB91-59B6-4D10-A992-56F62047CEDB}: NameServer = 10.10.0.201,200.165.132.154O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ineimaceio.edu.brO17 - HKLM\System\CS1\Services\Tcpip\..\{38CB0E59-4EC2-403D-A59E-0B58E54AE55B}: NameServer = 10.10.0.201,200.165.132.154O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dllO18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLLO18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLLO20 - Winlogon Notify:  GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dllO20 - Winlogon Notify:  GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dllO20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllO20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dllO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exeO23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXEO23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exeO23 - Service: Eset Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exeO23 - Service: Google Update Service (gupdate1c91361b44dedb2) (gupdate1c91361b44dedb2) - Unknown owner - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe" /svc (file missing)O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exeO23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exeO23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exeO23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exeO23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\winvnc.exe" -service (file missing)

 

 

BankerFix

BankerFix 3.0 VALKYRIE - Removedor de BankersLinha Defensiva | http://www.linhadefensiva.orghttp://www.linhadefensiva.org/bankerfix/-------------------------------------------------------Data: 2008-12-03 - 09:24-------------------------------------------------------Lista de Definição: 2008-10-08-1 | CORE: 2008-09-30-2=======================================================----- Fim -------------------------

[Silas Martins 0]

Baixe o Malwarebytes Anti-Malware

 

 

* Inicie a instalação clique em "mbam-setup.exe";

* Marque "Atualizar Malwarebytes Anti-Malware" e "Executar Malwarebytes Anti-Malware", e clique em concluir.

* Marque "Verificação Rápida" e depois clique em Verificar.

* Quando o scan terminar, clique em Ok e em "Mostrar Resultados" para ver o log;

* Se algo for detectado, veja se tudo está marcado e clique em "Remover";

* O log é automaticamente gravado e pode ser consultado clicando em "Logs" do menu principal;

* Copie e cole esse log, juntamente com o novo log do hijacktihis .

Aguado o retorno.

[Jefferson Bezerra 0]

Malwarebytes' Anti-Malware 1.31

Versão do banco de dados: 1459Windows 5.1.2600 Service Pack 32008-12-04 09:01:46mbam-log-2008-12-04 (09-01-46).txtTipo de Verificação: RápidaObjetos verificados: 66730Tempo decorrido: 8 minute(s), 10 second(s)Processos da Memória infectados: 0Módulos de Memória Infectados: 0Chaves do Registro infectadas: 1Valores do Registro infectados: 0Ítens do Registro infectados: 0Pastas infectadas: 0Arquivos infectados: 9Processos da Memória infectados:(Nenhum ítem malicioso foi detectado)Módulos de Memória Infectados:(Nenhum ítem malicioso foi detectado)Chaves do Registro infectadas:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__gbpluginabn (Trojan.Vundo) -> Quarantined and deleted successfully.Valores do Registro infectados:(Nenhum ítem malicioso foi detectado)Ítens do Registro infectados:(Nenhum ítem malicioso foi detectado)Pastas infectadas:(Nenhum ítem malicioso foi detectado)Arquivos infectados:C:\RECYCLER\S-1-5-21-1715567821-839522115-1343024091-1116\Dc84.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Documents and Settings\jefferson_\Configurações locais\Temp\Rar$EX00.829\winrar\crack\Unipatch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\a (Trojan.Agent) -> Quarantined and deleted successfully.C:\8E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.C:\Arquivos de programas\GbPlugin\gbiehabn.dll (Trojan.Vundo) -> Delete on reboot.C:\314.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.C:\315E.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.C:\31A.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.C:\31E.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.

