Hello, I have just registered. I tried to install HijackThis.exe but it does not run. I looked in msconfig and saw bolenjx.exe and bolenja.exe, and following a tip from duduh_capixaba on the forum I installed and ran two other programs: McAfee Rootkit Detective and Trojan Remover 6.6.5. Both programs detect one of the two files and confirm that the processes have been terminated, but when I restart, they come back. Note: no antivirus opens (AVG, HijackThis; Ad-Aware runs but finds nothing). Below I am sending the Trojan Remover log, which is the only one I have. Sorry for the size of the log, but it is the only one I can get. I hope for some help, and thank you!!!! Ingo

***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
28/1/2008 22:32:27: Trojan Remover has been restarted
C:\WINDOWS\system32\bolenjx.exe has been renamed to C:\WINDOWS\system32\bolenjx.exe.vir
=======================================================
Deleting the following registry value(s):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[bolenjx] - deleted
=======================================================
Trojan Remover forced a System Restart by terminating WINLOGON.EXE.
The Cleanup Utility was used to remove locked registry keys.
28/1/2008 22:32:27: Trojan Remover closed
************************************************************

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.6.5.2510. For information, email support@simplysup1.com
[unregistered version]
Scan started at: 28/1/2008 22:29:04
Using Database v6919
Operating System: Windows XP Professional Service Pack 2 (Build 2600)
File System: NTFS
Data directory: C:\Documents and Settings\Leticia_Arq\Dados de aplicativos\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Leticia_Arq\Meus documentos\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Arquivos de programas\Trojan Remover\
Running with Administrator privileges
**************************************************
**************************************************
22:29:04: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS
**************************************************
22:29:04: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS
**************************************************
22:29:04: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.
**************************************************
22:29:05: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: Explorer.exe
C:\WINDOWS\Explorer.exe  1035264 bytes
Created: 9/9/2002  Modified: 13/6/2007
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe  24576 bytes
Created: 9/9/2002  Modified: 4/8/2004
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe  515072 bytes
Created: 9/9/2002  Modified: 4/8/2004
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: SoundMan
Value Data: SOUNDMAN.EXE
C:\WINDOWS\SOUNDMAN.EXE  -R-  55296 bytes
Created: 13/2/2005  Modified: 16/7/2003
Company: Realtek Semiconductor Corp.
--------------------
Value Name: AVG7_CC
Value Data: C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe  579072 bytes
Created: 26/4/2007  Modified: 20/12/2007
Company: GRISOFT, s.r.o.
--------------------
Value Name: !AVG Anti-Spyware
Value Data: "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe  6731312 bytes
Created: 11/6/2007  Modified: 11/6/2007
Company: GRISOFT s.r.o.
--------------------
Value Name: MSConfig
Value Data: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe  159744 bytes
Created: 13/2/2005  Modified: 4/8/2004
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Arquivos de programas\Trojan Remover\Trjscan.exe
C:\Arquivos de programas\Trojan Remover\Trjscan.exe  737872 bytes
Created: 28/1/2008  Modified: 3/1/2008
Company: Simply Super Software
--------------------
Value Name: bolenjx
Value Data: bolenjx.exe
C:\WINDOWS\system32\bolenjx.exe  14336 bytes
Created: 28/1/2008  Modified: 28/1/2008
Company:
C:\WINDOWS\system32\bolenjx.exe appears to be in-use/locked
bolenjx.exe - this registry value has been removed
C:\WINDOWS\system32\bolenjx.exe - process is either not running or could not be terminated
C:\WINDOWS\system32\bolenjx.exe - file ownership assigned to: LETICIA\Leticia_Arq
C:\WINDOWS\system32\bolenjx.exe - process is either not running or could not be terminated
C:\WINDOWS\system32\bolenjx.exe - file has been neutralised
C:\WINDOWS\system32\bolenjx.exe has been marked for renaming when the PC is restarted
--------------------
--------------------
LOG VERY LONG.... SECTION CUT
**************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
Scan completed at: 28/1/2008 22:29:53
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested. They may be in use by Windows, so Trojan Remover needs to restart the system in order to deal with these files.
28/1/2008 22:29:57: restart commenced
************************************************************

***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
28/1/2008 22:20:35: Trojan Remover has been restarted
C:\WINDOWS\system32\bolenjx.exe has been renamed to C:\WINDOWS\system32\bolenjx.exe.vir
=======================================================
Deleting the following registry value(s):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[bolenjx] - deleted
=======================================================
Trojan Remover forced a System Restart by terminating WINLOGON.EXE.
The Cleanup Utility was used to remove locked registry keys.
28/1/2008 22:20:35: Trojan Remover closed
************************************************************

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.6.5.2510. For information, email support@simplysup1.com
[unregistered version]
Scan started at: 28/1/2008 22:16:15
Using Database v6919
Operating System: Windows XP Professional Service Pack 2 (Build 2600)
File System: NTFS
Data directory: C:\Documents and Settings\Leticia_Arq\Dados de aplicativos\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Leticia_Arq\Meus documentos\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Arquivos de programas\Trojan Remover\
Running with Administrator privileges
**************************************************
**************************************************
22:16:16: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS
**************************************************
22:16:16: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS
**************************************************
22:16:16: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.
**************************************************
22:16:16: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: Explorer.exe
C:\WINDOWS\Explorer.exe  1035264 bytes
Created: 9/9/2002  Modified: 13/6/2007
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe  24576 bytes
Created: 9/9/2002  Modified: 4/8/2004
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe  515072 bytes
Created: 9/9/2002  Modified: 4/8/2004
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: SoundMan
Value Data: SOUNDMAN.EXE
C:\WINDOWS\SOUNDMAN.EXE  -R-  55296 bytes
Created: 13/2/2005  Modified: 16/7/2003
Company: Realtek Semiconductor Corp.
--------------------
Value Name: AVG7_CC
Value Data: C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe  579072 bytes
Created: 26/4/2007  Modified: 20/12/2007
Company: GRISOFT, s.r.o.
--------------------
Value Name: !AVG Anti-Spyware
Value Data: "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe  6731312 bytes
Created: 11/6/2007  Modified: 11/6/2007
Company: GRISOFT s.r.o.
--------------------
Value Name: MSConfig
Value Data: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe  159744 bytes
Created: 13/2/2005  Modified: 4/8/2004
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Arquivos de programas\Trojan Remover\Trjscan.exe
C:\Arquivos de programas\Trojan Remover\Trjscan.exe  737872 bytes
Created: 28/1/2008  Modified: 3/1/2008
Company: Simply Super Software
--------------------
Value Name: bolenjx
Value Data: bolenjx.exe
C:\WINDOWS\system32\bolenjx.exe  14336 bytes
Created: 28/1/2008  Modified: 28/1/2008

THE LOG IS VERY LARGE.... I DELETED THE REST.... IF NECESSARY I CAN SEND IT BY EMAIL. Ingo
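The entry that keeps coming back in the log above is a plain Run-key autostart: the `bolenjx` value references `bolenjx.exe` by bare name, the file sits in system32, was created and modified on the day of the scan, and has an empty Company field, while every other Run value in the log points to an older, dated path with a company name. As an added example, not part of Ingo's post and not code from Trojan Remover, here is a small Python triage script that parses the "Value Name / Value Data / path size / Created Modified / Company" blocks in this log layout and scores them with exactly those heuristics. The weights, the 3-point threshold, the 64 KB "small binary" cutoff and the embedded sample (a constructed, trimmed copy of three of the entries above) are the editor's assumptions.

```python
"""Triage HKLM\\...\\Run entries in a Trojan Remover log.

Added example, not from the original post or from Trojan Remover: parse the
per-value blocks the tool writes for the Run key and score each one with a
few autostart-persistence heuristics.  Weights and thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample: a trimmed excerpt laid out like the log posted above.
SAMPLE_LOG = r"""Scan started at: 28/1/2008 22:29:04
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: SoundMan
Value Data: SOUNDMAN.EXE
C:\WINDOWS\SOUNDMAN.EXE  -R-  55296 bytes
Created: 13/2/2005  Modified: 16/7/2003
Company: Realtek Semiconductor Corp.
--------------------
Value Name: TrojanScanner
Value Data: C:\Arquivos de programas\Trojan Remover\Trjscan.exe
C:\Arquivos de programas\Trojan Remover\Trjscan.exe  737872 bytes
Created: 28/1/2008  Modified: 3/1/2008
Company: Simply Super Software
--------------------
Value Name: bolenjx
Value Data: bolenjx.exe
C:\WINDOWS\system32\bolenjx.exe  14336 bytes
Created: 28/1/2008  Modified: 28/1/2008
Company:
C:\WINDOWS\system32\bolenjx.exe appears to be in-use/locked
--------------------
"""

DATE_FMT = "%d/%m/%Y"          # the log writes day/month/year
SMALL_BYTES = 64 * 1024        # assumption: droppers like bolenjx.exe are tiny
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

# One Run value as Trojan Remover prints it; the optional "-R-" is the
# read-only attribute marker seen on SOUNDMAN.EXE above.
ENTRY_RE = re.compile(
    r"Value Name: (?P<name>.+)\n"
    r"Value Data: (?P<data>.+)\n"
    r"(?P<path>.+?)\s+(?:-R-\s+)?(?P<size>\d+) bytes\n"
    r"Created: (?P<created>\S+)\s+Modified: (?P<modified>\S+)\n"
    r"Company:(?P<company>.*)"
)


@dataclass
class RunEntry:
    name: str
    data: str
    path: str
    size: int
    created: date
    modified: date
    company: str


def _to_date(text: str) -> date:
    return datetime.strptime(text, DATE_FMT).date()


def parse_run_entries(text: str):
    """Return (scan_date or None, [RunEntry, ...]) for every Run value block."""
    m = re.search(r"Scan started at: (\d+/\d+/\d+)", text)
    scan_date = _to_date(m.group(1)) if m else None
    entries = [
        RunEntry(
            name=e["name"].strip(), data=e["data"].strip(), path=e["path"].strip(),
            size=int(e["size"]), created=_to_date(e["created"]),
            modified=_to_date(e["modified"]), company=e["company"].strip(),
        )
        for e in ENTRY_RE.finditer(text)
    ]
    return scan_date, entries


def score(entry: RunEntry, scan_date):
    """Weighted heuristics (editor's assumptions); returns (score, reasons)."""
    reasons = []
    if not entry.company:
        reasons.append((2, "no company/version information"))
    if scan_date is not None and entry.created == scan_date == entry.modified:
        reasons.append((2, "created and modified on the day of the scan"))
    if "\\" not in entry.data:
        reasons.append((1, "bare file name in Run value, resolved via search path"))
    if entry.size < SMALL_BYTES and entry.path.lower().startswith(SYSTEM_DIRS):
        reasons.append((1, "small binary in a Windows system directory"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def triage(text: str, threshold: int = 3):
    """Return [(name, path, score, reasons)] for entries at or above threshold."""
    scan_date, entries = parse_run_entries(text)
    hits = []
    for entry in entries:
        total, why = score(entry, scan_date)
        if total >= threshold:
            hits.append((entry.name, entry.path, total, why))
    return hits


if __name__ == "__main__":
    for name, path, total, why in triage(SAMPLE_LOG):
        print(f"{name}: {path} (score {total})")
        for reason in why:
            print("  -", reason)
```

Against the sample, SoundMan scores 2 (bare name plus a small file under C:\WINDOWS), TrojanScanner 0, and bolenjx 6, so only bolenjx clears the threshold; the Realtek entry shows why a single heuristic is not a verdict. Note also what the log itself already shows: the Run value was deleted and the file renamed to `.vir`, yet Ingo reports the file returning after every reboot, so something outside the cut portion of the log (the second file, a service, or another autostart location) is recreating it, and a Run-key triage alone will not find that.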