Malware, me ajudem a desinfectá-lo

bmetal1418 · 19-05-2009, 17:52

Aí, pessoal, de repente começou a aparecer na bandeja do windows o Malware Doctor aqui. Não consigo desligá-lo, ele está fazendo um scan, estava, na realidade. E toda hora aparecia aqui que o computador está infectado.

Não consigo desligar o compuador. Não consigo passar um antivírus nele. Apesar de não ter antivírus aqui, até semana passada estava fazendo o online com o Bitdefender.

Daí baixei o Fyndykill para tentar eliminar. Só que chageava na hora e não reiniciava.

Os vírus encontrados no M. Doctors foram esses Generic Rootkit.g , Generic Downloader.b e Backdoor-DUK

Alguem tem alguma idéia para me ajudar?

**Otneba62** · 19-05-2009, 18:04

Vê as indicações desse post:

Infectado? Leia aqui antes de postar

[]s

bmetal1418 · 19-05-2009, 18:14

Log do HijackThis

Código:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:13:11, on 19/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\3361\SVCHOST.exe
C:\WINDOWS\system32\csrcs.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\AV.EXE
C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
C:\WINDOWS\system32\algssl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Documents and Settings\Julio Cezar\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Julio Cezar\reader_s.exe
C:\WINDOWS\system32\3361\SVCHOST.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\sopidkc.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\Crawler\Toolbar\CToolbar.exe
C:\DOCUME~1\JULIOC~1\CONFIG~1\Temp\Rar$EX00.953\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\net.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/disp...%s&tbid=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60265
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_**...spx?TbId=60265
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60265
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_**...spx?TbId=60265
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Microsoft copyright - {56BB6D01-7BD5-4458-A4AE-F03DF643D6EE} - gofax.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Barra de Ferramentas &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [Secure AntiVirus Pro] C:\WINDOWS\AV.EXE
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julio Cezar\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Julio Cezar\reader_s.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Julio Cezar\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com...reqlab_srl.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Arquivos de programas\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: sopidkc  Service (sopidkc) - 11.231.223.21 - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Atualizações automáticas (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 9484 bytes

Antonio Vieira S · 19-05-2009, 18:37

Olá bmetal1418!

Sugiro que você salve ou imprima essas instruções abaixo, pois em alguns momentos você poderá precisar usar o computador sem o acesso à internet:

- Faça o download do Malwarebytes Anti-Malware.
* Faça a instalação dando um duplo clique em "mbam-setup.exe";
*Selecione a linguagem Português (Brasil)
*Selecione apenas a caixa: "Atualizar MalwareBytes'Anti-Malware"
*Se alguma atualização existir, o download será automático
*Não faça ainda scan!!!
*Reinicie o PC em Modo de Segurança (apertando a tecla F8 (ou a tecla F5 em alguns computadores) repetidas vezes quando o computador estiver reiniciando e escolhendo a opção Modo Seguro ou Modo de Segurança).
* Se não possível executar o computador em Modo Seguro, faça o escaneamento no modo normal
*Execute o programa MalwareBytes'Anti-Malware e clique na aba: "Verificação", selecione a opção "Verificação completa"
*Clique no botão: "Verificar"
* Marque todas as partes do computador que você deseja escanear e clique no botão: “Iniciar verificação”
*Ao término do scan, clique em "OK" > "Mostrar Resultados"
*Selecione todas as entradas e clique em "Remover Selecionados"
*Após a remoção poderá ser interrogado se deseja remover objetos da memória. Clique "SIM"
*Um log será apresentado com o resultado das ações
*Alguns malwares são rebeldes e necessitam de uma reinicialização para a remoção. Caso isto seja solicitado, clique para reiniciar o PC.
*Ao término do processo, reinicie o PC em Modo Normal.
* Depois de alguns dias, se o seu computador estiver funcionando normalmente sem estes arquivos que foram excluidos pelo Malwarebytes Anti-malware, abra (execute) o Malwarebytes Anti-malware, clique na aba: Quarentena e clique no botão: Remover tudo.
*Execute novamente o programa Malwarebytes Anti-malware e clique na aba “Logs”, dê um duplo clique com o mouse sobre o log mais recente, selecione o log completo e copie-o.

Poste este log gerado pelo Malwarebytes Anti-Malware juntamente com um novo log do Hijackthis na sua próxima resposta e nos diga como está o seu computador depois de seguir este procedimento acima.

Ficamos no aguardo de sua resposta.

bmetal1418 · 20-05-2009, 9:24

Log do Malware:

Código:

Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 2
20/5/2009 10:11:45
mbam-log-2009-05-20 (10-11-45).txt
Scan type: Full Scan (C:\|)
Objects scanned: 128337
Time elapsed: 43 minute(s), 52 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 21
Registry Values Infected: 9
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 95
Memory Processes Infected:
C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\tcpcon.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{56bb6d01-7bd5-4458-a4ae-f03df643d6ee} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56bb6d01-7bd5-4458-a4ae-f03df643d6ee} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pcm1394 (Trojan.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pcm1394 (Trojan.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcm1394 (Trojan.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msncache (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msncache (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\darkness (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\darkness (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\darkness (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJPMIG8.2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Doctor (Rogue.MalwareDoc) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Secure AntiVirus Pro (Rogue.SecureAntiVirusPro) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\Julio Cezar\Dados de aplicativos\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\tcpcon.dll (Trojan.Agent) -> Delete on reboot.
c:\program Files\ThunMail\testabd.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stfa.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Arquivos de programas\MSN\MSNCoreFiles\copymar.exe (Worm.Luder) -> Quarantined and deleted successfully.
C:\Arquivos de programas\MSN\MSNCoreFiles\dw.exe (Worm.Luder) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0056926.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0057988.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0057989.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0058942.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0058943.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0059942.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0059943.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0060942.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0060943.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0061942.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0061944.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP41\A0061945.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP42\A0062943.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP42\A0062944.sys (Trojan.GamesThief) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP42\A0062945.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP42\A0062949.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP42\A0063942.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP42\A0063943.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP42\A0064945.sys (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP42\A0065944.sys (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP42\A0066941.sys (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP43\A0067944.sys (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP43\A0069942.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP43\A0069947.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0070962.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0070965.sys (Trojan.VB) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0070966.sys (Trojan.GamesThief) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0070968.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0070969.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0070970.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0071957.dll (Trojan.Hacktool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0072943.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0073942.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0075975.exe (Worm.Luder) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{32D2C514-4319-4F20-9F52-98A16129C523}\RP44\A0078797.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\11.tmp (Trojann.Rlsloup) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\13.tmp (Trojan.Spamtool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\15.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\16.tmp (Trojan.Rlsloup) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\18.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2F.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gofax.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Packer.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pcm1394.sys (Trojan.GamesThief) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\3a3ddab4.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\cawadpoisudrfgw44.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dbfjhnofgfugwphdesbv44.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dgxnhaeruosegbawjkiserb44.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\txpxr_124682442121.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\txpxr_201361184419.b1k (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Julio Cezar\Dados de aplicativos\ptidle\ptidle.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\dhcp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3361\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msncache.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dncyool64.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcxool64.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Julio Cezar\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Julio Cezar\Configurações locais\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpsaxyd.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtukd32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN11.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msime80.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sys32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Arquivos de programas\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe (Rogue.MalwareDoc) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\MSAGNT32.DLL (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\AV.EXE (Rogue.SecureAntiVirusPro) -> Quarantined and deleted successfully.

Log do Hjackthis

Código:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:19, on 20/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Documents and Settings\Julio Cezar\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\algssl.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Julio Cezar\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/disp...%s&tbid=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60265
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_**...spx?TbId=60265
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60265
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_**...spx?TbId=60265
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Barra de Ferramentas &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julio Cezar\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Julio Cezar\reader_s.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com...reqlab_srl.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: tbwmnrf - C:\WINDOWS\SYSTEM32\tbwmnrf.dll
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Arquivos de programas\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Atualizações automáticas (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 7763 bytes

Ah, lembrando que o Gerenciador de Tarefas aqui não está abrindo... E ainda esse programa que falei, que fica na bandeja, o Malware Doctor, tem aberto junto com o Windows e feito o scan sozinho.

Wings · 20-05-2009, 9:37

Dando um auxílio....

*Desative temporariamente seu antivírus
*Baixe o programa ComboFix e salve-o no desktop
*Feche o Internet Explorer e o Windows Explorer
*Duplo-clique no arquivo Combofix.exe e aguarde o início
*Leia o contrato, tecle [1] > [ENTER]
*Importante: enquanto o ComboFix estiver em execução, não use o mouse nem o teclado, pois seu desktop ficará em branco!!...Para interromper o procedimento tecle [N]
*Ao final do procedimento, o programa será fechado automaticamente e será mostrado um relatório
*Cole o relatório criado em C:\combofix.txt

bmetal1418 · 20-05-2009, 9:41

Citação:

Postado Originalmente por Wings

Dando um auxílio....

*Desative temporariamente seu antivírus
*Baixe o programa ComboFix e salve-o no desktop
*Feche o Internet Explorer e o Windows Explorer
*Duplo-clique no arquivo Combofix.exe e aguarde o início
*Leia o contrato, tecle [1] > [ENTER]
*Importante: enquanto o ComboFix estiver em execução, não use o mouse nem o teclado, pois seu desktop ficará em branco!!...Para interromper o procedimento tecle [N]
*Ao final do procedimento, o programa será fechado automaticamente e será mostrado um relatório
*Cole o relatório criado em C:\combofix.txt

Cara, só tem um problema, o Malware Doctor aqui não dá pra fechá-lo. Então toda hora aparece uma janela dizendo que meu computador pode estar infectado e pergunta se quero scaneá-lo.

E toda hora abre o Mozila aqui com propaganda de perfume.

Wings · 20-05-2009, 9:50

Esqueça o Malware Doctor....siga o procedimento.

bmetal1418 · 20-05-2009, 10:25

Citação:

Postado Originalmente por Wings

Esqueça o Malware Doctor....siga o procedimento.

Caraca, que sinistro, cara. Tipo, baixei o Combofix e reiniciei o computador. Quando cliquei nele de novo apareceu uma tela preta e um alerta dizendo que não seria seguro continuar, e fechou e automaticamente o Combfix foi excluido do meu desktop, local onde eu salvei ele.

Wings · 20-05-2009, 10:30

OK...vamos lá.

1.
*Baixe o programa SmitFraudFix e salve-o no desktop
*Desative temporariamente o antivírus
*Duplo clique em SmitfraudFix.exe
*Ao surgir a primeira tela tecle ENTER
*Tecle [1] > [ENTER]...aguarde o término
*Cole o relatório criado em C:\rapport.txt

bmetal1418 · 20-05-2009, 10:50

Citação:

Postado Originalmente por Wings

OK...vamos lá.

1.
*Baixe o programa SmitFraudFix e salve-o no desktop
*Desative temporariamente o antivírus
*Duplo clique em SmitfraudFix.exe
*Ao surgir a primeira tela tecle ENTER
*Tecle [1] > [ENTER]...aguarde o término
*Cole o relatório criado em C:\rapport.txt

Po, cara, ta brabo, ta caindo nesta páina aqui: http://perso99-g5.free.fr/overload.html

Não estou conseguindo baixar.

Agradeço pela paciência.

Wings · 20-05-2009, 11:05

Enviado link por MP.

bmetal1418 · 20-05-2009, 11:49

Aí está, cara.

Código:

SmitFraudFix v2.416
Scan done at 12:23:30,04, qua 20/05/2009
Run from C:\Documents and Settings\Julio Cezar\Desktop\SmitfraudFix
OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Documents and Settings\Julio Cezar\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\algssl.exe
C:\Documents and Settings\Julio Cezar\reader_s.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Julio Cezar\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\
C:\autorun.inf FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julio Cezar

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JULIOC~1\CONFIG~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julio Cezar\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JULIOC~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Arquivos de programas 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 
»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!
o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri
 
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
 
»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!
Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\progra~1\\ThunMail\\testabd.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
»»»»»»»»»»»»»»»»»»»»»»»» RK
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
 

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX) - Miniporta do agendador de pacotes
DNS Server Search Order: 10.1.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{4DEA96E6-CF12-4302-8ECB-684B1677062C}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4DEA96E6-CF12-4302-8ECB-684B1677062C}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4DEA96E6-CF12-4302-8ECB-684B1677062C}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Wings · 20-05-2009, 12:11

É...o Smitfraudfix não detectou o Malware Doctor.

Vamos com o que podemos usar, já que o Combofix não consegue ser executado.

