julio-rs  Posted September 25, 2008

...I've already tried removing it every way I can think of and I can't. If anyone knows how to solve this, please help. I ran ComboFix (a friend's suggestion); before that I ran SmitfraudFix, which fixed some problems (it removed something called Smart 2009 Antivirus and other junk that the virus/trojan had installed, and I could also see several folders again that had disappeared). Then ComboFix kept freezing the machine (I think some kind of conflict, because it froze and showed a blue screen about a kernel error), so I had to run it in Safe Mode. After running it I did another scan with HijackThis. Here are the logs:

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 13:01, on 2008-09-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Arquivos de programas\EzBackup\EZ-Backup Manager\EzBackup.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Júlio\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.Microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.Microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.Microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {644D9331-F010-4A1A-99B1-6D2F04622803} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [spywareTerminator] "C:\Arquivos de programas\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iSUSPM] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: & Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.Microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F41244E-D4FF-4812-9951-63063E084C18}: NameServer = 200.176.2.10,200.176.2.11
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de programas\Windows Live Mail desktop\mailcomm.dll
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: EZ-Backup Manager - Unknown owner - C:\Arquivos de programas\EzBackup\EZ-Backup Manager\EzBackup.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Arquivos de programas\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

and the Combofix.txt log:

ComboFix 08-09-20.05 - Júlio 2008-09-23 12:10:00.4 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Júlio\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\fqbewlna.dll
C:\WINDOWS\system32\casino1.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mlJAtqRj.dll
C:\WINDOWS\system32\nnnnOfdE.dll
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\rqRlIywX.dll
C:\WINDOWS\system32\ssqOIcyX.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\wpcap.dll
C:\Documents and Settings\Júlio\Dados de aplicativos\inst.exe . . . . deletion failed

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 ))))))))))))))))))))))))))))))))
.

2008-09-21 23:34 . 2008-09-21 23:35 <DIR> d-------- C:\!KillBox
2008-09-18 13:35 . 2008-09-18 13:35 <DIR> d-------- C:\Arquivos de programas\Alwil Software
2008-09-18 02:03 . 2008-09-18 02:03 <DIR> d-------- C:\VundoFix Backups
2008-09-18 01:15 . 2008-09-18 01:15 3,112 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-18 00:42 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-09-18 00:42 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-09-18 00:42 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-18 00:42 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-09-18 00:42 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-09-18 00:42 . 2008-09-15 18:51 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-09-18 00:42 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-09-18 00:42 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-09-18 00:42 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-09-18 00:42 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-09-13 13:17 . 2007-04-16 20:54 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos
2008-09-13 13:17 . 2007-03-19 15:00 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos
2008-09-13 13:17 . 2007-03-19 15:00 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar
2008-09-13 13:17 . 2007-03-19 15:00 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos
2008-09-13 13:17 . 2007-03-19 15:00 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos
2008-09-13 13:17 . 2008-09-13 13:17 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais
2008-09-13 13:17 . 2007-03-19 15:00 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede
2008-09-13 13:17 . 2007-03-19 15:00 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão
2008-09-13 13:16 . 2008-09-13 13:17 <DIR> d-------- C:\Documents and Settings\Administrador
2008-09-09 11:55 . 2008-09-09 11:55 <DIR> d-------- C:\Arquivos de programas\Bonjour
2008-09-09 11:45 . 2008-09-09 11:45 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Macrovision Shared

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 15:21 622,624 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-23 15:21 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab
2008-09-23 15:20 4,256 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-23 02:43 4,110,880 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-23 02:43 34,244 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-22 02:22 --------- d-----w C:\Arquivos de programas\Spyware Terminator
2008-09-22 01:36 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Spyware Terminator
2008-09-14 18:49 --------- d-----w C:\Arquivos de programas\Orbitdownloader
2008-09-11 20:38 --------- d-----w C:\Arquivos de programas\Elaborate Bytes
2008-09-09 16:47 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe
2008-09-09 14:39 --------- d-----w C:\Arquivos de programas\GbPlugin
2008-08-22 14:38 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin
2008-08-18 20:58 --------- d-----w C:\Arquivos de programas\UseNeXT
2008-08-07 00:41 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-07-27 20:08 --------- d-----w C:\Arquivos de programas\RealFlightG4
2008-07-27 01:10 --------- d-----w C:\Arquivos de programas\Arquivos comuns\KnifeEdge
2008-07-26 17:52 --------- d-----w C:\Arquivos de programas\Java
2008-07-24 01:49 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2007-06-25 23:24 8 --sh--r C:\WINDOWS\system32\E9AD73DF8B.sys
.

Awaiting instructions. Thanks in advance.
[]'s
Julio
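Added example, not part of the original post and not code from HijackThis or ComboFix: a small Python triage script that applies, to lines of a HijackThis 1.99 log, the checks a helper on this kind of thread does by eye. The review triggers are the editor's own choice (entries whose file is missing, nameless browser extensions, every Winlogon Notify DLL, an LSP the tool does not recognise, the O17 name servers, autostart commands given without a full path, services with no vendor string); they are prompts to look, not verdicts. The sample lines are copied from the log above.

```python
"""Triage heuristics for HijackThis 1.99 log lines.

Added example for this thread, not code from HijackThis or from the post.
The flags are review triggers chosen by the editor, not verdicts.
"""
import re
from dataclasses import dataclass

# A few entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {644D9331-F010-4A1A-99B1-6D2F04622803} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F41244E-D4FF-4812-9951-63063E084C18}: NameServer = 200.176.2.10,200.176.2.11
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
"""

# "R3 - body", "O23 - body": section code, then the rest of the entry.
ENTRY_RE = re.compile(r"^(?P<code>[RFN]\d|O\d{1,2}) - (?P<body>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O20"
    reason: str  # why a human should look at this entry
    line: str    # the log line as written


def triage_line(line):
    """Return the Findings raised by one log line (empty list if none)."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return []  # header, process list, blank line
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    reasons = []
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("points at a file not on disk: orphaned entry, or a path the tool could not parse")
    if code in ("O2", "O3", "O9") and "(no name)" in low:
        reasons.append("browser extension registered without a name")
    if code == "O20":
        reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at logon; verify the file and its signer")
        if not low.endswith(".dll"):  # e.g. a path that stops at a directory
            reasons.append("path does not end in a DLL name, resolve it by hand")
    if code == "O10":
        reasons.append("Winsock LSP not in the tool's known-good list; identify the vendor before removing")
    if code == "O17" and "nameserver" in low:
        servers = ", ".join(IP_RE.findall(body))
        reasons.append("DNS servers are %s; confirm with the ISP that they are its resolvers" % servers)
    if code == "O4":
        # body looks like 'HKLM\..\Run: [Name] command'; take the command part
        cmd = re.match(r"\[[^\]]*\]\s*(.*)", body.split(": ", 1)[-1])
        if cmd and not DRIVE_RE.match(cmd.group(1).strip().strip('"')):
            reasons.append("autostart command has no full path, so it is resolved via PATH; locate the real binary")
    if code == "O23" and "unknown owner" in low:
        reasons.append("service binary carries no vendor information")
    return [Finding(code, r, line.strip()) for r in reasons]


def triage(log_text):
    """Run triage_line over a whole log and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings):
    """Count findings per section code, e.g. {'O2': 2, 'O20': 3}."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (f.code, f.reason, f.line))
    print(summarize(triage(SAMPLE_LOG)))
```

A flag means "look at this by hand", nothing more. On the sample above the Kaspersky O23 line is flagged twice, but the "(file missing)" there follows a stray quote in the recorded path, so it needs checking rather than deleting; the WgaLogon O20 entry is flagged because the path as posted stops at C:\WINDOWS\ and the DLL cannot be identified from the log alone; and the O17 check only lists the addresses, since whether 200.176.2.10 and 200.176.2.11 are the user's ISP resolvers can only be confirmed with the ISP.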
PedroN  Posted September 26, 2008

- In Run, type combofix /u, click OK and wait for ComboFix to be uninstalled.
- Run ComboFix again.
Mário Monteiro  Posted October 26, 2008

Topic Archived

Since the author did not reply for more than 30 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening.