Cássio Sá, posted July 7, 2009

Hi. Lately my PC has been bombarded by a virus called reader_s.exe, which until now I thought I had neutralized. Then I spent a few weeks using my PC only in safe mode. Suddenly it no longer lets me install programs, saying "The system administrator has set policies to prevent this installation", and it also doesn't let me open several anti-virus programs, or do searches on Google or any other internet search engine. Yes, it's ugly, lol. Luckily I still have HijackThis, so I can leave the scan log here for you.

PS: I haven't formatted my PC because my CD drive is broken and I really need to do a backup before I lose important documents, as happened a few months ago.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:56, on 07/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DLL\RUNDLL32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\BSplayer\bsplayer.exe
C:\WINDOWS\system32\3361\services.exe
C:\WINDOWS\System32\svchost.exe
D:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
D:\Arquivos de programas\ThreatFire\TFGui.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Arquivos de programas\Hijack This\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\msbrv.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msyhljp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\mscjmz.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\DLL\RUNDLL32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: Serviço de Partilha de Rede do Windows Media Player (WMPNetworkSvc) - Unknown owner - C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe (file missing)
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

I look forward to a reply, and thanks in advance!
PedroN, posted July 7, 2009

Hello Cássio Sá, welcome to the forum. This virus Reader_s.exe that you mentioned is a file infector. Sometimes backing up and formatting doesn't solve it. But we have the proper tools for this infection. We need to carry the topic through to the end, ok? :)

• Download: < Kaspersky Virus Removal Tool >
• Save it in Program Files, and install it right there!
• Restart the computer in Safe Mode! <-- Important!
• Start the scan by clicking "Scan".
• The check takes a while. Wait!
• If infections are found, click "disinfect".
• When it finishes, click the Events tab.
• Uncheck the "Show all events" checkbox.
• Click "Save to file".
• Name it and save it to the desktop! <-- Report for posting!
• Also post an updated HijackThis log.
Cássio Sá, posted July 7, 2009

So, man, this virus is so miserable that it didn't even let me download Kaspersky. The message "...kav2010.0.0.463en.exe could not be saved, because the source file could not be read. Try again later, or contact the server administrator." appeared. And even if I had managed, I doubt I'd be able to install it, because of that problem I mentioned earlier. I'm completely cornered =/
PedroN, posted July 7, 2009

Are you carrying out the procedures as administrator? Or with another account?

- Restart the computer in Safe Mode (press the F8 key intermittently, or F5 in some cases, during startup);
- Open HijackThis, click Do a system scan only and check the entries below:

F3 - REG:win.ini: load=C:\WINDOWS\system32\msbrv.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msyhljp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,

and click Fix Checked.
- Close all windows, click Yes;

Try running the Kaspersky Virus Removal Tool again.
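The three entries singled out above (win.ini load=/run=, and a second executable chained after Userinit.exe) are the classic places where a persistence mechanism hides in a HijackThis log. The following script is an added example written for this thread, not code from HijackThis, Kaspersky, or either poster: it parses the autostart entries from the first log in this thread (copied below as a constructed sample) and applies a small set of triage rules. The vendor allow-list and the "expected directories" list are assumptions a reviewer would maintain for the machine in question; they are not part of any tool.

```python
"""Triage HijackThis autostart entries: flag the persistence locations a reviewer
should look at first (added example; the rules are this script's own)."""
import re
from dataclasses import dataclass

# Constructed sample: the F2/F3/O4/O10/O23 entries from the July 7 log in this thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\msbrv.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msyhljp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\mscjmz.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\DLL\RUNDLL32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumptions for this machine (Windows XP, Portuguese locale): the only value that
# belongs in UserInit, vendors the reviewer trusts, and where service binaries should live.
EXPECTED_USERINIT = {"c:\\windows\\system32\\userinit.exe"}
TRUSTED_VENDORS = {"alwil software", "nvidia corporation"}
SERVICE_DIRS = ("c:\\windows\\system32\\", "\\arquivos de programas\\", "\\program files\\")


@dataclass
class Finding:
    section: str
    entry: str
    reasons: list


def parse_entries(log):
    """Return (section, body) pairs for every 'Oxx - ...' / 'Fx - ...' line."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def assess(section, body):
    """Apply the triage rules to one entry; an empty list means 'nothing to flag'."""
    reasons = []
    low = body.lower()
    if section == "F2" and "userinit=" in low:
        # Anything after Userinit.exe runs at every interactive logon.
        values = [v.strip() for v in low.split("userinit=", 1)[1].split(",") if v.strip()]
        extra = [v for v in values if v not in EXPECTED_USERINIT]
        if extra:
            reasons.append("extra executable chained after Userinit.exe: " + ", ".join(extra))
    elif section == "F3":
        # win.ini load=/run= are legacy autostart keys that current software does not use.
        reasons.append("legacy win.ini load=/run= autostart is populated")
    elif section == "O4" and "policies\\explorer\\run" in low:
        reasons.append("Policies\\Explorer\\Run autostart (policy-scoped, rarely used by legitimate software)")
    elif section == "O23":
        m = SERVICE_RE.match(body)
        if m:
            owner, path = m.group("owner"), m.group("path")
            if "(file missing)" in path.lower():
                reasons.append("registered service binary is missing from disk")
            if owner.lower() == "unknown owner":
                reasons.append("service carries no vendor information")
            elif owner.lower() not in TRUSTED_VENDORS:
                reasons.append("service vendor not on the allow-list: " + owner)
            if not any(d in path.lower() for d in SERVICE_DIRS):
                reasons.append("service binary outside expected directories: " + path)
    return reasons


def triage(log):
    findings = []
    for sec, body in parse_entries(log):
        reasons = assess(sec, body)
        if reasons:
            findings.append(Finding(sec, f"{sec} - {body}", reasons))
    return findings


def flagged_entries(log):
    return [f.entry for f in triage(log)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.entry)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, the script flags exactly the three entries PedroN asked to fix, plus the Policies\Explorer\Run item, the "Dhcp server" service whose binary is a RUNDLL32.exe copy sitting outside system32, and the service from an unrecognised vendor; ctfmon, avast and the NVIDIA service pass. The rules are deliberately location-based rather than name-based, because the file names in this infection change between scans.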
Cássio Sá, posted July 10, 2009

With a lot of effort I managed to download Kaspersky and install it on my PC, after deleting a process called minst.exe. After a few minutes the PC would simply restart, so I decided to disinfect the files while it was scanning, and I saved a log every minute, which is how I got this:

42% - Scan
----------
Scanned: 110128
Detected: 26
Untreated: 3
Start time: 10/07/2009 09:50:40
Duration: 00:23:00
Finish time: 10/07/2009 10:44:31

Detected
--------
Status Object
------ ------
will be disinfected when the computer is restarted: virus Virus.Win32.Virut.ce File: C:\WINDOWS\system32\services.exe
will be disinfected when the computer is restarted: virus Virus.Win32.Virut.ce File: C:\WINDOWS\system32\svchost.exe
will be disinfected when the computer is restarted: virus Virus.Win32.Virut.ce File: C:\WINDOWS\Explorer.EXE
will be disinfected when the computer is restarted: virus Virus.Win32.Virut.ce File: C:\WINDOWS\system32\taskmgr.exe
will be disinfected when the computer is restarted: virus Virus.Win32.Virut.ce File: C:\WINDOWS\services.exe
will be disinfected when the computer is restarted: virus Virus.Win32.Virut.ce File: C:\WINDOWS\system32\wbem\wmiprvse.exe
deleted: Trojan program Trojan.Win32.VB.rhv File: c:\windows\system32\msrjpof.exe
deleted: Trojan program Trojan.Win32.VB.rhv File: c:\windows\system32\msjeooao.exe
disinfected: virus Virus.Win32.Virut.ce File: d:\arquivos de programas\virus removal tool\is-5ff3a\startup.exe
will be disinfected when the computer is restarted: virus Virus.Win32.Virut.ce File: d:\arquivos de programas\virus removal tool\is-5ff3a\is-5ff3a.exe
disinfected: virus Virus.Win32.Virut.ce File: d:\arquivos de programas\virus removal tool\is-7ih8p\is-7ih8p.exe
disinfected: virus Virus.Win32.Virut.ce File: C:\!KillBox\minst.exe
disinfected: virus Virus.Win32.Virut.ce File: C:\!KillBox\minst.exe( 1)
deleted: Trojan program Backdoor.Win32.Small.idl File: C:\Documents and Settings\Administrador\reader_s.exe
deleted: virus Email-Worm.Win32.Joleee.bwx File: C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\ESBOFS07\ge[1].txt
deleted: Trojan program Backdoor.Win32.Small.idl File: C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\LO0MRT7X\abb[1].txt
quarantined: virus Heur.Trojan.Generic (modification) File: C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\V37O6UQJ\bot[1].htm
deleted: Trojan program Backdoor.Win32.Small.idl File: C:\Documents and Settings\Cassio1\reader_s.exe
disinfected: virus Virus.Win32.Virut.ce File: C:\Documents and Settings\Cassio1\Configurações locais\temp\is-GETLP.tmp\Win32\drvins32.exe
deleted: Trojan program Backdoor.Win32.Small.idl File: C:\Documents and Settings\Cassio1\Configurações locais\Temporary Internet Files\Content.IE5\2ZHF4ILJ\abb[1].txt
quarantined: virus Heur.Trojan.Generic (modification) File: C:\Documents and Settings\Cassio1\Configurações locais\Temporary Internet Files\Content.IE5\GVS3054B\bot[1].htm
deleted: virus Email-Worm.Win32.Joleee.bwu File: C:\Documents and Settings\Cassio1\Configurações locais\Temporary Internet Files\Content.IE5\GVS3054B\ge[1].txt
detected: Trojan program Backdoor.Win32.Agent.ahnb File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Applian.Replay.Music.v3.6-RESURRECTiON\RMSetup.part1.rar/RMSetup.EXE//data0000.cab/loadll.exe
detected: Trojan program Backdoor.Win32.Agent.ahnb File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Applian.Replay.Music.v3.6-RESURRECTiON\RMSetup.part2.rar
detected: Trojan program Backdoor.Win32.Agent.ahnb File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Applian.Replay.Music.v3.6-RESURRECTiON\RMSetup.part3.rar
disinfected: virus Virus.Win32.Virut.ce File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Foxit Reader Professional v3.0.1301.DOA\FoxitReader30_enu_Setup.exe

Events
------
Time Name Status Reason
---- ---- ------ ------
10/07/2009 09:50:49 File: C:\WINDOWS\system32\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:50 File: C:\WINDOWS\system32\services.exe not disinfected postponed
10/07/2009 09:50:51 File: C:\WINDOWS\system32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:51 File: C:\WINDOWS\system32\svchost.exe not disinfected postponed
10/07/2009 09:50:51 File: c:\windows\system32\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:53 File: C:\WINDOWS\system32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:53 File: C:\WINDOWS\system32\svchost.exe not disinfected postponed
10/07/2009 09:50:54 File: C:\WINDOWS\system32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:54 File: C:\WINDOWS\system32\svchost.exe not disinfected postponed
10/07/2009 09:50:54 File: c:\windows\system32\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:54 File: c:\windows\system32\services.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:54 File: c:\windows\system32\services.exe will be disinfected on system restart
10/07/2009 09:50:54 File: c:\windows\system32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:54 File: c:\windows\system32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:54 File: c:\windows\system32\svchost.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:50:54 File: c:\windows\system32\svchost.exe will be disinfected on system restart
10/07/2009 09:50:59 File: C:\WINDOWS\system32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:00 File: C:\WINDOWS\system32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:00 File: C:\WINDOWS\Explorer.EXE detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:00 File: C:\WINDOWS\Explorer.EXE not disinfected postponed
10/07/2009 09:51:07 File: c:\windows\explorer.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:08 File: c:\windows\explorer.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:08 File: c:\windows\explorer.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:08 File: c:\windows\explorer.exe will be disinfected on system restart
10/07/2009 09:51:08 File: C:\WINDOWS\system32\taskmgr.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:08 File: C:\WINDOWS\system32\taskmgr.exe not disinfected postponed
10/07/2009 09:51:09 File: C:\WINDOWS\system32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:09 File: c:\windows\system32\taskmgr.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:09 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:09 File: C:\WINDOWS\services.exe not disinfected postponed
10/07/2009 09:51:09 File: c:\windows\system32\taskmgr.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:09 File: c:\windows\system32\taskmgr.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:10 File: c:\windows\system32\taskmgr.exe will be disinfected on system restart
10/07/2009 09:51:10 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:10 File: C:\WINDOWS\services.exe not disinfected postponed
10/07/2009 09:51:10 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:10 File: C:\WINDOWS\services.exe not disinfected postponed
10/07/2009 09:51:11 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:11 File: C:\WINDOWS\services.exe not disinfected postponed
10/07/2009 09:51:11 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:11 File: C:\WINDOWS\services.exe not disinfected postponed
10/07/2009 09:51:12 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:12 File: c:\windows\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:12 File: C:\WINDOWS\services.exe not disinfected postponed
10/07/2009 09:51:12 File: c:\windows\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:12 File: c:\windows\services.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:12 File: c:\windows\services.exe will be disinfected on system restart
10/07/2009 09:51:12 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:13 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:13 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:14 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:14 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:15 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:15 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:16 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:16 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:17 File: C:\WINDOWS\System32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:18 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:18 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:18 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:19 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:19 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:20 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:20 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:21 File: C:\WINDOWS\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:22 File: C:\WINDOWS\system32\wbem\wmiprvse.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:22 File: C:\WINDOWS\system32\wbem\wmiprvse.exe not disinfected postponed
10/07/2009 09:51:24 File: c:\windows\system32\wbem\wmiprvse.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:24 File: c:\windows\system32\wbem\wmiprvse.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:24 File: c:\windows\system32\wbem\wmiprvse.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:25 File: c:\windows\system32\wbem\wmiprvse.exe will be disinfected on system restart
10/07/2009 09:51:38 File: c:\windows\explorer.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:50 File: C:\WINDOWS\explorer.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:50 File: c:\windows\system32\msrjpof.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:50 File: c:\windows\system32\msrjpof.exe not disinfected postponed
10/07/2009 09:51:50 File: c:\windows\system32\msjeooao.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:50 File: c:\windows\system32\msjeooao.exe not disinfected postponed
10/07/2009 09:51:51 File: c:\windows\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:51:57 File: c:\windows\system32\svchost.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:00 File: c:\windows\system32\services.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:18 File: c:\windows\system32\msrjpof.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:18 File: c:\windows\system32\msrjpof.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:18 File: c:\windows\system32\msrjpof.exe detected Trojan program 'Trojan.Win32.VB.rhv'
10/07/2009 09:52:22 Startup object: HKEY_USERS\S-1-5-21-1606980848-1788223648-1417001333-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run disinfected Trojan program 'Trojan.Win32.VB.rhv'
10/07/2009 09:52:24 File: c:\windows\system32\msrjpof.exe deleted
10/07/2009 09:52:24 File: c:\windows\system32\msjeooao.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:24 File: c:\windows\system32\msjeooao.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:24 File: c:\windows\system32\msjeooao.exe detected Trojan program 'Trojan.Win32.VB.rhv'
10/07/2009 09:52:27 Startup object: HKEY_USERS\S-1-5-21-1606980848-1788223648-1417001333-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load disinfected Trojan program 'Trojan.Win32.VB.rhv'
10/07/2009 09:52:28 File: c:\windows\system32\msjeooao.exe deleted
10/07/2009 09:52:42 File: d:\arquivos de programas\virus removal tool\is-5ff3a\startup.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:42 File: d:\arquivos de programas\virus removal tool\is-5ff3a\startup.exe not disinfected postponed
10/07/2009 09:52:42 File: d:\arquivos de programas\virus removal tool\is-5ff3a\is-5ff3a.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:42 File: d:\arquivos de programas\virus removal tool\is-5ff3a\is-5ff3a.exe not disinfected postponed
10/07/2009 09:52:42 File: d:\arquivos de programas\virus removal tool\is-7ih8p\is-7ih8p.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:42 File: d:\arquivos de programas\virus removal tool\is-7ih8p\is-7ih8p.exe not disinfected postponed
10/07/2009 09:52:54 File: C:\!KillBox\minst.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:54 File: C:\!KillBox\minst.exe not disinfected postponed
10/07/2009 09:52:54 File: C:\!KillBox\minst.exe( 1) detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:52:54 File: C:\!KillBox\minst.exe( 1) not disinfected postponed
10/07/2009 09:53:54 File: d:\arquivos de programas\virus removal tool\is-5ff3a\startup.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:54 File: d:\arquivos de programas\virus removal tool\is-5ff3a\startup.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:54 File: d:\arquivos de programas\virus removal tool\is-5ff3a\is-5ff3a.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:55 File: d:\arquivos de programas\virus removal tool\is-5ff3a\is-5ff3a.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:55 File: d:\arquivos de programas\virus removal tool\is-5ff3a\is-5ff3a.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:55 File: d:\arquivos de programas\virus removal tool\is-5ff3a\is-5ff3a.exe will be disinfected on system restart
10/07/2009 09:53:55 File: d:\arquivos de programas\virus removal tool\is-7ih8p\is-7ih8p.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:55 File: d:\arquivos de programas\virus removal tool\is-7ih8p\is-7ih8p.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:55 File: c:\!killbox\minst.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:55 File: c:\!killbox\minst.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:55 File: c:\!killbox\minst.exe( 1) detected virus 'Virus.Win32.Virut.ce'
10/07/2009 09:53:55 File: c:\!killbox\minst.exe( 1) disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 10:03:33 File: C:\Documents and Settings\Administrador\reader_s.exe detected Trojan program 'Backdoor.Win32.Small.idl'
10/07/2009 10:03:33 File: C:\Documents and Settings\Administrador\reader_s.exe not disinfected postponed
10/07/2009 10:03:38 File: C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\ESBOFS07\ge[1].txt detected virus 'Email-Worm.Win32.Joleee.bwx'
10/07/2009 10:03:38 File: C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\ESBOFS07\ge[1].txt not disinfected postponed
10/07/2009 10:03:41 File: C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\LO0MRT7X\abb[1].txt detected Trojan program 'Backdoor.Win32.Small.idl'
10/07/2009 10:03:41 File: C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\LO0MRT7X\abb[1].txt not disinfected postponed
10/07/2009 10:03:45 File: C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\V37O6UQJ\bot[1].htm detected new variant of virus 'Heur.Trojan.Generic'
10/07/2009 10:03:49 File: c:\documents and settings\administrador\reader_s.exe detected Trojan program 'Backdoor.Win32.Small.idl'
10/07/2009 10:03:50 File: c:\documents and settings\administrador\reader_s.exe deleted
10/07/2009 10:03:50 File: c:\documents and settings\administrador\configurações locais\temporary internet files\content.ie5\esbofs07\ge[1].txt detected virus 'Email-Worm.Win32.Joleee.bwx'
10/07/2009 10:03:51 File: c:\documents and settings\administrador\configurações locais\temporary internet files\content.ie5\esbofs07\ge[1].txt deleted
10/07/2009 10:03:51 File: c:\documents and settings\administrador\configurações locais\temporary internet files\content.ie5\lo0mrt7x\abb[1].txt detected Trojan program 'Backdoor.Win32.Small.idl'
10/07/2009 10:03:52 File: c:\documents and settings\administrador\configurações locais\temporary internet files\content.ie5\lo0mrt7x\abb[1].txt deleted
10/07/2009 10:03:52 File: c:\documents and settings\administrador\configurações locais\temporary internet files\content.ie5\v37o6uqj\bot[1].htm detected new variant of virus 'Heur.Trojan.Generic'
10/07/2009 10:03:54 File: c:\documents and settings\administrador\configurações locais\temporary internet files\content.ie5\v37o6uqj\bot[1].htm quarantined
10/07/2009 10:06:38 File: C:\Documents and Settings\Cassio1\reader_s.exe detected Trojan program 'Backdoor.Win32.Small.idl'
10/07/2009 10:06:38 File: C:\Documents and Settings\Cassio1\reader_s.exe not disinfected postponed
10/07/2009 10:07:42 File: c:\documents and settings\cassio1\reader_s.exe detected Trojan program 'Backdoor.Win32.Small.idl'
10/07/2009 10:07:43 File: c:\documents and settings\cassio1\reader_s.exe deleted
10/07/2009 10:08:02 File: C:\Documents and Settings\Cassio1\Configurações locais\temp\is-GETLP.tmp\Win32\drvins32.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 10:08:02 File: C:\Documents and Settings\Cassio1\Configurações locais\temp\is-GETLP.tmp\Win32\drvins32.exe not disinfected postponed
10/07/2009 10:08:11 File: c:\documents and settings\cassio1\configurações locais\temp\is-getlp.tmp\win32\drvins32.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 10:08:11 File: c:\documents and settings\cassio1\configurações locais\temp\is-getlp.tmp\win32\drvins32.exe disinfected virus 'Virus.Win32.Virut.ce'
10/07/2009 10:09:54 File: C:\Documents and Settings\Cassio1\Configurações locais\Temporary Internet Files\Content.IE5\2ZHF4ILJ\abb[1].txt detected Trojan program 'Backdoor.Win32.Small.idl'
10/07/2009 10:09:54 File: C:\Documents and Settings\Cassio1\Configurações locais\Temporary Internet Files\Content.IE5\2ZHF4ILJ\abb[1].txt not disinfected postponed
10/07/2009 10:10:04 File: c:\documents and settings\cassio1\configurações locais\temporary internet files\content.ie5\2zhf4ilj\abb[1].txt detected Trojan program 'Backdoor.Win32.Small.idl'
10/07/2009 10:10:06 File: c:\documents and settings\cassio1\configurações locais\temporary internet files\content.ie5\2zhf4ilj\abb[1].txt deleted
10/07/2009 10:10:17 File: C:\Documents and Settings\Cassio1\Configurações locais\Temporary Internet Files\Content.IE5\GVS3054B\bot[1].htm detected new variant of virus 'Heur.Trojan.Generic'
10/07/2009 10:10:18 File: C:\Documents and Settings\Cassio1\Configurações locais\Temporary Internet Files\Content.IE5\GVS3054B\ge[1].txt detected virus 'Email-Worm.Win32.Joleee.bwu'
10/07/2009 10:10:18 File: C:\Documents and Settings\Cassio1\Configurações locais\Temporary Internet Files\Content.IE5\GVS3054B\ge[1].txt not disinfected postponed
10/07/2009 10:12:17 File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\dBPAMC12.3P.rar password protected
10/07/2009 10:12:17 File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\dBPAMC12.3P.rar password protected
10/07/2009 10:13:00 File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Applian.Replay.Music.v3.6-RESURRECTiON\RMSetup.part1.rar/RMSetup.EXE//data0000.cab/loadll.exe detected Trojan program 'Backdoor.Win32.Agent.ahnb'
10/07/2009 10:13:00 File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Applian.Replay.Music.v3.6-RESURRECTiON\RMSetup.part1.rar/RMSetup.EXE//data0000.cab/loadll.exe not disinfected postponed
10/07/2009 10:13:03 File: c:\documents and settings\cassio1\configurações locais\temporary internet files\content.ie5\gvs3054b\bot[1].htm detected new variant of virus 'Heur.Trojan.Generic'
10/07/2009 10:13:04 File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Applian.Replay.Music.v3.6-RESURRECTiON\RMSetup.part2.rar detected Trojan program 'Backdoor.Win32.Agent.ahnb' by hash
10/07/2009 10:13:04 File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Applian.Replay.Music.v3.6-RESURRECTiON\RMSetup.part3.rar detected Trojan program 'Backdoor.Win32.Agent.ahnb' by hash
10/07/2009 10:13:04 File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Foxit Reader Professional v3.0.1301.DOA\FoxitReader30_enu_Setup.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 10:13:04 File: C:\Documents and Settings\Cassio1\Desktop\don't click in this folder, stupid!\Foxit Reader Professional v3.0.1301.DOA\FoxitReader30_enu_Setup.exe not disinfected postponed
10/07/2009 10:13:04 File: c:\documents and settings\cassio1\configurações locais\temporary internet files\content.ie5\gvs3054b\bot[1].htm quarantined
10/07/2009 10:13:04 File: c:\documents and settings\cassio1\configurações locais\temporary internet files\content.ie5\gvs3054b\ge[1].txt detected virus 'Email-Worm.Win32.Joleee.bwu'
10/07/2009 10:13:05 File: c:\documents and settings\cassio1\configurações locais\temporary internet files\content.ie5\gvs3054b\ge[1].txt deleted
10/07/2009 10:13:06 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\applian.replay.music.v3.6-resurrection\rmsetup.part1.rar/RMSetup.EXE//data0000.cab/loadll.exe detected Trojan program 'Backdoor.Win32.Agent.ahnb'
10/07/2009 10:13:11 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\applian.replay.music.v3.6-resurrection\rmsetup.part1.rar/RMSetup.EXE//data0000.cab/loadll.exe not disinfected skipped by user
10/07/2009 10:13:23 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\applian.replay.music.v3.6-resurrection\rmsetup.part1.rar/RMSetup.EXE//data0000.cab/loadll.exe detected Trojan program 'Backdoor.Win32.Agent.ahnb'
10/07/2009 10:13:24 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\applian.replay.music.v3.6-resurrection\rmsetup.part1.rar/RMSetup.EXE//data0000.cab/loadll.exe not disinfected skipped by user
10/07/2009 10:13:30 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\applian.replay.music.v3.6-resurrection\rmsetup.part2.rar detected Trojan program 'Backdoor.Win32.Agent.ahnb' by hash
10/07/2009 10:13:31 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\applian.replay.music.v3.6-resurrection\rmsetup.part2.rar not disinfected skipped by user
10/07/2009 10:13:31 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\applian.replay.music.v3.6-resurrection\rmsetup.part3.rar detected Trojan program 'Backdoor.Win32.Agent.ahnb' by hash
10/07/2009 10:13:32 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\applian.replay.music.v3.6-resurrection\rmsetup.part3.rar not disinfected skipped by user
10/07/2009 10:13:32 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\foxit reader professional v3.0.1301.doa\foxitreader30_enu_setup.exe detected virus 'Virus.Win32.Virut.ce'
10/07/2009 10:13:32 File: c:\documents and settings\cassio1\desktop\don't click in this folder, stupid!\foxit reader professional v3.0.1301.doa\foxitreader30_enu_setup.exe disinfected virus 'Virus.Win32.Virut.ce'

Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------
All objects 3224 6 0 0 0 1 0 0 0
System memory 3213 6 6 0 0 1 0 0 0
Startup objects 5 0 0 0 0 0 0 0 0
Disk boot sectors 0 0 0 0 0 0 0 0 0
Disco local (C:) 0 0 0 0 0 0 0 0 0
Disco local (D:) 0 0 0 0 0 0 0 0 0

Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes

Quarantine
----------
Status Object Size Added
------ ------ ---- -----

Backup
------
Status Object Size
------ ------ ----

After the PC restarted, I ran a scan with HijackThis and got this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:25, on 10/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\reader_s.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\services.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\services.exe C:\WINDOWS\services.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\services.exe C:\WINDOWS\services.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\wbem\wmiprvse.exe D:\Arquivos de programas\Hijack This\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe F3 - REG:win.ini: load=C:\WINDOWS\system32\msjeooao.exe F3 - REG:win.ini: run=C:\WINDOWS\system32\msrjpof.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe, O4 - HKLM\..\Run: [12214] C:\WINDOWS\system32\34.tmp.exe O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msqaqipv.exe O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Cassio1\reader_s.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Cassio1\reader_s.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'Default user') O4 - Startup: is-5FF3A.lnk = D:\Arquivos de programas\Virus Removal Tool\is-5FF3A\startup.exe O4 - Startup: is-7IH8P.lnk = D:\Arquivos de programas\Virus Removal Tool\is-7IH8P\startup.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O23 - Service: avast! 
iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\DLL\RUNDLL32.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe O23 - Service: Serviço de Partilha de Rede do Windows Media Player (WMPNetworkSvc) - Unknown owner - C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe (file missing) O24 - Desktop Component AutorunsDisabled: (no name) - (no file) -- End of file - 3312 bytes Espero que possa me ajudar com isso. Abraços! Compartilhar este post Link para o post Compartilhar em outros sites
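The HijackThis log above exposes the autostart locations this infection relies on: the win.ini load/run values, an extra executable appended to UserInit, Run and Policies\Explorer\Run keys, and a service whose binary borrows a system file name from a non-system directory. The Python script below is an added example, not the thread's or any tool's code; it applies those checks to lines taken from the posted log. The SYSTEM_NAMES list and the finding labels are assumptions of the example.

```python
import ntpath
import re

# Core Windows binary names malware likes to borrow; genuine copies live
# only in %SystemRoot%\system32 (assumed allowlist for this example).
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "rundll32.exe"}

# Sample input: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\msjeooao.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\DLL\RUNDLL32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

def masquerades(path):
    """True when a core binary name is used from a directory other than system32."""
    head, name = ntpath.split(path.strip().strip('"'))
    return name.lower() in SYSTEM_NAMES and not head.lower().endswith("system32")

def triage(log_text):
    """Return (reason, line) pairs for autostart entries that deserve a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # anything besides userinit.exe in this value runs at every logon
            parts = [p for p in line.split("=", 1)[1].split(",") if p]
            extra = [p for p in parts if not p.lower().endswith(r"\userinit.exe")]
            if extra:
                findings.append(("extra UserInit executable: " + ", ".join(extra), line))
        elif line.startswith("F3 - REG:win.ini:"):
            # win.ini load=/run= are empty on a clean XP install
            findings.append(("win.ini load/run entry", line))
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - (\S+): \[[^\]]*\] (.+)", line)
            if m and r"\Policies\Explorer\Run" in m.group(1):
                findings.append(("Policies\\Explorer\\Run autostart", line))
            elif m and masquerades(m.group(2).split(" /")[0]):
                findings.append(("system binary name outside system32", line))
        elif line.startswith("O23 - Service:"):
            m = re.match(r"O23 - Service: .* - (.+?) - (.+?)( \(file missing\))?$", line)
            if m and masquerades(m.group(2)):
                findings.append(("service binary masquerades as system file", line))
            elif m and m.group(1) == "Unknown owner" and m.group(3):
                findings.append(("unsigned service with missing binary", line))
    return findings
```

Run `triage(SAMPLE_LOG)` to list the flagged entries; the legitimate ctfmon.exe and NVIDIA service lines are left alone.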
PedroN 1 Posted July 10, 2009
<@> Download: < DrWebCureIt >
<@> If you have trouble downloading it, use another computer.
<@> Save it to the desktop!
<@> Restart the computer in Safe Mode.
<@> Start the installation/execution by double-clicking drweb-cureit.
<@> In the window that opens, click Start --> OK.
<@> A "Quick scan" will begin --> Close the advertisement window!
<@> When it finishes, check the "Complete scan" box.
<@> Click "Options" --> Under Change settings, uncheck "Heuristic analysis". In this mode the following objects are scanned:
* Boot sectors of all disks. <--
* All removable drives. <--
* All local disks. <--
<@> Click "Start scan" --> Wait!
<@> If messages appear asking to move or disinfect files, click Yes.
<@> When it finishes, click "File" --> "Save report list".
<@> Save it in a suitable location. ( DrWeb.csv ) <-- Text!
<@> Post: DrWeb.csv + an updated HijackThis log.
Cássio Sá 0 Posted July 11, 2009 I managed to download Dr Web, but I couldn't install it on the computer. I'm having serious problems whenever it comes to installing any program. Isn't there another way?
PedroN 1 Posted July 11, 2009 I know that for this infection we will need to use programs that disinfect files. But the reader_s.exe virus can be removed with a CFScript.txt. So use ComboFix following the instructions below.

Download ComboFix from one of these locations: Link 1. Link 2. Link 3.

Important! You should not use ComboFix unless you have been instructed to do so by a security analyst. Its creator intends it to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system.

Make sure you have saved ComboFix.exe to your desktop.
• Disable your antivirus and antispyware, usually by right-clicking the system tray icon. They can interfere with the tool's execution.
• Double-click ComboFix.exe and follow the prompts.
• As part of its process, ComboFix will check whether the Microsoft Windows Recovery Console is installed. With malware infections being what they are today, it is strongly recommended to have it pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will make it easier for us to help you should your computer have a problem after a malware removal attempt.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and, when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
-- Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click Yes to continue scanning for malware.
When it finishes, it should produce a log for you. Post the ComboFix report located at C:\ComboFix.txt together with a HijackThis log.
Mário Monteiro 179 Posted August 15, 2009 Topic Archived Since the author has not replied for more than 30 days, the topic has been archived. If you are the topic author and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening.