[Resolvido!]exmodul32d.4

[joka_br 0]

:angry: Karaka Cortei um dobrado com um tal de "Foto10" e agora esse "exmodul" tah la no meu "documents and settings" afinal pra q q serve esses antevirus?

 

Logfile of HijackThis v1.99.1

Scan saved at 12:13:24, on 22/9/2006

Platform: Windows 2003 SP1 (WinNT 5.02.3790)

MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

 

Running processes:

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files (x86)\HDD Health\HDDHealth.exe

C:\Program Files (x86)\DoubleDesktop\dd.exe

C:\Program Files (x86)\Paltalk Messenger\palstart.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files (x86)\QuickTime\qttask.exe

C:\WINDOWS\SysWOW64\svchost.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\27exmodul32d.4.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\svchost.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\44exinjs.d.exe

C:\Program Files (x86)\WinRAR\WinRAR.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.765\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/

F2 - REG:system.ini: UserInit=userinit

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\SysWOW64\\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

O4 - HKCU\..\Run: [HDDHealth] C:\Program Files (x86)\HDD Health\HDDHealth.exe -wl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: DoubleDesktop.lnk = C:\Program Files (x86)\DoubleDesktop\dd.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PalStart.lnk = C:\Program Files (x86)\Paltalk Messenger\palstart.exe

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files (x86)\XstreamRadio 3.02\RadioHelper.dll

O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files (x86)\XstreamRadio 3.02\RadioHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154410187399

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll

O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

 

Ja andei tentando alguma coisa q foi aqui mandado pra outros infectados com esse fd... exmodul espero q naum tenha piorado nada desabilitando servicos do meu Win64.

 

O tal do Panda naum rodou

 

Q Q EU FACO?????????????? :(

 

Brigadaum gente e desculpe o desespero.

[Sam Spade 2]

Olá joka_br! O HijackThis está em pasta temporária. Para o correto funcionamento do programa, abra uma pasta com qualquer nome e extraia os arquivos do HijackThis para esta pasta. Baixe:

 

KillBox

CCleaner > instale, mas não use ainda.

 

Copie e salve no Bloco de notas este texto em azul. Salve com um nome fácil de localizar:

 

C:\WINDOWS\system\smss.exe

C:\WINDOWS\system32\nvsvcd.exe

 

Salve ou imprima estas instruções, pois vai segui-las desconectado e sem acesso a esta página:

 

1 - Vá em Iniciar > Executar > digite: services.msc e clique em OK.

 

Procure o serviço Windows Log, clique em cima com o direito e depois em Propriedades.

 

Pare o serviço e coloque o Tipo de Inicialização como desativado.

 

2 - Abra o HijackThis e clique no botão Open the Misc Tools section e depois em Delete an NT service.

 

Coloque isto: Windows Log

 

Clique em OK. Não reinicie o PC ainda.

 

3 - Copie o texto que salvou no bloco de notas. Rode o KillBox e marque Delete on Reboot, no menu File clique em Paste from Clipboard.

Depois clique no botão All Files.

 

Clique no botão com o X. Responda Sim à pergunta.

 

Ao reiniciar o PC, aperte F8 intermitentemente. No menu escolha: modo seguro.

 

4 - Faça um scan com o HijackThis, marque a entrada abaixo, se ainda a encontrar e clique em Fix checked:

 

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

 

5 - Feche o HijackThis e rode o CCleaner, clicando em Executar Cleaner. Aguarde o exame acabar.

 

6 - Reinicie em modo normal, faça um scan com o HijackThis e salve/poste o log.

[joka_br 0]

Oi Sam :joia: acho q kabamos com ele >>> :devil: vae ai o log:

Logfile of HijackThis v1.99.1

Scan saved at 12:34:52, on 24/9/2006

Platform: Windows 2003 SP1 (WinNT 5.02.3790)

MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

 

Running processes:

C:\Program Files (x86)\HDD Health\HDDHealth.exe

C:\Program Files (x86)\DoubleDesktop\dd.exe

C:\Program Files (x86)\Paltalk Messenger\palstart.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files (x86)\QuickTime\qttask.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jorgetadeuduarte.googlepages.com/ellivingdejoka

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/

F2 - REG:system.ini: UserInit=userinit

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\SysWOW64\\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [HDDHealth] C:\Program Files (x86)\HDD Health\HDDHealth.exe -wl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: DoubleDesktop.lnk = C:\Program Files (x86)\DoubleDesktop\dd.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PalStart.lnk = C:\Program Files (x86)\Paltalk Messenger\palstart.exe

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files (x86)\XstreamRadio 3.02\RadioHelper.dll

O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files (x86)\XstreamRadio 3.02\RadioHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154410187399

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll

O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

 

 

Eu tinha desabilitado um servico errado antes "event log" mas ja concertei.

Queria agradecer a você pela ajuda Brigadaum você naum imagina quanto a gente q se ve livre desse :devil: se sente grato a vcs :clap:

Uma sugestaum, com tantos topicos a respeito desse esmodul pq naum criar um topico geral com explicacoes de como se livrar desse e de outros virus ??? depende da configuracaum do PC??

Seria legal a gente ter uma ideia de como funciona a coisa, pq desabilitamos um servico deletamos um arquivo e tudo mais ... bem eh soh uma humilde sugestaum.

Novamente muito obrigado

[Sam Spade 2]

Ok, o log está limpo. É uma boa idéia criar um tópico com o método de remoção deste IRCbot, pois pode ser padronizado. Obrigado pela sugestão.

 

Para finalizar, vá no Painel de Controle > Sistema > Restauração do Sistema > marque Desativar a restauração do sistema > Aplicar > OK.

Depois desmarque novamente.

 

Abraço.

[Sam Spade 2]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto é necessário enviar uma Mensagem Privada para um Moderador com um link para o tópico.