[Arquivado] secure32 new.net cws.searchmeup wupd savenow webhancer

[Palc 0]

Este PC tem Spy-bot residente e atualizado, Ad-aware atualizado e AVG atualizado. Com eles tudo limpo.

Como desconfiava de algum verme ou vírus no PC, já que o IE às vezes não abria a janela ao clicar no ícone e a temperatura da cpu anda subindo além do normal, passei o PANDA http://www.pandasoftware.com/products/activescan.htm e obtive como resultado esse monte de vermes: :o

 

Incident Status Location

 

Adware:adware/secure32 Not disinfected C:\WINDOWS\country.exe

Spyware:spyware/new.net Not disinfected C:\WINDOWS\NDNuninstall6_98.exe

Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\toolbar.exe

Adware:adware/wupd Not disinfected C:\ARQUIVOS DE PROGRAMAS\MediaGateway

Adware:adware/savenow Not disinfected C:\ARQUIVOS DE PROGRAMAS\VVSN

Adware:adware/webhancer Not disinfected C:\ARQUIVOS DE PROGRAMAS\whInstall

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@ad.yieldmanager[2].txt

Spyware:Cookie/Admotion Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@admotion.com[1].txt

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@adopt.hbmediapro[2].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@ath.belnk[2].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@atwola[1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@bannerlandia.com[1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@belnk[1].txt

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@burstnet[2].txt

Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@c.goclick[2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@com[1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@de.uol.com[1].txt

Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@did-it[1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@dist.belnk[2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@google.com[1].txt

Spyware:Cookie/go Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@go[1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@ig.com[2].txt

Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@kinghost[1].txt

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@searchportal.information[1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@terra.com[2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@uol.com[1].txt

Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@yadro[1].txt

Adware:Adware/WinAD Not disinfected C:\Arquivos de programas\Bit Lord 1.1\Downloads\Alcohol 120% 1.9.3105 Latest [Corporate Edition With CRACK- BEST YET]\Alcohol 120% 1.9.3105 Latest [Corporate Edition With Patch]\Keygen.exe

Adware:Adware/WinAD Not disinfected C:\Arquivos de programas\Bit Lord 1.1\Downloads\Alcohol 120% 1.9.3105 Latest [Corporate Edition With CRACK- BEST YET].zip[Keygen.exe]

Hacktool:Hacktool/Netbuster Not disinfected C:\Backup_HD_antigo\c em pc1 (S3o2a7)\Netbuster\NetBuster.exe

Hacktool:Hacktool/Netbuster Not disinfected C:\Backup_HD_antigo\c em pc1 (S3o2a7)\xx_1\Hacker\Nucker_i\netbuster1_31.zip[NetBuster.exe]

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\Cookies\administrador@ig.com[1].txt

Adware:Adware/WinAD Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\MGW_SH.exe

Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\SHNT288.exe

Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\wh.exe

Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\wh.exe[whAgent.inf]

Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\wh.exe[whAgent.exe]

Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\wh.exe[whInstaller.exe]

Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\wh.exe[whSurvey.exe]

Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\wh.exe[webhdll.dll]

Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temp\wh.exe[whiehlpr.dll]

Potentially unwanted tool:Application/Zango Not disinfected C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\41WTONER\Setup[1].exe

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@ad.yieldmanager[2].txt

Spyware:Cookie/Admotion Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@admotion.com[1].txt

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@adopt.hbmediapro[2].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@ath.belnk[2].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@atwola[1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@bannerlandia.com[1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@belnk[1].txt

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@burstnet[2].txt

Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@c.goclick[2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@com[1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@de.uol.com[1].txt

Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@did-it[1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@dist.belnk[2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@google.com[1].txt

Spyware:Cookie/go Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@go[1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@ig.com[2].txt

Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@kinghost[1].txt

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@searchportal.information[1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@terra.com[2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@uol.com[1].txt

Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@yadro[1].txt

Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall6_98.exe

Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall7_14.exe

 

Como o Panda não elimina os vermes só vírus, fui examinar o log do PANDA e ele informa vermes até nuns arquivos "nada a ver" como os marcados em verde acima. Imagino serem falsos positivos do Panda.

