[Arquivado] Malware olhrwef

Tormentor · Abril 29, 2009

Olá,

sou novo por aqui, e bem pra resumir o assunto de maneira objetiva, meu pc está infectado com este malware chamado Olhrwef, que peguei qdo copiei arquivos de um pen drive de um "mui amigo"...rsrs Então resolvi consultar o Oráculo.

Vendo os outros posts vi q a galera pede pra fazer o processo com o combofix, então me adiantei, se não for este o caso me desculpe, pois minha intenção é de apenas adiantar o processo....tá ai o log:

ComboFix 09-04-28.02 - Careca 28/04/2009 23:21.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.735.519 [GMT -3:00]

Executando de: c:\documents and settings\Careca\Desktop\ComboFix.exe

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)

FW: Kaspersky Anti-Virus *disabled*

* Criado um novo ponto de restauro

ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\autorun.inf

c:\documents and settings\Careca\Dados de aplicativos\inst.exe

c:\windows\IE4 Error Log.txt

c:\windows\system32\nmdfgds0.dll

c:\windows\system32\nmdfgds1.dll

D:\Autorun.inf

E:\Autorun.inf

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-05-28 to 2009-4-29 ))))))))))))))))))))))))))))

.

2009-04-28 19:53 . 2009-04-28 19:53 105774 --sh--r C:\ymxf2.exe

2009-04-28 19:53 . 2009-04-24 20:29 106749 --sh--r C:\npee.com

2009-04-28 19:46 . 2009-04-28 19:46 -------- d-----w c:\documents and settings\Careca\Dados de aplicativos\U3

2009-04-18 04:27 . 2009-04-28 20:07 -------- d-----w c:\arquivos de programas\URUSoft

2009-04-15 23:02 . 2009-04-15 23:02 -------- d-----w c:\arquivos de programas\AMR Converter Pro

2009-04-15 23:02 . 2009-04-15 23:02 -------- d--h--w c:\documents and settings\All Users\Dados de aplicativos\{00BAB1C5-D99B-4EF4-B1D6-1DEB5DA070DA}

2009-04-02 03:16 . 2009-04-02 03:16 -------- d-s---w c:\documents and settings\Patrícia\Histórico

2009-04-02 03:16 . 2009-04-02 03:16 -------- d-s---w c:\documents and settings\Patrícia\Temporary Internet Files

2009-04-02 03:16 . 2009-04-02 03:16 -------- d-s---w c:\documents and settings\Patrícia\Histórico

2009-04-02 03:16 . 2009-04-02 03:16 -------- d-s---w c:\documents and settings\Patrícia\Temporary Internet Files

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-29 02:33 . 2008-04-17 23:31 740896 --sha-w c:\windows\system32\drivers\fidbox2.dat

2009-04-28 22:36 . 2008-04-17 23:31 81584 --sha-w c:\windows\system32\drivers\fidbox2.idx

2009-04-28 22:36 . 2008-04-17 23:31 190196 --sha-w c:\windows\system32\drivers\fidbox.idx

2009-04-28 22:36 . 2008-04-17 23:31 12916768 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-04-16 10:59 . 2009-02-12 22:31 25696 ----a-w c:\documents and settings\Patrícia\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2009-04-15 20:13 . 2008-04-02 12:22 25696 ----a-w c:\documents and settings\Careca\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2009-04-09 19:40 . 2008-12-22 15:09 90112 ----a-w c:\windows\DUMP3ac6.tmp

2009-03-28 16:06 . 2009-03-28 16:06 -------- d-----w c:\arquivos de programas\7-Zip

2009-03-07 15:58 . 2009-03-07 15:58 -------- d-----w c:\arquivos de programas\K-Lite Codec Pack

2009-02-24 17:19 . 2009-02-24 17:19 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys

2009-02-24 17:19 . 2009-02-24 17:19 47360 ----a-w c:\documents and settings\Careca\Dados de aplicativos\pcouffin.sys

2009-02-08 15:46 . 2001-10-28 18:07 67232 ----a-w c:\windows\system32\perfc016.dat

2009-02-08 15:46 . 2001-10-28 18:07 425072 ----a-w c:\windows\system32\perfh016.dat

