[Resolvido]Log Do Hijackthis

Diogo Flammarion · Fevereiro 25, 2007

está aqui o log do hijackthis, seguinte, esse tal de lsass.exe e services.exe, faz meu computador reiniciar do nada.... ;) isso sempre acontece, além de que meu pc fica com 100% de uso direto

Logfile of HijackThis v1.99.1

Scan saved at 21:55:28, on 24/2/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\LEXPPS.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe

C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmon.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Arquivos de programas\Winamp\winampa.exe

C:\WINNT\system32\csrs.exe

C:\WINNT\system32\iexploler.exe

C:\WINNT\SOUNDMAN.EXE

C:\WINNT\system32\lssas.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\svchost.exe

D:\Downloads\MuNetPlay\Launcher.exe

D:\Downloads\MuNetPlay\main.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\MSN Apps\Updater1.02.0002.1001\pt-br\msnappau.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.MSN.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Barra de Ferramentas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Toolbar1.01.2607.0\pt-br\msntb.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe

O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\system32\csrs.exe

O4 - HKLM\..\Run: [services] C:\WINNT\system32\iexploler.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\lssas.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater1.02.0002.1001\pt-br\msnappau.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

RenatoMejias · Fevereiro 25, 2007

Ok, há uma infecção por um trojan banker. Este trojan captura senhas e as envia para um cracker. É recomendável que troque as mesmas.

Baixe > BankerFix

Desative o seu anti vírus temporariamente, para não haver conflitos.

Dê um duplo-clique no bankerfix.exe, dê o Enter e espere ele terminar. Ao terminar, leia a mensagem na tela e aperte Enter novamente.

Habilite o seu anti vírus.

Faça também um novo log do HijackThis para colocar na sua resposta, junto com o relatorio.txt do BankerFix. Está em C:\LinhaDefensiva\relatorio.txt

Depois de fazer sua resposta você pode apagar a pasta LinhaDefensiva que está em C:\

Diogo Flammarion · Fevereiro 25, 2007

ok, fiz o procedimento que você me falou...

aqui esta o relatorio do bankerfix

INICIANDO BANKER FIX

=======================================================

Arquivo infectado detectado: C:\WINNT\system32\csrs.exe

Arquivo infectado removido com sucesso!

INICIANDO FOX FIX

=======================================================

Iniciando Log do PV

-----------------------------------

Killing '*'

Arquivos a remover

-----------------------------------

Arquivos ruins restantes

-----------------------------------

Reg Importado

-----------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

e também aqui um novo logo do hijack

Logfile of HijackThis v1.99.1

Scan saved at 10:26:38, on 25/2/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\LEXPPS.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe

C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmon.exe

C:\Arquivos de programas\Winamp\winampa.exe

C:\WINNT\system32\iexploler.exe

C:\WINNT\SOUNDMAN.EXE

C:\WINNT\system32\lssas.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\WINNT\system32\wuauclt.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\MSN Apps\Updater1.02.0002.1001\pt-br\msnappau.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.MSN.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Barra de Ferramentas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Toolbar1.01.2607.0\pt-br\msntb.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe

O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\system32\csrs.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\lssas.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater1.02.0002.1001\pt-br\msnappau.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

alguém aí pra analisar meu log??? :lol:

RenatoMejias · Fevereiro 25, 2007

Baixe o Pocket KillBox

Salve em uma pasta em C:\

Abra o Bloco de Notas, copie estas linhas e salve.

C:\WINNT\system32\iexploler.exe

C:\WINNT\system32\csrs.exe

C:\WINNT\system32\lssas.exe

Abra o KillBox e marque a função Delete on Reboot. Abra o Bloco de notas, selecione e copie as linhas salvas. No KillBox, clique em File, depois em Paste from Clipboard, Clique no botão All Files e clique no botão X. Depois clique em Não.

Abra o Hijackthis, clique em Do scan a system only, marque as entradas abaixo e clique no botão Fix Checked.

O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\system32\csrs.exe

O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\lssas.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Reinicie e poste um novo Log do Hijackthis feito em Modo Normal.

Diogo Flammarion · Fevereiro 25, 2007

Ow mano deu um erro aqui quando eu vou abrir esse killbox, aparece essa mensagem

"Component 'MSCOMCTL.OCX' or one of its dependencies not correctly registered: a file is missing or invalid"

RenatoMejias · Fevereiro 25, 2007

Baixe essa ferramenta e coloque no seu desktop:

http://www.javacoolsoftware.net/downloads/...ngfilesetup.exe

Execute e reinicie e veja se o killbox funciona, se sim, prossiga com os procedimentos indicados acima.

Diogo Flammarion · Fevereiro 25, 2007

deu certo o killbox funcionou, dai segui os procedimentos, eis aqui o log do hijackthis que acabei d fazer

Logfile of HijackThis v1.99.1

Scan saved at 13:20:45, on 25/2/2007

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\LEXPPS.EXE

C:\Arquivos de programas\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Arquivos de programas\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Arquivos de programas\Winamp\winampa.exe

C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe

C:\Arquivos de programas\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe

C:\Arquivos de programas\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.MSN.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Arquivos de programas\GetRight\xx2gr.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Barra de Ferramentas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Toolbar1.01.2607.0\pt-br\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater1.02.0002.1001\pt-br\msnappau.exe"

O4 - HKLM\..\Run: [services] C:\WINNT\system32\iexploler.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [CaAvTray] "C:\Arquivos de programas\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Arquivos de programas\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O8 - Extra context menu item: Abrir com o GetRight Browser - C:\ARQUIV~1\GetRight\GRbrowse.htm

O8 - Extra context menu item: Download com o GetRight - C:\ARQUIV~1\GetRight\GRdownload.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Arquivos de programas\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Arquivos de programas\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

RenatoMejias · Fevereiro 25, 2007

Abra o Bloco de Notas, copie estas linhas e salve.

C:\WINNT\system32\iexploler.exe

Abra o KillBox e marque a função Delete on Reboot. Abra o Bloco de notas, selecione e copie as linhas salvas. No KillBox, clique em File, depois em Paste from Clipboard, Clique no botão All Files e clique no botão X. Depois clique em Não.

Abra o Hijackthis, clique em Do scan a system only, marque as entradas abaixo e clique no botão Fix Checked.

O4 - HKLM\..\Run: [services] C:\WINNT\system32\iexploler.exe

Reinicie e poste um novo Log do Hijackthis feito em Modo Normal.

Diogo Flammarion · Fevereiro 25, 2007

procedimentos feitos... novo log do hijackthis

Logfile of HijackThis v1.99.1

Scan saved at 13:39:31, on 25/2/2007