Jump to content

Foto

https://bankline.itau.com.br/GRIPNET/bklcom.dll




Existem 10 respostas neste tópico

#1 LucilaTurrini    

LucilaTurrini
  • Participante
  • 15 mensagens

Publicado 03 August 2009 - 12:59 PM

Boa tarde,

Estou com um problema que não consigo resolver. Já passei o Malwarebytes Anti-Malware e nada acusou. Passei o anti-vírus AVIRA Free.. havia tres vírus que foram deletados.
o log do Hijack, no item 017 removo, fica tudo certo, porém perco a conexão. Quando reconecto o item 017 volta.

Acessei meu banco hoje cedo sem perceber o endereço. Fiz transferencias bancárias e só percebi depois. https://bankline.ita...PNET/bklcom.dll

LOG do Hijack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:23, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Lucelia\My Documents\setup\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.c...a...&tbid=60341
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lar.brasil.vc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.Microsoft....k/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\PROGRA~1\GbPlugin\gbiehabn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://lar.brasil.vc
O15 - Trusted Zone: www.lar.brasil.você
O15 - Trusted Zone: www.orkut.com
O15 - Trusted Zone: http://www.orkut.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsec...GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7750530-71D9-43A9-99A2-F26E95749382}: NameServer = 200.149.55.140 200.165.132.147
O20 - Winlogon Notify: GbPluginAbn - C:\PROGRA~1\GbPlugin\gbiehabn.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Gbp Service (GbpSv) - - C:\PROGRA~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

--
End of file - 5800 bytes

Tb já usei a linha defensiva Banker fix e diz que não tem nada de anormal.


Não sei como solucionar isso, por favor , quem puder me ajudar , ficarei imensamente grata.


 

#2 Sr. Perfect    

Sr. Perfect
  • Participante
  • 530 mensagens

Publicado 03 August 2009 - 01:10 PM

Faça o download do ComboFix de um destes locais:

Link 1.
Link 2.
Link 3.

Importante!
Você não deve usar Combofix a menos que você tenha sido instruído a fazê-lo por um análista de segurança.
Destina-se pelo seu criador para ser utilizado sob orientação e supervisão de um especialista, e não para uso privado.
Utilizando esta ferramenta incorreto poderia levar a desastrosa problemas com o seu sistema operacional
.

Certifique-se de que você salvou ComboFix.exe para o seu desktop.

• Desabilite o seu Antivírus e AntiSpyware , geralmente através de um clique direito sobre o ícone da bandeja do sistema. Eles podem interferir na execução da ferramenta.

• Dê um duplo clique no ComboFix.exe & siga as instruções.

• Como parte de seu processo, ComboFix irá verificar se o Microsoft Windows Recovery Console está instalado. Como as infecções de malware são hoje, é fortemente recomendado que esteja pré-instalado em sua máquina antes de fazer qualquer remoção de malware. Ela permitirá que você arrancar em especial uma recuperação / reparação modo a permitir-nos-á mais fácil ajudá-lo a seu computador deve ter um problema após uma tentativa de remoção de malware.

• Siga as instruções para permitir ComboFix para baixar e instalar o Microsoft Windows Recovery Console e, quando for solicitado, concordar com o End-User License Agreement para instalar o Microsoft Windows Recovery Console.

-- Atenção: Se a consola de recuperação do Microsoft Windows já estiver instalado, ComboFix irá continuar a sua remoção malware procedimentos.

http://img.photobuck...ed7/RcAuto1.gif

Uma vez que o Microsoft Windows Recovery Console é instalado usando o ComboFix, você deverá ver a seguinte mensagem:

Posted Image

Clique em Sim, para continuar a varredura de malware.

Quando terminar, ela deve produzir um log para você. Poste o relatorio do combofix que estar em C: \ ComboFix.txt junto com um log do hijackthis.
PedroNeto
Não respondo dúvidas via MP, por favor postar no fórum!

