[Resolvido] &nbspMalware rootkit

lucasbsp · Novembro 26, 2010

olá gostaria que vcs me ajudassem a tirar um virus que nao consigo retirar e ja formatei os hds aguardo ancioso obrigado

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 23:53:31, on 11/25/aaaa

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20627)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\VM305_STI.EXE

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\Arquivos de programas\Windows Media Player\wmplayer.exe

C:\Documents and Settings\Lucas\Meus documentos\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://so92.com/?

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [uSB Antivirus] C:\Arquivos de programas\USB Disk Security\USBGuard.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Arquivos de programas\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [bigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ccleaner] "C:\Arquivos de programas\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{8D0E73B4-96AE-4D5B-9CD1-48F0473B9492}: NameServer = 10.0.1.254

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 5671 bytes

wings · Novembro 26, 2010

Olá lucasbsp

*Faça um scan online com o NOD32

*Ao término cole o relatório criado em C:\Arquivos de programas\EsetOnlineScanner\log

lucasbsp · Novembro 26, 2010

Olá Wings fiz o scaneamento lembrando que ele travou em 70% aguardei 1hora e nd depois conclui.

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=623a8f04a5d4d84a803ca57c12af8f9c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-11-26 04:07:53

# local_time=2010-11-26 02:07:53 (-0300, Hora oficial do Brasil)

# country="Brazil"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=52858

# found=6

# cleaned=6

# scan_time=2361

D:\backup\pc cruel\profiles\Downloads\Desflasheando w300i\Programas\Far Manager\Plugins\SEFP\sefp0.10.0.51patch.exe probably a variant of Win32/Agent.NMZPOJA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\Pen driver\programas\sound forge 8.0\keygen - Sound Forge 8.0.exe a variant of Win32/Keygen.AQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\Pen driver\Utilitários básicos\nero 7 full\Nero-7.7.5.1_ptb_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\programas\MsgPlusLive-483.exe a variant of Win32/Adware.CiDHelp application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\programas\unlocker1.8.7.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\programas\nero 7 full\Nero-7.7.5.1_ptb_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C

esets_scanner_update returned -1 esets_gle=53251

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=623a8f04a5d4d84a803ca57c12af8f9c

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-11-26 05:58:28

# local_time=2010-11-26 03:58:28 (-0300, Hora oficial do Brasil)

# country="Brazil"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=49884

# found=10

# cleaned=10

# scan_time=6369

D:\backup\DEKSTOP\Downloads\crack + keygen NFS.www.therebels.biz.rar probably a variant of Win32/Agent.BXDOMKW trojan (deleted - quarantined) 00000000000000000000000000000000 C

D:\backup\pc cruel\profiles\Downloads\Desflash_w300i.zip probably a variant of Win32/Agent.NMZPOJA trojan (deleted - quarantined) 00000000000000000000000000000000 C

D:\backup\pc cruel\profiles\Downloads\SETOOL v0.915034.rar a variant of Win32/Packed.Themida application (deleted - quarantined) 00000000000000000000000000000000 C

D:\backup\pc cruel\profiles\Downloads\ultrasurf.zip Win32/UltraReach application (deleted - quarantined) 00000000000000000000000000000000 C

D:\backup\pc cruel\profiles\Downloads\Desflasheando w300i\Programas\Far Manager.zip probably a variant of Win32/Agent.NMZPOJA trojan (deleted - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\Pen driver\Anti-virus\programas para recuperar senhas do msn\systempassrec4134.rar Win32/PassRecovery application (deleted - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\Pen driver\Anti-virus\programas para recuperar senhas do msn\mailpv\mailpv.exe Win32/MailPassView.132 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\Pen driver\Anti-virus\programas para recuperar senhas do msn\System Password Recovery 4.1.3.4.455 + Serial\setup.exe Win32/PassRecovery application (deleted - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\Pen driver\programas\WinXP keyChanger.exe Win32/PSWTool.RAS.A application (deleted - quarantined) 00000000000000000000000000000000 C

D:\Meus documentos\Pen driver\Utilitários básicos\nero 7 full\Nero.Premium.Edition.v7.0.5.4.Incl.KeyMaker.REPACK-DVT.ZIP probably a variant of Win32/Agent.HZREFUA trojan (deleted - quarantined) 00000000000000000000000000000000 C

wings · Novembro 26, 2010

1.

*Desative seu antivírus temporariamente

*Baixe o RSIT e salve-o no desktop

*Execute o RSIT e clique [Continue]

*Cole o relatório C:\rsit\log.txt

2.

*Baixe o GMER e salve-o no desktop

*Crie uma pasta chamada GMER em C:\ e extraia para lá

*Feche todos os programas ativos (MSN, IE, Firefox, etc...)

*Desative temporariamente o antivírus

*Execute o gmer

*Se receber um aviso sobre atividade de rootkit clique [Não]

*Desmarque

[] IAT/EAT

*Clique [scan] e aguarde. Pode demorar....

*Ao finalizar, clique [save...]

*Salve no desktop como gmer

*Cole o relatório gmer.txt

lucasbsp · Novembro 26, 2010

Segue os logs

Logfile of random's system information tool 1.08 (written by random/random)

Run by Lucas at 2010-11-26 13:57:06

Microsoft Windows XP Professional Service Pack 2

System drive C: has 67 GB (87%) free of 76 GB

Total RAM: 1023 MB (74% free)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 13:57:28, on 11/26/aaaa

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20627)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\VM305_STI.EXE

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Documents and Settings\Lucas\Desktop\RSIT.exe

C:\Arquivos de programas\trend micro\Lucas.exe