Eu tentei o Kaspersky e o AVG, que não encontraram o vírus. Também tentei o Spybot Search & Destroy, que é um anti-spyware: ele encontrou algumas coisas, mas não removeu o vírus.
Acho que há um vírus no computador. Então abri o Wireshark, capturei o tráfego e analisei os resultados:
Um dos fluxos TCP (Follow TCP Stream) mostra a seguinte requisição e resposta (a linha de requisição GET não aparece no trecho abaixo):
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.socialnewsworld.com/index.php?aff_id=20196
Accept-Language: en-us
UA-CPU: x86
If-Modified-Since: Wed, 01 Aug 2012 07:16:27 GMT; length=4500
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; BTRS27025; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Host: ad.globe7.com
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Wed, 01 Aug 2012 16:47:54 GMT
Server: YTS/1.19.11
X-RightMedia-Hostname: raptor0510.rm.ch1
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Vary: *
Last-Modified: Wed, 01 Aug 2012 16:47:54 GMT
Expires: Wed, 01 Aug 2012 16:47:54 GMT
Pragma: no-cache
Content-Length: 4500
Age: 0
Connection: close
<html><head><!--
  Captured HTTP response body from ad.globe7.com (headers are shown above):
  a Right Media ad-serving tag in "iframe" mode. By itself this is the ad
  network's loader, not (presumably) the infection: it builds an impression
  URL from browser capabilities and the referrer, then document.write()s a
  second-stage script element pointing at ad.globe7.com. The forensic lead is
  which process or page on the client issued this request (the Referer header
  names socialnewsworld.com/index.php?aff_id=20196).
--></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/
/* Tag configuration. Every flag below is 0 for this serving, so the passback
   (rm_passback) and pop-up frequency-cap (rm_pop_*) branches further down are
   not taken. */
var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";
/* Values filled in by the ad server for this impression: tag mode and the base
   impression URL. The &X=, &B=, &m=, &u= and &r= parameters are appended to
   rm_url below before it is loaded. */
rm_tag_type = "iframe"; rm_url = "http://ad.globe7.com/imp?Z=300x250&s=2796686&T=3&_salt=1910561499";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';
/* rm_crex_data is a page-global array shared between Right Media tags on the
   same page; its entries are joined with "," into &X= (their meaning is not
   shown in this tag). NOTE(review): the else (passback) branch reads
   rm_pb_data, which is only created in the if branch, so a passback tag that
   runs first on a page would throw a ReferenceError; unreachable here since
   rm_passback is 0. */
if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(rm_crex_data.length>0){rm_url+="&X=";for(var i=0;i<rm_crex_data.length;i++){rm_url+=rm_crex_data[i];if(i!=rm_crex_data.length-1){rm_url+=",";}}}}else{rm_pb_data.push(rm_crex_data.pop());rm_url+="&X=";for(var i=0;i<rm_pb_data.length;i++){rm_url+=rm_pb_data[i];if(i!=rm_pb_data.length-1){rm_url+=",";}}rm_url+="&Y=pb";}
/* Capability fingerprint sent to the ad server: B=10 cookies+Flash, B=12
   cookies only, B=11 Flash only, B=13 neither; m=2 asks for a non-Flash
   creative when Flash is absent or banned. */
var flash=new Object();flash=flashDetection();if(cookiesEnabled()){rm_url+=(flash.installed?"&B=10":"&B=12");}else{rm_url+=(flash.installed?"&B=11":"&B=13");}if(!flash.installed||rm_ban_flash==1){rm_url+="&m=2";}
/* Page context sent to the ad server: in "ad" mode the top-level URL (only
   when unframed), in "iframe" mode document.referrer (the page that framed this
   tag), URL-encoded and truncated to 256 characters. The try/catch swallows any
   error, e.g. cross-origin access to top.location. r=1 means the tag runs
   unframed, r=0 that it is inside a frame. */
if(rm_url.indexOf("&u=")==-1){var url='';try{if(rm_tag_type=="ad"){if(top==self){url=encodeURIComponent(top.location.href);url=url.substr(0,256);rm_url+="&u="+url;}}else if(rm_tag_type=="iframe"){url=encodeURIComponent(document.referrer);url=url.substr(0,256);rm_url+="&u="+url;}}catch(e){}}if(top==self){rm_url+="&r=1";}else{rm_url+="&r=0";}
/* Second stage: a script element whose SRC is rm_url (ad.globe7.com/imp?...)
   is written into the document, so the actual creative JavaScript arrives in a
   follow-up request that is not part of this capture. When rm_pop_frequency is
   non-zero the write is gated by the cookie-based cap in rmCanShowPop(); here
   it is 0, so the script is written unconditionally. */
var rm_tag_src='<SCRIPT TYPE="text/javascript" SRC="'+rm_url+'"><\/SCRIPT>';if(rm_pop_frequency){if(rmCanShowPop(rm_pop_id,rm_pop_times,rm_pop_frequency)||rm_pop_nofreqcap){document.write(rm_tag_src);}}else{document.write(rm_tag_src);}
/* True when the browser accepts cookies: trusts navigator.cookieEnabled when
   it is defined, otherwise writes a probe cookie "testcookie" (never removed)
   and checks that it reads back. */
function cookiesEnabled(){var cookieEnabled=(navigator.cookieEnabled)?true:false;if(typeof navigator.cookieEnabled=="undefined"&&!cookieEnabled){document.cookie="testcookie";cookieEnabled=(document.cookie.indexOf("testcookie")!=-1)?true:false;}return cookieEnabled;}
/* Returns the unescape()d value of cookie `Name`, or null when absent. It
   matches the first occurrence of "Name=" anywhere in document.cookie, so a
   cookie whose name merely ends with `Name` would also match. `offset` and
   `end` are assigned without var and become implicit globals. */
function rmGetCookie(Name){var search=Name+"=";var 
CookieString=document.cookie;var result=null;if(CookieString.length>0){offset=CookieString.indexOf(search);if(offset!=-1){offset+=search.length;end=CookieString.indexOf(";",offset);if(end==-1){end=CookieString.length;}result=unescape(CookieString.substring(offset,end));}}return result;}
/* Detects Flash: scans navigator.plugins for "Shockwave Flash" and takes the
   version from the plugin description; otherwise (IE) probes the ActiveX
   ProgIDs ShockwaveFlash.ShockwaveFlash.2 through .9 by eval()ing a string.