2009-01-13 00:26 . 2008-04-02 12:33 67688 ----a-w c:\arquivos de programas\mozilla firefox\components\jar50.dll

2009-01-13 00:26 . 2008-04-02 12:33 54368 ----a-w c:\arquivos de programas\mozilla firefox\components\jsd3250.dll

2009-01-13 00:26 . 2008-04-02 12:33 34944 ----a-w c:\arquivos de programas\mozilla firefox\components\myspell.dll

2009-01-13 00:26 . 2008-04-02 12:33 46712 ----a-w c:\arquivos de programas\mozilla firefox\components\spellchk.dll

2009-01-13 00:26 . 2008-04-02 12:33 172136 ----a-w c:\arquivos de programas\mozilla firefox\components\xpinstal.dll

.

------- Sigcheck -------

[-] 2004-08-04 02:45 14336 5DE3E7B6F7624552F2F06664F110820D c:\windows\system32\svchost.exe

[-] 2004-08-04 02:45 14336 5DE3E7B6F7624552F2F06664F110820D c:\windows\system32\dllcache\svchost.exe

[-] 2005-03-02 18:18 577536 7FFBCF1B94E6929DEECE06670C2407D6 c:\windows\SoftwareDistribution\Download\75d0f541d3a8d8d4ef5b82f923e0e460\sp2gdr\user32.dll

[-] 2005-03-02 18:20 577536 3ED0A4D74EFD5AAF8408095F452E2613 c:\windows\SoftwareDistribution\Download\75d0f541d3a8d8d4ef5b82f923e0e460\sp2qfe\user32.dll

[-] 2007-03-08 15:36 578048 B5782EE6EAFE3C218236F79F1A27B747 c:\windows\SoftwareDistribution\Download\97230336356bec55d07286344aba34f0\sp2gdr\user32.dll

[-] 2007-03-08 15:50 578560 F86D3E5C8FE13297E1C2D662F9E2D59D c:\windows\SoftwareDistribution\Download\97230336356bec55d07286344aba34f0\sp2qfe\user32.dll

[-] 2004-08-04 02:45 577536 E0FF28447D1038DE106D1F2FDF851647 c:\windows\system32\user32.dll

[-] 2004-08-04 02:45 577536 E0FF28447D1038DE106D1F2FDF851647 c:\windows\system32\dllcache\user32.dll

[-] 2004-08-04 02:45 82944 A5163442377D3C305BBFF612F80047D7 c:\windows\system32\ws2_32.dll

[-] 2004-08-04 02:45 82944 A5163442377D3C305BBFF612F80047D7 c:\windows\system32\dllcache\ws2_32.dll

[-] 2007-12-07 01:07 661504 6E9BDDEFA42886F554B115DA3A7E1180 c:\windows\SoftwareDistribution\Download\e4e64be1b8a214f3509bd1bcf7eab983\sp2gdr\wininet.dll

[-] 2007-12-07 00:46 668160 2324E8E86733233A9435F9EA6A92B6E2 c:\windows\SoftwareDistribution\Download\e4e64be1b8a214f3509bd1bcf7eab983\sp2qfe\wininet.dll

[-] 2004-08-04 02:45 658432 398A619CE60090303042D1F8CC68F712 c:\windows\system32\wininet.dll

[-] 2004-08-04 02:45 658432 398A619CE60090303042D1F8CC68F712 c:\windows\system32\dllcache\wininet.dll

[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\SoftwareDistribution\Download\b9fafcb4f08309cfc9fe52fdea805e5a\sp2gdr\tcpip.sys

[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\SoftwareDistribution\Download\b9fafcb4f08309cfc9fe52fdea805e5a\sp2qfe\tcpip.sys

[-] 2004-08-04 01:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\system32\dllcache\tcpip.sys

[-] 2004-08-04 01:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-04 02:45 504320 6F7BDE7A1126DEBF0CC359A54953EFC1 c:\windows\system32\winlogon.exe

[-] 2004-08-04 02:45 504320 6F7BDE7A1126DEBF0CC359A54953EFC1 c:\windows\system32\dllcache\winlogon.exe

[-] 2004-08-04 01:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys

[-] 2004-08-04 01:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 01:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\dllcache\ip6fw.sys

[-] 2004-08-04 01:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[-] 2007-02-28 16:02 2061824 1683AF18422F7DE34575EE95BE882AD1 c:\windows\SoftwareDistribution\Download\29b62a154932d48a836bac5b0a286054\sp2gdr\ntkrnlpa.exe

[-] 2007-02-28 16:08 2063616 D027F0097B8F099C09369B8CC97D7C32 c:\windows\SoftwareDistribution\Download\29b62a154932d48a836bac5b0a286054\sp2qfe\ntkrnlpa.exe

[-] 2005-03-02 18:08 2061056 D5ED391B213FA2A6EE25DE5AB8512360 c:\windows\SoftwareDistribution\Download\75d0f541d3a8d8d4ef5b82f923e0e460\sp2gdr\ntkrnlpa.exe

[-] 2005-03-02 18:13 2061184 AED7B3AA86AD031CF39C6E4BBA37E818 c:\windows\SoftwareDistribution\Download\75d0f541d3a8d8d4ef5b82f923e0e460\sp2qfe\ntkrnlpa.exe

[-] 2004-08-04 02:55 2061056 C9BAE5544B8AA39454C50D8FF83AE5A8 c:\windows\system32\ntkrnlpa.exe

[-] 2007-02-28 16:02 2184576 986C40660057A2BAC752ED4F97CF4A10 c:\windows\SoftwareDistribution\Download\29b62a154932d48a836bac5b0a286054\sp2gdr\ntoskrnl.exe

[-] 2007-02-28 16:08 2186368 BFB4C8761976CCE0B544D557B4C70825 c:\windows\SoftwareDistribution\Download\29b62a154932d48a836bac5b0a286054\sp2qfe\ntoskrnl.exe

[-] 2005-03-02 18:09 2183552 0DA99D0CBD578AD96EFFD3A571CE8437 c:\windows\SoftwareDistribution\Download\75d0f541d3a8d8d4ef5b82f923e0e460\sp2gdr\ntoskrnl.exe

[-] 2005-03-02 18:13 2183808 6E3AB4241E058B248CB7CDC5157449C3 c:\windows\SoftwareDistribution\Download\75d0f541d3a8d8d4ef5b82f923e0e460\sp2qfe\ntoskrnl.exe

[-] 2004-08-04 02:40 2185216 3B72A63F230DFB276FC96A99173A81BE c:\windows\system32\ntoskrnl.exe

[-] 2004-08-04 02:45 1034240 FA61A19050AE14BEC1A26DE82390DD65 c:\windows\explorer.exe

[-] 2007-06-13 13:21 1035264 DCCBF18E94D651393A3FFA060F88E0A0 c:\windows\SoftwareDistribution\Download\ded860808e92d18393ff7e54f31e0110\sp2gdr\explorer.exe

[-] 2007-06-13 13:10 1035264 45D521506825A10B80833B4E9621CCF6 c:\windows\SoftwareDistribution\Download\ded860808e92d18393ff7e54f31e0110\sp2qfe\explorer.exe

[-] 2004-08-04 02:45 1034240 FA61A19050AE14BEC1A26DE82390DD65 c:\windows\system32\dllcache\explorer.exe

[-] 2004-08-04 02:45 108544 CC73C4430C2FC27FDE16A0A4E3678148 c:\windows\system32\services.exe

[-] 2004-08-04 02:45 108544 CC73C4430C2FC27FDE16A0A4E3678148 c:\windows\system32\dllcache\services.exe

[-] 2004-08-04 02:45 13312 35C6463B3C5F62D2B20C953B6E1538E9 c:\windows\system32\lsass.exe

[-] 2004-08-04 02:45 13312 35C6463B3C5F62D2B20C953B6E1538E9 c:\windows\system32\dllcache\lsass.exe

[-] 2004-08-04 02:45 15360 F40BC97996B8E53799EEF1D63996674B c:\windows\system32\ctfmon.exe

[-] 2004-08-04 02:45 15360 F40BC97996B8E53799EEF1D63996674B c:\windows\system32\dllcache\ctfmon.exe

[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\SoftwareDistribution\Download\14e5a8ba09d3f89c5d29ced3aaf0345d\sp2gdr\spoolsv.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\SoftwareDistribution\Download\14e5a8ba09d3f89c5d29ced3aaf0345d\sp2qfe\spoolsv.exe

[-] 2004-08-04 02:45 57856 3971289FA7072812CAF4D053BBC6352B c:\windows\system32\spoolsv.exe

[-] 2004-08-04 02:45 57856 3971289FA7072812CAF4D053BBC6352B c:\windows\system32\dllcache\spoolsv.exe

[-] 2004-08-04 02:45 24576 4CA695EC1EE4C7CF2144DFA00EA0E1F7 c:\windows\system32\userinit.exe

[-] 2004-08-04 02:45 24576 4CA695EC1EE4C7CF2144DFA00EA0E1F7 c:\windows\system32\dllcache\userinit.exe

[-] 2004-08-04 02:45 296960 23DFF6DAA7565CC5802E057A6B9F585E c:\windows\system32\termsrv.dll

[-] 2004-08-04 02:45 296960 23DFF6DAA7565CC5802E057A6B9F585E c:\windows\system32\dllcache\termsrv.dll

[-] 2007-04-16 15:53 1023488 ECE3A528F975CEEC8B4FAF404548A449 c:\windows\SoftwareDistribution\Download\39b89ace70b7b8835cbd8e0693198ce9\sp2gdr\kernel32.dll

[-] 2007-04-16 16:11 1025024 631A6F8B57F800E4B55F8539F76E7274 c:\windows\SoftwareDistribution\Download\39b89ace70b7b8835cbd8e0693198ce9\sp2qfe\kernel32.dll

[-] 2004-08-04 02:45 1022464 AD72A244955E89EBBB8FABF02F8041C6 c:\windows\system32\kernel32.dll

[-] 2004-08-04 02:45 1022464 AD72A244955E89EBBB8FABF02F8041C6 c:\windows\system32\dllcache\kernel32.dll

[-] 2004-08-04 02:45 17408 0F81EB414DE1D77DD315F4A3D324BC1E c:\windows\system32\powrprof.dll

[-] 2004-08-04 02:45 17408 0F81EB414DE1D77DD315F4A3D324BC1E c:\windows\system32\dllcache\powrprof.dll

[-] 2004-08-04 02:45 110080 602B88592E0690D0DFB5E5F44A9EF820 c:\windows\system32\imm32.dll

[-] 2004-08-04 02:45 110080 602B88592E0690D0DFB5E5F44A9EF820 c:\windows\system32\dllcache\imm32.dll

[-] 2004-08-04 02:45 1548288 1DD4FC7EEE3A45257528A34FDF7BC689 c:\windows\system32\sfcfiles.dll

[-] 2004-08-04 02:45 1548288 1DD4FC7EEE3A45257528A34FDF7BC689 c:\windows\system32\dllcache\sfcfiles.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdoosoft

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\Brazilian\\setup.exe"=

"c:\\Arquivos de programas\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

"c:\\Arquivos de programas\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R3 AVPsys;AVPsys; [x]

S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f18939f-342a-11de-bf58-000d8786c4d2}]

\Shell\AutoRun\command - I:\npee.com

\Shell\open\Command - I:\npee.com

.

------- Scan Suplementar -------

.

uStart Page = https://www.google.com/a/efeitonocivo.com/S...mp;ltmplcache=2

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {98CDD6E6-D93B-4333-8D58-B5CE6B78BA18} = 201.10.120.2,201.10.128.3

FF - ProfilePath - c:\documents and settings\Careca\Dados de aplicativos\Mozilla\Firefox\Profiles\70tjfj9l.default\

FF - component: c:\arquivos de programas\Mozilla Firefox\components\xpinstal.dll

.

------- Associação de arquivos/ficheiros -------

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-28 23:32

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(1036)

c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll

c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1092)

c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll

c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll

c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll

.

Tempo para conclusão: 2009-04-29 23:36

ComboFix-quarantined-files.txt 2009-04-29 02:36

Pré-execução: 1.711.001.600 bytes disponíveis

Pós execução: 2.443.378.688 bytes disponíveis

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8

187

Desde já agradeço e fico no aguardo,

Pesado abraço.

Power Max · Abril 29, 2009

:thumbsup: Olá! Seja bem-vindo ao Fórum Imasters.

Vários problemas foram removidos pelo Combofix.

Sugiro que você salve ou imprima essas instruções abaixo, pois em alguns momentos você poderá precisar usar o computador sem o acesso à internet:

- Faça o download do USBFix e salve-o no desktop (área de trabalho):

http://rapidshare.com/files/186762158/UsbFix.exe

Obs: Quando acessar o site acima, clique no botão Free user > aguarde a contagem regressiva > Clique no botão Download.

● Desative temporariamente seu antivírus;

● Dê um duplo clique no ícone do programa e instale-o clicando em (Suivant > Aceite o contrato > Suivant > Suivant > Démarrer > Quitter);

● Dê um duplo clique no ícone do USBFix criado no desktop para executá-lo;

● Insira o pen drive, MP3, MP4, ou outra mídia removível que você suspeite que possa estar infectada na porta USB do PC;

● Tecle 1, pressione Enter e siga as instruções que aparecer. Seu computador será reiniciado, aguarde e espere-o reiniciar;

● O PC será reiniciado. Mantenha o pen drive no local. Não remova!

● Quando estiver reiniciando aparecerá uma tela azul lhe dizendo que as unidades estão sendo verificadas;

● Após reiniciar, a ferramenta será executada automaticamente. Apenas aguarde sem mover o mouse ou usar o teclado;

● Ao receber a mensagem "Nettoyage effectue!", tecle ENTER

● Será aberto o log no bloco de notas automaticamente. O log também estará em C:\UsbFix.txt.

OBS: Se após reiniciar o seu desktop sumir, tecle Ctrl + Alt + Delete para rodar o gerenciador de tarefas. Clique em Arquivo > Executar nova tarefa, digite: explorer.exe e dê um OK.

Poste este log em sua próxima resposta juntamente com um log do programa Hijackthis e nos diga como está o PC após este procedimento.

Para postar o log do Hijackthis é só seguir as dicas deste tópico:

http://forum.imasters.com.br/index.php?showtopic=165906

Ficamos no aguardo.

Tormentor · Abril 29, 2009

Salve Salve Antonio,

cara, o problema é que eu já devolvi o pen drive infectado :upset:

até que o pc tá de boa, mas o maldito olhrwef tá ali....rsrsr

então minha dúvida é se devo proceder como orientado acima ou de outra forma???

Power Max · Abril 29, 2009

Salve Salve Antonio,

cara, o problema é que eu já devolvi o pen drive infectado :upset:

até que o pc tá de boa, mas o maldito olhrwef tá ali....rsrsr

então minha dúvida é se devo proceder como orientado acima ou de outra forma???

Mesmo sem estar com o pendrive você pode executar o Usbfix conforme lhe passei pois ele é muito importante para remover os problemas de seu computador. E se em algum momento ele dizer que não há pendrive ou alguma mensagem deste tipo é só você escolher sempre a opção de Continuar até que ele complete o trabalho dele.

Depois disto poste os novos logs e nos diga como está o PC depois disto.

Tormentor · Abril 30, 2009

Fala Antonio,

então, segue os logs:

-------------- UsbFix V2.413.4 ---------------

* User : xxxxxx - XXXX

* Outils mis a jours le 11/12/2008 par Chiquitine29 et Chimay8

* Recherche effectuée à 23:29:30 le qua 29/04/2009

* Windows Xp - Internet Explorer 6.0.2900.2180

--------------- [ Processus actifs ] ----------------

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\logonui.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\system32\userinit.exe

C:\DOCUME~1\Careca\CONFIG~1\Temp\1.tmp\b2e.exe

--------------- [ Informations lecteurs ] ----------------

C: - Unidade de disco fixoD: - Unidade de disco fixoE: - Unidade de disco fixo

--------------- [ Lecteur C ] ----------------

C: - Unidade de disco fixo

+- Listing des fichiers présents :

[01/04/2008 20:00][--a------] C:\AUTOEXEC.BAT

[24/04/2009 17:29][-r-hs----] C:\npee.com

[24/04/2009 17:29][-r-hs----] C:\NTDETECT.COM

[28/04/2009 16:53][-r-hs----] C:\ymxf2.exe

[28/04/2009 18:22][---hs----] C:\boot.ini

[28/04/2009 23:37][--a------] C:\ComboFix.txt

[28/04/2009 23:37][--a------] C:\UsbFix.txt

[01/04/2008 20:00][--a------] C:\CONFIG.SYS

[01/04/2008 20:00][--a------] C:\hiberfil.sys

[01/04/2008 20:00][--a------] C:\IO.SYS

[01/04/2008 20:00][--a------] C:\MSDOS.SYS

[01/04/2008 20:00][--a------] C:\pagefile.sys

--------------- [ Lecteur D ] ----------------

D: - Unidade de disco fixo

+- Listing des fichiers présents :

[24/04/2009 17:29][-r-hs----] D:\npee.com

[28/04/2009 16:53][-r-hs----] D:\ymxf2.exe

--------------- [ Lecteur E ] ----------------

E: - Unidade de disco fixo

+- Listing des fichiers présents :

[24/04/2009 17:29][-r-hs----] E:\npee.com

[28/04/2009 16:53][-r-hs----] E:\ymxf2.exe

--------------- [ Registre / Startup ] ----------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}="C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

NeroFilterCheck=C:\WINDOWS\system32\NeroCheck.exe

AVP="C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=

Installed=1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=

Installed=1

NoChange=1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=

Installed=1

--------------- [ Registre / Mountpoint2 ] ----------------

Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H\Shell\AutoRun\command

Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f18939f-342a-11de-bf58-000d8786c4d2}\Shell\AutoRun\command

Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7f18939f-342a-11de-bf58-000d8786c4d2}\Shell\open\Command

--------------- [ Nettoyage des disques ] ----------------

--------------- [ Resumé ] ----------------

-> /!\ Le resultat doit etre [http://www.virustotal.com/fr/ interprété] par un spécialiste /!\

[01/04/2008 20:00][--a------] C:\AUTOEXEC.BAT

[24/04/2009 17:29][-r-hs----] C:\npee.com

[24/04/2009 17:29][-r-hs----] C:\NTDETECT.COM

[28/04/2009 16:53][-r-hs----] C:\ymxf2.exe

[28/04/2009 18:22][---hs----] C:\boot.ini

[24/04/2009 17:29][-r-hs----] D:\npee.com

[28/04/2009 16:53][-r-hs----] D:\ymxf2.exe

[24/04/2009 17:29][-r-hs----] E:\npee.com

[28/04/2009 16:53][-r-hs----] E:\ymxf2.exe

--------------- ! Fin du rapport ! ----------------

******************************************************************************

Hijack

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:36:34, on 29/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe

C:\Hijack\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{98CDD6E6-D93B-4333-8D58-B5CE6B78BA18}: NameServer = 201.10.120.2,201.10.128.3

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

--

End of file - 2678 bytes

Power Max · Abril 30, 2009

:thumbsup: Mais outros problemas foram resolvidos pelo UsbFix.

________________________________________________________________________________

:seta: Abra o HijackThis, clique em Do a system scan only, marque a entrada abaixo e clique em Fix checked:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

________________________________________________________________________________

:seta: Depois disto siga as dicas deste tutorial:

Tutorial do Spyware Doctor Starter Edition

Poste o log do Spyware Doctor juntamente com um novo log do Hijackthis em sua próxima resposta e nos diga como está o seu PC depois disto.

Tormentor · Maio 3, 2009

Grande Antonio,

nossa, to de cara com o tanto de coisa que o Spyware Doctor pegou... :blink:

como iria dar muitas telas, optei por postar apenas uma parte do que o spyware pegou....hehehe

agora se for de suma importância que você veja tudo, dá um toque que aí eu posto.

segue os logs:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:55:39, on 3/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\lib\NMBgMonitor.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Hijack\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank