
This topic has been archived and is closed to new replies.

Luis Magalhaes

[Solved!] Problem with a bot and a rootkit


I need some help here with a log.

 

I have already cleaned some of the viruses, but one bot here always comes back after I delete it. I suppose some update is missing here so that it does not come back.

 

I also suspected rootkits, and in fact I had one called pe386.sys; I detected it with Sophos Anti-Rootkit and removed it through regedit (but I am not 100% sure).

 

Now this bot that shows up in the O4 (startup) lines will not leave me alone. I delete it, but it always comes back.

 

I also suspect that the O20 line that appears in the log is related to the rootkit, because I have already applied the fix to it in safe mode and it always shows up again, without showing the file path.

 

With that description done, I hope someone can give me a hand here. Thanks in advance.

 

Log follows:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 16:59:50, on 01-12-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\qttask.exe

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\Programas\Messenger\msmsgs.exe

C:\Documents and Settings\All Users\Spybot - Search & Destroy\TeaTimer.exe

C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\Programas\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [aol] "C:\Programas\AOL\Active Virus Shield\avp.exe"

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\All Users\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - Global Startup: DSLMON.lnk = C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164764868512

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

O23 - Service: Active Virus Shield (AVP) - AOL - C:\Programas\AOL\Active Virus Shield\avp.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

 


Hello Luis Magalhaes! Download ComboFix and save it to the desktop.

 

Close all windows and programs.

Double-click combofix.exe and press "Y" to proceed with the fix. It will take about 10 minutes on average.

ComboFix will restart the PC automatically to complete the removal process.

 

When it finishes, a log will be generated at C:\ComboFix.txt.

 

Attention:

Do not click inside the ComboFix window, and do not close it by clicking the X, while it is running; otherwise it will stop and your desktop will go blank.

 

To stop or exit ComboFix, press "N".

 

Generate a new HijackThis log and post it, together with ComboFix.txt.


First of all, thanks for the help, Sam.

 

I saw in the ComboFix output the request for a rootkit scan. To get ahead and help you out, I ran the F-Secure one and the Sophos one, and no rootkit.

 

Any idea what on earth this *#&*X# [ÿ_zskholtsyb^txntgjo]niwmdksz_] is?

 

Thanks

 

Logfile of HijackThis v1.99.1

Scan saved at 23:22:28, on 01-12-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\System32\qttask.exe

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\Programas\Messenger\msmsgs.exe

C:\Documents and Settings\All Users\Spybot - Search & Destroy\TeaTimer.exe

C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Programas\Internet Explorer\iexplore.exe

C:\Programas\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [aol] "C:\Programas\AOL\Active Virus Shield\avp.exe"

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\All Users\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - Global Startup: DSLMON.lnk = C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164764868512

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

O23 - Service: Active Virus Shield (AVP) - AOL - C:\Programas\AOL\Active Virus Shield\avp.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

 

- 06-12-01 23:12:27,81 Service Pack 1

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\(confidencial)\Ambiente de trabalho"

 

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

 

REGISTRY ENTRIES REMOVED:

 

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

Granting sedebugprivilege to Administradores ... successful

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\drsmartload2.dat

C:\WINDOWS\uninstall_nmon.vbs

C:\WINDOWS\system32\atmtd.dll.tmp

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-01 to 2006-12-01 ))))))))))))))))))))))))))))))))))

 

 

2006-11-29 21:31 <DIR> d-------- C:\SOPHTEMP

2006-11-29 21:17 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall

2006-11-29 21:16 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe

2006-11-29 21:16 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2006-11-29 00:49 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll

2006-11-29 00:49 195,352 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll

2006-11-29 00:49 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll

2006-11-29 00:49 128,280 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll

2006-11-29 00:48 466,200 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll

2006-11-29 00:48 175,896 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe

2006-11-29 00:48 <DIR> d-------- C:\WINDOWS\SoftwareDistribution

2006-11-29 00:26 <DIR> d-------- C:\!KillBox

2006-11-28 23:02 <DIR> d-------- C:\Programas\AOL

2006-11-28 23:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL

2006-11-28 23:00 <DIR> d--hs---- C:\Config.Msi

2006-11-27 21:22 80 --a------ C:\WINDOWS\gmer_uninstall.cmd

2006-11-27 21:20 603,136 --------- C:\WINDOWS\SYSTEM32\xpsp2res.dll

2006-11-27 21:20 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll

2006-11-27 21:20 550,912 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll

2006-11-27 21:20 440,320 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll

2006-11-27 21:20 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll

2006-11-27 21:08 26,112 --a------ C:\WINDOWS\SYSTEM32\xpsp1hfm.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

Rootkit driver pe386 is present. A rootkit scan is required

 

2006-12-01 16:59 3167 --a------ C:\Programas\hijackthis.log

2006-11-28 23:15 61072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.sys

2006-11-28 23:15 59536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.sys

2006-09-04 20:46 28672 --a------ C:\WINDOWS\SYSTEM32\qttask.exe

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"

"SpybotSD TeaTimer"="C:\\Documents and Settings\\All Users\\Spybot - Search & Destroy\\TeaTimer.exe"

"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"AME_CSA"="rundll32 amecsa.cpl,RUN_DLL"

"QuickTime Task"="C:\\WINDOWS\\System32\\qttask.exe"

"aol"="\"C:\\Programas\\AOL\\Active Virus Shield\\avp.exe\""

@=""

"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000004

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

"SpySheriff"="C:\\Program Files\\SpySheriff\\SpySheriff.exe"

"Microsoft Configure"="msconfigures.exe"

"Ms System Config"="Mscfg.exe"

"shell"="\"C:\\Programas\\Ficheiros comuns\\Microsoft Shared\\Web Folders\\ibm00025.exe\""

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]

"Microsoft Configure"="msconfigures.exe"

"Ms System Config"="Mscfg.exe"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

"SpySheriff"="C:\\Program Files\\SpySheriff\\SpySheriff.exe"

"Microsoft Configure"="msconfigures.exe"

"Ms System Config"="Mscfg.exe"

"shell"="\"C:\\Programas\\Ficheiros comuns\\Microsoft Shared\\Web Folders\\ibm00025.exe\""

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]

"Microsoft Configure"="msconfigures.exe"

"Ms System Config"="Mscfg.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-carregador Browseui"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon da cache de categorias dos componentes"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{F2FA09FB-EE7A-46d8-9145-A1EEF7850052}"=""

"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

"DisableTaskMgr"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"Wallpaper"=""

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"ClassicShell"=dword:00000000

"ForceActiveDesktopOn"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]

"Wallpaper"=""

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"ClassicShell"=dword:00000000

"ForceActiveDesktopOn"=dword:00000001

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ÿ_zskholtsyb^txntgjo]niwmdksz_]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="_zskdmwin]ojgtnxt^bystloh"

"hkey"="HKLM"

"command"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wnfsx"=dword:00000003

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20061129-215114-804

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061129-215114-563

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061129-215114-199

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061129-003519-950

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061129-003519-406

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061129-003519-489

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061129-003519-345

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

backup-20061127-221302-560

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061127-221302-780

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061127-221302-332

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

backup-20061127-205448-201

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061127-205448-806

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061127-205448-433

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061127-205448-516

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

backup-20061127-205448-838

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

backup-20061127-204624-917

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

backup-20061127-204624-451

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061127-204624-629

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

backup-20061127-204624-159

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20061127-204624-801

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

backup-20061127-204624-764

R3 - Default URLSearchHook is missing

backup-20061127-204624-718

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

backup-20060824-213410-218

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

backup-20060824-211308-520

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

backup-20060824-210527-135

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060824-210527-240

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

backup-20060824-204724-727

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060824-204724-517

O4 - HKLM\..\Run: [rpcc] rpcc.exe

backup-20060824-204724-285

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

backup-20060824-204724-555

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

backup-20060824-204724-737

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060824-204724-912

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060729-170101-213

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

backup-20060729-170101-755

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060729-170101-655

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060729-170101-876

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060729-170101-865

O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\e002lado1d0c.dll (file missing)

backup-20060729-163619-933

O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\e002lado1d0c.dll

backup-20060729-163619-795

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060729-163619-758

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060729-163619-538

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060729-163040-604

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

backup-20060729-163039-943

O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\irnml5511.dll

backup-20060729-163039-237

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060729-163039-320

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060729-163039-548

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-225830-485

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-225830-771

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-225255-747

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-225255-664

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-223619-990

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-223619-176

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-223619-781

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-223524-366

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-223524-246

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-223524-615

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-222417-299

O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\lvjs0917e.dll

backup-20060727-222417-209

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-222417-660

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-222417-265

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-222417-486

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\services.exe

backup-20060727-220602-289

O23 - Service: svahost - Unknown owner - C:\WINDOWS\svahost.exe

backup-20060727-220602-556

O23 - Service: Terminal Services NT (termserv.exe) - Unknown owner - C:\WINDOWS\services.exe

backup-20060727-220559-181

O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\omeacc.dll

backup-20060727-220559-227

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-220559-741

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-220559-136

O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\tNpiperf.dll

backup-20060727-220559-310

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-215300-589

O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\tNpiperf.dll

backup-20060727-215300-768

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\omeacc.dll

backup-20060727-215300-459

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-215300-679

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-215300-762

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-215300-878

O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\omeacc.dll

backup-20060727-211218-845

O4 - HKCU\..\RunServices: [Microsoft Configure] msconfigures.exe

backup-20060727-211218-754

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

backup-20060727-211218-555

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-211218-288

O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe

backup-20060727-211218-465

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-211218-651

O4 - HKLM\..\Run: [Microsoft Configure] msconfigures.exe

backup-20060727-211218-725

O4 - HKLM\..\Run: [winsystems25] winsystems.exe

backup-20060727-211218-945

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-205013-478

O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe

backup-20060727-205013-211

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-205013-294

O4 - HKLM\..\Run: [Ms System Config] Mscfg.exe

backup-20060727-205013-479

O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe

backup-20060727-205013-305

O4 - HKLM\..\Run: [sysTray] C:\Program Files\miiw.exe

backup-20060727-205013-387

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060727-205013-677

O4 - HKLM\..\RunServices: [Microsoft Configure] msconfigures.exe

backup-20060725-221148-285

O4 - HKCU\..\RunServices: [Yahoo Load] msnchecker.exe

backup-20060725-221148-462

O4 - HKCU\..\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

backup-20060725-221148-648

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060725-221148-253

O4 - HKCU\..\Run: [Yahoo Load] msnchecker.exe

backup-20060725-221148-473

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060725-221148-759

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060725-220209-878

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060725-220209-633

O4 - HKLM\..\Run: [implib] rundll32.exe C:\WINDOWS\System32\implib.dll,start

backup-20060725-220209-658

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060725-215429-452

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

backup-20060725-215429-369

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

Completion time: 06-12-01 23:17:53.80

C:\ComboFix.txt ... 06-12-01 23:17


OK, select and copy into Notepad what is inside the Quote:

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

"SpySheriff"=-

"Microsoft Configure"=-

"Ms System Config"=-

"shell"=-

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]

"Microsoft Configure"=-

"Ms System Config"=-

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

"SpySheriff"=-

"Microsoft Configure"=-

"Ms System Config"=-

"shell"=-

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]

"Microsoft Configure"=-

"Ms System Config"=-

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ÿ_zskholtsyb^txntgjo]niwmdksz_]

REGEDIT4 must be right at the start of the text in Notepad. Do not change the layout of what you pasted in any way.

 

Save it to the desktop with the name fixremoval.reg, setting the file type to: all files.

 

Restart the PC and tap F8 repeatedly. In the menu choose: safe mode.

 

Find fixremoval.reg on the desktop and double-click it. Accept merging it into the registry.

 

Restart in normal mode. Generate a new HijackThis log and post it.

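As an added example (not part of this thread, and not code from ComboFix, HijackThis or regedit), the Python script below applies the reasoning behind the fix above to the ComboFix "Reg Loading Points" section posted earlier: it parses the bracketed keys and "name"="data" lines, maps each autostart value name to every Run/RunServices key that carries it, flags names that appear in several hives, sit under RunServices, or contain characters no installer would use, and then emits a REGEDIT4 removal file using the same "name"=- syntax as fixremoval.reg. The sample text is a shortened, constructed copy of the posted log; the function names and the three heuristics are my own assumptions, not anything those tools provide.

```python
"""Triage of autostart entries from a ComboFix "Reg Loading Points" dump.

Added example for this thread; not part of ComboFix, HijackThis or regedit.
"""
import re
from collections import defaultdict

# The value name the thread is about (copied from the posted log).
BOT_NAME = 'ÿ_zskholtsyb^txntgjo]niwmdksz_'

# Constructed excerpt of the posted "Reg Loading Points" section (shortened).
SAMPLE = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"
"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="C:\\WINDOWS\\System32\\qttask.exe"
"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"
"SpySheriff"="C:\\Program Files\\SpySheriff\\SpySheriff.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"
"SpySheriff"="C:\\Program Files\\SpySheriff\\SpySheriff.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')          # [HKEY_...\...\run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')  # "name"=data
AUTOSTART_LEAVES = ('run', 'runonce', 'runservices')


def unescape_reg(s):
    # .reg syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_loading_points(text):
    """Return a list of (key, value_name, data) from ComboFix-style output."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key:
            data = m.group('data')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape_reg(data[1:-1])   # REG_SZ; dword:... is left as-is
            entries.append((key, m.group('name'), data))
    return entries


def autostart_map(entries):
    """Map each autostart value name -> {registry key: command}."""
    by_name = defaultdict(dict)
    for key, name, data in entries:
        if key.rsplit('\\', 1)[-1].lower() in AUTOSTART_LEAVES:
            by_name[name][key] = data
    return dict(by_name)


def suspicious(by_name):
    """Heuristics (assumed, not a tool's): {name: [reasons]} for entries worth a look."""
    hits = {}
    for name, keys in by_name.items():
        reasons = []
        if len(keys) > 1:
            reasons.append('same value name in %d keys' % len(keys))
        if any(k.lower().endswith('runservices') for k in keys):
            reasons.append('RunServices is a Win9x key; NT/XP never process it')
        if re.search(r'[^\w .&()-]', name):
            reasons.append('characters no installer would use in a value name')
        if reasons:
            hits[name] = reasons
    return hits


def removal_reg(by_name, names):
    """Build a REGEDIT4 file deleting the given value names wherever they occur ("name"=-)."""
    per_key = defaultdict(list)
    for name in names:
        for key in by_name.get(name, {}):
            per_key[key].append(name)
    lines = ['REGEDIT4', '']
    for key in sorted(per_key):
        lines.append('[%s]' % key)
        lines.extend('"%s"=-' % n for n in per_key[key])
        lines.append('')
    return '\r\n'.join(lines)


if __name__ == '__main__':
    table = autostart_map(parse_loading_points(SAMPLE))
    flagged = suspicious(table)
    for name, reasons in flagged.items():
        print(name, '->', '; '.join(reasons))
        for key, cmd in table[name].items():
            print('   ', key, '=', cmd)
    # XP-era regedit reads REGEDIT4 files as ANSI; cp1252 keeps the 0xFF byte of the 'ÿ'.
    with open('fixremoval.reg', 'w', encoding='cp1252', newline='') as fh:
        fh.write(removal_reg(table, flagged))
```

What the grouping makes visible is that the same value name sits in five keys: HKCU Run, HKLM Run, HKLM RunServices, and the Run keys of HKEY_USERS\.default and S-1-5-18 (the SYSTEM account). The HijackThis 1.99.1 logs in this thread list only the first three, which is why the .reg file above addresses the HKEY_USERS hives by hand. When you write the file yourself, keep the REGEDIT4 header on the first line, save it as ANSI (cp1252) with CRLF line endings, and check the output before merging it, since a "name"=- line silently does nothing if the name does not match byte for byte.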

Sam, you are the man :D

 

That file thing with those weird characters is gone. What on earth was it?

 

I always suspected a rootkit here, and since neither Sophos nor F-Secure detected it properly, I found something called GMER. Here is the log for you.

 

But it is strange that it picks up files that belong to the antivirus, see:

Klif.sys http://secunia.com/advisories/15618/

Kl1.sys http://www.bleepingcomputer.com/startups/kl1.sys-15140.html

pe386.sys, this one is bad: http://fileinfo.prevx.com/QQaa3f21532009-P.../PE386.SYS.html

 

Below is a log I created with GMER. Thanks for your availability.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 17:09:52, on 03-12-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\qttask.exe

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\Programas\Messenger\msmsgs.exe

C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Programas\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [aol] "C:\Programas\AOL\Active Virus Shield\avp.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background

O4 - Global Startup: DSLMON.lnk = C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164764868512

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O23 - Service: Active Virus Shield (AVP) - AOL - C:\Programas\AOL\Active Virus Shield\avp.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

 

GMER 1.0.12.12011 - http://www.gmer.net

Rootkit scan 2006-12-03 17:34:59

Windows 5.1.2600 Service Pack 1

 

 

---- Threads - GMER 1.0.12 ----

 

Thread 4:112 FFB80950

Thread 4:116 FFB35C60

Thread 4:120 FFB35C60

Thread 4:328 FFB80950

Thread 4:420 FFB80950

 

---- System - GMER 1.0.12 ----

 

SSDT \??\C:\Programas\ewido anti-malware\guard.sys ZwOpenProcess <-- ROOTKIT !!!

SSDT \??\C:\Programas\ewido anti-malware\guard.sys ZwTerminateProcess <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwClose <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcess <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcessEx <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSection <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSymbolicLinkObject <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateThread <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDeleteKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDeleteValueKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDuplicateObject <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwEnumerateKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwEnumerateValueKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwFlushKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwInitializeRegistry <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwLoadKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwLoadKey2 <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwNotifyChangeKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwOpenKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwOpenSection <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryMultipleValueKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQuerySystemInformation <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryValueKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwReplaceKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwRestoreKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwResumeThread <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSaveKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetContextThread <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationFile <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationProcess <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetSecurityObject <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetValueKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSuspendThread <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwUnloadKey <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwWriteVirtualMemory <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[284] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[285] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[286] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[287] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[288] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[289] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[290] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[291] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[292] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[293] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[294] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[295] <-- ROOTKIT !!!

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[296] <-- ROOTKIT !!!

 

---- Registry - GMER 1.0.12 ----

 

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386\Enum

Reg \Registry\MACHINE\SYSTEM\ControlSet007\Services\pe386\Security

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\ControlSet008\Services\pe386\Security

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 PE files loader

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0xCF 0x36 0x93 0x6B ...

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security

 

---- Files - GMER 1.0.12 ----

 

File C:\WINDOWS\SYSTEM32\DRIVERS\pe386.sys

 

Code F9F9BC10 pIofCallDriver

 

SSDT kl1.sys ZwOpenFile <-- ROOTKIT !!!

 

---- Kernel code sections - GMER 1.0.12 ----

 

.text ntdll.dll!NtClose 77F658AA 5 Bytes JMP 72033FAA

.text ntdll.dll!NtCreateProcess 77F659F4 5 Bytes JMP 72034135

.text ntdll.dll!NtCreateProcessEx 77F65A03 5 Bytes JMP 72034019

.text ntdll.dll!NtCreateSection 77F65A21 5 Bytes JMP 72033FC8

.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2DC 80502758 4 Bytes [ 28, 10, F7, FA ]

.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 49C 80502918 4 Bytes [ E0, 0F, E3, F9 ]

.text ntoskrnl.exe!KeInitializeInterrupt + 97A 804DA04F 5 Bytes JMP 806B4999 \WINDOWS\system32\ntoskrnl.exe

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]

.text ntoskrnl.exe!KiDispatchInterrupt + AC 804F1B8D 7 Bytes JMP F9E31120 \??\C:\WINDOWS\System32\drivers\klif.sys

 

---- Services - GMER 1.0.12 ----

 

Service System32\Drivers\pe386.sys (*** hidden *** ) [sYSTEM] pe386 <-- ROOTKIT !!!

 

---- Kernel code sections - GMER 1.0.12 ----

 

.text tcpip.sys!IPSetIPSecStatus + 53A F9F3D86C 6 Bytes CALL F9F9EF7C

.text tcpip.sys!IPTransmit + 93E F9F296A2 6 Bytes CALL F9F9EF7C

.text tcpip.sys!IPTransmit + A35E F9F330C2 6 Bytes CALL F9F9EF7C

.text wanarp.sys FAD210C1 4 Bytes CALL F9F9EF86

.text wanarp.sys FAD210C6 2 Bytes [ 90, 90 ]

 

---- EOF - GMER 1.0.12 ----

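The GMER output above tags every SSDT entry that points outside the kernel as "ROOTKIT !!!", which is why the drivers the poster links to (klif.sys, kl1.sys) and ewido's guard.sys appear there: a kernel-mode antivirus hooks the same syscalls a rootkit would. The evidence of an actual rootkit in that log is elsewhere: the pe386 service marked hidden, its ImagePath in the registry, and the code patches in tcpip.sys and wanarp.sys that GMER could not tie to any loaded module (compare the klif.sys patch, which carries a module path). The script below is an added example, not part of this thread or of GMER; it parses a constructed excerpt in the same layout and separates those signals. The allowlist of security-product drivers is an assumption built from what this thread identifies, and the kernel-patch attribution rule is a heuristic of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the GMER 1.0.12 log posted above (not the full log).
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----

SSDT \??\C:\Programas\ewido anti-malware\guard.sys ZwOpenProcess <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwClose <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQuerySystemInformation <-- ROOTKIT !!!
SSDT kl1.sys ZwOpenFile <-- ROOTKIT !!!

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \SystemRoot\System32\Drivers\pe386.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + AC 804F1B8D 7 Bytes JMP F9E31120 \??\C:\WINDOWS\System32\drivers\klif.sys
.text tcpip.sys!IPTransmit + 93E F9F296A2 6 Bytes CALL F9F9EF7C
.text wanarp.sys FAD210C1 4 Bytes CALL F9F9EF86
.text wanarp.sys FAD210C6 2 Bytes [ 90, 90 ]

---- Services - GMER 1.0.12 ----

Service System32\Drivers\pe386.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
"""

# Drivers this thread attributes to installed security products (assumption for the example).
KNOWN_SECURITY_DRIVERS = {"klif.sys", "kl1.sys", "guard.sys"}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>\S+)(?:\s+<--\s+ROOTKIT\s+!!!)?$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[[^\]]*\]\s+(?P<name>\S+)")
IMAGEPATH_RE = re.compile(
    r"^Reg\s+\\Registry\\MACHINE\\SYSTEM\\[^\\]+\\Services\\(?P<svc>[^@\\\s]+)@ImagePath\s+(?P<path>\S+)$")
# A redirect (JMP/CALL) in kernel code; GMER appends the owning module's path when it knows it.
PATCH_RE = re.compile(
    r"^\.text\s+(?P<target>\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+[0-9A-Fa-f]{8}\s+\d+\s+Bytes?\s+"
    r"(?:JMP|CALL)\s+[0-9A-Fa-f]{8}(?:\s+(?P<mod>\S.*))?$")


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def triage(log_text, known_drivers=KNOWN_SECURITY_DRIVERS):
    """Separate the rootkit indicators in a GMER log from hooks by known security products."""
    known = {d.lower() for d in known_drivers}
    hooks = defaultdict(list)       # hooking module -> syscalls it intercepts
    hidden_services = []            # (service name, image) from the Services section
    image_paths = {}                # service name -> ImagePath from the Registry section
    unattributed_patches = []       # kernel code redirects GMER ties to no loaded module
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := SSDT_RE.match(line)):
            hooks[basename(m["module"])].append(m["func"])
        elif (m := SERVICE_RE.match(line)):
            hidden_services.append((m["name"], m["image"]))
        elif (m := IMAGEPATH_RE.match(line)):
            image_paths[m["svc"]] = m["path"]
        elif (m := PATCH_RE.match(line)) and m["mod"] is None:
            unattributed_patches.append(m["target"])
    unknown_hookers = sorted(mod for mod in hooks if mod.lower() not in known)
    indicators = bool(hidden_services or unattributed_patches or unknown_hookers)
    return {
        "hooks": dict(hooks),
        "unknown_hookers": unknown_hookers,
        "hidden_services": hidden_services,
        "image_paths": image_paths,
        "unattributed_patches": unattributed_patches,
        "verdict": "rootkit indicators present" if indicators else "only known security-product hooks",
    }


def report(result, known_drivers=KNOWN_SECURITY_DRIVERS):
    """Human-readable summary of a triage() result."""
    known = {d.lower() for d in known_drivers}
    lines = []
    for mod, funcs in result["hooks"].items():
        tag = "known security product" if mod.lower() in known else "UNKNOWN module"
        lines.append(f"SSDT hooks by {mod} ({tag}): {len(funcs)}")
    for name, image in result["hidden_services"]:
        reg_path = result["image_paths"].get(name, "?")
        lines.append(f"hidden service {name} -> {image} (registry ImagePath: {reg_path})")
    for target in result["unattributed_patches"]:
        lines.append(f"unattributed kernel code patch in {target}")
    lines.append("verdict: " + result["verdict"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run on the sample, the report lists klif.sys, guard.sys and kl1.sys as known hookers, pe386 as a hidden service backed by `\SystemRoot\System32\Drivers\pe386.sys`, and the two unattributed patches in tcpip.sys and wanarp.sys; a log containing only the AV hooks gets the verdict "only known security-product hooks".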

OK, the log is clean. The file with those characters was certainly a bot, judging by the HijackThis entries.

Run GMER. Select the Services tab. Locate the pe386 service.

Right-click it and choose: Delete the service, and answer Yes to the prompts.

Close GMER.

Restart the PC, run GMER again and post the result.


Bad news :(

It can't be deleted with GMER.

It gives error 0xC000003A - Couldn't be deleted.

I tried deleting the file with KillBox:

C:\WINDOWS\SYSTEM32\DRIVERS\pe386.sys

But that doesn't work either. It gives some sort of pending files something-or-other.

Thanks once again

 

GMER 1.0.12.12011 - http://www.gmer.net

Rootkit scan 2006-12-04 21:49:42

Windows 5.1.2600 Service Pack 1

 

 

---- System - GMER 1.0.12 ----

 

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwClose

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcess

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcessEx

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSection

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSymbolicLinkObject

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateThread

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDeleteKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDeleteValueKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDuplicateObject

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwEnumerateKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwEnumerateValueKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwFlushKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwInitializeRegistry

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwLoadKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwLoadKey2

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwNotifyChangeKey

SSDT kl1.sys ZwOpenFile

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwOpenKey

SSDT \??\C:\Programas\ewido anti-malware\guard.sys ZwOpenProcess

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwOpenSection

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryMultipleValueKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQuerySystemInformation

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryValueKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwReplaceKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwRestoreKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwResumeThread

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSaveKey

SSDT \??\C:\WINDOWS\System32\drivers\klif.sys


It's complete, dear Sam. My mistake for not telling you that now the one detecting this pe386 thing is Sophos Anti-Rootkit, but it can't be deleted and I can't even produce a log with Sophos. Thanks for your patience.

Is it being detected in System Volume Information\_restore?
no :(

Sorry, I was away

Result of the Sophos Anti-Rootkit log

 

Area: Windows Registry

Description: Hidden Registry Key

Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SafeBoot\Minimal\EventLog

Removable: No

Notes: (No more detail avaible)

 

F-Secure BlackLight didn't detect anything.

_zskdmwin]ojgtnxt^bystloh.exe this one came back; it's in the registry, at the path below, but if I delete it, it always comes back

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunServices

I tried to submit it for analysis, but it can't be found in the system32 folder

STATUS: FINISHED

Complete scanning result of "pe386.sys", received in VirusTotal at 12.08.2006, 20:34:27 (CET).

 

Antivirus Version Update Result

AntiVir 7.2.0.49 12.08.2006 TR/Rootkit.Gen

Authentium 4.93.8 12.07.2006 no virus found

Avast 4.7.892.0 12.08.2006 no virus found

AVG 386 12.08.2006 no virus found

BitDefender 7.2 12.08.2006 no virus found

CAT-QuickHeal 8.00 12.08.2006 no virus found

ClamAV devel-20060426 12.08.2006 no virus found

DrWeb 4.33 12.08.2006 no virus found

eSafe 7.0.14.0 12.07.2006 Win32.Rustock.B

eTrust-InoculateIT 23.73.80 12.08.2006 no virus found

eTrust-Vet 30.3.3238 12.08.2006 no virus found

Ewido 4.0 12.08.2006 no virus found

Fortinet 2.82.0.0 12.08.2006 suspicious

F-Prot 3.16f 12.07.2006 no virus found

F-Prot4 4.2.1.29 12.07.2006 no virus found

Ikarus T3.1.0.26 12.07.2006 no virus found

Kaspersky 4.0.2.24 12.08.2006 no virus found

McAfee 4914 12.08.2006 no virus found

Microsoft 1.1804 12.08.2006 Win32/Rustock.gen!B

NOD32v2 1911 12.08.2006 Win32/Rustock.NAN

Norman 5.80.02 12.08.2006 no virus found

Panda 9.0.0.4 12.08.2006 no virus found

Prevx1 V2 12.08.2006 Win32.Rootkit.Gen

Sophos 4.12.0 12.08.2006 no virus found

Sunbelt 2.2.907.0 11.30.2006 no virus found

 

Logfile of HijackThis v1.99.1

Scan saved at 0:42:47, on 08-12-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\Programas\Messenger\msmsgs.exe

C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Documents and Settings\All Users\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\regedit.exe

C:\Programas\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [aol] "C:\Programas\AOL\Active Virus Shield\avp.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\All Users\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - Global Startup: DSLMON.lnk = C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164764868512

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

O23 - Service: Active Virus Shield (AVP) - AOL - C:\Programas\AOL\Active Virus Shield\avp.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

 

I'm almost ready to go for format c :angry:


Let's carry on, because the difficulty of removing this new crop of rootkits is immense, and there are even worse ones, such as Gromozon, which can even prevent the removal tools from running.

Download: RustbFix > save it to the desktop.

Select and copy into Notepad what is inside the Quote:

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ÿ_zskholtsyb^txntgjo]niwmdksz_]

Do the same as with the previous one, saving it to the desktop with the name fixremoval2.reg and setting the file type to: all files.

Save or print these instructions, since you will follow them disconnected and without access to this page:

STEP 1

Double-click rustbfix.exe. If a Rustock.b infection is found, you will be asked to restart the PC.

More than one reboot may be needed, but that will happen automatically.

After completing the removal, the tool will generate two logs:

C:\avenger.txt

C:\rustbfix\pelog.txt

STEP 2

1 - Run KillBox, check Delete on Reboot and enter in Full Path of File to Delete:

c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

Click the button with the X. Answer Yes to the question.

When the PC restarts, tap F8 repeatedly. In the menu choose: Safe Mode.

If KillBox doesn't accept the file, close the program and restart in Safe Mode.

2 - Locate fixremoval2.reg on the desktop and double-click it. Accept merging it into the registry.

3 - Restart in normal mode. Run Sophos Anti-Rootkit.

4 - Generate a new log with HijackThis.

Post:

avenger.txt

pelog.txt

Sophos Anti-Rootkit log

HijackThis log

NOTE: Formatting is the last option. Think of this as a challenge, since you are dealing with the cream of the malware crop, the rootkits, created by highly capable programmers.

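The fixremoval2.reg above uses REGEDIT4 syntax: a key in square brackets followed by "name"=- deletes that value, and a leading minus inside the brackets deletes the whole key. The bot's autostart entry is easy to spot in the HijackThis log because its value name and file name are built from characters no installer would use, and because the same value is registered under HKLM\Run, HKLM\RunServices and HKCU\Run at once. The script below is an added example, not part of this thread or of HijackThis; it reads O4 lines in the HijackThis format, flags entries by those two heuristics, and emits a removal script in the same form as the helper's. The sample lines are constructed from the log posted above, the character heuristic is this example's own, and the cp1252 encoding step reflects the fact that REGEDIT4 files are read as ANSI text, so a value name containing ÿ must be written in the system code page rather than UTF-8.

```python
import re
from collections import defaultdict

# Constructed sample: O4 autostart lines modelled on the HijackThis log posted in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [aol] "C:\Programas\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe
O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\All Users\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe
"""

# "[name]" is matched non-greedily so a name that itself contains "]" still parses.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>.+?)\] (?P<cmd>\S.*)$")
HIVE_PATH = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_ROOT = "\\software\\microsoft\\windows\\currentversion\\"
# Characters a legitimately named Run value or image is expected to use (heuristic of this example).
NORMAL_CHARS = re.compile(r"^[A-Za-z0-9 ._()-]+$")


def parse_o4(text):
    """Return one dict (hive, key, name, cmd) per registry O4 line."""
    return [m.groupdict() for m in (O4_RE.match(l.strip()) for l in text.splitlines()) if m]


def image_name(cmd):
    """Basename of the executable in a Run command, ignoring quotes and arguments."""
    m = re.match(r'"?(?P<p>.+?\.(?:exe|com|scr|cpl|dll|bat))\b', cmd, re.I)
    path = m["p"] if m else cmd.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def assess(entries):
    """Flag entries with odd names or registered in several load points; returns (entry, reasons)."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(f'{e["hive"]}\\{e["key"]}')
    findings = []
    for e in entries:
        reasons = []
        if not NORMAL_CHARS.match(e["name"]):
            reasons.append("value name uses unusual characters")
        if not NORMAL_CHARS.match(image_name(e["cmd"]).rsplit(".", 1)[0]):
            reasons.append("image name uses unusual characters")
        if len(by_name[e["name"]]) > 1:
            reasons.append(f"same value registered in {len(by_name[e['name']])} load points")
        if reasons:
            findings.append((e, reasons))
    return findings


def build_removal_reg(findings):
    """REGEDIT4 script in the form used above: [key] followed by "name"=- deletes the value."""
    lines = ["REGEDIT4", ""]
    seen = set()
    for e, _ in findings:
        key = HIVE_PATH[e["hive"]] + RUN_ROOT + e["key"].lower()
        name = e["name"].replace("\\", "\\\\").replace('"', '\\"')  # REGEDIT4 escaping
        if (key, name) in seen:
            continue
        seen.add((key, name))
        lines += [f"[{key}]", f'"{name}"=-', ""]
    return "\r\n".join(lines)


def reg_bytes(text):
    """REGEDIT4 files are ANSI: encode in the system code page (cp1252 assumed), not UTF-8."""
    return text.encode("cp1252")


if __name__ == "__main__":
    found = assess(parse_o4(SAMPLE_O4))
    for e, reasons in found:
        print(f'{e["hive"]}\\..\\{e["key"]}: [{e["name"]}] {e["cmd"]} -> {"; ".join(reasons)}')
    print(build_removal_reg(found))
```

On the sample, only the three entries of the bot are flagged (each for all three reasons), and the generated script deletes that value under HKLM run, HKLM runservices and HKCU run, matching the corresponding lines of fixremoval2.reg; the helper's script additionally clears the HKEY_USERS\.default and s-1-5-18 hives and the msconfig startupreg key, which a log-driven generator cannot see and which you would add by hand.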

I was without a connection, and in the meantime I took a few steps beyond the ones you suggested

We're free of the rootkit; I ran GMER and F-Secure too and nothing was detected. I searched through regedit and didn't find it. :joia:

But this _zskdmwin]ojgtnxt^bystloh.exe won't go away :devil:

avenger.txt
I didn't find that one!!!
Sophos Anti-Rootkit log
It didn't produce a log, but I ran it and: no items found
NOTE: Formatting is the last option. Think of this as a challenge, since you are dealing with the cream of the malware crop, the rootkits, created by highly capable programmers.
Indeed, my friend. Until now I had no interest at all in this kind of computing, but this made me study, and now I understand a bit of it; I did a lot of research. Don't you think that for this file that keeps coming back there must be some patch missing that fixes the vulnerability it exploits?

My sincere thanks, again! I await your analysis

 

************************* Rustock.b-fix -- By ejvindh *************************

09-12-2006 0:33:37,33

 

 

No Rustock.b-rootkits found

 

 

******************************* End of Logfile ********************************

 

 

 

- 06-12-10 17:36:32,56 Service Pack 1

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\confidential\Ambiente de trabalho\Ferramentas___virus"

 

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

Granting sedebugprivilege to Administradores ... successful

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-10 to 2006-12-10 ))))))))))))))))))))))))))))))))))

 

 

2006-12-10 16:46 <DIR> d-------- C:\Programas\SUPERAntiSpyware

2006-12-10 16:46 <DIR> d-------- C:\Documents and Settings\confidential\Application Data\SUPERAntiSpyware.com

2006-12-10 16:45 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard

2006-12-10 16:40 <DIR> dr-h----- C:\Documents and Settings\confidential \Recent

2006-12-09 00:33 <DIR> d-------- C:\Rustbfix

2006-12-04 20:46 <DIR> d-------- C:\Documents and Settings\confidential\Application Data\Help

2006-12-04 16:53 155,648 --a------ C:\WINDOWS\SYSTEM32\adadix32.dll

2006-12-04 16:53 127,456 --a------ C:\WINDOWS\SYSTEM32\ipdetect.exe

2006-12-04 16:53 126,889 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\adiusbaw.sys

2006-12-04 16:52 50,007 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\adildr.sys

2006-12-04 16:52 46,892 --a------ C:\WINDOWS\SYSTEM32\adadix16.dll

2006-12-04 16:52 4,981 --a------ C:\WINDOWS\SYSTEM32\adadix2k.dll

2006-12-04 16:52 24,576 --a------ C:\WINDOWS\enddisk32.exe

2006-12-04 16:52 143,360 --a------ C:\WINDOWS\SYSTEM32\coclassfast.dll

2006-12-04 16:52 114,688 --a------ C:\WINDOWS\SYSTEM32\unaddrv.exe

2006-12-04 16:52 <DIR> d-------- C:\Programas\SAGEM

2006-12-04 16:11 143,360 --a------ C:\WINDOWS\adiras.exe

2006-12-04 16:10 143,360 --a------ C:\WINDOWS\autoclk.exe

2006-12-04 15:48 <DIR> d-------- C:\Programas\Ficheiros comuns\Adobe

2006-12-03 20:33 <DIR> d-------- C:\Programas\EmpirePokerMaster

2006-12-02 17:05 <DIR> d-------- C:\Programas\PokerStars

2006-12-02 00:23 <DIR> d-------- C:\Temp

2006-12-02 00:10 <DIR> d-------- C:\Documents and Settings\confidential\Application Data\Gaijin Ent

2006-12-02 00:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Exetender

2006-12-01 23:52 117,760 --a------ C:\WINDOWS\GPlrLanc.exe

2006-12-01 23:52 <DIR> d-------- C:\Programas\Gestor de Jogos

2006-12-01 23:28 70,724 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pe386.sys

2006-11-29 21:31 <DIR> d-------- C:\SOPHTEMP

2006-11-29 21:17 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall

2006-11-29 21:16 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe

2006-11-29 21:16 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2006-11-29 00:49 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll

2006-11-29 00:49 195,352 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll

2006-11-29 00:49 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll

2006-11-29 00:49 128,280 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll

2006-11-29 00:48 466,200 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll

2006-11-29 00:48 175,896 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe

2006-11-29 00:48 <DIR> d-------- C:\WINDOWS\SoftwareDistribution

2006-11-29 00:26 <DIR> d-------- C:\!KillBox

2006-11-28 23:02 <DIR> d-------- C:\Programas\AOL

2006-11-28 23:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL

2006-11-27 21:22 80 --a------ C:\WINDOWS\gmer_uninstall.cmd

2006-11-27 21:20 603,136 --------- C:\WINDOWS\SYSTEM32\xpsp2res.dll

2006-11-27 21:20 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll

2006-11-27 21:20 550,912 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll

2006-11-27 21:20 440,320 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll

2006-11-27 21:20 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll

2006-11-27 21:08 26,112 --a------ C:\WINDOWS\SYSTEM32\xpsp1hfm.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-12-09 14:04 3042 --a------ C:\Programas\hijackthis.log

2006-12-07 20:29 61584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.sys

2006-11-28 23:15 59536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"

"SpybotSD TeaTimer"="C:\\Documents and Settings\\All Users\\Spybot - Search & Destroy\\TeaTimer.exe"

"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

"SUPERAntiSpyware"="C:\\Programas\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"QuickTime Task"="C:\\WINDOWS\\System32\\qttask.exe"

"aol"="\"C:\\Programas\\AOL\\Active Virus Shield\\avp.exe\""

@=""

"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000004

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-carregador Browseui"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon da cache de categorias dos componentes"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{F2FA09FB-EE7A-46d8-9145-A1EEF7850052}"=""

"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

"DisableTaskMgr"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"Wallpaper"=""

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"ClassicShell"=dword:00000000

"ForceActiveDesktopOn"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]

"Wallpaper"=""

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"ClassicShell"=dword:00000000

"ForceActiveDesktopOn"=dword:00000001

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wnfsx"=dword:00000003

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\At1.job

 

Completion time: 06-12-10 17:42:34.49

C:\ComboFix2.txt ... 06-12-01 23:17

C:\ComboFix.txt ... 06-12-10 17:42

 

********************************************************************************

*************

 

SUPERAntiSpyware Scan Log

Generated 12/10/2006 at 05:27 PM

 

Application Version : 3.4.1000

 

Core Rules Database Version : 3143

Trace Rules Database Version: 1159

 

Scan type : Complete Scan

Total Scan Time : 00:24:23

 

Memory items scanned : 280

Memory threats detected : 0

Registry items scanned : 3402

Registry threats detected : 19

File items scanned : 1358

File threats detected : 2

 

Unclassified.Unknown Origin

HKCR\CLSID\{F2FA09FB-EE7A-46D8-9145-A1EEF7850052}

HKCR\CLSID\{F2FA09FB-EE7A-46D8-9145-A1EEF7850052}\InprocServer32

HKCR\CLSID\{F2FA09FB-EE7A-46D8-9145-A1EEF7850052}\InprocServer32#ThreadingModel

 

Trojan.SpySheriff

HKU\.DEFAULT\Software\SpySheriff

HKU\S-1-5-18\Software\SpySheriff

 

Adware.UCMore/The Search Accelerator

HKU\.DEFAULT\Software\Effective-i

HKU\S-1-5-18\Software\Effective-i

 

Trojan.cmdService

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE00

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE00#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE00#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE00#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE00#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE00#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE00#DeviceDesc

 

Trojan.PestTrap

HKU\.DEFAULT\Software\SNO2

HKU\S-1-5-18\Software\SNO2

 

Adware.IPWins

HKU\S-1-5-21-1220945662-1708537768-310116467-1003\Software\IpWins

 

Trojan.DollarRevenue

C:\WINDOWS\newname.dat

C:\WINDOWS\keyboard1.dat

 

********************************************************************************

*************

 

 

Logfile of HijackThis v1.99.1

Scan saved at 17:46:13, on 10-12-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\Programas\Messenger\msmsgs.exe

C:\Documents and Settings\All Users\Spybot - Search & Destroy\TeaTimer.exe

C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Programas\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe

O4 - HKLM\..\Run: [aol] "C:\Programas\AOL\Active Virus Shield\avp.exe"

O4 - HKLM\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - HKLM\..\RunServices: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\All Users\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ÿ_zskholtsyb^txntgjo]niwmdksz_] c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: DSLMON.lnk = C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164764868512

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O20 - Winlogon Notify: Uninstall - C:\WINDOWS\

O23 - Service: Active Virus Shield (AVP) - AOL - C:\Programas\AOL\Active Virus Shield\avp.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


Hello, the avenger.txt is directly in C:\ . ComboFix now showed this:

 

The malware has a scheduled task to reinstall itself:

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\At1.job

Well, combining the information from the logs, including the SUPERAntiSpyware one, we will need new tools. Download:

 

BFU

SmitFraudFix

DelCmdService > extract the files to the desktop. The folder delcmdservice will be created.

 

Select and copy into Notepad what is inside the Quote:

 

REGEDIT4

 

[-HKEY_CLASSES_ROOT\CLSID\{F2FA09FB-EE7A-46D8-9145-A1EEF7850052}]

 

[-HKEY_USERS\.default\software\Effective-i]

 

[-HKEY_USERS\s-1-5-18\software\Effective-i]

 

[-HKEY_USERS\S-1-5-21-1220945662-1708537768-310116467-1003\Software\IpWins]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"ÿ_zskholtsyb^txntgjo]niwmdksz_"=-

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]

Save it on the desktop with the name newfix.reg, setting the file type to: all files.

 

It will be important to use this reg, so do not skip this step.

 

Save or print these instructions:

 

1 - Disable your antivirus and your anti-spyware programs (with real-time protection).

 

You need to be connected to download the script that will be used in BFU.

 

Double-click the BFU icon.

At the top (Scriptfile to execute:) click the Web button (the second button, with the green and blue icon).

 

In the Download BFU script... box, enter:

 

http://metallica.geekstogo.com/alcanshorty.bfu

 

Click OK and then the Execute button.

 

When the process finishes, the message Completed script execution will appear.

Click OK and then Exit.

 

2 - Extract the SmitFraudFix files to your desktop. Do not run it yet.

 

3 - In this step, KillBox may not accept some of the files, but keep following the instructions with whatever it does accept.

 

Run KillBox, check Delete on Reboot and enter in Full Path of File to Delete:

 

C:\WINDOWS\tasks\At1.job

 

Click the button with the X. Answer No to the question.

 

Now enter:

 

C:\WINDOWS\SYSTEM32\DRIVERS\pe386.sys

 

Click the button with the X. Answer No to the question.

 

Enter:

 

c:\windows\system32\_zskdmwin]ojgtnxt^bystloh.exe

 

Click the button with the X. Answer No to the question.

 

4 - Open the delcmdservice folder and double-click delreg.bat

 

When the tool finishes the scan, restart the PC and tap F8 repeatedly. In the menu choose: safe mode.

 

5 - Double-click smitfraudfix.cmd.

Choose option 2.

When it asks Do you want to clean the registry?, choose yes (y).

 

6 - Find newfix.reg on the desktop and double-click it. Accept merging it into the registry.

 

7 - Run ComboFix.

 

8 - Enable the antivirus and anti-spyware programs. Run SUPERAntiSpyware.

 

9 - Generate a new log with HijackThis.

 

Post:

 

SUPERAntiSpyware result

HijackThis log

ComboFix.txt

SmitFraudFix log (rapport.txt), which you will find in C:\

 


Improvements

 

SmitFraudFix v2.128

 

Scan done at 21:55:10,66, 11-12-2006

Run from C:\Documents and Settings\(confidencial)\Ambiente de trabalho\SmitfraudFix

OS: Microsoft Windows XP [Versão 5.1.2600] - Windows_NT

The filesystem type is FAT32

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

==================================================

 

Isabel Esteves - 06-12-11 22:02:28,72 Service Pack 1

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\(confidencial)\Ambiente de trabalho\Ferramentas___virus"

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-11 to 2006-12-11 ))))))))))))))))))))))))))))))))))

 

 

2006-12-11 21:54 338 --a------ C:\WINDOWS\SYSTEM32\tmp.reg

2006-12-11 21:53 79,360 --a------ C:\WINDOWS\SYSTEM32\swxcacls.exe

2006-12-11 21:53 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe

2006-12-11 21:53 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe

2006-12-11 21:53 40,960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe

2006-12-11 21:53 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe

2006-12-11 21:53 135,168 --a------ C:\WINDOWS\SYSTEM32\swreg.exe

2006-12-11 21:48 <DIR> d-------- C:\!KillBox

2006-12-11 21:46 <DIR> d-------- C:\bintheredunthat

2006-12-10 20:37 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\Talkback

2006-12-10 20:36 <DIR> d-------- C:\Programas\Mozilla Firefox

2006-12-10 20:36 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\Mozilla

2006-12-10 16:46 <DIR> d-------- C:\Programas\SUPERAntiSpyware

2006-12-10 16:46 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\SUPERAntiSpyware.com

2006-12-10 16:45 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard

2006-12-10 16:40 <DIR> dr-h----- C:\Documents and Settings\(confidencial)\Recent

2006-12-09 00:33 <DIR> d-------- C:\Rustbfix

2006-12-04 20:46 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\Help

2006-12-04 16:53 155,648 --a------ C:\WINDOWS\SYSTEM32\adadix32.dll

2006-12-04 16:53 127,456 --a------ C:\WINDOWS\SYSTEM32\ipdetect.exe

2006-12-04 16:53 126,889 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\adiusbaw.sys

2006-12-04 16:52 50,007 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\adildr.sys

2006-12-04 16:52 46,892 --a------ C:\WINDOWS\SYSTEM32\adadix16.dll

2006-12-04 16:52 4,981 --a------ C:\WINDOWS\SYSTEM32\adadix2k.dll

2006-12-04 16:52 24,576 --a------ C:\WINDOWS\enddisk32.exe

2006-12-04 16:52 143,360 --a------ C:\WINDOWS\SYSTEM32\coclassfast.dll

2006-12-04 16:52 114,688 --a------ C:\WINDOWS\SYSTEM32\unaddrv.exe

2006-12-04 16:52 <DIR> d-------- C:\Programas\SAGEM

2006-12-04 16:11 143,360 --a------ C:\WINDOWS\adiras.exe

2006-12-04 16:10 143,360 --a------ C:\WINDOWS\autoclk.exe

2006-12-04 15:48 <DIR> d-------- C:\Programas\Ficheiros comuns\Adobe

2006-12-03 20:33 <DIR> d-------- C:\Programas\EmpirePokerMaster

2006-12-02 17:05 <DIR> d-------- C:\Programas\PokerStars

2006-12-02 00:10 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\Gaijin Ent

2006-12-02 00:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Exetender

2006-12-01 23:52 117,760 --a------ C:\WINDOWS\GPlrLanc.exe

2006-11-29 21:31 <DIR> d-------- C:\SOPHTEMP

2006-11-29 21:17 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall

2006-11-29 21:16 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe

2006-11-29 21:16 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2006-11-29 00:49 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll

2006-11-29 00:49 195,352 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll

2006-11-29 00:49 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll

2006-11-29 00:49 128,280 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll

2006-11-29 00:48 466,200 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll

2006-11-29 00:48 175,896 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe

2006-11-29 00:48 <DIR> d-------- C:\WINDOWS\SoftwareDistribution

2006-11-28 23:02 <DIR> d-------- C:\Programas\AOL

2006-11-28 23:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL

2006-11-27 21:22 80 --a------ C:\WINDOWS\gmer_uninstall.cmd

2006-11-27 21:20 603,136 --------- C:\WINDOWS\SYSTEM32\xpsp2res.dll

2006-11-27 21:20 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll

2006-11-27 21:20 550,912 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll

2006-11-27 21:20 440,320 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll

2006-11-27 21:20 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll

2006-11-27 21:08 26,112 --a------ C:\WINDOWS\SYSTEM32\xpsp1hfm.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-12-10 17:46 3304 --a------ C:\Programas\hijackthis.log

2006-12-07 20:29 61584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.sys

2006-11-28 23:15 59536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"

"SUPERAntiSpyware"="C:\\Programas\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"aol"="\"C:\\Programas\\AOL\\Active Virus Shield\\avp.exe\""

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000004

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-carregador Browseui"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon da cache de categorias dos componentes"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

"DisableTaskMgr"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"Wallpaper"=""

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"ClassicShell"=dword:00000000

"ForceActiveDesktopOn"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]

"Wallpaper"=""

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"ClassicShell"=dword:00000000

"ForceActiveDesktopOn"=dword:00000001

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wnfsx"=dword:00000003

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\At5.job

C:\WINDOWS\tasks\At6.job

 

Completion time: 06-12-11 22:04:07.06

C:\ComboFix3.txt ... 06-12-01 23:17

C:\ComboFix.txt ... 06-12-11 22:04

C:\ComboFix2.txt ... 06-12-10 17:42

 

================================================================================

==============

 

Logfile of HijackThis v1.99.1

Scan saved at 23:57:51, on 11-12-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\Programas\Messenger\msmsgs.exe

C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\notepad.exe

C:\Programas\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [aol] "C:\Programas\AOL\Active Virus Shield\avp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: DSLMON.lnk = C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164764868512

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O23 - Service: Active Virus Shield (AVP) - AOL - C:\Programas\AOL\Active Virus Shield\avp.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe


Ok, more scheduled tasks appeared. They must have been created after you posted the second-to-last ComboFix.txt and before you followed the latest instructions:

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\At5.job

C:\WINDOWS\tasks\At6.job

Save or print these instructions:

 

1 - Run KillBox, check Delete on Reboot and enter in Full Path of File to Delete:

 

C:\WINDOWS\tasks\At5.job

 

Click the button with the X. Answer No to the question.

 

Now enter:

 

C:\WINDOWS\tasks\At6.job

 

Click the button with the X. This time, answer Yes to the question.

 

When the PC restarts, tap F8 repeatedly. In the menu choose: safe mode.

 

2 - Run KillBox again. Check Standard File Kill. To check that no more tasks exist, enter each file, one at a time, and click the button with the X.

 

C:\WINDOWS\tasks\At1.job

 

KillBox may keep reporting that it does not exist.

 

Just change the At number > At2.job, At3.job:

 

C:\WINDOWS\tasks\At2.job

 

C:\WINDOWS\tasks\At3.job

 

Until you reach At10.job.

 

Then restart the PC in normal mode. Run ComboFix.

 

Post the new ComboFix.txt, together with a new HijackThis log. You did not report the SUPERAntiSpyware result. Did it still find anything?

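The two helper posts above rely on reading the ComboFix "Reg Loading Points" and "Scheduled Tasks" sections by eye: an autostart value with a garbage name registered in HKCU\Run, HKLM\Run and RunServices at once, and At<N>.job tasks that recreate it. The following Python script is an added example written for this page, not code from the thread, from ComboFix or from any of the tools mentioned. It parses a constructed log excerpt (the odd-named Run value and At1.job are copied from the logs posted here; the remaining lines are sample data) and flags the same indicators the helper was looking for. The heuristics (non-printable characters in a value name, the same name in more than one autostart key, any use of the legacy RunServices key, and At-style task files) are the editor's assumptions about what deserves review, not a detection rule from any product.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of ComboFix's "Reg Loading Points" and
# "Scheduled Tasks" sections. The oddly named value and the At1.job task
# appear in the logs posted in this thread; the other lines are sample data.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"
"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="C:\\WINDOWS\\System32\\qttask.exe"
"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"ÿ_zskholtsyb^txntgjo]niwmdksz_"="c:\\windows\\system32\\_zskdmwin]ojgtnxt^bystloh.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: 06-12-10 17:42:34.49
"""

# Key suffixes treated as autostart locations (assumption: Run and RunServices only).
AUTOSTART_SUFFIXES = ("currentversion\\run", "currentversion\\runservices")


def parse_reg_loading_points(text):
    """Map each [key] block to its {value_name: data} pairs."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[-?([^\]]+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = re.match(r'^"([^"]*)"=(.*)$', line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2)
    return keys


def parse_scheduled_tasks(text):
    """Collect the .job paths listed under the 'Scheduled Tasks' header."""
    tasks, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            collecting = True
        elif collecting and line.lower().endswith(".job"):
            tasks.append(line)
        elif collecting and line:
            collecting = False  # first non-blank, non-.job line ends the list
    return tasks


def has_odd_characters(name):
    """Value names outside printable ASCII are rare for legitimate software."""
    return any(ord(c) < 32 or ord(c) > 126 for c in name)


def find_persistence_findings(text):
    """Return (kind, item, location) tuples worth a second look."""
    findings = []
    seen_in = defaultdict(list)
    for key, values in parse_reg_loading_points(text).items():
        lowered = key.lower()
        if not lowered.endswith(AUTOSTART_SUFFIXES):
            continue
        for name in values:
            seen_in[name].append(key)
            if has_odd_characters(name):
                findings.append(("odd-name", name, key))
            if lowered.endswith("runservices"):
                # RunServices is a Windows 9x-era key; on XP its use is a review item.
                findings.append(("legacy-runservices", name, key))
    for name, keys in seen_in.items():
        if len(keys) > 1:
            findings.append(("multi-location", name, ";".join(keys)))
    for task in parse_scheduled_tasks(text):
        # At<N>.job files are created by the 'at' scheduler, as seen in this thread.
        if re.search(r"\\At\d+\.job$", task, re.IGNORECASE):
            findings.append(("at-task", task, "Scheduled Tasks"))
    return findings


if __name__ == "__main__":
    for kind, item, where in find_persistence_findings(SAMPLE_LOG):
        print(f"{kind:20} {item}  <-  {where}")
```

Run it against a real ComboFix.txt by reading the file into `text` instead of `SAMPLE_LOG`; on the excerpt it reports the odd-named value three times, once per autostart key, plus the multi-location and RunServices findings and the At1.job task, while MSMSGS and QuickTime Task produce nothing.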

Big improvements ;)

 

Great help, my dear friend. I see nothing abnormal in the HijackThis log; as for the other logs I don't dare to comment :P

 

SUPERAntiSpyware Scan Log

Generated 12/12/2006 at 08:25 PM

 

Application Version : 3.4.1000

 

Core Rules Database Version : 3143

Trace Rules Database Version: 1159

 

Scan type : Quick Scan

Total Scan Time : 00:14:03

 

Memory items scanned : 155

Memory threats detected : 0

Registry items scanned : 643

Registry threats detected : 2

File items scanned : 1338

File threats detected : 0

 

Unclassified.Unknown Origin

HKCR\CLSID\{F2FA09FB-EE7A-46D8-9145-A1EEF7850052}

HKCR\CLSID\{F2FA09FB-EE7A-46D8-9145-A1EEF7850052}\InprocServer32

 

 

Logfile of HijackThis v1.99.1

Scan saved at 22:58:23, on 12-12-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Programas\AOL\Active Virus Shield\avp.exe

C:\Programas\Messenger\msmsgs.exe

C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Programas\Mozilla Firefox\firefox.exe

C:\Programas\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [aol] "C:\Programas\AOL\Active Virus Shield\avp.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: DSLMON.lnk = C:\Programas\SAGEM\SAGEM F@st 800-840\dslmon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164764868512

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O23 - Service: Active Virus Shield (AVP) - AOL - C:\Programas\AOL\Active Virus Shield\avp.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

 

 

- 06-12-12 21:38:09,26 Service Pack 1

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Isabel Esteves\Ambiente de trabalho\Ferramentas___virus"

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-12 to 2006-12-12 ))))))))))))))))))))))))))))))))))

 

 

2006-12-11 21:54 338 --a------ C:\WINDOWS\SYSTEM32\tmp.reg

2006-12-11 21:53 79,360 --a------ C:\WINDOWS\SYSTEM32\swxcacls.exe

2006-12-11 21:53 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe

2006-12-11 21:53 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe

2006-12-11 21:53 40,960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe

2006-12-11 21:53 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe

2006-12-11 21:53 135,168 --a------ C:\WINDOWS\SYSTEM32\swreg.exe

2006-12-11 21:48 <DIR> d-------- C:\!KillBox

2006-12-11 21:46 <DIR> d-------- C:\bintheredunthat

2006-12-10 20:37 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\Talkback

2006-12-10 20:36 <DIR> d-------- C:\Programas\Mozilla Firefox

2006-12-10 20:36 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\Mozilla

2006-12-10 16:46 <DIR> d-------- C:\Programas\SUPERAntiSpyware

2006-12-10 16:46 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\SUPERAntiSpyware.com

2006-12-10 16:45 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard

2006-12-10 16:40 <DIR> dr-h----- C:\Documents and Settings\(confidencial)\Recent

2006-12-09 00:33 <DIR> d-------- C:\Rustbfix

2006-12-04 20:46 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\Help

2006-12-04 16:53 155,648 --a------ C:\WINDOWS\SYSTEM32\adadix32.dll

2006-12-04 16:53 127,456 --a------ C:\WINDOWS\SYSTEM32\ipdetect.exe

2006-12-04 16:53 126,889 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\adiusbaw.sys

2006-12-04 16:52 50,007 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\adildr.sys

2006-12-04 16:52 46,892 --a------ C:\WINDOWS\SYSTEM32\adadix16.dll

2006-12-04 16:52 4,981 --a------ C:\WINDOWS\SYSTEM32\adadix2k.dll

2006-12-04 16:52 24,576 --a------ C:\WINDOWS\enddisk32.exe

2006-12-04 16:52 143,360 --a------ C:\WINDOWS\SYSTEM32\coclassfast.dll

2006-12-04 16:52 114,688 --a------ C:\WINDOWS\SYSTEM32\unaddrv.exe

2006-12-04 16:52 <DIR> d-------- C:\Programas\SAGEM

2006-12-04 16:11 143,360 --a------ C:\WINDOWS\adiras.exe

2006-12-04 16:10 143,360 --a------ C:\WINDOWS\autoclk.exe

2006-12-04 15:48 <DIR> d-------- C:\Programas\Ficheiros comuns\Adobe

2006-12-03 20:33 <DIR> d-------- C:\Programas\EmpirePokerMaster

2006-12-02 17:05 <DIR> d-------- C:\Programas\PokerStars

2006-12-02 00:10 <DIR> d-------- C:\Documents and Settings\(confidencial)\Application Data\Gaijin Ent

2006-12-02 00:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Exetender

2006-12-01 23:52 117,760 --a------ C:\WINDOWS\GPlrLanc.exe

2006-11-29 21:31 <DIR> d-------- C:\SOPHTEMP

2006-11-29 21:17 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall

2006-11-29 21:16 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe

2006-11-29 21:16 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2006-11-29 00:49 41,240 --a------ C:\WINDOWS\SYSTEM32\wups.dll

2006-11-29 00:49 195,352 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll

2006-11-29 00:49 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll

2006-11-29 00:49 128,280 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll

2006-11-29 00:48 466,200 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll

2006-11-29 00:48 175,896 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe

2006-11-29 00:48 <DIR> d-------- C:\WINDOWS\SoftwareDistribution

2006-11-28 23:02 <DIR> d-------- C:\Programas\AOL

2006-11-28 23:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL

2006-11-27 21:22 80 --a------ C:\WINDOWS\gmer_uninstall.cmd

2006-11-27 21:20 603,136 --------- C:\WINDOWS\SYSTEM32\xpsp2res.dll

2006-11-27 21:20 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll

2006-11-27 21:20 550,912 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll

2006-11-27 21:20 440,320 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll

2006-11-27 21:20 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll

2006-11-27 21:08 26,112 --a------ C:\WINDOWS\SYSTEM32\xpsp1hfm.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-12-11 23:57 2851 --a------ C:\Programas\hijackthis.log

2006-12-07 20:29 61584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.sys

2006-11-28 23:15 59536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"

"SUPERAntiSpyware"="C:\\Programas\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"aol"="\"C:\\Programas\\AOL\\Active Virus Shield\\avp.exe\""

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000004

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-carregador Browseui"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon da cache de categorias dos componentes"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

"DisableTaskMgr"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"Wallpaper"=""

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"ClassicShell"=dword:00000000

"ForceActiveDesktopOn"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]

"Wallpaper"=""

"DisableTaskMgr"=dword:00000000

"DisableRegistryTools"=dword:00000000

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

"NoActiveDesktop"=dword:00000000

"ClassicShell"=dword:00000000

"ForceActiveDesktopOn"=dword:00000001

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wnfsx"=dword:00000003

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

Completion time: 06-12-12 21:39:45.91

C:\ComboFix.txt ... 06-12-12 21:39

C:\ComboFix2.txt ... 06-12-11 22:04

C:\ComboFix3.txt ... 06-12-10 17:42


OK, ComboFix and HijackThis no longer show any problems. Let's look at the SUPERAntiSpyware result.

 

Restart the PC in Safe Mode. Go to Start > Run > type regedit

 

Navigate through the Editor the same way you would in Windows Explorer.

 

Follow this path:

 

HKEY_CLASSES_ROOT\CLSID\{F2FA09FB-EE7A-46D8-9145-A1EEF7850052} <<< here

 

Right-click the {F2FA09FB-EE7A-46D8-9145-A1EEF7850052} folder and delete it.

 

Exit the Registry Editor. Restart in normal mode. Check whether SUPERAntiSpyware still detects anything.

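As an added example (not part of the helper's instructions or the thread), a PowerShell script that audits the CLSID key named above before removing it: it reports which DLL the CLSID loads, who owns the key and what the ACL allows, and it checks both hives behind the HKEY_CLASSES_ROOT merged view, since a per-user copy is one reason a key looks like it "comes back" or refuses to delete in regedit. It assumes Windows PowerShell run as an administrator.

```powershell
# Added example, not the helper's own steps: audit the CLSID key the thread asks to delete
# and show why removal can fail. Assumes Windows PowerShell run as an administrator.
$clsid = '{F2FA09FB-EE7A-46D8-9145-A1EEF7850052}'   # CLSID quoted in the thread

# HKEY_CLASSES_ROOT is a merged view; the real keys live in these two hives. A per-user
# copy that survives while the machine-wide one is deleted is a common reason the entry
# reappears or cannot be removed through regedit's HKCR view.
$backingPaths = @(
    "HKLM:\Software\Classes\CLSID\$clsid",
    "HKCU:\Software\Classes\CLSID\$clsid"
)

function Test-ClsidKey {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { Write-Host "$KeyPath : not present"; return }

    # What the CLSID loads: the InprocServer32 default value is the DLL path.
    $srv = Get-ItemProperty -Path "$KeyPath\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv -and $srv.'(default)') {
        $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)')
        Write-Host "$KeyPath loads $dll (file exists: $(Test-Path $dll))"
    }

    # Owner and ACL: a restrictive ACL or a foreign owner is the usual cause of the
    # generic "error while deleting key" dialog in regedit.
    $acl = Get-Acl -Path $KeyPath
    Write-Host "  owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Host ("  {0,-35} {1,-5} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights)
    }
}

function Remove-ClsidKey {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return }
    try {
        Remove-Item -Path $KeyPath -Recurse -ErrorAction Stop
        Write-Host "removed $KeyPath"
    } catch {
        # Surface the exact reason instead of regedit's generic dialog.
        Write-Warning "could not remove $KeyPath : $($_.Exception.Message)"
    }
}

foreach ($p in $backingPaths) { Test-ClsidKey $p; Remove-ClsidKey $p }
```

If the DLL reported under InprocServer32 still exists on disk after the key is gone, it should be checked and removed as well, otherwise a startup entry can re-register the CLSID.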
Follow this path:

 

HKEY_CLASSES_ROOT\CLSID\{F2FA09FB-EE7A-46D8-9145-A1EEF7850052} <<< here

 

Right-click the {F2FA09FB-EE7A-46D8-9145-A1EEF7850052} folder and delete it. It won't let me delete the folder

 

Check whether SUPERAntiSpyware still detects anything. ALL OK :natal_smile:

 

Thanks :natal_happy:


OK, I would have to find some other related entry to see what prevented it, but if SUPERAntiSpyware no longer detects it, it is inactive.

 

To finish, go to Control Panel > System > System Restore > check Turn off System Restore > Apply > OK.

Then uncheck it again.

 

Cheers.
