[Resolvido!]Estou infectado pelo virus "Win32/Hoax.RenosLQ o

[Maurelli 0]

Meu NOD32 periodicamente abre uma janela dizendo que estou infectado com Uma variante modificada do win32/hoax.renos aplicação. Quando tento limpar ele ápenas manda para quarentena e continuo infectado.

Help!

[DigRam 144]

Bom Dia Maurelli!

 

<!> Faça o download do HijackThis.

<!> Baixe-o para o Disco Local-C e estabeleça uma pasta própria para o programa.

<!> Temos como exemplo: < C:\HijackThis.exe > ou < C:\HijackThis\HijackThis.exe >

<!> Mas,não execute-o ainda!

<!> Para que o Log do HijackThis saia completo,vá em Iniciar >> Executar.

<!> Digite: msconfig >> Ok.

<!> Na guia Inicializar,marque tôdos os ítens e confirme!

<!> Reinicie o computador!

<!> Abra o HijackThis e clique em Do a system scan and save a logfile.

<!> Abrir-se-á um Bloco de Notas!

<!> Selecione e copie o seu conteúdo para êste Tópico. Não crie outro!

 

Abraços!

[Maurelli 0]

O que aparece eh isso aki!!!!!

 

Logfile of HijackThis v1.99.1

Scan saved at 12:01:38, on 19/10/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Eset\nod32krn.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1046

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIPTA] C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Arquivos de programas\Free Download Manager\FUM\fumiebtn.dll (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

[DigRam 144]

Boa Tarde Maurelli!

 

>@< Faça o download do SmitfraudFix.

>@< Salve-o no Disco Local-C e descompacte-o aí mesmo,enviando o executável ( SmitfraudFix.cmd ),para o Desktop.

>@< Reinicie o computador em Modo de Segurança!

>@< Execute o SmitfraudFix.cmd <!>

>@< Aperte a opção 2 >> Enter.

>@< Quando aparecer a mensagem: Do you want to clean the registry,aperte a opção Y >> Enter.

>@< Reinicie,normalmente,o computador!

>@< Caso tenha ocorrido mudanças,no desktop,corrija nas propriedades de vídeo.( Tema )

>@< Copie o Log ( rapport.txt ) e poste,na sua resposta + HijackThis,atualizado.

 

Abraços!

[Maurelli 0]

Cara estou com um grande problema.... Meu teclado é USB, e como imagino ele naum abilita até o windows estar carregado e naum consigo entrar em modo de segurança o que faço????PS: já tentei F8, F5, Tab de tudo...

[DigRam 144]

Cara estou com um grande problema.... Meu teclado é USB, e como imagino ele naum abilita até o windows estar carregado e naum consigo entrar em modo de segurança o que faço????

PS: já tentei F8, F5, Tab de tudo...

@@@@@@@@@

Bom Dia Maurelli!

 

>@< Após o Windows estar carregado,tente entrar em Modo de Segurança,pelo msconfig.

>@< Vá a êste Tópico,e leia o Tutorial.

 

Abraços!

[Maurelli 0]

Boa Noite!!!

 

Consegui fazer o que você mandou....

 

Esse aki eh o ( rapport.txt )...

 

SmitFraudFix v2.240

 

Scan done at 0:48:21,34, dom 21/10/2007

Run from C:\SmitfraudFix

OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"="scpLIB"

 

[HKEY_CLASSES_ROOT\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]

@="C:\Arquivos de programas\Scpad\scpLIB.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]

@="C:\Arquivos de programas\Scpad\scpLIB.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

 

S!Ri's WS2Fix: LSP not Found.

