[Resolvido!]Quando clico em um link no goole abre paginas estranha

[bucher 0]

Por favor me ajudem, quando faço uma busca pelo google e clico em qualquer link não a pagina que deveria

vejam meu log:

 

Logfile of HijackThis v1.99.1

Scan saved at 23:43:46, on 3/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\Arquivos de programas\Ebates__MoeMoney__Maker\ebatesmmmv.exe

C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\ARQUIV~1\NETWOR~1\COMMON~1\naPrdMgr.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Ebates__MoeMoney__Maker\eb.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ufrrj.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.11.1.254:3128

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fertbio2006

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Arquivos de programas\NavExcel\NavHelper\v2.0.4c\NHelper.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [ebmmm] "C:\Arquivos de programas\Ebates__MoeMoney__Maker\ebatesmmmv.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Arquivos de programas\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Arquivos de programas\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Arquivos de programas\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Arquivos de programas\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Ebates - file://C:\Documents and Settings\Natalia\Dados de aplicativos\Ebates__MoeMoney__Maker\ebmmt\ebmmC5.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Arquivos de programas\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)

O9 - Extra button: Ebates - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Documents and Settings\Natalia\Dados de aplicativos\Ebates__MoeMoney__Maker\ebmmt\ebmmC5.htm (HKCU)

O12 - Plugin for .csm: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csml: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cub: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cube: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .dx: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .emb: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .embl: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .gau: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .jdx: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mol: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mop: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdb: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .rxn: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .scr: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .skc: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .spt: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .tgf: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .xyz: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{562B24BA-664B-4A0C-8B2E-8B0C50A2CCED}: NameServer = 85.255.113.146,85.255.112.66

O17 - HKLM\System\CCS\Services\Tcpip\..\{C2386951-E26C-47A1-A823-93B5C49FAAEF}: NameServer = 85.255.113.146,85.255.112.66

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Natalia\CONFIG~1\Temp\hpdj.exe (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

[jgarcia 1]

Opa bucher,

 

Desinstale:

-> Ebates__MoeMoney__Maker

 

Utilize Adicionar / Remover programas.

 

Desinstale e reinicie após tê-lo feito.

 

Retorne com um novo log do HijackThis.

 

Abraços.

[bucher 0]

Opa jgarcia,

 

Fiz o que pediu mas não desinstalou

 

abraços

[jgarcia 1]

Opa bucher,

 

Para desinstalar o Ebates__MoeMoney__Maker siga as instruções abaixo:

 

1. Clique em Iniciar e em Executar.

 

2. Na caixa Abrir, digite regedt32 e clique em OK.

 

3. No Editor do Registro, localize a seguinte chave do Registro: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

 

4. No painel à esquerda, clique na chave do Registro Uninstall e clique em Exportar no menu Arquivo.

 

5. Na caixa de diálogo Exportar arquivo do Registro que aparece, clique em Desktop na lista Salvar em, digite uninstall na caixa Nome do arquivo e clique em Salvar.

 

6. Cada chave listada em Uninstall no painel à esquerda no Editor do Registro representa um programa que é exibido na lista Programas instalados da ferramenta Adicionar ou remover programas. Para determinar qual programa cada chave representa, clique na chave e visualize os seguintes valores no painel de detalhes à direita:

 

DisplayName: O dado do valor para a chave DisplayName é o nome listado em Adicionar ou remover programas.

 

-e-

 

UninstallString: O dado do valor para a chave UninstallString é o programa usado para desinstalar o programa.

 

7. Após identificar a chave do Registro que representa o programa removido, mas que ainda é exibido na lista Programas instalados do Adicionar ou remover programas, clique com o botão direito do mouse na chave no painel à esquerda da janela Editor do Registro e clique em Excluir. Clique em Sim em resposta à mensagem "Tem certeza de que deseja excluir esta chave e todas as suas subchaves?".

 

8. No menu Arquivo, clique em Sair para fechar o Editor do Registro.

 

9. Clique em Iniciar, em Painel de controle e em Adicionar ou remover programas. Na lista Programas instalados, verifique se o programa do qual a chave do Registro você excluiu não está mais na lista.

 

10. Execute um dos seguintes procedimentos:

 

Se a lista de programas não estiver correta em Adicionar ou remover programas, clique duas vezes no arquivo Uninstall.reg salvo na sua Área de trabalho da etapa 5 para restaurar a lista de programas original no Registro.

