Ir ao conteúdo
  • Cadastre-se
Entre para seguir isso  
T-Shark

Malware impossível de ser eliminado

Recommended Posts

Pessoal,

To com um problema e ja faz alguns meses... não sei como e porque algum programa que eu utilizei (eu suspeito que tenha sido o windows messenger discovery, ja ouviram falar???) instalou um malware e algumas vezes quando eu vou realizar qualquer tarefa o antivirus (Avast) informa sobre a ameaça só que na hora que eu mando excluir ele dá uma msg que não é possível. Se eu tento mover para quarentena a mesma coisa e se eu tento renomeá-lo a mesma coisa.

O relatório do Avast informa o seguinte:

Arquivo: C:\WINDOWS\system32\avifilet.dll\[uPX]

Nome do Malware: Win32:Podnuha-Q [Rtk]

Tipo do Malware: Rootkit

VPS (Versão): 080529-1, 29/05/2008´

É um arquivo .dll chamado avifilet.dll só que esse arquivo não é uma dll real, mas tb não aceita ser deletada nem manualmente.

Eu até passei o SmitFraudFix v2.323 mas pelo que pareceu nem ele detectou e eliminou esse malware e continua aparecendo o alerta do antivirus.

Segue o relatório de log:

Scan done at 18:55:29,79, qui 29/05/2008

Run from C:\Documents and Settings\Peixinho\Meus documentos\SmitfraudFix

OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0E420EC1-B988-428A-B0CE-F8AE9AD78AA6}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A8742316-4BA1-4AE5-9ABC-B04836ACA431}: DhcpNameServer=201.6.0.113 201.6.0.100

HKLM\SYSTEM\CS1\Services\Tcpip\..\{0E420EC1-B988-428A-B0CE-F8AE9AD78AA6}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{A8742316-4BA1-4AE5-9ABC-B04836ACA431}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{0E420EC1-B988-428A-B0CE-F8AE9AD78AA6}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{A8742316-4BA1-4AE5-9ABC-B04836ACA431}: DhcpNameServer=201.6.0.113 201.6.0.100

HKLM\SYSTEM\CS3\Services\Tcpip\..\{0E420EC1-B988-428A-B0CE-F8AE9AD78AA6}: DhcpNameServer=192.168.1.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{A8742316-4BA1-4AE5-9ABC-B04836ACA431}: DhcpNameServer=201.6.0.113 201.6.0.100

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=201.6.0.113 201.6.0.100

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=201.6.0.113 201.6.0.100

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=201.6.0.113 201.6.0.100

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Alguém tem alguma ideia do que é isso ou do que posso fazer?

Valeu galera

Abs

------------------------------------------------------------------------------------------------------------

Fiz também um scan com o HiJack. Segue o log do Hijack:

Logfile of HijackThis v1.99.1

Scan saved at 11:52:16, on 6/6/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Arquivos de programas\Java\jre1.5.0_09\bin\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\sm56hlpr.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Ares\Ares.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Arquivos de programas\MessengerDiscovery\MessengerDiscovery Live.exe

C:\Hijack This\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de

programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {53B309B0-2DEE-41E3-AEFD-EEAD4A5910B6} - C:\WINDOWS\system32\avifilet.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de

programas\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} -

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de

programas\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de

programas\Google\GoogleToolbarNotifier\3.0.1225.98 68\swg.dll

O2 - BHO: (no name) - {B3A245AC-0659-48CA-8B7E-4032A62E43C7} - c:\windows\system32\comsnapn.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de

programas\Windows Live Toolbar\msntb.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} -

C:\Arquivos de programas\GbPlugin\gbiehabn.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de

programas\google\googletoolbar3.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de

programas\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de

programas\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKCU\..\Run: [mwzd] C:\WINDOWS\system32\mwzd.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe"

/background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat

7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live

Toolbar\msntb.dll/search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de

programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Arquivos de programas\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de

programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer -

{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows

Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de

programas\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de

programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) -

https://wwwss.bradesco.com.br/ib2k1/scpsssh2.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -

http://messenger.zone.msn.com/binary...o.cab56649.cab

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) -

http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary...t.cab56907.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -

https://wwws.realsecureweb.com.br/mp...bPluginABN.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) -

http://200.212.184.212/g_bin/eng/billard8_2_0_0_28.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4} (GameDesire Pool Training) -

http://200.212.184.212/g_bin/eng/billardt_2_0_0_28.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -

C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de

programas\Windows Live\Mail\mailcomm.dll

O20 - Winlogon Notify: GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll

O20 - Winlogon Notify: niamymqv - C:\WINDOWS\SYSTEM32\comsnapn.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de

programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil

Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil

Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil

Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de

programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de

programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -

C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos

comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. -

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: wampapache - Unknown owner - C:\Arquivos de

programas\wamp\bin\apache\apache2.2.6\bin\httpd.ex e" -k runservice (file missing)

O23 - Service: wampmysqld - Unknown owner - C:\Arquivos de

programas\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe" wampmysqld (file missing)

Até agora eu ja passei tudo quanto foi antispyware, antivirus, ccleaner, regcure e nada.

Fico no aguardo de mais ajuda.

Valeu,

abs

Compartilhar este post


Link para o post
Compartilhar em outros sites

" Tópico Arquivado "

Como o tópico está inativo, o mesmo é arquivado.

Se você necessita que o tópico seja reaberto, entre em contato com um dos membros da equipe de moderação (Lusitano ou RenatoMejias) e inclua no seu pedido o link para este tópico e a justificação para a respetiva reabertura.

Obrigado!

Compartilhar este post


Link para o post
Compartilhar em outros sites
Visitante
Este tópico está impedido de receber novos posts.
Entre para seguir isso  





Sobre o Clube do Hardware

No ar desde 1996, o Clube do Hardware é uma das maiores, mais antigas e mais respeitadas publicações sobre tecnologia do Brasil. Leia mais

Direitos autorais

Não permitimos a cópia ou reprodução do conteúdo do nosso site, fórum, newsletters e redes sociais, mesmo citando-se a fonte. Leia mais

×