[resolved]
Hi everyone, here's the situation: I'm new here and I need your help. I have a very annoying virus on my notebook; I formatted it, but the damned thing is still on the machine. I've already used AVG and Avast; they detect it but can't remove it. The name of the cursed thing is WINXP.EXE. I searched for how to remove this virus but only found information in English. I'm posting the HijackThis and AVZ logs here; to whoever can help, I'll be eternally grateful.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:31, on 1/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\ARQUIV~1\LAUNCH~1\QtZgAcer.EXE
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe
C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\IURIEH~1\CONFIG~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\CoolSMS\CoolSMS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE
C:\Documents and Settings\Iuri E Hohlenwerger\Desktop\avz4\avz.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Arquivos de programas\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\ARQUIV~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Arquivos de programas\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [regdiit] C:\WINDOWS\system32\winxp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CoolSMS] C:\Arquivos de programas\CoolSMS\CoolSMS.exe /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 5763 bytes
AVZ log:
AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 1/4/2010 10:04:09
Database loaded: signatures - 269067, NN profile(s) - 2, malware removal microprograms - 56, signature database released 31.03.2010 14:07
Heuristic microprograms loaded: 382
PVS microprograms loaded: 9
Digital signatures of system files loaded: 191412
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 5.1.2600, Service Pack 2 ; AVZ is run with administrator rights
System Restore: Disabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055B6E0
KiST = 80503734 (284)
Function NtClose (19) intercepted (805BAEB4->AA7A9C56), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateKey (29) intercepted (80622048->AA7A9B12), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateProcessEx (30) - machine code modification Method of JmpTo. jmp AA7B6502\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateSection (32) - machine code modification Method of JmpTo. jmp AA7B6326\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (806224D8->AA7AA0C6), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (806226A8->AA7A9FF0), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BC890->AA7A96E8), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtLoadDriver (61) - machine code modification Method of JmpTo. jmp AA7B6460\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenKey (77) intercepted (806233DE->AA7A9BEC), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805C9C46->AA7A9628), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtOpenThread (80) intercepted (805C9ED2->AA7A968C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (80620102->AA7A9D0C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtRenameKey (C0) intercepted (80621A6E->AA7AA194), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (80620450->AA7A9CCC), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80620708->AA7A9E4C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function NtCreateSection (805A9DEE) - machine code modification Method of JmpTo. jmp AA7B6326 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function ObInsertObject (805C1810) - machine code modification Method of JmpTo. jmp AA7B3972 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Function ObMakeTemporaryObject (805BAEDA) - machine code modification Method of JmpTo. jmp AA7B24BA \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
Functions checked: 284, intercepted: 12, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = AA7B5FEE -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_CLOSE] = AA7B602E -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_WRITE] = AA7B610A -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = AA7B614A -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
Checking - complete
2. Scanning RAM
Number of processes found: 37
Number of modules loaded: 364
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Danger - process debugger "drwtsn32.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Danger - process debugger "dwwinxp.exe" = "C:\WINDOWS\system32\winxp.exe"
Danger - process debugger "MSConfig.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Danger - process debugger "procexp.exe" = "\winxp.exe"
Danger - process debugger "regedit.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Danger - process debugger "rstrui.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Danger - process debugger "taskmgr.exe" = "C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Registro remoto)
>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)
>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)
>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)
>> Services: potentially dangerous service allowed: mnmsrvc (Compartilhamento remoto da área de trabalho do NetMeeting)
>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> System process debugger detected
>> System Restore settings blocked
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 64516, extracted from archives: 47916, malicious software found 0, suspicions - 0
Scanning finished at 1/4/2010 10:14:35
Time of scanning: 00:10:27
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
Thanks in advance for everyone's help

iuritauros
[Resolved] HijackThis analysis
#1 By iuritauros
01/04/2010 - 10:17