HijackThis v1.99.1

Logfile of HijackThis v1.99.1Scan saved at 09:09, on 2008-12-04Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\ARQUIV~1\GbPlugin\GbpSv.exeC:\WINDOWS\system32\spoolsv.exeC:\ARQUIV~1\AVG\AVG8\avgwdsvc.exeC:\WINDOWS\SYSTEM32\DNTUS26.EXEC:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exeC:\Arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt.exeC:\Arquivos de programas\Google\Update\GoogleUpdate.exeC:\WINDOWS\Explorer.EXEC:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exeC:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exeC:\WINDOWS\system32\vmnat.exeC:\WINDOWS\system32\vmnetdhcp.exeC:\WINDOWS\system32\VTTimer.exeC:\Arquivos de programas\Google\Google Talk\googletalk.exeC:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exeC:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exeC:\Arquivos de programas\ESET\ESET Smart Security\egui.exeC:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exeC:\WINDOWS\SOUNDMAN.EXEC:\WINDOWS\system32\ctfmon.exeC:\Arquivos de programas\Skype\Phone\Skype.exeC:\Documents and Settings\jefferson\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exeC:\ARQUIV~1\MAGICM~1\Magic.exeC:\Arquivos de programas\Skype\Plugin Manager\skypePM.exeC:\WINDOWS\system32\wuauclt.exeC:\Arquivos de programas\Mozilla Firefox\firefox.exeC:\Arquivos de programas\WinRAR\WinRAR.exeC:\DOCUME~1\JEFFER~3\CONFIG~1\Temp\Rar$EX00.594\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cocmaceio.com.brR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.coc.com.br/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2femail.coc.com.br%2fowaR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cocmaceio.com.brR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.1:8080O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dllO2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll (file missing)O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Arquivos de programas\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [GerenciadorQuickstart] c:\Sistemas\GerenciadorQuickStart.exeO4 - HKLM\..\Run: [VTTimer] VTTimer.exeO4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWndO4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostartO4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [\\gongo\EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /F "C:\DOCUME~1\ADMINI~1.INE\CONFIG~1\Temp\E_S1F6.tmp" /EF "HKLM"O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\winvnc.exe" -servicehelperO4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitserviceO4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe"  -osbootO4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXEO4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Spark] C:\Arquivos de programas\Spark\Spark.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\jefferson\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /cO4 - Startup: Email INEI.lnk = ?O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Arquivos de programas\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra 'Tools' menuitem: &Configurações do Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Arquivos de programas\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dllO9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Arquivos de programas\WinHTTrack\WinHTTrackIEBar.dllO9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Arquivos de programas\WinHTTrack\WinHTTrackIEBar.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)O11 - Options group: [INTERNATIONAL] International*O12 - Plugin for .NPSSView: C:\Arquivos de programas\Seagate Software\Viewers\ActiveXViewer\NPssView.dllO14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.aspO14 - IERESET.INF: START_PAGE_URL=http://www.inei-maceio.com.brO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142769059906O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.43.downloads.estara.com./as/OneCCDM.php?template=247036&sessionid=1246438893_189.71.145.212_3786&=&req=1221746568468OneCC.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabO16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cabO16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginSUD.cabO16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - http://10.10.0.97/CSViewer.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ineimaceio.edu.brO17 - HKLM\Software\..\Telephony: DomainName = ineimaceio.edu.brO17 - HKLM\System\CCS\Services\Tcpip\..\{38CB0E59-4EC2-403D-A59E-0B58E54AE55B}: NameServer = 10.10.0.201,200.165.132.154O17 - HKLM\System\CCS\Services\Tcpip\..\{F36DAB91-59B6-4D10-A992-56F62047CEDB}: NameServer = 10.10.0.201,200.165.132.154O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ineimaceio.edu.brO17 - HKLM\System\CS1\Services\Tcpip\..\{38CB0E59-4EC2-403D-A59E-0B58E54AE55B}: NameServer = 10.10.0.201,200.165.132.154O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dllO18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLLO18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLLO20 - Winlogon Notify:  GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll (file missing)O20 - Winlogon Notify:  GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dllO20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exeO23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXEO23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exeO23 - Service: Eset Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exeO23 - Service: Google Update Service (gupdate1c91361b44dedb2) (gupdate1c91361b44dedb2) - Unknown owner - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe" /svc (file missing)O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Arquivos de programas\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Workstation\vmware-authd.exeO23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exeO23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exeO23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exeO23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\winvnc.exe" -service (file missing)

[Jefferson Bezerra 0]

Informação Adicional,

o ESET de vez em quando está detectando arquivos infectados com um variante do win32/sality, e ele apaga os arquivos, não ta dando opção de limpar o executável. Verifiquei que os executáveis infectados estão modificados, pelo menos em relação ao tamanho. Ex. o original possuia 352Kb, e o infectado 450Kb.

[Silas Martins 0]

Baixe o ComboFix em:

ComboFix

 

1) Desabilite o seu anti-vírus temporariamente;

 

2) Dê um duplo-clique no combofix.exe e aguarde (o processo total demora cerca de 10 minutos);

 

3) A janela de “NEGAÇÃO DE GARANTIA DO SOFTWARE” abrir-se-á. Leia atentamente o texto contido nesta janela e clique sobre “SIM” para continuar.

 

PS.: Caso não concorde com os termos clique sobre “NÃO” para sair do software, cabendo lembrar que o processo de desinfecção não será possível sem a continuidade do ComboFix.

 

4) Outra janela irá abrir, caso a sua máquina não possua o CONSOLE DE RECUPERAÇÃO DO WINDOWS. É recomendável executar a instalação do console ante de dar continuidade ao processo, pois tal ação proporcionará a garantia de que o sistema poderá ser recuperado em caso de problemas durante a varredura.

 

Clique sobre “SIM” e aguarde, pois o processo de instalação do console dar-se-á automaticamente através do próprio ComboFix. Ele poderá demorar alguns minutos (dependerá da velocidade de sua conexão), portanto seja paciente.

 

Quando a janela “INSTALANDO O CONSOLE DE RECUPERAÇÃO” aparecer clique em “OK”, depois clique sobre “SIM” para aceitar a licença EULA.

 

Ao término da instalação do console de recuperação abrir-se-á uma janela avisando que “O CONSOLE DE RECUPERAÇÃO FOI INSTALADA COM SUCESSO”.

 

Clique sobre “SIM” para continuar a varredura.

 

5) O ComboFix iniciará o AUTOSCAN (aguarde).

 

ATENÇÃO: Não clique na janela do ComboFix, nem termine o processo abruptamente enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco).

 

Ao término do processo a máquina será reiniciada para a emissão do relatório.

 

6) Ao reiniciar a máquina o ComboFix irá executar o FIND3M para a criação do relatório final da varredura. O log ficará alocado em C:\ComboFix.txt.

 

7) Reabilite o seu anti-vírus;

 

8) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta.

 

OBS.1: Caso apareça uma mensagem avisando que ESTE NÃO É UM APLICATIVO WIN 32 VÁLIDO baixe o ComboFix novamente, mas salve-o em seu Desktop como KomboFix. Em último caso, tente utilizar o ComboFix em MODO SEGURO.

 

OBS.2: Caso haja um clique sobre a janela do ComboFix em execução, ela irá MAXIMIZAR, sobrepondo-se sobre as demais. Para minimizá-la novamente basta utilizar a combinação ALT + TAB.

 

 

 

Atenção:

Não clique em nada enquanto o Combofix estiver rodando, Do contrário seu desktop ficará em branco.

 

Para parar o processo ou sair do ComboFix, tecle "2" e Enter.

 

Aguardo o retorno

 

Removedor de Wn 32/Sality

[Mário Monteiro 179]

Tópico Arquivado

 

Como o autor não respondeu por mais de 30 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.