Virus removal

MALWAREBYTES ANTI-MALWARE LOG

Thanks, bro

Malwarebytes' Anti-Malware 1.33
Versão do banco de dados: 1705
Windows 6.00.1905 Service Pack 1

29/1/2009 16:05:20
mbam-log-2009-01-29 (16-05-20).txt

Tipo de Verificação: Completa (C:\|)
Objetos verificados: 87038
Tempo decorrido: 55 minute(s), 32 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 0
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 0

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
(Nenhum ítem malicioso foi detectado)
 
OK hyan, follow the procedures below:

1 -

  • Download the Kaspersky Removal Tool
  • Run the file and complete the installation normally;
  • Open the program, check Computer on the left side and click Scan;
  • Wait for the scan to finish; this may take a while;
  • If it finds any infection, click Disinfect;
  • When it finishes, click the Events tab, uncheck the Show all Events checkbox and then click Save to file.
2 -

  • Download ATF Cleaner;
  • Run it and check the Select All checkbox;
  • Click Empty Selected;
  • Go through the Firefox and Opera tabs at the top doing the same procedure, if you have those browsers installed.
3 -

  • Download DDS;
  • Run it and wait until the scan finishes;
  • When it finishes, two logs will appear, DDS and Attach.
  • Post the content of those logs in your next reply. (Use the [!spoiler] tag, without the exclamation mark, and [/spoiler] to post the logs.)


Send me the DDS and Kaspersky logs in your next reply.
 
Hello everyone, good afternoon. How are you?

Friend Carlos MEP, it's a tough one there, huh, friend! It is still the work of the new Vundo trojan, as I reported to you earlier. This trojan creates files on the machine itself through its own variable. There was no need to disconnect from the Internet.

Follow this procedure below, friend Carlos MEP.

Step 1

Go to Start > Run, type sysdm.cpl and click OK. Click the Advanced tab and then the Environment Variables button. Under "System variables" click the New button; in Variable name enter C:\Windows. In Variable value enter %systemdrive% and click OK.

Uninstall the Ares Galaxy program and reinstall it after we finish, because the program was contaminated by Vundo, and if you run it to download something your computer will be infected again.

Step 2

- I sent you a tool by PM, Carlos MEP. Download it and save it in the Program Files folder;
- Double-click the tool's executable and install the program normally. Open Notepad and paste the content below:

Everntr

KIET THE VIELT IN .*TXT="REALATED;GRAVE;GATES; - .*TXT {VF}

Exit
Save it as Low.txt and drag it onto the executable of the tool I sent you. A new icon for the tool will be created on the desktop. Run it and install it normally.

Step 3

- Download OTScanIt2 and save it to the desktop. Double-click OTScanIt2.exe and click the Extract button. A folder named OTScanIt2 will be created on your desktop. Close all open programs and windows, go into this folder and double-click OTScanIt2.exe;

- Under "File Age" choose the 90 Days option. Under "Additional Scans" check the following boxes: Reg - ColumnHandlers, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Associations, Reg - NetSvcs, Reg - Protocol Filters, Reg - Protocol Handlers, Reg - SafeBoot Minimal, Reg - SafeBoot Network, Reg - Session Manager Settings, Reg - Winsock2 Catalogs, File - Lop Check, File - Purity Scan, Files - Signature Check, and Evnt - EventViewer Logs (Last 10 Errors).
- Under "Rootkit Search" click Yes.
- In the Custom Scans window, paste all of the text below, inside the spoiler:

%systemroot%\Prefetch\*.* /s
%systemroot%\system32\drivers\*.dat
%systemroot%\system\*.tmp
%systemroot%\system32\*.ACft="ShowVundo created in files 90 Days" actemys
%systemroot%\Web\*ROOT
%systemroot%\Temp\bca4e2da.$$$
%systemroot%\Temp\ed47fa.$
%systemroot%\Temp\fa56d7ec.$$$
%systemroot%\System32\antiwpa.dll
%systemroot%\Pack.epk
%systemroot%\system32\bb1.dat
%systemroot%\system32\cookie1.dat
%systemroot%\system32\tb.dr
%systemroot%\system32\nods32.dll
%ProgramFiles%\MSN Messenger\*.zip
%ProgramFiles%\MSN Messenger\*.exe
%ProgramFiles%\MSN Messenger\*.rar
%PROGRAMFILES%\*crack*.
%PROGRAMFILES%\*keygen*.
%SYSTEMDRIVE%\*crack*.
%SYSTEMDRIVE%\*keygen*.
%SYSTEMDRIVE%\*.zip
%SYSTEMDRIVE%\*.rar
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\*.dll
%systemroot%\*.zip
%systemroot%\*.rar
%systemroot%\system32\*.zip
%systemroot%\system32\*.rar
%PROGRAMFILES%\*.zip
%PROGRAMFILES%\*.rar
%PROGRAMFILES%\*.exe
%PROGRAMFILES%\*.dll
%DESKTOP%\*.zip
%DESKTOP%\*.rar
%DESKTOP%\*.exe
%DESKTOP%\*crack*.
%DESKTOP%\*keygen*.
%PROGRAMFILES%\Common Files\*.*
%PROGRAMFILES%\Common Files\*bak*.
%systemroot%\SYSTEM32\*bak*.
%PROGRAMFILES%\*bak*.
%systemroot%\ime\imjp8_1\*bak*.
%PROGRAMFILES%\QuickTime\*bak*.
%PROGRAMFILES%\Viewpoint\Viewpoint Manager\*bak*.
%PROGRAMFILES%\Analog Devices\Core\*bak*.
%SYSTEMDRIVE%\hp\KBD\*bak*.
%PROGRAMFILES%\Adobe\Photoshop Album Starter Edition\3.2\Apps\*bak*.
%PROGRAMFILES%\BillP Studios\WinPatrol\*bak*.
%PROGRAMFILES%\BroadJump\Client Foundation\*bak*.
%PROGRAMFILES%\Common Files\Real\Update_OB\*bak*.
%PROGRAMFILES%\Common Files\Sonic\Update Manager\*bak*.
%PROGRAMFILES%\\Google\GoogleToolbarNotifier\*bak*.
%PROGRAMFILES%\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\*bak*.
%PROGRAMFILES%\Yahoo!\Messenger\*bak*.
%USERNAME%\*.zip
%USERNAME%\*.rar
%USERNAME%\*.exe
%USERPROFILE%\*.zip
%USERPROFILE%\*.rar
%USERPROFILE%\*.exe
%ALLUSERSPROFILE%\*.zip
%ALLUSERSPROFILE%\*.rar
%ALLUSERSPROFILE%\*.exe
%APPDATA%\*.zip
%APPDATA%\*.rar
%APPDATA%\*.exe
%ALLUSERSSTARTMENU%\*.zip
%ALLUSERSSTARTMENU%\*.rar
%ALLUSERSSTARTMENU%\*.exe
%ALLUSERSSTARTUP%\*.zip
%ALLUSERSSTARTUP%\*.rar
%ALLUSERSSTARTUP%\*.exe
%ALLUSERSPROGRAMS%\*.zip
%ALLUSERSPROGRAMS%\*.rar
%ALLUSERSPROGRAMS%\*.exe
%ALLUSERSAPPDATA%\*.zip
%ALLUSERSAPPDATA%\*.rar
%ALLUSERSAPPDATA%\*.exe
%APPDATA%\*.zip
%APPDATA%\*.rar
%APPDATA%\*.exe
%APPDATA%\*.dat
%APPDATA%\*.dll
%QUICKLAUNCH%\*.zip
%QUICKLAUNCH%\*.rar
%QUICKLAUNCH%\*.exe
%STARTUP%\*.zip
%STARTUP%\*.rar
%STARTUP%\*.exe
%STARTMENU%\*.zip
%STARTMENU%\*.rar
%STARTMENU%\*.exe
%MYDOCUMENTS%\*.zip
%MYDOCUMENTS%\*.rar
%MYDOCUMENTS%\*.exe
%MYDOCUMENTS%\*crack*.
%MYDOCUMENTS%\*keygen*.
%PROGRAMFILES%\Mozilla Firefox\plugins\*.*
%PROGRAMFILES%\Internet Explorer\*.*
%PROGRAMFILES%\Mozilla Firefox\*.zip /s
%PROGRAMFILES%\Mozilla Firefox\*.rar /s
%PROGRAMFILES%\Mozilla Firefox\*.exe /s
%PROGRAMFILES%\Internet Explorer\*.zip /s
%PROGRAMFILES%\Internet Explorer\*.rar /s
%PROGRAMFILES%\Internet Explorer\*.exe /s
%SYSTEMDRIVE%\*.dat
%SYSTEMDRIVE%\*.sys
%SYSTEMROOT%\*.dat
%SYSTEMROOT%\*.sys
%systemroot%\system32\drivers\*.exe /s
%systemroot%\system32\drivers\*.zip /s
%systemroot%\system32\drivers\*.rar /s
%systemroot%\system\*.exe /s
%systemroot%\system\*.zip /s
%systemroot%\system\*.rar /s
%systemroot%\AppPatch\*.exe /s
%systemroot%\AppPatch\*.zip /s
%systemroot%\AppPatch\*.rar /s
%systemroot%\Cache\*.*
%systemroot%\Downloaded Program Files\*.*
%systemroot%\Fonts\*.exe /s
%systemroot%\Fonts\*.zip /s
%systemroot%\Fonts\*.rar /s
%systemroot%\Fonts\*.dll /s
%systemroot%\Help\*.exe /s
%systemroot%\Help\*.zip /s
%systemroot%\Help\*.rar /s
%systemroot%\Tasks\*.*
%APPDATA%\*.sys
%APPDATA%\Google\*.*
%systemroot%\system32\serauth1.dll
%systemroot%\system32\serauth2.dll
%systemroot%\system32\sysaudio.sys
%PROGRAMFILES%\*TinyProxy*.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla|extensions /rs
%systemroot%\system32\inf\*.exe /s
%systemroot%\system32\inf\*.zip /s
%systemroot%\system32\inf\*.rar /s
%systemroot%\system32\inf\*.dll /s
%PROGRAMFILES%\Bitlord\Downloads\*.zip /s
%PROGRAMFILES%\Bitlord\Downloads\*.rar /s
%PROGRAMFILES%\Bitlord\Downloads\*.exe /s
%PROGRAMFILES%\Bitlord\Downloads\*crack*.
%PROGRAMFILES%\Bitlord\Downloads\*keygen*.
%PROGRAMFILES%\Ares\*.zip /s
%PROGRAMFILES%\Ares\*.rar /s
%PROGRAMFILES%\Ares\*.exe /s
%PROGRAMFILES%\Ares\*crack*.
%PROGRAMFILES%\Ares\*keygen*.
%ProgramFiles%\Bittorent\downloads\*.zip /s
%ProgramFiles%\Bittorent\downloads\*.exe /s
%ProgramFiles%\Bittorent\downloads\*.rar /s
%PROGRAMFILES%\Bittorent\Downloads\*crack*.
%PROGRAMFILES%\Bittorent\Downloads\*keygen*.
%ProgramFiles%\uTorrent\Downloads\*.zip /s
%ProgramFiles%\uTorrent\Downloads\*.exe /s
%ProgramFiles%\uTorrent\Downloads\*.rar /s
%ProgramFiles%\uTorrent\Downloads\*crack*.
%ProgramFiles%\uTorrent\Downloads\*keygen*.
%ProgramFiles%\Icq\Shared Files\*.zip /s
%ProgramFiles%\Icq\Shared Files\*.exe /s
%ProgramFiles%\Icq\Shared Files\*.rar /s
%ProgramFiles%\Icq\Shared Files\*crack*.
%ProgramFiles%\Icq\Shared Files\*keygen*.
%ProgramFiles%\Direct Connect\Received Files\*.zip /s
%ProgramFiles%\Direct Connect\Received Files\*.exe /s
%ProgramFiles%\Direct Connect\Received Files\*.rar /s
%ProgramFiles%\Direct Connect\Received Files\*crack*.
%ProgramFiles%\Direct Connect\Received Files\*keygen*.
%ALLUSERSPROFILE%\Application Data\AOL Downloads\*.zip
%ALLUSERSPROFILE%\Application Data\AOL Downloads\*.rar
%ALLUSERSPROFILE%\Application Data\AOL Downloads\*.exe
%ALLUSERSPROFILE%\Application Data\AOL Downloads\*crack*.
%ALLUSERSPROFILE%\Application Data\AOL Downloads\*keygen*.
- Then click the Run Scan button and wait.

A log will be generated in Notepad for you. Attach this log to your reply, friend Carlos MEP.

NOTE: The log is a bit long, so it may be necessary to compress it with WinZip or WinRAR and then attach it here.
 
Hello hyan, your case is possibly Courl.Bagle-HTML.

There are five undetectable payload entries in your HijackThis log, hyan. It is definitely Bagle. Please do the following procedure, hyan:

- Open HijackThis and click Open the Misc Tools Section. Click the Main tab and check the last option "Run HijackThis at startup and show it when items are found".

Restart your computer; when it starts, HijackThis will open automatically. Click Run and wait. Make a new log and post it here, hyan.
 
Mr Wolf!!!!!
I can't believe you're back, friend!!!!!
But hey, are you here to stay?
Dreadful coincidence. I was just about to send Gustavo MPO some logs from a PC at the company. It's the avc35 plague.

P.S.: Man, I'm really happy to see you online again! You have no idea how much. I think we even managed to help some people while you were away; thank God they were mild cases, except for the "lucky" Carlos MEP with the damned Vundo.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:40, on 30/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\ARQUIV~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\windows\trvtg.exe
C:\windows\system\jbzuc.exe
C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe
C:\windows\inf\fkqwu.exe
C:\arquivos de programas\arquivos comuns\uerdv.exe
C:\windows\config\lmrok.exe
C:\windows\system32\bmizk.exe
C:\Arquivos de programas\BrOffice.org 2.3\program\soffice.exe
C:\Arquivos de programas\BrOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrador\Desktop\RSIT.exe
C:\HijackThis\Administrador.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.1:6588
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [tDefault] c:\windows\system32\rcmoz.exe
O4 - HKLM\..\Run: [Settings] c:\windows\trvtg.exe
O4 - HKLM\..\Run: [SystemT] c:\windows\system\jbzuc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RSetting] c:\windows\inf\fkqwu.exe
O4 - HKCU\..\Run: [UserTools] c:\arquivos de programas\arquivos comuns\uerdv.exe
O4 - HKCU\..\Run: [CheckS] c:\windows\config\lmrok.exe
O4 - HKCU\..\Run: [DeviceSys] c:\windows\system32\bmizk.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: BrOffice.org 2.3.lnk = C:\Arquivos de programas\BrOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1213374838265
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

--
End of file - 5590 bytes
 
MR.WOOOOOOLLLFFFF, wow man, what a pleasure to talk to you again. As my dear colleague Luis Ednardo said, I'm a lucky guy. Actually, folks, I sent about 1000 e-mails to Mr.Wolf; I think he felt sorry for me and came to my rescue hehehe. Mr.Wolf, first I want to apologize to you for having sent that many e-mails and all. But it really was out of desperation; my dear colleagues Gustavo MPO and Luis Ednardo gave me great support in your absence, but as they themselves said it's a hard plague to deal with and all, requiring help from someone with more experience in the field.

Well, great master and king Mr.Wolf, I did everything you asked exactly; after installing the little program you sent me by PM I can open all my folders normally, and I've just uninstalled Ares. :)
All it takes is you passing along the steps and everything changes; wow, you're awesome, man.

I really had to attach the OTScanIt2 log, Mr.Wolf; it's quite big.

Mr.Wolf, thank you so much, man, really, really. A THOUSAND APOLOGIES for having sent those e-mails bothering you with whatever you were doing.

Now I also ask, like Luis Ednardo: are you back to stay, or will you still be away???

Regards

Carlos

A big hug, king.
 

Attachment: OTScanIt2 Carlos MEP.zip.zip (34.6 KB)

HijackThis log from my PC, just out of curiosity; I didn't notice any virus, but better safe than sorry.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:21 PM, on 1/30/2009
Platform: Unknown Windows (WinNT 6.01.2904)
MSIE: Internet Explorer v8.00 (8.00.7000.0000)
Boot mode: Normal

Running processes:
C:\Windows\SOUNDMAN.EXE
C:\Program Files (x86)\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\EVEREST Ultimate Edition\everest.exe
D:\Programas\Orthos 29-01-09\ORTHOS.exe
C:\PROGRA~2\GOMPLA~1\GOM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files (x86)\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5667 bytes

I'd like to take the chance to ask you something

Yesterday I went to try to fix a friend's PC
The PC was completely messed up, full of spyware and viruses
I ran Avira Free and it found 470 viruses on the first pass, and about 10 on the second.
I also ran Dr. Spyware free. In the end it was much better, but it still wasn't 100%, and I don't know how to remove what's left.
Today he called me saying the screen is all black; I didn't quite understand whether it doesn't turn on or what, I'm going there later to see.
Would you know of anything to do to try to get his PC clean?
Better software maybe..
 
Hey there, great Mr.Wolf, everything cool, old man???? Looks like you can't stay away from the topic for a minute, huh, old man?? hahahaha :p

I did what you asked, Mr.Wolf; here is the HijackThis log

Afterwards I'd like you to recommend me a decent firewall here, because they said Windows Vista's is ***** just like XP's.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42:12, on 30/1/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Windows\Domino.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Windows\VM301Snap.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files (x86)McAfee\SiteAdvisor\McSACore.exe
C:\Program Files (x86)\ActiveMultiwallpaper\Changer.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\MSN Messenger\usnsvc.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\conime.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\HyanCS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Babylon Client] "C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
04 - HKCU\..\Run: [HijackThis startup scan] C:\Users\HyanCS\Desktop\HijackThis.exe /startup scan
O4 - HKLM\..\Run: [BigDogPath] C:\Windows\VM301Snap.exe Vimicro USB PC Camera (ZC0301PL)
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F19B57C-6EBC-44EC-A86D-F6BE6B2CEECC}: NameServer = 200.165.132.155 200.149.55.140
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 antivírus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 antivírus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: WMPNetworkSvc - Unknown owner - (no file)

--
End of file - 7799 bytes

Thanks, old man
 
Hey folks, anyone who has been hit by this damn "Juejo" pest. Here's the deal: it looks to me like nothing more than the work of some idler with too much time on his hands who wants to prove to someone that he loves another person. I read, in its command lines, instructions for the pest to spread itself to any disk drive connected to the infected PC, whether physically or over the network.
This little piece of crap installs itself in the Windows\system32 directory and restores itself the moment it is deleted from C:\.
I solved the case on the PCs at my company by doing the following:
1 - In Folder Options, make Explorer show system and hidden files.
2 - Go to c:\windows\system32 and delete the files autorun.inf, juejo.reg, juejo.bat and juejo.vbs
3 - Delete the same files that are in the root of the disk (C:\) and, where applicable, on pendrives and on networked computers that are infected.

In my case, I went PC by PC, disabling the network connection and removing the files mentioned. When they were all clean, I re-enabled all the network connections.
I hope this helps someone going through the same problem.
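The cleanup above as a script, added here as an example and not taken from the post or from any tool named in the thread: it lists the four files the post names at each drive root and in System32, shows which commands a drive's autorun.inf would launch, and removes the System32 copy before the root copies, since the post saw the worm restore itself at C:\ otherwise. Only the file names come from the post; the autorun.inf content and the temporary-directory layout are constructed for the demo.

```python
"""Added example (not from the post): find and clean the 'Juejo' autorun-worm
artefacts the post names, and show what an autorun.inf would launch.
File names come from the post; SAMPLE_AUTORUN is constructed, not the real file."""
import os
import stat
import tempfile
from pathlib import Path

# Files the post says to delete, in %SystemRoot%\system32 and at each drive root.
JUEJO_FILES = ("autorun.inf", "juejo.reg", "juejo.bat", "juejo.vbs")

def parse_autorun(text: str) -> dict[str, str]:
    """Launch keys of the [AutoRun] section, lower-cased: 'open' and 'shellexecute'
    fire on insert/open when AutoRun is enabled; 'shell\\<verb>\\command' wires
    the payload to a context-menu verb such as Explore."""
    launch: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            launch[key] = value
    return launch

def scan_folder(folder: Path) -> list[Path]:
    """Artefacts directly in `folder`, matched case-insensitively. Listing the
    directory ourselves ignores the hidden/system attributes Explorer hides."""
    try:
        present = {p.name.lower(): p for p in folder.iterdir() if p.is_file()}
    except OSError:
        return []
    return [present[name] for name in JUEJO_FILES if name in present]

def scan_system(system32: Path, drive_roots: list[Path]) -> dict[str, list[Path]]:
    """Map each location holding artefacts to the files found; {} means clean."""
    hits: dict[str, list[Path]] = {}
    for location in [Path(system32), *map(Path, drive_roots)]:
        found = scan_folder(location)
        if found:
            hits[str(location)] = found
    return hits

def remove_artifacts(hits: dict[str, list[Path]], system32: Path) -> list[Path]:
    """Delete every artefact, System32 copy first: the post saw the worm restore
    itself at C:\\ when only the root copy was removed."""
    key32 = str(Path(system32))
    ordered = list(hits.get(key32, []))
    for location, files in hits.items():
        if location != key32:
            ordered.extend(files)
    removed: list[Path] = []
    for path in ordered:
        try:
            os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # clear read-only bit
            path.unlink()
            removed.append(path)
        except OSError:
            pass  # anything left behind shows up in the rescan
    return removed

# Constructed sample following the generic autorun-worm pattern; not the real file.
SAMPLE_AUTORUN = """[AutoRun]
open=juejo.bat
shellexecute=wscript.exe juejo.vbs
shell\\explore\\command=juejo.bat
"""

def demo() -> dict[str, object]:
    """Build a fake infected layout in a temp dir, then scan, clean and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp, "Windows", "system32")
        root_c = Path(tmp, "C")  # stands in for the C:\ root
        usb = Path(tmp, "E")     # stands in for a clean pendrive
        for folder in (system32, root_c, usb):
            folder.mkdir(parents=True)
        for folder in (system32, root_c):
            (folder / "autorun.inf").write_text(SAMPLE_AUTORUN)
            for name in JUEJO_FILES[1:]:
                (folder / name).write_text("rem constructed placeholder\n")
        before = scan_system(system32, [root_c, usb])
        launch = parse_autorun((root_c / "autorun.inf").read_text())
        removed = remove_artifacts(before, system32)
        after = scan_system(system32, [root_c, usb])
    return {
        "infected_locations": sorted(before),
        "launch_keys": launch,
        "removed": len(removed),
        "clean_after": not after,
    }
```

On a real machine you would pass the actual System32 path and the roots of every mounted drive, with the network disconnected first as the post did.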
 
Carlos MEP, let's go!

Before we continue: if any error occurs or you cannot proceed with any of the steps below, stop the procedures immediately, do not continue, and tell me in which one the error occurred! Also do not click any button such as OK, Help or Close if it appears in an error message; just restart the computer normally. There is no need to take screenshots of the error messages.

Step 1

Download these two tools below and save them to the desktop:

MSNFix
VundoFix

NOTE: Do not run either of these two tools yet!

Step 2

- Close all open programs and temporarily disable Avira's protection;
- Double-click OTScanIt2.exe to open the program window;
- Copy all of the text below, inside the spoiler, and paste it into the program's Paste Fix Here area:

[Kill Explorer]
[Unregister Dlls]
[Open Heuristic Advanced]
[Driver Services - Safe List]
YY -> Find FC -> %SystemRoot%\System32\DRIVERS\gnhauhs.sys [] "Low"
YC -> Found FC ; not found error FC ; "%SystemRoot%\System32\DRIVERS\gnhauhs.sys"
YN -> Related FC -> %SystemRoot%\System32\DRIVERS\gnhauhs.sys created on (92001175104) Reg Error
RY -> Block and exclusion FC -> File; [gnhauhs.sys] ; Moved for folder ; Fatal Reg Error On Reboot {not found} <-
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {106FC549-1072-4AB6-A07E-9ADFD69D4A5B} [HKLM] -> %SystemRoot%\system32\mlJyVOGX.dll [Reg Error: Value does not exist or could not be read.]
YY -> {50bfa3a5-e22a-45bb-a72a-73e52b044e8f} [HKLM] -> %SystemRoot%\system32\yibuvido.dll [Reg Error: Value does not exist or could not be read.]
YA -> {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} [HKLM] -> %SystemRoot%\system32\ljjigghau.dll [BUILDING THE STREAIZER] ; UFR.Fake
YG -> {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} [HKLM] -> Arcade\%SystemRoot%\system32\j.exe [Value Disorce]
WY -> {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} [HKLM] -> %SystemRoot%\system32\navaunhsyshext5.dll [Reg Toutement]
YY -> {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} [HKLM] -> %SystemRoot%\system32\mlJcYOGV.dll [Reg Error: Value does not exist or could not be read.]
YN -> {78366GHU-8972-8937-HHJH-JHNE431239JK} [HKLM] -> %SystemRoot%\system32\msne.exe [For the solution here...;]
YY -> {f555dad3-ca4a-4981-a6bd-f17dcbc941cc} [HKLM] -> %SystemRoot%\system32\hgrlsb.dll [Reg Error: Value does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> ShellBrowser\\"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "daseyezeba" -> %SystemRoot%\system32\gisiyojo.dll [Rundll32.exe "C:\WINDOWS\system32\gisiyojo.dll",s]
YY -> "f8806e12" -> %SystemRoot%\system32\cwfbxdhd.dll [rundll32.exe "C:\WINDOWS\system32\cwfbxdhd.dll",b]
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
YN -> "" -> []
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\yujitana.dll -> %SystemRoot%\system32\yujitana.dll
YY -> hgrlsb.dll -> %SystemRoot%\system32\hgrlsb.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> mlJcYOGV -> %SystemRoot%\system32\mlJcYOGV.dll
YN -> WgaLogon ->
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" [HKLM] -> %SystemRoot%\system32\mlJcYOGV.dll []
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
YY -> digeste.dll -> %SystemRoot%\system32\digeste.dll
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\mlJyVOGX -> %SystemRoot%\system32\mlJyVOGX.dll
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\Program Files\LimeWire\LimeWire.exe" -> C:\Program Files\LimeWire\LimeWire.exe [C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire]
[Files/Folders - Created Within 90 Days]
NY -> dhdxbfwc.ini -> %SystemRoot%\System32\dhdxbfwc.ini
NY -> cwfbxdhd.dll -> %SystemRoot%\System32\cwfbxdhd.dll
NY -> hgrlsb.dll -> %SystemRoot%\System32\hgrlsb.dll
NY -> bwdgeomq.dll -> %SystemRoot%\System32\bwdgeomq.dll
NY -> mgpzgz.dll -> %SystemRoot%\System32\mgpzgz.dll
NY -> irpmacsu.dll -> %SystemRoot%\System32\irpmacsu.dll
NY -> jlipxtoo.ini -> %SystemRoot%\System32\jlipxtoo.ini
NY -> ootxpilj.dll -> %SystemRoot%\System32\ootxpilj.dll
AY -> awayohum.ini -> %SystemRoot%\System32\awayohum.ini
NY -> tvulyqdi.job -> %SystemRoot%\tasks\tvulyqdi.job
GY -> mlJAqooO.dll -> %SystemRoot%\System32\mlJAqooO.dll
NY -> opojopir.ini -> %SystemRoot%\System32\opojopir.ini
NY -> jbmhda.dll -> %SystemRoot%\System32\jbmhda.dll
NY -> xlojfqpe.dll -> %SystemRoot%\System32\xlojfqpe.dll
NY -> xwqdfiyq.ini -> %SystemRoot%\System32\xwqdfiyq.ini
NY -> qyifdqwx.dll -> %SystemRoot%\System32\qyifdqwx.dll
NY -> oatwxuis.ini -> %SystemRoot%\System32\oatwxuis.ini
YY -> siuxwtao.dll -> %SystemRoot%\System32\siuxwtao.dll
NY -> psokbp.dll -> %SystemRoot%\System32\psokbp.dll
NY -> rqgnsvbg.dll -> %SystemRoot%\System32\rqgnsvbg.dll
NY -> ajibukaf.ini -> %SystemRoot%\System32\ajibukaf.ini
YY -> lgwrgjbl.ini -> %SystemRoot%\System32\lgwrgjbl.ini
PY -> mwkccdrd.dll -> %SystemRoot%\System32\mwkccdrd.dll
NY -> esilufug.ini -> %SystemRoot%\System32\esilufug.ini
NY -> izemanek.ini -> %SystemRoot%\System32\izemanek.ini
NY -> uzuzedat.ini -> %SystemRoot%\System32\uzuzedat.ini
NY -> jhyrpj.dll -> %SystemRoot%\System32\jhyrpj.dll
NY -> bvxxtulb.dll -> %SystemRoot%\System32\bvxxtulb.dll
NY -> lklanehw.ini -> %SystemRoot%\System32\lklanehw.ini
NY -> whenalkl.dll -> %SystemRoot%\System32\whenalkl.dll
NY -> tgfniauu.ini -> %SystemRoot%\System32\tgfniauu.ini
NY -> ksxleu.dll -> %SystemRoot%\System32\ksxleu.dll
NY -> ujxfiirf.dll -> %SystemRoot%\System32\ujxfiirf.dll
NY -> sdisxlbf.ini -> %SystemRoot%\System32\sdisxlbf.ini
NY -> ujgcrvyt.dll -> %SystemRoot%\System32\ujgcrvyt.dll
NY -> orbtoa.dll -> %SystemRoot%\System32\orbtoa.dll
NY -> XGOVyJlm.ini2 -> %SystemRoot%\System32\XGOVyJlm.ini2
NY -> XGOVyJlm.ini -> %SystemRoot%\System32\XGOVyJlm.ini
NY -> mlJyVOGX.dll -> %SystemRoot%\System32\mlJyVOGX.dll
NY -> gadcom -> %AppData%\gadcom
NY -> mlJcYOGV.dll -> %SystemRoot%\System32\mlJcYOGV.dll
NY -> digeste.dll -> %SystemRoot%\System32\digeste.dll
NY -> ~.exe -> %UserProfile%\~.exe
NY -> LimeWire 4.18.8.lnk -> %UserProfile%\Desktop\LimeWire 4.18.8.lnk
[Files/Folders - Modified Within 90 Days]
NY -> fediyuwa -> %SystemRoot%\System32\fediyuwa
NY -> tvulyqdi.job -> %SystemRoot%\tasks\tvulyqdi.job
[Alternate Data Streams]
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\My Documents\Thumbs.db:encryptable
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersProfile%\Application Data\TEMP: DFC5A2B2
[File - Lop Check]
NY -> Viewpoint -> C:\Documents and Settings\All Users\Application Data\Viewpoint
NY -> gadcom -> C:\Documents and Settings\Administrator\Application Data\gadcom
NY -> tvulyqdi.job -> C:\WINDOWS\Tasks\tvulyqdi.job
[Custom Scans]
NY -> ~.exe -> C:\Documents and Settings\Administrator\~.exe
NY -> tvulyqdi.job -> C:\WINDOWS\Tasks\tvulyqdi.job

[SUPLEMENTAR THE OTSCAN BELOW]
[EXCLUSION ABOUT LANGUAGES REMOVE BELOW]
AD -> (cknlebvd) <>- C:\WINDOWS\system32\cknlebvd.dll
AF -> (ddcaBTJy) <>- C:\WINDOWS\system32\ddcaBTJy.dll
AD -> (kkzqco) <>- C:\WINDOWS\system32\kkzqco.dll
AD -> (xxyyyApN) <>- C:\WINDOWS\system32\xxyyyApN.dll [Anonimous Terminate]
AF -> (xxyyyApN) <>- C:\WINDOWS\system32\xxyyyApN.dll [Anonimous Finshed]
AF -> (kkzqco) <>- C:\WINDOWS\system32\kkzqco.dll
AF -> (ddcaBTJy) <>- C:\WINDOWS\system32\ddcaBTJy.dll
AF -> (yJTBacdd) <>- C:\WINDOWS\system32\yJTBacdd.ini
AG -> (yJTBacdd) <>- C:\WINDOWS\system32\yJTBacdd.ini2 /M [Force]
AF -> (cknlebvd) <>- C:\WINDOWS\system32\cknlebvd.dll
AF -> (dvbelnkc) <>- C:\WINDOWS\system32\dvbelnkc.ini
AF -> (cbXRJaWp) <>- C:\WINDOWS\system32\cbXRJaWp.dll "processes.exe"
AF -> (gyfppxsp) <>- C:\WINDOWS\system32\gyfppxsp.dll

[Allowed on start Windows]
[Empty Temp Folders]
[Final Heuristic Advanced]
[Start Explorer]
[Reboot]
- At the bottom, check only the following boxes: Disable MS Config Items and Tcpip Persistent Routes. Under "Rootkit Search" select the Yes option;
- Then click the Run Fix button and wait for the files to be removed;
- A new log will be generated in Notepad.

Paste it in your next reply.

Step 3

- Run only MSNFix and extract the WinRAR-compressed files to the desktop; a folder named MSNFix will be created;
- Restart your computer in Safe Mode (if you cannot get into Safe Mode, tell me; that is normal, it is caused by Vundo);
- Open the MSNFix folder and double-click the MSNFix.bat file. The MSN_Fix-menu window will open;
- Press R to start the scan; if the infection is detected, the message "Infection Présente" will appear;
- Press Enter to continue the process. Just wait, without moving the mouse or using the keyboard;
- When it finishes, a Notepad window will open automatically with a log for you. This log will also be in the MSNFix folder, in a file called msnfix.txt.

In your next reply, Carlos MEP, paste the OTScanIt2 and MSNFix logs and a new HijackThis log.


_________________________________________________________


luisednardo, delete RSIT. Run ComboFix there in Safe Mode, do not run it in Normal Mode. Then post the tool's log here. Do the procedure with the Internet disconnected, luisednardo.

NOTE: I suggest you change your MSN password if you accessed your account on that computer, luisednardo.


__________________________________________________________



hyan, it really is Courl.Bagle, as I said before, a rather annoying little pest to remove from the machine. It may be necessary to reinstall the browsers after the disinfection of your machine is finished, friend hyan, because this malware bugs and contaminates all the browsers installed on the machine; so if you run the affected browsers after the cleanup, the infection may return to the PC.

Follow the procedure below, hyan.

- Download the Faster.zip folder uploaded to the host at the link below, hyan;
http://www.savefile.com/downloadmax/1988751

- Create a folder in C: named Fixed Courl Bagle and extract the WinZip files into this newly created folder;
- Go to the folder and run only the Bagle.exe file;
- Press any key to continue. On the next screen press 1 > Enter to start the tool's scan;
- When the scan finishes, a message will appear asking whether you want to restart the machine; say Yes and restart;
- When it starts up, a log will open automatically in Notepad for you, hyan. Save it to the desktop with a name of your choice and leave it there for now.

- Go back to the Fixed Bagle folder and now run the Flexer.exe file by double-clicking it;
- Click the Ejecutar button and wait; your screen will flicker, that is normal.

In your next reply, hyan, post the log from the Bagle.exe tool, saved on the desktop, and a new HijackThis log.
 
HijackThis log from my PC, just out of curiosity; I did not notice any virus, but better safe than sorry.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:21 PM, on 1/30/2009
Platform: Unknown Windows (WinNT 6.01.2904)
MSIE: Internet Explorer v8.00 (8.00.7000.0000)
Boot mode: Normal

Running processes:
C:\Windows\SOUNDMAN.EXE
C:\Program Files (x86)\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\EVEREST Ultimate Edition\everest.exe
D:\Programas\Orthos 29-01-09\ORTHOS.exe
C:\PROGRA~2\GOMPLA~1\GOM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files (x86)\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5667 bytes

Hello zarithur, your log is clean.

I wanted to take the chance to ask you something

Yesterday I went to try to fix a friend's PC
The PC was totally wrecked, full of spyware and viruses
I ran Avira free and it found 470 viruses on the first pass, and about 10 on the second.
I also ran Dr. Spyware free. In the end it was much better, but still not 100%, and I don't know how to remove what is left.
Today he called me saying the screen is all black; I didn't quite understand whether it doesn't turn on or what, I'm going there later to see.
Would you know of anything to do to try to get his PC clean?
Maybe a better piece of software..
In this case, zarithur, the ideal would be for your friend to post a HijackThis log for analysis. Depending on the type of infection, whenever you remove some infections here, other infections get created there, and so on... That makes a full cleanup of your friend's machine harder. If you could post the Avira scan report here, that would already be great!

Even so, tell your friend to install and run Malwarebytes Anti-Malware following the tutorial by our forum and work colleague Fábio Assolini (Einstein):
http://www.linhadefensiva.org/forum/index.php?showtopic=75554

It is strange that this black screen appeared when your friend turned the machine on, zarithur, but without an analysis or a report of the state of his system, it is hard to tell you what measures to take!

Regards
 
Oh my dear colleague and master Mr.Wolf, thank you for the reply, mate, even more so at 6 in the morning; thanks a lot, man, I don't even know how to thank you.

PS: Man, the computer got waaay better, it is getting back to its origins hehe, thanks to you, my dear colleague.

Well, I did everything the king recommended and below I leave the OTScanIt2 and MSNFix logs and a new HijackThis one. I had to attach them because I was getting a database error when posting here.

Sincerely

A big hug and all the best, always.
 

Attachments

  • MSNFix.txt (2.6 KB)
  • OTScanIt2.txt (23 KB)
  • HijackThis.txt (6.7 KB)
Hey Mr.Wolf, thanks a lot for the help, bro; I can say, jumping for joy, that my browsers are back to normal after that. I can use all of them without problems, the problem is basically gone, thanks a lot brother; later I'll reinstall them all like you said, ok???

Thanks a ton bro, what's the next step????????????

See you, old man

Here's the program's log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~

----\\Bagle - (Version - 1.0.9) - Creacion: 0.15.33,12, 31/01/2009

----\\Modo de Inicio: Normal - Microsoft Windows Vista SP1 [Versione 6.00.1905]

----\\Usuario:HyanCS - Equipo64, AuthenticAMD

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~ Objetos Encontrados
~~~~~ Archivos
C:\WINDOWS\system32\drivers\srosa.sys - Eliminado
C:\WINDOWS\system32\mdelk.exe - Eliminado
C:\WINDOWS\system32\wintems.exe - Eliminado
C:\Documents and Settings\HyanCS\DATA\m\flec006.exe - Eliminado
C:\WINDOWS\system32\win32lib.exe - Eliminado
C:\Windows\system32\Drivers\downld\1143859.exe - Eliminado
C:\Windows\system32\Drivers\downld\1147875.exe - Eliminado
C:\Windows\system32\Drivers\downld\1170031.exe - Eliminado
C:\Windows\system32\Drivers\downld\1171984.exe - Eliminado
C:\Windows\system32\Drivers\downld\1185765.exe - Eliminado
C:\Windows\system32\Drivers\downld\1191468.exe - Eliminado
C:\Windows\system32\Drivers\downld\1197609.exe - Eliminado
C:\Program Files\Movie Maker\Shared\Empty.txt - Eliminado
C:\Program Filesi\Movie Maker\Shared\Filters.xml - Eliminado
C:\Program Files\Movie Maker\Shared\news.png - Eliminado
C:\Program Files\Movie Maker\Shared\paint.png - Eliminado
C:\Program Files\Movie Maker\Shared\Sample1.jpg - Eliminado
C:\Program Files\Movie Maker\Shared\Sample2.jpg - Eliminado
C:\Program Files\Movie Maker\Shared\Profiles\Blank.txt - Eliminado
~~~~ Carpetas
C:\Documents and Settings\HyanCS\DATA\m\shared - Eliminada
C:\WINDOWS\system32\drivers\downld - Eliminada
C:\Documents and Settings\HyanCS\DATA\m - Eliminada
~~~~ Catchme Detector
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-01-31 15:40:34
Windows 6.00.1905 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

~~~~ Registro

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Babylon Client"="C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Babylon.exe"
"BigDogPath"="C:\\Windows\\VM301Snap.exe "
"Sidebar"= "c:\\Program Files\\Windows Sidebar\\Sidebar.exe"
"SunJavaUpdateSched"="C:\\pROGRAM fILES\\Java\\jre1.5.0_16\\bin\\jusched.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
@=""

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~

----\\Bagle - (Version - 1.0.9) - Finalizacion: 0.15.56,85, 31/01/2009

----\\Se creo una carpeta en C:\_Bagle, con una copia de los archivos eliminados
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~FIN~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
 
Wolf, I think I still have that Net-Worm, take a look:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21:52, on 31/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Arquivos de programas\Razer\DeathAdder\razerhid.exe
C:\windows\system32\ctfmon.exe
C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\Arquivos de programas\Razer\DeathAdder\razertra.exe
C:\Arquivos de programas\Razer\DeathAdder\razerofa.exe
C:\Documents and Settings\secta\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\Steam\steam.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Arquivos de programas\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Arquivos de programas\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Glass2k] C:\Arquivos de programas\Glass2k\Glass2k.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [DeathAdder] C:\Arquivos de programas\Razer\DeathAdder\razerhid.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Arquivos de programas\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Arquivos de programas\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

--
End of file - 6661 bytes
 
Hello zarithur, your log is clean.


In this case, zarithur, the ideal thing would be for your friend to post a HijackThis log for analysis, because depending on the type of infection, whenever you remove some infections here, others will be created there, and so on... That would make a full cleanup of your friend's machine harder. If you could post the Avira scan report here, that would already be great!

Even so, tell your friend to install and run Malwarebytes Anti-Malware following the tutorial by our forum friend and colleague Fábio Assolini (Einstein):
http://www.linhadefensiva.org/forum/index.php?showtopic=75554

It is strange that this black screen appeared when your friend turned the machine on, zarithur, but without an analysis or a report on the state of his system, it is hard to tell you what steps to take!

Regards

Thanks Mr.Wolf

When I go home on Sunday I will post the HijackThis log from his machine.
 
Man, I've got a big problem here... some damn virus/trojan/dropper, whatever it is... that I can't get off the PC.
I installed Kaspersky hoping it would finish the bastard off; it did reduce the number of alerts I used to get with Avira Free, but it doesn't remove it completely...
And it definitely renews itself over the internet, because I tried leaving the network cable unplugged and the suspicious files didn't reappear, but when I plugged the cable back in and opened Firefox an alert came up.

The suspicious files always end up in the folders
C:\Documents and Settings\User\Configurações locais\Temp
C:\Documents and Settings\User\Configurações locais\Temporary Internet Files
C:\Documents and Settings\User\Configurações locais\Temporary Internet Files\Content.IE5

Usually with numeric names, like 099.exe, 789.exe, etc...
I believe these are the droppers, apart from the viruses that showed up with the most varied names possible, but all looking like variants of the earlier ones...

Ah, I remembered something else: it's a virus that spreads over the network and through removable devices like pen drives; mine has been infected for a while and it's a pain to clean...

I'll attach 2 screenshots of the Kaspersky reports, because I can't keep writing out every trojan and virus name here... let alone the file names...

And below is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:39:28, on 2/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Arquivos de programas\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Windows Sidebar\sidebar.exe
C:\Arquivos de programas\Windows Sidebar\sidebar.exe
C:\Arquivos de programas\Windows Sidebar\sidebar.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - (no file)
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Arquivos de programas\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Arquivos de programas\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Arquivos de programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Sidebar] C:\Arquivos de programas\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Windows Service help] C:\RECYCLER\S-1-5-21-3192281266-7410456852-905514803-7773\winservices.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1218523021921
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{159DF49C-D029-4F83-B532-B6D243E604A4}: NameServer = 200.204.0.10,192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{159DF49C-D029-4F83-B532-B6D243E604A4}: NameServer = 200.204.0.10,192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{159DF49C-D029-4F83-B532-B6D243E604A4}: NameServer = 200.204.0.10,192.168.0.1
O20 - AppInit_DLLs: ??????P,C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\adialhk.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\kloehk.dll acaptuser32.dll
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll (file missing)
O20 - Winlogon Notify: GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9072 bytes
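The log above carries the two entry types that the helpers in this thread usually act on first: an O4 autorun launching from `C:\RECYCLER\...` (the post also names the Temp folders where the droppers land) and an O2 BHO registered with `(no file)`. As an added example that is not part of the thread or of the HijackThis tool, this small Python triage script parses such log lines and flags both patterns; the function names are mine, and the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis log lines (added example, not a forum or HijackThis tool).

Flags the entry types the helpers in this thread act on first:
  * O4 autorun commands that launch from RECYCLER or from the user's
    Temp / Temporary Internet Files folders (nothing legitimate installs there);
  * O2 BHO / O3 Toolbar entries whose DLL is gone ("(no file)"): harmless
    leftovers, but cleanup candidates.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Folder fragments (lower-case) that no legitimate autorun should point into.
# The Portuguese XP paths are the folders named in the post above; the English
# equivalents are added so the same check works on an English-locale log.
SUSPECT_DIRS = (
    "\\recycler\\",
    "\\configurações locais\\temp\\",
    "\\configurações locais\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\local settings\\temporary internet files\\",
)

# O4 - HKCU\..\Run: [Name] "C:\path\prog.exe" /arg (User 'X')
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O2 - BHO: Name - {CLSID} - (no file)   or   O3 - Toolbar: Name - {CLSID} - (no file)
ORPHAN_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - \(no file\)$"
)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    severity: str  # "high" (likely active malware) or "low" (cleanup)
    reason: str
    line: str


def check_run_entry(line: str) -> Optional[Finding]:
    """Flag an O4 autorun whose command lives in a suspect folder."""
    m = RUN_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").lower()
    for folder in SUSPECT_DIRS:
        if folder in cmd:
            return Finding("O4", "high",
                           f"autorun '{m.group('name')}' launches from {folder}", line)
    return None


def check_orphan_entry(line: str) -> Optional[Finding]:
    """Flag an O2/O3 entry whose registered DLL no longer exists."""
    m = ORPHAN_RE.match(line)
    if not m:
        return None
    return Finding(m.group("section"), "low",
                   f"orphaned {{{m.group('clsid')}}}: registered but its DLL is gone", line)


def triage(lines: List[str]) -> List[Finding]:
    """Run every check over each log line; one finding per line at most."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        for check in (check_run_entry, check_orphan_entry):
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings


# Sample lines copied from the HijackThis log posted above (constructed subset).
SAMPLE_LOG = [
    r"O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"',
    r"O4 - HKCU\..\Run: [Windows Service help] C:\RECYCLER\S-1-5-21-3192281266-7410456852-905514803-7773\winservices.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r"O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():4}] {f.section}: {f.reason}\n        {f.line}")
```

Running it on the sample flags only the RECYCLER autorun (high) and the orphaned BHO (low); the Kaspersky, ctfmon and GbPlugin entries pass.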
 
Mr Wolf, good morning
Have a look at this log when you have time
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:46 AM, on 2/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223567565687
O17 - HKLM\System\CCS\Services\Tcpip\..\{935ABD44-F4F1-4B3A-871B-A9DFFDA09751}: NameServer = 200.175.89.139,200.175.189.139
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7005 bytes
 
Hello everyone!

Originally posted by Carlos MEP

Oh my dear colleague and master Mr.Wolf, thanks for the reply, mate, even more so at 6 in the morning
Friend Carlos MEP, I'm not in Brazil. Where I am it is exactly 10:42 in the morning on 2 February. And on the day I posted my previous reply to you it was 13:33 in the afternoon. :)

Let's go, Carlos MEP: delete MSNFix.

Step 1

Open Notepad and paste the text below, inside the spoiler, into it:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000
Save it as ResetVundo.reg on the desktop.

Do not run this file yet!

Step 2

- Run the VundoFix tool by double-clicking VundoFix.exe;
- Click Scan for Vundo and wait;
- When it finishes, click Remove Vundo
- You will get a prompt asking whether you want to remove the files. Confirm. Your desktop will disappear;
- You will get a notice saying your computer must be shut down. Click OK and then turn the computer on again;
- VundoFix may find a file but fail to remove it. If that happens, the tool will run on restart.
When VundoFix appears, click the Scan for Vundo button to repeat the process.
- A vundofix.txt log will be created on the desktop.

Step 3

Double-click Reset.reg to run it and click Yes on the message.

Post the VundoFix log together with a new HijackThis log, Carlos MEP.

_______________________________________________


hyan, delete the folders Faster, C:\Fixed Courl Bagle and C:\_Bagle.

Post a new HijackThis log here, friend hyan.
 
Hello secta, your log shows no infections. However, there are three hidden entries in the log; do the following procedure, secta:

- Download RSIT and save it to your desktop;

● Double-click RSIT.exe to run the program;
● In the window that opens, click the Continue button so the tool starts running;
● When the tool finishes, a log with the scan result will open automatically in Notepad. Paste the contents of that log (log.txt) in your next reply;
● Also paste the contents of the info.txt file, which will be at C:\rsit\info.txt, friend secta.
_______________________________

Hello PerfectBlue, follow the instructions in the spoiler below.

- Download FindyKill and save it to the desktop;

● Double-click the tool's icon and install the tool normally;
● After installation, double-click the new icon that will appear on the desktop;
● A screen will open where you must choose the language; type E and press Enter to select English;
● Then press the 1 key > Enter to start the scan and wait for the check to finish;
● A log will be generated for you in Notepad. It will also be at C:\FindyKill.txt.

Paste this log in your next reply, PerfectBlue.
_______________________________


Friend JulianoT, the log is clean.

Any problems?
 
Hey there Mr.Wolf, just enjoying life outside Brazil, old man??? hahaha, crazy, my dream is to see Europe, man, you're awesome.

Here's the new HijackThis log, I've already deleted all the folders you asked me to, thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:55:23, on 2/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Windows\Domino.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\MSN Messenger\usnsvc.exe
C:\Program Files (x86)McAfee\SiteAdvisor\McSACore.exe
C:\Program Files (x86)\Eset\nod32krn.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\conime.exe
C:\Program Files (x86)\ActiveMultiwallpaper\Changer.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\HyanCS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Babylon Client] "C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
04 - HKCU\..\Run: [HijackThis startup scan] C:\Users\HyanCS\Desktop\HijackThis.exe /startup scan
O4 - HKLM\..\Run: [BigDogPath] C:\Windows\VM301Snap.exe Vimicro USB PC Camera (ZC0301PL)
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F19B57C-6EBC-44EC-A86D-F6BE6B2CEECC}: NameServer = 200.165.132.155 200.149.55.140
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 antivírus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 antivírus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: WMPNetworkSvc - Unknown owner - (no file)

--
End of file - 7782 bytes
 
hyan

Run HijackThis and click Do a system scan only. Check the entry below in the log and click the Fix Checked button, then Yes on the message.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
Com o HijackThis ainda aberto, clique no botão Main Menu. Clique em Open the Misc Tools Section e clique no último botão Uninstall HijackThis & exit.

Baixe esta versão do HijackThis abaixo e poste um novo log:

HijackThis 1.9
 
Here it is, wolf

Logfile of Trend Micro HijackThis v1.99.1
Scan saved at 04:18:20, on 2/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Windows\Domino.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\MSN Messenger\usnsvc.exe
C:\Program Files (x86)McAfee\SiteAdvisor\McSACore.exe
C:\Program Files (x86)\Eset\nod32krn.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\conime.exe
C:\Program Files (x86)\ActiveMultiwallpaper\Changer.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\HyanCS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Babylon Client] "C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\Windows\VM301Snap.exe Vimicro USB PC Camera (ZC0301PL)
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F19B57C-6EBC-44EC-A86D-F6BE6B2CEECC}: NameServer = 200.165.132.155 200.149.55.140
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 antivírus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 antivírus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: WMPNetworkSvc - Unknown owner - (no file)

--
End of file - 7780 bytes
 
Go to Start > Run, type regedit and click OK. Navigate to the key below and delete the value highlighted in red:

HKEY_USER\.DEFAULTS\AppEvents\srosa.

- Download RegASSASSIN and save it to the desktop;

- Run the tool and check that both options are ticked: Reset registry key permissions and Delete registry key and all subkeys;
- Paste the text below into the tool's window and click the Delete button:

Reg /survivor in payload \v/t delete all services: HKEY_USER\.DEFAULTS\*\""/.MIRROR
Post a new HijackThis log, hyan.
 
Wooow wolf, the PC got way faster after what I did here man.... woohoo \o/ hahaha

thanks a lot bro, it's no accident they call you master around here, huh man

now it's my turn, THANKS MASTER :p

what's the next step, old man????

Logfile of Trend Micro HijackThis v1.99.1
Scan saved at 04:38:52, on 2/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Windows\Domino.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\MSN Messenger\usnsvc.exe
C:\Program Files (x86)McAfee\SiteAdvisor\McSACore.exe
C:\Program Files (x86)\Eset\nod32krn.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\conime.exe
C:\Program Files (x86)\ActiveMultiwallpaper\Changer.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\HyanCS\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.Microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Babylon Client] "C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\Windows\VM301Snap.exe Vimicro USB PC Camera (ZC0301PL)
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F19B57C-6EBC-44EC-A86D-F6BE6B2CEECC}: NameServer = 200.165.132.155 200.149.55.140
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 antivírus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 antivírus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: WMPNetworkSvc - Unknown owner - (no file)

--
End of file - 7780 bytes
 
Delete RegASSASSIN, hyan.

The log is clean :)

- I recommend a maintenance pass on the computer to remove temporary and unnecessary files and invalid registry entries. Download CCleaner Slim (without the Yahoo toolbar):

- Open the program and click Run Cleaner;
- After that, click Registry > Scan for Issues > Fix selected issues.

- Disable and then re-enable System Restore.
- Read the article Proteja seu PC for more information on how to avoid infections.

NOTE: hyan, don't forget to reinstall the browsers installed on your computer, since, as I said earlier, they were affected by Bagle.

Regards
 