GEBar, posted June 6, 2008

Hi, I have Kaspersky installed here, and for a few days now it has been sending me the following messages:

KASPERSKY LOG:

Protection : running
--------------------
Total scanned: 7222
Detected: 2452
Untreated: 0
Start time: 5/6/2008 18:14:44
Duration: 03:57:13

Detected
--------
Status  Object
------  ------
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest Bank" <no-reply@natwest.com>][subject:Customer service: your NatWest Bank banking account.][Time:2008/06/03 11:16:28]\text/html
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest bank plc" <generatedmail.id2507678-0049306ncf@natwest.co.uk>][subject:Service Notification From NatWest Bank. (Tue, 03 Jun 2008 06:17:40 -0800)][Time:2008/06/03 11:17:40]\text/html
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest Bank Plc" <cservice.id8572754-46577ncf@natwest.com>][subject:NatWest Bank: data confirmation. (message id: NR8351229380)][Time:2008/06/03 11:22:31]\text/html
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest Bank" <no-reply@natwest.com>][subject:alert! <message id: uk017617985624dq>][Time:2008/06/03 11:22:52]\text/html
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"National Westminster Bank" <mailserver.id6907249-3570025454ncf@natwest.com>][subject:Security Alert [Tue, 03 Jun 2008 06:24:18 -0800]][Time:2008/06/03 11:24:18]\text/html
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest bank" <mail_service.id8359-3024ncf@natwest.com>][subject:Notice: confirm your online banking records.][Time:2008/06/03 11:24:28]\text/html
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest bank plc" <autoremailer.id9671-340384023ncf@natwest.com>][subject:NatWest Bank Customer Service: Urgent Notification! [message id: ql5491213]][Time:2008/06/03 11:27:05]\text/html
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest Bank" <genmail.id8439-737003ncf@natwest.co.uk>][subject:National Westminster Bank: instructions for customer!][Time:2008/06/04 04:40:13]\text/html
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest bank plc" <no-reply@natwest.com>][subject:NatWest Bank: confirm your account details][Time:2008/06/04 04:40:22]\text/html
detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest Bank" <customersupport.id191869468527ncf@natwest.com>][subject:NatWest Bank: account management! <message ref: vh27646518824>][Time:2008/06/03 11:29:08]\text/html

and so on, endlessly.....

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19:58, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Ad-Aware 2007\aawservice.exe
D:\Kaspersky\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Kaspersky\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Kaspersky\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O20 - Winlogon Notify: traffic32 - C:\WINDOWS\SYSTEM32\traffic32.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Kaspersky\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I have already run Ad-Aware, Spybot, SUPERAntiSpyware and BankerFix, and none of them detected anything.

I also noticed a large number of SVCHOST processes in Task Manager... a bit out of the ordinary, I believe (seven). I don't know what else to do; I hope someone can help.

Thank you very much,
Geraldo
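Every Kaspersky line above is the mail scanner flagging an HTML message body (the Trojan-Spy.HTML.Fraud.gen verdict) rather than a file on disk. The parser below is an added example, not part of the original thread or of Kaspersky's tooling: it pulls the verdict, claimed display name, sender address, subject and time out of lines in that layout and summarises them; the sample lines are constructed copies of three entries from the log.

```python
"""Parse 'Email message body' detections from a Kaspersky Anti-Virus 7 report."""
import re
from collections import Counter

# Constructed sample: three lines copied from the report above (raw strings, so the
# trailing \text/html is not read as a tab escape) plus one non-detection line.
SAMPLE_LINES = [
    r'detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest Bank" <no-reply@natwest.com>][subject:Customer service: your NatWest Bank banking account.][Time:2008/06/03 11:16:28]\text/html',
    r'detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest bank plc" <generatedmail.id2507678-0049306ncf@natwest.co.uk>][subject:Service Notification From NatWest Bank. (Tue, 03 Jun 2008 06:17:40 -0800)][Time:2008/06/03 11:17:40]\text/html',
    r'detected: Trojan program Trojan-Spy.HTML.Fraud.gen (modification) Email message body: [From:"NatWest Bank" <no-reply@natwest.com>][subject:alert! <message id: uk017617985624dq>][Time:2008/06/03 11:22:52]\text/html',
    'Untreated: 0',  # summary line, must be ignored by the parser
]

# One detection line: verdict, claimed display name, sender address, subject, timestamp.
LINE_RE = re.compile(
    r'^detected: (?P<kind>.+?) (?P<verdict>\S+) \(modification\) '
    r'Email message body: \[From:"(?P<name>[^"]*)" <(?P<addr>[^>]+)>\]'
    r'\[subject:(?P<subject>.*)\]\[Time:(?P<time>[\d/]+ [\d:]+)\]'
)


def parse_detections(lines):
    """Return one dict per mail-body detection; every other report line is skipped."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["domain"] = d["addr"].rsplit("@", 1)[1].lower()
        # Local parts like 'generatedmail.id2507678-0049306ncf' are machine-generated,
        # typical of a bulk phishing run; the display name is what the recipient sees.
        d["generated_localpart"] = re.search(r"\.id\d+", d["addr"]) is not None
        found.append(d)
    return found


def summarize(detections):
    """Counts per verdict, per claimed sender domain and per day, plus generated local parts."""
    return {
        "verdicts": Counter(d["verdict"] for d in detections),
        "domains": Counter(d["domain"] for d in detections),
        "days": Counter(d["time"].split(" ")[0] for d in detections),
        "generated_localparts": sum(d["generated_localpart"] for d in detections),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_detections(SAMPLE_LINES)).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```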
Sam Spade, posted June 6, 2008

Hello GEBar!

Set Windows to show all files.

Go to http://virusscan.jotti.org/

On the site, in the Browse box, paste the line below:

C:\WINDOWS\SYSTEM32\traffic32.dll

Click Submit and wait for the analysis result to appear. Save it and post it.
GEBar, posted June 6, 2008

Here is all the information that was returned:

File: traffic32.dll
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5: 89aa68a08c22e3b2268554be1a568972
Packers detected: PE_PATCH.UPX, UPX
Scan taken on 06 Jun 2008 20:14:43 (GMT)

A-Squared            Found nothing
AntiVir              Found nothing
ArcaVir              Found nothing
Avast                Found nothing
AVG Antivirus        Found nothing
BitDefender          Found nothing
ClamAV               Found nothing
CPsecure             Found nothing
Dr.Web               Found nothing
F-Prot Antivirus     Found nothing
F-Secure Anti-Virus  Found nothing
Fortinet             Found nothing
Ikarus               Found nothing
Kaspersky Anti-Virus Found nothing
NOD32                Found nothing
Norman Virus Control Found nothing
Panda Antivirus      Found nothing
Sophos Antivirus     Found Sus/Behav-1021 (probable variant)
VirusBuster          Found nothing
VBA32                Found nothing

Last file scanned at least one scanner reported something about: server.exe (MD5: d725b34b54ee827eaec41913ad2187fd, size: 52382 bytes), detected by:

Scanner              Malware name
A-Squared            X
AntiVir              BDS/Bifrose.aci.125
ArcaVir              Riskware.Constructor.Microjoiner.17
Avast                Win32:Bifrose-CNF
AVG Antivirus        BackDoor.Bifrose.GEN
BitDefender          Trojan.Inject.HM
ClamAV               X
CPsecure             BackDoor.W32.Bifrose.aci
Dr.Web               BackDoor.Bifrost
F-Prot Antivirus     X
F-Secure Anti-Virus  Backdoor.Win32.Bifrose.aci
Fortinet             W32/Bdoor.ACI!tr.bdr
Ikarus               Backdoor.Win32.Bifrose.aci
Kaspersky Anti-Virus Backdoor.Win32.Bifrose.aci
NOD32                X
Norman Virus Control W32/Bifrose.HSA
Panda Antivirus      X
Sophos Antivirus     Mal/Bifrose-A
VirusBuster          X
VBA32                X

What do you suggest?
Sam Spade, posted June 9, 2008

Hello, restart the PC and tap F8 repeatedly. In the menu choose: Safe Mode.

Delete the file you had analysed:

C:\WINDOWS\SYSTEM32\traffic32.dll <<< this one

Open HijackThis and click Do a system scan only. Wait for the scan to finish. Each entry has a checkbox on the left-hand side. Tick only the checkbox of the entry below, if you still find it:

O20 - Winlogon Notify: traffic32 - C:\WINDOWS\SYSTEM32\traffic32.dll

It will show a check mark inside the box. Then click on . Answer OK to the prompt and then close HijackThis.

Restart normally, generate a new log with HijackThis and post it. Let me know whether the problem is gone.
GEBar, posted June 10, 2008

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:51, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
D:\Kaspersky\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Kaspersky\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Kaspersky\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Kaspersky\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Just did it; I'll wait a bit before confirming whether the problem has been solved.

Thanks
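The fix in Sam Spade's instructions and the new log above come down to one question: is the O20 Winlogon Notify entry gone? The script below is an added example, not from the thread or from HijackThis itself; it parses the HijackThis line format into sections, lists the O20 DLLs, and diffs a before/after pair. The two excerpts are constructed from the logs posted in this thread, cut down to a few entries each.

```python
"""Parse HijackThis 2.x logs and diff a before/after pair to confirm an entry was removed."""
import re

# HijackThis entry lines look like 'O20 - Winlogon Notify: traffic32 - C:\...\traffic32.dll'.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Constructed excerpts of the two logs posted in this thread, cut down to a few entries.
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19:58, on 5/6/2008
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky\avp.exe"
O20 - Winlogon Notify: traffic32 - C:\WINDOWS\SYSTEM32\traffic32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Ad-Aware 2007\aawservice.exe
"""
AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:51, on 9/6/2008
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky\avp.exe"
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Ad-Aware\aawservice.exe
"""


def parse_hjt(text):
    """Split a log into (header lines, {section code: [entry body, ...]})."""
    header, entries = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m["code"], []).append(m["body"])
        else:
            header.append(line)
    return header, entries


def winlogon_notify(entries):
    """(subkey, DLL) pairs from O20 entries; these DLLs are loaded by winlogon.exe at every logon."""
    pairs = []
    for body in entries.get("O20", []):
        m = re.match(r"Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$", body)
        if m:
            pairs.append((m["name"], m["dll"]))
    return pairs


def diff_logs(before, after):
    """Entries only in the first log and entries only in the second, as 'CODE - body' strings."""
    b = {f"{c} - {x}" for c, xs in before.items() for x in xs}
    a = {f"{c} - {x}" for c, xs in after.items() for x in xs}
    return sorted(b - a), sorted(a - b)
```

Run `diff_logs(parse_hjt(BEFORE)[1], parse_hjt(AFTER)[1])` on the two full logs to see every entry that changed between scans, not just the one you expected to disappear.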
Sam Spade, posted June 12, 2008

Hello, so is everything fine with the PC now?
Mário Monteiro, posted July 2, 2008

PROBLEM SOLVED!

Should the author need the topic reopened, send a Private Message to a Moderator with a link to the topic.