Virus não deixa o internet abrir as paginas

Question

Ajude - me so consigo acessar o internet em modo de seuran&ccedil;a
 
Logfile of HijackThis v1.99.1
Scan saved at 19:13:57, on 16/04/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Running processes:
C:\Windows\system32	askhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\avg.exe
C:\Windows\System32\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32	askeng.exe
C:\Windows\Jxaqya.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: Shell=explorer.exe, C:\Users\Bubi e Indi\AppData\Local\microsoft\windows\wtnmm.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayerpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conex&atilde;o do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CDAE9A4A-3A6A-4CC5-93C4-64C571973BB7} - unknown (file missing)
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - (no file)
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [] C:\Windows\avg.exe
O4 - HKLM\..\RunServices: [DRam prosessor] Nod64.exe
O4 - HKCU\..\Run: [woaurud] C:\Users\Bubi e Indi\woaurud.exe
O8 - Extra context menu item: Add to Google Photos Screensa&amp;ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&amp;xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32
laapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32
apinsp.dll
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix: 
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD08FDC9-A27F-476C-99D4-D008BC7DDEEA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{DD08FDC9-A27F-476C-99D4-D008BC7DDEEA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{DD08FDC9-A27F-476C-99D4-D008BC7DDEEA}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe (file missing)

Answer

1) Desative temporariamente a prote&ccedil;&atilde;o resitente do seu antiv&iacute;rus, no lado do Rel&oacute;gio.

2) Baixe o programa ComboFix e salve-o no desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

3) Feche o Internet Explorer e os Programas que tiverem abertos por exemplo ((Windows Live Mensseger MSN))

4) Duplo-clique no arquivo ((Combofix.exe)) e aguarde o in&iacute;cio

5) Abrir&aacute; algumas janelas pequenas clique sempre em ((sim))

6) Importante: enquanto o ComboFix estiver em execu&ccedil;&atilde;o, n&atilde;o use o mouse nem o teclado, pois seu desktop ficar&aacute; em branco!!...
 
7) Ao final do procedimento, o programa ser&aacute; fechado automaticamente e ser&aacute; mostrado um relat&oacute;rio

8) Copia e Cole o relat&oacute;rio aqui no seu T&oacute;pico, criado em C:\combofix.txt

*************************************************************

H&aacute;, esqueci, voce deve esta utilizando o Windows 7, se tiver em 64Bits, O combofix n&atilde;o vai funcionar.

Qualquer coisa fa&ccedil;a o procedimento do Malwarebytes, voc&ecirc; tem v&iacute;rus ai.

****************************************

1) Baixe essa ferramenta ((Malwarebytes)), no link abaixo
http://www.baixaki.com.br/download/malwarebytes-anti-malware.htm

http://www.malwarebytes.org/mbam-download.php

2) Instale-o , quando termina executa-o seleciona ((scan completo))
e clique em ((verificar agora))

3) Quando termina o scam clique em ((Exibir resultado)) , e se detectou algum v&iacute;rus clique em ((remover selecionados)) Abrir&aacute; um Relat&oacute;rio log automatico, Copia e cole aqui.

4) Esses v&iacute;rus ser&atilde;o mandado para quarentena,  ele pedira pra renicia o pc abrir&aacute; uma janela pequena clique em ((sim)) pra reniciar o pc e completar a remo&ccedil;&atilde;o dos v&iacute;rus.

Answer

Log combofix
ComboFix 10-04-15.05 - Bubi e Indi 16/04/2010  20:28:40.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.55.1046.18.1528.855 [GMT -3:00]
Executando de: c:\users\Bubi e Indi\Desktop\ComboFix.exe
.
((((((((((((((((   Arquivos/Ficheiros criados de 2010-03-16 to 2010-04-16  ))))))))))))))))))))))))))))
.
2010-04-16 23:33 . 2010-04-16 23:33 -------- d-----w- c:\users\Public\AppData\Local	emp
2010-04-16 23:33 . 2010-04-16 23:33 -------- d-----w- c:\users\Default\AppData\Local	emp
2010-04-16 23:14 . 2010-04-16 23:14 -------- d-----w- C:\Device
2010-04-16 23:13 . 2010-04-16 23:33 -------- d-----w- c:\users\Bubi e Indi\AppData\Local	emp
2010-04-16 22:13 . 2010-04-16 22:13 -------- d-----w- C:\HijackThis
2010-04-16 22:01 . 2010-04-16 22:01 0 ----a-w- c:\windows
sreg.dat
2010-04-16 22:01 . 2010-04-16 22:01 -------- d-----w- c:\users\Bubi e Indi\AppData\Local\Mozilla
2010-04-13 12:22 . 2010-04-13 12:22 172544 ----a-w- c:\windows\Jxaqya.exe
2010-04-06 22:01 . 2010-04-13 22:02 439816 ----a-w- c:\users\Bubi e Indi\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-20 23:05 . 2010-03-20 23:05 -------- d-----w- c:\users\Bubi e Indi\AppData\Local\Microsoft Help
2010-03-20 23:05 . 2010-03-20 23:09 -------- d-----w- c:\programdata\Microsoft Help
2010-03-20 23:04 . 2010-03-20 23:04 -------- d-----w- c:\program files\MSECache
2010-03-18 15:58 . 2010-03-18 15:59 2742272 ----a-w- c:\windows\winl.exe
.
(((((((((((((((((((((((((((((((((((((   Relat&oacute;rio Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 22:05 . 2009-11-22 23:51 -------- d-----w- c:\program files\Google
2010-04-16 21:57 . 2010-02-13 14:33 -------- d-----w- c:\programdata\Alwil Software
2010-04-13 03:20 . 2009-07-14 08:31 654272 ----a-w- c:\windows\system32\prfh0416.dat
2010-04-13 03:20 . 2009-07-14 08:31 124724 ----a-w- c:\windows\system32\prfc0416.dat
2010-04-05 22:53 . 2009-11-16 23:16 -------- d-----w- c:\programdata\Messenger Plus!
2010-04-05 22:19 . 2009-11-16 20:24 -------- d-----w- c:\program files\Messenger Plus! Live
2010-03-21 00:54 . 2009-11-16 19:50 63752 ----a-w- c:\users\Bubi e Indi\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-18 15:58 . 2010-01-03 15:32 2273280 ----a-w- c:\windows\wins.exe
2010-02-24 15:07 . 2010-01-30 02:27 -------- d-----w- c:\program files\Shutterfly
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-01-11 12:42 . 2010-01-11 12:42 1527024 --sh--w- c:\windows\iexplore7.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
(((((((((((((((((((((((((((((   [EMAIL=SnapShot@2010-04-16_23.16.32]SnapShot@2010-04-16_23.16.32[/EMAIL]   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:34 . 2010-04-16 23:19 72456              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 02:03 . 2010-04-16 23:30 6553600              c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:03 . 2010-03-20 23:06 6553600              c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e leg&iacute;timas por defeito n&atilde;o s&atilde;o mostradas. 
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 14:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{3041d03e-fd4b-44e0-b742-2d9b88305f98}= c:\program files\AskBarDis\bar\bin\askBar.dll [2008-11-18 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
wins.exe=c:\windows\wins.exe [2010-03-18 2273280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
ConsentPromptBehaviorAdmin= 0 (0x0)
ConsentPromptBehaviorUser= 3 (0x3)
EnableLUA= 0 (0x0)
EnableUIADesktopToggle= 0 (0x0)
PromptOnSecureDesktop= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
aux=wdmaud.drv
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R2 hiwhrdrc;Remote Desktop Device Redirector Bus Support;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
hiwhrdrc
.
Conte&uacute;do da pasta 'Tarefas Agendadas'
2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 20:54]
2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 20:54]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&amp;ver - c:\windows\system32\GPhotos.scr/200
IE: E&amp;xportar para o Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {DD08FDC9-A27F-476C-99D4-D008BC7DDEEA} = 192.168.1.1
FF - ProfilePath - c:\users\Bubi e Indi\AppData\Roaming\Mozilla\Firefox\Profiles\yuqhb98w.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components
prpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Picasa3
pPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23
pGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref(ui.use_native_colors, true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(ui.use_native_popup_windows, false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.enable_click_image_resizing, true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(accessibility.browsewithcaret_shortcut.enabled, true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(javascript.options.mem.high_water_mark, 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(javascript.options.mem.gc_frequency,   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(network.auth.force-generic-ntlm, false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(svg.smil.enabled, false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(ui.trackpoint_hack.enabled, -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.debug,            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.agedWeight,       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.bucketSize,       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.maxTimeGroupings, 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.timeGroupingSize, 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.boundaryWeight,   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.prefixWeight,     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(html5.enable, false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref, true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(security.ssl.renego_unrestricted_hosts, );
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(security.ssl.treat_unsafe_negotiation_as_broken, false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(security.ssl.require_safe_negotiation,  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref(app.update.download.backgroundInterval, 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref(app.update.url.manual, http://www.firefox.com);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref(browser.search.param.yahoo-fr-ja, mozff);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref(browser.fixup.alternate.suffix, .com.br);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name, chrome://browser/locale/browser.properties);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description, chrome://browser/locale/browser.properties);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(xpinstall.whitelist.add, addons.mozilla.org);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(xpinstall.whitelist.add.36, getpersonas.com);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(lightweightThemes.update.enabled, true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(browser.allTabs.previews, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(plugins.hide_infobar_for_outdated_plugin, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(plugins.update.notifyUser, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(toolbar.customization.usesheet, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(browser.taskbar.previews.enable, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(browser.taskbar.previews.max, 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(browser.taskbar.previews.cachetime, 20);
.
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll &gt;&gt;UNKNOWN [0x855C0618]&lt;&lt; 
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -&gt; DumpProcedure -&gt; 0xd46a624f
 SecurityProcedure -&gt; 0x849299d8
 QueryNameProcedure -&gt; 0x84929b68
user &amp; kernel MBR OK 
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hiwhrdrc]
ServiceDll=unknown
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
BlindDial=dword:00000000
MSCurrentCountry=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Tempo para conclus&atilde;o: 2010-04-16  20:36:47
ComboFix-quarantined-files.txt  2010-04-16 23:36
ComboFix2.txt  2010-04-16 23:21
Pr&eacute;-execu&ccedil;&atilde;o: 138.815.696.896 bytes dispon&iacute;veis
P&oacute;s execu&ccedil;&atilde;o: 138.540.498.944 bytes dispon&iacute;veis
- - End Of File - - 9C390870C11851B4D5C86A144545A467

Answer

1)*Abra o bloco de notas, selecione, copie e cole nele todo o conte&uacute;do do c&oacute;digo abaixo:

KillAll::
File::
c:\windows\Jxaqya.exe
C:\Windows\avg.exe

Filelook::
c:\windows\wins.exe
c:\windows\winl.exe

Folder::
c:\program files\AskBarDis

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{3041d03e-fd4b-44e0-b742-2d9b88305f98}=-

NetSvcs::
hiwhrdrc*Salve o arquivo no desktop como -&gt; CFScript.txt
Arraste o arquivo para o Combofix conforme ilustra&ccedil;&atilde;o abaixo:

*Importante: enquanto o combofix estiver em execu&ccedil;&atilde;o, n&atilde;o use o mouse nem o teclado!!

*Ao final do procedimento, o programa ser&aacute; fechado automaticamente e ser&aacute; mostrado o relat&oacute;rio
*Cole o relat&oacute;rio criado em C:\combofix.txt e novo log.

Answer

Nao entendi olog criado &eacute; pra colar aqui no forum ou em c:combofix e depois criar outro log

Answer

Voce fez algo errado no Script, voce n&atilde;o salvo em extens&atilde;o (TXT), aguarde um momento, vou ter que fazer aqui e enviar em anexo.

Fa&ccedil;a o Download abaixo em anexo do Script e salve no desktop, e arraste para o Combofix.

Answer

desculpa pela demora

ComboFix 10-04-15.05 - Bubi e Indi 16/04/2010  22:30:48.4.2 - x86
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.55.1046.18.1528.912 [GMT -3:00]
Executando de: c:\users\Bubi e Indi\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\Bubi e Indi\Desktop\CFScript.txt
FILE ::
c:\windows\avg.exe
c:\windows\Jxaqya.exe
.
(((((((((((((((((((((((((((((((((((((   Outras Exclus&otilde;es   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe
c:\windows\Jxaqya.exe
c:\windows\system32\gmnsmkt.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Servi&ccedil;os   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hiwhrdrc

((((((((((((((((   Arquivos/Ficheiros criados de 2010-03-17 to 2010-04-17  ))))))))))))))))))))))))))))
.
2010-04-17 01:36 . 2010-04-17 01:38 -------- d-----w- c:\users\Bubi e Indi\AppData\Local	emp
2010-04-17 01:36 . 2010-04-17 01:36 -------- d-----w- c:\users\Public\AppData\Local	emp
2010-04-17 01:36 . 2010-04-17 01:36 -------- d-----w- c:\users\Default\AppData\Local	emp
2010-04-16 23:40 . 2010-04-16 23:40 -------- d-----w- c:\users\Bubi e Indi\AppData\Roaming\Malwarebytes
2010-04-16 23:40 . 2010-03-30 03:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-16 23:40 . 2010-04-16 23:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-16 23:40 . 2010-04-16 23:40 -------- d-----w- c:\programdata\Malwarebytes
2010-04-16 23:40 . 2010-03-30 03:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 23:14 . 2010-04-16 23:14 -------- d-----w- C:\Device
2010-04-16 22:13 . 2010-04-16 22:13 -------- d-----w- C:\HijackThis
2010-04-16 22:01 . 2010-04-16 22:01 0 ----a-w- c:\windows
sreg.dat
2010-04-16 22:01 . 2010-04-16 22:01 -------- d-----w- c:\users\Bubi e Indi\AppData\Local\Mozilla
2010-04-06 22:01 . 2010-04-13 22:02 439816 ----a-w- c:\users\Bubi e Indi\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-20 23:05 . 2010-03-20 23:05 -------- d-----w- c:\users\Bubi e Indi\AppData\Local\Microsoft Help
2010-03-20 23:05 . 2010-03-20 23:09 -------- d-----w- c:\programdata\Microsoft Help
2010-03-20 23:04 . 2010-03-20 23:04 -------- d-----w- c:\program files\MSECache
2010-03-18 15:58 . 2010-03-18 15:59 2742272 ----a-w- c:\windows\winl.exe
.
(((((((((((((((((((((((((((((((((((((   Relat&oacute;rio Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 22:05 . 2009-11-22 23:51 -------- d-----w- c:\program files\Google
2010-04-16 21:57 . 2010-02-13 14:33 -------- d-----w- c:\programdata\Alwil Software
2010-04-13 03:20 . 2009-07-14 08:31 654272 ----a-w- c:\windows\system32\prfh0416.dat
2010-04-13 03:20 . 2009-07-14 08:31 124724 ----a-w- c:\windows\system32\prfc0416.dat
2010-04-05 22:53 . 2009-11-16 23:16 -------- d-----w- c:\programdata\Messenger Plus!
2010-04-05 22:19 . 2009-11-16 20:24 -------- d-----w- c:\program files\Messenger Plus! Live
2010-03-21 00:54 . 2009-11-16 19:50 63752 ----a-w- c:\users\Bubi e Indi\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-18 15:58 . 2010-01-03 15:32 2273280 ----a-w- c:\windows\wins.exe
2010-02-24 15:07 . 2010-01-30 02:27 -------- d-----w- c:\program files\Shutterfly
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-01-11 12:42 . 2010-01-11 12:42 1527024 --sh--w- c:\windows\iexplore7.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
--- c:\windows\winl.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 2742272
Created time: 2010-03-18 15:58
Modified time: 2010-03-18 15:59
MD5: 24A350D871C63A17E7F4B1CD34FCABA8
SHA1: 5E1F6029E7366D897F4CC0F7A1F82A184167F082

--- c:\windows\wins.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 2273280
Created time: 2010-01-03 15:32
Modified time: 2010-03-18 15:58
MD5: 685CEA4ED74E88C6A2E3E80734A4E8F7
SHA1: 8C4C042F7A48A44521791A46B6D7F14A6A8029C1