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{64790D00-4AC7-4CEE-8694-F5F8BB10ABC4}: DhcpNameServer=200.162.196.29 200.162.194.244

HKLM\SYSTEM\CS1\Services\Tcpip\..\{64790D00-4AC7-4CEE-8694-F5F8BB10ABC4}: DhcpNameServer=200.162.196.29 200.162.194.244

HKLM\SYSTEM\CS2\Services\Tcpip\..\{64790D00-4AC7-4CEE-8694-F5F8BB10ABC4}: DhcpNameServer=200.162.196.29 200.162.194.244

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=200.162.196.29 200.162.194.244

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=200.162.196.29 200.162.194.244

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=200.162.196.29 200.162.194.244

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{A3717295-941D-416F-9384-ED1736729F1C}"="scpLIB"

 

[HKEY_CLASSES_ROOT\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]

@="C:\Arquivos de programas\Scpad\scpLIB.dll"

 

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]

@="C:\Arquivos de programas\Scpad\scpLIB.dll"

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

 

C:\WINDOWS\system32\sulimo.dat Please, Reboot and Run SmitfraudFix option 2 once again.

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

________________________________________________________________________________

___________________________________________________

________________________________________________________________________________

___________________________________________________

________________________________________________________________________________

___________________________________________________

________________________________________________________________________________

________________________________________________________________________________

________________________________________________________________________________

_____________________

 

O (hijackthis) que você fala eh passar de nov neh!!!!

Eu passei e deu isso aki....

Até o que parece o Virus naum aparece mais....

Se tiver mais alguma a fazer só falar.....

 

Logfile of HijackThis v1.99.1

Scan saved at 01:04:27, on 21/10/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Eset\nod32krn.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Java\jre1.6.0_02\bin\jucheck.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1046

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIPTA] C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Arquivos de programas\Free Download Manager\FUM\fumiebtn.dll (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

[DigRam 144]

Bom Dia Maurelli!

 

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

 

C:\WINDOWS\system32\sulimo.dat Please, Reboot and Run SmitfraudFix option 2 once again.

 

»»»»»»»»»»»»»»»»»»»»»»»» End

>@< Execute,novamente,o SmitfraudFix,e poste o relatório. ( rapport.txt )

>@< Execute-o em Modo de Segurança!

_______________________

 

>@< Abra o HijackThis e clique em,Do a system scan only.

>@< Marque as entradas,logo abaixo,e clique em Fix checked!

 

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

>@< Reinicie,normalmente,o computador!

>@< Poste: rapport.txt + HJT,atualizado.

 

Abraços!

[Maurelli 0]

Acima do seu post eu ja fiz isso!!!!!!Os posts do HJT e do outro programa ja estão lá!!!O resto da sua mensagem não entendi pode esplicar mais claramente por favor!!!!Obrigado!!

[DigRam 144]

Acima do seu post eu ja fiz isso!!!!!!

Os posts do HJT e do outro programa ja estão lá!!!

O resto da sua mensagem não entendi pode esplicar mais claramente por favor!!!!

Obrigado!!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@

 

Boa Noite Maurelli!

 

>@< Execute,novamente,o SmitfraudFix,e poste o relatório. ( rapport.txt )

>@< Execute-o em Modo de Segurança!

>@< Creio,estar bem claro!

 

Abraços!

[Maurelli 0]

Bom Dia!!!O post esta aki!!!!SmitFraudFix v2.240Scan done at 13:16:36,87, qua 24/10/2007Run from C:\SmitfraudFixOS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in safe mode»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix!!!Attention, following keys are not inevitably infected!!!SrchSTS.exe by S!RiSearch SharedTaskScheduler's .dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]"{A3717295-941D-416F-9384-ED1736729F1C}"="scpLIB"[HKEY_CLASSES_ROOT\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]@="C:\Arquivos de programas\Scpad\scpLIB.dll"[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]@="C:\Arquivos de programas\Scpad\scpLIB.dll"»»»»»»»»»»»»»»»»»»»»»»»» Killing process»»»»»»»»»»»»»»»»»»»»»»»» hosts127.0.0.1 localhost»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 FixS!Ri's WS2Fix: LSP not Found.»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos FixGenericRenosFix by S!Ri»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected filesC:\WINDOWS\system32\Delete_Me_Dummy_sulimo.dat Deleted»»»»»»»»»»»»»»»»»»»»»»»» DNSHKLM\SYSTEM\CCS\Services\Tcpip\..\{64790D00-4AC7-4CEE-8694-F5F8BB10ABC4}: DhcpNameServer=200.162.196.29 200.162.194.244HKLM\SYSTEM\CS1\Services\Tcpip\..\{64790D00-4AC7-4CEE-8694-F5F8BB10ABC4}: DhcpNameServer=200.162.196.29 200.162.194.244HKLM\SYSTEM\CS2\Services\Tcpip\..\{64790D00-4AC7-4CEE-8694-F5F8BB10ABC4}: DhcpNameServer=200.162.196.29 200.162.194.244HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=200.162.196.29 200.162.194.244HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=200.162.196.29 200.162.194.244HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=200.162.196.29 200.162.194.244»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System!!!Attention, following keys are not inevitably infected!!![HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"System"=""»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix!!!Attention, following keys are not inevitably infected!!!SrchSTS.exe by S!RiSearch SharedTaskScheduler's .dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]"{A3717295-941D-416F-9384-ED1736729F1C}"="scpLIB"[HKEY_CLASSES_ROOT\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]@="C:\Arquivos de programas\Scpad\scpLIB.dll"[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}\InProcServer32]@="C:\Arquivos de programas\Scpad\scpLIB.dll"»»»»»»»»»»»»»»»»»»»»»»»» End

[DigRam 144]

Boa Tarde Maurelli!

 

>@< O SmitfraudFix,removeu o malware!.

>@< Poste,na sua resposta,um nôvo Log do HijackThis.

 

Abraços!

[Maurelli 0]

Boa Tarde DigRam

 

Esta aki o que você me pediu!!!

 

Logfile of HijackThis v1.99.1

Scan saved at 17:52:57, on 24/10/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Eset\nod32krn.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Arquivos de programas\Java\jre1.6.0_02\bin\jucheck.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\HijackThis.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1046

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIPTA] C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Arquivos de programas\Free Download Manager\FUM\fumiebtn.dll (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

[DigRam 144]

Boa Noite Maurelli!

 

>@< O Log,ainda,apresenta infecção!

>@< Faça o download do a-squared Free 3.0

>@< Abra o programa e clique em: Atualizar agora >> Aguarde!

>@< Terminando,clique em: Analisar agora.

>@< Procure fazer,esta análise,em Modo de Segurança!

>@< Escolha a opção: A fundo.

>@< Clique em Analisar!

>@< Terminando,envie os ítens encontrados para a quarentena. Aonde,daí,serão excluídos ou restaurados.

>@< Salve o relatório,desta verificação,e poste na sua resposta + HJT,atualizado.

 

Abraços!

[Maurelli 0]

beleza Vou fazer isso agora....

[Maurelli 0]

Intaum cara eu pedi para meu pai fazer isso e ele não salvou o relatório eu passei de novo e salvei talves não seja a mesma coisa me desculpe....

 

a-squared Free - Versão 3.0

Last update: N/A

 

Configurações da análise:

 

Objetos: Memória, Rastros, Cookies, C:\, D:\

Análise de arquivos: Ligado

Heurística: Ligado

Análise de ADS: Ligado

 

Início da análise: 29/10/2007 12:48:42

 

Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FMTR00 --> Class detectado: Trace.Registry.BestsellerAntivirus

Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FMTR00 --> ClassGUID detectado: Trace.Registry.BestsellerAntivirus

Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FMTR00 --> ConfigFlags detectado: Trace.Registry.BestsellerAntivirus

Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FMTR00 --> DeviceDesc detectado: Trace.Registry.BestsellerAntivirus

Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FMTR00 --> Legacy detectado: Trace.Registry.BestsellerAntivirus

Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FMTR00 --> Service detectado: Trace.Registry.BestsellerAntivirus

Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FMTR --> NextInstance detectado: Trace.Registry.BestsellerAntivirus

D:\Caio\Naruto\Filme\Naruto_Project_Movie1.part1.rar/Naruto_Project_Movie1.rmvb detectado: Heuristic.ArchiveBomb

D:\Caio\Naruto\Naruto_Project_-_Shippuuden_29-30.part1.rmvb/Naruto_Project_-_Shippuuden_29-30.rmvb detectado: Heuristic.ArchiveBomb

 

Analisado

 

Arquivos: 98771

Objetos: 141204

Cookies: 135

Processos: 9

 

Encontrado

 

Arquivos: 2

Objetos: 7

Cookies: 0

Processos: 0

Chaves do registro: 0

 

Fim da análise: 29/10/2007 13:35:14

Duração da análise: 00:46:32

 

D:\Caio\Naruto\Filme\Naruto_Project_Movie1.part1.rar/Naruto_Project_Movie1.rmvb Em quarentena Heuristic.ArchiveBomb

D:\Caio\Naruto\Naruto_Project_-_Shippuuden_29-30.part1.rmvb/Naruto_Project_-_Shippuuden_29-30.rmvb Em quarentena Heuristic.ArchiveBomb

 

Em quarentena

 

Arquivos: 2

Objetos: 0

Cookies: 0

________________________________________________________________________________

_________________________________________

________________________________________________________________________________

_________________________________________

 

Aqui está o HJT....

 

Logfile of HijackThis v1.99.1

Scan saved at 14:28:26, on 29/10/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Eset\nod32krn.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1046

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Arquivos de programas\Free Download Manager\FUM\fumiebtn.dll (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

[DigRam 144]

Boa Noite Maurelli!

 

Intaum cara eu pedi para meu pai fazer isso e ele não salvou o relatório eu passei de novo e salvei talves não seja a mesma coisa me desculpe....

>@< Se o seu pai,ao finalizar a verificação,não tomou nenhuma ação...tudo bem!Mas,se deletou o que foi encontrado,não é a mesma coisa.

_____________________

 

>@< Abra o HijackThis e,com todas as janelas fechadas,dê Fix nestas entradas:

 

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

>@< Poste,na sua resposta,um nôvo Log do HijackThis.

 

Abraços!

[Maurelli 0]

Bom dia DigRam esta aki o que você me pediu....

 

Logfile of HijackThis v1.99.1

Scan saved at 12:42:37, on 31/10/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Arquivos de programas\Eset\nod32kui.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Arquivos de programas\a-squared Free\a2service.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Eset\nod32krn.exe

C:\HijackThis.exe

C:\Arquivos de programas\Java\jre1.6.0_02\bin\jucheck.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1046

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Arquivos de programas\Free Download Manager\FUM\fumiebtn.dll (file missing)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe

[DigRam 144]

Boa Tarde Maurelli!

 

>@< Faça o download do CCleaner.

>@< Baixe-o para o Desktop!

>@< Abra o programa e clique em Executar cleaner.

>@< Terminando,clique em Erros >> Procurar erros >> Corrigir erros.

_____________________

 

>@< Desabilite e reabilite a RS.

_____________________

 

>@< Cuidados ao navegar na Net.

_____________________

 

Meu NOD32 periodicamente abre uma janela dizendo que estou infectado com Uma variante modificada do win32/hoax.renos aplicação. Quando tento limpar ele ápenas manda para quarentena e continuo infectado.

>@< Êsse problema,ainda,lhe ocorre?

>@< Pois o Log está Limpo!

 

Abraços!

[Maurelli 0]

Boa Tarde...

 

Esse problema não me ocorre mais muito obrigado pela ajuda....

Já acabou o que tinha que fazer???