Good afternoon iMasters!
I have been reading on this forum about problems theoretically identical to mine, but, following the forum rules, I did not hijack anyone's topic, since even without reading the rules I already knew that each log concerns one PC and its own problems. So, after reading up on the posting rules, I saw that the right thing was indeed to open a new topic and wait for my log to be analysed. That is what I did, and I await an analysis.
Of the facts I believe to have been the cause of my PC's infection, I cite:
Yesterday, as usual, my girlfriend used my PC to read some of her e-mails. Being even less technical than I am, she ended up opening a supposed PPT file that was actually an executable (.exe). I only found out because she liked the e-mail and came to show it to me, and when I saw the file asking for access permission it was already done. Today, when I turned the PC on, I was met with 3 error windows, [Failed to set data for "SynNglp"], [Failed to set data for "BTStarcFrr"] and [Failed to set data for "BTStarcLrj"]; the fourth and largest error window appeared a few minutes after the PC had already started.
====== Below is my current log ======
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:06:47, on 19/03/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\BTStacLrj.exe
C:\Windows\System32\BTStacFrr.exe
C:\Windows\System32\SynNglp.exe
C:\Users\Bruno\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll (file missing)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TVTray] C:\Program Files\ENLTV-FM3\TVTray.exe
O4 - HKLM\..\Run: [CallControl 4.5] "C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe" /autoload
O4 - HKLM\..\Run: [C:\Windows\system32\V0540Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0540Ext.ax
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [bTStacLrj] C:\Windows\system32\BTStacLrj.exe
O4 - HKLM\..\Run: [bTStacFrr] C:\Windows\system32\BTStacFrr.exe
O4 - HKLM\..\Run: [synNglp] C:\Windows\system32\SynNglp.exe
O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Google Update] "C:\Users\Bruno\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: scpVista - Unknown owner - C:\Program Files\Scpad\scpVista.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
--
End of file - 6231 bytes
Wings, here is the log
PS: After restarting the PC, 2 error windows still persisted: [Failed to set data for "BTStarcFrr"] and [Failed to set data for "BTStarcLrj"]
========== Here is the LOG ==========
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Versão da Base de Dados: 6107
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
19/03/2011 15:28:15
mbam-log-2011-03-19 (15-28-15).txt
Tipo de Verificação: Verificação Completa (C:\|)
Objetos escaneados: 271571
Tempo decorrido: 38 minuto(s), 0 segundo(s)
Processos de Memória Infectados: 1
Módulos de Memória Infectados: 0
Chaves de Registro Infectadas: 0
Valores de Registro Infectados: 1
Itens de Dados no Registro Infectados: 0
Pastas Infectadas: 0
Arquivos Infectados: 1
Processos de Memória Infectados:
C:\Windows\System32\SynNglp.exe (Trojan.Banker) -> Unloaded process successfully.
Módulos de Memória Infectados:
(Não foram detectados ítens maliciosos)
Chaves de Registro Infectadas:
(Não foram detectados ítens maliciosos)
Valores de Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synnglp (Trojan.Banker) -> Quarantined and deleted successfully.
Itens de Dados no Registro Infectados:
(Não foram detectados ítens maliciosos)
Pastas Infectadas:
(Não foram detectados ítens maliciosos)
Arquivos Infectados:
C:\Windows\System32\SynNglp.exe (Trojan.Banker) -> Quarantined and deleted successfully.
*Download ZHPDiag and save it to the desktop
*Install the program and, during installation, select the option [x]Créer une icône sur le Bureau
*Click the button shown in the screenshot (image not reproduced here) and wait until it finishes
*Paste the ZHPDiag.txt and mbr.txt reports created in C:\Arquivos de programas\ZHPdiag
If the ZHPDiag.txt report is too large..
*Go to this link
*Click [Send file]
*Locate the ZHPDiag.txt file
*Click [Open] > [Créer le lien Cjoint]
*Paste the address that was created
When ZHPDiag finished installing, it returned this error:
Even so, I did as you said.
The ZHPDiag.txt log really did turn out large, see link:
http://cjoint.com/data1/1dtuaLlTEfG_ZHPDiag.Txt
The mbr.txt log follows below:
========= mbr.txt log =========
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: SAMSUNG_ rev.1AG0 -> \Device\0000005d
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
C:\Windows\system32\drivers\nvstor.sys NVIDIA Corporation NVIDIA nForce™ SATA Driver
1 ntkrnlpa!IofCallDriver[0x82A7252F] -> \Device\Harddisk0\DR0[0x85E6E238]
3 CLASSPNP[0x8A99159E] -> ntkrnlpa!IofCallDriver[0x82A7252F] -> [0x84DF6700]
5 ACPI[0x8A39E3D4] -> ntkrnlpa!IofCallDriver[0x82A7252F] -> \Device\0000005d[0x857068B0]
kernel: MBR read successfully
user & kernel MBR OK
Please....a new HijackThis log.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:20:13, on 19/03/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Windows\System32\BTStacLrj.exe
C:\Windows\System32\BTStacFrr.exe
C:\Users\Bruno\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll (file missing)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TVTray] C:\Program Files\ENLTV-FM3\TVTray.exe
O4 - HKLM\..\Run: [CallControl 4.5] "C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe" /autoload
O4 - HKLM\..\Run: [C:\Windows\system32\V0540Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0540Ext.ax
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [bTStacLrj] C:\Windows\system32\BTStacLrj.exe
O4 - HKLM\..\Run: [bTStacFrr] C:\Windows\system32\BTStacFrr.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Google Update] "C:\Users\Bruno\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DIMBaixando a sua atualização...1285781003180] "C:\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\DIM.EXE" "c:\programdata\corel\downloads\540215253_410003\1285781003180\dim_params.xml" -Launch=3 -uibase="c:\programdata\corel\messages\540215253_410003\br\messagecache1\workflow"
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: scpVista - Unknown owner - C:\Program Files\Scpad\scpVista.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
--
End of file - 7056 bytes
*Do an online scan with NOD32
*When it finishes, paste the report created in C:\Arquivos de programas\EsetOnlineScanner\log
wings, here is the long-awaited log ^^
Although it found some viruses and some keygens, after restarting the two errors persisted.
========= here is the log =========
ESETSmartInstaller@High as downloader log:
all ok
C:\Users\Bruno\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000571 a variant of Win32/TrojanDownloader.Banload.PYP trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Bruno\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E15TE02L\destejer[1].mp3 a variant of Win32/Spy.Banker.UQC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\config\Santuares.exe a variant of Win32/TrojanDownloader.Banload.PYP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\BRUNO\Software\DreamWeaver CS5\Kgen\k-gen.exe a variant of Win32/Keygen.BH application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\BRUNO\Software\PhotoShop CS5\kgen_PhotoShop-CS5.exe a variant of Win32/HackTool.Patcher.P application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Downloads\ADWCS5.v11.0.4909-www.brasildowns.com.br-.rar a variant of Win32/Keygen.BH application (deleted - quarantined) 00000000000000000000000000000000 C
Yes, it really did take a while....:)
Before closing the case, I want to get information on two files.
*Download SystemLook and save it to the desktop
*Run it and paste the following into the blank space:
:file
C:\Windows\system32\BTStacLrj.exe
C:\Windows\system32\BTStacFrr.exe
*Click [Look]
*Paste the report shown
Well, imagine almost 500GB of junk to scan... ^_^
So wings, there it is, I hope we're close to the end! heh
SystemLook 04.09.10 by jpshortstuff
Log created at 19:23 on 19/03/2011 by Bruno
Administrator - Elevation successful
========== file ==========
C:\Windows\system32\BTStacLrj.exe - File found and opened.
MD5: 7BD2BA9CFB7F4D6B0B9C05C07A774C4D
Created at 22:18 on 18/03/2011
Modified at 22:18 on 18/03/2011
Size: 2766848 bytes
Attributes: --a----
No version information available.
C:\Windows\system32\BTStacFrr.exe - File found and opened.
MD5: F7123D6D7DF7F9C63CEC84D6331EBFB9
Created at 22:19 on 18/03/2011
Modified at 22:19 on 18/03/2011
Size: 1824256 bytes
Attributes: --a----
No version information available.
-= EOF =-
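Added example, not code from this thread and not part of Trend Micro's HijackThis or jpshortstuff's SystemLook: a small Python triage script that reads the O4 (Run key) lines from HijackThis logs like the ones posted above and the SystemLook ":file" block just posted, flags Run values that launch a bare, argument-less executable straight out of System32, and joins them with the file metadata (MD5, creation time, presence of version information). The sample lines are copied from the logs in this thread; the heuristic, the 18/03/2011 infection date (the day the e-mail attachment was opened, per the first post) and every function name are this example's own assumptions.

```python
"""Autorun triage: HijackThis O4 lines joined with SystemLook ':file' metadata.

Added example for this thread; not code from the thread, from Trend Micro HijackThis or from
jpshortstuff's SystemLook. Sample text is copied from the logs posted in the thread; the
heuristics, the infection date and the function names are this example's own assumptions."""
import re
from datetime import date, datetime

# O4 line: hive is HKLM, HKCU or HKUS\<SID>; key is Run or RunOnce.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First .exe on the command line; unquoted paths may contain spaces, so cut at ".exe".
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?P<rest>.*)$', re.IGNORECASE)
# A bare executable directly inside System32 (no subfolder).
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)
SL_FILE_RE = re.compile(r"^(?P<path>.+?) - File found and opened\.$")
SL_CREATED_RE = re.compile(r"^Created at (?P<hm>\d{2}:\d{2}) on (?P<dmy>\d{2}/\d{2}/\d{4})$")

def parse_o4(text):
    """One dict per O4 line: hive, key, value name, executable path, trailing arguments."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        e = EXE_RE.match(m.group("cmd")) if m else None
        if e:
            entries.append({"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
                            "exe": e.group("exe"), "args": e.group("rest").strip()})
    return entries

def suspicious_autoruns(entries):
    """Persistent Run values that start an argument-less .exe sitting straight in System32.
    RunOnce entries and launchers with arguments (RegSvr32 /s ...) are left alone. Own rule."""
    return [e for e in entries if e["key"] == "Run" and not e["args"] and SYSTEM32_RE.match(e["exe"])]

def parse_systemlook(text):
    """Parse SystemLook ':file' blocks into path, MD5, creation time and a version-info flag."""
    files, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m, c = SL_FILE_RE.match(line), SL_CREATED_RE.match(line)
        if m:
            cur = {"path": m.group("path"), "md5": None, "created": None, "version_info": True}
            files.append(cur)
        elif cur is None:
            continue  # header lines before the first file block
        elif line.startswith("MD5: "):
            cur["md5"] = line[5:]
        elif c:
            cur["created"] = datetime.strptime(f"{c.group('dmy')} {c.group('hm')}", "%d/%m/%Y %H:%M")
        elif line == "No version information available.":
            cur["version_info"] = False
    return files

def triage(hjt_text, systemlook_text, infection_day):
    """Join flagged autoruns with SystemLook metadata. A flagged file created on or after the
    suspected infection day with no version resource is the strongest signal."""
    meta = {f["path"].lower(): f for f in parse_systemlook(systemlook_text)}
    findings = []
    for e in suspicious_autoruns(parse_o4(hjt_text)):
        f = meta.get(e["exe"].lower())
        if f is None:
            note = "no SystemLook data (file already removed?)"
        elif f["created"] and f["created"].date() >= infection_day and not f["version_info"]:
            note = "created in the infection window, no version info"
        else:
            note = "autorun flagged, but file metadata looks ordinary"
        findings.append({"exe": e["exe"], "note": note, "md5": f["md5"] if f else None,
                         "created": f["created"] if f else None})
    return findings

# Sample input copied from this thread: an O4 subset of the first HijackThis log and the
# SystemLook output (Modified/Size/Attributes lines omitted; the parser ignores them anyway).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [C:\Windows\system32\V0540Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0540Ext.ax
O4 - HKLM\..\Run: [bTStacLrj] C:\Windows\system32\BTStacLrj.exe
O4 - HKLM\..\Run: [bTStacFrr] C:\Windows\system32\BTStacFrr.exe
O4 - HKLM\..\Run: [synNglp] C:\Windows\system32\SynNglp.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')
"""
SAMPLE_SYSTEMLOOK = r"""
C:\Windows\system32\BTStacLrj.exe - File found and opened.
MD5: 7BD2BA9CFB7F4D6B0B9C05C07A774C4D
Created at 22:18 on 18/03/2011
No version information available.
C:\Windows\system32\BTStacFrr.exe - File found and opened.
MD5: F7123D6D7DF7F9C63CEC84D6331EBFB9
Created at 22:19 on 18/03/2011
No version information available.
-= EOF =-
"""
INFECTION_DAY = date(2011, 3, 18)  # assumption: attachment opened the day before the first log

if __name__ == "__main__":
    for h in triage(SAMPLE_HJT, SAMPLE_SYSTEMLOOK, INFECTION_DAY):
        print(h["exe"], "->", h["note"], h["md5"] or "")
```

Run against the sample, the three System32 autoruns are flagged while sm56hlpr.exe (under Program Files), RegSvr32 (has arguments) and mctadmin (RunOnce) pass; the two BTStac files carry the "infection window" note with their MD5s, and SynNglp.exe, already quarantined by Malwarebytes when SystemLook ran, is reported as having no metadata. The "no version information" test is deliberately weak on its own; it is the combination with a Run key and a creation time inside the window that makes the finding worth submitting for analysis.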
They really are very strange....
1.
*Go to Add or Remove Programs and uninstall ZHPDiag
*Delete the folder C:\Arquivos de programas\ZHPdiag
2.
*Run the file c:\Arquivos de programas\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
3.
*Delete SystemLook and its report SystemLook.txt created on the desktop
4.
*Run Malwarebytes, click the [Quarantine] tab, select all the results and click [Delete All]
*Click the [Logs] tab, select the report and click [Delete]
*Close Malwarebytes
5.
*Submit the files below for analysis at http://virusscan.jotti.org
C:\Windows\system32\BTStacLrj.exe
C:\Windows\system32\BTStacFrr.exe
*Paste the links to the results.
Here are the links:
Ref. file [bTStacLrj.exe]
http://virusscan.jotti.org/pt-BR/scanresult/1474e9dd5ba9f1c5b76048c1f03b3ac6e8aaa83f
Ref. file [bTStacFrr.exe]
http://virusscan.jotti.org/pt-BR/scanresult/d2b50e3bfaed2f556c35cf3c8a61cfa407a7ac1d
The detection rate was significant for one of them, at almost 50%.
Let's finish with this antivirus.
*Download Dr.Web CureIt and save it to the desktop
*Run it and click [Cancel] > [No] > [Start] > [Yes]
*Click the button shown in the screenshot (image not reproduced here) to stop the scan
*Click [Options] > [Change settings] > [Actions]
*Under "Infected objects" change it to "Move" and untick the option [ ] Prompt on action
*Click [Apply] > [OK]
*Tick [x] Quick scan
*Click the button shown in the screenshot (image not reproduced here) to start the scan
*When it finishes, close the program and click [No]
*Paste the report C:\Documents and Settings\Nome_do_seu_Usuário\DoctorWeb\CureIt.txt
Wings,
Yesterday, at first, you asked me to do it the full way (the Dr.Web scan).
So I started the full scan, with the program pre-configured the way it comes at installation.
In this process of over 11 hours (I left it scanning, went out, slept and woke up) 15 files had been found, 11 incurable and 4 that were moved; however, the cleanup was not complete because the program ended up freezing. I interrupted the process, and the only thing I managed to save to show you was this:
These are the data I generated when I interrupted the process.
========== start ==========
btstacfrr.exe c:\windows\system32 Trojan.PWS.Banker.origin Incurável.Movido.
btstaclrj.exe c:\windows\system32 Trojan.PWS.Banker.origin Incurável.Movido.
{91AF978A-C3D1-C200-B913-655FBA36707C}-Santuares.exe C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy Trojan.DownLoader.origin Incurável.Movido.
crodesc[1].mp3 C:\Documents and Settings\Bruno\AppData\Local\Dados de aplicativos\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDOV6 Trojan.PWS.Banker.origin Incurável.Movido.
alaost[1].mp3 C:\Documents and Settings\Bruno\AppData\Local\Dados de aplicativos\Microsoft\Windows\Temporary Internet Files\Content.IE5\E15TE Trojan.PWS.Banker.origin Incurável.Movido.
mail[3].js C:\Documents and Settings\Bruno\AppData\Local\Dados de aplicativos\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1 Provavelmente SCRIPT.Virus Movido.
mail[3].js C:\Documents and Settings\Bruno\AppData\Local\Dados de aplicativos\Temporary Internet Files\Low\Content.IE5\1BHQJ51N Provavelmente SCRIPT.Virus Caminho inválido para o ficheiro
mail[3].js C:\Documents and Settings\Bruno\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1BHQJ51N Provavelmente SCRIPT.Virus Caminho inválido para o ficheiro
alaost[1].mp3 C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.PWS.Banker.origin Incurável.Movido.
btstacfrr.exe C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.PWS.Banker.origin Incurável.Movido.
btstaclrj.exe C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.PWS.Banker.origin Incurável.Movido.
crodesc[1].mp3 C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.PWS.Banker.origin Incurável.Movido.
{91AF978A-C3D1-C200-B913-655FBA36707C}-Santuares.exe C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.DownLoader.origin Incurável.Movido.
mail[3].js C:\Users\Bruno\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1BHQJ51N Provavelmente SCRIPT.Virus Caminho inválido para o ficheiro
$R7CRLFE.exe D:\$RECYCLE.BIN\S-1-5-21-355165010-1247274135-1621168963-1001 Trojan.DownLoader1.36257 Incurável.Movido.
========== end ==========
PS: After I interrupted the process, Dr.Web itself suggested restarting the system; I did so and the errors no longer occurred.
Then I came back to the forum and noticed you had edited your last post, suggesting I do it the quick way, so I did it again the suggested way and the result was zero infected files, generating this huge log:
http://mancaro.com.br/CureIt.log (I hosted it on one of my domains)
Just in case, here is a new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:09:32, on 20/03/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Users\Bruno\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Windows\system32\ctfmon.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe
C:\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll (file missing)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TVTray] C:\Program Files\ENLTV-FM3\TVTray.exe
O4 - HKLM\..\Run: [CallControl 4.5] "C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe" /autoload
O4 - HKLM\..\Run: [C:\Windows\system32\V0540Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0540Ext.ax
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Google Update] "C:\Users\Bruno\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DIMBaixando a sua atualização...1285781003180] "C:\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\DIM.EXE" "c:\programdata\corel\downloads\540215253_410003\1285781003180\dim_params.xml" -Launch=3 -uibase="c:\programdata\corel\messages\540215253_410003\br\messagecache1\workflow"
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: scpVista - Unknown owner - C:\Program Files\Scpad\scpVista.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
--
End of file - 6709 bytes
====================
Well, I hope this process has been completed this time...
Thanks!
Hello BrunoPilek
Sorry for changing the procedure. I thought you hadn't done it yet, and since the online scan took so long, I thought it better to do a quick scan.
But that's fine...no problem.
The log is clean.....:)
1.
*Since this program has no installer, just delete DrWebCureIt and the folder C:\Documents and Settings\Nome_do_seu_Usuário\DoctorWeb
Regards.
No problem wings, thank you very much for your attention and your willingness to help.
There should be more people like you, willing to help! heh
Big hug, and it was a great pleasure contributing to the forum; I've become a subscriber, mainly in the Graphic Design section!
PS: Dr.Web, can I keep it for routine checks, or is there no need, or is it even a risky program?!
Regards,
Bruno Luís
No need to keep it on the PC, since this program is updated daily. Let's say: use it....throw it away...heh
Regards.
PROBLEM SOLVED
If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
Hello BrunoPilek
*Download MalwareBytes and save it to the desktop
*Install the program and wait for the update
*The program will open automatically
*On the [Scan] tab, select [Full scan]
*Click [Scan] and select the partition where Windows is installed
*When the scan finishes, click [Yes] > [OK] > [Show Results] > [Remove Selected]
*Paste the report shown