   The eval input is built only from the loop counter, so nothing external is
   injected, but eval is unnecessary here: new ActiveXObject(...) with the
   concatenated ProgID would do. The loop does not break on success, so the
   highest major version that constructs wins. `x` and `oFlash` are implicit
   globals. */
function flashDetection(){var flash=new Object();flash.installed=false;flash.version='0.0';if(navigator.plugins&&navigator.plugins.length){for(x=0;x<navigator.plugins.length;x++){if(navigator.plugins[x].name.indexOf('Shockwave Flash')!=-1){flash.version=navigator.plugins[x].description.split('Shockwave Flash ')[1];flash.installed=true;break;}}}else if(window.ActiveXObject){for(x=2;x<10;x++){try{oFlash=eval("new ActiveXObject('ShockwaveFlash.ShockwaveFlash."+x+"');");if(oFlash){flash.installed=true;flash.version=x+'.0';}}catch(e){}}}return flash;}
/* Global, case-insensitive replace. `toReplace` is compiled as a RegExp, not
   matched literally, so regex metacharacters in it are interpreted. Not called
   anywhere in this tag. */
function rmReplace(myString,toReplace,replaceBy){return(myString.replace(new RegExp(toReplace,'gi'),replaceBy));}
/* Sets ckName=ckVal with path=/ and a 14-day expiry (no Secure or HttpOnly
   attributes). Always returns null. Not called anywhere in this tag. */
function writeCookie(ckName,ckVal){var numdays=14;var today=new Date();var expires=new Date();expires.setTime(today.getTime()+(1000*60*60*24*numdays));var cookieText=ckName+"="+ckVal+";expires="+expires.toGMTString()+";path=/;";document.cookie=cookieText;return null;}
/* Cookie-based frequency cap for pop-ups. The show count lives in cookie
   RM_POP_COOKIE_NAME+rm_pop_id; on the first show the end of the window is
   stored in the matching "_expiration" cookie. Returns true (and increments
   the count) while fewer than pop_times shows are recorded, false otherwise.
   `return_value` is an implicit global. Unreachable in this serving because
   rm_pop_frequency is 0. */
function rmCanShowPop(rm_pop_id,pop_times,pop_frequency){var countCookieName=RM_POP_COOKIE_NAME+rm_pop_id;var expireCookieName=RM_POP_COOKIE_NAME+"_expiration"+rm_pop_id;var shownTimes=rmGetCookie(countCookieName);if(shownTimes==null){rmWriteExpirationCookie(expireCookieName,pop_frequency);shownTimes=0;}else{shownTimes=Number(shownTimes);}if(shownTimes<pop_times){shownTimes=1+shownTimes;var expiration=rmGetCookie(expireCookieName);rmWritePopFrequencyCookie(rm_pop_id,shownTimes,expiration);return_value=true;}else{return_value=false;}return return_value;}
/* Writes the show counter cookie with expires= set to the GMT timestamp string
   that rmWriteExpirationCookie saved, path=/. If `expiration` is null the
   literal text "null" is written as the expiry (browser handling of that is
   not shown here). */
function rmWritePopFrequencyCookie(rm_pop_id,shownTimes,expiration){var cookieName=RM_POP_COOKIE_NAME+rm_pop_id;var 
cookieText=cookieName+"="+shownTimes+";"+"expires="+expiration+";path=/;";document.cookie=cookieText;}
/* Writes a cookie whose value and expiry are both now + `frequency` seconds
   (as a GMT string), marking the end of the current frequency window. */
function rmWriteExpirationCookie(cookieName,frequency){var today=new Date();var expires=new Date();expires.setTime(today.getTime()+(1000*frequency));var cookieText=cookieName+"="+expires.toGMTString()+";"+"expires="+expires.toGMTString()+";path=/;";document.cookie=cookieText;}</script><!-- No-JavaScript fallback: a plain image impression (imp?...&t=2) wrapped in a click-through link to the same ad server. --><noscript><a href="http://ad.globe7.com/imageclick?Z=300x250&s=2796686&T=3&_salt=1910561499&t=2" target="_parent"><img border="0" src="http://ad.globe7.com/imp?Z=300x250&s=2796686&T=3&_salt=1910561499&t=2"></img></a></noscript></body></html>
Esse é o pop-up do vírus: se você salvar o HTML acima em um arquivo (file.html) e abri-lo no navegador, verá o anúncio. Observe, porém, que esse HTML é apenas a tag de anúncio do Right Media servida por ad.globe7.com; o que indica a infecção é que algo no computador está fazendo essa requisição (veja o Referer, socialnewsworld.com/index.php?aff_id=20196, e o token BTRS27025 no User-Agent, que vale investigar como possível identificador do componente instalado). Agora, minha pergunta é: como descobrir onde exatamente o vírus está e como removê-lo do sistema? Executando no Windows XP SP3.