[Resolvido] &nbspFailed to set data for "SynNglp"

[BrunoPilek 0]

Boa tarde iMasters!

 

Estive lendo neste fórum, sobre problemas teoricamente iguais ao meu, porém como regra do fórum, não atravessei o tópico de ninguém, pois sem ler as regras já sabia que cada log trata-se de cada PC e seus respectivos problemas. Portanto me inteirando sobre as regras de postagens vi que o correto mesmo seria abrir um novo e aguardar que o meu Log fosse analisado. Então assim o fiz e aguardo uma analise.

 

Dos fatos que acredito ter sido o motivo da infecção do meu PC, sito:

Ontem, como de costume minha namorada usou meu PC para ler alguns de seus email, sendo ela ainda mais leiga que eu, acabou abrindo um suposto arquivo em PPT, que na verdade era um Executavel (.exe), só soube, pois ela gostou do email e foi me mostrar e quando vi que o arquivo exigiu permissão de acesso, já estava feito e hoje quando liguei o PC, me deparei com 3 janelas de Erro [Failed to set data for "SynNglp"], [Failed to set data for "BTStarcFrr"] e [Failed to set data for "BTStarcLrj"], a quarta e maior janela de erro, apareceu depois que o PC ja estava iniciado a alguns minutos.

 

 

====== Abaixo, segue meu log atual ======

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:06:47, on 19/03/2011

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Windows\System32\BTStacLrj.exe

C:\Windows\System32\BTStacFrr.exe

C:\Windows\System32\SynNglp.exe

C:\Users\Bruno\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\HiJackThis\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll (file missing)

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [TVTray] C:\Program Files\ENLTV-FM3\TVTray.exe

O4 - HKLM\..\Run: [CallControl 4.5] "C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe" /autoload

O4 - HKLM\..\Run: [C:\Windows\system32\V0540Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0540Ext.ax

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [bTStacLrj] C:\Windows\system32\BTStacLrj.exe

O4 - HKLM\..\Run: [bTStacFrr] C:\Windows\system32\BTStacFrr.exe

O4 - HKLM\..\Run: [synNglp] C:\Windows\system32\SynNglp.exe

O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKCU\..\Run: [Google Update] "C:\Users\Bruno\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll (file missing)

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: scpVista - Unknown owner - C:\Program Files\Scpad\scpVista.exe (file missing)

O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

 

--

End of file - 6231 bytes

[wings 22]

Olá BrunoPilek

 

 

*Baixe o MalwareBytes e salve-o no desktop

*Instale o programa e aguarde a atualização

*O programa será aberto automaticamente

*Na aba [Verificação], selecione [Verificação completa]

*Clique [Verificar] e selecione a partição onde o Windows está instalado

*Ao finalizar o scan, clique [sIM] > [OK] > [Ver Resultados] > [Remover Selecionados]

*Cole o relatório apresentado

[BrunoPilek 0]

Wings, segue o log

 

PS: Ao reiniciar o PC, ainda persistiram 2 janelas de Erro {Failed to set data for "BTStarcFrr"] e [Failed to set data for "BTStarcLrj"]

 

 

========== Segue o LOG ==========

 

 

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

 

Versão da Base de Dados: 6107

 

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

 

19/03/2011 15:28:15

mbam-log-2011-03-19 (15-28-15).txt

 

Tipo de Verificação: Verificação Completa (C:\|)

Objetos escaneados: 271571

Tempo decorrido: 38 minuto(s), 0 segundo(s)

 

Processos de Memória Infectados: 1

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 0

Valores de Registro Infectados: 1

Itens de Dados no Registro Infectados: 0

Pastas Infectadas: 0

Arquivos Infectados: 1

 

Processos de Memória Infectados:

C:\Windows\System32\SynNglp.exe (Trojan.Banker) -> Unloaded process successfully.

 

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

 

Chaves de Registro Infectadas:

(Não foram detectados ítens maliciosos)

 

Valores de Registro Infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synnglp (Trojan.Banker) -> Quarantined and deleted successfully.

 

Itens de Dados no Registro Infectados:

(Não foram detectados ítens maliciosos)

 

Pastas Infectadas:

(Não foram detectados ítens maliciosos)

 

Arquivos Infectados:

C:\Windows\System32\SynNglp.exe (Trojan.Banker) -> Quarantined and deleted successfully.

[wings 22]

*Baixe o ZHPDiag e salve-o no desktop

*Instale o programa e durante a instalação selecione a opção [x]Créer une icône sur le Bureau

*Clique em e aguarde o término

*Cole os relatórios ZHPDiag.txt e mbr.txt criados em C:\Arquivos de programas\ZHPdiag

 

Caso o relatório ZHPDiag.txt seja demasiadamente grande..

*Acesse este link

*Clique [Enviar arquivo]

*Localize o arquivo ZHPDiag.txt

*Clique [Abrir] > [Créer le lien Cjoint]

*Cole o endereço criado

[BrunoPilek 0]

Ao terminar de instalar o ZHPDiag, me retornou esse erro:

 

 

Mesmo assim, fiz como falou.

 

Log ZHPDiag.txt realmente ficou grande, vide link:

http://cjoint.com/data1/1dtuaLlTEfG_ZHPDiag.Txt

 

Já o Log mbr.txt segue abaixo:

 

========= Log mbr.txt =========

 

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 6.1.7601 Disk: SAMSUNG_ rev.1AG0 -> \Device\0000005d

 

device: opened successfully

user: MBR read successfully

 

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys

C:\Windows\system32\drivers\nvstor.sys NVIDIA Corporation NVIDIA nForce™ SATA Driver

1 ntkrnlpa!IofCallDriver[0x82A7252F] -> \Device\Harddisk0\DR0[0x85E6E238]

3 CLASSPNP[0x8A99159E] -> ntkrnlpa!IofCallDriver[0x82A7252F] -> [0x84DF6700]

5 ACPI[0x8A39E3D4] -> ntkrnlpa!IofCallDriver[0x82A7252F] -> \Device\0000005d[0x857068B0]

kernel: MBR read successfully

user & kernel MBR OK

[wings 22]

Por favor....novo log do hijack.

[BrunoPilek 0]

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 16:20:13, on 19/03/2011

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Windows\System32\BTStacLrj.exe

C:\Windows\System32\BTStacFrr.exe

C:\Users\Bruno\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\rundll32.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchFilterHost.exe

C:\HiJackThis\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll (file missing)

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [TVTray] C:\Program Files\ENLTV-FM3\TVTray.exe

O4 - HKLM\..\Run: [CallControl 4.5] "C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe" /autoload

O4 - HKLM\..\Run: [C:\Windows\system32\V0540Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0540Ext.ax

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [bTStacLrj] C:\Windows\system32\BTStacLrj.exe

O4 - HKLM\..\Run: [bTStacFrr] C:\Windows\system32\BTStacFrr.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKCU\..\Run: [Google Update] "C:\Users\Bruno\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [DIMBaixando a sua atualização...1285781003180] "C:\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\DIM.EXE" "c:\programdata\corel\downloads\540215253_410003\1285781003180\dim_params.xml" -Launch=3 -uibase="c:\programdata\corel\messages\540215253_410003\br\messagecache1\workflow"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll (file missing)

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: scpVista - Unknown owner - C:\Program Files\Scpad\scpVista.exe (file missing)

O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

 

--

End of file - 7056 bytes

[wings 22]

*Faça um scan online com o NOD32

 

 

*Ao término cole o relatório criado em C:\Arquivos de programas\EsetOnlineScanner\log

[BrunoPilek 0]

wings, eis o tão demorado Log ^^

Apesar de ter encontrado alguns virus e alguns keygens, ao reiniciar os dois erros persistiram.

 

========= segue o log =========

 

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=cd09753826ab7e4992f126c7874a0548

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-03-19 09:45:00

# local_time=2011-03-19 06:45:00 (-0300, Hora oficial do Brasil)

# country="Brazil"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5893 16776574 66 85 0 52111644 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=202171

# found=6

# cleaned=6

# scan_time=7846

C:\Users\Bruno\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000571 a variant of Win32/TrojanDownloader.Banload.PYP trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\Bruno\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E15TE02L\destejer[1].mp3 a variant of Win32/Spy.Banker.UQC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Windows\System32\config\Santuares.exe a variant of Win32/TrojanDownloader.Banload.PYP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\BRUNO\Software\DreamWeaver CS5\Kgen\k-gen.exe a variant of Win32/Keygen.BH application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\BRUNO\Software\PhotoShop CS5\kgen_PhotoShop-CS5.exe a variant of Win32/HackTool.Patcher.P application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Downloads\ADWCS5.v11.0.4909-www.brasildowns.com.br-.rar a variant of Win32/Keygen.BH application (deleted - quarantined) 00000000000000000000000000000000 C

[wings 22]

É pelo visto demorou mesmo....:)

 

 

Antes de encerrar o caso, quero obter informações de dois arquivos.

 

*Baixe o SystemLook e salve-o no desktop

*Execute-o e cole o código no espaço em branco:

:file

C:\Windows\system32\BTStacLrj.exe

C:\Windows\system32\BTStacFrr.exe

*Clique [Look]

*Cole o relatório apresentado

[BrunoPilek 0]

Pois é, imagina quase 500gb de tralhas para scanear... ^_^

Então wings, ta ai, espero que estejamos perto do fim!rs

 

 

 

SystemLook 04.09.10 by jpshortstuff

Log created at 19:23 on 19/03/2011 by Bruno

Administrator - Elevation successful

 

========== file ==========

 

C:\Windows\system32\BTStacLrj.exe - File found and opened.

MD5: 7BD2BA9CFB7F4D6B0B9C05C07A774C4D

Created at 22:18 on 18/03/2011

Modified at 22:18 on 18/03/2011

Size: 2766848 bytes

Attributes: --a----

No version information available.

 

C:\Windows\system32\BTStacFrr.exe - File found and opened.

MD5: F7123D6D7DF7F9C63CEC84D6331EBFB9

Created at 22:19 on 18/03/2011

Modified at 22:19 on 18/03/2011

Size: 1824256 bytes

Attributes: --a----

No version information available.

 

-= EOF =-

[wings 22]

Realmente eles são muito estranhos....

 

1.

*Vá em Adicionar ou remover programas e desinstale ZHPDiag

*Delete a pasta C:\Arquivos de programas\ZHPdiag

 

2.

*Execute o arquivo c:\Arquivos de programas\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe

 

3.

*Delete o SystemLook e seu relatório SystemLook.txt criado no desktop

 

4.

*Execute o Malwarebytes, clique na aba [Quarentena], selecione todos os resultados e clique [Apagar tudo]

*Clique na aba [Logs], selecione o relatório e clique [Apagar]

*Feche o Malwarebytes

 

5.

*Envie os arquivos abaixo para análise em http://virusscan.jotti.org

 

C:\Windows\system32\BTStacLrj.exe

C:\Windows\system32\BTStacFrr.exe

*Cole os links dos resultados.

[BrunoPilek 0]

Seguem os links:

 

Ref arquivo [bTStacLrj.exe]

http://virusscan.jotti.org/pt-BR/scanresult/1474e9dd5ba9f1c5b76048c1f03b3ac6e8aaa83f

 

Ref arquivo [bTStacFrr.exe]

http://virusscan.jotti.org/pt-BR/scanresult/d2b50e3bfaed2f556c35cf3c8a61cfa407a7ac1d

[wings 22]

A taxa de detecção foi significativa para um deles, estando em quase 50%.

 

Vamos finalizar com este antivírus.

 

 

*Baixe o Dr.WebCureit e salve-o no desktop

*Execute-o e clique [Cancelar] > [Não] > [iniciar] > [sim]

*Clique no botão para interromper o scan

*Clique [Opções] > [Alterar definições] > [Ações]

*Em "Objetos infectados" altere para "Mover" e desmarque a opção [] Perguntar na ação

 

 

*Clique [Aplicar] > [OK]

*Marque [x] Verificação Rápida

*Clique em para iniciar o scan

*Ao finalizar, feche o programa e clique [Não]

*Cole o relatório C:\Documents and Settings\Nome_do_seu_Usuário\DoctorWeb\CureIt.txt

[BrunoPilek 0]

Wings,

Ontem num primeiro momento, você me pediu que fizesse de maneira completa (a verificação pelo Dr.Web).

Então, iniciei o processo de varredura completa, como o programa pré-configurado da forma que vem na instalação.

 

Neste processo de mais de 11 horas (deixei varrendo, saí, dormi e acordei) haviam sido encontrados 15 arquivos, sendo 11 incuráveis e 4 que foram movidos, no entanto a limpeza nao foi completa pois o programa acabou travando, interrompi o processo, unica coisa que consegui salvar p/ te mostrar foi isso:

 

Que são dados que gerei ao interromper o processo.

 

========== inicio ==========

btstacfrr.exe c:\windows\system32 Trojan.PWS.Banker.origin Incurável.Movido.

btstaclrj.exe c:\windows\system32 Trojan.PWS.Banker.origin Incurável.Movido.

{91AF978A-C3D1-C200-B913-655FBA36707C}-Santuares.exe C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy Trojan.DownLoader.origin Incurável.Movido.

crodesc[1].mp3 C:\Documents and Settings\Bruno\AppData\Local\Dados de aplicativos\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDOV6 Trojan.PWS.Banker.origin Incurável.Movido.

alaost[1].mp3 C:\Documents and Settings\Bruno\AppData\Local\Dados de aplicativos\Microsoft\Windows\Temporary Internet Files\Content.IE5\E15TE Trojan.PWS.Banker.origin Incurável.Movido.

mail[3].js C:\Documents and Settings\Bruno\AppData\Local\Dados de aplicativos\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1 Provavelmente SCRIPT.Virus Movido.

mail[3].js C:\Documents and Settings\Bruno\AppData\Local\Dados de aplicativos\Temporary Internet Files\Low\Content.IE5\1BHQJ51N Provavelmente SCRIPT.Virus Caminho inválido para o ficheiro

mail[3].js C:\Documents and Settings\Bruno\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1BHQJ51N Provavelmente SCRIPT.Virus Caminho inválido para o ficheiro

alaost[1].mp3 C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.PWS.Banker.origin Incurável.Movido.

btstacfrr.exe C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.PWS.Banker.origin Incurável.Movido.

btstaclrj.exe C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.PWS.Banker.origin Incurável.Movido.

crodesc[1].mp3 C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.PWS.Banker.origin Incurável.Movido.

{91AF978A-C3D1-C200-B913-655FBA36707C}-Santuares.exe C:\Documents and Settings\Bruno\DoctorWeb\Quarantine Trojan.DownLoader.origin Incurável.Movido.

mail[3].js C:\Users\Bruno\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1BHQJ51N Provavelmente SCRIPT.Virus Caminho inválido para o ficheiro

$R7CRLFE.exe D:\$RECYCLE.BIN\S-1-5-21-355165010-1247274135-1621168963-1001 Trojan.DownLoader1.36257 Incurável.Movido.

========== fim ==========

 

PS: Depois que interrompi o processo, o proprio Dr.Web sugeriu o reinicio do sistema, assim o fiz e os erros ja não aconteceram.

 

Então, voltei aqui no fórum e percebi que você havia alterado o seu ultimo post, sugerindo que fizesse de maneira rápida, então fiz novamente desta forma sugerida e o resultado foi de zero arquivos infectados, gerando esse enorme log:

 

http://mancaro.com.br/CureIt.log (Hospedei em um de meus domínios)

 

Por via das dúvidas, já segue novo log hijack:

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 09:09:32, on 20/03/2011

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Users\Bruno\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\Windows\system32\ctfmon.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\rundll32.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Bruno\AppData\Local\Google\Chrome\Application\chrome.exe

C:\HiJackThis\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll (file missing)

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [TVTray] C:\Program Files\ENLTV-FM3\TVTray.exe

O4 - HKLM\..\Run: [CallControl 4.5] "C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe" /autoload

O4 - HKLM\..\Run: [C:\Windows\system32\V0540Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0540Ext.ax

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKCU\..\Run: [Google Update] "C:\Users\Bruno\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [DIMBaixando a sua atualização...1285781003180] "C:\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\DIM.EXE" "c:\programdata\corel\downloads\540215253_410003\1285781003180\dim_params.xml" -Launch=3 -uibase="c:\programdata\corel\messages\540215253_410003\br\messagecache1\workflow"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll (file missing)

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: scpVista - Unknown owner - C:\Program Files\Scpad\scpVista.exe (file missing)

O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

 

--

End of file - 6709 bytes

 

====================

 

Bom, espero que desta vez tenha sido concluído este processo...

 

Obrigado!

[wings 22]

Olá BrunoPilek

 

Desculpe ter mudado o procedimento. Pensei que não havias feito ainda, e como o scan online demorou muito, achei melhor fazer um scan rápido.

 

Mas, tudo bem...sem problemas.

 

O log está limpo.....:)

 

 

1.

*Como este programa não tem instalador, basta deletar o DrWebCureIt e a pasta C:\Documents and Settings\Nome_do_seu_Usuário\DoctorWeb

 

 

Um abraço.

[BrunoPilek 0]

Sem problemas wings, muito obrigado pela atenção e pela disponibilidade em ajudar.

 

Deveriam existir mais pessoas como você, dispostas a ajudar!rsrs

 

Grande abraço e muita satisfação por ter colaborado com o fórum, virei assinante, principalmente na parte de Design Gráfico!

 

PS: o DrWeb, não pode deixar salvo para verificações corriqueiras ou não há necessidade, ou ainda é um programa arriscado?!

Att

 

Bruno Luís

[wings 22]

Não precisa manter no PC pois este programa é atualizado diariamente. Digamos: usou....joga fora...rss

 

 

Um abraço.

[wings 22]

PROBLEMA RESOLVIDO

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.