(((((((((((((((((((((((((((((   [EMAIL=SnapShot@2010-04-16_23.16.32]SnapShot@2010-04-16_23.16.32[/EMAIL]   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-16 20:17 . 2010-04-17 00:05 27914              c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-04-17 01:39 33382              c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-11-16 19:30 . 2010-04-16 21:52 16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-16 19:30 . 2010-04-17 00:03 16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-16 19:30 . 2010-04-17 00:03 49152              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-16 19:30 . 2010-04-16 21:52 49152              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2010-04-17 00:03 32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2010-04-16 21:52 32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-14 23:48 . 2010-04-16 23:16 16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-14 23:48 . 2010-04-17 00:04 16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:34 . 2010-04-16 23:19 72456              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-04-14 23:48 . 2010-04-17 00:04 32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-14 23:48 . 2010-04-16 23:16 32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-14 23:48 . 2010-04-16 23:16 16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-14 23:48 . 2010-04-17 00:04 16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-16 19:49 . 2010-04-16 23:16 16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-16 19:49 . 2010-04-17 00:03 16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-17 00:06 . 2010-04-17 01:14 32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-17 00:06 . 2010-04-16 23:11 32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-17 00:06 . 2010-04-16 23:11 16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-11-17 00:06 . 2010-04-17 01:14 16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-11-17 00:06 . 2010-04-17 01:14 16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-11-17 00:06 . 2010-04-16 23:11 16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-11-16 19:49 . 2010-04-16 23:16 32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-16 19:49 . 2010-04-17 01:14 32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-16 19:49 . 2010-04-16 23:16 16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-16 19:49 . 2010-04-17 00:03 16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-16 20:17 . 2010-04-17 01:39 7978              c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2805247023-1808114932-4193644298-1000_UserData.bin
+ 2010-04-17 00:03 . 2010-04-17 01:37 2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-16 22:10 . 2010-04-16 23:15 2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-04-17 00:03 . 2010-04-17 01:37 2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-04-16 22:10 . 2010-04-16 23:15 2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-13 23:11 . 2009-07-13 23:11 147712              c:\windows\System32\zvtedsui.dat
+ 2009-07-13 23:11 . 2009-07-13 23:11 109568              c:\windows\System32\wzdvjmt.dll
+ 2009-07-13 23:11 . 2009-07-13 23:11 145152              c:\windows\System32\lfqbtiml.dat
+ 2009-07-13 23:11 . 2009-07-13 23:11 152320              c:\windows\System32\ihgdtyez.dat
+ 2009-07-14 02:03 . 2010-04-16 23:30 6553600              c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:03 . 2010-03-20 23:06 6553600              c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e leg&iacute;timas por defeito n&atilde;o s&atilde;o mostradas. 
REGEDIT4
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
wins.exe=c:\windows\wins.exe [2010-03-18 2273280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
ConsentPromptBehaviorAdmin= 0 (0x0)
ConsentPromptBehaviorUser= 3 (0x3)
EnableLUA= 0 (0x0)
EnableUIADesktopToggle= 0 (0x0)
PromptOnSecureDesktop= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
aux=wdmaud.drv
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
Conte&uacute;do da pasta 'Tarefas Agendadas'
2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 20:54]
2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 20:54]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&amp;ver - c:\windows\system32\GPhotos.scr/200
IE: E&amp;xportar para o Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {DD08FDC9-A27F-476C-99D4-D008BC7DDEEA} = 192.168.1.1
FF - ProfilePath - c:\users\Bubi e Indi\AppData\Roaming\Mozilla\Firefox\Profiles\yuqhb98w.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components
prpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Picasa3
pPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23
pGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref(ui.use_native_colors, true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(ui.use_native_popup_windows, false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.enable_click_image_resizing, true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(accessibility.browsewithcaret_shortcut.enabled, true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(javascript.options.mem.high_water_mark, 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(javascript.options.mem.gc_frequency,   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(network.auth.force-generic-ntlm, false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(svg.smil.enabled, false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(ui.trackpoint_hack.enabled, -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.debug,            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.agedWeight,       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.bucketSize,       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.maxTimeGroupings, 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.timeGroupingSize, 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.boundaryWeight,   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(browser.formfill.prefixWeight,     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(html5.enable, false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref, true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(security.ssl.renego_unrestricted_hosts, );
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(security.ssl.treat_unsafe_negotiation_as_broken, false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(security.ssl.require_safe_negotiation,  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref(app.update.download.backgroundInterval, 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref(app.update.url.manual, http://www.firefox.com);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref(browser.search.param.yahoo-fr-ja, mozff);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref(browser.fixup.alternate.suffix, .com.br);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name, chrome://browser/locale/browser.properties);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description, chrome://browser/locale/browser.properties);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(xpinstall.whitelist.add, addons.mozilla.org);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(xpinstall.whitelist.add.36, getpersonas.com);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(lightweightThemes.update.enabled, true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(browser.allTabs.previews, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(plugins.hide_infobar_for_outdated_plugin, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(plugins.update.notifyUser, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(toolbar.customization.usesheet, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(browser.taskbar.previews.enable, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(browser.taskbar.previews.max, 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(browser.taskbar.previews.cachetime, 20);
.
- - - - ORF&Atilde;OS REMOVIDOS - - - -
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
BHO-{E46416AD-9F9B-44A0-9CE3-0A9CDD99526A} - c:\windows\system32\gmnsmkt.dll
ShellIconOverlayIdentifiers-{E46416AD-9F9B-44A0-9CE3-0A9CDD99526A} - c:\windows\system32\gmnsmkt.dll
 
