Virus removal

Mr.Wolf, none of them showed up; but port 11781, which is the one I use in BitComet, did show up:

TCP 0.0.0.0:11781 0.0.0.0:0 LISTENING
 
luisednardo, go to Start > Run, type combofix /u and press Enter. Remove the Qoobox and ComboFix folders and the ComboFix.txt file in C:.

Run HijackThis and click the Open the Misc Tools Section button. Click Open ADS Spy. Uncheck the two options below:

Quick scan (Windows base folder only) and Ignore safe system info streams.

Check only the Calculate MD5 checksum of streams option and click the Scan button. Wait for it to finish, luisednardo.

When the scan finishes, if anything is found, select all items and click the Remove selected button.

Click Save log and save the log as adsspy.txt in the My Documents folder.

Post that log in your next reply, luisednardo.

One question, luisednardo: is the monitor screen flickering by any chance, whether out of nowhere, when opening some application, when Windows starts, etc.?

Mr Wolf,
I did everything you asked; HijackThis found several entries, I selected and removed them all, but nothing happened when I clicked Save log. What should I do? In any case, here is a new HijackThis log.
Answering your question: no, the screen is not flickering.
Logfile of HijackThis v1.99.1
Scan saved at 18:27:13, on 18/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Arquivos de programas\internet explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Arquivos de programas\myBabylon_English\tbmyBa.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Arquivos de programas\myBabylon_English\tbmyBa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Arquivos de programas\myBabylon_English\tbmyBa.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Arquivos de programas\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
 
OK, 110. Great, the commands I listed in red really could not show up. If they had, you would be infected with Back Orifice or NetBus, which are trojans that attack through ports closed in the firewall. Their job is to attack your firewall, leaving it with the ports closed, so that the cracker can see your computer on the network. Afterwards those trojans send the cracker the information he needs to break into your machine at his leisure.

But if the commands I mentioned did not show up, great, 110. Well, as I said, I believe the open port on your modem has nothing to do with it; of course, we have to consider that possibility too, but I find it unlikely. I think it is just the firewall.
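The check 110 ran (looking through netstat output for listening ports) can be turned into a small triage script. This is an added example, not code from the thread or from Mr.Wolf: it parses `netstat -an` (or `netstat -ano`) output, keeps only listening sockets, and labels each one against an allowlist of ports the owner can account for (here 11781 for BitComet, as 110 says, plus two standard Windows services) and against the well-known default ports of the two trojans Mr.Wolf names (NetBus 12345/12346 TCP, Back Orifice 31337 UDP; these are the public defaults, not values from this page). The netstat sample is constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -an` output. The 11781 line mirrors what the
# poster pasted (their BitComet port); every other line is made up here.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:11781          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1054      64.233.169.99:80       ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

# Ports the owner can account for. The BitComet port comes from the poster;
# 135/445 are standard Windows services.
EXPECTED_PORTS: Dict[Tuple[str, int], str] = {
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 445): "SMB",
    ("TCP", 11781): "BitComet (user-configured)",
}

# Well-known default ports of the two remote-access trojans Mr.Wolf names.
# Defaults only: a real sample can be configured to listen anywhere, so an
# empty hit list here proves nothing on its own.
KNOWN_TROJAN_PORTS: Dict[Tuple[str, int], str] = {
    ("TCP", 12345): "NetBus default",
    ("TCP", 12346): "NetBus default",
    ("UDP", 31337): "Back Orifice default",
}


def parse_listeners(text: str) -> List[Dict]:
    """Return listening sockets from `netstat -an` (or `-ano`) output.

    A TCP socket is a listener when its state is LISTENING. Windows prints no
    state for UDP, so every bound UDP socket is treated as a listener. With
    -ano the trailing PID column is picked up when present.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        proto, local, rest = parts[0], parts[1], parts[3:]
        state = rest[0] if rest and not rest[0].isdigit() else None
        pid: Optional[int] = int(rest[-1]) if rest and rest[-1].isdigit() else None
        if proto == "TCP" and state != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        listeners.append({"proto": proto, "addr": addr, "port": int(port), "pid": pid})
    return listeners


def classify(listeners: List[Dict],
             expected: Dict[Tuple[str, int], str]) -> List[Tuple[str, int, str]]:
    """Label each listener as expected, a known trojan default, or unknown."""
    report = []
    for sock in listeners:
        key = (sock["proto"], sock["port"])
        if key in expected:
            verdict = "expected: " + expected[key]
        elif key in KNOWN_TROJAN_PORTS:
            verdict = "INVESTIGATE: " + KNOWN_TROJAN_PORTS[key]
        else:
            verdict = "unknown: identify the owning process (netstat -ano / Task Manager)"
        report.append((sock["proto"], sock["port"], verdict))
    return report


if __name__ == "__main__":
    for proto, port, verdict in classify(parse_listeners(SAMPLE_NETSTAT), EXPECTED_PORTS):
        print(f"{proto:<4} {port:<6} {verdict}")
```

Run `netstat -ano` rather than `-an` when you can: the PID column lets you match each unknown listener to a process before deciding whether it belongs, which is the step a port list alone cannot do.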
 
All right, luisednardo. It is worrying that several entries showed up, but if you removed them, OK.

Well, I asked whether the monitor was flickering because ADS infections, which are what you just removed, cause that to happen. Could have been worse!

The log is clean now, luisednardo. :thumbs_up
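Mr.Wolf's read of the log above (several entries showed up, the log is clean now) is the kind of review that can be partly automated. As an added example, not code from this thread or from the HijackThis project, the script below parses HijackThis entry lines and flags three things a reviewer looks for: registrations whose file is gone ("(no file)" / "(file missing)", as in luisednardo's O2 and O20 lines), rundll32 Run entries whose DLL is called through a one-letter export, and DLLs with the pronounceable eight-letter random names that appear in the last poster's log (a pattern associated with the Vundo/Virtumonde family that poster mentions). The sample entries are copied from logs in this thread plus three benign ones for contrast; the heuristics are mine and raise questions, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Entries copied from the HijackThis logs posted in this thread (the orphan BHO
# and Winlogon Notify entries from luisednardo's log, the rundll32 entries from
# the last poster's log) plus three benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7480a470-c769-4d29-b238-be482283a486} - C:\WINDOWS\system32\mukewaha.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [wepebisara] Rundll32.exe "C:\WINDOWS\system32\punawuwu.dll",s
O4 - HKLM\..\Run: [4c681aba] rundll32.exe "C:\WINDOWS\system32\dobojobe.dll",b
O4 - HKLM\..\Run: [CPM4f5b2926] Rundll32.exe "c:\windows\system32\vowayore.dll",a
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?,(\S*)', re.IGNORECASE)
DLL_RE = re.compile(r"([A-Za-z0-9_]+)\.dll\b", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Weak heuristic for the pronounceable random DLL names of that era's
    Vundo/Virtumonde droppers: exactly 8 letters, strictly alternating
    consonant/vowel (punawuwu, dobojobe). Legitimate DLLs can match too, so
    this only raises a question, never a verdict."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    kinds = [c.lower() in VOWELS for c in stem]
    return all(kinds[i] != kinds[i + 1] for i in range(len(kinds) - 1))


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def triage(log: str) -> List[Finding]:
    """Return the log entries that deserve a second look, with the reasons."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.groups()
        reasons = []
        # A registration pointing at a file that no longer exists cannot run,
        # but it is residue of something removed and should be cleaned up.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            reasons.append("orphan entry, file gone: remove the stale registration")
        # rundll32 calling a DLL through a one-letter export. Vendors name
        # their entry points (compare NvStartup); the loaders in this thread do not.
        rd = RUNDLL_RE.search(body)
        if rd and len(rd.group(2)) <= 1:
            reasons.append("rundll32 with a one-letter entry point")
        for stem in DLL_RE.findall(body):
            if looks_generated(stem):
                reasons.append(f"{stem}.dll has a machine-generated-looking name")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Feed it a whole saved log (`triage(open("hijackthis.log").read())`); the process list and header lines are skipped because they do not match the entry pattern. The flagged lines are the starting point for the manual check Mr.Wolf does by eye, not a replacement for it: an unflagged entry such as a legitimately named DLL in an unusual path still needs a human look.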
 
THANK YOU very much, Mr.Wolf. I am just waiting for the ZoneAlarm key to install it; then I will post the new log. Once again, thank you very much.
 
Hey, friend Mr Wolf. Here I am again after a long time, this time to look at my wife's machine: today around 21:00 she complained that in every text editor and instant messaging program it keeps typing ++++++++++++++++ by itself. She thinks someone broke into her PC! I told her to shut the computer down and unplug and replug the keyboard cable; after powering the PC back on it carried on the same! So I have come to my noble friend for help with this "thing from beyond" :D

the HijackThis log is this one
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.
.
.
+++++++++++++++++++++++++++++++++++++++++++++++++++++.
+.
.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31:55, on 18/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe
C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\UltraVNC\winvnc.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\RocketDock\RocketDock.exe
C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe
C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Documents and Settings\XPUser\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe
C:\Arquivos de programas\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\NiwradSoft Shell Pack\Software\ViOrb\ViOrbv2.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Arquivos de programas\UltraVNC\winvnc.exe
C:\Arquivos de programas\Hamachi\hamachi.exe
C:\Arquivos de programas\Orbitdownloader\orbitnet.exe
C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\Arquivos de programas\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = [Windows XPHoeNiX]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [tsnpstd] C:\WINDOWS\tsnpstd.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Arquivos de programas\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Arquivos de programas\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\XPUser\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Arquivos de programas\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [ViOrb] "C:\WINDOWS\NiwradSoft Shell Pack\Software\ViOrb\ViOrbv2.exe"
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Orbit.lnk = C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
O4 - Global Startup: UltraVNC Server.lnk = C:\Arquivos de programas\UltraVNC\winvnc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\Microsoft Office\Office12\REFIEBAR.DLL
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\Skype4COM.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe
O23 - Service: uvnc_service - UltraVNC - C:\Arquivos de programas\UltraVNC\winvnc.exe

--
End of file - 14160 bytes
I took the liberty of updating Malwarebytes and ran the scan;
it found two threats, so I clicked Remove.

Log follows

Malwarebytes' Anti-Malware 1.30
Versão do banco de dados: 1410
Windows 5.1.2600 Service Pack 2

18/11/2008 22:45:40
mbam-log-2008-11-18 (22-45-40).txt

Tipo de Verificação: Rápida
Objetos verificados: 0
Tempo decorrido: 3 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 0
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 0

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
(Nenhum ítem malicioso foi detectado)

Thanks for the help, friend! Awaiting your reply! :d
 
Just to thank you once more for the HUGE help! Mr WOlf, you are my idol!!!
hehehehe
Thanks a lot, really. Whenever an infected machine shows up here, it's Mr WOlf for sure!
Big hug!
 
Hello mr.wolf, I am American. I translated this text with Google Translate, Mr.wolf; sorry if the Portuguese is incorrect.

I found this forum on Google and I need help with viruses, a Brazilian banker virus and Virtumonde; maybe you could help me, mr.wolf.

I have Spybot (updated every time) and AdAware (updated), along with trying the Trend Micro online scanner, and keep getting a BSOD somewhere during the search...

This computer has never had a BSOD, and I think it may be related (though I have never experienced this before).

AdAware and Spybot keep finding the same things, and after a reboot they come back; I keep getting random intermittent pop-ups ("You have won a free laptop") or random beeps, like a download just finished.

I am updating to Service Pack 3 now...

Here is my log file

Many thanks :cool:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at, on 18/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dicktravisconstruction.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7480a470-c769-4d29-b238-be482283a486} - C:\WINDOWS\system32\mukewaha.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [wepebisara] Rundll32.exe "C:\WINDOWS\system32\punawuwu.dll",s
O4 - HKLM\..\Run: [4c681aba] rundll32.exe "C:\WINDOWS\system32\dobojobe.dll",b
O4 - HKLM\..\Run: [CPM4f5b2926] Rundll32.exe "c:\windows\system32\vowayore.dll",a
O4 - HKLM\..\RunOnce: [SpybotDeletingC6188] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [wepebisara] Rundll32.exe "C:\WINDOWS\system32\punawuwu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [wepebisara] Rundll32.exe "C:\WINDOWS\system32\punawuwu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{4894CB66-7563-4F9A-B3A2-C326E7C40B88}: NameServer = 69.78.96.14 66.174.92.14
O20 - AppInit_DLLs: C:\WINDOWS\system32\vupewoka.dll c:\windows\system32\vowayore.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowayore.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowayore.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6835 bytes
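The log above is what the helper reads by eye: Run entries launched through rundll32, an AppInit_DLLs value, and one DLL (vowayore.dll) wired into four different load points. As an added example, not part of the thread and not HijackThis code, the script below applies those same heuristics mechanically to lines in HijackThis format. The sample lines are constructed in that format and mirror the kinds of entries in this log; the heuristic names and thresholds are my own assumptions, not a published detection rule.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 format; entries mirror the kinds seen in the thread's log.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7480a470-c769-4d29-b238-be482283a486} - C:\WINDOWS\system32\mukewaha.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [wepebisara] Rundll32.exe "C:\WINDOWS\system32\punawuwu.dll",s
O4 - HKLM\..\Run: [CPM4f5b2926] Rundll32.exe "c:\windows\system32\vowayore.dll",a
O4 - HKUS\S-1-5-19\..\Run: [wepebisara] Rundll32.exe "C:\WINDOWS\system32\punawuwu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\vupewoka.dll c:\windows\system32\vowayore.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowayore.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowayore.dll
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

ENTRY_RE = re.compile(r'^(O\d+|R\d)\s+-\s+(.*)$')
# A Windows path ending in .dll/.exe; single spaces are allowed inside ("Program Files").
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^"\s]|\s(?=\S))*?\.(?:dll|exe)\b', re.I)
# Eight pseudo-random letters is the naming pattern of the DLLs in this thread (assumption).
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$', re.I)
# Load points that legitimate software rarely uses but that this family abuses.
LOADER_SECTIONS = {
    'O20': 'AppInit_DLLs (injected into every process that loads user32.dll)',
    'O21': 'ShellServiceObjectDelayLoad (loaded by Explorer at logon)',
    'O22': 'SharedTaskScheduler (loaded by Explorer at logon)',
}

def basename(path):
    return path.rsplit('\\', 1)[-1].lower()

def triage(log_text):
    """Map basename -> {'paths', 'sections', 'reasons'} for every file that trips a heuristic."""
    findings = defaultdict(lambda: {'paths': set(), 'sections': set(), 'reasons': set()})
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        service_account = section == 'O4' and re.search(r'S-1-5-(19|20)\\', body) is not None
        for path in PATH_RE.findall(body):
            name = basename(path)
            reasons = set()
            if '\\system32\\' in path.lower() and RANDOM_DLL_RE.match(name):
                reasons.add('eight-letter pseudo-random DLL name in system32')
            if section in LOADER_SECTIONS:
                reasons.add('loaded via ' + LOADER_SECTIONS[section])
            if section == 'O4' and 'rundll32' in body.lower() and name.endswith('.dll'):
                reasons.add('Run entry starts the DLL through rundll32')
            if service_account:
                reasons.add('Run entry under a service account (LOCAL/NETWORK SERVICE)')
            if section == 'O2' and 'file missing' in body.lower():
                reasons.add('BHO registration left behind with its file missing')
            if reasons:
                f = findings[name]
                f['paths'].add(path)
                f['sections'].add(section)
                f['reasons'] |= reasons
    # The same file hooked into two or more different load points is the strongest single signal.
    for f in findings.values():
        if len(f['sections']) >= 2:
            f['reasons'].add('hooked into %d distinct load points (%s)'
                             % (len(f['sections']), ', '.join(sorted(f['sections']))))
    return dict(findings)

def flagged_names(log_text):
    """Sorted basenames of everything triage() flagged."""
    return sorted(triage(log_text))

if __name__ == '__main__':
    for name, f in sorted(triage(SAMPLE_LOG).items()):
        print(name, sorted(f['sections']))
        for reason in sorted(f['reasons']):
            print('   -', reason)
```

Run against the sample it flags mukewaha.dll, punawuwu.dll, vowayore.dll and vupewoka.dll and leaves SDHelper.dll, Apoint.exe and LogMeIn.exe alone; the per-file reasons are what a helper would write back to the poster. The name heuristic is deliberately narrow (exactly eight letters, in system32) so it stays quiet on ordinary system DLLs; the multi-load-point rule does not depend on the name at all.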
 
I took the liberty of updating MalwareBytes and running the scan;
it found two threats, so I clicked Remove.

The log follows:

Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 2

18/11/2008 22:45:40
mbam-log-2008-11-18 (22-45-40).txt

Scan type: Quick
Objects scanned: 0
Time elapsed: 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks for the help, friend! Awaiting your reply! :D
Friend dilsinhope, Malwarebytes found two items?

Nothing shows up in the log. Which items did Malwarebytes identify, friend? Please post them here.
 
Hello mr.wolf, I'm American. I translated this text with Google Translate, Mr.wolf; sorry if the Portuguese is incorrect.

I found this forum on Google and I need help with viruses and other viruses, a Brazilian banker and Virtumonde; maybe you could help me, mr.wolf.

I have Spybot (updated every time) and AdAware (updated), along with trying the Trend Micro online scanner, and keep getting a BSOD somewhere during the search...

This computer has never had a BSOD and I think it may be related (although I have never experienced this before).

Hello friend nickUS, welcome to Brasil. :)

Let's see what we can find. Before running a new scan let's clean out the temporary folders.

Download ATF-Cleaner to your desktop;

- Double-click ATF-Cleaner.exe to run the program;
- Click Select All found at the bottom of the list.
- Click the Empty Selected button > OK.

If you use Firefox browser, do this also:

- Click Firefox at the top and choose Select All from the list;
- Click the Empty Selected button.
- NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

- Click Opera at the top and choose Select All from the list.
- Close ALL Internet browsers (very important).
- Click the Empty Selected button.
- NOTE : If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program.

Now download OTScanIt2 to your desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

- Close ALL OTHER PROGRAMS.
- Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
- Do not change any settings.
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
- Close Notepad (saving the change if necessary).

I will review it when it comes in.

Cheers. :thumbs_up
 
Friend nickUS, let's see what we can do. Follow the steps below in order:

Step #1

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Safe List]
YY -> 46f8ygn6.exe -> %SystemRoot%\system32\46f8yGN6.exe
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7480a470-c769-4d29-b238-be482283a486} [HKLM] -> %SystemRoot%\system32\mukewaha.dll [Reg Error: Value does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPM4f5b2926" -> %SystemRoot%\system32\halegibu.dll [Rundll32.exe "c:\windows\system32\halegibu.dll",a]
YY -> "wepebisara" -> %SystemRoot%\system32\punawuwu.dll [Rundll32.exe "C:\WINDOWS\system32\punawuwu.dll",s]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\vupewoka.dll -> %SystemRoot%\system32\vupewoka.dll
YY -> c:\windows\system32\halegibu.dll -> %SystemRoot%\system32\halegibu.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\halegibu.dll [SSODL]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\halegibu.dll [STS]
[Files/Folders - Created Within 30 Days]
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 46f8yGN6.exe -> %SystemRoot%\System32\46f8yGN6.exe
NY -> 46f8yGN6.exe.a_a -> %SystemRoot%\System32\46f8yGN6.exe.a_a
NY -> arirahom.ini -> %SystemRoot%\System32\arirahom.ini
NY -> iketenad.ini -> %SystemRoot%\System32\iketenad.ini
NY -> uruholis.ini -> %SystemRoot%\System32\uruholis.ini
NY -> adorozig.ini -> %SystemRoot%\System32\adorozig.ini
NY -> ofalulif.ini -> %SystemRoot%\System32\ofalulif.ini
NY -> At48.job -> %SystemRoot%\tasks\At48.job
NY -> At47.job -> %SystemRoot%\tasks\At47.job
NY -> At46.job -> %SystemRoot%\tasks\At46.job
NY -> At45.job -> %SystemRoot%\tasks\At45.job
NY -> At44.job -> %SystemRoot%\tasks\At44.job
NY -> At43.job -> %SystemRoot%\tasks\At43.job
NY -> At42.job -> %SystemRoot%\tasks\At42.job
NY -> At41.job -> %SystemRoot%\tasks\At41.job
NY -> At40.job -> %SystemRoot%\tasks\At40.job
NY -> At39.job -> %SystemRoot%\tasks\At39.job
NY -> At38.job -> %SystemRoot%\tasks\At38.job
NY -> At37.job -> %SystemRoot%\tasks\At37.job
NY -> At36.job -> %SystemRoot%\tasks\At36.job
NY -> At35.job -> %SystemRoot%\tasks\At35.job
NY -> At34.job -> %SystemRoot%\tasks\At34.job
NY -> At33.job -> %SystemRoot%\tasks\At33.job
NY -> At32.job -> %SystemRoot%\tasks\At32.job
NY -> At31.job -> %SystemRoot%\tasks\At31.job
NY -> At30.job -> %SystemRoot%\tasks\At30.job
NY -> At29.job -> %SystemRoot%\tasks\At29.job
NY -> At28.job -> %SystemRoot%\tasks\At28.job
NY -> At27.job -> %SystemRoot%\tasks\At27.job
NY -> At26.job -> %SystemRoot%\tasks\At26.job
NY -> At25.job -> %SystemRoot%\tasks\At25.job
NY -> ilitiraw.ini -> %SystemRoot%\System32\ilitiraw.ini
NY -> At9.job -> %SystemRoot%\tasks\At9.job
NY -> At8.job -> %SystemRoot%\tasks\At8.job
NY -> At7.job -> %SystemRoot%\tasks\At7.job
NY -> At6.job -> %SystemRoot%\tasks\At6.job
NY -> At5.job -> %SystemRoot%\tasks\At5.job
NY -> At4.job -> %SystemRoot%\tasks\At4.job
NY -> At3.job -> %SystemRoot%\tasks\At3.job
NY -> At24.job -> %SystemRoot%\tasks\At24.job
NY -> At23.job -> %SystemRoot%\tasks\At23.job
NY -> At22.job -> %SystemRoot%\tasks\At22.job
NY -> At21.job -> %SystemRoot%\tasks\At21.job
NY -> At20.job -> %SystemRoot%\tasks\At20.job
NY -> At2.job -> %SystemRoot%\tasks\At2.job
NY -> At19.job -> %SystemRoot%\tasks\At19.job
NY -> At18.job -> %SystemRoot%\tasks\At18.job
NY -> At17.job -> %SystemRoot%\tasks\At17.job
NY -> At16.job -> %SystemRoot%\tasks\At16.job
NY -> At15.job -> %SystemRoot%\tasks\At15.job
NY -> At14.job -> %SystemRoot%\tasks\At14.job
NY -> At13.job -> %SystemRoot%\tasks\At13.job
NY -> At12.job -> %SystemRoot%\tasks\At12.job
NY -> At11.job -> %SystemRoot%\tasks\At11.job
NY -> At10.job -> %SystemRoot%\tasks\At10.job
NY -> 6O2ql5w2.exe.a_a -> %SystemRoot%\System32\6O2ql5w2.exe.a_a
NY -> 6O2ql5w2.exe -> %SystemRoot%\System32\6O2ql5w2.exe
NY -> At1.job -> %SystemRoot%\tasks\At1.job
NY -> ~$rd Atwood Addition.doc -> %UserProfile%\My Documents\~$rd Atwood Addition.doc
NY -> ~$ford.doc -> %UserProfile%\My Documents\~$ford.doc
[Files/Folders - Modified Within 30 Days]
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> tikezohu -> %SystemRoot%\System32\tikezohu
NY -> 46f8yGN6.exe.a_a -> %SystemRoot%\System32\46f8yGN6.exe.a_a
NY -> 46f8yGN6.exe -> %SystemRoot%\System32\46f8yGN6.exe
NY -> At9.job -> %SystemRoot%\tasks\At9.job
NY -> At33.job -> %SystemRoot%\tasks\At33.job
NY -> At24.job -> %SystemRoot%\tasks\At24.job
NY -> At48.job -> %SystemRoot%\tasks\At48.job
NY -> At23.job -> %SystemRoot%\tasks\At23.job
NY -> At47.job -> %SystemRoot%\tasks\At47.job
NY -> arirahom.ini -> %SystemRoot%\System32\arirahom.ini
NY -> halegibu.dll -> %SystemRoot%\System32\halegibu.dll
NY -> moharira.dll -> %SystemRoot%\System32\moharira.dll
NY -> At22.job -> %SystemRoot%\tasks\At22.job
NY -> At46.job -> %SystemRoot%\tasks\At46.job
NY -> At21.job -> %SystemRoot%\tasks\At21.job
NY -> At45.job -> %SystemRoot%\tasks\At45.job
NY -> At20.job -> %SystemRoot%\tasks\At20.job
NY -> At44.job -> %SystemRoot%\tasks\At44.job
NY -> At19.job -> %SystemRoot%\tasks\At19.job
NY -> At43.job -> %SystemRoot%\tasks\At43.job
NY -> At18.job -> %SystemRoot%\tasks\At18.job
NY -> At42.job -> %SystemRoot%\tasks\At42.job
NY -> At15.job -> %SystemRoot%\tasks\At15.job
NY -> At39.job -> %SystemRoot%\tasks\At39.job
NY -> At14.job -> %SystemRoot%\tasks\At14.job
NY -> At38.job -> %SystemRoot%\tasks\At38.job
NY -> At13.job -> %SystemRoot%\tasks\At13.job
NY -> At37.job -> %SystemRoot%\tasks\At37.job
NY -> At12.job -> %SystemRoot%\tasks\At12.job
NY -> At36.job -> %SystemRoot%\tasks\At36.job
NY -> At11.job -> %SystemRoot%\tasks\At11.job
NY -> At35.job -> %SystemRoot%\tasks\At35.job
NY -> iketenad.ini -> %SystemRoot%\System32\iketenad.ini
NY -> gitalobo.dll -> %SystemRoot%\System32\gitalobo.dll
NY -> daneteki.dll -> %SystemRoot%\System32\daneteki.dll
NY -> At10.job -> %SystemRoot%\tasks\At10.job
NY -> At34.job -> %SystemRoot%\tasks\At34.job
NY -> At4.job -> %SystemRoot%\tasks\At4.job
NY -> At28.job -> %SystemRoot%\tasks\At28.job
NY -> At3.job -> %SystemRoot%\tasks\At3.job
NY -> At27.job -> %SystemRoot%\tasks\At27.job
NY -> At2.job -> %SystemRoot%\tasks\At2.job
NY -> At26.job -> %SystemRoot%\tasks\At26.job
NY -> At25.job -> %SystemRoot%\tasks\At25.job
NY -> At1.job -> %SystemRoot%\tasks\At1.job
NY -> uruholis.ini -> %SystemRoot%\System32\uruholis.ini
NY -> fareruta.dll -> %SystemRoot%\System32\fareruta.dll
NY -> silohuru.dll -> %SystemRoot%\System32\silohuru.dll
NY -> adorozig.ini -> %SystemRoot%\System32\adorozig.ini
NY -> gizoroda.dll -> %SystemRoot%\System32\gizoroda.dll
NY -> vowayore.dll -> %SystemRoot%\System32\vowayore.dll
NY -> At41.job -> %SystemRoot%\tasks\At41.job
NY -> At17.job -> %SystemRoot%\tasks\At17.job
NY -> At40.job -> %SystemRoot%\tasks\At40.job
NY -> At16.job -> %SystemRoot%\tasks\At16.job
NY -> ofalulif.ini -> %SystemRoot%\System32\ofalulif.ini
NY -> zujopuhe.dll -> %SystemRoot%\System32\zujopuhe.dll
NY -> filulafo.dll -> %SystemRoot%\System32\filulafo.dll
NY -> At32.job -> %SystemRoot%\tasks\At32.job
NY -> At31.job -> %SystemRoot%\tasks\At31.job
NY -> At30.job -> %SystemRoot%\tasks\At30.job
NY -> At29.job -> %SystemRoot%\tasks\At29.job
NY -> ilitiraw.ini -> %SystemRoot%\System32\ilitiraw.ini
NY -> waritili.dll -> %SystemRoot%\System32\waritili.dll
NY -> sawubiyi.dll_old -> %SystemRoot%\System32\sawubiyi.dll_old
NY -> At8.job -> %SystemRoot%\tasks\At8.job
NY -> At7.job -> %SystemRoot%\tasks\At7.job
NY -> At6.job -> %SystemRoot%\tasks\At6.job
NY -> At5.job -> %SystemRoot%\tasks\At5.job
NY -> 6O2ql5w2.exe.a_a -> %SystemRoot%\System32\6O2ql5w2.exe.a_a
NY -> 6O2ql5w2.exe -> %SystemRoot%\System32\6O2ql5w2.exe
NY -> ~$rd Atwood Addition.doc -> %UserProfile%\My Documents\~$rd Atwood Addition.doc
NY -> ~$ford.doc -> %UserProfile%\My Documents\~$ford.doc
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the OK button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #2

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

- Click on Online Services and then Online Scanner
- Accept the License Agreement.
- Once the ActiveX installs, click Full System Scan
- Once the download completes, the scan will begin automatically.
- The scan will take some time to finish, so please be patient.
- When the scan completes, click the Automatic cleaning (recommended) button.
- Click the Show Report button and Copy&Paste the entire report in your next reply.

Step #3

Run a new OTScanIt2 scan with the following options

Step #4

Copy/paste the following back here in your next reply:

- The latest OTScanIt2 fix log (look in the OTScanIt2 folder for a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
- The online virus scan report (whichever one you ran)

Attach the following back here in your next reply:

- The new OTScanIt2 scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.
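Mr.Wolf asks for the OTScanIt2 fix log to be posted back, and the interesting part of such a log is not the long run of "moved successfully" lines but the handful that say "Unable to ...", "scheduled to be moved on reboot" or, after the reboot section, "scheduled" again. As an added example, not part of the thread and not OTScanIt2's own code, the script below triages a log in that line format and lists what still needs follow-up. The sample is constructed in the tool's format (a few lines mirror entries from this thread); the outcome categories are my own naming.

```python
import re

# Constructed sample in the OTScanIt2 fix-log format, with the post-reboot section appended.
SAMPLE_FIX_LOG = r"""
Explorer killed successfully
[Processes - Safe List]
Unable to kill process 46f8ygn6.exe .
C:\WINDOWS\system32\46f8yGN6.exe moved successfully.
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wepebisara deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\punawuwu.dll
C:\WINDOWS\system32\punawuwu.dll NOT unregistered.
C:\WINDOWS\system32\punawuwu.dll moved successfully.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\halegibu.dll .
File C:\WINDOWS\system32\halegibu.dll not found.
[Files/Folders - Modified Within 30 Days]
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File C:\WINDOWS\tasks\At9.job not found!
[Empty Temp Folders]
File delete failed. C:\WINDOWS\temp\~DF70D2.tmp scheduled to be deleted on reboot.
Explorer started successfully
< End of fix log >

Files moved on Reboot...
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\~DF70D2.tmp moved successfully.
"""

# Outcome classes, matched in order; group(1) is the file, process or registry target.
RULES = [
    ('failed',  re.compile(r'^Unable to (?:kill process|delete registry (?:value|key)) (.+?) ?\.$')),
    ('pending', re.compile(r'^File (?:move|delete) failed\. (.+) scheduled to be (?:moved|deleted) on reboot\.$')),
    ('done',    re.compile(r'^(?:Registry (?:key|value) )?(.+?) (?:moved|deleted) successfully\.$')),
    ('gone',    re.compile(r'^File (.+) not found[.!]$')),
    ('noreg',   re.compile(r'^(.+) NOT unregistered\.$')),
]

def classify(line):
    """Return (kind, target) for a recognised action line, else (None, None)."""
    for kind, rx in RULES:
        m = rx.match(line)
        if m:
            return kind, m.group(1)
    return None, None

def summarize(fix_log):
    """Bucket every action line; correlate reboot-deferred items with the post-reboot section."""
    out = {'done': [], 'failed': [], 'not_found': [], 'not_unregistered': [],
           'resolved_on_reboot': [], 'still_locked': []}
    pending_before = set()
    phase = 'fix'
    for raw in fix_log.splitlines():
        line = raw.strip()
        if line.startswith('Files moved on Reboot'):
            phase = 'reboot'
            continue
        kind, target = classify(line)
        if kind == 'pending':
            # Scheduled once: normal. Scheduled again after the reboot: something still holds it.
            (pending_before.add if phase == 'fix' else out['still_locked'].append)(target)
        elif kind == 'done':
            if phase == 'reboot' and target in pending_before:
                out['resolved_on_reboot'].append(target)
            else:
                out['done'].append(target)
        elif kind == 'failed':
            out['failed'].append(target)
        elif kind == 'gone':
            out['not_found'].append(target)
        elif kind == 'noreg':
            out['not_unregistered'].append(target)   # expected for DLLs that are not COM servers
    # Deferred items the reboot section never mentions are unaccounted for, not cleaned.
    seen = set(out['resolved_on_reboot']) | set(out['still_locked'])
    out['unaccounted'] = sorted(pending_before - seen)
    return out

def needs_followup(fix_log):
    """Targets the helper should look at next: hard failures, still-locked files, unaccounted items."""
    s = summarize(fix_log)
    return sorted(s['failed'] + s['still_locked'] + s['unaccounted'])

if __name__ == '__main__':
    for key, items in summarize(SAMPLE_FIX_LOG).items():
        print('%-20s %d' % (key, len(items)))
    print('follow up:', *needs_followup(SAMPLE_FIX_LOG), sep='\n  ')
```

On the sample, needs_followup() returns the process that could not be killed, the AppInit_Dlls value that could not be deleted (a registry reference still pointing at a file that is already gone) and qmgr0.dat, which was still locked after the reboot. "NOT unregistered" lines are reported separately because they are not failures: DllUnregisterServer is only exported by COM servers, and these DLLs are not. A file that stays locked across the reboot is either held open by a service that starts early (the two qmgr*.dat files are the BITS job-queue store and are open whenever the BITS service runs) or protected by something still resident, and the two cases need different handling.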
 
Thank you very, very much, Mr.wolf.

Congratulations on the work done here :yes: :D

Here are the logs, Mr.wolf.

Thanks again :cool:

Explorer killed successfully
[Processes - Safe List]
Unable to kill process 46f8ygn6.exe .
C:\WINDOWS\system32\46f8yGN6.exe moved successfully.
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7480a470-c769-4d29-b238-be482283a486}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7480a470-c769-4d29-b238-be482283a486}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CPM4f5b2926 deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\halegibu.dll
C:\WINDOWS\system32\halegibu.dll NOT unregistered.
C:\WINDOWS\system32\halegibu.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wepebisara deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\punawuwu.dll
C:\WINDOWS\system32\punawuwu.dll NOT unregistered.
C:\WINDOWS\system32\punawuwu.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\vupewoka.dll deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vupewoka.dll
C:\WINDOWS\system32\vupewoka.dll NOT unregistered.
C:\WINDOWS\system32\vupewoka.dll moved successfully.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\halegibu.dll .
File C:\WINDOWS\system32\halegibu.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SSODL deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"\ not found.
File C:\WINDOWS\system32\halegibu.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\ deleted successfully.
File C:\WINDOWS\system32\halegibu.dll not found.
[Files/Folders - Created Within 30 Days]
File C:\WINDOWS\System32\46f8yGN6.exe not found!
C:\WINDOWS\System32\46f8yGN6.exe.a_a moved successfully.
C:\WINDOWS\System32\arirahom.ini moved successfully.
C:\WINDOWS\System32\iketenad.ini moved successfully.
C:\WINDOWS\System32\uruholis.ini moved successfully.
C:\WINDOWS\System32\adorozig.ini moved successfully.
C:\WINDOWS\System32\ofalulif.ini moved successfully.
C:\WINDOWS\tasks\At48.job moved successfully.
C:\WINDOWS\tasks\At47.job moved successfully.
C:\WINDOWS\tasks\At46.job moved successfully.
C:\WINDOWS\tasks\At45.job moved successfully.
C:\WINDOWS\tasks\At44.job moved successfully.
C:\WINDOWS\tasks\At43.job moved successfully.
C:\WINDOWS\tasks\At42.job moved successfully.
C:\WINDOWS\tasks\At41.job moved successfully.
C:\WINDOWS\tasks\At40.job moved successfully.
C:\WINDOWS\tasks\At39.job moved successfully.
C:\WINDOWS\tasks\At38.job moved successfully.
C:\WINDOWS\tasks\At37.job moved successfully.
C:\WINDOWS\tasks\At36.job moved successfully.
C:\WINDOWS\tasks\At35.job moved successfully.
C:\WINDOWS\tasks\At34.job moved successfully.
C:\WINDOWS\tasks\At33.job moved successfully.
C:\WINDOWS\tasks\At32.job moved successfully.
C:\WINDOWS\tasks\At31.job moved successfully.
C:\WINDOWS\tasks\At30.job moved successfully.
C:\WINDOWS\tasks\At29.job moved successfully.
C:\WINDOWS\tasks\At28.job moved successfully.
C:\WINDOWS\tasks\At27.job moved successfully.
C:\WINDOWS\tasks\At26.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\System32\ilitiraw.ini moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\System32\6O2ql5w2.exe.a_a moved successfully.
C:\WINDOWS\System32\6O2ql5w2.exe moved successfully.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\Documents and Settings\Rick Bennett\My Documents\~$rd Atwood Addition.doc moved successfully.
C:\Documents and Settings\Rick Bennett\My Documents\~$ford.doc moved successfully.
[Files/Folders - Modified Within 30 Days]
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
C:\WINDOWS\System32\tikezohu moved successfully.
File C:\WINDOWS\System32\46f8yGN6.exe.a_a not found!
File C:\WINDOWS\System32\46f8yGN6.exe not found!
File C:\WINDOWS\tasks\At9.job not found!
File C:\WINDOWS\tasks\At33.job not found!
File C:\WINDOWS\tasks\At24.job not found!
File C:\WINDOWS\tasks\At48.job not found!
File C:\WINDOWS\tasks\At23.job not found!
File C:\WINDOWS\tasks\At47.job not found!
File C:\WINDOWS\System32\arirahom.ini not found!
File C:\WINDOWS\System32\halegibu.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\moharira.dll
C:\WINDOWS\System32\moharira.dll NOT unregistered.
C:\WINDOWS\System32\moharira.dll moved successfully.
File C:\WINDOWS\tasks\At22.job not found!
File C:\WINDOWS\tasks\At46.job not found!
File C:\WINDOWS\tasks\At21.job not found!
File C:\WINDOWS\tasks\At45.job not found!
File C:\WINDOWS\tasks\At20.job not found!
File C:\WINDOWS\tasks\At44.job not found!
File C:\WINDOWS\tasks\At19.job not found!
File C:\WINDOWS\tasks\At43.job not found!
File C:\WINDOWS\tasks\At18.job not found!
File C:\WINDOWS\tasks\At42.job not found!
File C:\WINDOWS\tasks\At15.job not found!
File C:\WINDOWS\tasks\At39.job not found!
File C:\WINDOWS\tasks\At14.job not found!
File C:\WINDOWS\tasks\At38.job not found!
File C:\WINDOWS\tasks\At13.job not found!
File C:\WINDOWS\tasks\At37.job not found!
File C:\WINDOWS\tasks\At12.job not found!
File C:\WINDOWS\tasks\At36.job not found!
File C:\WINDOWS\tasks\At11.job not found!
File C:\WINDOWS\tasks\At35.job not found!
File C:\WINDOWS\System32\iketenad.ini not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\gitalobo.dll
C:\WINDOWS\System32\gitalobo.dll NOT unregistered.
C:\WINDOWS\System32\gitalobo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\daneteki.dll
C:\WINDOWS\System32\daneteki.dll NOT unregistered.
C:\WINDOWS\System32\daneteki.dll moved successfully.
File C:\WINDOWS\tasks\At10.job not found!
File C:\WINDOWS\tasks\At34.job not found!
File C:\WINDOWS\tasks\At4.job not found!
File C:\WINDOWS\tasks\At28.job not found!
File C:\WINDOWS\tasks\At3.job not found!
File C:\WINDOWS\tasks\At27.job not found!
File C:\WINDOWS\tasks\At2.job not found!
File C:\WINDOWS\tasks\At26.job not found!
File C:\WINDOWS\tasks\At25.job not found!
File C:\WINDOWS\tasks\At1.job not found!
File C:\WINDOWS\System32\uruholis.ini not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\fareruta.dll
C:\WINDOWS\System32\fareruta.dll NOT unregistered.
C:\WINDOWS\System32\fareruta.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\silohuru.dll
C:\WINDOWS\System32\silohuru.dll NOT unregistered.
C:\WINDOWS\System32\silohuru.dll moved successfully.
File C:\WINDOWS\System32\adorozig.ini not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\gizoroda.dll
C:\WINDOWS\System32\gizoroda.dll NOT unregistered.
C:\WINDOWS\System32\gizoroda.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\vowayore.dll
C:\WINDOWS\System32\vowayore.dll NOT unregistered.
C:\WINDOWS\System32\vowayore.dll moved successfully.
File C:\WINDOWS\tasks\At41.job not found!
File C:\WINDOWS\tasks\At17.job not found!
File C:\WINDOWS\tasks\At40.job not found!
File C:\WINDOWS\tasks\At16.job not found!
File C:\WINDOWS\System32\ofalulif.ini not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\zujopuhe.dll
C:\WINDOWS\System32\zujopuhe.dll NOT unregistered.
C:\WINDOWS\System32\zujopuhe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\filulafo.dll
C:\WINDOWS\System32\filulafo.dll NOT unregistered.
C:\WINDOWS\System32\filulafo.dll moved successfully.
File C:\WINDOWS\tasks\At32.job not found!
File C:\WINDOWS\tasks\At31.job not found!
File C:\WINDOWS\tasks\At30.job not found!
File C:\WINDOWS\tasks\At29.job not found!
File C:\WINDOWS\System32\ilitiraw.ini not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\waritili.dll
C:\WINDOWS\System32\waritili.dll NOT unregistered.
C:\WINDOWS\System32\waritili.dll moved successfully.
C:\WINDOWS\System32\sawubiyi.dll_old moved successfully.
File C:\WINDOWS\tasks\At8.job not found!
File C:\WINDOWS\tasks\At7.job not found!
File C:\WINDOWS\tasks\At6.job not found!
File C:\WINDOWS\tasks\At5.job not found!
File C:\WINDOWS\System32\6O2ql5w2.exe.a_a not found!
File C:\WINDOWS\System32\6O2ql5w2.exe not found!
File C:\Documents and Settings\Rick Bennett\My Documents\~$rd Atwood Addition.doc not found!
File C:\Documents and Settings\Rick Bennett\My Documents\~$ford.doc not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF41D7.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF76A4.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF8D76.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB1DB.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB1F0.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB231.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB244.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB274.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB283.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB974.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBADA.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\~DF70D2.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\~DF70FC.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.33b fix logfile created on 11122008_134119

Files moved on Reboot...
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF41D7.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF76A4.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF8D76.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB1DB.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB1F0.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB231.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB244.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB274.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB283.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB974.tmp not found!
C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBADA.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\~DF70D2.tmp moved successfully.
C:\WINDOWS\temp\~DF70FC.tmp moved successfully.


Scanning Report
Wednesday, November 12, 2008 14:37:01 - 15:44:12
Computer name: D1WZ0L91
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 10 malware found
TrackingCookie.Questionmarket (spyware)
System
TrackingCookie.Revsci (spyware)
System
Trojan.Win32.Agent.aljf (virus)
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20081110-174357-531.DLL (Renamed)
Vundo.FBW (virus)
C:\_OTSCANIT\MOVEDFILES\11122008_134119\C_WINDOWS\SYSTEM32\ADOROZIG.INI
C:\_OTSCANIT\MOVEDFILES\11122008_134119\C_WINDOWS\SYSTEM32\ARIRAHOM.INI
C:\_OTSCANIT\MOVEDFILES\11122008_134119\C_WINDOWS\SYSTEM32\IKETENAD.INI
C:\_OTSCANIT\MOVEDFILES\11122008_134119\C_WINDOWS\SYSTEM32\ILITIRAW.INI
C:\_OTSCANIT\MOVEDFILES\11122008_134119\C_WINDOWS\SYSTEM32\OFALULIF.INI
C:\_OTSCANIT\MOVEDFILES\11122008_134119\C_WINDOWS\SYSTEM32\URUHOLIS.INI
C:\WINDOWS\SYSTEM32\ASEZURAY.INI

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 38309
System: 2870
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 9
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2008-11-12
F-Secure AVP: 7.0.171, 2008-11-12
F-Secure Pegasus: 1.20.0, 2008-10-09
F-Secure Blacklight: 2.4.1093
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------




 
Thank you my friend nickUS. :)

That looks pretty good. There are just a couple of left-over items to take care of. Follow the steps below in order:

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPM4f5b2926" -> %SystemRoot%\system32\jogevoma.dll [Rundll32.exe "c:\windows\system32\jogevoma.dll",a]
YN -> "wepebisara" -> %SystemRoot%\system32\punawuwu.DLL [Rundll32.exe "C:\WINDOWS\system32\punawuwu.dll",s]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> c:\windows\system32\jogevoma.dll -> %SystemRoot%\system32\jogevoma.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\jogevoma.dll [SSODL]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\jogevoma.dll [STS]
[Files/Folders - Created Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> nahilifo.dll -> %SystemRoot%\System32\nahilifo.dll
NY -> tikezohu -> %SystemRoot%\System32\tikezohu
NY -> asezuray.ini -> %SystemRoot%\System32\asezuray.ini
NY -> 46f8yGN6.exe_ -> %SystemRoot%\System32\46f8yGN6.exe_
[Files/Folders - Modified Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> tikezohu -> %SystemRoot%\System32\tikezohu
NY -> nahilifo.dll -> %SystemRoot%\System32\nahilifo.dll
NY -> 46f8yGN6.exe_ -> %SystemRoot%\System32\46f8yGN6.exe_
NY -> asezuray.ini -> %SystemRoot%\System32\asezuray.ini
NY -> jogevoma.dll -> %SystemRoot%\System32\jogevoma.dll
NY -> yaruzesa.dll -> %SystemRoot%\System32\yaruzesa.dll
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the OK button and Notepad will open with a log of actions taken during the fix.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time.

Copy/paste the results back here in your next reply.
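Read as a triage artifact, the fix above shows one file, jogevoma.dll, wired into four separate autostart locations (Run, AppInit_DLLs, SSODL and SharedTaskScheduler). The script below is an added example, not part of the thread and not OTScanIt2's own code: it parses fix-script lines in the format shown above into a map from file path to the locations that reference it, so redundantly hooked files stand out. The line format is inferred from the post (the sample input is a constructed subset of that fix), and the leading two-letter flags (YY, YN, NY) are matched but not interpreted, since the thread does not explain them.

```python
"""Triage an OTScanIt2 fix script: which autostart locations reference each file?

Added example, not part of the thread or of OTScanIt2. The line format is
inferred from the fix posted above; the leading two-letter flags (YY, YN, NY)
are matched but not interpreted.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the fix script from the post above.
SAMPLE_FIX = r"""
[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPM4f5b2926" -> %SystemRoot%\system32\jogevoma.dll [Rundll32.exe "c:\windows\system32\jogevoma.dll",a]
YN -> "wepebisara" -> %SystemRoot%\system32\punawuwu.DLL [Rundll32.exe "C:\WINDOWS\system32\punawuwu.dll",s]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> c:\windows\system32\jogevoma.dll -> %SystemRoot%\system32\jogevoma.dll
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\jogevoma.dll [SSODL]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\jogevoma.dll [STS]
[Files/Folders - Modified Within 30 Days]
NY -> jogevoma.dll -> %SystemRoot%\System32\jogevoma.dll
NY -> yaruzesa.dll -> %SystemRoot%\System32\yaruzesa.dll
[Empty Temp Folders]
[Start Explorer]
"""

ENTRY_RE = re.compile(r"^[YN]{2} -> (?P<name>.*?) -> (?P<target>.*)$")
LOCATION_RE = re.compile(r"^< (?P<loc>[^\[]+?) \[")   # "< Run [HKEY_LOCAL_MACHINE\] > -> ..."
TRAILING_NOTE_RE = re.compile(r"\s*\[[^\]]*\]\s*$")  # " [Rundll32.exe ...]" or " [SSODL]"


def normalize_path(target):
    """Strip the bracketed annotation, expand %SystemRoot%, lower-case for matching."""
    path = TRAILING_NOTE_RE.sub("", target).strip()
    path = re.sub(r"%systemroot%", lambda _: r"C:\WINDOWS", path, flags=re.IGNORECASE)
    return path.lower()


def parse_fix(fix_text):
    """Return (path -> sorted list of locations, set of registry location names)."""
    hits = defaultdict(set)
    registry_locations = set()
    section = None   # current "[ ... ]" block of the fix
    location = None  # current "< ... >" registry location inside that block
    for raw in fix_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, location = line[1:-1], None
            continue
        m = LOCATION_RE.match(line)
        if m:
            location = m.group("loc")
            registry_locations.add(location)
            continue
        if line.startswith("*"):
            continue  # value-name header such as *AppInit_DLLs*, carries no path
        m = ENTRY_RE.match(line)
        if m and (location or section):
            hits[normalize_path(m.group("target"))].add(location or section)
    return {p: sorted(locs) for p, locs in hits.items()}, registry_locations


def multi_hooked(fix_text, minimum=2):
    """Files referenced from at least `minimum` distinct registry autostart locations.

    One DLL wired into Run, AppInit_DLLs, SSODL and SharedTaskScheduler at once is
    the redundancy pattern worth flagging: any hook left behind reloads the file.
    """
    pmap, reg = parse_fix(fix_text)
    return {p: [loc for loc in locs if loc in reg]
            for p, locs in pmap.items()
            if sum(loc in reg for loc in locs) >= minimum}


if __name__ == "__main__":
    for path, locs in multi_hooked(SAMPLE_FIX).items():
        print(f"{path}: {', '.join(locs)}")
```

Run against the sample, only jogevoma.dll is reported, with its four registry hooks; punawuwu.dll has a single Run entry and yaruzesa.dll only appears in the modified-files section.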
 
Thanks Mr.wolf

My computer is perfect now

here:


Explorer killed successfully
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CPM4f5b2926 deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jogevoma.dll
C:\WINDOWS\system32\jogevoma.dll NOT unregistered.
C:\WINDOWS\system32\jogevoma.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wepebisara deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\jogevoma.dll deleted successfully.
File C:\WINDOWS\system32\jogevoma.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SSODL deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"\ not found.
File C:\WINDOWS\system32\jogevoma.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\ deleted successfully.
File C:\WINDOWS\system32\jogevoma.dll not found.
[Files/Folders - Created Within 30 Days]
LoadLibrary failed for C:\WINDOWS\System32\nahilifo.dll
C:\WINDOWS\System32\nahilifo.dll NOT unregistered.
C:\WINDOWS\System32\nahilifo.dll moved successfully.
C:\WINDOWS\System32\tikezohu moved successfully.
C:\WINDOWS\System32\asezuray.ini moved successfully.
C:\WINDOWS\System32\46f8yGN6.exe_ moved successfully.
[Files/Folders - Modified Within 30 Days]
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
File C:\WINDOWS\System32\tikezohu not found!
File C:\WINDOWS\System32\nahilifo.dll not found!
File C:\WINDOWS\System32\46f8yGN6.exe_ not found!
File C:\WINDOWS\System32\asezuray.ini not found!
File C:\WINDOWS\System32\jogevoma.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yaruzesa.dll
C:\WINDOWS\System32\yaruzesa.dll NOT unregistered.
C:\WINDOWS\System32\yaruzesa.dll moved successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF758C.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF81BC.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB4F0.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBA45.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBA52.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBAD6.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBAE3.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBBE5.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBBF2.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFF0A1.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.33b fix logfile created on 11122008_180428

Files moved on Reboot...
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF758C.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DF81BC.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFB4F0.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBA45.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBA52.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBAD6.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBAE3.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBBE5.tmp not found!
File C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFBBF2.tmp not found!
C:\Documents and Settings\Rick Bennett\Local Settings\Temp\~DFF0A1.tmp moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully
 
Friend nickUS,

That looks good. Go ahead and run the system for a couple of days and then let me know if anything unusual pops back up. Then we have some final cleanup to do and you'll be all set.

Cheers.
 
Thank you very much, Mr.wolf. It's running better already - I'll report back on Wednesday. =)

Cheers to everyone in Brasil
 
Hey there, Mr. Wolf!!! Lots of work with the folks here??? hehe... Look, several times I have caught a virus on my computer and on my girlfriend's computer... Actually I don't know whether it was really a virus or spyware... Anyway, I'm a bit worried in case I catch it again... It works like this: it disables the Windows Task Manager, removes all the options from the Start menu, preventing you from getting into Run or the Control Panel, disables the keyboard shortcuts, for example "Windows + E" to open My Computer doesn't work; it simply deletes everything that could be used to find it. I use McAfee Enterprise 8.5i with the on-access scan option (which lets it analyze open processes and any attempt at intrusion or improper installation); in short, it practically freezes the system... Well, what I managed to verify is that it comes from some real executable or from some source code embedded in web pages, but I don't know exactly where from, and unfortunately I had no alternative but to reinstall Windows, especially because the time I managed to remove everything that could be the pest, Windows was literally a sieve, full of holes: all the navigation options were deleted and even an install over the top didn't repair the holes it left... So now I have started adopting a total protection policy, mainly with my clients... What do you think it could be, and how could I protect myself specifically? After all, it gets pretty complicated to forbid installing executables in the Windows and Program Files folders, having to unblock it every time I install some application that modifies the contents of some Windows executable or simply adds more executables... Well, sorry for the huge and tiring text, this was also a vent, because this pest is really frustrating... Thanks and congratulations on the topic... Bye... :)
 
Hey friend abelr, how are you?

Look, friend abelr, from your account, the virus that infected your machine was a Rootkit.Agent.BW. This type of trojan does exactly what you described. In fact, depending on the variant of this malware, it can even stop your Windows from booting. And it can also go as far as uninstalling your antivirus completely, to bring even more infections onto your machine.

When we are infected by this malware, the first thing to do is disconnect from the Internet and restart your computer in Safe Mode. This virus's file lodges in the System, System32 and Windows folders, because it makes a copy of itself and spreads into these folders; it's like a worm, let's say.
While you are in Safe Mode, the virus stays inactive. Its removal has to be done through the command prompt, because the tools used for removing this malware are not enough.

"What do you think it could be, and how could I protect myself specifically? After all, it gets pretty complicated to forbid installing executables in the Windows and Program Files folders, having to unblock it every time I install some application that modifies the contents of some Windows executable or simply adds more executables."
My suggestion for you, friend abelr, would be to install an Anti-Rootkit on the machine, because it is the only tool capable of identifying and attempting a possible removal of this malware from your computer.

Could you tell me which protection programs you have, abelr?
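The symptoms abelr describes (Task Manager disabled, Run and Control Panel gone from the Start menu, Win+E dead) are what the Explorer and System policy values in the registry produce when they are set to a non-zero value, whether Group Policy or malware sets them. The check below is an added example, not from the thread or from any of the tools it mentions: it evaluates a snapshot of those values and names the symptom each one causes. The key paths and value names are the standard Windows policy locations; the symptom strings are my own labels; the snapshot reader uses Python's winreg module and so only runs on Windows, and the sample snapshot is constructed to mirror abelr's report.

```python
"""Check the Explorer/System policy values behind the symptoms abelr describes.

Added example, not from the thread. A disabled Task Manager, a Start menu with
Run and Control Panel removed, and dead Win+E shortcuts are what these policy
values produce when set to a non-zero value, whether Group Policy or malware set
them. The evaluation is a pure function over a snapshot so it can be tested
off-box; the winreg reader only works on Windows.
"""
import sys

POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# value name -> user-visible symptom when the value is non-zero (labels are mine)
POLICY_VALUES = {
    POLICY_SYSTEM: {
        "DisableTaskMgr": "Task Manager disabled",
        "DisableRegistryTools": "Registry Editor disabled",
    },
    POLICY_EXPLORER: {
        "NoRun": "Run removed from the Start menu",
        "NoControlPanel": "Control Panel blocked",
        "NoWinKeys": "Windows-key shortcuts (e.g. Win+E) disabled",
        "NoFolderOptions": "Folder Options removed",
    },
}

HIVES = ("HKCU", "HKLM")


def evaluate(snapshot):
    """Return one finding per restriction that is present and non-zero in `snapshot`.

    `snapshot` maps (hive, subkey, value_name) -> data. A policy is enforced when
    the value exists with non-zero data under either hive, so both are checked.
    """
    findings = []
    for hive in HIVES:
        for subkey, values in POLICY_VALUES.items():
            for name, symptom in values.items():
                data = snapshot.get((hive, subkey, name))
                if isinstance(data, int) and data != 0:
                    findings.append({"hive": hive, "key": subkey, "value": name,
                                     "data": data, "symptom": symptom})
    return findings


def read_live_snapshot():
    """Read the same values from the local registry (Windows only)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("registry access requires Windows")
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for hive, root in roots.items():
        for subkey, values in POLICY_VALUES.items():
            try:
                key = winreg.OpenKey(root, subkey)
            except OSError:
                continue  # policy key absent: nothing is enforced from here
            with key:
                for name in values:
                    try:
                        data, _ = winreg.QueryValueEx(key, name)
                    except OSError:
                        continue  # value not set
                    snapshot[(hive, subkey, name)] = data
    return snapshot


# Constructed sample: what a snapshot looks like on a box showing abelr's symptoms.
SAMPLE_SNAPSHOT = {
    ("HKCU", POLICY_SYSTEM, "DisableTaskMgr"): 1,
    ("HKCU", POLICY_EXPLORER, "NoRun"): 1,
    ("HKCU", POLICY_EXPLORER, "NoControlPanel"): 1,
    ("HKCU", POLICY_EXPLORER, "NoWinKeys"): 1,
    ("HKCU", POLICY_EXPLORER, "NoFolderOptions"): 0,  # present but not enforced
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform.startswith("win") else SAMPLE_SNAPSHOT
    for f in evaluate(snap):
        print(f"{f['hive']}\\{f['key']}\\{f['value']} = {f['data']}: {f['symptom']}")
```

On a clean machine the live snapshot is normally empty, so any finding is worth explaining: either an administrator set the policy deliberately or something else did. Reading from Safe Mode, as Mr.Wolf advises, is the point at which such a check is most useful, since the values can then be inspected without the malware re-applying them.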
 
Hey Wolffffffffffff...


problem solved here...

thanks a lot...
 
Mr.wolf, all better, problem solved. Thanks very much!

Mr.wolf, can anyone translate this to English please????


Before Tom Cruise lost himself in the Church of Scientology, he starred in Minority Report pretending to use some pretty cool computers that he controlled by moving his hands in the air - no mouse or touch involved. Mgestyk Technologies is developing this idea of a gesture-based interface, consisting of a 3D camera and software that translates hand movements into commands that control the computer's programs.

The company will demonstrate this technology at the Montreal International Game Summit on November 18 and 19.

Thanks,
nickUS
 
Of course, my friend nickUS.

Before Tom Cruise lost his marbles to the Church of Scientology, he starred in Minority Report and pretended to use some pretty cool computers that he controlled by waving his hands around — no mouse, no touching involved. Mgestyk Technologies is playing off that idea with its gesture-based interface, which consists of a 3D camera and software that translate hand movements into commands to control computer applications.

In the demo video (above), we see a tester playing games, browsing web sites and performing other miscellaneous tasks with nothing but his hands. Pretty cool, huh? The company's going to show off this technology at the Montreal International Game Summit on November 18 and 19.

Cheers :thumbs_up
 
Mr.Wolf, how are you?

I've been running SUPERAntiSpyware and Malwarebytes alternately, and this infection keeps showing up, the so-called rogue component installer; this is now the third time it has happened. I remove it and after a while it appears again. What virus is this? Could I be visiting some site that gives me this spyware? Because it seems to install itself in the Windows registry. Do I need to run ComboFix?

Thanks!!

[screenshot attachment: virusrogueim8.jpg]

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:22:46, on 19/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Outlook Express\msimn.exe
C:\Documents and Settings\User\Desktop\hijackthis\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Arquivos de programas\Internet Download Manager\IDMIECC.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Download all links with IDM - C:\Arquivos de programas\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Arquivos de programas\Internet Download Manager\IEExt.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\adialhk.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
 
Hey my friend lopez, all good, and you?

Rogue.Component is, as the name says, a rogue (fake) security program. The most common way to get this type of infection is by visiting unsafe sites, installing malicious ActiveX controls, or running a suspicious .bat file. It can be caught in several other ways too, but the ones I mentioned are the most common.

Let's proceed as follows, friend lopez.

- Download RogueRemover and save it to the desktop;

- Double-click rr-free-setup to install the program;
- Click Next;
- Check the I accept the agreement box and click Next > Next > Next > Next > Install;
- Check the Launch RogueRemover FREE box and click Finish;
- Click Check for updates > Check for updates, wait for the download and click OK > Close;
- Click Scan and wait; it's quite fast. If it doesn't detect the rogue on your computer, the following message will appear: "Congratulations, RogueRemover did not detect any items"!

Then see whether Rogue.Component is still detected, lopez.
 

Thanks, I ran it and nothing was found. I don't think it's a site, but I have been running some .bat programs lately, which are executables for unpacking programs.
 