Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 02:59:48, on 19/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Ahead\InCD\InCD.exe
C:\Arquivos de programas\lg_fwupdate\fwupdate.exe
C:\WINDOWS\WinNT.exe
C:\WINDOWS\WinNT2.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Windowsupdate.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svhost.exe
c:\arquiv~1\intern~1\iexplore.exe
C:\WINDOWS\system32\bsyys.scr
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Ares\Ares.exe
C:\Arquivos de programas\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\bsyys.scr
C:\WINDOWS\WinNT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Documents and Settings\Paulo\Meus documentos\Harry Potter\HiJackThis_v2.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\svchosts.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Arquivos de programas\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [WinNT] C:\WINDOWS\WinNT.exe
O4 - HKLM\..\Run: [WinNT2] C:\WINDOWS\WinNT2.exe
O4 - HKLM\..\Run: [Windowsupdate] C:\Arquivos de programas\Windowsupdate.exe
O4 - HKLM\..\Run: [Bore Locks Save Idle] C:\Documents and Settings\All Users\Dados de aplicativos\amen trust bore locks\Team locks.exe
O4 - HKLM\..\Run: [SymantecFilterCheck] C:\WINDOWS\system32\svhost.exe
O4 - HKLM\..\Run: [symanteccsysconf] C:\WINDOWS\system32\bsyys.scr
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] C:\Arquivos de programas\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [PowerBar] "C:\Arquivos de programas\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [mpeg find] C:\DOCUME~1\Paulo\DADOSD~1\KNOBVG~1\COMP BOOK.exe
O4 - Global Startup: Windowsupdate.exe
O4 - Global Startup: svhost.exe
O4 - Global Startup: bsyys.scr
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe

--
End of file - 7014 bytes

Allora, sperando che non mi sia sfuggito qualcosa (hai il computer leggermente disastrato), procedi come sotto indicato:

chiudi HijackThis in una cartella a lui dedicata (possibilmente non sul desktop), altrimenti perdi i backup;

<b>Disattiva il Ripristino configurazione di Sistema</b>: ------ > <b>procedura:</b>

<b>avvia in modalità provvisoria</b> ----- > <b>procedura:</b>

<b>rendi visibili le cartelle nascoste</b> ------ > <b>procedura</b>:
da Risorse del computer:
Strumenti >> Opzioni cartella >> visualizzazione;
metti la spunta su:
<i>Visualizza file e cartelle nascoste</i>;
togli la spunta da:
<i>Nascondi file protetti del sistema(consigliato)</i>


Avvia hijackthis, con tutte le applicazioni chiuse, premi su <b>Do a system scan only</b> , spunta ed elimina <b>(fix checked)</b> la seguente riga:

---

<font color=red>
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\svchosts.dll
O4 - HKLM\..\Run: [WinNT] C:\WINDOWS\WinNT.exe
O4 - HKLM\..\Run: [WinNT2] C:\WINDOWS\WinNT2.exe
O4 - HKLM\..\Run: [Windowsupdate] C:\Arquivos de programas\Windowsupdate.exe
O4 - HKLM\..\Run: [SymantecFilterCheck] C:\WINDOWS\system32\svhost.exe
O4 - HKLM\..\Run: [symanteccsysconf] C:\WINDOWS\system32\bsyys.scr
O4 - HKCU\..\Run: [mpeg find] C:\DOCUME~1\Paulo\DADOSD~1\KNOBVG~1\COMP BOOK.exe
O4 - Global Startup: Windowsupdate.exe
O4 - Global Startup: svhost.exe
O4 - Global Startup: bsyys.scr
</font id=red>

---

Con la funzione <b>cerca</b>, trova ed elimina i seguenti file in rosso:
___________________________________________
C:\WINDOWS\<font color=red>WinNT.exe</font id=red>
C:\WINDOWS\<font color=red>WinNT2.exe</font id=red>
C:\Arquivos de programas\<font color=red>Windowsupdate.exe</font id=red>
C:\WINDOWS\system32\<font color=red>svhost.exe</font id=red> ----- > non confonderlo con <b>svchost</b>, processo legittimo di Windows;
C:\WINDOWS\system32\<font color=red>bsyys.scr</font id=red>
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\<font color=red>bsyys.scr</font id=red>
C:\WINDOWS\<font color=red>svchosts.dll</font id=red>

_________________________________________


Da Start >> Esegui, incolla la stringa <b>%temp%</b> ed elimina tutti file della cartella temp;

segui il punto <b>1</b> al seguente link:
http://www.microsoft.com/italy/technet/community/mvp/editoriali/spyware.mspx

svuota il cestino;

riavvia il computer normalmente.

fai qui un controllo antivirus
http://www.bitdefender.com/it/

<b>Alla fine:</b>

rinascondi le cartelle di sistema;
riattiva il ripristino configurazione di sistema e, se tutto è a posto, creane uno nuovo.

Posta un log aggiornato.

<b>PS</b>

Dovresti installare un firewall, dal link sotto scarichi <font color=red>Zone Alarm</font id=red>, valido e gratuito.
http://www.aiutamici.com/software/descrizione.asp?CodSw=56


Edited by - pidue on 07/19/2007 09:07:47

---