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll &gt;&gt;UNKNOWN [0x855C0618]&lt;&lt; 
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -&gt; DumpProcedure -&gt; 0xd46a624f
 SecurityProcedure -&gt; 0x849299d8
 QueryNameProcedure -&gt; 0x84929b68
user &amp; kernel MBR OK 
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
BlindDial=dword:00000000
MSCurrentCountry=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Outros Processos em Execu&ccedil;&atilde;o ------------------------
.
c:\windows\system32	askhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Tempo para conclus&atilde;o: 2010-04-16  22:42:21 - M&aacute;quina reiniciou
ComboFix-quarantined-files.txt  2010-04-17 01:42
ComboFix2.txt  2010-04-16 23:36
ComboFix3.txt  2010-04-16 23:21
Pr&eacute;-execu&ccedil;&atilde;o: 138.575.863.808 bytes dispon&iacute;veis
P&oacute;s execu&ccedil;&atilde;o: 138.520.096.768 bytes dispon&iacute;veis
- - End Of File - - 84F980F2E1BB9051A25922156CE511BB

Answer

Agora fez certo os arquivos foram removidos.

E vamos analizar dois arquivos suspeitos no site Virscan.org.

&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;

1) Fa&ccedil;a o seguinte, copia esse caminho que esta em Cita&ccedil;&atilde;o: c:\windows\winl.exe

2) E agora entra nesse site http://virscan.org abrindo voc&ecirc; clique no bot&atilde;o ((Procurar)) ou ((Arquivo))

E abrir&aacute; uma janela, depois cola o caminho na janela e clique em ((abrir)) e depois clique no bot&atilde;o ((Upload))

Aguarde o arquivo ser&aacute; verificado por varios antiv&iacute;rus, finalizando o resultado poste o link do site aqui.

&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;

E depois fa&ccedil;a o mesmo procedimento com esse arquivoc:\windows\wins.exe

Answer

http://virscan.org/report/57a06697c8971ee45f6a0fd92c86a805.html

Answer

http://virscan.org/report/37f5b1a5bca29f62442032b340e662d1.html

Answer

Muito bom!

Dessa vez n&atilde;o vamos utilizar o script do combofix pra remover esses v&iacute;rus demoro muito o scan dele.

Fa&ccedil;a os procedimentos abaixo.

&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;

1) Copia Todo os comandos abaixo no C&oacute;digo.MD C:\Quarentena

Move c:\windows\wins.exe C:\Quarentena\wins.exe.vir

Move c:\windows\winl.exe C:\Quarentena\winl.exe.vir

Reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /f /v wins.exe

Shutdown -r -t 002) Abra seu bloco de notas cole o conteudo no bloco e Salve no Desktop com este nome--&gt; DelFix.bat

E executa o Aquivo DelFix.bat.

O PC ser&aacute; reiniciado. depois cole um novo log do hijackthis.

Answer

Logfile of HijackThis v1.99.1
Scan saved at 23:37:06, on 16/04/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Running processes:
C:\Windows\system32	askhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayerpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conex&atilde;o do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O8 - Extra context menu item: Add to Google Photos Screensa&amp;ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&amp;xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32
laapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32
apinsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/pt/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe (file missing)

Answer

No hijackthis, selecione essas duas entradas abaixo, marcando uma seta 	  	O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)E depois clique em (Fix checked).

Fecha o hijack.

***************************************

Agora desinstalar o Combofix:

1) Copia os comando abaixo.Combofix /uninstall2) Clique no menu (Iniciar)-&gt; (Executar), cole o comando e clique em (OK).

**************************************************

E na pasta Quarentena que se localiza em C:\Quarentena verifique se tem dois arquivos l&aacute;, se tiver delete a pasta Quarentena, s&atilde;o os v&iacute;rus que est&atilde;o nela.

O resto esta limpo!, Como esta agora resolveu o problema?

Answer

Resolvido o problema muito obrigado
Voc&ecirc;s s&atilde;o 10

Answer

Quase n&atilde;o falamos isso aqui mas seria bom vc trocar as senhas de suas contas.

por exemplo:
Orkut , MSN, site de Banco etc..

At&eacute; um abra&ccedil;o, Boa noite!

Ferramentas

Mover Tópico