[Resolvido!] Trojan-PWS.Bancos

[buzzuh1 0]

Bom dia, caro amigos.

 

O Trojan-PWS.Bancos está constantemente sendo detectado pelo antivírus Spyware Doctor.

 

Será que há uma maneira de saber se meu pc ainda está contaminado, e, ainda melhor, como poderia fazer para me livrar desse vírus?

 

Desde já agradeço qualquer ajuda.

 

Fico no aguardo ansiosamente.

[Mário Monteiro 179]

conforme este topico post um log aqui

 

http://forum.imasters.com.br/index.php?showtopic=165906

[buzzuh1 0]

Segue o log analizado (se estiver errado por favor digam o correto '-') :

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:15:30, on 23/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDll32.exe

C:\WINDOWS\vVX1000.exe

C:\WINDOWS\system32\msshell.exe

C:\WINDOWS\system32\Gbpsv.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe

C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe

C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

C:\Arquivos de programas\Spyware Doctor\pctsTray.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Hijack\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - (no file)

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)

O3 - Toolbar: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - (no file)

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [msshell.exe] C:\WINDOWS\system32\msshell.exe

O4 - HKLM\..\Run: [Gbpsv.exe] C:\WINDOWS\system32\Gbpsv.exe

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [iSTray] "C:\Arquivos de programas\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe

O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe

O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

O4 - Global Startup: BTTray.lnk = ?

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

 

--

End of file - 8735 bytes

 

 

Fico ansiosamente no aguardo.

[MGuitar 11]

- Faça o download do BankerFix e salve-o no desktop;

 

● Desabilite o seu antivírus temporariamente para não detectar a ferramenta como vírus;

● Dê um duplo clique em bankerfix.exe;

● Surgirá uma mensagem dizendo que o mesmo será baixado via internet;

● Clique em OK > OK. Tecle Enter e aguarde o término do scan;

● Terminado o scan, leia a mensagem na tela e tecle Enter novamente.

● Será gerado um log em C:\LinhaDefensiva\relatorio.txt.

 

Cole este log em sua próxima resposta, juntamente com um novo log do HijackThis.

 

Delete a pasta C:\LinhaDefensiva após colar seu log aqui.

[buzzuh1 0]

Eu passo o Banker e diz que está limpo o pc, ai vou pegar o relatorio na pasta e tem 2 arquivos, um escrito relatorio (dentro só tem Fim escrito) e errorlog (sem nada dentro), lembrando quue desativei td para passa-lo. Oque eu faço?

 

@Hijack

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:29:05, on 24/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\RunDll32.exe

C:\WINDOWS\vVX1000.exe

C:\WINDOWS\system32\msshell.exe

C:\WINDOWS\system32\Gbpsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - (no file)

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)

O3 - Toolbar: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - (no file)

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [msshell.exe] C:\WINDOWS\system32\msshell.exe

O4 - HKLM\..\Run: [Gbpsv.exe] C:\WINDOWS\system32\Gbpsv.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe

O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe

O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

O4 - Global Startup: BTTray.lnk = ?

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

 

--

End of file - 7237 bytes

 

@

 

me ajudem sobre o banker se preciisar, se nao precisar vamos ao prozimo passo.

 

Aguardo ansiosamente.

[MGuitar 11]

- Faça o download do ComboFix e salve-o na área de trabalho;

 

● Desative temporariamente o seu antivirus para não detectar a ferramenta como vírus;

● Duplo clique no ícone combofix.exe para iniciar o scan;

● Leia o contrato que aparecerá e clique em Sim para continuar;

● Abrirá uma janela do Console de Recuperação, clique em Sim para instalar. Se aparecer outra janela do Console, clique em OK > Sim;

● Aguarde enquanto o ComboFix faz o scan;

● Se ocorrer algum problema durante o scan, reinicie seu computador em Modo de Segurança e repita o procedimento;

● Não clique na janela do ComboFix e procure não utilizar o teclado também, para não atrapalhar a varredura da ferramenta;

● Se quiser sair ou parar o ComboFix, tecle N;

● Quando terminar seu micro será reiniciado. Após o reinicio, a ferramenta executará novamente, aguarde;

● Será gerado um log em C:\ComboFix.txt.

