Mensagem de vírus ao ligar o PC.

Non-English Boards Português
21

Re-run Zoek.exe as you did before with this script:

process;
srinfo;
systemscpecs;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
WebCake;z
WebCake;a
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

Please attach here fresh zoek log. :wink:

22

Zoek LOG

23

Hi,

You are malware free. Junkware software makes problem with your PC and browsers.

Run this zoek script:


emptyclsid;
{AF6B0594-6008-4327-93E5-608AD710A6FA};c
fjoijdanhaiflhibkljeklcghcmmfffh;chr
C:\Program Files (x86)\WebCake;fs
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\WebCakeIEClient.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{7169BBB3-3289-4696-B35D-4A88BCF6FB12}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF6B0594-6008-4327-93E5-608AD710A6FA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WebCakeIEClient.Api.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\WebCakeIEClient.DLL]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\WebCakeUpdaterService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\Application\WebCakeUpdaterService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WebCake Desktop Updater]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WebCake Desktop Updater]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WebCake Desktop Updater]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WebCakeUpdaterService]
FFdefaults;
chrdefaults;
resetIEproxy;
netsh int ip reset >> %temp%\log.txt;b
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
emptyalltemp;
autoclean;

Attach here fresh zoek log. How is your computer running now? Any malware warnings?

If you still have mawlare warnings …

Your habits to use jankware software like IminentMessenger or previusly WebCake make the problems with your PC.
Do you know for RaidCall software? If not, remove it. And IminentMessenger is recommend to remove…

Go to Chrome;
In URL plase copy-paste this:

chrome://extensions

All extensions that you don’t know or not using, remove it. That should solve the problem.

To remove all used tools at the end. This is important, needs to be done.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[] Remove disinfection tools
[] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

24

zoek LOG.

Yes, when I initialize the Windows, this still happens: http://img855.imageshack.us/img855/2345/604m.jpg

I removed RaidCall deleting it by the root folder, in Programs Files (x86).

There’s a chance it still haunts my computer?

25

Hi,

I still see DAP’s extensions in Chrome. Remove that. Your PC is malware free. Problem is made by some browser extensions or some jankware software.

If you still have mawlare warnings ...

Your habits to use jankware software like IminentMessenger or previusly WebCake make the problems with your PC.
Do you know for RaidCall software? If not, remove it. And IminentMessenger is recommend to remove…

Go to Chrome;
In URL plase copy-paste this:

chrome://extensions

All extensions that you don’t know or not using, remove it. That should solve the problem.

Then if you have malware warning, I can check again system one more time if you want.

  1. Download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait while the tool does not start…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



process;
installedprogs;
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until a logreport will open (this can be after reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log

  1. Download GMER , AntiRootkit tool from the link below and save it to your Desktop :

Download GMER

Double-clicking to run GMER .

[*] Wait for initial scan to finish - if there is any query, click No ;

[*] Click Scan and wait until the full scan is complete;
[*] Click Save … - save the report to the Desktop (called Gmer1 );
// note: the scan for Gmer1 log may take some time

[*] Right-click in the window GMER and select Options> Only non MS files - click Scan ;
[*] after a fasts scan, click Save … - save the report to the Desktop (called Gmer2 );

[*] Click the >>> and select Autostart card;
[*] after a fast scan, click copy ;
[*] open notepad and it copy-paste text - save the report to the Desktop (called Gmer3 )

Attach here Gmer1; Gmer2 and Gmer3 logreports.

26

Here the logs you asked for. Svchost is appearing everytime again and the initial viruses still appears.

I’m crazy about these malwares, I removed all extensions from chrome, I’m removing all suspicious programs but that doesn’t seems to work.

27

I forgot about you. Strange situation of yours …

Run this zoek script:


C:\Windows\SYSTEM32\ntdll.dll;i
C:\Users\Luiz\AppData\Local\Temp\svchost.exe;f
C:\Users\Luiz\AppData\Local\Temp\zlib1.dll;f
C:\Users\Luiz\AppData\Local\Temp\ssleay32.dll;f
C:\Users\Luiz\AppData\Local\Temp\pthreadGC2.dll;f
C:\Users\Luiz\AppData\Local\Temp\libusb-1.0.dll;f
C:\Users\Luiz\AppData\Local\Temp\libidn-11.dll;f
C:\Users\Luiz\AppData\Local\Temp\Nexus%20Mod%20Manager-0.45.1.exe;f
C:\Users\Luiz\AppData\Local\Temp\instloffer.exe;f
C:\Users\Luiz\AppData\Local\Temp\libeay32.dll;f
C:\Users\Luiz\AppData\Local\Temp\libcurl-4.dll;f
C:\Users\Luiz\Downloads\8zc85yky.exe;f
C:\Users\Luiz\AppData\Local\Temp\svchost.exe;f
C:\Users\Luiz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BHQ3ZLL\svchost[1].exe;f
C:\Users\Luiz\AppData\Local\Temp\instloffer.exe;f
bodfdknjhecmadheclfjkhhiofeagdbh;chr
ffdcfjdljhbehggjdkdioajnknjcpbjb;chr
C:\Program Files (x86)\DAP;fs
FFdefaults;
chrdefaults;
emptyalltemp;
autoclean;


THEN …

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

THEN …

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.

[*] Unzip/unrar MBAR in a folder to your Desktop
[*] Open the folder where the contents were unzipped to run mbar.exe

[*] Click on Next > then on Update button to download fresh definitions.
[*] When database updates click Next
[*] In the following window ensure “Targets” scan for Drivers; Sectors; System are ticked. Then select “Scan button”

[*] If an infection/s are found ensure “Create Restore Point” is checked, then select the “Cleanup Button” to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

[*] The Clean up procedure will be Scheduled for process.
[*] When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.