[Ajuda] Eliminar virus

[fmsm]

Boas tardes..

É assim, estou com um virus que me esta constantemente ( de 5 em 5 min. +/-) a apresentar esta mensagem **. De vez em quando (ao iniciar o pc) também me muda o wallpaper para um vermelho com uma hiperligaçao* (com o simbolo de virus). O problema é que eles penso que estao situados na pasta System32, e da ultima vez que fiz um scan e eliminei-os fiquei sem acesso ao arranque (até hoje, va la resolvi)..

Tenho o Nod32 como antivirus. Acham que deva instalar outro e por os virus em quarentena?? Qe faço

**

*

 

[ShadeX]

Isso não é vírus, é scamware (calhando scumware ficava melhro, mas adiante...). Procura aplicações estranhas na lista de programas instalados que encontras um ou dois. E depois de desinstalar dá uma olhada com o hijack this só para garantir...

 

[fmsm]

Nao encontrei nada de especial, mas fica aqui o relatorio do hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 19:35:02, on 03-02-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\programas\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inf\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Eset\nod32krn.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Programas\Ficheiros comuns\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Eset\nod32kui.exe
C:\Programas\Ficheiros comuns\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Stickies\stickies.exe
C:\PROGRA~1\FICHEI~1\PCSuite\Services\SERVIC~1.EXE
C:\Programas\Windows Live\Messenger\usnsvc.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\eMule\emule.exe
C:\Programas\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Fábio\Ambiente de trabalho\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by SAPO
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP06568 Class - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Programas\AOL Security Toolbar\AOL_security_toolbar.dll
O2 - BHO: SXG Advisor - {7603FD22-36C0-4DE7-A28F-ADFA9CE3ACB8} - C:\WINDOWS\dpvtporxno.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Programas\AOL Security Toolbar\AOL_security_toolbar.dll
O3 - Toolbar: GVDownloader - {ae4df123-9140-4f93-9b32-ff0186389cc3} - mscoree.dll (file missing)
O3 - Toolbar: The elfwgps - {6F56DE14-6C49-493B-8353-1F9689D5E8A5} - C:\WINDOWS\elfwgps.dll (file missing)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programas\Ficheiros comuns\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programas\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\setrysrvc.exe -runservice
O4 - HKLM\..\Run: [win32dlll] "C:\windows\system32\win32dlll.exe"
O4 - HKLM\..\Run: [TaskList] "C:\windows\system32\win32dlll.exe"
O4 - HKLM\..\RunOnce: [Explorer] C:\WINDOWS\Inf\explorer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programas\Ficheiros comuns\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Startup: Stickies.lnk = C:\Programas\Stickies\stickies.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su/ocx/15030/CTPID.cab
O17 - HKLM\System\CS4\Services\Tcpip\..\{044C64C6-EA05-45D5-9687-954392F2EC71}: NameServer = 194.65.100.117
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FICHEI~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: bqxomdo - {080987D9-E40B-4C35-B72B-B2F164A03BDA} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {FDD57F86-6D8F-4846-9AF6-C8ECF9CC18C2} - C:\WINDOWS\aswmklt.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programas\Ares\chatServer.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: CT Device Query service (CTDevice_Srv) - Unknown owner - C:\Programas\Creative\Shared Files\CTDevSrv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programas\Eset\nod32krn.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\programas\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Programas\Windows Live\installer\WLSetupSvc.exe

 

[Samuka Klax]

Elimina:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O4 - HKLM\..\Run: [TaskList] "C:\windows\system32\win32dlll.exe
O4 - HKLM\..\RunOnce: [Explorer] C:\WINDOWS\Inf\explorer.exe

 

[fmsm]

Tens a certeza? É que depois tenho receio que me volte a estragar o arranque do pc..

Mas bogdo pelas soluçoes.

 

[Samuka Klax]

eu vi no site:
www.hijackthis.de

 

[nono54]

hello
scan con :http://siri.urz.free.fr/Fix/SmitfraudFix.exe
abre a option 1 et da o log quando accabe
a+

 

[fmsm]

Ok, entao nao me vai prejudicar em nada eliminar isso? E qe estou co receio. Mas obgdo na mesma

 

[fmsm]

Ja eliminei e nao mudficou em nada o arranq, mas o wallpaper vcontinua a aparecer-me!!

 

[ShadeX]

É o problema das ferramentas "auto-mágicas" vs miolos+olhos...

O4 - HKLM\..\Run: [win32dlll] "C:\windows\system32\win32dlll.exe"

mesmo por cima do outro, basicamente a mesma coisa, mas omitido e continua a correr provavelmente...

O4 - HKLM\..\RunOnce: [Explorer] C:\WINDOWS\Inf\explorer.exe

Isto de certeza que não é o Explorer... Se quiseres confirmar, faz upload do ficheiro para aqui e vê o relatório...

O2 - BHO: SXG Advisor - {7603FD22-36C0-4DE7-A28F-ADFA9CE3ACB8} - C:\WINDOWS\dpvtporxno.dll

Só o nome é suspeito... confirma se é malware ou não e toma a decisão de apagar ou não.


p.s. O wallpaper nunca vai sair sozinho. Quando já não tiveres nada de malware a correr vais ter de o mudar à patex como de costume.

p.s.2 O teu startup sinceramente parece o caixote do lixo... Já pensaste no tempo que perdes em cada boot com essa tralha toda?

 

[fmsm]

Nao precebi o p.s.2

Podes explicar melhor ?

Cumprimentos, obrigado pelas respostas

 

[fmsm]

Outra coisa qe me tem estado a acontecer e de repente darem "breaks" no meu pc, ou seja parar tudo (excepto o rato) ..
Ja nao sei o que fzer visto que o Nod32 nao me esta a detectar nada!!

Ajudem pff.