EDSSX Posted July 1, 2010

Good evening! Please check/confirm whether there are rootkits on my OS. Logs follow:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:18:48, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
D:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
D:\Arquivos de programas\CursorXP\CursorXP.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
D:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
D:\Arquivos de programas\Java\jre6\bin\jqs.exe
D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
D:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\6-11-pre-r300_xp-2k_dd_ccc_wdm_38185\Setup.exe
D:\Arquivos de programas\Mozilla Firefox\firefox.exe
D:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
D:\Documents and Settings\edsom luis\Meus documentos\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "D:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [DWQueuedReporting] "D:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [CursorXP] D:\Arquivos de programas\CursorXP\CursorXP.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Arquivos de programas\Java\jre6\bin\jqs.exe

--
End of file - 4491 bytes

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x80570833-->F8D4D87E [unknown module filename]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x80587A3C-->F8D4D874 [unknown module filename]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x80595316-->F8D4D883 [unknown module filename]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x80592D64-->F8D4D88D [unknown module filename]
ntoskrnl.exe-->NtLoadKey, Type: Address change 0x805AEE7B-->F8D4D892 [unknown module filename]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x805719AC-->F8D4D860 [unknown module filename]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8058E5C4-->F8D4D865 [unknown module filename]
ntoskrnl.exe-->NtReplaceKey, Type: Address change 0x8064F446-->F8D4D89C [unknown module filename]
ntoskrnl.exe-->NtRestoreKey, Type: Address change 0x8064EFDD-->F8D4D897 [unknown module filename]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x80572A6E-->F8D4D888 [unknown module filename]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x82FCAA00 [4] System
0x8259C918 [204] D:\Arquivos de programas\Avira\AntiVir Desktop\AVSHADOW.EXE (Avira GmbH, AntiVir shadow copy service)
0x8262EBC0 [276] D:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8259FC88 [320] D:\Arquivos de programas\Java\JRE6\BIN\JQS.EXE (Sun Microsystems, Inc., Java Quick Starter Service)
0x8259BCD8 [400] D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation, Machine Debug Manager)
0x82622228 [408] D:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8258F800 [456] D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation, Microsoft SeaPort Search Enhancement Broker)
0x82611620 [508] D:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82498BE8 [652] D:\Arquivos de programas\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)
0x823AC910 [836] D:\Arquivos de programas\Mozilla Firefox\plugin-container.exe (Mozilla Corporation, Plugin Container for Firefox)
0x8275DB38 [980] D:\WINDOWS\System32\smss.exe (Microsoft Corporation, Gerenciador de Sessão do Windows NT)
0x825EBC68 [992] D:\WINDOWS\EXPLORER.EXE (Microsoft Corporation, Windows Explorer)
0x825F09E0 [1020] D:\WINDOWS\System32\SPOOLSV.EXE (Microsoft Corporation, Spooler SubSystem App)
0x82723DA0 [1036] D:\WINDOWS\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x826F37E0 [1060] D:\WINDOWS\System32\winlogon.exe (Microsoft Corporation, Aplicativo de logon do Windows NT)
0x826B4348 [1116] D:\WINDOWS\System32\SERVICES.EXE (Microsoft Corporation, Aplicativo de serviços e controle)
0x826A5DA0 [1128] D:\WINDOWS\System32\LSASS.EXE (Microsoft Corporation, LSA Shell (Export Version))
0x825D4020 [1132] D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe (Avira GmbH, Antivirus Scheduler)
0x820FDDA0 [1264] D:\Documents and Settings\edsom luis\Meus documentos\Downloads\RKUnhookerLE.EXE (UG North, RKULE, SR2 Normandy)
0x82659330 [1308] D:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x826498B0 [1372] D:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8244B628 [1636] D:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java Update Scheduler)
0x8243F440 [1644] D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH, Antivirus System Tray Tool)
0x824513C8 [1660] D:\Arquivos de programas\CursorXP\CursorXP.exe ( , CursorXP)
0x8242DDA0 [1764] D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe (Avira GmbH, Antivirus On-Access Service)
0x823BB020 [2180] D:\WINDOWS\System32\wbem\WMIAPSRV.EXE (Microsoft Corporation, Serviço de adaptador de desempenho WMI)
0x82383020 [2268] D:\WINDOWS\System32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x823B36B8 [2936] D:\WINDOWS\System32\ALG.EXE (Microsoft Corporation, Application Layer Gateway Service)
0x823BD818 [3920] D:\WINDOWS\System32\6-11-pre-r300_xp-2k_dd_ccc_wdm_38185\Setup.exe (ATI Technologies Inc., ATI CIM Application Launcher Module)
==============================================
>Drivers
==============================================
0x804D7000 D:\WINDOWS\system32\ntoskrnl.exe 2194176 bytes (Microsoft Corporation, Núcleo e sistema do NT)
0x804D7000 PnpManager 2194176 bytes
0x804D7000 RAW 2194176 bytes
0x804D7000 WMIxWDM 2194176 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 D:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Driver Win32 multiusuário)
0xF82D4000 D:\WINDOWS\system32\drivers\cmuda.sys 1368064 bytes (C-Media Inc, C-Media Audio WDM Driver)
0xF7EF8000 D:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF80ED000 D:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF8025000 D:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF7257000 D:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 D:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF8491000 D:\WINDOWS\system32\DRIVERS\SAA713x.sys 278528 bytes (Philips Semiconductors, SAA713x PCI TV Card - Video Capture Driver)
0xF6F46000 D:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF818D000 D:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF8667000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF855F000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF7F68000 D:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF7FFD000 D:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF8611000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF7FD7000 D:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF85A3000 Fastfat.sys 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF82B0000 D:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF844A000 D:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF846E000 D:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF7FB5000 D:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF7ED6000 D:\WINDOWS\system32\DRIVERS\avipbb.sys 139264 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xF7F93000 D:\WINDOWS\system32\DRIVERS\VBoxDrv.sys 139264 bytes (Oracle Corporation, VirtualBox Support Driver)
0x806EF000 ACPI_HAL 131840 bytes
0x806EF000 D:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF85D9000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF8637000 ftdisk.sys 126976 bytes (Microsoft Corporation, Driver de disco com tolerância a falhas)
0xF8545000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF8173000 D:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys 106496 bytes (Oracle Corporation, VirtualBox Bridged Networking Driver)
0xF85F9000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF858C000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF8285000 D:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF81BD000 D:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys 94208 bytes (Oracle Corporation, VirtualBox Host-Only Network Adapter Driver)
0xF7959000 D:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0xF764C000 D:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF829C000 D:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Driver de porta paralela)
0xF80B1000 D:\WINDOWS\System32\drivers\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF807E000 D:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 D:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF85C7000 sr.sys 73728 bytes (Microsoft Corporation, Driver de filtro do sistema de arquivos da restauração do sistema)
0xF8656000 pci.sys 69632 bytes (Microsoft Corporation, Enumerador NT Plug and Play PCI)
0xF8274000 D:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF88A6000 D:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF8776000 D:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF87B6000 D:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Driver de dispositivo serial)
0xF8796000 D:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8786000 D:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF8234000 D:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF8826000 D:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF8756000 D:\WINDOWS\system32\DRIVERS\i8042prt.sys 57344 bytes (Microsoft Corporation, Driver de porta i8042)
0xF86F6000 D:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF87C6000 D:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8746000 D:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF86D6000 VolSnap.sys 53248 bytes (Microsoft Corporation, Driver de cópia de sombra de volume)
0xF87E6000 D:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF8736000 D:\WINDOWS\system32\DRIVERS\amdk7.sys 45056 bytes (Microsoft Corporation, Driver de dispositivo de processador)
0xF87A6000 D:\WINDOWS\system32\DRIVERS\fetnd5bv.sys 45056 bytes (VIA Technologies, Inc. , NDIS 5.0 miniport driver)
0xF8876000 D:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8766000 D:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF86C6000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF87D6000 D:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8706000 uagp35.sys 45056 bytes (Microsoft Corporation, MS AGPv3.5 Filter)
0xF86B6000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF8816000 D:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF8806000 D:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF86E6000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF8896000 D:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF87F6000 D:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8856000 D:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF6BF9000 D:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF8866000 D:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys 36864 bytes (Oracle Corporation, VirtualBox USB Monitor Driver)
0xF8846000 D:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF89BE000 D:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF895E000 D:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF8976000 D:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF89D6000 D:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF896E000 D:\WINDOWS\system32\DRIVERS\kbdclass.sys 28672 bytes (Microsoft Corporation, Driver de classe teclado)
0xF8936000 D:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF89CE000 D:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF8966000 D:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Driver de classe modem)
0xF89C6000 D:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xF8956000 D:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF89AE000 D:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF899E000 D:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF89B6000 D:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF893E000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8986000 D:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF898E000 D:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF897E000 D:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF89DE000 D:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF8996000 D:\WINDOWS\system32\DRIVERS\XPVCOM.sys 20480 bytes
0xF851D000 D:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF798A000 D:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8B92000 D:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8AC6000 D:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF816B000 D:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBFF70000 D:\WINDOWS\System32\framebuf.dll 12288 bytes (Microsoft Corporation, Framebuffer Display Driver)
0xF843A000 D:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF8436000 D:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8B96000 D:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF84ED000 D:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF84DD000 D:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF8BCC000 D:\Arquivos de programas\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xF8BC4000 D:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8BBC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF8BC2000 D:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8BB6000 D:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8BC6000 D:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8C2E000 D:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, Driver paralelo VDM)
0xF8BC8000 D:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8BBE000 D:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8BC0000 D:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8BBA000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF8BB8000 D:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8CF4000 D:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8D9E000 D:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8D28000 D:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] D:\Documents and Settings\edsom luis\Recent\avgremover.lnk
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B75C, Type: Inline - RelativeJump 0x804E275C-->804E273A [ntoskrnl.exe]
ntoskrnl.exe+0x0000B78C, Type: Inline - RelativeJump 0x804E278C-->804E276A [ntoskrnl.exe]
[1644]avgnt.exe-->user32.dll-->DrawIconEx, Type: Inline - RelativeJump 0x7E37CB84-->00000000 [CurXP0.dll]
[1644]avgnt.exe-->user32.dll-->GetCursor, Type: Inline - RelativeJump 0x7E37A91B-->00000000 [CurXP0.dll]
[1644]avgnt.exe-->user32.dll-->GetIconInfo, Type: Inline - RelativeJump 0x7E37D427-->00000000 [CurXP0.dll]
[2268]wuauclt.exe-->user32.dll-->DrawIconEx, Type: Inline - RelativeJump 0x7E37CB84-->00000000 [CurXP0.dll]
[2268]wuauclt.exe-->user32.dll-->GetCursor, Type: Inline - RelativeJump 0x7E37A91B-->00000000 [CurXP0.dll]
[2268]wuauclt.exe-->user32.dll-->GetIconInfo, Type: Inline - RelativeJump 0x7E37D427-->00000000 [CurXP0.dll]
[652]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3-->00000000 [firefox.exe]
[652]firefox.exe-->user32.dll-->DrawIconEx, Type: Inline - RelativeJump 0x7E37CB84-->00000000 [CurXP0.dll]
[652]firefox.exe-->user32.dll-->GetCursor, Type: Inline - RelativeJump 0x7E37A91B-->00000000 [CurXP0.dll]
[652]firefox.exe-->user32.dll-->GetIconInfo, Type: Inline - RelativeJump 0x7E37D427-->00000000 [CurXP0.dll]
[836]plugin-container.exe-->user32.dll-->DrawIconEx, Type: Inline - RelativeJump 0x7E37CB84-->00000000 [CurXP0.dll]
[836]plugin-container.exe-->user32.dll-->GetCursor, Type: Inline - RelativeJump 0x7E37A91B-->00000000 [CurXP0.dll]
[836]plugin-container.exe-->user32.dll-->GetIconInfo, Type: Inline - RelativeJump 0x7E37D427-->00000000 [CurXP0.dll]
[836]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E3B531E-->00000000 [xul.dll]
[992]EXPLORER.EXE-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F51218-->00000000 [shimeng.dll]
[992]EXPLORER.EXE-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77E510B4-->00000000 [shimeng.dll]
[992]EXPLORER.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[992]EXPLORER.EXE-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[992]EXPLORER.EXE-->user32.dll-->DrawIconEx, Type: Inline - RelativeJump 0x7E37CB84-->00000000 [CurXP0.dll]
[992]EXPLORER.EXE-->user32.dll-->GetCursor, Type: Inline - RelativeJump 0x7E37A91B-->00000000 [CurXP0.dll]
[992]EXPLORER.EXE-->user32.dll-->GetIconInfo, Type: Inline - RelativeJump 0x7E37D427-->00000000 [CurXP0.dll]
[992]EXPLORER.EXE-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E36133C-->00000000 [shimeng.dll]
[992]EXPLORER.EXE-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3FA514B0-->00000000 [shimeng.dll]
[992]EXPLORER.EXE-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A7109C-->00000000 [shimeng.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!!

=) Regards
wings Posted July 3, 2010

Good morning...
* Download MBR and save it to C:\
* Double-click C:\mbr.exe
* Click [Start] > [Run] > copy and paste: c:\mbr.exe -t
* Click OK
* Paste the report (C:\mbr.txt) that is produced
EDSSX Posted July 3, 2010

Good afternoon! wings, here is the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Regards and thank you
wings Posted July 4, 2010

1.
* Delete the files C:\mbr.exe and C:\mbr.txt

2.
* Download GMER and save it to the desktop
* Extract the contents to C:\
* Disable your antivirus
* Double-click gmer.exe
* If you get a warning about rootkit activity asking whether you want to run a scan, click [No]
* Click [scan]... if you get a rootkit warning, click [OK]
* When it finishes, click [save]
* Save the file to the desktop as gmer.txt
* Paste it in your next reply
* Re-enable your antivirus
EDSSX Posted July 4, 2010

Good evening!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-04 18:10:50
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\pxtdapoc.sys

---- System - GMER 1.0.15 ----

SSDT F8D4DFC6 ZwCreateKey
SSDT F8D4DFBC ZwCreateThread
SSDT F8D4DFCB ZwDeleteKey
SSDT F8D4DFD5 ZwDeleteValueKey
SSDT F8D4DFDA ZwLoadKey
SSDT F8D4DFA8 ZwOpenProcess
SSDT F8D4DFAD ZwOpenThread
SSDT F8D4DFE4 ZwReplaceKey
SSDT F8D4DFDF ZwRestoreKey
SSDT F8D4DFD0 ZwSetValueKey

---- User code sections - GMER 1.0.15 ----

.text D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para gmer(2).zip\gmer.exe[204] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 10001080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para gmer(2).zip\gmer.exe[204] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 10001120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para gmer(2).zip\gmer.exe[204] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 10001030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\WINDOWS\explorer.exe[1444] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 10001080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\WINDOWS\explorer.exe[1444] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 10001120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\WINDOWS\explorer.exe[1444] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 10001030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe[1600] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 018D1080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe[1600] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 018D1120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe[1600] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 018D1030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Mozilla Firefox\plugin-container.exe[2916] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 018C1080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Mozilla Firefox\plugin-container.exe[2916] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 018C1120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Mozilla Firefox\plugin-container.exe[2916] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 018C1030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Mozilla Firefox\plugin-container.exe[2916] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 104505FE D:\Arquivos de programas\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text D:\Arquivos de programas\Mozilla Firefox\firefox.exe[3700] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 D:\Arquivos de programas\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text D:\Arquivos de programas\Mozilla Firefox\firefox.exe[3700] USER32.dll!GetCursor 7E37A91B 5 Bytes JMP 03821080 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Mozilla Firefox\firefox.exe[3700] USER32.dll!DrawIconEx 7E37CB84 5 Bytes JMP 03821120 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text D:\Arquivos de programas\Mozilla Firefox\firefox.exe[3700] USER32.dll!GetIconInfo 7E37D427 5 Bytes JMP 03821030 D:\Arquivos de programas\CursorXP\CurXP0.dll (CursorXP control panel/ )

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
wings Posted July 4, 2010

Nothing abnormal so far.
* Download F-Secure Blacklight and save it to the desktop
* Double-click fsbl.exe and accept the license agreement
* Close all programs and windows
* In the initial "Step 1: Scan for hidden items" window, click [scan]
* When the scan finishes, click [Close]
* A log named fsb-xxxxx.log will be created in the same folder as the program
* Paste the result in your next reply
EDSSX Posted July 5, 2010

Good morning! Here is the log:

07/05/10 09:01:45 [info]: BlackLight Engine 2.2.1092 initialized
07/05/10 09:01:45 [info]: OS: 5.1 build 2600 (Service Pack 3)
07/05/10 09:01:55 [Note]: 7019 4
07/05/10 09:01:55 [Note]: 7005 0
07/05/10 09:02:24 [Note]: 7006 0
07/05/10 09:02:25 [Note]: 7011 1396
07/05/10 09:02:25 [Note]: 7035 0
07/05/10 09:02:25 [Note]: 7026 0
07/05/10 09:02:25 [Note]: 7026 0
07/05/10 09:02:28 [Note]: FSRAW library version 1.7.1024
07/05/10 09:09:28 [Note]: 7007 0

Regards and thank you
wings Posted July 5, 2010

You can delete F-Secure Blacklight and its report. The PC is clean. The RootKit Unhooker scan reporting activity is caused by programs that use hooks, such as CursorXP. Regards.
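As an added example (not code from this thread or from any of the tools it uses), the Python script below applies the helper's reasoning to RootKit Unhooker output: it parses the hook lines, attributes each hook to the module that owns the jump target, and separates hooks owned by known hooking software such as CursorXP, or by the hooked module itself, from those RkU could not attribute to any module, which are the ones that still deserve a second look with another scanner. The sample lines are copied from the report posted above; the allow-list KNOWN_HOOKERS, the verdict names and all function names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few hook lines copied from the RootKit Unhooker
# report pasted earlier in this thread (SSDT entries, a kernel inline jump,
# and user-mode hooks owned by CurXP0.dll, shimeng.dll and firefox.exe).
SAMPLE_REPORT = """\
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x80570833-->F8D4D87E [unknown module filename]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x805719AC-->F8D4D860 [unknown module filename]
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
[1644]avgnt.exe-->user32.dll-->DrawIconEx, Type: Inline - RelativeJump 0x7E37CB84-->00000000 [CurXP0.dll]
[652]firefox.exe-->user32.dll-->GetCursor, Type: Inline - RelativeJump 0x7E37A91B-->00000000 [CurXP0.dll]
[652]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3-->00000000 [firefox.exe]
[992]EXPLORER.EXE-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E36133C-->00000000 [shimeng.dll]
"""

# Assumed allow-list for this example: CursorXP's hook DLL (the module the
# thread's helper pointed at) and shimeng.dll, the Windows application
# compatibility shim engine. Tune it to the software actually installed.
KNOWN_HOOKERS = {"curxp0.dll", "shimeng.dll"}

HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?"          # optional [pid] prefix on user-mode hooks
    r"(?P<chain>\S+?), Type: "         # module-->...-->function, or module+offset
    r"(?P<type>.+?) "                  # Address change / Inline - RelativeJump / IAT modification
    r"(?P<src>0x[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) "
    r"\[(?P<owner>[^\]]+)\]$"          # module RkU attributes the destination to
)


def parse_report(text):
    """Return one dict per recognised hook line; unrelated lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"]) if h["pid"] else None
        h["chain"] = h["chain"].split("-->")
        hooks.append(h)
    return hooks


def classify(hook, known_hookers=KNOWN_HOOKERS):
    """Verdict for one hook, following the order a reviewer would check."""
    owner = hook["owner"].lower()
    hooked_module = hook["chain"][0].split("+")[0].lower()
    if owner == "unknown module filename":
        return "investigate"   # destination lies outside every module RkU could name
    if owner == hooked_module:
        return "self"          # module patches its own code (kernel inline jumps, firefox LdrLoadDll)
    if owner in known_hookers:
        return "expected"      # hook owned by software known to hook, e.g. CursorXP
    return "review"            # attributable, but not on the allow-list


def triage(text, known_hookers=KNOWN_HOOKERS):
    """Group hook descriptions by verdict so the report can be read at a glance."""
    verdicts = defaultdict(list)
    for h in parse_report(text):
        label = f"{h['chain'][0]} -> {h['chain'][-1]} ({h['type']}) by {h['owner']}"
        verdicts[classify(h, known_hookers)].append(label)
    return dict(verdicts)


def summary(text):
    """Count hooks per owning module; a large count from one DLL usually means one installed program."""
    counts = defaultdict(int)
    for h in parse_report(text):
        counts[h["owner"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_REPORT).items():
        print(f"== {verdict} ({len(entries)})")
        for entry in entries:
            print("  ", entry)
    print(summary(SAMPLE_REPORT))
```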
EDSSX Posted July 6, 2010

Good morning! OK then; you can close the topic. Regards
wings Posted July 6, 2010

PROBLEM SOLVED! If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.