Rootkits

Question

Tmfeijo/ boa noite;vi a  sua mensagem em MP/ li todos os relatos/

O que eu faria/
[COLOR=blue]Tutorial             do Junkware Removal Tool[/COLOR]

Depois desinstalaria o Java/ e tambem o GB plugin[desativaria]
Nunca usaria o Avast/ e sim ou o Panda Cloud ou o Avira

Fica a seu crit&eacute;rio/
abs

Answer

Dizem por a&iacute; que, (os realmente especialistas) a melhor coisa a se fazer quando um sistema est&aacute; infectado com rootkits &eacute; formatar o hd com nova partic&atilde;o. Como eu ainda estou estudando sobre isso n&atilde;o posso afirmar.
Agora, se analisarmos pela l&oacute;gica, faz todo sentido. Eu faria isso.

Answer

Boa  noite ! edutango

Por que n&atilde;o o  avast ?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Home Basic x86
Ran by EDSON on 22/02/2014 at 22:18:31,41
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 22/02/2014 at 22:20:50,26
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sem  o  java  alguns programas  n&atilde;o abrem; principalmente os da  RFB receita federal do Brasil; declara&ccedil;&atilde;o de imposto de renda para ser  mais  exato .   E no m&ecirc;s  quem  vem  j&aacute;  terei que declarar .

# AdwCleaner v3.019 - Relat&oacute;rio criado 23/02/2014 &agrave;s 10:15:27
# Atualizado 17/02/2014 por Xplode
# Sistema Operacional : Windows 7 Home Basic Service Pack 1 (32 bits)
# Usu&aacute;rio : EDSON - EDSON-PC
# Executando de : C:\Users\EDSON\Downloads\AdwCleaner.exe
# Op&ccedil;&atilde;o : Limpar

***** [ Servi&ccedil;os ] *****

***** [ Arquivos / Pastas ] *****

Arquivo Deletada : C:\Windows\System32\Tasks\NCH Software

***** [ Atalhos ] *****

***** [ Registro ] *****

***** [ Navegadores ] *****

-\ Internet Explorer v11.0.9600.16518

-\ Google Chrome v33.0.1750.117

[ Arquivo : C:\Users\EDSON\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [840 octets] - [23/02/2014 10:14:34]
AdwCleaner[S0].txt - [757 octets] - [23/02/2014 10:15:27]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [816 octets] ##########

Abra&ccedil;os

Answer

Ol&aacute; @Tmfeijo  
Recebi sua MP atendendo sua d&uacute;vida!
O relat&oacute;rio de Combofix e DDS est&atilde;o limpos, se seu sistema estivesse com algum tipo de Rootkit o Combofix nem iria iniciar o varredura no sistema, pois muitos Rootkits bloqueiam sua execu&ccedil;&atilde;o, e em seu scan n&atilde;o foi encontrado nenhum Rootkits e nem foi nada removido.
Caso fosse Rootkit ZeroAcess o Combofix j&aacute; teria removido automaticamente, e o Gmer que j&aacute; vem acoplado com Combofix n&atilde;o detectou nenhum outro tipo de Rootkit.

O Avast &eacute; um dos melhores Anti v&iacute;rus recomendo que deixa-o instalado, e o Avast tem uma op&ccedil;&atilde;o excelente a varredura em boot, j&aacute; tentou fazer um scan em boot antes do sistema iniciar ?
Pelo que observei seu sistema tem pouco aplicativos instalados, e voc&ecirc; executou uma excelente limpeza e ainda continua o problema!
Resumindo: Seu sistema n&atilde;o est&aacute; contaminado por Rootkits, o problema deve ser de hardwares, placa de mem&oacute;ria, placa de v&iacute;deo, ou algum drive icompativel foi instalado.

Answer

Boa  tarde !  #Leandro#

Ent&atilde;o meu post do dia 20/02/2014 totalmente atualizado/editado .

Todos programas e arquivos ao primar est&atilde;o abrindo normal e r&aacute;pido  .

Tamb&eacute;m  rodei  o avira cleanner registrer e o mesmo pegou uma chave da praga baidu  (  para mim  rootkits s&atilde;o sobras de v&aacute;rios softwares; tamb&eacute;m;    s&atilde;o  sobras  de todos  os  programas que n&oacute;s  usu&aacute;rios usamos  no  pc . Infelizmente !   Tipo  um  cookie bem  desenvolvido <  http://www.symantec.com/connect/articles/windows-rootkits-2005-part-one  -   http://en.wikipedia.org/wiki/System_Service_Dispatch_Table ) .   Isto  tamb&eacute;m ajudou muito .  Este software al&eacute;m de limpar chaves dos produtos da alem&atilde; avira; detecta de outros anti virus .  At&eacute;  detectou chaves do avast; que est&aacute; instalado ; l&oacute;gico .

http://www.avira.com/en/download/product/avira-registrycleaner

J&aacute;  sim .   J&aacute;  rodei  o avast  ao reiniciar o windows .  E nada foi encontrado .

De modo  geral  s&oacute;  aguardei  uns 2 dias ( desde o dia 20/02 )  para  ver se os problemas ainda persistiam/voltavam  ( n&atilde;o abria e nem fechava janelas de maneira r&aacute;pida  aqui ); ap&oacute;s as limpezas .   Est&aacute;  normal .                          Caso  encerrado .                Embora tenha  o avast  que bloqueiou um tal de Kickstarter; por&eacute;m n&atilde;o  constou  mais .

:dance::dance:

Obrigado &agrave;  todos pela aten&ccedil;&atilde;o e abra&ccedil;os

Answer

Ok!!

Fa&ccedil;a o procedimento abaixo para desinstalar todos os programas utilizados!

:veja: Baixe o [COLOR=#800080]DelFix[/COLOR] (...de [COLOR=#0000FF]Xplode[/COLOR]) e salve-o no Desktop (&Aacute;rea de Trabalho) 
 
*Execute-o e clique [Run] 
 
*Cole o relat&oacute;rio apresentado

Answer

Boa  tarde !

# DelFix v10.6 - Logfile created 23/02/2014 at 12:34:34
# Updated 11/11/2013 by Xplode
# Username : EDSON - EDSON-PC
# Operating System : Windows 7 Home Basic Service Pack 1 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\Users\EDSON\Downloads\AdwCleaner.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Cleaning system restore ...

Deleted : RP #985 [PS SA AT 2070 CD GER | 02/22/2014 16:10:22]
Deleted : RP #986 [PS SA CD AT 2070 | 02/22/2014 17:58:02]
Deleted : RP #987 [Removed Java 7 Update 51 | 02/23/2014 01:33:14]
Deleted : RP #988 [Installed Java 7 Update 51 | 02/23/2014 02:26:16]
Deleted : RP #989 [PS SA AT 2070 CD GER | 02/23/2014 02:38:52]
Deleted : RP #990 [PS SA AT 2070 | 02/23/2014 14:55:40]

New restore point created !

########## - EOF - ##########

Editando :

Incr&iacute;vel como &eacute; a inform&aacute;tica !!!    Pois ap&oacute;s remover estes pontos de restaura&ccedil;&atilde;o  ( leia - se s&oacute; modificar o sistema ); os  arquivos e pastas est&atilde;o &agrave; demorar para abrir e fechar novamente .

Mesmo  restaurando para o  novo  ponto  criado  pelo  delfix; nada de normalizar .

:fiquei_triste::fiquei_triste::xingamentos::xingamentos:

Vou acompanhar o meu t&oacute;pico todo e  repetir todos  os pro&ccedil;edimentos ; vamos  ver  no que vai  resultar .

Olha que interessante;  cfe.  vou  executando/atualizando o runscanner;  ora consta :

063 autocheck , ora  063 ᐀@ e ora o    063 O .       Vai  alternando estes  arquivos  cfe. &agrave; cada fixada tamb&eacute;m .

>>>>>>>>>>>>>>>>>>> :

Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

General info
------------
Computer name : EDSON-PC
Creation time : 23/02/2014 16:17:02
Hosts  127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 9.11.9600.16518
OS : Windows 7 Home Basic
OS Build : 7601
OS SP : Service Pack 1
RunScanner Version : 2.0.0.60
User Language : Portugu&ecirc;s (Brasil)
User rights : Administrator
Windows folder : C:\Windows

Running processes
-----------------
* C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
* C:\Windows\System32\wininit.exe (Microsoft Corporation)
* C:\Windows\System32\winlogon.exe (Microsoft Corporation)
* C:\Windows\System32\services.exe (Microsoft Corporation)
* C:\Windows\System32\spoolsv.exe (Microsoft Corporation)
* C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
* C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
* C:\Program Files\Comodo\Dragon\dragon_updater.exe
* C:\PROGRA~1\GbPlugin\gbpsv.exe (GAS Tecnologia)
* C:\Windows\System32\dwm.exe (Microsoft Corporation)
* C:\Windows\System32\smss.exe (Microsoft Corporation)
* C:\Program Files\Glary Utilities 4\Integrator.exe (Glarysoft Ltd)
* C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
* C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
* C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
* C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
* C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
* C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
* C:\Program Files\Google\Update\1.3.22.5\GoogleCrashHandler.exe (Google Inc.)
* C:\Windows\System32\SearchIndexer.exe (Microsoft Corporation)
* C:\Program Files\Common Files\Java\Java Update\jusched.exe (Oracle Corporation)
* C:\Windows\System32\lsass.exe (Microsoft Corporation)
* C:\Windows\System32\SearchFilterHost.exe (Microsoft Corporation)
* C:\Windows\System32\SearchProtocolHost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32	askhost.exe (Microsoft Corporation)
* C:\Windows\System32	askhost.exe (Microsoft Corporation)
* C:\Windows\System32\csrss.exe (Microsoft Corporation)
* C:\Windows\System32\csrss.exe (Microsoft Corporation)
* C:\Users\EDSON\Downloadsunscanner.exe (Runscanner.net)
* C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
* C:\Windows\System32\lsm.exe (Microsoft Corporation)
* C:\Windows\explorer.exe (Microsoft Corporation)

Unrated items
-------------
002 * C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
010 * C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (.NET Runtime Optimization Service)
010 * C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Acrobat Update Service)
010 * C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe&reg; Flash&reg; Player Update Service 12.0 r0)
010 * C:\Program Files\AVAST Software\Avast\AvastSvc.exe (avast! Service)
010 * C:\Program Files\Comodo\Dragon\dragon_updater.exe (dragon_updater.exe)
010 * C:\PROGRA~1\GbPlugin\GbpSv.exe (G-Buster Browser Defense - Service)
011 * C:\Windows\system32\drivers\aswRvrt.sys (aswRvrt.sys)
011   C:\Windows\system32\drivers\aswSP.sys (aswSP.sys)
011 * C:\Windows\system32\drivers\aswVmm.sys (aswVmm.sys)
011 * C:\Windows\system32\drivers\aswMonFlt.sys (avast! File System Minifilter for Windows 2003/Vista)
011 * C:\Windows\system32\drivers\aswSnx.sys (avast! Virtualization Driver)
011 * C:\Windows\system32\drivers\aswRdr2.sys (avast! WFP Redirect Driver)
011 * C:\Windows\system32\drivers\gbpkm.sys (GbPlugin Device Driver)
011 * C:\Windows\system32\DRIVERS\gbpndisrd.sys (GbPlugin NDIS Device Driver)
011 * C:\Windows\system32\DRIVERS\gbpndisrd.sys (NdisrdMP)
011 * C:\Windows\system32\drivers\aswStm.sys (Stream Filter)
035 * C:\Program Files\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe (Google Inc.) {8A69D345-D564-463c-AFF1-A69D9E530F96}
041 * C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F}
047   Zone: www.bancobrasil.com.br : *.www.bancobrasil.com.br
047   Zone: www.bb.com.br : *.www.bb.com.br
047   Zone: www14.bancobrasil.com.br : *.www14.bancobrasil.com.br
047   Zone: www2.bancobrasil.com.br : *.www2.bancobrasil.com.br
050 * C:\PROGRAM FILES\GBPLUGIN\gbieh.dll (Banco do Brasil) {E37CB5F0-51F5-4395-A808-5FA49E399F83}
052 * C:\PROGRAM FILES\GBPLUGIN\gbieh.dll (Banco do Brasil) {C41A1C0E-EA6C-11D4-B1B8-444553540000}
052 * C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) {8E5E2654-AD2D-48bf-AC2D-D17F00898D06}
052 * C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
052 * C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) {DBC80044-A445-435b-BC74-9C25C1C588A9}
061 * C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software) {472083B0-C522-11CF-8763-00608CC02F24}
061 * C:\PROGRAM FILES\GBPLUGIN\gbieh.dll (Banco do Brasil) {98C11555-BC81-40aa-A053-DAADC5630000}
061 * C:\PROGRAM FILES\GBPLUGIN\gbieh.dll (Banco do Brasil) {E37CB5F0-51F5-4395-A808-5FA49E399F83}
062 * C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
067 * C:\PROGRAM FILES\GBPLUGIN\gbieh.dll (Banco do Brasil)
073   Adobe Flash Player Updater.job : C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
073   GlaryInitialize 4.job : C:\Program Files\Glary Utilities 4\Initialize.exe (Glarysoft Ltd)
104   GUID / CLSID not found {C3F79A2B-B9B4-4A66-B012-3EE46475B072}
104 * C:\Program Files\Java\jre7\bin\jp2iexp.dll {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA}
104 * C:\Program Files\Java\jre7\bin\jp2iexp.dll {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
104 * C:\Windows\system32\Macromed\Flash\Flash32_12_0_0_70.ocx (Adobe Systems, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000}
105   E&xport to Microsoft Excel : res://C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
105   E&xportar para o Microsoft Excel : res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
105   Se&nd to OneNote : res://C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
173 * C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software) {472083B0-C522-11CF-8763-00608CC02F24}
173 * C:\Program Files\Glary Utilities 4\ContextHandler.dll (Glarysoft Ltd) {B3C418F8-922B-4faf-915E-59BC14448CF7}
221 * C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software) {472083B0-C522-11CF-8763-00608CC02F24}
221 * C:\Program Files\Glary Utilities 4\ContextHandler.dll (Glarysoft Ltd) {B3C418F8-922B-4faf-915E-59BC14448CF7}
223 * C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software) {472083B0-C522-11CF-8763-00608CC02F24}
223 * C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
225 * C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software) {472083B0-C522-11CF-8763-00608CC02F24}
225 * C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software) {472083B0-C522-11CF-8763-00608CC02F24}
225 * C:\Program Files\Glary Utilities 4\ContextHandler.dll (Glarysoft Ltd) {B3C418F8-922B-4faf-915E-59BC14448CF7}
225 * C:\Program Files\Glary Utilities 4\ContextHandler.dll (Glarysoft Ltd) {B3C418F8-922B-4faf-915E-59BC14448CF7}
225 * C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
225 * C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
231 * C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.) PDF Column Info
241 * C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software) {472083B0-C522-11CF-8763-00608CC02F24}
254 * C:\PROGRAM FILES\GBPLUGIN\gbieh.dll (Banco do Brasil) {98C11555-BC81-40aa-A053-DAADC5630000}

Missing files
-------------
032 rdpclip
063 autocheck

Repetindo  todos os  pro&ccedil;edimentos e inclusive com um ponto limpo de restaura&ccedil;&atilde;o ; normalizou !!!

Caso  resolvido .

Abra&ccedil;os

Ferramentas

Mover Tópico