 

-ou-

 

Se lista de programas estiver correta em Adicionar ou remover programas, clique com o botão direito do mouse no arquivo Uninstall.reg na sua Área de trabalho e clique em Excluir.

 

Feito isto, verifique se ele (Ebates__MoeMoney__Maker) ainda está em Adicionar / Remover programas e poste um novo log.

 

Abraços.

[bucher 0]

Opa jgarcia,

 

quando entro no painel de controle, adicionar/remover programa e clico em ALTERAR/REMOVER, a nova janela abre e fecha muito rapido, quase não da para perceber

 

abraços

[jgarcia 1]

Opa jgarcia,

 

quando entro no painel de controle, adicionar/remover programa e clico em ALTERAR/REMOVER, a nova janela abre e fecha muito rapido, quase não da para perceber

 

abraços

Exatamente por esse motivo, as instruções anteriores servem para remover o programa via Registro e não através do Adicionar / Remover programas. Veja a linha 7. Caso tenha dúvidas na execução dos procedimentos poste novamente.

 

Abraços.

[bucher 0]

beleza jgarcia,

 

segui todos os passos

segue o log

 

Logfile of HijackThis v1.99.1

Scan saved at 20:26:45, on 6/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\NETWOR~1\COMMON~1\naPrdMgr.exe

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\Arquivos de programas\Ebates__MoeMoney__Maker\ebatesmmmv.exe

C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Ebates__MoeMoney__Maker\eb.exe

C:\WINDOWS\system32\wuauclt.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ufrrj.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.11.1.254:3128

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fertbio2006

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Arquivos de programas\NavExcel\NavHelper\v2.0.4c\NHelper.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [ebmmm] "C:\Arquivos de programas\Ebates__MoeMoney__Maker\ebatesmmmv.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Arquivos de programas\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Arquivos de programas\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Arquivos de programas\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Arquivos de programas\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Ebates - file://C:\Documents and Settings\Natalia\Dados de aplicativos\Ebates__MoeMoney__Maker\ebmmt\ebmmC5.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Arquivos de programas\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)

O9 - Extra button: Ebates - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Documents and Settings\Natalia\Dados de aplicativos\Ebates__MoeMoney__Maker\ebmmt\ebmmC5.htm (HKCU)

O12 - Plugin for .csm: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csml: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cub: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cube: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .dx: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .emb: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .embl: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .gau: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .jdx: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mol: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mop: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdb: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .rxn: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .scr: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .skc: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .spt: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .tgf: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .xyz: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{562B24BA-664B-4A0C-8B2E-8B0C50A2CCED}: NameServer = 85.255.113.146,85.255.112.66

O17 - HKLM\System\CCS\Services\Tcpip\..\{C2386951-E26C-47A1-A823-93B5C49FAAEF}: NameServer = 85.255.113.146,85.255.112.66

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Natalia\CONFIG~1\Temp\hpdj.exe (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

 

 

abraços

[jgarcia 1]

Opa bucher,

 

Vamos lá.

 

Habilite o Windows para mostrar todos os arquivos (até ocultos).

 

1ª Etapa

 

Baixe o CCleaner em:

CCleaner

 

Baixe, mas não execute ainda.

 

Baixe o Killbox em:

Killbox

 

1. Execute o Killbox, clique em Delete on Reboot.

 

2. Copie a lista abaixo em negrito para a área de transferência. Selecione tudo com o auxílio do mouse --> vá até a aba Editar na barra do navegador --> clique em Copiar.

 

C:\Documents and Settings\Natalia\Dados de aplicativos\Ebates__MoeMoney__Maker\ebmmt\ebmmC5.htm

C:\Arquivos de programas\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm

C:\Arquivos de programas\Ebates__MoeMoney__Maker\ebatesmmmv.exe

C:\Arquivos de programas\Ebates__MoeMoney__Maker\eb.exe

 

3. Retorne ao Killbox. Clique em File > Paste from clipboard. Clique em All Files.

 

4. Aperte em "X". Responda "não" à pergunta.

 

É prudente que você faça a impressão deste documento ou salve-o em um lugar de fácil acesso, pois na próxima etapa entraremos em Modo de Seguro e a conexão à internet não será possível.

 

2ª Etapa

 

Reinicie o computador em Modo Seguro (ao reiniciar aperte a tecla F8 repetidamente até que apareça uma tela preta em DOS e escolha a opção Modo Seguro).

 

Execute o HijackThis, clique em Do a system scan only e marque:

O4 - HKLM\..\Run: [ebmmm] "C:\Arquivos de programas\Ebates__MoeMoney__Maker\ebatesmmmv.exe"

O8 - Extra context menu item: Ebates - file://C:\Documents and Settings\Natalia\Dados de aplicativos\Ebates__MoeMoney__Maker\ebmmt\ebmmC5.htm

O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Arquivos de programas\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)

O9 - Extra button: Ebates - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Documents and Settings\Natalia\Dados de aplicativos\Ebates__MoeMoney__Maker\ebmmt\ebmmC5.htm (HKCU)

Clique em Fix Checked.

 

3ª Etapa

 

Ainda em Modo Seguro localize e delete:

 

C:\Documents and Settings\Natalia\Dados de aplicativos\Ebates__MoeMoney__Maker <- a pasta

C:\Arquivos de programas\Ebates__MoeMoney__Maker <- a pasta

C:\Arquivos de programas\EbatesMoeMoneyMaker <- a pasta

 

4ª Etapa

 

Reinicie em Modo Normal.

 

Execute o CCleaner e clique em Executar Cleaner.

 

Retorne com um novo log do HijackThis.

 

Aguardo retorno.

 

Um abraço.

[bucher 0]

Opa jgarcia,

 

desculpas pela demora, tive uma semana complicada,

 

segue o log

 

Logfile of HijackThis v1.99.1

Scan saved at 02:20:15, on 16/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\NETWOR~1\COMMON~1\naPrdMgr.exe

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ufrrj.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.11.1.254:3128

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fertbio2006

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Arquivos de programas\NavExcel\NavHelper\v2.0.4c\NHelper.dll

O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe"

O4 - HKLM\..\Run: [WorksFUD] C:\Arquivos de programas\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Arquivos de programas\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Arquivos de programas\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Arquivos de programas\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .csm: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csml: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cub: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cube: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .dx: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .emb: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .embl: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .gau: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .jdx: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mol: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mop: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdb: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .rxn: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .scr: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .skc: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .spt: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .tgf: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .xyz: C:\Arquivos de programas\Internet Explorer\Plugins\npchime.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{562B24BA-664B-4A0C-8B2E-8B0C50A2CCED}: NameServer = 85.255.113.146,85.255.112.66

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.66

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Natalia\CONFIG~1\Temp\hpdj.exe (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

 

 

 

aguardo retorno

 

abraços

[jgarcia 1]

Opa bucher,

 

O log parece limpo. O problema persiste?

[bucher 0]

Opa jgarcia.

 

o problema ainda continua

 

Por exemplo,

 

Quando mantenho shift pressionado e clico em um link, no google, como este:

 

http://www.cababstractsplus.org/google/abs...cNo=20043045266

 

logo quando abre a nova janela aparece o endereço certo mas depois muda para:

 

http://10-top.com/potassium%20%22crop%20qu...;rpt=1&kt=1

 

outro exemplo, clico em:

http://almanaque.folha.uol.com.br/musicapopulardobrasil.htm

 

muda para:

http://q-find.com/musica%20popular.cfm?pt=...;rpt=1&kt=1

 

outro exemplo,

clico em:

http://www.sergiosakall.com.br/okapi/paleontologia.html

 

muda para:

http://wordsea.com/per%C3%ADodo%20terci%C3...;rpt=1&kt=1

 

o Ebates MoeMoney ainda aparecia no painel de controle, adicionar/remover programas, mas eu o removi e reiniciei o computador e o problema continuou.

 

Abraços

 

Aguardo resposta

[jgarcia 1]

Opa bucher,

 

Baixe o ComboFix em:

ComboFix

 

1) Dê um duplo-clique no combofix.exe e tecle "Y" para prosseguir. O processo vai durar, em média, 10 minutos;

2) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado (somente se houver infecção);

3) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;

4) Não clique na janela do ComboFix, nem feche clicando no X, enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco);

5) Para parar ou sair do ComboFix, tecle "N";

6) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta.

 

Abraços.

[bucher 0]

Opa jgarcia

 

segue o log combofix

 

 

- 2007-07-17 17:34:43 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\cfx32.ocx

C:\WINDOWS\system32\kdsxg.exe

 

 

((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))

 

 

2007-07-17 17:33 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-17 17:23 1,168,935 --a------ C:\ComboFix.exe

2007-07-16 02:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Yahoo! Companion

2007-07-16 02:15 <DIR> d-------- C:\Arquivos de programas\Yahoo!

2007-07-16 02:15 <DIR> d-------- C:\Arquivos de programas\CCleaner

2007-07-16 01:45 <DIR> d-------- C:\!KillBox

2007-07-11 23:09 38,306 --a------ C:\WINDOWS\macromix.dll

2007-07-03 23:38 <DIR> d-------- C:\hijackthis

2007-07-03 01:47 13,776 --a------ C:\WINDOWS\system32\drivers\recagent.sys

2007-07-03 01:47 13,240 --a------ C:\WINDOWS\system32\drivers\slwdmsup.sys

2007-06-30 23:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Ebates__MoeMoney__Maker

2007-06-25 15:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2007-06-24 21:18 <DIR> d-------- C:\DOCUME~1\Natalia\DADOSD~1\MSN6

2007-06-24 21:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\MSN6

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2011-05-02 23:13:13 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\Media Player Classic

2011-04-04 05:54:11 286,720 ------w C:\WINDOWS\Setup1.exe

2011-04-04 05:54:09 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE

2011-04-03 02:07:01 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\Template

2011-03-02 03:30:36 -------- d-----w C:\Arquivos de programas\Ahead

2011-03-02 03:28:01 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Ahead

2011-01-22 02:59:32 4 ----a-w C:\WINDOWS\system32\micr0st.dll

2011-01-22 02:44:54 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\dvdcss

2011-01-22 02:42:07 -------- d-----w C:\Arquivos de programas\ImTOO

2011-01-22 02:29:13 -------- d-----w C:\Arquivos de programas\NavExcel

2010-12-27 23:16:24 29,184 ----a-w C:\WINDOWS\system32\sstunst2.exe

2010-12-24 16:00:32 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\ArcSoft

2010-12-24 15:59:16 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll

2010-12-24 15:59:16 2,272 ----a-w C:\WINDOWS\system32\w95inf16.dll

2010-11-10 03:09:24 -------- d-----w C:\Arquivos de programas\Arquivos comuns\InstallShield

2009-11-03 23:33:55 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\StatSoft

2009-10-13 00:35:41 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\Help

2007-07-12 04:57:22 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\AdobeUM

2007-06-30 20:49:25 -------- d-----w C:\Arquivos de programas\1Click DVD Ripper

2007-06-09 17:49:22 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\Google

2007-06-09 17:48:18 -------- d-----w C:\Arquivos de programas\Google

2007-06-09 17:48:16 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2007-06-04 05:29:31 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\WinRAR

2007-05-23 21:42:32 -------- d-----w C:\Arquivos de programas\MSN Messenger

2007-05-21 05:44:51 -------- d-----w C:\Arquivos de programas\Messenger

2007-05-21 00:02:21 -------- d-----w C:\Arquivos de programas\MSXML 4.0

2007-05-20 14:10:07 48,628 ----a-w C:\WINDOWS\system32\perfc016.dat

2007-05-20 14:10:07 344,380 ----a-w C:\WINDOWS\system32\perfh016.dat

2007-05-19 22:09:54 -------- d-----w C:\Arquivos de programas\Windows Live Toolbar

2007-05-19 00:47:35 0 ----a-w C:\WINDOWS\nsreg.dat

2007-05-18 14:04:05 -------- d-----w C:\Arquivos de programas\REALTEK RTL8185 Wireless LAN Driver and Utility

2007-05-18 14:04:00 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:13:00 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-18 03:34:48 638,428 ----a-w C:\WINDOWS\Bobsaver.exe

2007-04-18 03:34:47 362,880 ----a-w C:\WINDOWS\Bobsaver.scr

2007-04-18 03:34:47 29,696 ----a-w C:\WINDOWS\mickey32.dll

2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-02-03 18:55:28 28,184 ----a-w C:\DOCUME~1\Natalia\DADOSD~1\GDIPFONTCACHEV1.DAT

2004-03-11 16:27:22 40,960 ----a-w C:\Arquivos de programas\Uninstall_CDS.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]

2006-10-26 10:28 440384 --a------ C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]

2006-08-31 20:33 322368 --a------ C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}]

2004-06-21 00:58 135168 -rah----- C:\Arquivos de programas\NavExcel\NavHelper\v2.0.4c\NHelper.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2004-09-02 02:47 C:\WINDOWS\system32\SiSPower.dll]

"ShStatEXE"="C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 07:00]

"McAfeeUpdaterUI"="C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 08:00]

"WorksFUD"="C:\Arquivos de programas\Microsoft Works\wkfud.exe" []

"RemoteControl"="C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]

"Microsoft Works Update Detection"="C:\Arquivos de programas\Microsoft Works\WkDetect.exe" []

"Microsoft Works Portfolio"="C:\Arquivos de programas\Microsoft Works\WksSb.exe" []

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerBar"="" []

"Microsoft Works Update Detection"="C:\Arquivos de programas\Microsoft Works\WkDetect.exe" []

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2005-06-14 17:05]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

C:\Arquivos de programas\Ahead\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"InCDsrv"=2 (0x2)

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9144fbe-2e61-11dc-95d9-000e2eaa97a1}]

Auto\command- tel.xls.exe

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7dd79ad-b943-11db-b0bb-0013d42636e9}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

 

 

**************************************************************************

 

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-17 17:39:26

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PowerBar = ????<???D??sh??????w????h???2??w(??????wt?@?l?@?? d???????????????????????????2????????????????????w???????w???w???????w???w????D??sL??????????w????l?@?????.??w????t?@?h?b?????????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-17 17:41:21 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-07-17 17:40

 

--- E O F ---

 

abraços

[jgarcia 1]

Opa bucher,

 

Reinicie o computador em Modo Seguro.

 

Vá em Iniciar -> Executar -> digite regedit -> dê Ok.

 

Navegue até a seguinte sub-chave:

 

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2

 

Localize e delete as seguintes pastas:

 

{b9144fbe-2e61-11dc-95d9-000e2eaa97a1}

 

{d7dd79ad-b943-11db-b0bb-0013d42636e9}

 

Navegue até a seguinte sub-chave:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

 

No painel à direita localize e delete:

 

PowerBar = ????<???D??sh??????w????h???2??w(??????wt?@?l?@?? d???????????????????????????2????????????????????w???????w???w???????w???w????D??sL??????????w????l?@?????.??w????t?@?h?b?????????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

 

Saia do Editor do Registro.

 

Reinicie em Modo Normal.

 

Delete o conteúdo da pasta C:\!Killbox.

 

Poste um novo log do ComboFix.

 

Aguardo retorno.

 

Um abraço.

[bucher 0]

Opa jgarcia,

 

o novo log do combofix,

 

- 2007-07-18 17:33:49 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))

 

 

2007-07-17 17:33 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-17 17:23 1,168,935 --a------ C:\ComboFix.exe

2007-07-16 02:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Yahoo! Companion

2007-07-16 02:15 <DIR> d-------- C:\Arquivos de programas\Yahoo!

2007-07-16 02:15 <DIR> d-------- C:\Arquivos de programas\CCleaner

2007-07-16 01:45 <DIR> d-------- C:\!KillBox

2007-07-11 23:09 38,306 --a------ C:\WINDOWS\macromix.dll

2007-07-03 23:38 <DIR> d-------- C:\hijackthis

2007-07-03 01:47 13,776 --a------ C:\WINDOWS\system32\drivers\recagent.sys

2007-07-03 01:47 13,240 --a------ C:\WINDOWS\system32\drivers\slwdmsup.sys

2007-06-30 23:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Ebates__MoeMoney__Maker

2007-06-25 15:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2007-06-24 21:18 <DIR> d-------- C:\DOCUME~1\Natalia\DADOSD~1\MSN6

2007-06-24 21:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\MSN6

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2011-05-02 23:13:13 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\Media Player Classic

2011-04-04 05:54:11 286,720 ------w C:\WINDOWS\Setup1.exe

2011-04-04 05:54:09 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE

2011-04-03 02:07:01 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\Template

2011-03-02 03:30:36 -------- d-----w C:\Arquivos de programas\Ahead

2011-03-02 03:28:01 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Ahead

2011-01-22 02:59:32 4 ----a-w C:\WINDOWS\system32\micr0st.dll

2011-01-22 02:44:54 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\dvdcss

2011-01-22 02:42:07 -------- d-----w C:\Arquivos de programas\ImTOO

2011-01-22 02:29:13 -------- d-----w C:\Arquivos de programas\NavExcel

2010-12-27 23:16:24 29,184 ----a-w C:\WINDOWS\system32\sstunst2.exe

2010-12-24 16:00:32 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\ArcSoft

2010-12-24 15:59:16 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll

2010-12-24 15:59:16 2,272 ----a-w C:\WINDOWS\system32\w95inf16.dll

2010-11-10 03:09:24 -------- d-----w C:\Arquivos de programas\Arquivos comuns\InstallShield

2009-11-03 23:33:55 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\StatSoft

2009-10-13 00:35:41 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\Help

2007-07-18 04:47:30 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\AdobeUM

