
Archived

This topic has been archived and is closed to new replies.

RafaelSonyLock

[Solved!] Virus Analysis


Hello!

 

My computer seems to be acting strangely; sometimes IE doesn't work, and the connection drops.

 

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:31, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe
C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe
C:\Arquivos de programas\DAP\DAP.exe
C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Arquivos de programas\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Arquivos de programas\Windows Media Player\wmplayer.exe
C:\Arquivos de programas\TechSmith\Camtasia Studio 6\CamtasiaStudio.exe
C:\Arquivos de programas\TechSmith\Camtasia Studio 6\TSCHelp.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrador\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\ARQUIV~1\DAP\DAPIEL~1.DLL
O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [RocketDock] "C:\Arquivos de programas\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Arquivos de programas\SpeedBit Video Accelerator\VideoAccelerator.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-842925246-152049171-1801674531-500\..\Run: [RocketDock] "C:\Arquivos de programas\RocketDock\RocketDock.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-842925246-152049171-1801674531-500 Startup: Atalho para sidebar_clear.lnk = C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe (User '?')
O4 - Startup: Atalho para sidebar_clear.lnk = C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquiv~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\arquiv~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\arquiv~1\speedb~1\sblsp.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1239756797_5b5b926cd91081deff27e172a2fa7b65&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_v1004 Class) - http://op7.netgame.com/launch/object/mglaunch_USAv1004.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0095391241985843) (0095391241985843mcinstcleanup) -  - (no file)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 7998 bytes

 

Thanks and see you!


Good evening, RafaelSonyLock!

 

<@> Download: < avz4en.zip > or < avz_antiviral_toolkit >

<@> Save it in Arquivos de programas (Program Files), and unzip it right there!

<@> Open the avz4 folder and run the application with a double-click. <-- Shield-and-sword icon!

<@> Connect to the Internet and update the Toolkit. --> "File" --> "Database Update". < AVZupdate.jpg >

<@> When it finishes, do not run any scan yet.

<@> In the "Search range" tab, check all the boxes.

<@> Under "File types", select the "All files" button.

<@> Under "Actions", check: "Perform healing"

<@> In the fields below "Perform healing", choose "Report only" for all items.

<@> Below "RiskWare", check the box "Copy suspicious files to Quarantine". <-- Only this box!

<@> In the "Search parameters" menu, set the "Heuristic analyses" slider to maximum.

<@> Check the box "Extended analysis". <-- Only this box!

<@> Do not uncheck the ones that are checked by default!

<@> Close any open programs and run the tool! <-- Click Start.

<@> When the scan finishes, click the "Save log" icon so we have the report. ( avz_log )

<@> Also click the "glasses" icon.

<@> Click "Save as CSV".

<@> Save this report to the desktop! <-- Text format. ( *.txt )

<@> Name it: view_log

<@> Copy and paste avz_log.txt + view_log.txt in your reply.

 

Regards!


All done, sorry for the delay!

 

avz_log.txt

AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 6/6/2009 18:23:54
Database loaded: signatures - 226502, NN profile(s) - 2, microprograms of healing - 56, signature database released 06.06.2009 21:51
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 120746
Heuristic analyzer mode: Maximum heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 3; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=07C020)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 80553020
   KiST = 80501B9C (284)
Function NtAssignProcessToJobObject (13) intercepted (805CC950->88FED630), hook not defined
Function NtCreateKey (29) intercepted (8061A330->BA491FFA), hook C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (8061A7C0->BA492116), hook C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (8061A990->BA49226A), hook C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (8061AB70->BA4921F2), hook C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (8061ADDA->BA4923CA), hook C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
Function NtOpenKey (77) intercepted (8061B702->BA4920A4), hook C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805C1322->88FECA60), hook not defined
Function NtOpenThread (80) intercepted (805C15AE->88FECE80), hook not defined
Function NtQueryKey (A0) intercepted (8061BA28->BA49217E), hook C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (80618568->BA492352), hook C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (806188B6->BA4922D8), hook C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
Function NtSuspendProcess (FD) intercepted (805CAD76->88FED460), hook not defined
Function NtSuspendThread (FE) intercepted (805CABE8->88FED280), hook not defined
Function NtTerminateProcess (101) intercepted (805C8CB6->88FECC90), hook not defined
Function NtTerminateThread (102) intercepted (805C8EB0->88FED0B0), hook not defined
Functions checked: 284, intercepted: 16, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
 Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = BA491758 -> C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_CLOSE] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = BA491AC2 -> C:\WINDOWS\System32\Drivers\ShldDrv.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 89E441F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 89E441F8 -> hook not defined
 Checking - complete
2. Scanning memory
 Number of processes found: 28
Analyzer: process under analysis is 1884 C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorService.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 2516 C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
 Number of modules loaded: 348
Scanning memory - complete
3. Scanning disks
Direct reading C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat
Direct reading C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Microsoft\Windows Sidebar\Settings.ini
Direct reading C:\Documents and Settings\Administrador\Configurações locais\Histórico\History.IE5\index.dat
Direct reading C:\Documents and Settings\Administrador\Configurações locais\Histórico\History.IE5\MSHist012009060620090607\index.dat
Direct reading C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Documents and Settings\Administrador\Cookies\index.dat
Direct reading C:\Documents and Settings\Administrador\IETldCache\index.dat
Direct reading C:\Documents and Settings\Administrador\NTUSER.DAT
Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\ESET\ESET Smart Security\Charon\CACHE.NDB
Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\ESET\ESET Smart Security\Logs\virlog.dat
Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\ESET\ESET Smart Security\Logs\warnlog.dat
Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat
Direct reading C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat
Direct reading C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat
Direct reading C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat
Direct reading C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Documents and Settings\LocalService\Cookies\index.dat
Direct reading C:\Documents and Settings\LocalService\NTUSER.DAT
Direct reading C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat
Direct reading C:\Documents and Settings\NetworkService\NTUSER.DAT
C:\System Volume Information\_restore{9FF893E0-3303-438B-87D0-C0D72557B852}\RP41\A0013567.exe - Suspicion for Virus.Win32.PE_Type1(dangerousness level is 75%)
File quarantined succesfully (C:\System Volume Information\_restore{9FF893E0-3303-438B-87D0-C0D72557B852}\RP41\A0013567.exe)
Direct reading C:\System Volume Information\_restore{9FF893E0-3303-438B-87D0-C0D72557B852}\RP61\change.log
Direct reading C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
Direct reading C:\WINDOWS\system32\CatRoot2\edb.log
Direct reading C:\WINDOWS\system32\CatRoot2\tmp.edb
Direct reading C:\WINDOWS\system32\config\AppEvent.Evt
Direct reading C:\WINDOWS\system32\config\default
Direct reading C:\WINDOWS\system32\config\Internet.evt
Direct reading C:\WINDOWS\system32\config\ODiag.evt
Direct reading C:\WINDOWS\system32\config\OSession.evt
Direct reading C:\WINDOWS\system32\config\SAM
Direct reading C:\WINDOWS\system32\config\SecEvent.Evt
Direct reading C:\WINDOWS\system32\config\SECURITY
Direct reading C:\WINDOWS\system32\config\SysEvent.Evt
Direct reading C:\WINDOWS\system32\config\system
Direct reading C:\WINDOWS\system32\config\WindowsPowerShell.evt
Direct reading C:\WINDOWS\system32\drivers\sptd.sys
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Direct reading C:\WINDOWS\WindowsUpdate.log
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\ARQUIV~1\SPEEDB~1\sblsp.dll --> Suspicion for Keylogger or Trojan DLL
C:\ARQUIV~1\SPEEDB~1\sblsp.dll>>> Behavioural analysis
  Behaviour typical for keyloggers not detected
C:\Arquivos de programas\SpeedBit Video Accelerator\ConfigDB.dll --> Suspicion for Keylogger or Trojan DLL
C:\Arquivos de programas\SpeedBit Video Accelerator\ConfigDB.dll>>> Behavioural analysis
  Behaviour typical for keyloggers not detected
C:\Arquivos de programas\SpeedBit Video Accelerator\Accelerator.dll --> Suspicion for Keylogger or Trojan DLL
C:\Arquivos de programas\SpeedBit Video Accelerator\Accelerator.dll>>> Behavioural analysis
  Behaviour typical for keyloggers not detected
C:\Arquivos de programas\SpeedBit Video Accelerator\CommPipe.dll --> Suspicion for Keylogger or Trojan DLL
C:\Arquivos de programas\SpeedBit Video Accelerator\CommPipe.dll>>> Behavioural analysis
  Behaviour typical for keyloggers not detected
C:\Arquivos de programas\SpeedBit Video Accelerator\Collector.dll --> Suspicion for Keylogger or Trojan DLL
C:\Arquivos de programas\SpeedBit Video Accelerator\Collector.dll>>> Behavioural analysis
  Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
 Checking disabled by user
7. Heuristic system check
>>> C:\ARQUIV~1\DAP\dapie.dll HSC: suspicion for Adware.SpeedBit
File quarantined succesfully (C:\ARQUIV~1\DAP\dapie.dll)
>>> C:\ARQUIV~1\DAP\dapie.dll HSC: suspicion for Adware.SpeedBit
>>> C:\autorun.inf HSC: suspicion for  hidden autorun (high degree of probability)
File quarantined succesfully (C:\autorun.inf)
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)
>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)
>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)
>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  Service termination timeout is out of admissible values
 >>  HDD autorun are allowed
 >>  Autorun from network drives are allowed
 >>  Removable media autorun are allowed
Checking - complete
Files scanned: 181757, extracted from archives: 92546, malicious software found 0, suspicions - 0
Scanning finished at 6/6/2009 18:53:13
Time of scanning: 00:29:21
If you have a suspicion on presence of viruses or questions on the suspected objects,you can address http://virusinfo.info conference

 

view_log

C:\WINDOWS\System32\Drivers\ShldDrv.SYS	4	Kernel-mode hook
C:\System Volume Information\_restore{9FF893E0-3303-438B-87D0-C0D72557B852}\RP41\A0013567.exe	3	Suspicion for Virus.Win32.PE_Type1(dangerousness level is 75%)
C:\ARQUIV~1\SPEEDB~1\sblsp.dll	5	Suspicion for Keylogger or Trojan DLL
C:\Arquivos de programas\SpeedBit Video Accelerator\ConfigDB.dll	5	Suspicion for Keylogger or Trojan DLL
C:\Arquivos de programas\SpeedBit Video Accelerator\Accelerator.dll	5	Suspicion for Keylogger or Trojan DLL
C:\Arquivos de programas\SpeedBit Video Accelerator\CommPipe.dll	5	Suspicion for Keylogger or Trojan DLL
C:\Arquivos de programas\SpeedBit Video Accelerator\Collector.dll	5	Suspicion for Keylogger or Trojan DLL
C:\ARQUIV~1\DAP\dapie.dll	3	 HSC: suspicion for Adware.SpeedBit
C:\autorun.inf	3	 HSC: suspicion for  hidden autorun (high degree of probability)


Good evening, RafaelSonyLock!

 

<@> Open avz4 and delete the files that are in quarantine.

<@> Click File --> 'Quarantine Folder Viewer'.

<@> Check all the boxes and click Delete --> Yes!

<@> Also click Delete folder --> Yes --> OK.

<><><><><><><><><><>

<@> Download: < WinsockFix >

<@> Save it to the Desktop!

<@> Restart the computer in Safe Mode!

<@> Run WinsockFix!

<@> Double-click WinsockFix.exe

<@> The window VB_Winfix 1.2 will open.

<@> Click Fix.

<@> A message will appear! >> Click Yes!

<@> When it finishes, restart the computer normally!

<><><><><><><><><><>

<@> Download: < a-squared Free 4.0 >

 

<!> Optional link: < a2ppf_banner.jpg >

 

<@> Save it in Arquivos de programas (Program Files).

<@> Open the program and click: Update now --> Wait!

<@> When it finishes, click: "Scan PC"

<@> Choose the option "Deep" --> then click "Scan".

<@> When it finishes, check the boxes of the items found and click "Send selected to Quarantine".

<@> Save and post the report of this scan. ( a2scan_xxyy09-xxxxxx.txt ) <--

<@> Also post an updated HijackThis log.

 

Regards!


I did everything and deleted the files from Quarantine (AVZ4)

 

I ran the WinSockFix steps

 

a-squared Free 4.0 log (I was already using it before)

a-squared Free - Versão 4.5
Última atualização 7/6/2009 12:01:43

Configurações da análise:
Scan type: deep
Objetos: Memória, Rastros, Cookies, C:\
Análise de arquivos: Ligado
Heurística: Desligado
Análise de ADS: Ligado

Início da análise:	7/6/2009 12:01:56
C:\Documents and Settings\Administrador\Cookies\administrador@google.com[1].txt 	detectado: Trace.TrackingCookie.google.com!A2
C:\Arquivos de programas\Megacubo\bin\HTML.dll 	detectado: Trojan.Generic!IK

Analisado
Arquivos: 164717
Objetos: 	352451
Cookies: 	68
Processos: 25

Encontrado
Arquivos: 1
Objetos: 	0
Cookies: 	1
Processos: 0
Chaves do registro: 0

Fim da análise:	7/6/2009 12:53:50
Duração da análise:	0:51:54

 

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:16:24, on 7/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorService.exe
C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrador\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\ARQUIV~1\DAP\DAPIEL~1.DLL
O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [RocketDock] "C:\Arquivos de programas\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Arquivos de programas\SpeedBit Video Accelerator\VideoAccelerator.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-842925246-152049171-1801674531-500\..\Run: [RocketDock] "C:\Arquivos de programas\RocketDock\RocketDock.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-842925246-152049171-1801674531-500 Startup: Atalho para sidebar_clear.lnk = C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe (User '?')
O4 - Startup: Atalho para sidebar_clear.lnk = C:\Arquivos de programas\Windows Sidebar\sidebar_clear.exe
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1239756797_5b5b926cd91081deff27e172a2fa7b65&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_v1004 Class) - http://op7.netgame.com/launch/object/mglaunch_USAv1004.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0095391241985843) (0095391241985843mcinstcleanup) -  - (no file)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Nero AG - (no file)
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 7572 bytes

 

After I ran the WinSockFix process, my antivirus turned red!!!

Image: http://pic1.piccdrop.com/i/4/1244275312.jpg

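As an added example (not code from the thread, from HijackThis or from AVZ), a small Python triage script that reads HijackThis-style logs and pulls out what a helper checks first: the Winsock LSP registrations (O10 lines), services whose binary is missing (O23 lines) and what changed between two logs, as with the "before" and "after WinsockFix" logs in this thread. The two embedded logs are constructed excerpts modelled on the posted ones, not the full logs.

```python
"""Triage helper for HijackThis v2 logs (added example, not part of the thread).

Extracts Winsock LSP registrations (O10), services whose executable is
missing (O23) and the O4/O10/O23 differences between a 'before' and an
'after' log. BEFORE_LOG and AFTER_LOG are constructed excerpts.
"""
import re
from dataclasses import dataclass

# Findings live on R0/R1 and O<n> lines; the header and process list do not.
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
# O10 lines name the LSP file after this prefix.
LSP_RE = re.compile(r"Winsock LSP:\s*(.+)$")
# How HijackThis marks an O23 service whose binary is gone.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Constructed excerpt of a log before the LSP chain was reset.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:31, on 4/6/2009
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Arquivos de programas\SpeedBit Video Accelerator\VideoAccelerator.exe
O10 - Unknown file in Winsock LSP: c:\arquiv~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\arquiv~1\speedb~1\sblsp.dll
O23 - Service: ESET Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

# Constructed excerpt of a log taken after the reset.
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:16:24, on 7/6/2009
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [egui] "C:\Arquivos de programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Arquivos de programas\SpeedBit Video Accelerator\VideoAccelerator.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ESET Service (ekrn) - ESET - C:\Arquivos de programas\ESET\ESET Smart Security\ekrn.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Nero AG - (no file)
"""


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O10", "O23"
    body: str     # text after the "O10 - " prefix


def parse_hjt(text: str) -> list[Entry]:
    """Parse a HijackThis log into its R/O entries (duplicates are kept)."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2).strip()))
    return entries


def lsp_files(entries: list[Entry]) -> list[str]:
    """Distinct files registered in the Winsock LSP chain (O10 lines)."""
    files = set()
    for e in entries:
        if e.section == "O10":
            match = LSP_RE.search(e.body)
            # Fall back to the whole body for O10 lines without a file name.
            files.add((match.group(1) if match else e.body).strip().lower())
    return sorted(files)


def orphaned_services(entries: list[Entry]) -> list[str]:
    """O23 services whose executable is gone: leftover registrations to clean up."""
    return [e.body for e in entries
            if e.section == "O23" and any(m in e.body for m in MISSING_MARKERS)]


def section_diff(before, after, section):
    """Entries of one section that disappeared from / appeared in the 'after' log."""
    b = {e.body for e in before if e.section == section}
    a = {e.body for e in after if e.section == section}
    return sorted(b - a), sorted(a - b)


def triage(before_text: str, after_text: str) -> dict:
    """Summarise the LSP chain, orphaned services and per-section changes."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    report = {
        "lsp_before": lsp_files(before),
        "lsp_after": lsp_files(after),
        "orphaned_services_after": orphaned_services(after),
    }
    for section in ("O4", "O10", "O23"):
        removed, added = section_diff(before, after, section)
        report[f"{section}_removed"] = removed
        report[f"{section}_added"] = added
    return report


if __name__ == "__main__":
    for key, value in triage(BEFORE_LOG, AFTER_LOG).items():
        print(f"{key}: {value}")
```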

Good evening, RafaelSonyLock!

 

<@> Run an online scan at Eset.

<@> Use the Internet Explorer browser.

<@> Check the box: "SIM, aceito as condições de uso" --> Iniciar.

<@> Check the box: "YES, I accept the Terms of Use" --> Start.

<@> Accept the ActiveX installation and, when it finishes, save and post the report. ( C:\Arquivos de programas\EsetOnlineScanner\log )

 

Regards!


DigRam, I did get to run the scan, but afterwards I restarted the PC and it was simply going crazy.

It wouldn't play music, and wouldn't open IE or FF.

 

I went into Safe Mode and backed up the most important files to my MP5.

The only option I had was to format, so I formatted and everything went fine.

 

Sorry, but it wasn't my fault; it happened for no reason at all.

 

Thanks, see you, and topic more or less solved.

 

Locked!


PROBLEM SOLVED!

 

If the author needs the topic reopened, just send a Private Message to a Moderator with a link to the topic.
