Fabyo, posted June 24, 2010

Hi everyone, I have a really annoying virus. Its main symptoms are:

* Temporary files show up in the process list, for example 1324343233c.tmp
* Very suspicious executables appear in C:
* The machine gets very slow and everything freezes
* It has already wrecked Windows
* If an antivirus is installed, the antivirus disappears
* Installing any program starts to fail with a Windows error
* And the installed programs get deleted one by one
* The virus constantly calls drwtsn32.exe
* The virus fills up the hard drive
* It uses Windows "System Restore" to survive

Now, the steps I have already taken:

* Ran HiJackThis, ComboFix, bankerfix, etc., and nothing helped
* Went into regedit and msconfig, deleted every suspicious entry, and nothing
* Installed several well-known antiviruses, and none of them can remove this virus
* Ran an antivirus from boot and it didn't help at all
* Formatted my machine and nothing
* Formatted again and nothing
* Downloaded every antivirus and anti-spyware there is, ran lots of programs, and nothing

I installed Windows about 4 times just yesterday. I even got an original Windows SP1 CD and Office 2007, installed them, didn't plug in a pen drive or install anything else, updated everything from the Windows Update site, then installed an antivirus, and the antivirus doesn't even find the virus. Worse, I installed a firewall, and it does find the virus and doesn't let it run, but the virus doesn't die; the firewall keeps firing alerts asking me to block or allow, which is a pain. I'd like to know which virus this is and how it infects machines: over the internet?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:05, on 24/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\G Data\AVKProxy\AVKProxy.exe
C:\Arquivos de programas\G Data\AntiVirus\AVK\AVKService.exe
C:\Arquivos de programas\G Data\AntiVirus\AVK\AVKWCtl.exe
C:\Arquivos de programas\G Data\AntiVirus\AVKTray\AVKTray.exe
C:\Arquivos de programas\UPHClean\uphclean.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Arquivos comuns\G Data\GDScan\GDScan.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fabyo\Desktop\HiJackThis.exe
C:\Arquivos de programas\G Data\AntiVirus\AVK\AVK.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: G Data WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Arquivos de programas\G Data\AntiVirus\WebFilter\AvkWebIE.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: G Data WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Arquivos de programas\G Data\AntiVirus\WebFilter\AvkWebIE.dll
O4 - HKLM\..\Run: [G Data AntiVirus Tray Application] C:\Arquivos de programas\G Data\AntiVirus\AVKTray\AVKTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139406804265
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D51B31D4-1C9F-4CF8-B1D8-DC5CEE072112}: NameServer = 192.168.0.1
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: G Data AntiVirus Proxy (AVKProxy) - G Data Software AG - C:\Arquivos de programas\Arquivos comuns\G Data\AVKProxy\AVKProxy.exe
O23 - Service: G Data Scheduler (AVKService) - G Data Software AG - C:\Arquivos de programas\G Data\AntiVirus\AVK\AVKService.exe
O23 - Service: G Data Sentinela AntiVirus (AVKWCtl) - G Data Software AG - C:\Arquivos de programas\G Data\AntiVirus\AVK\AVKWCtl.exe
O23 - Service: G Data Scanner (GDScan) - G Data Software AG - C:\Arquivos de programas\Arquivos comuns\G Data\GDScan\GDScan.exe

-- End of file - 4220 bytes
wings, posted June 28, 2010

Good afternoon Fabyo

* THE PROCEDURE BELOW CAN ONLY BE DONE USING INTERNET EXPLORER
* Temporarily disable your antivirus
* Run an online scan with NOD32
* When it finishes, paste the report created at C:\Arquivos de programas\EsetOnlineScanner\log
Fabyo, posted June 29, 2010

Thanks

C:\Arquivos de programas\DsNET Corp\aTube Catcher 2.0\asfbin.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\DsNET Corp\aTube Catcher 2.0\uninstall.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\gs\uninstgs.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\gs\gs8.64\bin\gswin32.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\gs\gs8.64\bin\gswin32c.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Filters\Haali\gdsmux.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\dsconfig.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\graphstudio.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\mediainfo.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\StatsReader.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\VobSubStrip.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\K-Lite Codec Pack\Tools\gspot\gspot.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\PDF to Image Converter\uninst.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\VDownloader\ffmpeg.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\VDownloader\VDownloader.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\CABARC.EXE Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\CDIMAGE.EXE Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\Creator.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\modifyPE.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\reboot.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\Windows Unattended CD Creator\uninst.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Arquivos de programas\WinPcap\uninstall.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\iexplore.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\NircmdB.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\pev.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\SF.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\ComboFix\swreg.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\AMagicDefrag.3.0.2.78.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\cmdow.exe Win32/CMDOW.143 application cleaned by deleting - quarantined
C:\Documents and Settings\Fabyo\Desktop\cmdow.rar Win32/CMDOW.143 application deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\ParetoLogic.Inc.Data.Recovery.Pro.v1.1.zip probably a variant of Win32/HackTool.Patcher.A application deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\antivirus segurança\Avast_Antivirus.Pro.4.8.1351.Portable.by_zulkani.rar multiple threats deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\antivirus segurança\BOX_KTR3.0.rar Win32/HackTool.Kiser.GC trojan deleted - quarantined
C:\Documents and Settings\Fabyo\Desktop\antivirus segurança\Portables_para_Técnicos_em_Manutenção[www.bestuniom.com - By FeRspaik™].rar probably a variant of Win32/IRCBot trojan deleted - quarantined
C:\Documents and Settings\Fabyo\Meus documentos\Downloads\MiNODLogin_3.8.1.2_bygap87.rar multiple threats deleted - quarantined
C:\SpybotSDPortable\SpybotSDPortable.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\WINDOWS\system\dbghelp.dll Win32/PSW.OnLineGames.PBB trojan deleted (after the next restart) - quarantined
C:\WINDOWS\system\mfc3B.lOG a variant of Win32/PSW.OnLineGames.QIK trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system\msg2.ini a variant of Win32/PSW.OnLineGames.PMH trojan cleaned by deleting - quarantined
C:\WINDOWS\system\msg4C.ini a variant of Win32/PSW.OnLineGames.PMH trojan cleaned by deleting - quarantined
C:\WINDOWS\system\msg4D.ini a variant of Win32/PSW.OnLineGames.PMH trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\appmgmts.dll.tmp probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\mspmsnsv.dll probably a variant of Win32/Genetik trojan unable to clean
C:\WINDOWS\system32\qmgr.dll probably a variant of Win32/Genetik trojan unable to clean
C:\WINDOWS\system32\systemp Win32/PSW.OnLineGames.POB trojan deleted - quarantined
C:\WINDOWS\system32\xmlprov.dll probably a variant of Win32/Genetik trojan unable to clean
C:\WINDOWS\system32\drivers\4A69730C.sys Win32/Wapomi.D virus deleted - quarantined
C:\WINDOWS\system32\drivers\5DC27A8F.sys Win32/Wapomi.D virus deleted - quarantined
C:\WINDOWS\Temp\102156718.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\120050265.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\Temp\120057625.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\120059031.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\120069093.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\120071890.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\12177046.dll a variant of Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\122114484.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\132238515.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\162214906.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\172327187.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\192183437.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\1afe3f36.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\1c7d30fe.exe Win32/PSW.OnLineGames.POB trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\202200265.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\222230250.dll a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\22ce04e7.exe Win32/PSW.OnLineGames.POB trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\22ec491a.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\232189703.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\252205656.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\262248781.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\262440421.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\27fa085f.exe Win32/PSW.OnLineGames.POB trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\282259812.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\2d4247a7.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\305c798f.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\30797222.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\42247500.dll Win32/PSW.OnLineGames.OST trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\47a453d2.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\49771202.exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\4c770fb.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\52149937.dll Win32/PSW.WOW.DZI trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\52345234.dll Win32/PSW.WOW.DZI trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\5c2c06ab.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\5ff30eb7.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\62168828.dll Win32/PSW.WOW.NRF trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\68b66e37.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\6c8b3143.exe Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\6ec10bd2.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\70077359.dll probably a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\70080000.dll probably a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\70081171.dll probably a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\72122328.dll probably a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\785277a6.exe a variant of Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\785577af.exe a variant of Win32/PSW.OnLineGames.NSU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\7be90c59.exe Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\82143859.dll a variant of Win32/Kryptik.DLU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\dj.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\e744699.exe Win32/TrojanDropper.Agent.ORH trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\gg.dll Win32/PSW.OnLineGames.OST trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\lihJE.LOG probably a variant of Win32/PSW.OnLineGames.OQU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\my.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\rx.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\sg.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\TQ37.tmp probably a variant of Win32/PSW.OnLineGames.OQU trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\wl.dll Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\www.dll Win32/PSW.WOW.DZI trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\xyjj.dll a variant of Win32/PSW.WOW.NQS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\zx.dll Win32/PSW.WOW.NRF trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\GDATA.2010.TR.1.7_[RH]\G DATA 2011 Trial Reset v1.7 incl. 1 year license [RH]\GDATA.2011.TR-v1.7.exe Win32/AutoRun.NAX virus deleted - quarantined
D:\AMagicDefrag.3.0.2.78.rar probably a variant of Win32/Agent trojan deleted - quarantined
D:\cmdow.rar Win32/CMDOW.143 application deleted - quarantined
D:\ParetoLogic.Inc.Data.Recovery.Pro.v1.1.zip probably a variant of Win32/HackTool.Patcher.A application deleted - quarantined
D:\Portables_para_Técnicos_em_Manutenção[www.bestuniom.com - By FeRspaik™].rar probably a variant of Win32/IRCBot trojan deleted - quarantined
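As an added example (not from the thread, and not part of any tool named in it), a small Python triage helper for the ESET Online Scanner report format pasted above: it parses each detection line, groups detections by family, and lists what the scanner could not clean, what is pending a restart, and which files live under the Windows system directories, which is what a helper reading such a report looks at first. The sample lines are a constructed subset in that format.

```python
import re
from collections import Counter

# Constructed sample in the format of the ESET Online Scanner report quoted above:
# "<path> [probably ][a variant of ]<detection> <type> <action>"
SAMPLE_LOG = """\
C:\\Arquivos de programas\\gs\\gs8.64\\bin\\gswin32.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\\ComboFix\\pev.exe Win32/AutoRun.NAX virus deleted - quarantined
C:\\WINDOWS\\system\\dbghelp.dll Win32/PSW.OnLineGames.PBB trojan deleted (after the next restart) - quarantined
C:\\WINDOWS\\system32\\mspmsnsv.dll probably a variant of Win32/Genetik trojan unable to clean
C:\\WINDOWS\\system32\\qmgr.dll probably a variant of Win32/Genetik trojan unable to clean
C:\\WINDOWS\\system32\\drivers\\4A69730C.sys Win32/Wapomi.D virus deleted - quarantined
C:\\WINDOWS\\Temp\\102156718.dll Win32/PSW.WOW.NOJ trojan cleaned by deleting - quarantined
C:\\Documents and Settings\\Fabyo\\Desktop\\x.rar multiple threats deleted - quarantined
"""

# Paths may contain spaces, so the "Win32/" detection name is used as the anchor.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:probably )?(?:a variant of )?"
    r"(?P<name>Win32/\S+) (?P<type>virus|trojan|application) (?P<action>.+)$"
)
OS_DIRS = ("\\windows\\system32\\", "\\windows\\system\\")


def parse_line(line):
    """Return a record for one detection line, or None when no named detection is present."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["family"] = rec["name"].rsplit(".", 1)[0]  # Win32/PSW.WOW.NOJ -> Win32/PSW.WOW
    rec["remediated"] = "quarantined" in rec["action"]
    rec["pending_restart"] = "after the next restart" in rec["action"]
    rec["os_file"] = any(d in rec["path"].lower() for d in OS_DIRS)
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def triage(records):
    """Summarise detections by family and list what still needs manual follow-up."""
    return {
        "families": Counter(r["family"] for r in records),
        "unresolved": [r["path"] for r in records if not r["remediated"]],
        "pending_restart": [r["path"] for r in records if r["pending_restart"]],
        "os_files_touched": [r["path"] for r in records if r["os_file"]],
    }


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    for family, n in summary["families"].most_common():
        print(f"{n:3d}  {family}")
    print("not cleaned:", summary["unresolved"])
    print("pending restart:", summary["pending_restart"])
```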
wings, posted June 29, 2010

Good afternoon....

1.
* Temporarily disable your antivirus
* Download USBFix and save it to the desktop
* Plug the pen drive into the PC
* Double-click UsbFix
* Click [Pesquisa] (Search) and wait for it to finish
* Remove the pen drive
* Paste the report created at C:\UsbFix.txt
Mário Monteiro, posted July 30, 2010

Topic archived. Since the author has not replied for more than 30 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening.