Virus removal

Man, this HijackThis thing is awesome, huh, it even shows XP updates. How do you see that? :eek: I install all the updates because my XP is legit and all, and this update really wasn't here. What a thing, huh? :cry:

Mr Wolf, I installed the update, ran CWShredder and it removed a lot of stuff. Then I tried restarting in Safe Mode the way you told me, and it still won't boot into Safe Mode, no way. So I ran this AboutBuster in normal mode anyway and it removed a ton of stuff here too. My PC is crawling with viruses, damn. But when AboutBuster finished running it gave this error:

And it didn't give me the program's log. I'll post only the HijackThis one, because I don't know where the AboutBuster one went because of the error. Man, my PC got a lot better, thanks a lot, dude.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52:45, on 22/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\iexplorer.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Garena\Garena.exe
C:\Arquivos de programas\Windows Media Player\wmplayer.exe
C:\Documents and Settings\rafael fpg\Desktop\AboutBuster.exe
C:\remoçao de virus adrenaline\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdm2.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [LManager] C:\ARQUIV~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SynTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [systema] C:\WINDOWS\system32\systema.exe
O4 - HKLM\..\Run: [msgrmsn] C:\WINDOWS\system32\msgrmsn.exe
O4 - HKLM\..\Run: [Services] C:\iexplorer.exe
O4 - HKLM\..\Run: [MicrosoftNET] C:\WINDOWS\system32\spoollog.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Free Download Manager] "C:\Arquivos de programas\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Arquivos de programas\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: "Adicionar ao Bloqueador de banner de anúncio" - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Baixar com o FDM - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: Baixar tudo com o FDM - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selecionado pelo FDM - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Arquivos de programas\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Arquivos de programas\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra button: Estatísticas de proteção de tráfego da web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.Microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dreamchro...eb.1.0.0.10.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} (Jolly Bear Games Player) - http://www.shockwave.com/content/bigcityad...BGamePlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1767345-3AC8-4D50-957B-3B1D565CEB36}: NameServer = 200.204.0.10 200.204.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{782554B4-8027-42C5-A185-4E9105C6ED5B}: NameServer = 85.255.112.21
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\adialhk.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: McAfee Application Installer Cleanup (0094841234058681) (0094841234058681mcinstcleanup) - - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

--
End of file - 6421 bytes
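As an added example (not from the thread or from any of the tools mentioned in it), a Python triage script that pulls out of a HijackThis log the kinds of entries the helpers act on in this thread: O2/O23 items with "(no file)", O4 Run entries pointing at a drive root or at a system32 executable that is not in a known baseline, O7 policy restrictions, and O17 NameServer settings that differ between adapters. The sample log lines are modelled on the log above and the system32 baseline is constructed for the example; both are assumptions, not a complete list.

```python
import re

# Constructed sample, modelled on lines of the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [systema] C:\WINDOWS\system32\systema.exe
O4 - HKLM\..\Run: [Services] C:\iexplorer.exe
O4 - HKLM\..\Run: [MicrosoftNET] C:\WINDOWS\system32\spoollog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1767345-3AC8-4D50-957B-3B1D565CEB36}: NameServer = 200.204.0.10 200.204.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{782554B4-8027-42C5-A185-4E9105C6ED5B}: NameServer = 85.255.112.21
O23 - Service: McAfee Application Installer Cleanup (0094841234058681) (0094841234058681mcinstcleanup) - - (no file)
"""

# Constructed baseline of system32 autoruns treated as benign for this example. It is NOT a
# complete list of legitimate Windows XP autoruns, only enough to show the comparison.
KNOWN_SYSTEM32_AUTORUNS = {
    "ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe", "nerocheck.exe", "rundll32.exe",
}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>.*)$")
O17_RE = re.compile(r"^O17 - .*\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.*)$")


def executable_of(cmd):
    """Return the program path from an O4 command line (quoted, or unquoted up to the first .exe)."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip()


def triage(log_text):
    """Return a list of (tag, detail) findings for a HijackThis log."""
    findings = []
    dns_by_adapter = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # O2 BHOs and O23 services whose binary is gone: dead references left behind by an
        # uninstall or by a previous cleanup; harmless by themselves but worth removing.
        if line.startswith(("O2 - ", "O23 - ")) and line.endswith("(no file)"):
            findings.append(("orphan", line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            low = exe.lower()
            base = low.rsplit("\\", 1)[-1]
            if re.fullmatch(r"[a-z]:\\[^\\]+", low):
                # Legitimate software almost never autostarts from the root of a drive.
                findings.append(("autorun-root", exe))
            elif "\\windows\\system32\\" in low and base not in KNOWN_SYSTEM32_AUTORUNS:
                # system32 is a favourite hiding place; anything not in the baseline needs a look.
                findings.append(("autorun-system32", exe))
            continue
        m = O7_RE.match(line)
        if m:
            # Policy restrictions (regedit, task manager, folder options) are commonly set by malware
            # to hinder cleanup; this is what the FixPolicies step later in the thread undoes.
            findings.append(("policy", f"{m.group('value')}={m.group('data')}"))
            continue
        m = O17_RE.match(line)
        if m:
            dns_by_adapter[m.group("guid")] = frozenset(m.group("servers").split())
    # Adapters configured with different resolvers deserve manual verification against the ISP's DNS.
    distinct = set(dns_by_adapter.values())
    if len(distinct) > 1:
        findings.append(("dns-mismatch", " | ".join(sorted(" ".join(sorted(s)) for s in distinct))))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"[{tag}] {detail}")
```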
 
Hi Wolf, no problem that it went unnoticed, that's why I apologized for the double post.

Back to the problem: no error message appears. What happens is this: when I go to load some game on a website, if the game is very heavy, it freezes IE. I click on the screen and a white border appears around the window; after I click again, it says "not responding" at the top. I click to close it and the classic "not responding" dialog and so on appears, but it takes ages to close IE. Funny thing is, while it's closing, the rest of the PC is normal; I even open another IE to continue where I was.

On my brother-in-law's PC, I turned it on and it took forever to load, and in Task Manager the ekrn.exe process was keeping the CPU at 100%.
Neither my PC nor his is old.
What could it be?
 
So I ran this AboutBuster in normal mode anyway and it removed a ton of stuff here too. My PC is crawling with viruses, damn. But when AboutBuster finished running it gave this error:

And it didn't give me the program's log. I'll post only the HijackThis one, because I don't know where the AboutBuster one went because of the error.
rafafg, go to the following folder and delete the highlighted file > C:\Windows\System32\comctl32.ocx. Download it again here and put it inside the same folder, System32. Go to the AboutBuster folder and double-click the tool, but don't do anything, just run it. See if the log then appears in the folder under the name Ab LogFile.txt and paste it here.

Follow the instructions below, rafafg:

Step 1

- Download BankerFix and save it to the desktop;

● Temporarily disable your antivirus so it doesn't detect the tool as a virus;
● Double-click bankerfix.exe;
● A message will appear saying it will be downloaded over the internet;
● Click OK > OK. Press Enter and wait for the scan to finish;
● When the scan is finished, read the message on screen and press Enter again.
● A log will be generated at C:\LinhaDefensiva\relatorio.txt.

Delete the C:\LinhaDefensiva folder when finished.

Step 2

- Download FindyKill and save it to the desktop;

● Double-click the program's icon and install it. The tool will be installed in C:\Arquivos de Programas\FindyKill and an icon will be created on the desktop;
● Double-click this new icon. Press E + Enter. After that, press option 2 + Enter and wait;
● If a message appears asking you to confirm the removal of the malware, confirm by clicking OK;
● When it finishes, your computer will need to be restarted; restart it;
● A log will be at C:\FindyKill.txt.

In your next reply, rafafg, paste the AboutBuster (if it appears), BankerFix and FindyKill logs.
 
Hello imartynetz

Back to the problem: no error message appears. What happens is this: when I go to load some game on a website, if the game is very heavy, it freezes IE. I click on the screen and a white border appears around the window; after I click again, it says "not responding" at the top. I click to close it and the classic "not responding" dialog and so on appears, but it takes ages to close IE. Funny thing is, while it's closing, the rest of the PC is normal; I even open another IE to continue where I was.
Have you by any chance tried using another browser? Firefox, for example. And seeing whether the same problem occurs with it?

On my brother-in-law's PC, I turned it on and it took forever to load, and in Task Manager the ekrn.exe process was keeping the CPU at 100%.
Neither my PC nor his is old.
What could it be?
This problem usually occurs with version three of NOD32. What version is your NOD32, imartynetz? 3, 2, 4...?
 
Hey Mr Wolf, the AboutBuster trick worked. I put the file there in System32 and its logfile worked. Ahh, today when I turned on the PC a message appeared saying that KIS is not a valid Win32 application :eek: What is that?????? Am I screwed for good now???? I can't run FindyKill because of this error; every program I try to open gives this "valid application" error. What a crappy virus, man. I can't open HijackThis anymore either because it gives that "valid" error. I only managed the BankerFix and the AboutBuster:

BankerFix 3.0 VALKYRIE - Removedor de Bankers
Linha Defensiva | http://www.linhadefensiva.org
http://www.linhadefensiva.org/bankerfix/
-------------------------------------------------------
Data: 2009-02-23 - 15:08
-------------------------------------------------------
Lista de Definição: 2009-01-21-2 | CORE: 2009-01-21-1
=======================================================


Arquivo infectado detectado: C:\WINDOWS\system32\configex.dll
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\system32\MEGATRON.ini
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\system1591.exe
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\system32\bios.exe
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\iexplorer.exe
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\system32\IEXPLORE.EXE
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\system32\msng.exe
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\system32\msnnsgr.exe
Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\system32\spoollog.exe
Arquivo infectado removido com sucesso!

----- Fim -------------------------

This is the AboutBuster from yesterday. Do I need to run it again, because it got better when I ran it yesterday???

AboutBuster 6.07
Scan started on [22/2/2009] at [19:42:45]
-------------------------------------------------------------
Removed Data Streams:
C:\WINDOWS\addbe.dll:xgshq
C:\WINDOWS\addct32.dll:kcvbv
C:\WINDOWS\atlgh.dll:wgqrs
C:\WINDOWS\atlur.dll:tsimp
C:\WINDOWS\atlvm32.dll:ibmws
C:\WINDOWS\auopm.dat:ddiuj
C:\WINDOWS\bcayf.dat:kwrkm
C:\WINDOWS\bootstat.dat:ngzwt
C:\WINDOWS\Coffee Bean.bmp:fmvoo
C:\WINDOWS\crdx.dll:vmdly
C:\WINDOWS\crpy32.dll:bgwju
C:\WINDOWS\daemon.dll:qngyl
C:\WINDOWS\hmdmv.dll:cahnk
C:\WINDOWS\ieqk32.dll:pieff
C:\WINDOWS\javayr32.dll:tglrp
C:\WINDOWS\mfcro.dll:gywpz
C:\WINDOWS\netif.dll:nqtsp
C:\WINDOWS\ntnt.dll:meosa
C:\WINDOWS\oebdz.dat:qtkdm
C:\WINDOWS\pumyc.txt:xeklb
C:\WINDOWS\Santa Fe Stucco.bmp:ydxoj
C:\WINDOWS\sdkga.dll:exboe
C:\WINDOWS\sdknf.dll:afxrt
C:\WINDOWS\sysuf32.dll:lqsoy
C:\WINDOWS\tsoc.log:fmkwz
C:\WINDOWS\twain.dll:jftvn
C:\WINDOWS\udrpg.dll:tpdov
C:\WINDOWS\vvfvi.dat:ddnyu
C:\WINDOWS\Windows Update.log:axemx
C:\WINDOWS\winzo.dll:eugcw
C:\WINDOWS\xjuer.dll:sukms
C:\WINDOWS\xpium.dll:ghsqm
C:\WINDOWS\xpsp1hfm.log:nljmq


Removed 2 Random Key Entries
Removed! : C:\WINDOWS\bcayf.dat
Removed! : C:\WINDOWS\bjngl.dat
Removed! : C:\WINDOWS\dapgs.dat
Removed! : C:\WINDOWS\hzsbm.dat
Removed! : C:\WINDOWS\kicwk.dat
Removed! : C:\WINDOWS\midje.dat
Removed! : C:\WINDOWS\udrpg.dll
Removed! : C:\WINDOWS\uhgxp.dat
Removed! : C:\WINDOWS\xjuer.dll
Removed! : C:\WINDOWS\zdvrd.dat
Removed! : C:\WINDOWS\system32\hldux.dat
Removed! : C:\WINDOWS\system32\inqiw.dat
Removed! : C:\WINDOWS\system32\naida.dat
Removed! : C:\WINDOWS\system32\nfnjo.dat
Removed! : C:\WINDOWS\system32\nxnbv.dat
Removed! : C:\WINDOWS\system32\tazmr.dat
Removed! : C:\WINDOWS\system32\vcbue.dat
Removed! : C:\WINDOWS\system32\wakpi.dat
Removed! : C:\WINDOWS\system32\zavja.dat
Removed! : C:\WINDOWS\system32\zgzcv.dat
Removed! : C:\WINDOWS\system32\zobkn.dat
Removed! : C:\WINDOWS\system32\zycpr.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 20:00:57
 
Ahh, today when I turned on the PC a message appeared saying that KIS is not a valid Win32 application :eek: What is that?????? Am I screwed for good now???? I can't run FindyKill because of this error; every program I try to open gives this "valid application" error.
That's the action of the Rootkit.Bagle that infected your machine. As I told you before, it's a troublesome infection! But Sality is worse...

Delete the C:\LinhaDefensiva folder (if you haven't deleted it yet). Delete AboutBuster.

- Download FixPolicies and save it to the desktop

- Double-click FixPolicies.exe;
- A FixPolicies folder will be created;
- Go to the folder and double-click Fix_Policies.cmd. Press Enter to exit the program.

- Using the Internet Explorer browser, download the tool below and save it to your local C: drive.
EliBagle > To download the tool, at the bottom of the page click the Descargar ELIBAGLA button.
● Close all open applications. Run the tool by double-clicking it and click Explorar. After the scan, a log will be saved at C:\InfoSat.txt.

Paste this log in your next reply.
 
fixpolicies.exe is not a valid Win32 application. Man, what an annoying virus, just like you said, huh????? But EliBagle worked:

Sun Feb 22 10:01:07 2009
EliBagle v12.25 ©2009 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.

Sun Feb 22 10:11:10 2009
EliBagle v12.25 ©2009 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
Restaurada Clave: "SafeBoot\Minimal y Network"
Reinicie para Completar la Limpieza.

Sun Feb 22 11:00:13 2009
EliBagle v12.25 ©2009 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
Reinicie para Completar la Limpieza.

Mon Feb 23 15:42:05 2009
EliBagle v12.25 ©2009 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
Reinicie para Completar la Limpieza.

Mon Feb 23 15:45:17 2009
EliBagle v12.25 ©2009 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NEROCHECK.EXE --> Eliminado Bagle.dldr
C:\WINDOWS\system32\MDELK.EXE --> Acceso Denegado, Bagle (Reiniciar para completar la Limpieza)

Nº Total de Directorios: 23541
Nº Total de Ficheros: 38821
Nº de Ficheros Analizados: 8456
Nº de Ficheros Infectados: 2
Nº de Ficheros Limpiados: 2

Mon Feb 23 15:48:21 2009
EliBagle v12.25 ©2009 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad D:\

Nº Total de Directorios: 99
Nº Total de Ficheros: 534
Nº de Ficheros Analizados: 53
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Feb 23 15:52:26 2009
EliBagle v12.25 ©2009 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Acceso Denegado.
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
Reinicie para Completar la Limpieza.

Mon Feb 23 15:56:38 2009
EliBagle v11.08 ©2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NEROCHECK.EXE --> Eliminado Bagle.dldr
C:\WINDOWS\system32\MDELK.EXE --> Acceso Denegado, Bagle (Reiniciar para completar la Limpieza)

Nº Total de Directorios: 2159
Nº Total de Ficheros: 29549
Nº de Ficheros Analizados: 8906
Nº de Ficheros Infectados: 2
Nº de Ficheros Limpiados: 2

Mon Feb 23 16:01:12 2009
EliBagle v12.25 ©2009 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad D:\

Nº Total de Directorios: 99
Nº Total de Ficheros: 534
Nº de Ficheros Analizados: 53
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0
 
Open Notepad and paste the text below inside the spoiler (click Show):

Code:
-> OptionStatusOn <- SENSE

# System restrictions -->
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|NoLogOff
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|NoDispCPL
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|NoDispAppearancePage
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|NoDispBackgroundPage
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|NoDispScrSavPage
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|NoDispSettingsPage

# Desktop --> SENSE
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoClose
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoLogOff
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoRun

# Explorer
RegDelValue  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFolderOptions

# RUGRATES EXPLORATE RESTRICTION

CLSID \ CLSID1 \ CLSID2 -> apárt

#Applications 
RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|DisallowRun
RegDeleteKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Save it as Script.scr on the desktop. Double-click the file. A window will appear and disappear quickly.

Try running FixPolicies again and tell me if everything went okay.
 
FixPolicies doesn't generate a log.

- Download Malwarebytes Anti-Malware and, when the window appears asking where to save the program, rename it to Rafa.exe (your name) as shown in the image below:

● Double-click Rafa.exe to start the installation. Select the language Português (Brasil);
● At the end of the installation, check the options "Update Malwarebytes Anti-Malware" and "Launch Malwarebytes Anti-Malware", and click Finish;
● After installation, run the program;
● Select the Quick Scan option and then click Scan;
● When the scan finishes, click OK and the log will be opened for you automatically;
● If anything is detected, check that all items are selected and click the Remove button.
NOTE: If a message appears asking you to restart the computer to complete the removal process, restart it immediately;
● The log can also be viewed by clicking Logs in the main menu;

Copy and paste the contents of this log in your next reply, together with a new HijackThis log.
 
Here's the Malwarebytes log, man. I liked that trick of renaming it to my name :p

Malwarebytes' Anti-Malware 1.34
Versão do banco de dados: 1797
Windows 5.1.2600 Service Pack 3

23/2/2009 16:33:10
mbam-log-2009-02-23 (16-33-10).txt

Tipo de Verificação: Rápida (C:\D:\|)
Objetos verificados: 112792
Tempo decorrido: 33 minute(s), 36 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 4
Valores do Registro infectados: 4
Ítens do Registro infectados: 0
Pastas infectadas: 9
Arquivos infectados: 35

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\uti4ndk2 (Rootkit.Bagle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uti4ndk2 (Rootkit.Bagle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uti4ndk2 (Rootkit.Bagle) -> Quarantined and deleted successfully.

Valores do Registro infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\33121324029934607393720265266261 (Rogue.Antivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ANTIVIRUS (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\totalsecure2009 (Rogue.TotalSecure) -> Quarantined and deleted successfully.

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\rafa fpg\Dados de aplicativos\m (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\rafa fpg\Dados de aplicativos\m (Trojan.Agent) -> Delete on reboot.

Arquivos infectados:
C:\WINDOWS\system32\drivers\downld\324386.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\355461.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\364574.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\371964.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\376110.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\396229.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\415227.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\428796.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\443157.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\452150.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\452981.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\463596.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\470586.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\516052.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\543301.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\555608.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\557501.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\584049.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\585371.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\662672.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\665657.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\774944.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\785329.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\822001.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\836703.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\847628.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\849872.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\880886.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\921414.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\downld\941283.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\flec006.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\drivers\hldrrr.exe (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
c:\WINDOWS\avast.exe (Rogue.SystemAntivirus) -> Delete on reboot.
 
Download FindyKill again; in the save-location dialog, rename it to Brute.exe and save it to the desktop. Then see whether you can install it and run it according to the previous instructions, and post its log:

- Download FindyKill and save it to the desktop;

● Double-click the program icon and install it. The tool will be installed in C:\Arquivos de Programas\FindyKill and an icon will be created on the desktop;
● Double-click this new icon. Press E + Enter. Then press option 2 + Enter and wait;
● If a message appears asking you to confirm removal of the malware, confirm by clicking OK;
● When it finishes, you will need to restart your computer; restart it;
● A log will be at C:\FindyKill.txt.
 
Bleeeeeeez man, things are starting to work again little by little here. Here's the log from brute.exe (FindyKill). Thanks, Mr Wolf, if it weren't for you I'd be screwed by now, man.


############################## [ FindyKill V4.717 ]

# User : Rafael () # rafa fg-MK900868
# Update on 17/02/09 by Chiquitine29
# Start at: 17:15:52 | 23/2/2009

# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 7.00.6000.16640
# Windows Firewall Status : Disable
# AV : Kaspersky Internet Security 2009[ (!) Disabled | Updated ]

# A:\ # Unidade de disquete de 3 1/2 polegadas
# C:\ # Disco fixo local # NTFS
# D:\ # Disco CD-ROM

# [ FindyKill V4.717 - Deleting ] ###############


############################## [ Active Processes ]


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\Arquivos de programas\Windows Media Player\wmplayer.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe


################## [ Infected Files / Folders C:\ ]


»»»» Supression files in C:


Deleted ! - C:\fsc.tmp
Deleted ! - C:\Autorun.inf


»»»» Supression files in C:\Windows


»»»» Supression files in C:\Windows\Prefetch


Deleted ! - C:\WINDOWS\prefetch\241859.EXE-2D606250.pf
Deleted ! - C:\WINDOWS\prefetch\251406.EXE-2A127A7E.pf
Deleted ! - C:\WINDOWS\prefetch\254062.EXE-0EF7219F.pf
Deleted ! - C:\WINDOWS\prefetch\320593.EXE-2E944A78.pf
Deleted ! - C:\WINDOWS\prefetch\321500.EXE-17F7003B.pf
Deleted ! - C:\WINDOWS\prefetch\325703.EXE-082517C1.pf
Deleted ! - C:\WINDOWS\prefetch\328390.EXE-099103F4.pf
Deleted ! - C:\WINDOWS\prefetch\335671.EXE-2282BD74.pf
Deleted ! - C:\WINDOWS\prefetch\129203.EXE-1007E30D.pf
Deleted ! - C:\WINDOWS\prefetch\134093.EXE-15F0E411.pf
Deleted ! - C:\WINDOWS\prefetch\134796.EXE-10D6C0C7.pf
Deleted ! - C:\WINDOWS\prefetch\1430828.EXE-039C84D3.pf
Deleted ! - C:\WINDOWS\prefetch\143687.EXE-279CE730.pf
Deleted ! - C:\WINDOWS\prefetch\1493640.EXE-17D1D20E.pf
Deleted ! - C:\WINDOWS\prefetch\1501968.EXE-1F3399B8.pf
Deleted ! - C:\WINDOWS\prefetch\151093.EXE-046BF39B.pf
Deleted ! - C:\WINDOWS\prefetch\157640.EXE-217381E6.pf
Deleted ! - C:\WINDOWS\prefetch\159375.EXE-05D5C348.pf
Deleted ! - C:\WINDOWS\prefetch\162218.EXE-01480891.pf
Deleted ! - C:\WINDOWS\prefetch\165906.EXE-007CF83B.pf
Deleted ! - C:\WINDOWS\prefetch\173218.EXE-23606787.pf
Deleted ! - C:\WINDOWS\prefetch\177468.EXE-3B1E275D.pf
Deleted ! - C:\WINDOWS\prefetch\182281.EXE-02EBAC07.pf
Deleted ! - C:\WINDOWS\prefetch\202562.EXE-36B99D0C.pf
Deleted ! - C:\WINDOWS\prefetch\225140.EXE-0B21042A.pf
Deleted ! - C:\WINDOWS\prefetch\225500.EXE-028E2468.pf
Deleted ! - C:\WINDOWS\prefetch\244078.EXE-0AFDDB45.pf
Deleted ! - C:\WINDOWS\prefetch\249187.EXE-23B763B3.pf
Deleted ! - C:\WINDOWS\prefetch\257546.EXE-3B722181.pf
Deleted ! - C:\WINDOWS\prefetch\263062.EXE-18A33902.pf
Deleted ! - C:\WINDOWS\prefetch\271609.EXE-23588D34.pf
Deleted ! - C:\WINDOWS\prefetch\305421.EXE-15B462C2.pf
Deleted ! - C:\WINDOWS\prefetch\HLDRRR.EXE-106798BB.pf
Deleted ! - C:\WINDOWS\Prefetch\PATCHJRE.EXE-1681CDA0.pf
Deleted ! - C:\WINDOWS\prefetch\FLEC006.EXE-26678B14.pf
Deleted ! - C:\WINDOWS\prefetch\MDELK.EXE-1D176F91.pf
Deleted ! - C:\WINDOWS\prefetch\WINTEMS.EXE-2A563F9B.pf


»»»» Supression files in C:\Windows\system32


Deleted ! - C:\WINDOWS\system32\autorun.inf
Deleted ! - C:\Windows\system32\mdelk.exe
Deleted ! - C:\Windows\system32\wintems.exe
Deleted ! - C:\WINDOWS\system32\ban_list.txt


»»»» Supression files in C:\Windows\system32\drivers


Deleted ! - C:\WINDOWS\system32\drivers\srosa.sys
Deleted ! - C:\WINDOWS\system32\drivers\srosa2.sys
Deleted ! - C:\WINDOWS\system32\drivers\winfilse.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\202562.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\240156.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\246046.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\263062.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\271609.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\280703.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\300515.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\355937.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\380734.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\381984.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\459796.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\465359.exe
Deleted ! - C:\WINDOWS\system32\drivers\downld\472140.exe
Deleted ! - C:\Windows\system32\drivers\downld\11253490.exe
Deleted ! - C:\Windows\system32\drivers\downld\11262804.exe
Deleted ! - C:\Windows\system32\drivers\downld\11265097.exe
Deleted ! - C:\Windows\system32\drivers\downld\11285876.exe
Deleted ! - C:\Windows\system32\drivers\downld\11296828.exe
Deleted ! - C:\Windows\system32\drivers\downld\11306406.exe
Deleted ! - C:\Windows\system32\drivers\downld\11316203.exe
Deleted ! - C:\Windows\system32\drivers\downld\11323098.exe
Deleted ! - C:\Windows\system32\drivers\downld\231708.exe
Deleted ! - C:\Windows\system32\drivers\downld\234095.exe
Deleted ! - C:\Windows\system32\drivers\downld\250958.exe
Deleted ! - C:\Windows\system32\drivers\downld\266839.exe
Deleted ! - C:\Windows\system32\drivers\downld\276870.exe
Deleted ! - C:\Windows\system32\drivers\downld\289943.exe
Deleted ! - C:\Windows\system32\drivers\downld\297150.exe
Deleted ! - C:\Windows\system32\drivers\downld\402342.exe
Deleted ! - C:\Windows\system32\drivers\downld\426647.exe
Deleted ! - C:\Windows\system32\drivers\downld\530247.exe
Deleted ! - C:\Windows\system32\drivers\downld\530793.exe
Deleted ! - C:\Windows\system32\drivers\downld\539030.exe
Deleted ! - C:\Windows\system32\drivers\downld\539825.exe
Deleted ! - C:\Windows\system32\drivers\downld\543554.exe
Deleted ! - C:\Windows\system32\drivers\downld\557235.exe
Deleted ! - C:\Windows\system32\drivers\downld\570714.exe
Deleted ! - C:\Windows\system32\drivers\downld\577266.exe
Deleted ! - C:\Windows\system32\drivers\downld\579465.exe
Deleted ! - C:\Windows\system32\drivers\downld\580573.exe
Deleted ! - C:\Windows\system32\drivers\downld\583350.exe
Deleted ! - C:\Windows\system32\drivers\downld\58819911.exe
Deleted ! - C:\Windows\system32\drivers\downld\58824279.exe
Deleted ! - C:\Windows\system32\drivers\downld\58838522.exe
Deleted ! - C:\Windows\system32\drivers\downld\58854996.exe
Deleted ! - C:\Windows\system32\drivers\downld\58867991.exe
Deleted ! - C:\Windows\system32\drivers\downld\58887054.exe
Deleted ! - C:\Windows\system32\drivers\downld\58908364.exe
Deleted ! - C:\Windows\system32\drivers\downld\58922934.exe
Deleted ! - C:\Windows\system32\drivers\downld\59017346.exe
Deleted ! - "C:\WINDOWS\system32\drivers\downld"


»»»» Supression files in C:\Documents and Settings\rafa fpg\Dados de aplicativos


Deleted ! - "C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\flec006.exe"
Deleted ! - "C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\list.oct"
Deleted ! - "C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\data.oct"
Deleted ! - "C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\srvlist.oct"
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\3D Dancing Snowmen 1.0.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\3D_Manatees_1.0.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\4D_AudioPlayer_SGLX_1.5_Serial.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\5_Solitaires_Pack_1.23.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\Complete_Anonymous_Internet_1.0_[Serial].zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\Constructioner Light Edition 2.7 (Key).zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\CoolCap 2.1.11.6.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\Critter_Match_1.0_[Patch].zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\CSV & Text Files to HTML Table Software 7.0 (Cracked).zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\Unreal_Tournament_2004_DM_Buliwyf_map.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\USAsoft DVD Video MOV Converter 5.00.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\VISaldo 1.0.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\VisNetic_AntiVirus_Plug-in_for_VisNetic_MailServer_4.6.1.3.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\Wedding_Diary_1.01.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\Word Viewer ActiveX Control 3.2.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\Xilisoft iPod Video Converter 3.1.37.0718b Patch.zip
Deleted ! - C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared\X_Rule_1.0_[KeyGen].zip
Deleted ! - "C:\Documents and Settings\rafa fpg\Dados de aplicativos\m\shared"
Deleted ! - "C:\Documents and Settings\rafa fpg\Dados de aplicativos\m"


»»»» Supression files in C:\DOCUME~1\rafa fpg\CONFIG~1\Temp


»»»» Supression files in C:\Documents and Settings\rafa fpg\Local Settings\Temporary Internet Files\Content.IE5


################## [ Registry / Infected keys ]


Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
Deleted ! - HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\key_generator
Deleted ! - HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\winupgro
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sK9Ou0s
Deleted ! - HKEY_CURRENT_USER\Software\bisoft
Deleted ! - HKEY_CURRENT_USER\Software\DateTime4
Deleted ! - HKEY_CURRENT_USER\Software\FirtR
Deleted ! - HKEY_CURRENT_USER\Software\FFC
Deleted ! - HKEY_CURRENT_USER\Software\CHKPTR
Deleted ! - HKEY_USERS\S-1-5-21-2136287408-100421902-711123233-1003\Software\Local AppWizard-Generated Applications\MsnMsgr
Deleted ! - HKEY_USERS\S-1-5-21-2136287408-100421902-711123233-1003\Software\Local AppWizard-Generated Applications\winfilse
Deleted ! - HKEY_USERS\S-1-5-21-2136287408-100421902-711123233-1003\Software\MuleAppData


################## [ Searching in removable drives ]


# Presence of files :


################## [ States / Restarting of services ]



+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

Ip6Fw - Type of startup = 2

SharedAccess - Type of startup = 2

wuauserv - Type of startup = 2

wscsvc - Type of startup = 2



################## [ Registry / Mountpoint2 ]


# -> Not found !


################## [ Searching Other Infections ]



################## [ Searching Cracks / Keygen ]


Deleted ! - C:\program files\garena_crack.zip
Deleted ! - C:program files\cssjkeygen_arow.rar


################## [ ! End of report # FindyKill V4.717 ! ]
 
Go to Start > Run, type the commands below, one after the other, and click OK on each:

Code:
REG.EXE add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t Reg_DWORD /d 0x1 /f

Code:
REG.EXE add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t Reg_DWORD /d 0xff /f

- Download BFU and save it to the desktop;

- Create a folder named C:\BFU and extract the files into it;
- Go to the folder and double-click the BFU.exe file. In the window that opens, click the button shown in the attached image and paste the following address into the box that opens:

Code:
http://pagesperso-orange.fr/Chercheur-perso/scripts/toolbar.bfu

- Click OK. Click the Execute button and wait for the message. Click OK on the message.

Run FindyKill again, press E + Enter. Then 1 + Enter.

Paste its log here.
 
Bleeeeeez, I already did all that stuff too, and here's another FindyKill (brute.exe) log. Man, thanks a lot for helping me out here, dude, you really know your stuff.



############################## [ FindyKill V4.717 ]

# User : Rafael () # rafa fg-MK900868
# Update on 17/02/09 by Chiquitine29
# Start at: 17:57:20 | 23/2/2009

# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 7.00.6000.16640
# Windows Firewall Status : Disable
# AV : Kaspersky Internet Security 2009[ (!) Disabled | Updated ]

# A:\ # Unidade de disquete de 3 1/2 polegadas
# C:\ # Disco fixo local # NTFS
# D:\ # Disco CD-ROM


############################## [ Active Processes ]

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe


################## [ Infected Files / Folders C:\ ]


################## [ C:\WINDOWS ]


################## [ C:\WINDOWS\system32 ]


################## [ C:\WINDOWS\system32\drivers ]


################## [ C:\.. Application Data ... ]


################## [ Registry / Infected keys ]



################## [ Searching in removable drives ]

# Presence of files :


################## [ Registry / Mountpoint2 ]

# -> Not found !

################## [ ! End of report # FindyKill V4.717 ! ]
 
AEEEEEEEEEEEEEEEEEEEEEEEEEE MAN, KIS IS WORKING NORMALLY AGAIN AND THE PROGRAMS AREN'T GIVING THAT "VALID WIN32" ERROR ANYMORE, THANKS A LOT BRO, THANKS THANKS THANKS THANKS :yes:


\o/ \ o / wooohoooo

that's how we do it


Should I run a scan with KIS here, or not? What do you think, Mr Wolf????


thanks
 
Should I run a scan with KIS here, or not? What do you think, Mr Wolf????
No.

By all indications the Rootkit.Bagle has been removed. But we still have a File Infector (Sality) and a Backdoor (Autoupder) to remove, my friend. The "fight" is only just beginning, heh.

Run FindyKill, press E + Enter. Then 3 + Enter to remove it. Click OK on the message.

Please post a new HijackThis log.
 
**** happiness for the poor really is short-lived, I forgot about those other viruses, man. Ahh, but the important thing is that some of my programs are working fine now without that damned error; only a few still don't open, that must be those remaining viruses, right???

here's the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25:33, on 23/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Ares Gold.exe
C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Windows Media Player\wmplayer.exe
C:\remoçao de virus adrenaline\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdm2.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [LManager] C:\ARQUIV~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SynTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [systema] C:\WINDOWS\system32\systema.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [aresG] "C:\Arquivos de programas\Ares Gold Premium
O4 - HKCU\..\Run: [Gold] "C:\Documents and Settings\Ares Gold Stars
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Free Download Manager] "C:\Arquivos de programas\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Arquivos de programas\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: "Adicionar ao Bloqueador de banner de anúncio" - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Baixar com o FDM - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: Baixar tudo com o FDM - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selecionado pelo FDM - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Arquivos de programas\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Arquivos de programas\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra button: Estatísticas de proteção de tráfego da web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.Microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dreamchro...eb.1.0.0.10.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} (Jolly Bear Games Player) - http://www.shockwave.com/content/bigcityad...BGamePlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1767345-3AC8-4D50-957B-3B1D565CEB36}: NameServer = 200.204.0.10 200.204.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{782554B4-8027-42C5-A185-4E9105C6ED5B}: NameServer = 85.255.112.21
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\adialhk.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: McAfee Application Installer Cleanup (0094841234058681) (0094841234058681mcinstcleanup) - - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

--
End of file - 6821 bytes
 
Man, KIS has gone crazy here, it's detecting everything as a virus, it's even freezing the PC :eek: what is this???? It's even detecting HijackThis as a virus.
 
Man, KIS has gone crazy here, it's detecting everything as a virus, it's even freezing the PC :eek: what is this???? It's even detecting HijackThis as a virus.
File Infector.

Was it you who installed Ares Gold? Uninstall this program immediately. It installs adware and trojans on the machine. It is a fake program developed by the adware company AdVantage.


Step 1

- Download the file from the link below and save it inside the C:\BFU folder;
http://www.ctrlaltdel.dk/Programmer/BFUwareout.zip

- Unzip the file right there inside the folder;
- Run the BFU tool again, click the button shown in the attached image and select the wareout.bfu file that will be inside the folder. Click Execute > OK.


Step 2

- Download FixAutoupder and save it to the desktop;

- Double-click the tool and wait for the check. The scan takes a while;
- If it finds the infection it will ask you to restart the machine. Restart it then.


Step 3 -> This procedure must be done while not signed in to MSN, so close it before continuing...

- Download MSNCleaner and save it to the desktop;

● Close all open windows, extract the file to the desktop and double-click MSNCleaner.exe (a folder will be created at C:\MSNCleaner);
● Under "Language" select "Portugues";
● Click the Analisar button and wait. It may take a while;
● If the tool finds infections, click the Remover button and confirm the removal;
● Go to the MSNCleaner folder in C: and open the log that will be inside the folder.

In your next reply, paste the MSNCleaner log and a new HijackThis log.
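As an added example (not from the thread, and not part of HijackThis or any tool named here), the script below applies the kind of reading Mr Wolf is doing above to the HijackThis log posted earlier: it parses the Rx/Oxx entries and flags components whose file is gone, Run values that are malformed or belong to a program the thread identified as adware-bundled, the DisableRegedit policy, and O17 resolvers that are not on a known-good list. The sample lines are a constructed subset of the 18:25 log; the known-good resolver set (the two 200.204.x addresses from the first O17 entry) and the "Ares Gold" name are assumptions taken from this thread, not from a vendor feed.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example, not part of the forum thread or of HijackThis itself.
It parses the Rx/Oxx entries of a HJT log and flags the patterns a
helper would look at first.  The sample log is a constructed subset of
the lines posted in the thread; the known-good resolver list is an
assumption and must come from the machine's real ISP/config.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the log in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [aresG] "C:\Arquivos de programas\Ares Gold Premium
O4 - HKCU\..\Run: [Gold] "C:\Documents and Settings\Ares Gold Stars
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1767345-3AC8-4D50-957B-3B1D565CEB36}: NameServer = 200.204.0.10 200.204.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{782554B4-8027-42C5-A185-4E9105C6ED5B}: NameServer = 85.255.112.21
O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: McAfee Application Installer Cleanup (0094841234058681) (0094841234058681mcinstcleanup) - - (no file)
"""

# Assumption: resolvers the ISP actually hands out (taken from the first O17
# entry in the thread).  Any other resolver deserves a manual look.
KNOWN_NAMESERVERS = {"200.204.0.10", "200.204.0.138"}

# Program names the thread's helper identified as bundling adware/trojans.
SUSPECT_PROGRAMS = ("Ares Gold",)

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Return (section, body) tuples for every Rx/Oxx entry in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def analyze(entries, known_nameservers=KNOWN_NAMESERVERS):
    """Apply simple triage rules; one Finding per entry that trips a rule."""
    findings = []
    for section, body in entries:
        reasons = []
        if section in ("O2", "O23") and "(no file)" in body:
            reasons.append("registered component whose file is gone (orphan or removed malware)")
        if section == "O4":
            if body.count('"') % 2 == 1:
                reasons.append("Run value with an unterminated quote (truncated or malformed command line)")
            if any(name in body for name in SUSPECT_PROGRAMS):
                reasons.append("autostart for a program identified as adware-bundled")
        if section == "O7" and "DisableRegedit=1" in body:
            reasons.append("policy blocks regedit; usually set by malware, not by the user")
        if section == "O17":
            m = NS_RE.search(body)
            if m:
                unknown = [ip for ip in m.group("servers").split() if ip not in known_nameservers]
                if unknown:
                    reasons.append("DNS resolver not in the known-good list: " + ", ".join(unknown))
        if reasons:
            findings.append(Finding(section, body, reasons))
    return findings


def report(findings):
    """Plain-text summary, one block per finding."""
    lines = []
    for f in findings:
        lines.append(f"[{f.section}] {f.body}")
        for r in f.reasons:
            lines.append(f"    -> {r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(parse_hjt(SAMPLE_LOG))))
```

Run it against a full log by reading the file into `parse_hjt`; on the sample above it flags six of the ten entries (the orphaned O2 and O23, both Ares Gold O4 values, the O7 policy, and the second O17 resolver), and leaves the Kaspersky entries and the ISP resolvers alone. The rules are deliberately narrow: an entry the script does not flag is not thereby clean, and a flagged O17 only means "compare against what the ISP really assigns".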
 
Man, I didn't even know Ares was fake, but I always see everybody using Ares. Is it really fake???? Well, nothing was really working anyway; I'd tell it to download a song and nothing happened, so it must be fake, damn. Another thing I didn't know was that my MSN had a virus, man. Oh, later will you teach me how to read these logs, bro??? This is a weapon against viruses, it's even better than an antivirus :eek: Thanks for everything, my PC is running like a charm.


- Reporte MSNCleaner 1.7.1 by www.forospyware.com
- Reporte Creado: 23/2/2009 on 19:12:05
- Sistema Operacional: Windows XP
- Tipo de Boot: Normal
_________________________________________

Arquivos detectados: 9
Arquivos removidos: 9
Arquivos não removidos: 0

C:\WINDOWS\images.zip <--- Removido
C:\WINDOWS\Bush.exe <--- Removido
C:\WINDOWS\Desnuda.exe <--- Removido
C:\WINDOWS\F0538_jpg.zip <--- Removido
C:\WINDOWS\Facebook.zip <--- Removido
C:\Windows\System32\New-Year2008-imgaes.zip <--- Removido
C:\Windows\System32\new-photos.zip <--- Removido
C:\Windows\System32\Foto_Celular.scr <--- Removido
C:\Windows\System32\Foto_Celular.zip <--- Removido



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50:21, on 23/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Garena\Garena.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Windows Media Player\wmplayer.exe
C:\remoçao de virus adrenaline\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdm2.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [LManager] C:\ARQUIV~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SynTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [aresG] "C:\Arquivos de programas\Ares Gold Premium
O4 - HKCU\..\Run: [Gold] "C:\Documents and Settings\Ares Gold Stars
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Free Download Manager] "C:\Arquivos de programas\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Arquivos de programas\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: "Adicionar ao Bloqueador de banner de anúncio" - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Baixar com o FDM - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: Baixar tudo com o FDM - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selecionado pelo FDM - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Arquivos de programas\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Arquivos de programas\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra button: Estatísticas de proteção de tráfego da web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.Microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dreamchro...eb.1.0.0.10.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} (Jolly Bear Games Player) - http://www.shockwave.com/content/bigcityad...BGamePlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1767345-3AC8-4D50-957B-3B1D565CEB36}: NameServer = 200.204.0.10 200.204.0.138
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\adialhk.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: McAfee Application Installer Cleanup (0094841234058681) (0094841234058681mcinstcleanup) - - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

--
End of file - 6533 bytes
 
Sorry for the delay, mr wolf

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, February 23, 2009 23:20:21
Records in database: 1836128
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 102847
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:53:35

No malware has been detected. The scan area is clean.

The selected area was scanned.

hehe, there you go mr wolf, I can't find any virus at all O.O
What could be causing the slowness?