[Arquivado]Log do Hijackthis pra análise

Lord Undertaker · Novembro 19, 2007

Envio, abaixo log do Hijackthis da minha máquina.

Agradeço desde já a atenção dispensada.

Logfile of HijackThis v1.99.1

Scan saved at 14:32:02, on 19/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe

C:\WINDOWS\system32\_svchost.exe

C:\WINDOWS\system32\~tmp8918.exe

C:\SiteClient\clisvc.exe

C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\SiteClient\SiteCli.exe

C:\WINDOWS\system32\_svchost.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Real\RealPlayer\RealPlay.exe

C:\Arquivos de programas\Avant Browser\avant.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Arquivos de programas\UltraVNC\vncviewer.exe

F:\2xExplorer.exe

C:\Arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Documents and Settings\Sandro\Desktop\Sandro\Bases e Backups\Backups clientes diversos\guaiba86\URGMHOSP.EXE

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\ViRobot NT\vrmonsvc.exe

C:\Arquivos de programas\ViRobot NT\VRMONNT.EXE

F:\RGM\RGM SIG - Poa\umCAUw.EXE

C:\Documents and Settings\Sandro\Desktop\Sandro\Variedades\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rgmdobrasil.com.br/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128

R3 - URLSearchHook: Nexus Radio Toolbar - {2462d2d8-b36e-44ab-84bf-c5a9383d2429} - C:\Arquivos de programas\Nexus_Radio\tbNexu.dll (file missing)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Nexus Radio Toolbar - {2462d2d8-b36e-44ab-84bf-c5a9383d2429} - C:\Arquivos de programas\Nexus_Radio\tbNexu.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Nexus Radio Toolbar - {2462d2d8-b36e-44ab-84bf-c5a9383d2429} - C:\Arquivos de programas\Nexus_Radio\tbNexu.dll (file missing)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [\\RGM-11\EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P32 "\\RGM-11\EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [siteClient] C:\SiteClient\SiteCli.exe

O4 - HKLM\..\Run: [Vrmon] C:\Arquivos de programas\ViRobot NT\vrmonnt.exe Main

O4 - HKLM\..\Run: [VrSchedule] C:\Arquivos de programas\ViRobot NT\Vrres.exe

O4 - HKLM\..\Run: [initClient] C:\SiteClient\InitCli.exe

O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\system32\_svchost.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Arquivos de programas\Privacy Guardian\PgIndex.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Arquivos de programas\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [Privacy Guardian] C:\Arquivos de programas\Privacy Guardian\pg.exe /clean

O4 - HKCU\..\RunOnce: [PGhist] C:\Arquivos de programas\Privacy Guardian\PgHist.exe WinguidesPG

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{B9F5F6CA-5554-448F-8943-1E34FA72FBBD}: NameServer = 192.168.0.254,0.0.0.0

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe

O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe

O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\system32\_svchost.exe

O23 - Service: Microsoft Internet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe

O23 - Service: Provisioning Transaction Service (pangupan) - Unknown owner - C:\WINDOWS\system32\~tmp8918.exe

O23 - Service: PostgreSQL (pgsql-8.1) - Unknown owner - C:\Arquivos de programas\PostgreSQL\8.1\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "C:\Arquivos de programas\PostgreSQL\8.1\data\ (file missing)

O23 - Service: SiteClient Service for VMS (SiteClientService) - Unknown owner - C:\SiteClient\clisvc.exe

O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Arquivos de programas\ViRobot NT\vrmonsvc.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\UltraVNC\WinVNC.exe" -service (file missing)

Obrigado pela ajuda!

Lord Undertaker

Sam Spade · Novembro 19, 2007

Olá Lord Undertaker! Faça o download do SDFix:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Salve-o em sua área de trabalho. Dê um duplo clique no SDFix.exe e a ferramenta será instalada em %SystemDrive%\SDFix (geralmente C:\SDFix)

Reinicie o PC e aperte F8 intermitentemente. No menu escolha: modo seguro.

Entre na pasta SDFix que foi instalada no seu computador e dê um duplo clique no arquivo RunThis.bat
Tecle Y para que a ferramenta inicie o processo de remoção
Quando tudo terminar, você verá um aviso dizendo para apertar qualquer tecla para continuar. Ao pressionar qualquer tecla, o computador será reiniciado automaticamente
Após reiniciar, a ferramenta ainda será executada novamente e irá terminar o seu trabalho e a palavra Finished irá aparecer. Pressione qualquer tecla.
Uma janela com o relatório do SDFix irá aparecer.
Copie e cole este relatório na sua resposta. Caso você tenha fechado a janela, uma cópia do relatório estará na pasta SDFix com o nome Report.txt
Poste também um novo log do HijackThis.

Lord Undertaker · Novembro 19, 2007

Agradeço muitíssimo o apoio, espero um dia estar em condições de auxiliar outras pessoas, que assim como eu, tem interesse nesta área do conhecimento humano, tão fascinante, que é a informática...

Vocês fazem um belo Trabalho!!!

Muito obrigado!

:natal_w00t:

Lord Undertaker · Novembro 21, 2007

Boa tarde!

De acordo com as orientações recebidas, envio o Report do SDFix e novo log do HijackThis...

Posso garantir que minha máquina está muito melhor e sem os sintomas que vinham se manifestando.

Report SDFix

SDFix: Version 1.115

Run by Sandro on 21/11/2007 at 11:34

Microsoft Windows XP [versÆo 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Name:

Microsoft Internet Explorer

Path:

C:\WINDOWS\system32\_svchost.exe -A

Microsoft Internet Explorer - Deleted

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting...

Normal Mode:

Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\_SVCHOST.EXE - Deleted

C:\Documents and Settings\Sandro\ie_update3r.exe - Deleted

C:\WINDOWS\system32\~.exe - Deleted

C:\WINDOWS\system32\1.exe - Deleted

C:\WINDOWS\system32\3.exe - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS

No streams found.

C:\WINDOWS\system32

No streams found.

C:\WINDOWS\system32\svchost.exe

No streams found.

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-21 11:39:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services:

------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"="C:\\Arquivos de programas\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\\WINDOWS\\system32\\~tmp8918.exe"="C:\\WINDOWS\\system32\\~tmp8918.exe:*:Enabled:Microsoft ® Internetal IExplore"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:

---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 13 Nov 2007 83,456 ...H. --- "C:\Documents and Settings\Sandro\Desktop\~WRL0315.tmp"

Finished!

________________________________________________________________________________

____

Log HijackThis

Logfile of HijackThis v1.99.1

Scan saved at 13:44:54, on 21/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbguard.exe

C:\WINDOWS\system32\~tmp8918.exe

C:\SiteClient\clisvc.exe

C:\Arquivos de programas\ViRobot NT\vrmonsvc.exe

C:\Arquivos de programas\Firebird\Firebird_2_0\bin\fbserver.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\SiteClient\SiteCli.exe

C:\Arquivos de programas\ViRobot NT\vrmonnt.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Avant Browser\avant.exe

C:\Arquivos de programas\UltraVNC\vncviewer.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Documents and Settings\Sandro\Desktop\Sandro\Variedades\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rgmdobrasil.com.br/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128

R3 - URLSearchHook: Nexus Radio Toolbar - {2462d2d8-b36e-44ab-84bf-c5a9383d2429} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Nexus Radio Toolbar - {2462d2d8-b36e-44ab-84bf-c5a9383d2429} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Nexus Radio Toolbar - {2462d2d8-b36e-44ab-84bf-c5a9383d2429} - (no file)