[Arquivado] Virus que faz o computador reiniciar

dgoprosit · Agosto 19, 2008

Boa tarde,

estou com algum virus no meu pc e não estou conseguindo remove-lo.

Sempre que eu tentava usar o avg o computador reiniciava, aí sempre que eu tentava excluir o agv acontecia a mesma coisa.

Li alguns tópicos daqui e usei o Killbox para excluir o avg, isso deu certo.

Mas mesmo assim meu pc continua reiniciando.

Baixei o HijackThis e salvei o log que ele gerou, acho que isso pode ajudar neh...

Segue o log:

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

F:\Virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\ARQUIV~1\Odigo\Bin\OdigoBHO.dll (file missing)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [web-fi-bc] C:\web-fi-bc\webf.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll (file missing)

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

Estou quase formatando meu pc, será que este é o unico meio?

Alguem tem outra solução sem ser formatar o pc??

Fico no aguardo de uma ajuda, obrigado.

jgarcia · Agosto 22, 2008

Opa dgoprosit,

Baixe o ComboFix em:

ComboFix

1) Desabilite o seu anti-vírus temporariamente;

2) Dê um duplo-clique no combofix.exe e tecle "1" para prosseguir. O processo vai durar, em média, 10 minutos;

3) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado (somente se houver infecção);

4) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;

5) Não clique na janela do ComboFix, nem feche clicando no X, enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco);

6) Para parar ou sair do ComboFix, tecle "N";

7) Reabilite o seu anti-vírus;

8) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta, juntamente com um log do Hijackthis.

Abraços.

dgoprosit · Agosto 26, 2008

Valew pela resposta jgarcia, me desculpe ter demorado para mandar os logs, só conseguir fazer isso ontem.

Segue o combofix.txt

ComboFix 08-08-21.02 - teste 2008-08-25 23:39:25.6 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.738 [GMT -3:00]

Executando de: C:\ComboFix.exe

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

((((((((((((((((((((((( Ficheiros criados de 2008-07-26 to 2008-08-26 ))))))))))))))))))))))))))))))))

.

2008-08-25 23:33 . 2008-08-22 16:53 2,720,466 -ra------ C:\ComboFix.exe

2008-08-25 23:33 . 2008-08-25 23:33 218,112 --a------ C:\HijackThis.exe

2008-08-19 00:30 . 2008-08-19 00:30 <DIR> d-------- C:\Documents and Settings\teste\Dados de aplicativos\MEGAUPLOADTOOLBAR

2008-08-19 00:20 . 2007-04-19 10:02 <DIR> d--h----- C:\Documents and Settings\teste\Modelos

2008-08-19 00:20 . 2008-08-19 00:20 <DIR> d---s---- C:\Documents and Settings\teste\Meus documentos

2008-08-19 00:20 . 2007-04-19 05:59 <DIR> dr------- C:\Documents and Settings\teste\Menu Iniciar

2008-08-19 00:20 . 2008-08-19 00:20 <DIR> d-------- C:\Documents and Settings\teste\Favoritos

2008-08-19 00:20 . 2008-08-19 00:30 <DIR> dr-h----- C:\Documents and Settings\teste\Dados de aplicativos

2008-08-19 00:20 . 2008-08-25 23:40 <DIR> d--h----- C:\Documents and Settings\teste\Configurações locais

2008-08-19 00:20 . 2007-04-19 05:59 <DIR> d--h----- C:\Documents and Settings\teste\Ambiente de rede

2008-08-19 00:20 . 2007-04-19 05:59 <DIR> d--h----- C:\Documents and Settings\teste\Ambiente de impressão

2008-08-19 00:20 . 2008-08-19 00:20 <DIR> d-------- C:\Documents and Settings\teste

2008-08-18 23:40 . 2008-08-19 01:01 <DIR> d-------- C:\!KillBox

2008-08-04 08:59 . 2008-08-04 08:59 <DIR> d--hs---- C:\found.000

2008-07-26 23:41 . 2008-07-26 23:41 <DIR> d-------- C:\Documents and Settings\Casa\Dados de aplicativos\aAvgApi

2008-07-26 23:30 . 2008-07-26 23:30 <DIR> d-------- C:\spoolerlogs

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-19 04:11 --------- d-----w C:\Arquivos de programas\Image2Ico

2008-08-19 03:26 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\avg8

2008-07-23 22:26 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft Help

2008-07-22 21:36 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR

2008-07-15 23:25 --------- d-----w C:\Documents and Settings\Casa\Dados de aplicativos\DivX

2008-07-09 19:36 --------- d-----w C:\Arquivos de programas\Microsoft SQL Server

2008-07-03 23:20 --------- d-----w C:\Arquivos de programas\K-Lite Codec Pack

2008-06-20 17:41 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

2007-08-05 05:17 49,152 ----a-w C:\Documents and Settings\Casa\TempoJovem.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias & legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 09:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-12-15 00:20 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-12-15 00:07 118784]

"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-01-22 22:02 185896]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 09:00 15360]

"DWQueuedReporting"="C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]

C:\Documents and Settings\Casa\Menu Iniciar\Programas\Inicializar\

Recorte de tela e Iniciador do OneNote 2007.lnk - C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= "C:\WINDOWS\Downloaded Program Files\gbiehabn.dll" [2007-01-10 14:08 222392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys []

S2 avg8wd;AVG Free8 WatchDog;C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe []

S2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe [2007-06-15 15:49]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Arquivos de programas\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 07:01]

.

Conteúdo da pasta 'Tarefas Agendadas'

2008-08-25 C:\WINDOWS\Tasks\A2ADDF0091AE5E24.job

- c:\docume~1\dieg\dadosd~1\refjun~1\ISO FOUR CLOCK.exe []

2008-08-26 C:\WINDOWS\Tasks\MP Scheduled Scan.job

- C:\Arquivos de programas\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

------- Ccan Suplementar -------

.

O8 -: E&xport to Microsoft Excel - C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 -: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

C:\WINDOWS\Downloaded Program Files\GbPluginABN.inf

C:\WINDOWS\Downloaded Program Files\Abn.gpc

C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-25 23:40:59

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

**************************************************************************

.

Tempo para conclusão: 2008-08-25 23:42:00

ComboFix-quarantined-files.txt 2008-08-26 02:41:56

ComboFix2.txt 2008-08-26 02:37:16

ComboFix3.txt 2008-08-26 02:32:11

ComboFix4.txt 2008-08-24 03:23:48

ComboFix5.txt 2008-08-26 02:38:53

Pre-Run: 7,176,679,424 bytes disponíveis

Post-Run: 7,164,698,624 bytes disponíveis

109 --- E O F --- 2008-08-25 01:12:28

Segue o log do Hijackthis

Logfile of HijackThis v1.99.1

Scan saved at 00:11:14, on 26/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\HijackThis.exe