Hi everyone,
I have a very annoying virus; its main symptoms are:
* Temporary files show up in the process list, e.g. 1324343233c.tmp
* Very suspicious executables appear in C:\
* The machine gets very slow and everything freezes
* It has already wrecked Windows
* If an antivirus is installed, the antivirus disappears.
* Installing any program starts failing with a Windows error
* And the installed programs get deleted one by one
* The virus constantly calls drwtsn32.exe
* The virus fills up the hard drive
* It uses Windows "System Restore" to survive
Now the measures I have already taken:
* I ran HijackThis, ComboFix, bankerfix, etc... and nothing helped
* I went into regedit and msconfig, deleted every suspicious entry, and nothing
* I installed several well-known antiviruses, and none of them can remove this virus
* I ran an antivirus from boot and it did not help at all
* I formatted my machine and nothing
* Formatted again and nothing
* I downloaded every antivirus and anti-spyware there is, ran several programs, and nothing
I installed Windows about 4 times yesterday alone.
I even got a genuine original Windows SP1 CD and Office 2007, installed them, did not plug in a pen drive and did not install anything else,
updated everything from the Windows Update site, then installed an antivirus, and the antivirus does not even find the virus.
Worse, I installed a firewall, and it finds the virus and does not let it run, but the virus does not die.
The firewall keeps firing alerts asking me to block or allow; it is a pain.
I would like to know which virus this is and how it infects machines. Over the internet?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:05, on 24/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\G Data\AVKProxy\AVKProxy.exe
C:\Arquivos de programas\G Data\AntiVirus\AVK\AVKService.exe
C:\Arquivos de programas\G Data\AntiVirus\AVK\AVKWCtl.exe
C:\Arquivos de programas\G Data\AntiVirus\AVKTray\AVKTray.exe
C:\Arquivos de programas\UPHClean\uphclean.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Arquivos comuns\G Data\GDScan\GDScan.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fabyo\Desktop\HiJackThis.exe
C:\Arquivos de programas\G Data\AntiVirus\AVK\AVK.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: G Data WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Arquivos de programas\G Data\AntiVirus\WebFilter\AvkWebIE.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: G Data WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Arquivos de programas\G Data\AntiVirus\WebFilter\AvkWebIE.dll
O4 - HKLM\..\Run: [G Data AntiVirus Tray Application] C:\Arquivos de programas\G Data\AntiVirus\AVKTray\AVKTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139406804265
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D51B31D4-1C9F-4CF8-B1D8-DC5CEE072112}: NameServer = 192.168.0.1
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: G Data AntiVirus Proxy (AVKProxy) - G Data Software AG - C:\Arquivos de programas\Arquivos comuns\G Data\AVKProxy\AVKProxy.exe
O23 - Service: G Data Scheduler (AVKService) - G Data Software AG - C:\Arquivos de programas\G Data\AntiVirus\AVK\AVKService.exe
O23 - Service: G Data Sentinela AntiVirus (AVKWCtl) - G Data Software AG - C:\Arquivos de programas\G Data\AntiVirus\AVK\AVKWCtl.exe
O23 - Service: G Data Scanner (GDScan) - G Data Software AG - C:\Arquivos de programas\Arquivos comuns\G Data\GDScan\GDScan.exe
--
End of file - 4220 bytes
Thanks
C:\Arquivos de programas\DsNET Corp\aTube Catcher 2.0\asfbin.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\DsNET Corp\aTube Catcher 2.0\uninstall.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\gs\uninstgs.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\gs\gs8.64\bin\gswin32.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\gs\gs8.64\bin\gswin32c.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Filters\Haali\gdsmux.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\dsconfig.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\graphstudio.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\mediainfo.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\StatsReader.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\VobSubStrip.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\gspot\gspot.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\PDF to Image Converter\uninst.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\VDownloader\ffmpeg.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\VDownloader\VDownloader.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\CABARC.EXE Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\CDIMAGE.EXE Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\Creator.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\modifyPE.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\reboot.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\uninst.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\WinPcap\uninstall.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\iexplore.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\NircmdB.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\pev.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\SF.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\swreg.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\AMagicDefrag.3.0.2.78.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\cmdow.exe Win32/CMDOW.143 application cleaned by deleting - quarantined
C:\Documents and Settings\Fabyo\Desktop\cmdow.rar Win32/CMDOW.143 application deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\ParetoLogic.Inc.Data.Recovery.Pro.v1.1.zip probably a variant of Win32/HackTool.Patcher.A application deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\antivirus segurança\Avast_Antivirus.Pro.4.8.1351.Portable.by_zulkani.rar multiple threats deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\antivirus segurança\BOX_KTR3.0.rar Win32/HackTool.Kiser.GC trojan deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\antivirus segurança\Portables_para_Técnicos_em_Manutenção[www.bestuniom.com - By FeRspaik™].rar probably a variant of Win32/IRCBot trojan deleted - quarantined
C:\Documents and Settings\Fabyo\Meus documentos\Downloads\MiNODLogin_3.8.1.2_bygap87.rar multiple threats deleted - quarantined
C:\SpybotSDPortable\SpybotSDPortable.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\WINDOWS\system\dbghelp.dll Win32/PSW.OnLineGames.PBB trojan deleted (after the next restart) - quarantined
C:\WINDOWS\system\mfc3B.lOG a variant of Win32/PSW.OnLineGames.QIK trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system\msg2.ini a variant of Win32/PSW.OnLineGames.PMH trojan cleaned by deleting - quarantined
C:\WINDOWS\system\msg4C.ini a variant of Win32/PSW.OnLineGames.PMH trojan cleaned by deleting - quarantined
C:\WINDOWS\system\msg4D.ini a variant of Win32/PSW.OnLineGames.PMH trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\appmgmts.dll.tmp probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\mspmsnsv.dll probably a variant of Win32/Genetik trojan unable to clean
C:\WINDOWS\system32\qmgr.dll probably a variant of Win32/Genetik trojan unable to clean
C:\WINDOWS\system32\systemp Win32/PSW.OnLineGames.POB trojan deleted - quarantined
C:\WINDOWS\system32\xmlprov.dll probably a variant of Win32/Genetik trojan unable to clean
C:\WINDOWS\system32\drivers\4A69730C.sys Win32/Wapomi.D virus deleted - quarantined
C:\WINDOWS\system32\drivers\5DC27A8F.sys Win32/Wapomi.D virus deleted - quarantined
C:\WINDOWS\Temp\102156718.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\120050265.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\Temp\120057625.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\120059031.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\120069093.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\120071890.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\12177046.dll a variant of Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\122114484.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\132238515.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\162214906.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\172327187.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\192183437.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\1afe3f36.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\1c7d30fe.exe Win32/PSW.OnLineGames.POB trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\202200265.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\222230250.dll a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\22ce04e7.exe Win32/PSW.OnLineGames.POB trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\22ec491a.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\232189703.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\252205656.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\262248781.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\262440421.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\27fa085f.exe Win32/PSW.OnLineGames.POB trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\282259812.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\2d4247a7.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\305c798f.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\30797222.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\42247500.dll Win32/PSW.OnLineGames.OST trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\47a453d2.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\49771202.exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\4c770fb.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\52149937.dll Win32/PSW.WOW.DZI trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\52345234.dll Win32/PSW.WOW.DZI trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\5c2c06ab.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\5ff30eb7.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\62168828.dll Win32/PSW.WOW.NRF trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\68b66e37.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\6c8b3143.exe Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\6ec10bd2.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\70077359.dll probably a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\70080000.dll probably a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\70081171.dll probably a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\72122328.dll probably a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\785277a6.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\785577af.exe a variant of Win32/PSW.OnLineGames.NSU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\7be90c59.exe Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\82143859.dll a variant of Win32/Kryptik.DLU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\dj.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\e744699.exe Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\gg.dll Win32/PSW.OnLineGames.OST trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\lihJE.LOG probably a variant of Win32/PSW.OnLineGames.OQU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\my.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\rx.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\sg.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\TQ37.tmp probably a variant of Win32/PSW.OnLineGames.OQU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\wl.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\www.dll Win32/PSW.WOW.DZI trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\xyjj.dll a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\zx.dll Win32/PSW.WOW.NRF trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\GDATA.2010.TR.1.7_[RH]\G DATA 2011 Trial Reset v1.7 incl. 1 year license [RH]\GDATA.2011.TR-v1.7.exe Win32/AutoRun.NAX virus deleted - quarantined
D:\AMagicDefrag.3.0.2.78.rar probably a variant of Win32/Agent trojan deleted - quarantined
D:\cmdow.rar Win32/CMDOW.143 application deleted - quarantined
D:\ParetoLogic.Inc.Data.Recovery.Pro.v1.1.zip probably a variant of Win32/HackTool.Patcher.A application deleted - quarantined
D:\Portables_para_Técnicos_em_Manutenção[www.bestuniom.com - By FeRspaik™].rar probably a variant of Win32/IRCBot trojan deleted - quarantined
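As an added example that is not part of the thread, a small Python triage script for scanner output in the shape quoted above (path, detection name, action): it groups hits by detection family and separates out the entries the scanner could not clean or only scheduled for the next restart, which are the ones that need manual follow-up. The log lines embedded in it are constructed to match that format, not copied from the post.

```python
import re
from collections import Counter

# Constructed sample lines in the same shape as the scanner output quoted above.
SAMPLE_LOG = """\
C:\\Arquivos de programas\\gs\\uninstgs.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\\WINDOWS\\system\\dbghelp.dll Win32/PSW.OnLineGames.PBB trojan deleted (after the next restart) - quarantined
C:\\WINDOWS\\system32\\qmgr.dll probably a variant of Win32/Genetik trojan unable to clean
C:\\WINDOWS\\Temp\\12177046.dll a variant of Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\\Documents and Settings\\Fabyo\\Desktop\\cmdow.exe Win32/CMDOW.143 application cleaned by deleting - quarantined
D:\\Portables.rar probably a variant of Win32/IRCBot trojan deleted - quarantined
C:\\Documents and Settings\\Fabyo\\Desktop\\tools.rar multiple threats deleted - quarantined
"""

# <path with spaces> <detection> <action>: the detection text anchors the split, since paths contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?Win32/\S+ (?:virus|trojan|application)|multiple threats) "
    r"(?P<action>.+)$"
)

def family_of(detection: str) -> str:
    """'probably a variant of Win32/PSW.WOW.NOJ trojan' -> 'PSW.WOW' (trailing variant suffix dropped)."""
    m = re.search(r"Win32/(\S+)", detection)
    if not m:
        return detection  # e.g. 'multiple threats'
    parts = m.group(1).split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else parts[0]

def parse_line(line: str):
    """Parse one scanner line into a dict, or return None for lines not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    action = m.group("action")
    return {
        "path": m.group("path"),
        "family": family_of(m.group("detection")),
        "quarantined": action.endswith("- quarantined"),
        "pending_restart": "(after the next restart)" in action,
        "unable_to_clean": action == "unable to clean",
    }

def triage(log_text: str) -> dict:
    """Group hits by family and pull out the items that still need manual follow-up."""
    hits = [d for d in map(parse_line, log_text.splitlines()) if d]
    return {
        "total": len(hits),
        "by_family": Counter(d["family"] for d in hits),
        "unable_to_clean": [d["path"] for d in hits if d["unable_to_clean"]],
        "pending_restart": [d["path"] for d in hits if d["pending_restart"]],
        # Windows system files the scanner could not clean: the install is not trustworthy until they are replaced.
        "system_dir_uncleaned": [d["path"] for d in hits
                                 if d["unable_to_clean"] and "\\WINDOWS\\SYSTEM" in d["path"].upper()],
    }
```

Feed it the full scanner log (for example `triage(open("scan.log").read())`) to get the family breakdown and the short list of paths that were not actually cleaned.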
Good afternoon....
1.
*Temporarily disable your antivirus
*Download USBFix and save it to the desktop
*Plug the pen drive into the PC
*Double-click UsbFix
*Click [Pesquisa] (Search) and wait for it to finish
*Remove the pen drive
*Paste the report created at C:\UsbFix.txt
Good afternoon Fabyo
*THE PROCEDURE BELOW CAN ONLY BE DONE USING INTERNET EXPLORER
*Temporarily disable your antivirus
*Run an online scan with NOD32
*When it finishes, paste the report created at C:\Arquivos de programas\EsetOnlineScanner\log