Archived

This topic has been archived and is closed to new replies.

VeLLkan

[Solved!] HijackThis for analysis


Some web pages show:

................................................................................

" ACCESS DENIED The requested URL could not be retrieved "

" The requested object is forbidden "

" Generated Sun Nov 30 14:54:09 2008 by Kaspersky Internet Security 7.0 "

................................................................................

It all started after I clicked a bad link on Orkut.

I hope you can help me.

Hugs

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:39:05, on 30/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Free Desktop Clock\DesktopClock.exe

C:\Arquivos de programas\RK Launcher\RKLauncher.exe

C:\WINDOWS\Alt+Q Hotkey.exe

C:\Arquivos de programas\UberIcon\UberIcon Manager.exe

C:\Arquivos de programas\WinRoll\winroll.exe

C:\Arquivos de programas\YzShadow\YzShadow.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\HiJackThis\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ig.com.br/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\ARQUIV~1\IDA\idaiehlp.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.6.26.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL (file missing)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Arquivos de programas\Webshots\WSToolbar4IE.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: IDA Bar - {C70E30C7-140A-4166-A2E8-43557E62B41A} - C:\Arquivos de programas\IDA\idabar.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL (file missing)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [RaidTool] C:\Arquivos de programas\VIA\RAID\raid_t

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

O4 - HKLM\..\Run: [system Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skinClock] C:\Arquivos de programas\Free Desktop Clock\DesktopClock.exe

O4 - HKCU\..\Run: [RK Launcher] C:\Arquivos de programas\RK Launcher\RKLauncher.exe

O4 - HKCU\..\Run: [Alt+Q Hotkey Tool] C:\WINDOWS\Alt+Q Hotkey.exe

O4 - HKCU\..\Run: [uberIcon] "C:\Arquivos de programas\UberIcon\UberIcon Manager.exe"

O4 - HKCU\..\Run: [WinRoll] C:\Arquivos de programas\WinRoll\winroll.exe

O4 - HKCU\..\Run: [Yz Shadow] C:\Arquivos de programas\YzShadow\YzShadow.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Webshots Photo Search - res://C:\Arquivos de programas\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Anti-Banner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm

O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download ALL with IDA - C:\Arquivos de programas\IDA\idaieall.htm

O8 - Extra context menu item: Download with IDA - C:\Arquivos de programas\IDA\idaie.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Arquivos de programas\IDA\ida.exe

O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Arquivos de programas\IDA\ida.exe

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: wbsys.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\ARQUIV~1\KASPER~1\KASPER~1.0\adialhk.dll

O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: License Management Service ESD - Unknown owner - C:\Arquivos de programas\Arquivos comuns\element5 Shared\Service\Licence Manager ESD.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

 

--

End of file - 7854 bytes

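A HijackThis log is an inventory of autostart and browser-extension points, not a verdict, and the reviewer's first pass over it is mechanical. The script below is an added example, not part of this thread and not code from HijackThis; it runs that first pass over a handful of lines copied from the log above. It pulls out entries whose file no longer exists, Run values and AppInit_DLLs entries given as a bare file name (the loader finds those through the search order, so the file that actually runs has to be confirmed on disk), Winsock LSPs, services with no publisher string, and CLSIDs registered under more than one section. The regexes, bucket names and sample subset are the example's own; the log lines themselves are unchanged.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of lines copied from the HijackThis log
# posted above. In practice read the whole hijackthis.log into log_text.
SAMPLE_LOG = r"""
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [Alt+Q Hotkey Tool] C:\WINDOWS\Alt+Q Hotkey.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: wbsys.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\ARQUIV~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: License Management Service ESD - Unknown owner - C:\Arquivos de programas\Arquivos comuns\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# O4 body shape:  HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]*)\] (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """(section, body) for every Ox/Rx/Fx/Nx line; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Sort HijackThis entries into the buckets a reviewer checks first."""
    buckets = defaultdict(list)
    clsid_sections = defaultdict(set)
    for section, body in parse_entries(log_text):
        # Registry still points at a file that is gone: a leftover, not evidence of infection.
        if "(file missing)" in body or "(no file)" in body:
            buckets["orphaned"].append(f"{section} - {body}")
        # Run value with no path: resolved via the search order, so confirm which file runs.
        if section == "O4":
            m = O4_RE.match(body)
            if m and "\\" not in m.group(2):
                buckets["search_path_run"].append((m.group(1), m.group(2)))
        # Every DLL in AppInit_DLLs is loaded into each process that links user32.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].split(","):
                dll = dll.strip()
                if dll:
                    buckets["appinit_dlls"].append(dll)
                    if "\\" not in dll:
                        buckets["appinit_bare_name"].append(dll)
        # Layered Service Providers sit in the path of every socket call.
        if section == "O10":
            buckets["winsock_lsp"].append(body)
        # Services whose binary carries no publisher string.
        if section == "O23" and "Unknown owner" in body:
            buckets["unknown_owner"].append(body)
        for clsid in CLSID_RE.findall(body):
            clsid_sections[clsid.upper()].add(section)
    # The same CLSID registered under more than one section (e.g. BHO and toolbar).
    for clsid, sections in sorted(clsid_sections.items()):
        if len(sections) > 1:
            buckets["shared_clsids"].append((clsid, sorted(sections)))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run over the sample, the orphaned bucket holds the two Megaupload toolbar entries and the nameless BHO, `search_path_run` holds `VTTimer.exe`, and `appinit_bare_name` holds `wbsys.dll`; each of those is a file to locate and check, which is exactly what the thread goes on to do with Jotti. None of the buckets produces anything that would explain an "ACCESS DENIED" page, which matches where the thread ends up.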

Good morning! VeLLkan

<@> Download: < avz4.zip > or < avz4.zip >

<@> Save it in Program Files (Arquivos de programas) and unzip it right there!

<@> Open the avz4 folder and run the application with a double-click. <-- Shield-and-sword icon!

<@> Connect to the Internet and update the toolkit. <-- "Database Update"

<@> When that finishes, do not run any scan yet.

<@> In the "Search range" tab, check all the boxes.

<@> Under "Actions", check: "Perform healing"

<@> In the fields below "Perform healing", choose "Report only" for every item.

<@> Close any open programs and run the tool! <-- Click Start.

<@> When it finishes, click the "Save log" icon so we have the report. ( avz_log )

<@> Also click the "glasses" icon.

<@> Click "Save as CSV".

<@> Save this report on the desktop! <-- Text format. ( *.txt )

<@> Name it: View_log

<@> Copy and post avz_log.txt + View_log.txt in your reply.

Regards!


 

Hi DigRam! Thanks for the help, brother.

I followed all of your steps...

avz_log

 

AVZ Antiviral Toolkit log; AVZ version is 4.30

Scanning started at 1/12/2008 12:44:55

Database loaded: signatures - 198578, NN profile(s) - 2, microprograms of healing - 56, signature database released 30.11.2008 20:18

Heuristic microprograms loaded: 371

SPV microprograms loaded: 9

Digital signatures of system files loaded: 74240

Heuristic analyzer mode: Medium heuristics level

Healing mode: enabled

Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights

System Restore: enabled

1. Searching for Rootkits and programs intercepting API functions

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->7C883FEC

Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->7C883F9C

Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->7C883FB0

Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->7C883FD8

Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->7C883FC4

IAT modification detected: LoadLibraryA - 7C883F9C<>7C801D77

IAT modification detected: GetProcAddress - 66501350<>7C80ADA0

Analysis: ntdll.dll, export table found in section .text

Analysis: user32.dll, export table found in section .text

Function user32.dll:RegisterRawInputDevices (546) intercepted, method ProcAddressHijack.GetProcAddress ->7E3BCBD4->7E3F0010

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Analysis: wininet.dll, export table found in section .text

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.2 Searching for kernel-mode API hooks

Driver loaded successfully

SDT found (RVA=082680)

Kernel ntoskrnl.exe found in memory at address 804D7000

SDT = 80559680

KiST = 804E26A8 (284)

Function NtClose (19) intercepted (80566D49->F545C370), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtConnectPort (1F) intercepted (8058A800->F545A420), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtCreateKey (29) intercepted (8056E7A9->F544D7A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtCreateProcess (2F) intercepted (805B0AA4->F545C0A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtCreateProcessEx (30) intercepted (80581E82->F545C210), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtCreateSection (32) intercepted (8056461B->F545CE70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtCreateSymbolicLinkObject (34) intercepted (805A0C69->F545C940), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtCreateThread (35) intercepted (8057C4A1->F545D7B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtDeleteKey (3F) intercepted (80595136->F544D8A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtDeleteValueKey (41) intercepted (80593AAC->F544D920), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtDuplicateObject (44) intercepted (80572B26->F545C510), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtEnumerateKey (47) intercepted (8056EEB0->F544D9B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtEnumerateValueKey (49) intercepted (8057FB78->F544DA60), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtFlushKey (4F) intercepted (8059A8F8->F544DB10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtInitializeRegistry (5C) intercepted (805A2FA1->F544DB90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtLoadDriver (61) intercepted (805A407A->F5459FD0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtLoadKey (62) intercepted (805AE480->F544E590), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtLoadKey2 (63) intercepted (805AE2CE->F544DBB0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtNotifyChangeKey (6F) intercepted (80590E16->F544DC80), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtOpenFile (74) intercepted (8056FB93->F738A030), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted

Function NtOpenKey (77) intercepted (80567CFB->F544DD60), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtOpenProcess (7A) intercepted (80572D06->F545BE90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtOpenSection (7D) intercepted (8057670B->F545CCA0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtQueryKey (A0) intercepted (8056EBB9->F544DE30), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtQueryMultipleValueKey (A1) intercepted (8064CBE4->F544DEE0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtQuerySystemInformation (AD) intercepted (8057D786->F545D460), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtQueryValueKey (B1) intercepted (8056B103->F544DF90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtReplaceKey (C1) intercepted (8064D51E->F544E040), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtRequestWaitReplyPort (C8) intercepted (80575F2A->F545AA00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtRestoreKey (CC) intercepted (8064C042->F544E0D0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtResumeThread (CE) intercepted (8057CB14->F545D760), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtSaveKey (CF) intercepted (8064C0E9->F544E2D0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtSetContextThread (D5) intercepted (8062C403->F545DAE0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtSetInformationFile (E0) intercepted (80576E9C->F545E0A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtSetInformationKey (E2) intercepted (8064C747->F544E360), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtSetSecurityObject (ED) intercepted (8059B831->F5458C20), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtSetSystemInformation (F0) intercepted (805A2664->F545CB20), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtSetValueKey (F7) intercepted (80573C8D->F544E400), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtSuspendThread (FE) intercepted (805DFA18->F545D710), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtSystemDebugControl (FF) intercepted (806483A1->F545A2E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtTerminateProcess (101) intercepted (80584740->F545D300), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtUnloadKey (107) intercepted (8064C317->F544E550), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function NtWriteVirtualMemory (115) intercepted (8057A697->F545C3D0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function FsRtlCheckLockForReadAccess (80503C29) - machine code modification Method of JmpTo. jmp F545E4C0 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Function IoIsOperationSynchronous (804E8752) - machine code modification Method of JmpTo. jmp F545E9C0 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted

Functions checked: 284, intercepted: 43, restored: 0

1.3 Checking IDT and SYSENTER

Analysis for CPU 1

Checking IDT and SYSENTER - complete

1.4 Searching for masking processes and drivers

Checking not performed: extended monitoring driver (AVZPM) is not installed

Driver loaded successfully

1.5 Checking of IRP handlers

Checking - complete

2. Scanning memory

Number of processes found: 32

Number of modules loaded: 354

Scanning memory - complete

3. Scanning disks

C:\Arquivos de programas\On-line Help Console\DetectOS.dll >>> suspicion for Trojan.Win32.Pakes.kad ( 07CF890C 0374B343 002074FF 0023E175 374784)

C:\Arquivos de programas\Pixologic\ZBrush2\ZData\ZPlugs\WebZPlug.dll >>> suspicion for Email-Worm.Win32.Donghe.c ( 004C69EB 00000000 001C9B38 00226792 49152)

Direct reading C:\Documents and Settings\Diego.FRANK\Configurações locais\Temp\fla34.tmp

4. Checking Winsock Layered Service Provider (SPI/LSP)

LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

C:\Arquivos de programas\RK Launcher\RKLauncher.dll --> Suspicion for Keylogger or Trojan DLL

C:\Arquivos de programas\RK Launcher\RKLauncher.dll>>> Behavioural analysis

1. Reacts to events: keyboard

C:\Arquivos de programas\RK Launcher\RKLauncher.dll>>> Neural net: file with probability 99.91% like a typical keyboard/mouse events interceptor

Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs

6. Searching for opened TCP/UDP ports used by malicious programs

Checking disabled by user

7. Heuristic system check

Latent loading of libraries through AppInit_DLLs suspected: "wbsys.dll,C:\ARQUIV~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\ARQUIV~1\KASPER~1\KASPER~1.0\adialhk.dll"

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: RemoteRegistry (Registro remoto)

>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)

>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)

>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)

>> Services: potentially dangerous service allowed: mnmsrvc (Compartilhamento remoto da área de trabalho do NetMeeting)

>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

>> Security: sending Remote Assistant queries is enabled

Checking - complete

9. Troubleshooting wizard

>> HDD autorun are allowed

>> Autorun from network drives are allowed

>> Removable media autorun are allowed

Checking - complete

Files scanned: 94461, extracted from archives: 77081, malicious software found 0, suspicions - 2

Scanning finished at 1/12/2008 13:15:58

Time of scanning: 00:31:06

If you have a suspicion on presence of viruses or questions on the suspected objects,

you can address http://virusinfo.info conference

 

 

 

view_log

 

C:\WINDOWS\system32\drivers\klif.sys;4;Kernel-mode hook

C:\WINDOWS\system32\Drivers\kl1.sys;4;Kernel-mode hook

C:\Arquivos de programas\On-line Help Console\DetectOS.dll;2;Suspicion for Trojan.Win32.Pakes.kad ( 07CF890C 0374B343 002074FF 0023E175 374784)

C:\Arquivos de programas\Pixologic\ZBrush2\ZData\ZPlugs\WebZPlug.dll;2;Suspicion for Email-Worm.Win32.Donghe.c ( 004C69EB 00000000 001C9B38 00226792 49152)

C:\Arquivos de programas\RK Launcher\RKLauncher.dll;5;Suspicion for Keylogger or Trojan DLL

 

 

Hugs, brother!!!

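Section 1 of the AVZ log above mixes two kinds of finding: user-mode interceptions reported only as raw addresses (the kernel32 GetProcAddress/LoadLibrary* exports, user32 RegisterRawInputDevices and two IAT entries), and 43 kernel hooks that AVZ attributes to klif.sys and kl1.sys with the suffix "driver recognized as trusted". The script below is an added example, not part of this thread and not AVZ's own code. It parses both shapes, counts kernel hooks per driver, lists any hook line that lacks the trusted marker, and resolves user-mode hook targets against a module address map. The sample input is lines copied from the log plus one constructed line for a driver named hypothetical.sys, which exists only so the unverified path runs; the module map is also constructed for the example (ranges chosen so two targets resolve and the third does not) and on a real machine comes from the process's loaded-module list. Treating the absence of the trusted marker as "unverified" is an assumption about AVZ's output for drivers it does not recognize.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the AVZ log posted above, plus one
# line for a driver named hypothetical.sys that is NOT from the log and exists
# only so the "no trusted marker" path is exercised.
SAMPLE_LINES = [
    r"Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->7C883FEC",
    r"Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->7C883F9C",
    r"IAT modification detected: LoadLibraryA - 7C883F9C<>7C801D77",
    r"IAT modification detected: GetProcAddress - 66501350<>7C80ADA0",
    r"Function user32.dll:RegisterRawInputDevices (546) intercepted, method ProcAddressHijack.GetProcAddress ->7E3BCBD4->7E3F0010",
    r"Function NtClose (19) intercepted (80566D49->F545C370), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted",
    r"Function NtOpenFile (74) intercepted (8056FB93->F738A030), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted",
    r"Function NtOpenProcess (7A) intercepted (80572D06->F545BE90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted",
    r"Function FsRtlCheckLockForReadAccess (80503C29) - machine code modification Method of JmpTo. jmp F545E4C0 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted",
    # Constructed, hypothetical driver: no "driver recognized as trusted" suffix.
    r"Function NtQueryDirectoryFile (91) intercepted (80574C0A->F9A1B000), hook C:\WINDOWS\system32\drivers\hypothetical.sys",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# Constructed module map (name, start, end) for the example only. On a real
# machine take it from the process's loaded-module list.
MODULE_MAP = [
    ("kernel32.dll", 0x7C800000, 0x7C8F6000),
    ("user32.dll", 0x7E360000, 0x7E3F1000),
]

TRUST = r"(?P<trusted>, driver recognized as trusted)?$"
KERNEL_RE = re.compile(r"^Function (?P<func>\w+) \((?P<idx>[0-9A-F]+)\) intercepted "
                       r"\((?P<orig>[0-9A-F]+)->(?P<target>[0-9A-F]+)\), hook (?P<path>.+?)" + TRUST)
JMP_RE = re.compile(r"^Function (?P<func>\w+) \((?P<addr>[0-9A-F]+)\) - machine code modification "
                    r"Method of JmpTo\. jmp (?P<target>[0-9A-F]+) (?P<path>.+?)" + TRUST)
USER_RE = re.compile(r"^Function (?P<dll>\w+\.dll):(?P<func>\w+) \((?P<idx>\d+)\) intercepted, "
                     r"method (?P<method>\S+) ->(?P<orig>[0-9A-F]+)->(?P<target>[0-9A-F]+)$")
IAT_RE = re.compile(r"^IAT modification detected: (?P<func>\w+) - (?P<current>[0-9A-F]+)<>(?P<orig>[0-9A-F]+)$")


def resolve(addr, module_map):
    """Name of the module whose [start, end) range holds addr, or None."""
    for name, start, end in module_map:
        if start <= addr < end:
            return name
    return None


def summarize(log_text, module_map):
    """Triage AVZ section-1 hook lines.

    kernel_hooks_by_driver  - hook count per driver file name
    unverified_kernel_hooks - (function, driver) for lines lacking the trusted marker
    user_hooks              - (dll, function, target, module-or-None)
    iat_hooks               - (function, current-entry, module-or-None)
    unresolved_targets      - (function, address) whose target matched no module
    """
    by_driver = defaultdict(int)
    unverified, user_hooks, iat_hooks = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KERNEL_RE.match(line) or JMP_RE.match(line)
        if m:
            driver = m.group("path").rsplit("\\", 1)[-1].lower()
            by_driver[driver] += 1
            if not m.group("trusted"):
                unverified.append((m.group("func"), driver))
            continue
        m = USER_RE.match(line)
        if m:
            mod = resolve(int(m.group("target"), 16), module_map)
            user_hooks.append((m.group("dll"), m.group("func"), m.group("target"), mod))
            continue
        m = IAT_RE.match(line)
        if m:
            mod = resolve(int(m.group("current"), 16), module_map)
            iat_hooks.append((m.group("func"), m.group("current"), mod))
    unresolved = [(h[1], h[2]) for h in user_hooks if h[3] is None]
    unresolved += [(h[0], h[1]) for h in iat_hooks if h[2] is None]
    return {
        "kernel_hooks_by_driver": dict(by_driver),
        "unverified_kernel_hooks": unverified,
        "user_hooks": user_hooks,
        "iat_hooks": iat_hooks,
        "unresolved_targets": unresolved,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, MODULE_MAP).items():
        print(key, value)
```

In the real log every kernel hook lands in Kaspersky's two drivers and carries the trusted marker, so the only thing left for a reviewer to chase is the IAT entry for GetProcAddress pointing at 66501350, which needs the machine's module list to name; with the constructed map here it is the single item in `unresolved_targets`. A hook whose target resolves into a known security product is expected; one that resolves into nothing listed is the one worth the Jotti-style check the thread applies to files.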

Good morning! VeLLkan

<@> Configure Windows to show hidden files/folders.

<!> Link.

<@> Go to this site: --> < http://virusscan.jotti.org/ >

<@> In "File to upload", select each of the files highlighted below.

<@> Do one at a time!

C:\Arquivos de programas\On-line Help Console\DetectOS.dll <--

C:\Arquivos de programas\Pixologic\ZBrush2\ZData\ZPlugs\WebZPlug.dll <--

C:\Arquivos de programas\RK Launcher\RKLauncher.dll <--

C:\Documents and Settings\Diego.FRANK\Configurações locais\Temp\fla34.tmp <--

<@> Then click Submit.

<@> Copy and post the results of these scans.

Regards!


Hey DigRam, brother!

I followed what you said... here it is:

 

 

C:\Arquivos de programas\On-line Help Console\DetectOS.dll

 

A-Squared - Found nothing

AntiVir - Found nothing

ArcaVir - Found nothing

Avast - Found nothing

AVG Antivirus - Found nothing

BitDefender - Found nothing

ClamAV - Found nothing

CPsecure - Found nothing

Dr.Web - Found nothing

F-Prot Antivirus - Found nothing

F-Secure Anti-Virus - Found nothing

G DATA - Found nothing

Ikarus - Found nothing

Kaspersky Anti-Virus - Found nothing

NOD32 - Found nothing

Norman Virus Control - Found nothing

Panda Antivirus - Found nothing

Sophos Antivirus - Found nothing

VirusBuster - Found nothing

VBA32 - Found nothing

 

C:\Arquivos de programas\Pixologic\ZBrush2\ZData\ZPlugs\WebZPlug.dll

 

A-Squared - Found nothing

AntiVir - Found nothing

ArcaVir - Found nothing

Avast - Found nothing

AVG Antivirus - Found nothing

BitDefender - Found nothing

ClamAV - Found nothing

CPsecure - Found nothing

Dr.Web - Found nothing

F-Prot Antivirus - Found nothing

F-Secure Anti-Virus - Found nothing

G DATA - Found nothing

Ikarus - Found nothing

Kaspersky Anti-Virus - Found nothing

NOD32 - Found nothing

Norman Virus Control - Found nothing

Panda Antivirus - Found nothing

Sophos Antivirus - Found nothing

VirusBuster - Found nothing

VBA32 - Found nothing

 

C:\Arquivos de programas\RK Launcher\RKLauncher.dll

 

A-Squared - Found nothing

AntiVir - Found nothing

ArcaVir - Found nothing

Avast - Found nothing

AVG Antivirus - Found nothing

BitDefender - Found nothing

ClamAV - Found nothing

CPsecure - Found nothing

Dr.Web - Found nothing

F-Prot Antivirus - Found nothing

F-Secure Anti-Virus - Found nothing

G DATA - Found nothing

Ikarus - Found nothing

Kaspersky Anti-Virus - Found nothing

NOD32 - Found nothing

Norman Virus Control - Found nothing

Panda Antivirus - Found nothing

Sophos Antivirus - Found nothing

VirusBuster - Found nothing

VBA32 - Found nothing

 

C:\Documents and Settings\Diego.FRANK\Configurações locais\Temp\fla34.tmp

 

Note: I could not find the file " fla34 "; there was only " fla31 ", and even so I could not scan it because the file is too large (15.8 MB).

 

 

Hugs!!!


Good morning! VeLLkan

<!> All the files analyzed are legitimate!

<!> The access problem seems to be related to your antivirus settings.

<!> Go to the link below and adjust the restricted-access setting: Parental Control

< http://support.kaspersky.com/kis7/parental...p;qid=208279697 >

<!> PS: The tutorial is in English.

-------------------------

<!> So: clean log. :thumbsup:

Regards!


Hi DigRam!!!

You were right!!!

The problem was just a few sites that Kaspersky had restricted.

Thanks, brother!!!

Hugs!!!


PROBLEM SOLVED!

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
