
This topic has been archived and is closed to new replies.

lopesmichelini

[Archived] Log analysis: "Exploit-ByteVerify"


Good morning everyone, I'm quite a layperson on this subject, but I tried to do my best so that you can help me.

:blush:

 

I downloaded HijackThis and clicked "Do a system scan and save a logfile", which returned the following log:

 

-- HijackThis --

Logfile of HijackThis v1.99.1

Scan saved at 09:15:46, on 13/9/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\oracle\ora92\bin\omtsreco.exe

C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIV~1\NETWOR~1\COMMON~1\naPrdMgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Notes\psnotes.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

C:\WINDOWS\system32\notepad.exe

C:\HijackThis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll

O2 - BHO: WTBho Class - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINDOWS\Downloaded Program Files\gbiehCef.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [babylon Client] C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe -AutoStart

O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\Fabiola\CONFIG~1\Temp\MsgPlusUninstall.exe" /Cleanup

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [googletalk] "C:\Arquivos de programas\Google\Google Talk\googletalk.exe" /autostart

O4 - Startup: psnotes.exe.lnk = C:\Arquivos de programas\Notes\psnotes.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxpt021YYBR

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{08389CFF-FB37-4DE4-AC19-7798DDC0B6E9}: NameServer = 200.204.0.138,200.204.0.38

O17 - HKLM\System\CS1\Services\Tcpip\..\{08389CFF-FB37-4DE4-AC19-7798DDC0B6E9}: NameServer = 200.204.0.138,200.204.0.38

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Apache - Unknown owner - C:\Arquivos de programas\Apache Group\Apache\Apache.exe" --ntservice (file missing)

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Serviço McAfee Framework (McAfeeFramework) - Unknown owner - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe

O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE

O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Arquivos de programas\Registry Defragmentation\RegManServ.exe (file missing)

O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Arquivos de programas\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

 

-- end --

 

 

-- Panda online log --

Incident Status Location

 

Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf

Potentially unwanted tool:application/altnet Not disinfected c:\program files\Altnet

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-64aacf3f.zip[blackBox.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-64aacf3f.zip[VerifierBug.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-64aacf3f.zip[Dummy.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-64aacf3f.zip[beyond.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-40f122a5-7b764f88.zip[blackBox.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-40f122a5-7b764f88.zip[VerifierBug.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-40f122a5-7b764f88.zip[Dummy.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-40f122a5-7b764f88.zip[beyond.class]

-- end --

 

 

Note: I ran a cleanup with CCleaner.

I ran VirusScan and it found nothing; however, a VirusScan message window appears saying that several viruses were found, like...

 

Several files...

 

Beyond.class

BlackBox.class

Dummy.class

VerifierBug.class

 

Showing as detected: "Exploit-ByteVerify".

 

In the folders C:\Documents and Settings\Fabiola\Configurações locais\Temp\AAWTMP\(several files)

This temp folder comes back even after it has been deleted.

 

Guys, I don't know what to do, please help me.

This message keeps appearing constantly.

 

:wacko: :upset:

Thank you.

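As an added triage aid (my code, not something posted in the thread), the script below parses report lines in the layout of the Panda scan quoted above and groups the hits by the file or archive that holds them; the sample lines are copied from the post, while the status tuple and the Java-cache path fragment are assumptions.

```python
import re

# Constructed sample in the "Incident  Status  Location" layout of the Panda
# report quoted in the post; the lines are copied from that report.
SAMPLE_REPORT = r"""
Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-64aacf3f.zip[blackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-367f7d2e-64aacf3f.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Fabiola\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-40f122a5-7b764f88.zip[Dummy.class]
"""

# Status strings in the report; only "Not disinfected" appears in the post (assumption: add others if needed).
STATUSES = ("Not disinfected",)
# The location column starts at the first "<drive>:\" token on the line.
LOCATION_RE = re.compile(r"^(?P<head>.+?)\s+(?P<location>[A-Za-z]:\\.+)$")
# A hit inside an archive is written as <container>[<member>].
MEMBER_RE = re.compile(r"^(?P<container>.+?)\[(?P<member>[^\]]+)\]$")

def parse_line(line):
    """Return (incident, status, container, member) or None for non-report text."""
    m = LOCATION_RE.match(line.strip())
    if not m:
        return None
    head, location = m.group("head"), m.group("location")
    for status in STATUSES:
        if head.endswith(" " + status):
            incident = head[: -len(status) - 1]
            break
    else:
        return None
    mm = MEMBER_RE.match(location)
    if mm:
        return incident, status, mm.group("container"), mm.group("member")
    return incident, status, location, None

def group_by_container(report):
    """Map each file (or archive) to the (incident, member) hits found inside it."""
    groups = {}
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed:
            incident, _, container, member = parsed
            groups.setdefault(container, []).append((incident, member))
    return groups

def java_cache_containers(groups):
    """Containers under the Sun Java deployment cache (assumed path fragment)."""
    marker = "\\sun\\java\\deployment\\cache\\"
    return sorted(c for c in groups if marker in c.lower())
```

Grouping makes it plain that the ByteVerify hits are class members of two cached JARs in the Java deployment cache, not loose files on disk.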

Hi lopesmichelini,

 

Exploit ByteVerify leaves no traces in HijackThis, so it is necessary to run an online scan that removes it.

 

Run TrendMicro's Housecall and come back with the result.

 

Regards.


TOPIC ARCHIVED

 

Since the author has not replied for more than 20 days, the topic has been archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of the area together with the link to this topic and explain the reason for reopening.