 

Como não entendo muito de eliminação de vermes resolví passar o HijackThis e postar aqui:

 

Logfile of HijackThis v1.99.1

Scan saved at 06:01:02, on 27/3/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\slserv.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Arquivos de programas\Intel\Intel® Active Monitor\imontray.exe

C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

C:\WINDOWS\system32\NILaunch.exe

C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\RegKillTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\dvd43\dvd43_tray.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\ARQUIV~1\ARQUIV~1\PCSuite\Services\SERVIC~1.EXE

C:\arquivos de programas\netappel\netappel.exe

C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\lotus\organize\easyclip.exe

C:\lotus\smartctr\smartctr.exe

C:\lotus\smartctr\suitest.exe

C:\Util\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registration/re...=WinXp&Lang=Ptb

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iMONTRAY] C:\Arquivos de programas\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [DataLayer] C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill

O4 - HKLM\..\Run: [RegKillTray] "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [dvd43] C:\Arquivos de programas\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [VVSN] C:\Arquivos de programas\VVSN\VVSN.exe :devil:

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [NetAppel] "C:\arquivos de programas\netappel\netappel.exe" -nosplash -minimized

O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe

O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe

O4 - Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe

O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .mpeg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww8.banrisul.com.br/bto/link/msie/S...reControl2k.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Arquivos de programas\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

 

 

Gostaria que me informassem se realmente tem todos esses vermes mesmo no PC e como eliminá-los.

Pelo menos o vvsn.exe :devil: já indica algum problema :cry:

 

Desde já agradeço a ajuda.

 

{}

Palc

[jgarcia 1]

Caro Palc,

 

Vamos lá.

 

Habilite o Windows para mostrar todos os arquivos (até ocultos).

 

Desinstale:

 

--> MediaGateway

--> VVSN

 

Utilize Adicionar / Remover programas.

 

Desinstale, um a um, e reinicie após tê-los desinstalado.

 

OBS.: Caso não encontre algum(ns) do(s) programa(s) apenas passe para o próximo e/ou para a próxima etapa.

 

1ª Etapa

 

Baixe o Killbox em:

Killbox

 

Baixe, mas não execute ainda.

 

Baixe o CCleaner em:

CCleaner

 

Baixe, mas não execute ainda.

 

2ª Etapa

 

Execute o KillBox:

1) Selecione Delete on reboot;

 

2) Copie a lista abaixo em negrito para a área de transferência. Selecione --> Editar --> Copiar:

C:\WINDOWS\country.exe

C:\WINDOWS\toolbar.exe

C:\ARQUIVOS DE PROGRAMAS\MediaGateway

C:\ARQUIVOS DE PROGRAMAS\VVSN

C:\ARQUIVOS DE PROGRAMAS\whInstall

C:\Arquivos de programas\Bit Lord 1.1\Downloads\Alcohol 120% 1.9.3105 Latest [Corporate Edition With CRACK- BEST YET]\Alcohol 120% 1.9.3105 Latest [Corporate Edition With Patch]\Keygen.exe

C:\Arquivos de programas\Bit Lord 1.1\Downloads\Alcohol 120% 1.9.3105 Latest [Corporate Edition With CRACK- BEST YET].zip

C:\Backup_HD_antigo\c em pc1 (S3o2a7)\Netbuster\NetBuster.exe

C:\Backup_HD_antigo\c em pc1 (S3o2a7)\xx_1\Hacker\Nucker_i\netbuster1_31.zip

C:\Documents and Settings\Administrador\Configurações locais\Temp\MGW_SH.exe

C:\Documents and Settings\Administrador\Configurações locais\Temp\SHNT288.exe

C:\Documents and Settings\Administrador\Configurações locais\Temp\wh.exe

C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\41WTONER\Setup[1].exe

C:\WINDOWS\NDNuninstall6_98.exe

C:\WINDOWS\NDNuninstall7_14.exe

C:\TempEI4\EI40_\msxml4.cab

3) Retorne ao Killbox. Clique em File --> Paste from clipboard --> All files;

 

4) Aperte em "X". Responda "não" à pergunta.

 

É prudente que você faça a impressão deste documento ou salve-o em um lugar de fácil acesso, pois na próxima etapa entraremos em Modo Seguro e a conexão à internet não será possível.

 

3ª Etapa

 

Reinicie o computador em Modo Seguro (após reiniciar aperte a tecla F8 até aparecer uma tela preta em DOS e escolha Modo Seguro).

 

Execute o HijackThis, clique em Do a system scan only e marque:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registration/re...=WinXp&Lang=Ptb

O4 - HKLM\..\Run: [VVSN] C:\Arquivos de programas\VVSN\VVSN.exe devil.gif

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

Clique em Fix Checked.

 

4ª Etapa

 

Reinicie em modo normal.

 

Execute o CCleaner e clique em Executar Cleaner.

 

Poste o novo log do HijackThis.

 

Execute o Active Scan da Panda e veja se ainda detecta algo.

 

Um abraço.

[Palc 0]

Quase :clap:

Panda ainda mostra 3 pro, o resto deve ter sido movido pelo KillBox p/ c:\!KillBox.

O CCleaner limpou até a minha senha do iMaster, ai karai :o

Log do Panda ...

 

Incident Status Location

 

Adware:adware/secure32 Not disinfected C:\WINDOWS\secure32.html

Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq

Adware:adware/wupd Not disinfected Windows Registry

Adware:Adware/WinAD Not disinfected C:\!KillBox\Alcohol 120% 1.9.3105 Latest [Corporate Edition With CRACK- BEST YET].zip[Keygen.exe]

Adware:Adware/WinAD Not disinfected C:\!KillBox\Keygen.exe

Adware:Adware/WinAD Not disinfected C:\!KillBox\MGW_SH.exe

Spyware:Spyware/New.net Not disinfected C:\!KillBox\NDNuninstall6_98.exe

Spyware:Spyware/New.net Not disinfected C:\!KillBox\NDNuninstall7_14.exe

Hacktool:Hacktool/Netbuster Not disinfected C:\!KillBox\NetBuster.exe

Hacktool:Hacktool/Netbuster Not disinfected C:\!KillBox\netbuster1_31.zip[NetBuster.exe]

Spyware:Spyware/New.net Not disinfected C:\!KillBox\SHNT288.exe

Adware:Adware/WebHancer Not disinfected C:\!KillBox\wh.exe

Adware:Adware/WebHancer Not disinfected C:\!KillBox\wh.exe[whAgent.inf]

Adware:Adware/WebHancer Not disinfected C:\!KillBox\wh.exe[whAgent.exe]

Adware:Adware/WebHancer Not disinfected C:\!KillBox\wh.exe[whInstaller.exe]

Adware:Adware/WebHancer Not disinfected C:\!KillBox\wh.exe[whSurvey.exe]

Adware:Adware/WebHancer Not disinfected C:\!KillBox\wh.exe[webhdll.dll]

Adware:Adware/WebHancer Not disinfected C:\!KillBox\wh.exe[whiehlpr.dll]

 

Log do HijackThis ...

 

Logfile of HijackThis v1.99.1

Scan saved at 00:13:59, on 29/3/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\slserv.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Arquivos de programas\Intel\Intel® Active Monitor\imontray.exe

C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

C:\WINDOWS\system32\NILaunch.exe

C:\ARQUIV~1\ARQUIV~1\PCSuite\Services\SERVIC~1.EXE

C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\RegKillTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\dvd43\dvd43_tray.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\arquivos de programas\netappel\netappel.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\lotus\organize\easyclip.exe

C:\lotus\smartctr\smartctr.exe

C:\lotus\smartctr\suitest.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Util\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iMONTRAY] C:\Arquivos de programas\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [DataLayer] C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill

O4 - HKLM\..\Run: [RegKillTray] "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [dvd43] C:\Arquivos de programas\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [NetAppel] "C:\arquivos de programas\netappel\netappel.exe" -nosplash -minimized

O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe

O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe

O4 - Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe

O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .mpeg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww8.banrisul.com.br/bto/link/msie/S...reControl2k.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Arquivos de programas\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

[jgarcia 1]

Caro Palc,

 

Vamos lá.

 

1ª Etapa

 

Baixe o Ewido em:

Ewido

 

* Selecione "English" como idioma para a instalação;

* Clique em Next --> I Agree --> Next --> Next. Desmarque a caixa Install background guard e clique em Install e depois Finish;

* Na janela principal do Ewido clique em Actualizar no menu esquerdo e então clique em Iniciar actualização;

* Quando a atualização terminar, você verá a mensagem Actualizado com sucesso no canto inferior esquerdo;

* Pronto, mas não o execute ainda.

 

2ª Etapa

 

Execute o KillBox:

1) Selecione Delete on reboot;

 

2) Copie a lista abaixo em negrito para a área de transferência. Selecione --> Editar --> Copiar:

C:\WINDOWS\secure32.html

C:\WINDOWS\uniq

3) Retorne ao Killbox. Clique em File --> Paste from clipboard --> All files;

 

4) Aperte em "X". Responda "não" à pergunta.

 

É prudente que você faça a impressão deste documento ou salve-o em um lugar de fácil acesso, pois na próxima etapa entraremos em Modo Seguro e a conexão à internet não será possível.

 

3ª Etapa

 

Reinicie o computador em Modo Seguro.

 

1) Execute uma verificação completa com o Ewido.

 

* Abra o Ewido e clique em Verificar --> Verificação Completa do Sistema;

* O Ewido detecta alguns programas legítimos, portanto não marque a caixa que diz Executar a ação em todas as infecções. Se o Ewido encontrar um arquivo que você acredita ser legítimo, escolha a opção "Nenhuma" e clique em OK. Caso contrário, deixe em Remover e clique em OK.

* Quando o Ewido terminar, feche-o.

 

2) Vá até a pasta C:\!KillBox e apague o seu conteúdo.

 

4ª Etapa

 

Reinicie em modo normal.

 

Poste o novo log do HijackThis.

 

Execute o Active Scan da Panda e veja se ainda detecta algo.

 

Um abraço.

[Palc 0]

Na trave :wacko:

 

Log Panda ...

 

 

Incident Status Location

 

Adware:adware/wupd Not disinfected Windows Registry

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@google.com[1].txt

 

Log Ewido ...

---------------------------------------------------------

ewido anti-malware - Relatório de verificação

---------------------------------------------------------

 

+ Criado em: 06:25:47, 30/3/2006

+ Relatório-Checksum: 367774E1

 

+ Resultado da verificação:

 

HKU\S-1-5-21-606747145-1085031214-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Ignorado <<<<< Não sabia o q era, então não apaguei !

C:\!KillBox\Alcohol 120% 1.9.3105 Latest [Corporate Edition With CRACK- BEST YET].zip/Alcohol 120% 1.9.3105 Latest [Corporate Edition With Patch]/Keygen.exe -> Adware.WinAD : Ignorado

C:\Arquivos de programas\Click21\DialUP.exe -> Heuristic.Win32.Dialer : Ignorado

C:\Arquivos de programas\Turbo\Discador Turbo\discador.exe -> Heuristic.Win32.Dialer : Ignorado

C:\!KillBox\Keygen.exe -> Adware.WinAD : Limpo com backup

C:\!KillBox\MGW_SH.exe -> Adware.WinAD : Limpo com backup

C:\!KillBox\NDNuninstall6_98.exe -> Adware.NewDotNet : Limpo com backup

C:\!KillBox\NDNuninstall7_14.exe -> Adware.NewDotNet : Limpo com backup

C:\!KillBox\SHNT288.exe -> Adware.NewDotNet : Limpo com backup

C:\!KillBox\wh.exe/whAgent.exe -> Adware.WebHancer : Limpo com backup

C:\Backup_HD_antigo\c em pc1 (S3o2a7)\xx_1\Hacker\Nucker_i\nuker102.zip/UHANFO.EXE -> Trojan.ControlDuSockets.a : Limpo com backup

C:\Backup_HD_antigo\c em pc1 (S3o2a7)\xx_1\Hacker\Nucker_i\UHANFO.EXE -> Trojan.ControlDuSockets.a : Limpo com backup

 

 

::Fim do Relatório

 

 

Log do HijackThis ...

 

Logfile of HijackThis v1.99.1

Scan saved at 06:33:30, on 30/3/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\slserv.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Arquivos de programas\Intel\Intel® Active Monitor\imontray.exe

C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

C:\WINDOWS\system32\NILaunch.exe

C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\RegKillTray.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\dvd43\dvd43_tray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\Arquivos de programas\QuickTime\qttask.exe

C:\ARQUIV~1\ARQUIV~1\PCSuite\Services\SERVIC~1.EXE

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\arquivos de programas\netappel\netappel.exe

C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\lotus\organize\easyclip.exe

C:\lotus\smartctr\smartctr.exe

C:\lotus\smartctr\suitest.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Util\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iMONTRAY] C:\Arquivos de programas\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [DataLayer] C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill

O4 - HKLM\..\Run: [RegKillTray] "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [dvd43] C:\Arquivos de programas\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [NetAppel] "C:\arquivos de programas\netappel\netappel.exe" -nosplash -minimized

O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe

O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe

O4 - Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe

O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .mpeg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww8.banrisul.com.br/bto/link/msie/S...reControl2k.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Arquivos de programas\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

[jgarcia 1]

Opa Palc,

 

Vamos à luta. :)

 

1. Reinicie em Modo Seguro.

 

2. Vá em Iniciar -> Executar -> digite regedit -> dê Ok.

 

3. Navegue até à seguinte chave::

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. No painel à direita, delete os seguintes valores:

 

"Windows SyncroAd" = "[PATH TO SyncroAd.exe]"

"Windows ControlAd" = "[PATH TO WinCtlAd.exe]"

5. Nevegue e delete as seguintes entradas no registro:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows SyncroAd

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows ControlAd

HKEY_LOCAL_MACHINE\Software\Windows ControlAd

5. Saia do Editor do Registro.

 

HKU\S-1-5-21-606747145-1085031214-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Ignorado <<<<< Não sabia o q era, então não apaguei !

Pode apagar. ;)

 

Quanto aos spywares cookies não se preocupe, pois basta que você execute o CCleaner para apagá-los.

 

Após ter efetivado as ações acima execute o scan da Panda e veja se ainda detecta algo.

 

Abraços.

[Palc 0]

beleza jgarcia,

 

Não achei as chaves SyncroAd e ControlAd.

Então mandei procurar em todos registros e nada.

 

Pra não perder a viagem rodei o EWIDO e apaguei a entrada q tinha dúvida e você disse q podia detonar:

HKU\S-1-5-21-606747145-1085031214-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic

 

Rodei o CCleaner p/ tirar os cookies.

Rodei o Panda, e o log foi esse ...

 

Incident Status Location

 

Adware:adware/wupd Not disinfected Windows Registry

 

Rodei o HijackThis e o log foi esse ...

 

Logfile of HijackThis v1.99.1

Scan saved at 13:39:44, on 1/4/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\slserv.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\Explorer.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe

C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Arquivos de programas\Intel\Intel® Active Monitor\imontray.exe

C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

C:\WINDOWS\system32\NILaunch.exe

C:\ARQUIV~1\ARQUIV~1\PCSuite\Services\SERVIC~1.EXE

C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\RegKillTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

C:\Arquivos de programas\dvd43\dvd43_tray.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\arquivos de programas\netappel\netappel.exe

C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\lotus\organize\easyclip.exe

C:\lotus\smartctr\smartctr.exe

C:\lotus\smartctr\suitest.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Util\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://farejador.ig.com.br/ie/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iMONTRAY] C:\Arquivos de programas\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [DataLayer] C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill

O4 - HKLM\..\Run: [RegKillTray] "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [dvd43] C:\Arquivos de programas\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [NetAppel] "C:\arquivos de programas\netappel\netappel.exe" -nosplash -minimized

O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe

O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe

O4 - Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe

O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARQUIV~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .mpeg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww8.banrisul.com.br/bto/link/msie/S...reControl2k.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Arquivos de programas\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

 

 

Só falta 1 verme, vamo lá :clap:

 

{}

Palc

[Palc 0]

Tentei achar um "desinfetante" p/ o wupd e nada.

Rodei em modo de segurança o Spy-bot seguido do Ad-Aware.

Rodei o PANDA de novo e o log foi ...

 

Incident Status Location

 

Adware:adware/wupd :devil: Not disinfected Windows Registry

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrador\Cookies\administrador@google.com[1].txt

 

Kct até o Google entrou nessa de verme pqp !

 

Com base no site da PANDA http://www.pandasoftware.com/virus_info/en...50447#INFECCION :

1) Confirmei q os AUTOEXEC.* sumiram

2) Procurei no hd pelos arquivos q o verme cria com o .bat a seguir:

dir /s BRIDGEX*.* >arq.txt

dir /s CLIENTCOMMN*.* >> arq.txt

dir /s COMM*.* >> arq.txt

dir /s WINAD*.* >> arq.txt

dir /s WINADX*.* >> arq.txt

dir /s WINCLT*.* >> arq.txt

dir /s WINKA*.* >> arq.txt

dir /s WINUPDT*.* >> arq.txt

dir /s IDE21201*.* >> arq.txt

De estranho achei esses arquivos .css e .js repetidos (q talvez nem tenham a ver, mas ...) :

01/04/2006 21:19 2.625 common[1].css

1 arquivo(s) 2.625 bytes

 

Pasta de C:\Documents and Settings\Administrador\Configura‡äes locais\Temporary Internet Files\Content.IE5\IH1Y7M9G

 

01/04/2006 22:11 2.820 common[1].css

1 arquivo(s) 2.820 bytes

 

Pasta de C:\Documents and Settings\Administrador\Configura‡äes locais\Temporary Internet Files\Content.IE5\JA07VHGD

 

01/04/2006 22:10 2.625 common[1].css

1 arquivo(s) 2.625 bytes

 

Pasta de C:\Documents and Settings\Administrador\Configura‡äes locais\Temporary Internet Files\Content.IE5\YXONM1S9

 

01/04/2006 21:18 2.625 Common[1].css

1 arquivo(s) 2.625 bytes

 

Pasta de C:\Documents and Settings\NetworkService\Configura‡äes locais\Temporary Internet Files\Content.IE5\2QMN9IXO

 

22/01/2005 01:37 3.159 Common[1].js

1 arquivo(s) 3.159 bytes

 

Pasta de C:\Documents and Settings\NetworkService\Configura‡äes locais\Temporary Internet Files\Content.IE5\7HFCKKMV

 

22/01/2005 01:37 3.159 Common[1].js

1 arquivo(s) 3.159 bytes

 

E esses aqui também:

Pasta de C:\WINDOWS\PCHealth\HelpCtr\System\Remote Assistance

 

22/09/2004 02:47 <DIR> Common

0 arquivo(s) 0 bytes

 

Pasta de C:\WINDOWS\PCHealth\HelpCtr\System\Remote Assistance\Common

 

23/12/2004 14:23 5.248 common.js

1 arquivo(s) 5.248 bytes

 

Pasta de C:\WINDOWS\PCHealth\HelpCtr\System\Remote Assistance\Interaction

 

23/12/2004 14:23 <DIR> Common

0 arquivo(s) 0 bytes

 

Pasta de C:\WINDOWS\PCHealth\HelpCtr\System\scripts

 

23/12/2004 14:23 3.159 Common.js

1 arquivo(s) 3.159 bytes

 

3) Procurei com o localizar do regedit pelas chaves e de estranho achei essas (rapá como tem bridge*.* :P ):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\rccl.bridgetrack

HKEY_LOCAL_MACHINE\SOFTWARE\LightComm\Starter\Results

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\novo0407

 

4) Inspecionei a chave HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e não ví nada de estranho, segue ela exportada integralmente:

Nome da chave: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Nome da classe: <Sem classe>

Hora da última gravação: 28/3/2006 - 23:37

Valor 0

Nome: SoundMAXPnP

Tipo: REG_SZ

Dados: C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

 

Valor 1

Nome: SoundMAX

Tipo: REG_SZ

Dados: "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

 

Valor 2

Nome: AVG7_CC

Tipo: REG_SZ

Dados: C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

 

Valor 3

Nome: AVG7_EMC

Tipo: REG_SZ

Dados: C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe

 

Valor 4

Nome: NeroFilterCheck

Tipo: REG_SZ

Dados: C:\WINDOWS\system32\NeroCheck.exe

 

Valor 5

Nome: NvMediaCenter

Tipo: REG_SZ

Dados: RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

 

Valor 6

Nome: IMONTRAY

Tipo: REG_SZ

Dados: C:\Arquivos de programas\Intel\Intel® Active Monitor\imontray.exe

 

Valor 7

Nome: DataLayer

Tipo: REG_SZ

Dados: C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

 

Valor 8

Nome: PCSuiteTrayApplication

Tipo: REG_SZ

Dados: C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

 

Valor 9

Nome: Net-It Launcher

Tipo: REG_SZ

Dados: C:\WINDOWS\system32\NILaunch.exe

 

Valor 10

Nome: nwiz

Tipo: REG_SZ

Dados: nwiz.exe /install

 

Valor 11

Nome: RegKillElbyCheck

Tipo: REG_SZ

Dados: "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill

 

Valor 12

Nome: RegKillTray

Tipo: REG_SZ

Dados: "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"

 

Valor 13

Nome: SunJavaUpdateSched

Tipo: REG_SZ

Dados: C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

 

Valor 14

Nome: dvd43

Tipo: REG_SZ

Dados: C:\Arquivos de programas\dvd43\dvd43_tray.exe

 

Valor 15

Nome: iTunesHelper

Tipo: REG_SZ

Dados: "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

 

Valor 16

Nome: QuickTime Task

Tipo: REG_SZ

Dados: "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

 

 

Nome da chave: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

Nome da classe: <Sem classe>

Hora da última gravação: 25/12/2004 - 16:14

 

Nome da chave: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL

Nome da classe: <Sem classe>

Hora da última gravação: 25/12/2004 - 16:14

Valor 0

Nome: Installed

Tipo: REG_SZ

Dados: 1

 

 

Nome da chave: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI

Nome da classe: <Sem classe>

Hora da última gravação: 25/12/2004 - 16:14

Valor 0

Nome: NoChange

Tipo: REG_SZ

Dados: 1

 

Valor 1

Nome: Installed

Tipo: REG_SZ

Dados: 1

 

 

Nome da chave: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS

Nome da classe: <Sem classe>

Hora da última gravação: 25/12/2004 - 16:14

Valor 0

Nome: Installed

Tipo: REG_SZ

Dados: 1

 

Sei lá se isso ajuda, mas talvez ilumine :thumbsup:

[jgarcia 1]

Opa Palc,

 

Baixe este soft aqui, atualize e execute uma varredura em Modo Seguro.

 

Após executá-lo efetue uma nova verificação com o Scan da Panda e veja se ainda detecta algo.

 

Abraços.

[Palc 0]

beleza jgarcia,

 

O bicho é duuuuro na queda :(

 

Interessante o funcionamento desse Prevx1 heim, um pouco diferente dos AV e anti-verme comuns.

Só que ainda não foi suficiente.

Depois de instalado tentei rodar em "modo seguro" mas apareceu uma janelinha dizendo q o programa não roda em "modo seguro", tentei então em "modo seguro com rede" (já q de repente ele iria acessar o banco de dados externo etc etc) e deu o mesmo resultado.

Unable to start Prevx service. Your machine is not protected by Prevx.

Reason: Não é possível compartilhar este serviço em modo de segurança. <botão de OK>

Clicando no botão OK aparecia outra janelinha com:

Prevx was unable to start the security agent.

Please reinstall the software if the problem persists.

Prevx will exit now. <botão de OK>

Então rodei em "modo normal" mesmo. Pegou só 1 arquivo e nada a ver com o WUPD.

Rodei o Panda e o WUPD :devil: continua firme e forte.

 

Obrigado pela paciência e ajuda.

 

Vamo lá q só falta um verme :thumbsup:

 

{}

Palc

[jgarcia 1]

Opa Palc,

 

Atualize o banco de dados do SpySweeper e execute uma varredura completa em Modo Seguro.

 

Veja se o scan da Panda ainda detecta algo.

 

Abraços.

[Palc 0]

Spysweeper já expirou aqui neste pc :cry:Putz eu achava ele muito bom.

[Sr.SmitH 0]

Spysweeper já expirou aqui neste pc :cry:

Putz eu achava ele muito bom.

 

Amigo,

 

Olá, qual versão você usa desse programa?

 

Bye...

 

Sr.SmitH

 

Editado por conter trechos fora das regras (Pirataria) jgarcia465.

[Palc 0]

A coisa tá ficando feia, olhem só.

Depois de uma das tentativas de limpeza do Prevx1 a área de trabalho sumiu :cry:

Agora to entrando só pelo "modo de segurança com rede" pra postar !

Já fiz as seguintes coisas:

1) Entrei em "modo de segurança" e passei o Ewido, detectou nada !

2) Já havia baixado, instalado e atualizado o Spyware Doctor da PcTools então rodei em "modo de segurança" e olha só o monte de vermes detectado :o ele não limpa, só detecta. Pra limpar tem q pagar ! Segue o log ...

Infection Name Location Risk

Trojan.Downloader.Druser HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows##run High

Trojan.Downloader.Small.BWS HKCU\Software\Microsoft\Windows\CurrentVersion##adv698 High

Webhancer HKLM\software\microsoft\windows\currentversion\app management\arpcache\whsurvey Medium

Webhancer HKLM\software\microsoft\windows\currentversion\app management\arpcache\whsurvey## Medium

Webhancer HKLM\software\microsoft\windows\currentversion\app management\arpcache\whsurvey##SlowInfoCache Medium

Webhancer HKLM\software\microsoft\windows\currentversion\app management\arpcache\whsurvey##Changed Medium

Radlight C:\WINDOWS\RLUninstall.exe Medium

YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} High

YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}## High

YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore High

YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore## High

YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore##Type High

YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore##Count High

YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore##Time High

YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore##Blocked High

 

3) Rodei o Panda em "modo de segurança" e detectou o bom e velho verme wupd

 

Incident Status Location

 

Adware:adware/wupd Not disinfected Windows Registry

4) Rodei o Ad-aware em "modo de segurança" e detectou nada !

5) Rodei o Spybot em "modo de segurança" e detectou nada !

6) Rodei o CCleaner em "modo de segurança com rede" e ele tirou lá uns cookies.

 

 

Jgarcia, como eu faço para tirar esses outros vermes detectados pelo Spyware Doctor da PcTools ?

E para voltar a área de trabalho que sumiu ?

 

Sr. Smith, num outro PC tentei baixar um serial pro SpySweeper, mas na hora de baixar o AVG detectou trojan etc e tal no arquivo ! Então desistí da idéia. Até pq são tudo site do "lado negro da força" :D

 

 

{}

Palc

[Palc 0]

Olha q loucuuura, baixei o SpySweeper do site do fabricante versão 4.5.9.711E agora instalou e rodou, estou no "modo de segurança com rede"Também não pegou nada, não sei se :D ou :cry: Segue o log ...********03:32: | Start of Session, sábado, 8 de abril de 2006 |03:32: Spy Sweeper started03:32: Sweep initiated using definitions version 55603:32: Starting Memory Sweep03:33: Memory Sweep Complete, Elapsed Time: 00:01:0303:33: Starting Registry Sweep03:33: Registry Sweep Complete, Elapsed Time:00:00:1903:33: Starting Cookie Sweep03:33: Cookie Sweep Complete, Elapsed Time: 00:00:0003:33: Starting File Sweep03:38: File Sweep Complete, Elapsed Time: 00:04:3903:38: Full Sweep has completed. Elapsed time 00:06:0503:38: Traces Found: 0********03:31: | Start of Session, sábado, 8 de abril de 2006 |03:31: Spy Sweeper started03:31: Program Version 4.5.9 (Build 711) Using Spyware Definitions 55603:32: | End of Session, sábado, 8 de abril de 2006 |

[jgarcia 1]

Adware:adware/wupd Not disinfected Windows Registry

... isto é paranóia da Panda. :)

 

... considero o seu log LIMPO. :thumbsup:

 

Para finalizar:

 

1. Desabilite e Reabilite a função de Restauração Automática do XP. Clique aqui para ver como.

 

Abraços.

 

PS.: Como está a sua área de trabalho?

[Palc 0]

PS.: Como está a sua área de trabalho?

 

A área de trab. tá linda :P sem nada dos ícones, pra postar aqui tenho q entrar em "modo de segurança com rede" :cry:

Dá uma dica aí please ;) de como voltar ao normal.

 

Outra coisa, e o monte de verme detectado pelo Spyware Doctor da PcTools, também é alarme falso ? :unsure: Parece q tem uns vermes beeeem furiosos na lista que postei e que estariam infestando meu PC.

 

{}

Palc

[jgarcia 1]

Caro Palc,

 

Faça o download do Cleandesktop, execute e veja se o problema relativo à Área de Trabalho é resolvido.

 

Abraços.

[Palc 0]

Caro Palc,

 

Faça o download do Cleandesktop, execute e veja se o problema relativo à Área de Trabalho é resolvido.

 

Abraços.

 

Após o boot em modo normal, ficou só uma tela azul e o ponteiro do mouse mais nada :cry:

Se eu teclar o botãozinho do Win (embaixo a esquerda do teclado) nada acontece.

Se eu teclar Ctrl+Alt+Del aparece a telinha do Ger. de Tarefas.

 

 

{}

Palc

[jgarcia 1]

Caro Palc,

 

Baixe:

Restorethemes.reg

 

-e-

 

Restore Luna Theme

 

* Para o Restorethemes.reg aja assim:

 

Clique com o botão direito do mouse --> escolha Salvar destino como (melhor salvar no desktop).

 

O arquivo.reg será baixado. Dê duplo clique sobre o arquivo. Responda "sim" quando for perguntado sobre as adições ao registro.

 

Reinicie o PC.

 

-ou-

 

* Para o Restore Luna Theme aja assim:

 

Descompacte o arquivo dentro da pasta C:\Windows\Resources.

 

Reinicie o PC.

 

Um destes deve resolver o problema relativo à área de trabalho.

 

Um abraço.