I ran one with my antivirus and it detected 3 trojans, and my PC is quite slow
Here are the links
Here is the result
Fix result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Pedro Quesado (18-08-2018 14:31:13) Run:1
Running from C:\Users\Pedro\Desktop
Loaded Profiles: Pedro Quesado (Available Profiles: Pedro Quesado & Pedro & Administrador)
Boot Mode: Normal
==============================================
fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-21-2955925240-1096623219-443652941-1000\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
HKU\S-1-5-21-2955925240-1096623219-443652941-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://google.pt/
SearchScopes: HKU\S-1-5-21-2955925240-1096623219-443652941-1000 -> {C0C3A6C6-03BC-4195-8FCB-AEA091301353} URL = hxxps://search.yahoo.com/yhs/search?hspart=lvs&hsimp=yhs-awc&type=lvs__webcompa__1_0__ya__ch_WCYID10427__180526__yaie&p={searchTerms}
FF NewTab: Mozilla\Firefox\Profiles\ixdg9mn0.default -> hxxps://search.yahoo.com/yhs/web?hspart=lvs&hsimp=yhs-awc&type=lvs__webcompa__1_0__ya__hp_WCYID10427__180526__yaff
Task: {00e220a5-0824-47f5-afe6-5609c16178de} - no filepath
ShortcutWithArgument: C:\Users\Pedro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js command prompt.lnk -> C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation) -> /k "C:\Program Files (x86)\nodejs\nodevars.bat"
Task: {18515B67-9C76-4549-9D17-25C9BD18495B} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-03-21] (Adobe Systems Incorporated)
CreateRestorePoint:
Emptytemp:
Hosts:
/_ Good evening! Pedroalves _\
> The Fixlog report came through incomplete!
> Download: < ZHPCleaner > ... by Nicolas Coolman
> Or |Here!| << Mirror!
>
Quote
https://www.youtube.com/watch?v=8olWT8u5RYQ
> If anything blocks the download, watch this tutorial posted on YouTube on how to disable Windows SmartScreen.
> Once on the page, click [image]
> Save it to the desktop! ( ZHPCleaner.exe )
> Disable your antivirus and run ZHPCleaner.exe <<
> When this screen **opens**, **avoid** clicking **Update** or **Atualização**, so that you are not **redirected** to **ZHPBrowser**.
> PS: **Close** the **message** by clicking the **[**"X"**]**.
> With the **tool open**, click **Scanner**.
> Wait for it to **finish!**
> When it finishes, click **Repair**.
> PS: Ignore **any alerts** about your **network configuration**. (DNS)
> Click **Sim** (Yes) >> **Sim** (Yes)!
> **Tabs** will appear in **red**, indicating **problems to be repaired**.
> Click **Repair**.
> When it **finishes**, click **Report**.
> Post the **repair** **log**: **~ Type : Reparo**
>
Quote
file:///C:/Users/xxx../AppData/Roaming/ZHP/ZHPCleaner.html
PS: When you click "Report", you will get the report, among other information, in HTML format.
file:///C:/Users/xxx.../AppData/Roaming/ZHP/ZHPCleaner.txt
This will be your plain report, obtained by changing (.html) to (.txt) in the address bar.
Just select all (Ctrl + A), copy (Ctrl + C) and paste into your post or Notepad. (Ctrl + V)
Make the report available on Cjoint.com or use a spoiler; the instructions are at the end of that page.
Another option is to host the report on Hébergement de fichiers, Security-x.fr.
[Regards]
Here is the log
~ ZHPCleaner v2018.8.16.160 by Nicolas Coolman (2018/08/16)
~ Run by Pedro Quesado (Administrator) (19/08/2018 00:18:46)
~ Web: https://www.nicolascoolman.com
~ Blog: https://nicolascoolman.eu/
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version KO
~ Certificate ZHPCleaner: Legal
~ Type : Repair
~ Report : C:\Users\Pedro\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\Pedro\AppData\Roaming\ZHP\ZHPCleaner_Reg.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 10 Pro, 64-bit (Build 17134)
---\\ Alternate Data Stream (ADS). (0)
~ No malicious or unnecessary items found.
---\\ Services (0)
~ No malicious or unnecessary items found.
---\\ Browser internet (1)
DELETED data: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\webcompanion.com\\http [Bad : Sensitive Websites] =>PUP.Optional.LavasoftWebCompanion
---\\ Hosts file (1)
~ The hosts file is legitimate (2)
---\\ Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.
---\\ Explorer ( File, Folder) (2)
MOVED file: C:\Users\Pedro\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\BitTorrent.lnk [Bad : C:\Users\Pedro\AppData\Roaming\BitTorrent\BitTorrent.exe](.BitTorrent Inc..) =>BitTorrent (P2P)
MOVED folder: C:\Users\Pedro\AppData\Local\SlimWare Utilities Inc =>.SUP.SlimWareUtilities
---\\ Registry ( Key, Value, Data) (6)
DELETED key*: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent [BitTorrent Inc.] =>BitTorrent (P2P)
DELETED key*: HKCU\Software\Lavasoft\Web Companion [] =>PUP.Optional.LavasoftWebCompanion
DELETED key*: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com [] =>PUP.Optional.LavasoftWebCompanion
DELETED key*: HKLM\SOFTWARE\Wow6432Node\Lavasoft\Web Companion [] =>PUP.Optional.LavasoftWebCompanion
DELETED key: HKLM\SOFTWARE\Lavasoft\Web Companion [] =>PUP.Optional.LavasoftWebCompanion
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\SlimWare Utilities Inc [] =>.SUP.SlimWareUtilities
---\\ Summary of the elements found (3)
https://nicolascoolman.eu/2017/03/12/superfluous-lavasoftwebcompanion/ =>PUP.Optional.LavasoftWebCompanion
https://nicolascoolman.eu/2017/01/27/repaquetage-et-infection/ =>BitTorrent (P2P)
https://nicolascoolman.eu/2017/03/03/superfluous-slimwareutilities/ =>.SUP.SlimWareUtilities
---\\ Other deletions. (50)
~ Registry Keys Tracing deleted (48)
~ Remove the old reports ZHPCleaner. (2)
---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Google Chrome)
~ Browser not found (Opera Software)
---\\ Statistics
~ Items scanned : 2036
~ Items found : 0
~ Items cancelled : 0
~ Items options : 0/7
~ Space saving (bytes) : 0
~ End of clean in 00h00mn21s
---\\ Reports (2)
ZHPCleaner--19082018-00_18_25.txt
ZHPCleaner-[R]-19082018-00_19_07.txt
/_ Good morning! Pedroalves _\
Are you still detecting any Trojan?
> Download: ( ... by Xplode )
> Or from here: < AdwCleaner > << Link!
> Once there, click "Download Now".
> Save it to the desktop!
> Disable your antivirus!
> Right-click adwcleaner.exe and choose to run it as administrator.
> Click "Definições" (Settings).
> In "Definições", set the options as shown in this banner.
> PS: Start the scan by clicking "Verificar Agora" (Scan Now).
> When it finishes, click "Limpar e Reparar" (Clean & Repair).
> In the message, click "Limpar e Reiniciar" (Clean & Restart).
> When it finishes, click "Ver Ficheiro de Registos" (View Log File).
> Copy and post the report! (Mode: Clean)/(AdwCleaner[C00])
Regards
I think it did not detect a trojan, but I have to run a scan again
The trojans I am talking about are these: JS:ScriptIP-inf[Trj]
It asked me to update the version and I said no
Did I do the right thing, or should I have updated the version?
Here is the log
# -------------------------------
# Malwarebytes AdwCleaner 7.2.1.0
# -------------------------------
# Build: 06-26-2018
# Database: 2018-08-17.2
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 08-19-2018
# Duration: 00:00:03
# OS: Windows 10 Pro
# Cleaned: 5
# Failed: 0
*** [ Services ] ***
No malicious services cleaned.
*** [ Folders ] ***
Deleted C:\Users\Public\Documents\Downloaded Installers
*** [ Files ] ***
No malicious files cleaned.
*** [ DLL ] ***
No malicious DLLs cleaned.
*** [ WMI ] ***
No malicious WMI cleaned.
*** [ Shortcuts ] ***
No malicious shortcuts cleaned.
*** [ Tasks ] ***
No malicious tasks cleaned.
*** [ Registry ] ***
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|Web Companion
Deleted HKLM\Software\Wow6432Node\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Deleted HKLM\Software\Wow6432Node\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Deleted HKLM\Software\Wow6432Node\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
*** [ Chromium (and derivatives) ] ***
No malicious Chromium entries cleaned.
*** [ Chromium URLs ] ***
No malicious Chromium URLs cleaned.
*** [ Firefox (and derivatives) ] ***
No malicious Firefox entries cleaned.
*** [ Firefox URLs ] ***
No malicious Firefox URLs cleaned.
*************************
[+] Delete IFEO
[+] Delete Prefetch
[+] Delete Tracing Keys
[+] Reset Chromium Policies
[+] Reset IE Policies
[+] Reset Proxy Settings
*************************
AdwCleaner[S00].txt - [1718 octets] - [19/08/2018 11:36:58]
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
/_ Good morning! Pedroalves _\
>
Quote
I think it did not detect a trojan, but I have to run a scan again
The trojans I am talking about are these: JS:ScriptIP-inf[Trj]
It asked me to update the version and I said no
Did I do the right thing, or should I have updated the version?
If you like, you can run a new scan with the updated version of AdwCleaner. But I believe the results will be no different from the previous version.
> If there are no further problems, remove the tools that were used in the disinfection and create a backup of the Windows registry.
> Download: ( ... by Xplode )
> Once on the page, click Download Now.
> Save it in a convenient location. ( desktop! )
> Close any open applications.
> Remove disinfection tools
> Create registry backup
> Purge system restore points
> With these boxes ticked, click Executar (Run)!
> Restart the computer when it finishes!
> PS: Finally, the registry backup will be in: C:\WINDOWS\ERUNT\DelFix <<
> If you need to use it, open the DelFix folder and run ERDNT.exe.
> Click OK on the message!
[Regards]
The link you gave does not work
/_ Good evening! Pedroalves _\
< https://www.bleepingcomputer.com/download/delfix/ >
Oops! You can get it through this one!
Regards
Thank you for the help
Was my PC infected?? Or was it just junk like adware?
/_ Good morning! Pedroalves _\
---\\ Summary of the elements found (3)
https://nicolascoolman.eu/2017/03/12/superfluous-lavasoftwebcompanion/ =>PUP.Optional.LavasoftWebCompanion
https://nicolascoolman.eu/2017/01/27/repaquetage-et-infection/ =>BitTorrent (P2P)
---
Good work!
The summary of detections on your machine showed only PUPs and Superfluous objects.
Regards
OK, thank you for the help
Case resolved!
For your security!
Read the tips and guidance in the Cartilha de Segurança para Internet.
Case resolved!
/_ Good evening! Pedroalves _\
> Copy the information shown in red into Notepad.
> Save it with the name fixlist. << Text or Unicode, if prompted!
> Save it to the desktop! ( Área de trabalho ... )
start::
CloseProcesses: