[Resolvido] &nbspnovo log para analise

[Edvan 30]

Avast está detectando virus direto.

 

 

 

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

 

Versão da Base de Dados: v2012.06.12.06

 

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Synara Lia :: SYNARALIA-HP [administrador]

 

12/06/2012 13:28:13

mbam-log-2012-06-12 (13-28-13).txt

 

Tipo de Verificação: Verificação Completa

Opções de verificações ativadas: Memória | Inicialização | Registro | Sistema de arquivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM

Opções de verificação desativadas: P2P

Objetos escaneados: 346628

Tempo decorrido: 1 hora(s), 55 minuto(s), 25 segundo(s)

 

Processos de Memória Detectados: 0

(Não foram detectados ítens maliciosos)

 

Módulos de Memória Detectados: 0

(Não foram detectados ítens maliciosos)

 

Chaves de Registro Detectadas: 0

(Não foram detectados ítens maliciosos)

 

Valores de Registro Detectadas: 0

(Não foram detectados ítens maliciosos)

 

Itens de Dados no Registro Detectadas: 4

HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Ruim: (C:\Users\Synara Lia\AppData\Local\{59676c82-36f0-26c0-679b-59db555954d5}\n.) Bom: (%SystemRoot%\system32\shell32.dll) -> Enviado para a Quarentena e reparado com sucesso.

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Ruim: (1) Bom: (0) -> Enviado para a Quarentena e reparado com sucesso.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Ruim: (1) Bom: (0) -> Enviado para a Quarentena e reparado com sucesso.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Ruim: (1) Bom: (0) -> Enviado para a Quarentena e reparado com sucesso.

 

Pastas Detectadas: 0

(Não foram detectados ítens maliciosos)

 

Arquivos Detectados: 1

c:\windows\installer\{59676c82-36f0-26c0-679b-59db555954d5}\u\80000000.@ (Trojan.Sirefef) -> Enviado para a Quarentena e deletado com sucesso.

 

(fim)

 

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 16:47:08, on 12/06/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\ProgramData\DatacardService\DCSHelper.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Skyhook Wireless\XPS\xpscontrolpanel.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Hewlett-Packard\HP CloudDrive\zumodrive.exe

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\Windows\system32\conhost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe

C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON/3

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCON/3

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON/3

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCON/3

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: 4shared.com Toolbar - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: 4shared.com - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll

O2 - BHO: DealPly - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files\DealPly\DealPlyIE.dll

O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Babylon Toolbar - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll

O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll" (file missing)

O3 - Toolbar: 4shared.com Toolbar - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [AmIcoSinglun] C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe

O4 - HKLM\..\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe

O4 - HKLM\..\Run: [skyhook Wireless XPS Service] C:\Program Files\Skyhook Wireless\XPS\xpscontrolpanel.exe --no-info

O4 - HKLM\..\Run: [HP Quick Launch] C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ZumoDrive] "C:\Program Files\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk"

O4 - HKLM\..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [4shared Update] "C:\Program Files\4shared Desktop\checkUpdate.exe"

O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui

O4 - HKCU\..\Run: [4shared Desktop] "C:\Program Files\4shared Desktop\desktop.exe" "startup"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')

O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Media Suite.lnk = C:\Program Files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe

O8 - Extra context menu item: &Download All using 4shared Desktop - res://C:\Program Files\4shared Desktop\Desktop.32/D_ALL_LINK

O8 - Extra context menu item: &Download using 4shared Desktop - res://C:\Program Files\4shared Desktop\Desktop.32/D_ONE_LINK

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll

O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Exibir ou ocultar HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll

O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - C:\Program Files\Evernote\Evernote3.5\enbar.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O17 - HKLM\System\CCS\Services\Tcpip\..\{6BD9CC15-AE1E-4A69-BCD4-B6ACAB0696CA}: NameServer = 200.223.0.83 200.202.193.75

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\aestsrv.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Broadcom GPS Manager (BrcmGpsMgr) - Broadcom Corporation - C:\Program Files\Broadcom\GPS\GpsMgr.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Fortes\FireBird\FireBird_1_5\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Fortes\FireBird\FireBird_1_5\bin\fbserver.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe

O23 - Service: HP Health Check Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: HP Wireless Assistant Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe

O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe

O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: HPWMISVC - Unknown owner - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

O23 - Service: HWDeviceService.exe - Unknown owner - C:\ProgramData\DatacardService\HWDeviceService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

O23 - Service: Mobinil USB Modem. OUC (Mobinil USB Modem. RunOuc) - Unknown owner - C:\Program Files\Mobinil USB Modem\UpdateDog\ouc.exe

O23 - Service: Orolix Device Monitor (OrolixDeviceMonitor) - Orolix Desenvolvimento de Software LTDA. - C:\Program Files\TIM Communicator\module\devicemon.exe

O23 - Service: RemProtNTService - Fortes Informática Ltda - C:\Fortes\RemProt\remprots.exe

O23 - Service: @%SystemRoot%\system32\stlang.dll,-10102 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe

O23 - Service: Skyhook Wireless XPS Service (xpssvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\XPS\xpssvc.exe

 

--

End of file - 13599 bytes

[wings 22]

Olá Edvan

 

Mais uma máquina?....:)

 

Está um show de contaminação por aí...

 

 

1,

*Baixe o OTL (...de Old_Timer) e salve-o no desktop (Área de Trabalho)

 

*Execute-o. Usuários do Windows Vista ou do Windows 7 devem clicar com o botão direito do mouse no arquivo e selecionar Executar como administrador

 

*Selecione as opções:

Verificar All Users

Verificar Lop

Verificar Purity

 

Imagem do OTL configurado

 

 

*Clique [Verificar] e cole os relatórios OTL.txt e Extras.txt criados no desktop (Área de Trabalho)

 

*Acesse este link

 

*Clique [selecionar arquivo...]

 

*Localize o relatório OTL.txt no desktop (Área de Trabalho) e clique [Abrir]

 

*Clique [upload file]

 

*Cole o link gerado ao lado de Download link:

 

*Repita o procedimento para o relatório Extras.txt

 

 

2.

*Baixe o GMER (...de Przemyslaw Gmerek) e salve-o no desktop (Área de Trabalho)

 

*Desative temporariamente o antivírus e feche todos os programas ativos

 

*Execute-o. Usuários do Windows Vista ou do Windows 7 devem clicar com o botão direito do mouse no arquivo e selecionar Executar como administrador

 

 

*Se receber um aviso sobre atividade de rootkit e se deseja fazer um scan clique [NO]

 

*Clique [scan] e aguarde o término

 

*Clique [save...] e salve no desktop (Área de Trabalho) com o nome de gmer

 

*Acesse este link

 

*Clique [selecionar arquivo...]

 

*Localize o relatório gmer.txt no desktop (Área de Trabalho) e clique [Abrir]

 

*Clique [upload file]

 

*Cole o link gerado ao lado de Download link:

[Edvan 30]

Olá Edvan

 

Mais uma máquina?....

 

Está um show de contaminação por aí...

 

Pois é wings!

 

Sempre deixo a formatação para ultimo caso, por isso que recorro a vcs quando vejo que dar para resolver por qui.

Existe muitos usuarios inexperientes ainda, que sai clicando onde nao deve e depois sobra para mim, daí tenho que perder tempo para fazer backup e formatar as maquinas, quando vejo que dar para resolver pelo fórum recorro a DigRam ou a você que são analistas de confiança. :thumbsup:

 

Logs:

EXTRA http://wikisend.com/download/273064/Extras.Txt

OTL http://wikisend.com/download/250766/OTL.Txt

GMER http://wikisend.com/download/582950/gmer.log

 

Avast disparando alertas:

[wings 22]

*Baixe o SystemLook (...de jpshortstuff) e salve-o no desktop (Área de Trabalho)