2007-06-30 20:49:25 -------- d-----w C:\Arquivos de programas\1Click DVD Ripper

2007-06-09 17:49:22 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\Google

2007-06-09 17:48:18 -------- d-----w C:\Arquivos de programas\Google

2007-06-09 17:48:16 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2007-06-04 05:29:31 -------- d-----w C:\DOCUME~1\Natalia\DADOSD~1\WinRAR

2007-05-23 21:42:32 -------- d-----w C:\Arquivos de programas\MSN Messenger

2007-05-21 05:44:51 -------- d-----w C:\Arquivos de programas\Messenger

2007-05-21 00:02:21 -------- d-----w C:\Arquivos de programas\MSXML 4.0

2007-05-20 14:10:07 48,628 ----a-w C:\WINDOWS\system32\perfc016.dat

2007-05-20 14:10:07 344,380 ----a-w C:\WINDOWS\system32\perfh016.dat

2007-05-19 22:09:54 -------- d-----w C:\Arquivos de programas\Windows Live Toolbar

2007-05-19 00:47:35 0 ----a-w C:\WINDOWS\nsreg.dat

2007-05-18 14:04:05 -------- d-----w C:\Arquivos de programas\REALTEK RTL8185 Wireless LAN Driver and Utility

2007-05-18 14:04:00 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:13:00 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-18 03:34:48 638,428 ----a-w C:\WINDOWS\Bobsaver.exe

2007-04-18 03:34:47 362,880 ----a-w C:\WINDOWS\Bobsaver.scr

2007-04-18 03:34:47 29,696 ----a-w C:\WINDOWS\mickey32.dll

2007-02-03 18:55:28 28,184 ----a-w C:\DOCUME~1\Natalia\DADOSD~1\GDIPFONTCACHEV1.DAT

2004-03-11 16:27:22 40,960 ----a-w C:\Arquivos de programas\Uninstall_CDS.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]

2006-10-26 10:28 440384 --a------ C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]

2006-08-31 20:33 322368 --a------ C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}]

2004-06-21 00:58 135168 -rah----- C:\Arquivos de programas\NavExcel\NavHelper\v2.0.4c\NHelper.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2004-09-02 02:47 C:\WINDOWS\system32\SiSPower.dll]

"ShStatEXE"="C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 07:00]

"McAfeeUpdaterUI"="C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 08:00]

"WorksFUD"="C:\Arquivos de programas\Microsoft Works\wkfud.exe" []

"RemoteControl"="C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]

"Microsoft Works Update Detection"="C:\Arquivos de programas\Microsoft Works\WkDetect.exe" []

"Microsoft Works Portfolio"="C:\Arquivos de programas\Microsoft Works\WksSb.exe" []

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="C:\Arquivos de programas\Microsoft Works\WkDetect.exe" []

"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2005-06-14 17:05]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

C:\Arquivos de programas\Ahead\InCD\InCD.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"InCDsrv"=2 (0x2)

 

 

**************************************************************************

 

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-18 17:36:18

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-18 17:37:11

C:\ComboFix-quarantined-files.txt ... 2007-07-18 17:36

C:\ComboFix2.txt ... 2007-07-17 17:41

 

--- E O F ---

 

abraço

[jgarcia 1]

Opa bucher,

 

O log parece limpo. O problema persiste?

[vanvero 0]

Olá Boa noite!Estava a semanas tendo este mesmo problema. Postei em vários foruns e não consegui remover o maldito malware. Descobri a solução da seguinte forma:Quando clicava no link do google sempre aparecia na barra de status a url 64.28.180.211/click.php/ .... (apenas depois de clicar, quando coloca o mouse em cima não aparece). Então apenas bloqueei esta URL no meu anti-virus (AVAST) e o problema ACABOU. Faça isto pra gente ver se vai dar certo tambem, valeu!? É claro, que o legal seria achar e remover o spyware que faz isso, mas pelo menos você não fica vendo aquelas m. de novo.abraços!

[bucher 0]

Opa jgarcia,

 

desde a postagem anterior o problema desapareceu,

pelo jeito o problema foi resolvido

 

muito obrigado

abraços

 

bucher

[jgarcia 1]

Opa bucher,

 

Fico feliz por saber que o problema foi resolvido. :thumbsup:

 

Para finalizar:

 

1. Desabilite e Reabilite a função de Restauração Automática do XP. Clique aqui para ver como;

 

2. Leia o artigo Cuidados ao navegar na net e saiba como evitar novas infecções.

 

Abraços.

[jgarcia 1]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.