Bolaosoft
Posted December 3, 2009

Please analyse this for me, my MSN is sending e-mails to my contact list :( Thanks.

------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:24, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\mydpla.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Alessandro\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\K-Lite Codec Pack\Real\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {8763AFE3-8175-481B-BC0E-96E56DA06B87}BC0E-96E56DA06B87} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Technology NT] C:\WINDOWS\system32\mydpla.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar para Dispositivo &Bluetooth... - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Arquivos de programas\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1254234487265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF5ACA8-33DA-4B16-A319-D4230DCCA3CE}: NameServer = 208.67.222.222,200.171.71.54
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

--
End of file - 6336 bytes
-----------------------------------------------------------------------------------------------------------

Thanks
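An added example, not part of this thread or of HijackThis itself: a Python triage pass over a few lines modelled on the log above. It applies the checks a helper makes by eye on these logs (an O4 autorun starting an unfamiliar executable straight from system32, an O2 BHO with no file behind it, an O23 service whose binary is missing, and the O17 name servers, which are reported for confirmation rather than flagged); the system32 allowlist and the severity labels are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines modelled on the HijackThis log
# posted above (not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Technology NT] C:\WINDOWS\system32\mydpla.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF5ACA8-33DA-4B16-A319-D4230DCCA3CE}: NameServer = 208.67.222.222,200.171.71.54
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

# One regex per HijackThis section code we look at.
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) \((?P<short>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.*)$')

# Assumed allowlist: executables that legitimately autostart straight from
# system32 on this XP box. Anything else launched from there gets flagged.
SYSTEM32_AUTORUN_ALLOWLIST = {"ctfmon.exe"}


@dataclass
class Finding:
    code: str       # HijackThis section code, e.g. "O4"
    severity: str   # "suspicious" or "review"
    reason: str
    line: str


def exe_from_command(cmd: str) -> str:
    """Return the executable path from an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path runs up to the first space (fine for system32 paths).
    return cmd.split(' ', 1)[0]


def triage_line(line: str):
    """Return a Finding for one log line, or None if the line passes."""
    m = O4_RE.match(line)
    if m:
        exe = exe_from_command(m.group('cmd'))
        parent, _, base = exe.rpartition('\\')
        if parent.lower().endswith('\\system32') and base.lower() not in SYSTEM32_AUTORUN_ALLOWLIST:
            return Finding('O4', 'suspicious',
                           f'autorun [{m.group("name")}] starts {base} directly from system32', line)
        return None
    m = O2_RE.match(line)
    if m:
        if m.group('path').strip().lower() == '(no file)':
            return Finding('O2', 'review', 'BHO registered but its DLL is gone (orphaned entry)', line)
        return None
    m = O23_RE.match(line)
    if m:
        if '(file missing)' in m.group('path').lower():
            return Finding('O23', 'review', f"service {m.group('short')} points to a missing binary", line)
        return None
    m = O17_RE.match(line)
    if m:
        servers = [s.strip() for s in m.group('servers').split(',')]
        return Finding('O17', 'review',
                       'DNS servers set to ' + ', '.join(servers) + '; confirm they are the expected resolvers', line)
    return None


def triage_log(text: str):
    """Run triage_line over every non-empty line and collect the findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            f = triage_line(line)
            if f:
                findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage_log(SAMPLE_LOG):
        print(f'{f.severity:10} {f.code:4} {f.reason}')
```

On the sample above the only "suspicious" hit is the [Technology NT] entry for mydpla.exe, which is exactly the entry ComboFix removes later in the thread.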
wings
Posted December 3, 2009

Good afternoon Bolaosoft

*Temporarily disable your antivirus
*Download ComboFix and save it to the desktop
*Double-click the Combofix.exe file
*Accept the agreement
*If the Windows Recovery Console is already installed, ComboFix will continue the process automatically. If it is not, a window will open. Accept its installation.
*After the installation, click [yes] to continue.
*Important: while ComboFix is running, do not use the mouse or the keyboard!!..... To interrupt the procedure press N or 2 and then ENTER.
*The program will close automatically
*Paste the report created at C:\combofix.txt
Bolaosoft
Posted December 3, 2009

ComboFix 09-12-02.08 - Alessandro 03/12/2009 17:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2038.1672 [GMT -2:00]
Executando de: c:\documents and settings\Alessandro\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\KB70CC13.log
c:\windows\system32\flashcpx.dll
c:\windows\system32\mydpla.exe
.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-11-03 to 2009-12-03 ))))))))))))))))))))))))))))
.
2009-12-01 00:42 . 2009-01-08 10:09 218624 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\EPSON\EPSON T24 Series\Language\0416.E_DI0FAA.DLL
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 19:42 . 2004-08-04 12:00 83186 ----a-w- c:\windows\system32\perfc016.dat
2009-12-03 19:42 . 2004-08-04 12:00 477468 ----a-w- c:\windows\system32\perfh016.dat
2009-11-13 02:30 . 2009-11-02 10:45 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-11-02 10:50 . 2009-11-02 10:50 -------- d-----w- c:\arquivos de programas\Microsoft Works
2009-11-02 10:50 . 2009-09-29 19:38 -------- d-----w- c:\arquivos de programas\MSBuild
2009-11-02 10:49 . 2009-11-02 10:49 -------- d-----w- c:\arquivos de programas\Microsoft.NET
2009-11-02 10:46 . 2009-11-02 10:46 -------- d-----w- c:\arquivos de programas\Microsoft Visual Studio 8
2009-10-30 15:09 . 2009-10-30 15:09 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2009-10-28 14:46 . 2009-10-28 14:46 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\EPSON
2009-10-23 15:13 . 2009-10-23 14:45 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight
2009-10-23 14:44 . 2009-10-03 21:48 -------- d-----w- c:\arquivos de programas\Microsoft
2009-10-09 17:38 . 2009-09-29 22:11 -------- d-----w- c:\arquivos de programas\Webzen
2009-10-08 13:46 . 2009-10-08 13:46 -------- d-----w- c:\documents and settings\Alessandro\Dados de aplicativos\Ahead
2009-10-08 13:45 . 2009-09-29 13:55 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-10-08 13:41 . 2009-10-08 13:40 -------- d-----w- c:\arquivos de programas\Ahead
2009-10-08 13:41 . 2009-10-08 13:40 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Ahead
2009-10-05 18:57 . 2009-10-05 18:56 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Real
2009-10-05 18:57 . 2009-10-05 18:57 -------- d-----w- c:\arquivos de programas\Arquivos comuns\xing shared
2009-10-05 18:56 . 2009-09-29 14:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-05 18:56 . 2009-09-29 14:00 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-29 15:46 . 2009-09-29 13:38 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-29 13:35 . 2009-09-29 13:35 21844 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-23 20:42 . 2009-09-29 23:05 53616 ----a-w- c:\windows\system32\CMStarter_Eng.dll
2009-09-23 20:42 . 2009-09-29 23:05 53616 ----a-w- c:\windows\system32\CMStarter_Kor.dll
2009-09-23 20:42 . 2009-09-29 23:05 364912 ----a-w- c:\windows\system32\CMStarterCore.exe
2009-09-11 14:19 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2004-03-11 16:27 . 2009-10-08 13:29 40960 ----a-w- c:\arquivos de programas\Uninstall_CDS.exe
2009-03-21 14:08 . 2004-08-04 12:00 1081344 --sha-r- c:\windows\system32\bmzxbuox.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2009-10-05 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^BTTray.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Windows Search.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7174:TCP"= 7174:TCP:zkbqsaqd

S2 ahgoh;Installer Boot;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 10:00 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ahgoh
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-12-03 c:\windows\Tasks\User_Feed_Synchronization-{E3AEEBEB-A888-45B3-8E56-E82C43DF3756}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 07:31]
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Enviar para Dispositivo &Bluetooth... - c:\arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {DFF5ACA8-33DA-4B16-A319-D4230DCCA3CE} = 208.67.222.222,200.171.71.54
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{8763AFE3-8175-481B-BC0E-96E56DA06B87}BC0E-96E56DA06B87} - (no file)
HKLM-Run-Technology NT - c:\windows\system32\mydpla.exe
AddRemove-M104UninstallerSetup - c:\program files\TVDriverUninstall\\M104_Drv_V1.0.1.39_Uninstaller.exe
AddRemove-RealPlayer 12.0 - c:\arquivos de programas\Arquivos comuns\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 17:50
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ahgoh]
"ServiceDll"="c:\windows\system32\bmzxbuox.dll"
.
Tempo para conclusão: 2009-12-03 17:52
ComboFix-quarantined-files.txt 2009-12-03 19:52

Pré-execução: 5 pasta(s) 16.901.169.152 bytes disponíveis
Pós execução: 8 pasta(s) 17.186.705.408 bytes disponíveis

- - End Of File - - 73EEDBA4504D33BA6C8E481325662BB3
----------------------------------------------------------------------------------

There it is, mate. Thanks.
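An added example, not part of this thread or of ComboFix itself: a Python audit of the registry section of a ComboFix report, run on an excerpt modelled on the log above. It picks out what the helper acts on next in this thread: the Security Center overrides, the disabled firewall, the globally opened port and its label, and a service hosted inside the svchost netsvcs group whose ServiceDll deserves a look; the key-suffix matching and the wording of the findings are my assumptions.

```python
import re

# Constructed excerpt, modelled on the registry section of the ComboFix log
# posted above (values as they appear there; not the full report).
COMBOFIX_EXCERPT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7174:TCP"= 7174:TCP:zkbqsaqd

S2 ahgoh;Installer Boot;c:\windows\system32\svchost.exe -k netsvcs [4/8/2004 10:00 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')                      # [HKLM\...] section header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')  # "Name"=data
SERVICE_RE = re.compile(r'^S[0-4] (?P<svc>[^;]+);(?P<display>[^;]*);(?P<image>.*)$')  # ComboFix service line


def parse_registry_section(text):
    """Return (values, services): values as (key, name, data) triples,
    services as (short name, display name, image path) triples."""
    values, services = [], []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values.append((key, m.group('name'), m.group('data').strip()))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append((m.group('svc'), m.group('display'), m.group('image')))
    return values, services


def audit(text):
    """Return human-readable findings for the settings this thread's helper acted on."""
    values, services = parse_registry_section(text)
    findings = []
    for key, name, data in values:
        k = key.lower()
        if k.endswith('security center') and name in ('AntiVirusOverride', 'FirewallOverride') and data.endswith('1'):
            findings.append(f'{name} set: Security Center was told not to warn about this component')
        elif k.endswith('firewallpolicy\\standardprofile') and name == 'EnableFirewall' and data.startswith('0'):
            findings.append('Windows Firewall disabled in the standard profile')
        elif k.endswith('globallyopenports\\list'):
            # Data has the form port:proto:label; the label names whoever opened it.
            findings.append(f'globally open port {name} labelled "{data.split(":")[-1]}"')
    for svc, display, image in services:
        if '-k netsvcs' in image.lower():
            # Legitimate services live here too, so this is a pointer to check the
            # ServiceDll (the log above later shows bmzxbuox.dll for ahgoh).
            findings.append(f'service {svc} ("{display}") runs inside svchost netsvcs; check its ServiceDll')
    return findings


if __name__ == '__main__':
    for line in audit(COMBOFIX_EXCERPT):
        print(line)
```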
wings
Posted December 3, 2009

Please.... Submit the file below for analysis at http://virscan.org

c:\windows\system32\bmzxbuox.dll

Paste the link containing the result.
Bolaosoft
Posted December 3, 2009

Hello,

Although that line with this file appears in the log, I could not find it on the machine. What should I do? :)
wings
Posted December 4, 2009

Good evening Bolaosoft

*Open Notepad, then select, copy and paste into it all of the code below:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7174:TCP"=-

Driver::
ahgoh

NetSvc::
ahgoh

*Save the file to the desktop as CFScript.txt
*Drag the file onto ComboFix as shown in the illustration below:
*Important: while ComboFix is running, do not use the mouse or the keyboard!!..to interrupt the process press N or 2.
*Paste the report created at C:\combofix.txt and a new HijackThis log
Bolaosoft
Posted December 4, 2009

ComboFix 09-12-03.05 - Alessandro 04/12/2009 12:04.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2038.1667 [GMT -2:00]
Executando de: c:\documents and settings\Alessandro\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Alessandro\Desktop\CFScript.txt.txt
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AHGOH
-------\Service_ahgoh

(((((((((((((((( Arquivos/Ficheiros criados de 2009-11-04 to 2009-12-04 ))))))))))))))))))))))))))))
.
2009-12-04 00:54 . 2009-01-08 08:00 53248 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\EPSON\EPSON T24 Series\Language\0416.E_SBE0A7.DLL
2009-12-04 00:54 . 2009-01-08 10:09 218624 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\EPSON\EPSON T24 Series\Language\0416.E_DI0FAA.DLL
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 14:01 . 2004-08-04 12:00 83186 ----a-w- c:\windows\system32\perfc016.dat
2009-12-04 14:01 . 2004-08-04 12:00 477468 ----a-w- c:\windows\system32\perfh016.dat
2009-11-13 02:30 . 2009-11-02 10:45 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-11-02 10:50 . 2009-11-02 10:50 -------- d-----w- c:\arquivos de programas\Microsoft Works
2009-11-02 10:50 . 2009-09-29 19:38 -------- d-----w- c:\arquivos de programas\MSBuild
2009-11-02 10:49 . 2009-11-02 10:49 -------- d-----w- c:\arquivos de programas\Microsoft.NET
2009-11-02 10:46 . 2009-11-02 10:46 -------- d-----w- c:\arquivos de programas\Microsoft Visual Studio 8
2009-10-30 15:09 . 2009-10-30 15:09 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2009-10-28 14:46 . 2009-10-28 14:46 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\EPSON
2009-10-23 15:13 . 2009-10-23 14:45 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight
2009-10-23 14:44 . 2009-10-03 21:48 -------- d-----w- c:\arquivos de programas\Microsoft
2009-10-09 17:38 . 2009-09-29 22:11 -------- d-----w- c:\arquivos de programas\Webzen
2009-10-08 13:46 . 2009-10-08 13:46 -------- d-----w- c:\documents and settings\Alessandro\Dados de aplicativos\Ahead
2009-10-08 13:45 . 2009-09-29 13:55 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-10-08 13:41 . 2009-10-08 13:40 -------- d-----w- c:\arquivos de programas\Ahead
2009-10-08 13:41 . 2009-10-08 13:40 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Ahead
2009-10-05 18:57 . 2009-10-05 18:56 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Real
2009-10-05 18:57 . 2009-10-05 18:57 -------- d-----w- c:\arquivos de programas\Arquivos comuns\xing shared
2009-10-05 18:56 . 2009-09-29 14:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-05 18:56 . 2009-09-29 14:00 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-29 15:46 . 2009-09-29 13:38 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-29 13:35 . 2009-09-29 13:35 21844 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-23 20:42 . 2009-09-29 23:05 53616 ----a-w- c:\windows\system32\CMStarter_Eng.dll
2009-09-23 20:42 . 2009-09-29 23:05 53616 ----a-w- c:\windows\system32\CMStarter_Kor.dll
2009-09-23 20:42 . 2009-09-29 23:05 364912 ----a-w- c:\windows\system32\CMStarterCore.exe
2009-09-11 14:19 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2004-03-11 16:27 . 2009-10-08 13:29 40960 ----a-w- c:\arquivos de programas\Uninstall_CDS.exe
2009-03-21 14:08 . 2004-08-04 12:00 1081344 --sha-r- c:\windows\system32\bmzxbuox.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-12-03_19.50.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-12-03 19:42 71394 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-12-04 14:01 71394 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-12-04 14:01 441458 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-12-03 19:42 441458 c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2009-10-05 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^BTTray.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Windows Search.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-12-04 c:\windows\Tasks\User_Feed_Synchronization-{E3AEEBEB-A888-45B3-8E56-E82C43DF3756}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 07:31]
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Enviar para Dispositivo &Bluetooth... - c:\arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {DFF5ACA8-33DA-4B16-A319-D4230DCCA3CE} = 208.67.222.222,200.171.71.54
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 12:11
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(556)
c:\windows\system32\WININET.dll
c:\arquiv~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-12-04 12:15 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-12-04 14:15
ComboFix2.txt 2009-12-03 19:52

Pré-execução: 6 pasta(s) 16.377.290.752 bytes disponíveis
Pós execução: 7 pasta(s) 16.314.585.088 bytes disponíveis

- - End Of File - - 732A4D7A4EE812A57211C4D71854F350
-------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:27, on 4/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Alessandro\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Arquivos de programas\K-Lite Codec Pack\Real\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Auxiliar de Conexão do Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar para Dispositivo &Bluetooth... - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Arquivos de programas\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1254234487265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF5ACA8-33DA-4B16-A319-D4230DCCA3CE}: NameServer = 208.67.222.222,200.171.71.54
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Arquivos de programas\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Arquivos de programas\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

--
End of file - 5931 bytes

There it is, mate. Thanks.
wings
Posted December 4, 2009

Good afternoon Bolaosoft

I just forgot to remove one file. We will do it with another program.

1.
*Download Avenger and extract its contents to the desktop
http://swandog46.geekstogo.com/avenger2/download.php
*Select and copy (Ctrl+C) all of the code below:

Files to delete:
c:\windows\system32\bmzxbuox.dll

*Run the Avenger program
*Click [Load Script] > [Paste from Clipboard]
*Click [Execute] > [OK]
*The PC will be restarted
*Paste the report created at C:\avenger.txt
Bolaosoft
Posted December 4, 2009

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\bmzxbuox.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
-------------------------------------------------------------------------------------------------------

Here it is, thanks.
wings
Posted December 4, 2009

Now let's clean up the leftovers.

1.
*Click [Start] > [Run] > type: combofix /uninstall
*Click [OK]
*Click [Run]
*The message "ComboFix está desinstalado" (ComboFix is uninstalled) will appear
*Click [OK]
*Delete the folder C:\Combofix and the file C:\combofix.txt, if they still exist.

2.
*Delete the Avenger program, the file C:\avenger.txt and the folder C:\avenger

3.
*Download and install CCleaner
*In the right-hand column, scroll down to the "Advanced" option and select "Old Prefetch data"
*Open the program and click [Run Cleaner]
*Then click [Registry] -> [Scan for Issues] -> [Fix selected issues] -> [Fix All Selected Issues]

4.
*Change your MSN password

Your logs are clean...
Bolaosoft
Posted December 4, 2009

Done, mate, I did everything. Is that it? Now I just have to be happy, who knows for how long? lol
wings
Posted December 4, 2009

PROBLEM SOLVED!

If the author needs the topic to be reopened, just send a Private Message to a Moderator with a link to the topic.