1.
*Delete o programa SmitfraudFix e o arquivo C:\rapport.txt

2.
*Baixe o programa OTMoveIt e salve-o no desktop
*Selecione e copie (Ctrl+c) todo o código abaixo:

Citação:

:Processes
explorer.exe
:Files
C:\WINDOWS\system32\msime80.exe
C:\WINDOWS\system32\msfir80.exe
C:\WINDOWS\system32\algssl.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
C:\Documents and Settings\Julio Cezar\reader_s.exe
C:\WINDOWS\SYSTEM32\tbwmnrf.dll
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IMJPMIG8.2"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MsServer"=-
"Malware Doctor"=-
"reader_s"=-
:Services
AshEvtSvc
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

*Duplo clique em OTMoveIt3.exe
*Mantenha selecionada a caixa "Unregister Dll's and Ocx's"
*Cole (Ctrl+v) o código que você copiou no espaço em branco abaixo de "Paste Instructions for items to be Moved"
*Clique em [MoveIt]
*Clique em [Sim] se for solicitado para reiniciar o PC
*Cole o relatório criado em C:\_OTMoveIt\MovedFiles\###_###.log, onde ### é data_hora e novo log do hijack

bmetal1418 · 20-05-2009, 12:41

Log desse programa:

Código:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\WINDOWS\system32\msime80.exe not found.
File/Folder C:\WINDOWS\system32\msfir80.exe not found.
C:\WINDOWS\system32\algssl.exe moved successfully.
File/Folder C:\WINDOWS\System32\AshEvtSvc.exe not found.
File/Folder C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe not found.
File/Folder C:\Documents and Settings\Julio Cezar\reader_s.exe not found.
File/Folder C:\WINDOWS\SYSTEM32\tbwmnrf.dll not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run not found.
========== SERVICES/DRIVERS ==========
Service\Driver AshEvtSvc deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Julio Cezar\Configurações locais\Temporary Internet Files\Content.IE5\index.dat 
scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1a4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05202009_133731
Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_1a4.dat not found!

e do Hijackthis:

Código:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39:38, on 20/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\sds2.tmp
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Documents and Settings\Julio Cezar\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Julio Cezar\Desktop\HijackThis.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/disp...%s&tbid=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60265
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_**...spx?TbId=60265
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60265
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_**...spx?TbId=60265
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Microsoft copyright - {56BB6D01-7BD5-4458-A4AE-F03DF643D6EE} - stfa.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Barra de Ferramentas &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julio Cezar\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Julio Cezar\reader_s.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com...reqlab_srl.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: tbwmnrf - C:\WINDOWS\SYSTEM32\tbwmnrf.dll
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Arquivos de programas\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Atualizações automáticas (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 8284 bytes

Wings · 20-05-2009, 12:51

Poucas mudanças no log.

1.
*Acesse a página abaixo:
http://www.kellys-korner-xp.com/regs...ytoolsundo.reg
*Clique com o botão direito do mouse nela e selecione "Salvar como.."
*Salve no desktop
*Duplo clique em disableregistrytoolsundo.reg e aceite a entrada no registro.
*Reinicie o PC

2. Vá em Adicionar/Remover programas e desinstale ThunMail

3. Novo log do hijack

bmetal1418 · 20-05-2009, 12:55

Citação:

Postado Originalmente por Wings

Poucas mudanças no log.

1.
*Acesse a página abaixo:
http://www.kellys-korner-xp.com/regs...ytoolsundo.reg
*Clique com o botão direito do mouse nela e selecione "Salvar como.."
*Salve no desktop
*Duplo clique em disableregistrytoolsundo.reg e aceite a entrada no registro.
*Reinicie o PC

2. Vá em Adicionar/Remover programas e desinstale ThunMail

3. Novo log do hijack

Hum....Deu aqui que a edição de registro foi desativada pelo administrador...

Wings · 20-05-2009, 13:00

A guerra vai ser longa....

1.
*Delete o arquivo disableregistrytoolsundo.reg

2. Desinstale o programa que solicitei.

3.
*Baixe o programa RegistryFix e salve-o no desktop
*Duplo clique em RegistryFix.exe e clique em Fix Registry

*Reinicie o PC

4. Novo log do hijack

bmetal1418 · 20-05-2009, 13:04

Depois destes dois últimos procedimentos, o M. Doctors não tem ligado mais. Que bom. Mas ainda surge uma propaganda de perfume pelo Firefox. E quando dou Ctrl + Alt + Del diz que o Gerenciador de Tarefas foi desativado pelo administrador.

Código:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:03:13, on 20/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Documents and Settings\Julio Cezar\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julio Cezar\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/disp...%s&tbid=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60265
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_**...spx?TbId=60265
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60265
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_**...spx?TbId=60265
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Microsoft copyright - {56BB6D01-7BD5-4458-A4AE-F03DF643D6EE} - stfa.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Barra de Ferramentas &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julio Cezar\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Julio Cezar\reader_s.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com...reqlab_srl.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\ARQUIV~1\INBOXT~1\Inbox.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\ARQUIV~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: tbwmnrf - C:\WINDOWS\SYSTEM32\tbwmnrf.dll
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Arquivos de programas\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Atualizações automáticas (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 7820 bytes

Wings · 20-05-2009, 13:17

OK...o malware havia bloqueado o acesso ao registro.

Vamos tentar novamente o procedimento com o OTMoveIt.

*Selecione e copie (Ctrl+c) todo o código abaixo:

Citação:

:Processes
explorer.exe

:Files
C:\WINDOWS\SYSTEM32\tbwmnrf.dll
C:\Documents and Settings\LocalService\Dados de aplicativos\916653139.exe
C:\Documents and Settings\Julio Cezar\reader_s.exe
C:\WINDOWS\System32\reader_s.exe

:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tbwmnrf]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Malware Doctor"=-
"reader_s"=-
"MsServer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersio*n\Run]
"Malware Doctor"=-
"reader_s"=-
"IMJPMIG8.2"=-

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

*Duplo clique em OTMoveIt3.exe
*Mantenha selecionada a caixa "Unregister Dll's and Ocx's"
*Cole (Ctrl+v) o código que você copiou no espaço em branco abaixo de "Paste Instructions for items to be Moved"
*Clique em [MoveIt]
*Clique em [Sim] se for solicitado para reiniciar o PC
*Cole o relatório criado em C:\_OTMoveIt\MovedFiles\###_###.log, onde ### é data_hora e novo log do hijack

19-05-2009, 17:52	#1 (permalink)
bmetal1418 Membro Senior Registrado em: Sep 2006 Mensagens: 250 Reputação: 12	Malware, me ajudem a desinfectá-lo Aí, pessoal, de repente começou a aparecer na bandeja do windows o Malware Doctor aqui. Não consigo desligá-lo, ele está fazendo um scan, estava, na realidade. E toda hora aparecia aqui que o computador está infectado. Não consigo desligar o compuador. Não consigo passar um antivírus nele. Apesar de não ter antivírus aqui, até semana passada estava fazendo o online com o Bitdefender. Daí baixei o Fyndykill para tentar eliminar. Só que chageava na hora e não reiniciava. Os vírus encontrados no M. Doctors foram esses Generic Rootkit.g , Generic Downloader.b e Backdoor-DUK Alguem tem alguma idéia para me ajudar? __________________ Processador (Athlon 3500 Single Core) - Placa mãe (A8NX) - Placa de Video (8500GT) -M. Ram (2 GB DDr400) - HD 160 GB Seargate - Gravador de DVD LG - Monitor LCD 15' LG - Fonte (???)

19-05-2009, 18:04	#2 (permalink)
Otneba62 Moderador Registrado em: Apr 2007 Localização: Portugal ou 0° 20′ 0″ N, 6° 44′ 0″ E Mensagens: 6.498 Reputação: 1464	Vê as indicações desse post: Infectado? Leia aqui antes de postar []s __________________ Leiam antes de postar! Regras de conduta!

19-05-2009, 18:37	#4 (permalink)
Antonio Vieira S GeeK Registrado em: Jul 2008 Mensagens: 2.879 Reputação: 211	Olá bmetal1418! Sugiro que você salve ou imprima essas instruções abaixo, pois em alguns momentos você poderá precisar usar o computador sem o acesso à internet: - Faça o download do Malwarebytes Anti-Malware. * Faça a instalação dando um duplo clique em "mbam-setup.exe"; Selecione a linguagem Português (Brasil) Selecione apenas a caixa: "Atualizar MalwareBytes'Anti-Malware" Se alguma atualização existir, o download será automático Não faça ainda scan!!! Reinicie o PC em Modo de Segurança (apertando a tecla F8 (ou a tecla F5 em alguns computadores) repetidas vezes quando o computador estiver reiniciando e escolhendo a opção Modo Seguro ou Modo de Segurança). Se não possível executar o computador em Modo Seguro, faça o escaneamento no modo normal Execute o programa MalwareBytes'Anti-Malware e clique na aba: "Verificação", selecione a opção "Verificação completa" Clique no botão: "Verificar" * Marque todas as partes do computador que você deseja escanear e clique no botão: “Iniciar verificação” Ao término do scan, clique em "OK" > "Mostrar Resultados" Selecione todas as entradas e clique em "Remover Selecionados" Após a remoção poderá ser interrogado se deseja remover objetos da memória. Clique "SIM" Um log será apresentado com o resultado das ações Alguns malwares são rebeldes e necessitam de uma reinicialização para a remoção. Caso isto seja solicitado, clique para reiniciar o PC. Ao término do processo, reinicie o PC em Modo Normal. * Depois de alguns dias, se o seu computador estiver funcionando normalmente sem estes arquivos que foram excluidos pelo Malwarebytes Anti-malware, abra (execute) o Malwarebytes Anti-malware, clique na aba: Quarentena e clique no botão: Remover tudo. Execute novamente o programa Malwarebytes Anti-malware e clique na aba “Logs”, dê um duplo clique com o mouse sobre o log mais recente, selecione o log completo e copie-o. Poste este log gerado pelo Malwarebytes Anti-Malware juntamente com um novo log do Hijackthis na sua próxima resposta e nos diga como está o seu computador depois de seguir este procedimento acima. Ficamos no aguardo de sua resposta. __________________ <><><><><><><><><><><><><><><><> Pop Blogs* = O melhor dos blogs você encontra aqui! Caixa de Dicas = Sempre com novos tutoriais e novidades em informática e tecnologia.

20-05-2009, 9:37	#6 (permalink)
Wings Highlander Registrado em: Apr 2007 Mensagens: 15.651 Reputação: 2819	Dando um auxílio.... Desative temporariamente seu antivírus Baixe o programa ComboFix e salve-o no desktop Feche o Internet Explorer e o Windows Explorer Duplo-clique no arquivo Combofix.exe e aguarde o início Leia o contrato, tecle [1] > [ENTER] Importante: enquanto o ComboFix estiver em execução, não use o mouse nem o teclado, pois seu desktop ficará em branco!!...Para interromper o procedimento tecle [N] Ao final do procedimento, o programa será fechado automaticamente e será mostrado um relatório Cole o relatório criado em C:\combofix.txt __________________

20-05-2009, 9:50	#8 (permalink)
Wings Highlander Registrado em: Apr 2007 Mensagens: 15.651 Reputação: 2819	Esqueça o Malware Doctor....siga o procedimento. __________________

		FórumGdH > Software, Segurança e Mac (Apple) > Segurança: discussões, dúvidas e informações
Malware, me ajudem a desinfectá-lo

1. Como remover esse Malware "Rootkit" 2. Infectado com Malware... por favor me ajudem analisando o log do Hijack... 3. me ajudem a tirar o malware doctor do meu pc, ja fiz o log (tit.edit.)	4. Ajuda com vírus
Mais resultados? Use nossa pesquisa.

20-05-2009, 10:30	#10 (permalink)
Wings Highlander Registrado em: Apr 2007 Mensagens: 15.651 Reputação: 2819	OK...vamos lá. 1. Baixe o programa SmitFraudFix* e salve-o no desktop Desative temporariamente o antivírus Duplo clique em SmitfraudFix.exe Ao surgir a primeira tela tecle ENTER Tecle [1] > [ENTER]...aguarde o término *Cole o relatório criado em C:\rapport.txt __________________

20-05-2009, 11:05	#12 (permalink)
Wings Highlander Registrado em: Apr 2007 Mensagens: 15.651 Reputação: 2819	Enviado link por MP. __________________

20-05-2009, 12:51	#16 (permalink)
Wings Highlander Registrado em: Apr 2007 Mensagens: 15.651 Reputação: 2819	Poucas mudanças no log. 1. Acesse a página abaixo: http://www.kellys-korner-xp.com/regs...ytoolsundo.reg Clique com o botão direito do mouse nela e selecione "Salvar como.." Salve no desktop Duplo clique em disableregistrytoolsundo.reg e aceite a entrada no registro. Reinicie o PC 2. Vá em Adicionar/Remover programas e desinstale ThunMail* 3. Novo log do hijack __________________

20-05-2009, 13:00	#18 (permalink)
Wings Highlander Registrado em: Apr 2007 Mensagens: 15.651 Reputação: 2819	A guerra vai ser longa.... 1. Delete o arquivo disableregistrytoolsundo.reg 2. Desinstale o programa que solicitei. 3. Baixe o programa RegistryFix e salve-o no desktop Duplo clique em RegistryFix.exe e clique em Fix Registry Reinicie o PC 4. Novo log do hijack __________________

Opções do Tópico
Exibir Versão para Impressão Envie essa página por e-mail