 

Cole este log em sua próxima resposta.

[buzzuh1 0]

- Faça o download do ComboFix e salve-o na área de trabalho;

 

● Desative temporariamente o seu antivirus para não detectar a ferramenta como vírus;

● Duplo clique no ícone combofix.exe para iniciar o scan;

● Leia o contrato que aparecerá e clique em Sim para continuar;

● Abrirá uma janela do Console de Recuperação, clique em Sim para instalar. Se aparecer outra janela do Console, clique em OK > Sim;

● Aguarde enquanto o ComboFix faz o scan;

● Se ocorrer algum problema durante o scan, reinicie seu computador em Modo de Segurança e repita o procedimento;

● Não clique na janela do ComboFix e procure não utilizar o teclado também, para não atrapalhar a varredura da ferramenta;

● Se quiser sair ou parar o ComboFix, tecle N;

● Quando terminar seu micro será reiniciado. Após o reinicio, a ferramenta executará novamente, aguarde;

● Será gerado um log em C:\ComboFix.txt.

 

Cole este log em sua próxima resposta.

 

Quando vai iniciar o scan da o seguinte erro:

 

C:\WINDOWS\regedit.exe não encontrado.

Copie esse ficheiro/arquivo de outro computador "/

 

 

Fico na espera da solução e da resposta urgentemente.

 

Abraços e fico na espera ansiosamente!

[buzzuh1 0]

Ajudem por favor, mecho muito com transações in net e estou privado disso.

 

No aguardo !

[MGuitar 11]

Poste um novo log do HijackThis aqui.

[buzzuh1 0]

Segue abaixo:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:04:25, on 28/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\vVX1000.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\Hijack\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - (no file)

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)

O3 - Toolbar: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - (no file)

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe

O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe

O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

O4 - Global Startup: BTTray.lnk = ?

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

 

--

End of file - 7859 bytes

 

 

 

 

OBS: O Spyware Doctor nao está mais pegando o Trojan Bancos, não sei porque, pois nao fiz nada diferente, apenas sempre que pegava excluia, mas tenho certeza que ele ainda está aqui, mas mascarado, então segue o log acima e espero a obtenção de respostas e ajuda.

 

Fico na espera ansiosamente Sr. MGuitar, e obrigado pela paciencia até agora.

 

No aguardo.

[MGuitar 11]

A entrada do trojan banker não aparece mais no log.

 

OBS: O Spyware Doctor nao está mais pegando o Trojan Bancos, não sei porque, pois nao fiz nada diferente, apenas sempre que pegava excluia, mas tenho certeza que ele ainda está aqui, mas mascarado, então segue o log acima e espero a obtenção de respostas e ajuda.

Por que acha que o banker ainda está aí? Está ocorrendo algum problema no micro?

 

Execute o HijackThis e clique em Do a system scan only. Marque as entradas abaixo no log e clique no botão Fix Checked.

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - (no file)O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)O3 - Toolbar: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - (no file)O9 - Extra button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - (no file)O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)

 

- Faça o download do Malwarebytes Anti-Malware e salve-o no desktop;

 

● Dê dois cliques no programa para iniciar a instalação. Selecione o idioma Português (Brasil);

● Ao final da instalação, marque as opções "Atualizar Malwarebytes Anti-Malware" e "Executar Malwarebytes Anti-Malware", e clique em Concluir;

● Após a instalação execute o programa;

● Marque a opção Verificação Completa e depois clique em Verificar. Selecione sua unidade C: e clique no botão Iniciar Verificação;

● Quando o scan terminar, clique em OK e o log será automaticamente aberto para você;

● Se algo for detectado, verifique se todos os itens estão marcados e clique no botão Remover.

OBS: Caso apareça uma mensagem pedindo para que você reinicie o computador para completar o processo de remoção, reinicie-o imediatamente;

● O log pode ser consultado clicando em Logs do menu principal também;

 

Copie e cole o conteúdo desse log na sua próxima resposta, juntamente com um novo log do HijackThis.

[buzzuh1 0]

Sei que ele está aqui pois está camuflando-se com outros nomes, pois toda hora tbm meu avast pega o virus com nome diferente e local igual.

 

@Malwarebytes Log

 

Malwarebytes' Anti-Malware 1.31

Versão do banco de dados: 1569

Windows 5.1.2600 Service Pack 3

 

29/12/2008 19:43:55

mbam-log-2008-12-29 (19-43-55).txt

 

Tipo de Verificação: Completa (C:\|)

Objetos verificados: 107434

Tempo decorrido: 41 minute(s), 2 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 1

Valores do Registro infectados: 0

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 1

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7aa32fc7-133b-4ae7-998e-ced0d9829b12} (Trojan.Dialer) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

C:\WINDOWS\system32\configex.dll (Trojan.Agent) -> Quarantined and deleted successfully.

 

OBS: devo remover o file e a key da quarentena?

 

@Hijackthis Log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:49:47, on 29/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\vVX1000.exe

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\BTTray.exe

C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe

C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe

C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

C:\ARQUIV~1\SOFTWA~1\BLUETO~1\BTSTAC~1.EXE

C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe

C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe

O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe

O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe

O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe

O4 - Global Startup: BTTray.lnk = ?

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

 

--

End of file - 7575 bytes

 

 

@Fico ansiosamente na espera de um novo contato.

 

Abraços.

[MGuitar 11]

- Faça download do Kaspersky Removal Tool e salve na pasta de Arquivos de programas.

 

● Instale o programa normalmente seguindo todos os seus passos;

● Não faça ainda scan;

● Reinicie o PC em Modo de Segurança;

● Na tela principal do programa marque todas as caixas disponíveis, como mostra a imagem abaixo:

 

 

● Clique no botão Scan e aguarde;

● Seja paciente, o scan pode demorar;

● Se ele encontrar alguma infecção confirme a solicitação de remoção aos arquivos detectados;

● Ao término, salve o relatório no desktop;

● Reinicie o PC em Modo Normal e cole o relatório do scan aqui.

[buzzuh1 0]

Passei, e no final exclui os files, mas não apareceu relátorio, então fechei e fui procurar ele mas não achei.

Onde ele está?

 

 

OBS: Devido as festas de fim de ano, poderei me ausentar por alguns dias, vindo a nãoi responder, então peço que nao arquivem o topico, pois voltarei e postarei.

 

bzzh~

[Mário Monteiro 179]

voce terá um mes antes do arquivamento

 

é so postar neste prazo que nao será arquivado

[buzzuh1 0]

voce terá um mes antes do arquivamento

 

é so postar neste prazo que nao será arquivado

 

Thank's Mário.

 

@topic

 

Passei, e no final exclui os files, mas não apareceu relátorio, então fechei e fui procurar ele mas não achei.

Onde ele está?

 

 

OBS: Devido as festas de fim de ano, poderei me ausentar por alguns dias, vindo a nãoi responder, então peço que nao arquivem o topico, pois voltarei e postarei.

 

bzzh~

[MGuitar 11]

- Baixe o DatFind e salve-o em sua área de trabalho;

 

● Extraia o conteúdo do zip para o desktop;

● Dê um duplo clique em datFind.bat;

● Um relatório será apresentado. Feche-o clicando no X e tecle Enter;

● Repita o procedimento acima até o fechamento automático da janela do programa;

● Serão gerados os resultados em:

 

- C:\down.txt

- C:\sys.txt

- C:\system.txt

- C:\system32.txt

- C:\systemtemp.txt

- C:\tmp.txt

 

Cole-os em sua próxima resposta. Alguns são extensos, portanto, sugiro que upe-os no host abaixo e cole o link para download aqui:

 

http://rapidshare.com/

[buzzuh1 0]

Voltei e ai está:

 

C:\down.txt : http://rapidshare.com/files/179755901/down.txt.html

 

C:\sys.txt : http://rapidshare.com/files/179756612/sys.txt.html

 

C:\system.txt: http://rapidshare.com/files/179756944/system.txt.html

 

C:\system32.txt: http://rapidshare.com/files/179757129/system32.txt.html

 

C:\systemtemp.txt: http://rapidshare.com/files/179757379/systemtemp.txt.html

 

C:\tmp.txt: http://rapidshare.com/files/179757555/tmp.txt.html

 

 

Fico no aguardo de um novo contato, espero que breve.

[MGuitar 11]

Delete os logs do DatFind em C: > down.txt, sys.txt, system.txt, system32.txt, systemtemp.txt e tmp.txt.

 

- Faça o download do Avenger e salve-o no desktop;

 

● Extraia o conteúdo do zip para o desktop;

● Selecione e copie todo texto aqui abaixo:

 

Files to delete:

C:\autorun.inf

C:\WINDOWS\system32\patriciabuzzulini@uol.com.br

C:\WINDOWS\system32\uid=1045989527845440743

C:\WINDOWS\system32\uid=2885686896121853632

C:\WINDOWS\system32\uid=4504076080066645359

C:\WINDOWS\system32\uid=9602814483311113588

C:\WINDOWS\system32\uid=4580484133748391924

C:\WINDOWS\system32\uid=16048152644328462097

C:\WINDOWS\system32\uid=5825329121304732190

C:\WINDOWS\system32\uid=4591410426697234689

C:\WINDOWS\system32\uid=12876075998116755317

C:\WINDOWS\system32\uid=4577255811691623242

C:\WINDOWS\system32\uid=17101820517533745410

C:\WINDOWS\system32\uid=9158892763698024250

C:\WINDOWS\system32\uid=8557442134876207098

C:\WINDOWS\system32\uid=14404010794439640396

C:\WINDOWS\system32\uid=7663043091546830328

C:\WINDOWS\system32\uid=13772043648797331110

C:\WINDOWS\system32\uid=15067451386710891240

C:\WINDOWS\system32\uid=7439721156832052866

C:\WINDOWS\system32\uid=11192917282963329867

C:\WINDOWS\system32\uid=11167543363058348710

C:\WINDOWS\system32\uid=12523530883770630765

C:\WINDOWS\system32\uid=1009911936326315757

C:\WINDOWS\system32\uid=13338729928094154483

C:\WINDOWS\system32\uid=14585942152447435720

C:\WINDOWS\system32\uid=4624755382826965959

C:\WINDOWS\system32\uid=10739193928949400571

C:\WINDOWS\system32\uid=11513382310301150731

C:\WINDOWS\system32\uid=14848414288034899911

C:\WINDOWS\system32\uid=13252300349884649416

C:\WINDOWS\system32\uid=883351913936270544

C:\WINDOWS\system32\uid=4380447701989621275

C:\WINDOWS\system32\uid=14359176092716221074

C:\WINDOWS\system32\uid=11134791620756834142

C:\WINDOWS\system32\uid=16597138843653278225

C:\WINDOWS\system32\uid=3282441757440383801

C:\WINDOWS\system32\uid=18240982950239791665

C:\WINDOWS\system32\uid=13333655747226541244

C:\WINDOWS\system32\uid=5164556958691532765

C:\WINDOWS\system32\uid=3835022811352473769

C:\WINDOWS\system32\uid=10827420020903341892

C:\WINDOWS\system32\uid=4724895322280578819

C:\WINDOWS\system32\uid=12186675244164180891

C:\WINDOWS\system32\uid=2030408281809444569

C:\WINDOWS\system32\uid=4211501964227543910

C:\WINDOWS\system32\uid=15827685243954394824

C:\WINDOWS\system32\uid=10280341339406871048

C:\WINDOWS\system32\uid=11557267685515620872

C:\WINDOWS\system32\uid=8167821711845495899

C:\WINDOWS\system32\uid=12944802152005432064

C:\WINDOWS\system32\uid=14915571585510247110

C:\WINDOWS\system32\uid=4229811842761538179

C:\WINDOWS\system32\uid=5743121400396174574

C:\WINDOWS\system32\uid=8549419526561509745

C:\WINDOWS\system32\uid=14615432934337853229

C:\WINDOWS\system32\uid=14469937097488124807

C:\WINDOWS\system32\uid=16696020375962317007

C:\WINDOWS\system32\uid=16286774345415758249

C:\WINDOWS\system32\uid=9834609693019369588

C:\WINDOWS\system32\uid=14927455998618586549

C:\WINDOWS\system32\uid=2253032288795791711

C:\WINDOWS\system32\uid=15264520718467380340

C:\WINDOWS\system32\uid=2473474355759605793

C:\WINDOWS\system32\uid=11982867404172742985

C:\WINDOWS\system32\uid=17596874675938031725

C:\WINDOWS\system32\uid=10724607122913695366

C:\WINDOWS\system32\uid=13421561404747706885

C:\WINDOWS\system32\uid=15487735035592855767

C:\WINDOWS\system32\uid=2968292252978635384

C:\WINDOWS\system32\uid=10328085689903561590

C:\WINDOWS\system32\uid=368464081701822072

C:\WINDOWS\system32\uid=8352731057528418805

C:\WINDOWS\system32\uid=10223451005171818194

C:\WINDOWS\system32\uid=6828286922337887152

C:\WINDOWS\system32\uid=15520590001040757640

C:\WINDOWS\system32\uid=5324603696595594455

C:\WINDOWS\system32\uid=2100542427674102073

C:\WINDOWS\system32\uid=1320856687146704207

 

● Execute o programa Avenger, dando dois cliques em avenger.exe;

● Clique no menu Load Script > Paste from Clipboard;

● Clique no botão Execute > Yes > OK;

● Seu computador será reiniciado;

● Será gerado um log em C:\avenger.txt

 

Cole este log em sua próxima resposta.

[buzzuh1 0]

Conforme o pedido:

 

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

File "C:\autorun.inf" deleted successfully.

File "C:\WINDOWS\system32\patriciabuzzulini@uol.com.br" deleted successfully.

File "C:\WINDOWS\system32\uid=1045989527845440743" deleted successfully.

File "C:\WINDOWS\system32\uid=2885686896121853632" deleted successfully.

File "C:\WINDOWS\system32\uid=4504076080066645359" deleted successfully.

File "C:\WINDOWS\system32\uid=9602814483311113588" deleted successfully.

File "C:\WINDOWS\system32\uid=4580484133748391924" deleted successfully.

File "C:\WINDOWS\system32\uid=16048152644328462097" deleted successfully.

File "C:\WINDOWS\system32\uid=5825329121304732190" deleted successfully.

File "C:\WINDOWS\system32\uid=4591410426697234689" deleted successfully.

File "C:\WINDOWS\system32\uid=12876075998116755317" deleted successfully.

File "C:\WINDOWS\system32\uid=4577255811691623242" deleted successfully.

File "C:\WINDOWS\system32\uid=17101820517533745410" deleted successfully.

File "C:\WINDOWS\system32\uid=9158892763698024250" deleted successfully.

File "C:\WINDOWS\system32\uid=8557442134876207098" deleted successfully.

File "C:\WINDOWS\system32\uid=14404010794439640396" deleted successfully.

File "C:\WINDOWS\system32\uid=7663043091546830328" deleted successfully.

File "C:\WINDOWS\system32\uid=13772043648797331110" deleted successfully.

File "C:\WINDOWS\system32\uid=15067451386710891240" deleted successfully.

File "C:\WINDOWS\system32\uid=7439721156832052866" deleted successfully.

File "C:\WINDOWS\system32\uid=11192917282963329867" deleted successfully.

File "C:\WINDOWS\system32\uid=11167543363058348710" deleted successfully.

File "C:\WINDOWS\system32\uid=12523530883770630765" deleted successfully.

File "C:\WINDOWS\system32\uid=1009911936326315757" deleted successfully.

File "C:\WINDOWS\system32\uid=13338729928094154483" deleted successfully.

File "C:\WINDOWS\system32\uid=14585942152447435720" deleted successfully.

File "C:\WINDOWS\system32\uid=4624755382826965959" deleted successfully.

File "C:\WINDOWS\system32\uid=10739193928949400571" deleted successfully.

File "C:\WINDOWS\system32\uid=11513382310301150731" deleted successfully.

File "C:\WINDOWS\system32\uid=14848414288034899911" deleted successfully.

File "C:\WINDOWS\system32\uid=13252300349884649416" deleted successfully.

File "C:\WINDOWS\system32\uid=883351913936270544" deleted successfully.

File "C:\WINDOWS\system32\uid=4380447701989621275" deleted successfully.

File "C:\WINDOWS\system32\uid=14359176092716221074" deleted successfully.

File "C:\WINDOWS\system32\uid=11134791620756834142" deleted successfully.

File "C:\WINDOWS\system32\uid=16597138843653278225" deleted successfully.

File "C:\WINDOWS\system32\uid=3282441757440383801" deleted successfully.

File "C:\WINDOWS\system32\uid=18240982950239791665" deleted successfully.

File "C:\WINDOWS\system32\uid=13333655747226541244" deleted successfully.

File "C:\WINDOWS\system32\uid=5164556958691532765" deleted successfully.

File "C:\WINDOWS\system32\uid=3835022811352473769" deleted successfully.

File "C:\WINDOWS\system32\uid=10827420020903341892" deleted successfully.

File "C:\WINDOWS\system32\uid=4724895322280578819" deleted successfully.

File "C:\WINDOWS\system32\uid=12186675244164180891" deleted successfully.

File "C:\WINDOWS\system32\uid=2030408281809444569" deleted successfully.

File "C:\WINDOWS\system32\uid=4211501964227543910" deleted successfully.

File "C:\WINDOWS\system32\uid=15827685243954394824" deleted successfully.

File "C:\WINDOWS\system32\uid=10280341339406871048" deleted successfully.

File "C:\WINDOWS\system32\uid=11557267685515620872" deleted successfully.

File "C:\WINDOWS\system32\uid=8167821711845495899" deleted successfully.

File "C:\WINDOWS\system32\uid=12944802152005432064" deleted successfully.

File "C:\WINDOWS\system32\uid=14915571585510247110" deleted successfully.

File "C:\WINDOWS\system32\uid=4229811842761538179" deleted successfully.

File "C:\WINDOWS\system32\uid=5743121400396174574" deleted successfully.

File "C:\WINDOWS\system32\uid=8549419526561509745" deleted successfully.

File "C:\WINDOWS\system32\uid=14615432934337853229" deleted successfully.

File "C:\WINDOWS\system32\uid=14469937097488124807" deleted successfully.

File "C:\WINDOWS\system32\uid=16696020375962317007" deleted successfully.

File "C:\WINDOWS\system32\uid=16286774345415758249" deleted successfully.

File "C:\WINDOWS\system32\uid=9834609693019369588" deleted successfully.

File "C:\WINDOWS\system32\uid=14927455998618586549" deleted successfully.

File "C:\WINDOWS\system32\uid=2253032288795791711" deleted successfully.

File "C:\WINDOWS\system32\uid=15264520718467380340" deleted successfully.

File "C:\WINDOWS\system32\uid=2473474355759605793" deleted successfully.

File "C:\WINDOWS\system32\uid=11982867404172742985" deleted successfully.

File "C:\WINDOWS\system32\uid=17596874675938031725" deleted successfully.

File "C:\WINDOWS\system32\uid=10724607122913695366" deleted successfully.

File "C:\WINDOWS\system32\uid=13421561404747706885" deleted successfully.

File "C:\WINDOWS\system32\uid=15487735035592855767" deleted successfully.

File "C:\WINDOWS\system32\uid=2968292252978635384" deleted successfully.

File "C:\WINDOWS\system32\uid=10328085689903561590" deleted successfully.

File "C:\WINDOWS\system32\uid=368464081701822072" deleted successfully.

File "C:\WINDOWS\system32\uid=8352731057528418805" deleted successfully.

File "C:\WINDOWS\system32\uid=10223451005171818194" deleted successfully.

File "C:\WINDOWS\system32\uid=6828286922337887152" deleted successfully.

File "C:\WINDOWS\system32\uid=15520590001040757640" deleted successfully.

File "C:\WINDOWS\system32\uid=5324603696595594455" deleted successfully.

File "C:\WINDOWS\system32\uid=2100542427674102073" deleted successfully.

File "C:\WINDOWS\system32\uid=1320856687146704207" deleted successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

No aguardo de um novo contato, espero que breve.