Daniel_X_

Problems with Ardamax, Agente.Iss trojan, Agente.Iss dropper.


Hi everyone, I picked up several viruses and a keylogger at the same time; I ran the antivirus and put them in Avira's quarantine.

Now I don't know what to do to remove them, and to make sure they don't come back.

They are these:

*TR/Spy.Ardamax.J Trojan

*TR/Agente.Iss Trojan

*DR/Agente.Iss Dropper

Please help me.

Thanks, cheers.

I have already posted my HijackThis log.


Read the instructions in this topic:

http://forum.clubedohardware.com.br/criando-novo-topico/429891

And post a HijackThis log for analysis.


Logfile of HijackThis v1.99.1

Scan saved at 20:42:53, on 15/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\svchost.exe

C:\WINDOWS\system32\CTFMON.EXE

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Asprate\Tibia Multi IP Changer\Tibia MULTI-ip changer.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Arquivos de programas\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Arquivos de programas\TechSmith\SnagIt 8\SnagItIEAddin.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [WCUK Agent] C:\WINDOWS\system32\28463\WCUK.exe

O4 - HKCU\..\Run: [svchost.exe] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8715BFDE-9089-459A-A743-799F3019D008}: NameServer = 200.148.206.22

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


I can see that you have a backdoor infection. This program is capable of stealing passwords and other information from your computer. I recommend that you take the following steps as soon as possible:

  • Inform your bank of what happened, if you use online banking, taking the necessary precautions so that no fraud occurs.
  • After I declare the log clean, change the passwords of your e-mail accounts and of the other services you use online.
  • Consider what information may have been stolen from your computer and take the necessary measures.

Now on to the removal.

# Step 1 #

Download SDFix

  • Save it to your desktop.
  • Double-click SDFix.exe and the tool will be installed to %SystemDrive%\SDFix
  • (Normally the drive that contains Windows. Usually: C:\SDFix).
  • Do not run it yet.

# Step 2 #
Restart the computer in Safe Mode (press the F8 key repeatedly, or F5 in some cases, during startup)
# Step 3 #
Run SDFix.
  • Open the SDFix folder that was installed on your computer and double-click the file RunThis.bat
  • Press Y so that the tool starts the removal process
  • When everything finishes, you will see a message telling you to press any key to continue. When you press any key, the computer will restart automatically
  • After the restart, the tool will run again to finish its work and the word Finished will appear. Press any key.
  • A window with the SDFix report will appear.
  • Copy and paste this report in your reply. If you closed the window, a copy of the report is in the SDFix folder under the name Report.txt
  • Also generate and paste a new HijackThis log.

-- If a window opens and closes suddenly, please go to Start -> Run -> and copy and paste the following text:

%systemdrive%\SDFix\apps\FixPath.exe /Q

Restart the PC and run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer -> Properties -> Advanced -> Environment Variables and check that the ComSpec variable holds the path to cmd.exe:

%SystemRoot%\system32\cmd.exe


SDFix LOG

SDFix: Version 1.226

Run by Administrador on qua 17/09/2008 at 14:40

Microsoft Windows XP [versÆo 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\svchost.exe - Deleted

Folder C:\Documents and Settings\Administrador\Dados de aplicativos\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-17 14:55:30

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\DAP\\DAP.exe"="C:\\Arquivos de programas\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"

"C:\\Arquivos de programas\\Tibia\\TibiCAM\\TibiCAM.exe"="C:\\Arquivos de programas\\Tibia\\TibiCAM\\TibiCAM.exe:*:Disabled:TibiCAM"

"C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"="C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"

"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Assistˆncia Remota - Windows Messenger e Voz"

"C:\\Arquivos de programas\\LevelUpGames\\The Duel\\theduel.exe"="C:\\Arquivos de programas\\LevelUpGames\\The Duel\\theduel.exe:*:Disabled:Gunz"

"C:\\Arquivos de programas\\Valve\\hl.exe"="C:\\Arquivos de programas\\Valve\\hl.exe:*:Disabled:Half-Life Launcher"

"C:\\Arquivos de programas\\Valve\\hlds.exe"="C:\\Arquivos de programas\\Valve\\hlds.exe:*:Disabled:HLDS Launcher"

"C:\\Arquivos de programas\\Valve\\hltv.exe"="C:\\Arquivos de programas\\Valve\\hltv.exe:*:Disabled:HLTV Launcher"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"C:\\Arquivos de programas\\Tibia\\Tibia.exe"="C:\\Arquivos de programas\\Tibia\\Tibia.exe:*:Disabled:Tibia Player"

"C:\\xampp\\apache\\bin\\apache.exe"="C:\\xampp\\apache\\bin\\apache.exe:*:Disabled:Apache HTTP Server"

"C:\\xampp\\MercuryMail\\mercury.exe"="C:\\xampp\\MercuryMail\\mercury.exe:*:Disabled:Mercury/32 Core Processing Module v4.52"

"C:\\Arquivos de programas\\Ares\\Ares.exe"="C:\\Arquivos de programas\\Ares\\Ares.exe:*:Disabled:Ares p2p for windows"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 3 Aug 2004 1,667,584 ..SH. --- "C:\Arquivos de programas\Messenger\msmsgs.exe"

Thu 20 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"


Finished!

HijackThis LOG

Logfile of HijackThis v1.99.1

Scan saved at 14:59:45, on 17/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXE

C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Arquivos de programas\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Arquivos de programas\TechSmith\SnagIt 8\SnagItIEAddin.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [WCUK Agent] C:\WINDOWS\system32\28463\WCUK.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Configure Windows to show all files

Go to this site: http://virusscan.jotti.org/

In File to upload enter: C:\WINDOWS\system32\28463\WCUK.exe

Then click Submit

Copy and post the result of this scan.


Did you configure Windows to show all files?


Follow the instructions in the link below and install and run ComboFix:

http://www.bleepingcomputer.com/combofix/pt/como-usar-o-combofix

  • It is important that you also install the Recovery Console.
  • When the tool finishes running, it will generate a log (the file C:\ComboFix.txt).
  • Paste the contents of that file and also make a new HijackThis log to include in your reply.

Warning: Do not use the mouse or the keyboard while the tool is running; this can cause the computer to freeze.

Note: Please do NOT use ComboFix on your own. It is a powerful tool created to deal with sophisticated infections, and if you do not use it correctly it can damage your system. The tool should only be used under the supervision of properly trained malware removal assistants.


Here are the logs.

ComboFix

ComboFix 08-10-04.07 - Administrador 2008-10-05 14:32:01.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.538 [GMT -3:00]

Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Administrador\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

* Criado um novo ponto de restauro

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\28463

C:\WINDOWS\system32\28463\AKV.exe

C:\WINDOWS\system32\28463\WCUK.001

C:\WINDOWS\system32\28463\WCUK.006

C:\WINDOWS\system32\28463\WCUK.007

.

((((((((((((((((((((((( Ficheiros criados de 2008-09-05 to 2008-10-05 ))))))))))))))))))))))))))))))))

.

2008-10-03 17:20 . 2008-10-03 19:33 <DIR> d-------- C:\Arquivos de programas\TibiaBot NG 7.9

2008-10-03 17:15 . 2008-10-03 17:16 <DIR> d-------- C:\Arquivos de programas\Tibia 8.31

2008-09-26 21:13 . 2008-10-03 17:15 <DIR> d-------- C:\Arquivos de programas\TibiaBot NG

2008-09-25 14:17 . 2008-09-29 14:24 <DIR> d-------- C:\Arquivos de programas\CABAL Online (BRAZIL)

2008-09-19 19:27 . 2008-09-19 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Winamp Toolbar

2008-09-19 19:27 . 2008-09-19 19:27 <DIR> d-------- C:\Arquivos de programas\Winamp Toolbar

2008-09-19 19:26 . 2008-09-19 19:27 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\Winamp

2008-09-19 19:26 . 2008-09-19 19:27 <DIR> d-------- C:\Arquivos de programas\Winamp

2008-09-19 19:07 . 2008-09-19 19:07 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Windows Live

2008-09-17 14:37 . 2008-09-17 14:37 <DIR> d-------- C:\WINDOWS\ERUNT

2008-09-17 14:33 . 2008-09-17 14:57 <DIR> d-------- C:\SDFix

2008-09-17 12:05 . 2008-09-17 12:05 268 --ah----- C:\sqmdata06.sqm

2008-09-17 12:05 . 2008-09-17 12:05 244 --ah----- C:\sqmnoopt06.sqm

2008-09-17 12:00 . 2008-09-17 12:00 268 --ah----- C:\sqmdata05.sqm

2008-09-17 12:00 . 2008-09-17 12:00 244 --ah----- C:\sqmnoopt05.sqm

2008-09-15 20:42 . 2008-09-17 14:59 <DIR> d-------- C:\hijack

2008-09-14 22:23 . 2006-06-26 02:49 1,867,776 --a------ C:\WINDOWS\system32\python24.dll

2008-09-13 20:38 . 2008-09-13 20:38 11 -ra------ C:\WINDOWS\amunres.lsl

2008-09-13 14:52 . 2008-09-13 14:52 <DIR> d-------- C:\Arquivos de programas\Ares

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-05 17:17 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-10-03 20:22 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Tibia

2008-09-22 21:31 --------- d-----w C:\Arquivos de programas\Tibia 8.22

2008-09-20 14:22 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\teamspeak2

2008-09-15 19:41 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-09-15 19:37 --------- d-----w C:\Arquivos de programas\Google SketchUp 6

2008-09-09 23:32 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\sqlitestudio

2008-09-01 23:59 --------- d-----w C:\Arquivos de programas\Digitando 2007 Versão Escritório

2008-08-28 01:20 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Simego

2008-08-28 00:57 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Notepad++

2008-08-28 00:57 --------- d-----w C:\Arquivos de programas\Notepad++

2008-08-19 16:48 --------- d-----w C:\Arquivos de programas\Tibia 8.21

2008-08-19 03:03 --------- d-----w C:\Arquivos de programas\Teamspeak2_RC2

2008-08-12 19:40 --------- d-----w C:\Arquivos de programas\Java

2008-08-12 00:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard

2008-08-12 00:29 --------- d-----w C:\Documents and Settings\Administrador\Dados de aplicativos\Ventrilo

2008-04-04 21:23 152 ----a-w C:\Documents and Settings\Administrador\brdgInst.bat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "C:\Arquivos de programas\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-24 5898240]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"avgnt"="C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-21 266497]

"PCTVOICE"="pctspk.exe" [2003-01-06 C:\WINDOWS\system32\pctspk.exe]

"SoundMan"="SOUNDMAN.EXE" [2004-12-22 C:\WINDOWS\SOUNDMAN.EXE]

"nwiz"="nwiz.exe" [2006-07-24 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\Administrador\Menu Iniciar\Programas\Inicializar\

Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

Ralink Wireless Utility.lnk - C:\Arquivos de programas\RALINK\Common\RaUI.exe [2007-12-01 618496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.X264"= x264vfw.dll

"VIDC.3iv2"= 3ivxVfWCodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^EPSON Status Monitor 3 Environment Check 2.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\EPSON Status Monitor 3 Environment Check 2.lnk

backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]

--a------ 2007-12-01 11:41 4376328 C:\Arquivos de programas\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]

--------- 2001-09-20 11:43 254022 C:\Arquivos de programas\EPSON\Ink Monitor\Inkmonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2006-07-24 23:33 86016 C:\WINDOWS\system32\nvmctray.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\DAP\\DAP.exe"=

"C:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=

"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"C:\\Arquivos de programas\\Valve\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\hlds.exe"=

"C:\\Arquivos de programas\\Valve\\hltv.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\Tibia\\Tibia.exe"=

"C:\\Arquivos de programas\\Ares\\Ares.exe"=

"C:\\Arquivos de programas\\CABAL Online (BRAZIL)\\launcher\\update\\ESTdnheadless.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7171:TCP"= 7171:TCP:open tibia server

"5000:TCP"= 5000:TCP:AresChatServer

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-09 31232]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [ ]

S3 PciCon;PciCon;D:\PciCon.sys [ ]

S3 XDva068;XDva068;C:\WINDOWS\system32\XDva068.sys [ ]

S3 XDva074;XDva074;C:\WINDOWS\system32\XDva074.sys [ ]

S3 XDva081;XDva081;C:\WINDOWS\system32\XDva081.sys [ ]

S3 XDva120;XDva120;C:\WINDOWS\system32\XDva120.sys [ ]

S3 XDva195;XDva195;C:\WINDOWS\system32\XDva195.sys [ ]

*Newly Created Service* - PROCEXP90

.

- - - - ORFAOS REMOVIDOS - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKLM-Run-WCUK Agent - C:\WINDOWS\system32\28463\WCUK.exe

MSConfigStartUp-DU Meter - C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\is-47BOS.tmp\DUMeter.exe

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\lx7v5a6p.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com.br

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-05 14:33:59

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\C:\Arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

.

Tempo para conclusão: 2008-10-05 14:35:35

ComboFix-quarantined-files.txt 2008-10-05 17:35:32

Pre-Run: 9 pasta(s) 62.431.031.296 bytes disponíveis

Post-Run: 14 pasta(s) 62,449,909,760 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

155

Hijackthis

Logfile of HijackThis v1.99.1

Scan saved at 14:39:53, on 5/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\pctspk.exe

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\explorer.exe

C:\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Arquivos de programas\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Arquivos de programas\TechSmith\SnagIt 8\SnagItIEAddin.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dados de aplicativos\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8715BFDE-9089-459A-A743-799F3019D008}: NameServer = 200.148.206.22

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

thanks, regards.

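The HijackThis logs in this thread are read by hand, but the checks a helper applies to them can be expressed as code. The following is an added example, not code from the thread or from the HijackThis project: it parses a few constructed lines in the HijackThis v1.99 line formats seen above (the O4 lines for WCUK Agent and DU Meter are rebuilt from the ComboFix "orphans removed" section) and flags the things a reviewer looks at first: dangling "(no file)" entries, autostart entries given as a bare file name (resolved through the PATH search order rather than a fixed location), autostart entries in temporary directories or in numeric subfolders of system32, and custom DNS servers (O17), which should be confirmed against the ISP's servers.

```python
import re

# Constructed sample log in the HijackThis v1.99 line formats shown in the thread.
# The WCUK Agent and DU Meter O4 lines are rebuilt from the ComboFix orphan list.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WCUK Agent] C:\WINDOWS\system32\28463\WCUK.exe
O4 - HKLM\..\Run: [DU Meter] C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\is-47BOS.tmp\DUMeter.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8715BFDE-9089-459A-A743-799F3019D008}: NameServer = 200.148.206.22
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O4 lines: "O4 - <hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
NUMERIC_SYS32_RE = re.compile(r"\\system32\\\d+\\", re.IGNORECASE)


def executable_of(cmd):
    """Return the program path from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return (section, detail, reason) tuples for lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if "(no file)" in line:
            findings.append((section, line, "dangling entry: registered component has no file on disk"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe:
                findings.append((section, exe, "bare file name: resolved through the PATH search order"))
            elif TEMP_RE.search(exe):
                findings.append((section, exe, "autostart from a temporary directory"))
            elif NUMERIC_SYS32_RE.search(exe):
                findings.append((section, exe, "autostart from a numeric subfolder of system32"))
            continue
        if section == "O17":
            server = line.split("NameServer = ", 1)[-1]
            findings.append((section, server, "custom DNS server: confirm it belongs to your ISP"))
    return findings


if __name__ == "__main__":
    for sec, detail, reason in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {detail}")
```

A flag here is a prompt to look, not a verdict: pctspk.exe and SOUNDMAN.EXE in the logs above are legitimate driver components registered by bare name, which is exactly why an entry like that has to be checked against what is actually on disk before anything is removed.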

Run an Online Scan at Kaspersky Virusscanner

  • Click Clipboard01-1.jpg
  • When asked to install the ActiveX component, click Clipboard015.jpg
  • Wait for the installation and the update, then click Clipboard013.jpg
  • Now click Clipboard016.jpg
  • In the scan options (settings), make sure the entries below are selected:
    • Scan using the following Anti-Virus database:

      Extended (if available otherwise Standard)

    • Scan Options:

      Scan Archives
      Scan Mail Bases

  • Click Clipboard014.jpg
  • Click My Computer so that a full scan of your system is performed.
  • The scan will start and may take a while. Be patient and wait.
  • At the end of the scan, click the Save as Text button
  • Save the log with the results and post it in your next reply.
  • Also generate and paste a new HijackThis log.


Here are the logs.

New HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 06:10:45, on 6/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe

C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Arquivos de programas\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Arquivos de programas\TechSmith\SnagIt 8\SnagItIEAddin.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Arquivos de programas\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dados de aplicativos\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8715BFDE-9089-459A-A743-799F3019D008}: NameServer = 200.148.206.22

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Kaspersky Online Scan

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Monday, October 6, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Sunday, October 05, 2008 22:49:40

Records in database: 1293766

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

Scan statistics:

Files scanned: 57083

Threat name: 3

Infected objects: 4

Suspicious objects: 0

Duration of the scan: 02:47:43

File name / Threat name / Threats count

C:\QooBox\Quarantine\C\WINDOWS\system32\28463\AKV.exe.vir Infected: not-a-virus:Monitor.Win32.Ardamax.o 1

C:\QooBox\Quarantine\C\WINDOWS\system32\28463\WCUK.006.vir Infected: not-a-virus:Monitor.Win32.Ardamax.271 1

C:\QooBox\Quarantine\C\WINDOWS\system32\28463\WCUK.007.vir Infected: not-a-virus:Monitor.Win32.Ardamax.271 1

C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Agent.wbt 1

The selected area was scanned.

Regards.

I already posted the new logs, Renato, please look at them for me.

Thanks, regards.

I know you already posted; I received the e-mail notification on your first reply, there is no need to chase for an answer.

Congratulations, your log is clean.

From now on, stay ALERT!

To finish, do the following:

Go to Start > Run and type combofix /u. This will uninstall ComboFix from your machine.

Delete the folder:

C:\SDFix <-- this folder

I suggest you run CCleaner to clean up your machine. Download it here: CCleaner

  • Open the program and click Run Cleaner;
  • After that, click Errors >> Scan for errors >> Fix errors

I also suggest you read this article: Protect your PC

Any other problem with the computer?


How can it be clean if I have several keyloggers and viruses in the antivirus quarantine?

Even with them sitting there I am at risk.

I need to delete them.

Thanks

How can it be clean if I have several keyloggers and viruses in the antivirus quarantine?

Even with them sitting there I am at risk.

I need to delete them.

Thanks

File name / Threat name / Threats count

C:\QooBox\Quarantine\C\WINDOWS\system32\28463\AKV.exe.vir Infected: not-a-virus:Monitor.Win32.Ardamax.o 1

C:\QooBox\Quarantine\C\WINDOWS\system32\28463\WCUK.006.vir Infected: not-a-virus:Monitor.Win32.Ardamax.271 1

C:\QooBox\Quarantine\C\WINDOWS\system32\28463\WCUK.007.vir Infected: not-a-virus:Monitor.Win32.Ardamax.271 1

C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Agent.wbt 1

The files in the QooBox folder will be removed when you run the combofix /u command, and I have already asked you to delete the SDFix folder.

So what is the problem?

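The point made in the last reply, that every hit in the Kaspersky report sits inside a removal tool's quarantine folder (ComboFix's C:\QooBox\Quarantine and SDFix's C:\SDFix\backups) and therefore is not an active infection, is the kind of distinction a scan report does not draw for you. The following is an added example, not code from the thread or from any of the tools named in it: it parses the "File name / Threat name / Threats count" lines of a constructed report in the Kaspersky Online Scanner 7 layout shown above, marks each detection as quarantined or active by its path, and reports whether anything outside a quarantine folder remains. The final report line, with the threat name EXAMPLE.PLACEHOLDER and a path under a user's Temp folder, is invented to show the contrast; the quarantine folder list covers only the two tools seen in this thread.

```python
import re

# Constructed report in the Kaspersky Online Scanner 7 layout from the thread.
# The last detection line is invented (placeholder threat name) to show an active hit.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\system32\28463\AKV.exe.vir Infected: not-a-virus:Monitor.Win32.Ardamax.o 1
C:\QooBox\Quarantine\C\WINDOWS\system32\28463\WCUK.006.vir Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
C:\QooBox\Quarantine\C\WINDOWS\system32\28463\WCUK.007.vir Infected: not-a-virus:Monitor.Win32.Ardamax.271 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Agent.wbt 1
C:\Documents and Settings\user\Local Settings\Temp\example.exe Infected: EXAMPLE.PLACEHOLDER 1
The selected area was scanned.
"""

# Folders where removal tools keep neutralised copies (ComboFix -> C:\QooBox, SDFix -> C:\SDFix).
# Compared case-insensitively, so they are stored in lower case.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\sdfix\\backups\\")

# "<path with spaces> Infected: <threat name> <count>"
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return one dict per detection line; header, footer and blank lines are skipped."""
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        detections.append({
            "path": path,
            "threat": m.group("threat"),
            "count": int(m.group("count")),
            "quarantined": path.lower().startswith(QUARANTINE_PREFIXES),
        })
    return detections


def summarize(detections):
    """Split detections into quarantined copies and hits that are still in place."""
    active = [d for d in detections if not d["quarantined"]]
    return {
        "quarantined": sum(1 for d in detections if d["quarantined"]),
        "active": len(active),
        "active_paths": [d["path"] for d in active],
        "threats": sorted({d["threat"] for d in detections}),
    }


def is_clean(detections):
    """True when every hit sits in a removal tool's quarantine folder.

    Such hits are dealt with by clearing the quarantine (combofix /u, deleting
    C:\\SDFix), not by another disinfection pass.
    """
    return summarize(detections)["active"] == 0


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    s = summarize(dets)
    print(f"{s['quarantined']} quarantined, {s['active']} active; clean={is_clean(dets)}")
    for p in s["active_paths"]:
        print("  still in place:", p)
```

Run on the report actually posted in this thread (the first four lines of the sample), the result is four quarantined hits and no active one, which is the "your log is clean" verdict given above; the added placeholder line shows what a report that still needs attention looks like.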