#3 LucilaTurrini    

LucilaTurrini
  • Participante
  • 15 mensagens

Publicado 03 August 2009 - 01:43 PM

ComboFix 09-08-02.04 - Lucelia 03/08/2009 13:28.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.314 [GMT -3:00]
Running from: c:\documents and settings\Lucelia\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\16ff48a.msp
c:\windows\Installer\19b7ff.msi
c:\windows\Installer\1b7e4b.msi
c:\windows\Installer\75e26.msi

.
((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-08-03 15:42 . 2009-08-03 15:43 -------- d-----w- C:\LinhaDefensiva
2009-07-25 02:18 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-25 02:18 . 2009-03-24 19:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-25 02:18 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-25 02:18 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-25 02:18 . 2009-07-25 02:18 -------- d-----w- c:\program files\Avira
2009-07-25 02:18 . 2009-07-25 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-19 19:22 . 2009-07-19 19:48 -------- d-----w- c:\program files\System Protect
2009-07-19 16:19 . 2009-07-19 19:44 -------- d-----w- c:\program files\Crawler
2009-07-13 14:39 . 2009-07-13 14:39 -------- d-----w- c:\documents and settings\Lucelia\Local Settings\Application Data\NitroPC
2009-07-13 14:39 . 2009-07-19 19:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-12 23:47 . 2009-07-12 23:47 23600 ----a-w- c:\windows\system32\drivers\TVICHW32.SYS
2009-07-12 23:47 . 2009-07-12 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-12 23:46 . 2009-07-12 23:53 -------- d-----w- c:\documents and settings\Lucelia\Local Settings\Application Data\eSupport.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 12:28 . 2009-03-06 11:04 -------- d-----w- c:\program files\Foxit Software
2009-07-29 11:54 . 2009-04-25 14:01 -------- d-----w- c:\program files\lx_cats
2009-07-19 19:51 . 2009-06-07 17:40 -------- d-----w- c:\program files\Google
2009-07-19 15:29 . 2009-01-23 22:33 -------- d-----w- c:\program files\ESET
2009-07-16 17:03 . 2009-01-23 22:12 19384 ----a-w- c:\documents and settings\Lucelia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 10:58 . 2009-01-31 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\GbPlugin
2009-07-14 23:35 . 2009-01-24 02:59 -------- d-----w- c:\program files\Paltalk Messenger
2009-07-14 21:37 . 2009-01-31 02:36 -------- d-----w- c:\program files\GbPlugin
2009-07-13 12:10 . 2009-01-31 18:05 -------- d-----w- c:\program files\Yahoo!
2009-07-10 18:31 . 2009-05-25 17:50 27240 ----a-w- c:\windows\system32\drivers\GbpKm.sys
2009-06-26 00:35 . 2009-02-24 15:49 -------- d-----w- c:\docume~1\Lucelia\APPLIC~1\Free Audio Editor
2009-06-25 19:08 . 2009-06-25 19:05 -------- d-----w- c:\program files\Conference
2009-06-17 20:42 . 2009-04-25 13:58 -------- d-----w- c:\program files\Lexmark 2400 Series
2009-06-15 16:58 . 2009-06-15 16:58 -------- d-----w- c:\docume~1\Lucelia\APPLIC~1\teamspeak2
2009-06-13 03:55 . 2009-01-31 23:47 -------- d-----w- c:\docume~1\Lucelia\APPLIC~1\LimeWire
2009-06-08 06:01 . 2009-06-08 06:01 -------- d-----w- c:\program files\MSXML 4.0
2009-07-31 14:58 . 2009-02-20 01:10 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[-] 2008-03-27 20:22 1614848 058D3710F7D1E27C4BCBDA448BECAABD c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-03-21 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3735552]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-03-21 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\Microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
2009-07-10 18:31 296872 ----a-w- c:\progra~1\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\Microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [25/5/2009 14:50 27240]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/7/2009 23:18 108289]
R2 GbpSv;Gbp Service;c:\progra~1\GbPlugin\GbpSv.exe [30/1/2009 23:36 53736]
R3 cwrwdm;SoundFusion™ WDM Driver;c:\windows\system32\drivers\cwrwdm.sys [29/1/2009 16:20 48640]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/1/2008 07:06 21632]
R3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [23/1/2009 22:09 91263]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lar.brasil.você/
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: //www.orkut.com/
Trusted Zone: brasil.você\lar
Trusted Zone: brasil.você\www.lar
Trusted Zone: orkut.com\www
Trusted Zone: orkut.com.br\www
TCP: {B7750530-71D9-43A9-99A2-F26E95749382} = 200.149.55.140 200.165.132.147
FF - ProfilePath - c:\docume~1\Lucelia\APPLIC~1\Mozilla\Firefox\Profiles\0oyoxv91.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2079528&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://lar.brasil.você
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\Lucelia\Application Data\Mozilla\Firefox\Profiles\0oyoxv91.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: c:\documents and settings\Lucelia\Application Data\Mozilla\Firefox\Profiles\0oyoxv91.default\extensions\seetooaddon@seetoo.com\plugins\npSeeTooAddon.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 13:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\progra~1\GbPlugin\gbiehabn.dll
.
Completion time: 2009-08-03 13:36
ComboFix-quarantined-files.txt 2009-08-03 16:36

Pre-Run: 26.330.218.496 bytes free
Post-Run: 6 pasta(s) 26.380.947.456 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

144 --- E O F --- 2009-06-08 06:20

LOG Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:42:06, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lucelia\My Documents\setup\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lar.brasil.vc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.Microsoft....k/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\PROGRA~1\GbPlugin\gbiehabn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://lar.brasil.vc
O15 - Trusted Zone: www.lar.brasil.você
O15 - Trusted Zone: www.orkut.com
O15 - Trusted Zone: http://www.orkut.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsec...GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7750530-71D9-43A9-99A2-F26E95749382}: NameServer = 200.149.55.140 200.165.132.147
O20 - Winlogon Notify: GbPluginAbn - C:\PROGRA~1\GbPlugin\gbiehabn.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Gbp Service (GbpSv) - - C:\PROGRA~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

--
End of file - 5567 bytes


Apos concluir o Combo novamente perdi a conexão, reconectei passei o Hijack

#4 LucilaTurrini    

LucilaTurrini
  • Participante
  • 15 mensagens

Publicado 03 August 2009 - 02:37 PM

Fiz novamente o teste. É só deletar manualmente ou o scan limpar que fico sem conexão e após reconectar o item volta.

Acesso o endereço do Itau, após agencia e senha..quando vai pra pagina do nome do cliente e senha, já entre a falsa
:cry:

#5 Sr. Perfect    

Sr. Perfect
  • Participante
  • 530 mensagens

Publicado 03 August 2009 - 02:57 PM

No Internet Explorer, acesse o menu Ferramentas, Opções da Internet. Na aba Conexões, clique sobre o botão Configurações da Lan. Veja na caixa que abrirá se há alguma URL terminada com .pac na opção “Usar script de configuração automática”. Caso haja, remova-o.

Posted Image

Caso você use o Firefox:

No Firefox, acesse o menu Ferramentas, Opções. Na aba Avançado, acesse a opção Rede e clique no botão “Configurar Conexão”. Na caixa que abrir, verifique no ítem “Endereço para configuração automática de proxy” se há alguma URL. Caso haja, remova-a.

Posted Image

Tutorial Linha Defensiva

Logo depois execute o BankerFix

Faça o download do bankerfix clicando no link abaixo:
http://www.linhadefe...rg/dl/bankerfix

- Salve a ferramenta no seu disco rígido.
- Dê um duplo-clique no bankerfix.exe.
- Uma janela pedirá a confirmação para a instalação da ferramenta. Clique em Sim.
- Feche todas as janelas e programas, com exceção do BankerFix
- Agora é so aguarda a execução do bankerfix.
- O relatório da ferramenta, informando sobre todos os arquivos detectados e removidos, fica no arquivo relatorio.txt, presente na pasta C:\LinhaDefensiva poste-o na sua proxima resposta junto com o log do hijackthis.

Editado por Sr. Perfect 03 August 2009 - 02:58 PM

PedroNeto
Não respondo dúvidas via MP, por favor postar no fórum!

#6 LucilaTurrini    

LucilaTurrini
  • Participante
  • 15 mensagens

Publicado 03 August 2009 - 03:58 PM

Não existe nenhuma URL nem no IE e nem no Fox.

Relatório só tinha isso na pasta indicada

-------------------------------------------------------
BankerFix 3.1 VALKYRIE - Removedor de Bankers
Linha Defensiva | http://www.linhadefensiva.org
http://www.linhadefe....org/bankerfix/
-------------------------------------------------------
Data: 2009-08-03 - 15:53
-------------------------------------------------------
Lista de Definição: 2009-07-24-2 | CORE: 2009-07-24-1
=======================================================



----- Fim -------------------------

LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59:41, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lucelia\My Documents\setup\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lar.brasil.vc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.Microsoft....k/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\PROGRA~1\GbPlugin\gbiehabn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://lar.brasil.vc
O15 - Trusted Zone: www.lar.brasil.você
O15 - Trusted Zone: www.orkut.com
O15 - Trusted Zone: http://www.orkut.com.br
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsec...GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7750530-71D9-43A9-99A2-F26E95749382}: NameServer = 200.149.55.140 200.165.132.147
O20 - Winlogon Notify: GbPluginAbn - C:\PROGRA~1\GbPlugin\gbiehabn.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Gbp Service (GbpSv) - - C:\PROGRA~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

--
End of file - 5567 bytes

Editado por LucilaTurrini 03 August 2009 - 04:00 PM


#7 Sr. Perfect    

Sr. Perfect
  • Participante
  • 530 mensagens

Publicado 04 August 2009 - 01:17 PM

Acesse este site: http://www.kaspersky.com/virusscanner

Clique em Posted Image

Siga as instruções de configuração do verificador conforme imagem abaixo.

http://img113.images...9393/kosjn0.gif

poste o log do scan aqui mesmo no tópico
PedroNeto
Não respondo dúvidas via MP, por favor postar no fórum!

#8 LucilaTurrini    

LucilaTurrini
  • Participante
  • 15 mensagens

Publicado 04 August 2009 - 07:42 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, August 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, August 04, 2009 20:07:29
Records in database: 2580417
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 46688
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:53:47


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

The selected area was scanned.

#9 Sr. Perfect    

Sr. Perfect
  • Participante
  • 530 mensagens

Publicado 04 August 2009 - 10:16 PM

1) Etapa

• Acesse o site do vírus total
http://www.virustotal.com/pt/

      ◘ Clique em arquivo e envie o arquivo abaixo para uma análise:

C:\Program Files\mIRC\mirc.exe.

      ◘ Logo depois clique em Enviar arquivo.

Poste o resultado aqui mesmo neste tópico.

2) Etapa.

Passei o anti-vírus AVIRA Free.. havia tres vírus que foram deletados.


Poderia dizer quais arquivos foram esses?

Perceba que o log do scan so mostra uma infecção, os problemas relatados no ínicio do tópico ainda continua?

Abraços.

Editado por Sr. Perfect 04 August 2009 - 10:18 PM

PedroNeto
Não respondo dúvidas via MP, por favor postar no fórum!

#10 LucilaTurrini    

LucilaTurrini
  • Participante
  • 15 mensagens

Publicado 06 August 2009 - 07:23 AM

Esse programa Mirc acabei deletando do meu micro, porque não era usado há muito tempo.

Voltei a usar o NOD32 que não achou nenhuma anormalidade no micro.

O AVIRA havia baixado há pouco tempo. Não sei os vírus que formam deletados.

O Problema ainda permanece. Quando acesso o banco Itaú após colocar Agencia e C/C automaticamente vai pra página falsa https://bankline.itau.com.br/GRIPNET/bklcom.dll

Será que a única solucão seria formatar a máquina? Ou você acha que tem mais alguma coisa que pode ser feito.
Quando deleto o item 017 com dois endereços de IP que me parece ser a Velox rio. Onde pela analise do HiJack existe um problema, perco a conexão. Quando reconecto o item 17 volta.

Desde já gostaria de agradecer toda sua ajuda.