 

*Execute-o. Usuários do Windows Vista ou do Windows 7 devem clicar com o botão direito do mouse no arquivo e selecionar Executar como administrador

 

 

*Cole as linhas em marrom no espaço em branco:

:reg

HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s

 

:filefind

services.exe

*.@

 

:regfind

{59676c82-36f0-26c0-679b-59db555954d5}

 

:folderfind

{59676c82-36f0-26c0-679b-59db555954d5}

*Clique [Look] e cole o relatório apresentado

[Edvan 30]

SystemLook 30.07.11 by jpshortstuff

Log created at 14:44 on 13/06/2012 by Synara Lia

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(No values found)

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]

"ThreadingModel"="Both"

@="%SystemRoot%\system32\shell32.dll"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="%systemroot%\system32\wbem\wbemess.dll"

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shell32.dll"

"ThreadingModel"="Apartment"

 

 

[]

Hive unrecognized.

 

========== filefind ==========

 

Searching for " services.exe"

[wings 22]

Copie e cole na íntegra o relatório SystemLook.txt localizado no desktop

[Edvan 30]

SystemLook 30.07.11 by jpshortstuff

Log created at 14:44 on 13/06/2012 by Synara Lia

Administrator - Elevation successful

 

========== reg ==========

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

(No values found)

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]

"ThreadingModel"="Both"

@="%SystemRoot%\system32\shell32.dll"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}]

@="Microsoft WBEM New Event Subsystem"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]

@="%systemroot%\system32\wbem\wbemess.dll"

"ThreadingModel"="Both"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

@="MruPidlList"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

@="%SystemRoot%\system32\shell32.dll"

"ThreadingModel"="Apartment"

 

 

[]

Hive unrecognized.

 

========== filefind ==========

 

Searching for " services.exe"

No files found.

 

Searching for " *.@"

No files found.

 

Searching for " "

No files found.

 

========== regfind ==========

 

Searching for " {59676c82-36f0-26c0-679b-59db555954d5}"

[wings 22]

Você possui o DVD do Windows 7 em mãos?

[Edvan 30]

sim, mais é um netbook, nao tem driver de DVD!

[wings 22]

*Baixe o Farbar's Recovery Scanner Tool (...de Farbar) e salve-o no pen drive

 

*Entre no Console de Recuperação do Windows.

 

a) Siga as orientações daqui até o passo 4.

Fonte: http://www.guiadopc.com.br/dicas/13098/como-recuperar-o-boot-mbr-do-windows-7.html

 

*Conecte o pen drive no PC

 

*Caso não saiba a letra do drive do pen drive, digite notepad e tecle [ENTER]

 

*Clique [Arquivo] > [Abrir] > [Computador], anote a letra e feche o bloco de notas

 

*Digite x:\frst.exe <- x é a letra do drive do pen drive

 

*Tecle [ENTER]

 

*Clique [sim]

 

 

*Clique [scan]

 

 

*Ao término clique [OK]

 

*Remova o pen drive do PC e cole o relatório FRST.txt criado no pen drive

[Edvan 30]

Obrigado wings, a menina precisa urgentemente do Netbook para faculdade então dei a sugestão de fazer um Recovery Manager, então salvei os dados dela no meu HD externo e estou voltando as configurações de fabrica..

 

P.S: estou com medo do meu HD está contaminado e quando for voltar os dados dela para o pc, infectar novamente..

 

qual sua sugestão nesse caso?

[Edvan 30]

Boa noite wings!

 

Fiz o Recovery Manager conforme tinha falado, a maquina está perfeita agora, ela estava precisando da maquina urgente por isso nao pude dar continuidade no analise, mais agora esta tudo normal.

 

Que virus era esse que o Avast estava detectando direto?

[wings 22]

Boa noite Edvan...

 

 

Ele é também chamado de ZeroAccess.

 

 

OK...então, caso encerrado.

[wings 22]

PROBLEMA RESOLVIDO

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.