
DLL files infected with a virus

Discussion in 'Questions and Support—Internet, Networks, Security' started by andrelima, 27 March 2007. (Replies: 11; Views: 21637)

  1. Lately I've noticed that my PC wasn't right: first it started getting slow, and second it started rebooting on its own. I ran several scans and all of them told me it was infected by winlogon.exe, but some DLL files in the windows\system32 folder also showed up in the scans as viruses. The DLL files are espkeblokgri.dll and nbmkqsyhwqmc.dll; unfortunately I can't delete either of them. I'd like to know if anyone can help me.

    On the VirusTotal page I scanned the files and the result was the following: espkeblokgri.dll


    Antivirus Version Update Result
    AhnLab-V3 2007.3.27.0 03.26.2007 Win-Trojan/Xema.variant
    AntiVir 7.3.1.44 03.26.2007 TR/WinLogonHook.D.4
    Authentium 4.93.8 03.26.2007 W32/Downloader.BETZ
    Avast 4.7.936.0 03.25.2007 Win32:Trojan-gen. {Other}
    AVG 7.5.0.447 03.26.2007 Clicker.EGY
    BitDefender 7.2 03.27.2007 Trojan.WinLogonHook.D
    CAT-QuickHeal 9.00 03.26.2007 TrojanDownloader.Delf.amb
    ClamAV devel-20070312 03.27.2007 Trojan.Downloader-3238
    DrWeb 4.33 03.26.2007 Trojan.DownLoader.19262
    eSafe 7.0.14.0 03.26.2007 no virus found
    eTrust-Vet 30.6.3512 03.26.2007 no virus found
    Ewido 4.0 03.25.2007 Hijacker.BHO.naj
    FileAdvisor 1 03.27.2007 no virus found
    Fortinet 2.85.0.0 03.26.2007 no virus found
    F-Prot 4.3.1.45 03.26.2007 W32/Downloader.BETZ
    F-Secure 6.70.13030.0 03.26.2007 Trojan-Downloader.Win32.Delf.amb
    Ikarus T3.1.1.3 03.26.2007 Trojan.WinlogonHook.D
    Kaspersky 4.0.2.24 03.27.2007 Trojan-Downloader.Win32.Delf.amb
    McAfee 4992 03.26.2007 no virus found
    Microsoft 1.2306 03.27.2007 no virus found
    NOD32v2 2145 03.26.2007 Win32/TrojanClicker.BHO.NAJ
    Norman 5.80.02 03.23.2007 W32/Delf.ACVW
    Panda 9.0.0.4 03.27.2007 Suspicious file
    Prevx1 V2 03.27.2007 no virus found
    Sophos 4.15.0 03.23.2007 no virus found
    Sunbelt 2.2.907.0 03.24.2007 no virus found
    Symantec 10 03.27.2007 no virus found
    TheHacker 6.1.6.080 03.23.2007 no virus found
    UNA 1.83 03.16.2007 TrojanDownloader.Win32.Delf.1DA7
    VBA32 3.11.2 03.26.2007 suspected of Trojan-Downloader.Delf.2
    VirusBuster 4.3.7:9 03.26.2007 Trojan.WinlogonHook.Gen
    Webwasher-Gateway 6.0.1 03.26.2007 Trojan.WinLogonHook.D.4

    Aditional Information
    File size: 71223 bytes
    MD5: febe42f165c8bad131ddb69c8627e95c
    SHA1: f8a95bfeeff27009cf2c0e6fe864cfc9b692e080
    packers: UPX
    packers: UPX


    the result for nbmkqsyhwqmc.dll

    Antivirus Version Update Result
    AhnLab-V3 2007.3.27.0 03.26.2007 Win-Trojan/Xema.variant
    AntiVir 7.3.1.44 03.26.2007 TR/WinLogonHook.D.4
    Authentium 4.93.8 03.26.2007 W32/Downloader.BETZ
    Avast 4.7.936.0 03.25.2007 Win32:Trojan-gen. {Other}
    AVG 7.5.0.447 03.26.2007 Clicker.EGY
    BitDefender 7.2 03.27.2007 Trojan.WinLogonHook.D
    CAT-QuickHeal 9.00 03.26.2007 TrojanDownloader.Delf.amb
    ClamAV devel-20070312 03.27.2007 Trojan.Downloader-3238
    DrWeb 4.33 03.26.2007 Trojan.DownLoader.19262
    eSafe 7.0.14.0 03.26.2007 no virus found
    eTrust-Vet 30.6.3512 03.26.2007 no virus found
    Ewido 4.0 03.25.2007 Hijacker.BHO.naj
    FileAdvisor 1 03.27.2007 no virus found
    Fortinet 2.85.0.0 03.26.2007 no virus found
    F-Prot 4.3.1.45 03.26.2007 W32/Downloader.BETZ
    F-Secure 6.70.13030.0 03.26.2007 Trojan-Downloader.Win32.Delf.amb
    Ikarus T3.1.1.3 03.26.2007 Trojan.WinlogonHook.D
    Kaspersky 4.0.2.24 03.27.2007 Trojan-Downloader.Win32.Delf.amb
    McAfee 4992 03.26.2007 no virus found
    Microsoft 1.2306 03.27.2007 no virus found
    NOD32v2 2145 03.26.2007 Win32/TrojanClicker.BHO.NAJ
    Norman 5.80.02 03.23.2007 W32/Delf.ACVW
    Panda 9.0.0.4 03.27.2007 Suspicious file
    Prevx1 V2 03.27.2007 no virus found
    Sophos 4.15.0 03.23.2007 no virus found
    Sunbelt 2.2.907.0 03.24.2007 no virus found
    Symantec 10 03.27.2007 no virus found
    TheHacker 6.1.6.080 03.23.2007 no virus found
    UNA 1.83 03.16.2007 TrojanDownloader.Win32.Delf.1DA7
    VBA32 3.11.2 03.26.2007 suspected of Trojan-Downloader.Delf.2
    VirusBuster 4.3.7:9 03.26.2007 Trojan.WinlogonHook.Gen
    Webwasher-Gateway 6.0.1 03.26.2007 Trojan.WinLogonHook.D.4

    Aditional Information
    File size: 71223 bytes
    MD5: 2a85fb168edf3f88ecee7c085399a32e
    SHA1: f1cb2a3de150d2b8e8e2a4fb29b982db12618f03
    packers: UPX
    packers: UPX
    packers: UPX


    Can anyone help me?!
    Thanks
     
  2. DavidJamez

    DavidJamez Power Member

    Use Killbox and have it do a "delete on reboot" on those DLL files; that way they should no longer be loaded by winlogon. After you reboot, run a scan with HijackThis and post the log here.
     


  3. I tried to run the scan with HijackThis, but when I open it, it closes right away; there's no time to do anything. I tried searching the net for another HijackThis, since I thought I might have an outdated version, but as soon as the results page opens the window closes. I tried everything but couldn't manage. Is there anything else I can do?
     
    Last edited: 28 March 2007
  4. DavidJamez

    DavidJamez Power Member

    If HijackThis closes on its own, it's because there is some process in memory forcing it to close. Try doing that in Safe Mode to see whether the problem persists.
    I assume you've already deleted the DLLs with Killbox, right?
     
  5. luikki

    luikki Power Member

    If HJT closes on its own, it means it's badly infected!
    Here are instructions on how to fix it.....
     

  6. I managed to open HijackThis; here's the log


    Logfile of HijackThis v1.99.1
    Scan saved at 12:53:23, on 28-03-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [CTAvTray] C:\Programas\Creative\SBLive\Program\CTAvTray.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunOnce: [CTAVTray] C:\Programas\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168895376031
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: espkeblokgri - C:\WINDOWS\system32\espkeblokgri.dll (file missing)
    O20 - Winlogon Notify: nbmkqsyhwqmc - C:\WINDOWS\system32\nbmkqsyhwqmc.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
     
    Last edited: 28 March 2007
  7. DavidJamez

    DavidJamez Power Member

    O20 - Winlogon Notify: espkeblokgri - C:\WINDOWS\system32\espkeblokgri.dll (file missing)
    O20 - Winlogon Notify: nbmkqsyhwqmc - C:\WINDOWS\system32\nbmkqsyhwqmc.dll (file missing)

    Remove these 2 and reboot.
    Then try opening HijackThis again. If it closes on its own again, there's probably some rootkit in there.
     

  8. Now I can't find those 2 files, but I can open HijackThis now. I ran the scan and the log seems to be the same


    Logfile of HijackThis v1.99.1
    Scan saved at 14:15:03, on 28-03-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programas\Creative\SBLive\Program\CTAvTray.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programas\Alwil Software\Avast4\ashWebSv.exe
    C:\Programas\MSN Messenger\usnsvc.exe
    C:\Programas\eMule\emule.exe
    C:\Programas\Mozilla Firefox\firefox.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.128.10:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [CTAvTray] C:\Programas\Creative\SBLive\Program\CTAvTray.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunOnce: [CTAVTray] C:\Programas\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168895376031
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: espkeblokgri - C:\WINDOWS\system32\espkeblokgri.dll (file missing)
    O20 - Winlogon Notify: nbmkqsyhwqmc - C:\WINDOWS\system32\nbmkqsyhwqmc.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


    Do I have to do anything else?!
    Thanks again
     
  9. DavidJamez

    DavidJamez Power Member

    Those 2 lines I asked you to remove came back, but since the DLLs in question have already been deleted, I'd suggest you leave it like that.
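    The two O20 lines discussed in posts 7 and 9 are HijackThis's view of the Winlogon notification-package registry key: each subkey names a DLL that winlogon.exe loads at logon, which is why the DLLs kept reloading until Killbox removed them on reboot, and why the registry entries still show up as "(file missing)" afterwards. The script below is an added example written for this page, not code from the thread or from HijackThis. It parses O20 lines, flags any package that is not on a short allowlist of stock Windows XP notification packages (the allowlist is an assumption of the example and should be checked against a clean build), flags orphaned entries that point at a DLL no longer on disk, and reports which entries survived between two logs. The sample lines reuse the two entries from the posted logs; the crypt32chain line is a constructed stock entry added for contrast.

```python
import re

# Stock Windows XP Winlogon notification packages. This allowlist is an
# assumption made for the example; compare it against a clean build of the
# same service pack before relying on it.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Registry location that HijackThis reports as "O20 - Winlogon Notify".
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def parse_o20(line):
    """Return (subkey name, DLL path, file_missing) for an O20 line, else None."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), m.group("path"), m.group("missing") is not None


def notify_key(name):
    """Registry subkey that holds the DllName value for a notification package."""
    return NOTIFY_KEY + "\\" + name


def triage_o20(log_text):
    """Flag O20 entries that are not stock packages or whose DLL is gone."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o20(line)
        if parsed is None:
            continue  # only the Winlogon Notify section is of interest here
        name, path, missing = parsed
        reasons = []
        if name.lower() not in KNOWN_NOTIFY:
            reasons.append("not a stock notification package")
        if missing:
            reasons.append("orphaned entry: DLL no longer on disk, remove " + notify_key(name))
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


def persistent_o20(before, after):
    """Names of O20 entries present in both logs, i.e. the ones that survived cleanup."""
    def names(text):
        return {p[0] for p in map(parse_o20, text.splitlines()) if p}
    return sorted(names(before) & names(after))


# Constructed sample: the espkeblokgri/nbmkqsyhwqmc lines are taken from the
# logs posted in this thread; the crypt32chain line is a constructed stock entry
# added for contrast, and the O23 line shows that other sections are ignored.
LOG_BEFORE = r"""
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: espkeblokgri - C:\WINDOWS\system32\espkeblokgri.dll (file missing)
O20 - Winlogon Notify: nbmkqsyhwqmc - C:\WINDOWS\system32\nbmkqsyhwqmc.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# The second scan in the thread showed the same two entries again.
LOG_AFTER = LOG_BEFORE

if __name__ == "__main__":
    for f in triage_o20(LOG_BEFORE):
        print(f["name"], "->", f["path"])
        for r in f["reasons"]:
            print("   ", r)
    print("survived cleanup:", persistent_o20(LOG_BEFORE, LOG_AFTER))
```

    Run it as-is to see the two orphaned entries reported with the registry subkey that still references them; a stock package such as crypt32chain is left alone. Because HijackThis v1.99 only removes what it can fix at scan time, the subkeys can reappear on the next scan exactly as described in post 9, and deleting the subkey under the Notify key is the clean way to finish the job once the DLL itself is gone.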
     

  10. OK, but can you tell me whether the rest is fine, or at least seems to be?!
    Thanks again
     
  11. DavidJamez

    DavidJamez Power Member

    Nothing else dangerous to report.
     
  12. OK
    Thanks once again
     
