Author Topic: danilobc BHO Infection (Read 3694 times)

danilobc · « **on:** January 09, 2008, 02:30:21 PM »

Hello,

Another case of BHO infection.

Please, anyone can help me?

The Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:51, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:6588
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06D23DEB-8297-493F-A554-E7F71E5DF420} - C:\WINDOWS\system32\CS.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?95ac7ef070d2456ca544a4b1ffc0a48e
O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?95ac7ef070d2456ca544a4b1ffc0a48e
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: Enviar para &Bluetooth - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ovrscn - ovrscn.dll (file missing)
O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

--
End of file - 8134 bytes

danilobc · « **Reply #1 on:** January 09, 2008, 02:33:26 PM »

ComboFix 08-01-03.4 - eloivaldo 2008-01-03 12:06:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.52 [GMT -2:00]
Executando de: C:\Documents and Settings\eloivaldo\Desktop\ComboFix.exe
* Criado um novo ponto de restauro
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\bloggermessenger.exe
C:\WINDOWS\inf\infw.com
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\dhcp\spolsv.exe
C:\WINDOWS\traysssw.exe
C:\WINDOWS\userinit.exe

.
((((((((((((((((((((((( Ficheiros criados de 2007-12-03 to 2008-01-03 ))))))))))))))))))))))))))))))))
.

2008-01-03 12:05 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-12-11 14:47 . 2007-12-11 14:47   268   --ah-----   C:\sqmdata00.sqm
2007-12-11 14:47 . 2007-12-11 14:47   244   --ah-----   C:\sqmnoopt00.sqm

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 13:25   ---------   d-----w   C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin
2007-12-07 13:02   19,456   ----a-w   C:\WINDOWS\system32\drivers\fjusmgnw.dat
2007-12-06 19:51   ---------   d-----w   C:\Arquivos de programas\GbPlugin
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   -c--a-w   C:\WINDOWS\system32\AvastSS.scr
2007-03-14 12:50   92,064   -c--a-w   C:\Documents and Settings\eloivaldo\mqdmmdm.sys
2007-03-14 12:50   9,232   -c--a-w   C:\Documents and Settings\eloivaldo\mqdmmdfl.sys
2007-03-14 12:50   79,328   -c--a-w   C:\Documents and Settings\eloivaldo\mqdmserd.sys
2007-03-14 12:50   66,656   -c--a-w   C:\Documents and Settings\eloivaldo\mqdmbus.sys
2007-03-14 12:50   6,208   -c--a-w   C:\Documents and Settings\eloivaldo\mqdmcmnt.sys
2007-03-14 12:50   5,936   -c--a-w   C:\Documents and Settings\eloivaldo\mqdmwhnt.sys
2007-03-14 12:50   4,048   -c--a-w   C:\Documents and Settings\eloivaldo\mqdmcr.sys
2007-03-14 12:50   25,600   -c--a-w   C:\Documents and Settings\eloivaldo\usbsermptxp.sys
2007-03-14 12:50   22,768   -c--a-w   C:\Documents and Settings\eloivaldo\usbsermpt.sys
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06D23DEB-8297-493F-A554-E7F71E5DF420}]
2004-09-17 14:55   94976   --a------   C:\WINDOWS\system32\CS.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 01:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 11:00 79224]
"Adobe Photo Downloader"="C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-14 16:09 57344]
"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:45 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [2006-10-16 17:32 226344]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\Arquivos de programas\GbPlugin\gbiehabn.dll [2007-10-30 16:43 339888]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2007-01-12 11:58 222376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ovrscn]
ovrscn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginAbn]
C:\Arquivos de programas\GbPlugin\gbiehabn.dll 2007-10-30 16:43 339888 C:\Arquivos de programas\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ovrscn.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ovwscn.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^BTTray.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^K-Lite2006.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\K-Lite2006.lnk
backup=C:\WINDOWS\pss\K-Lite2006.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^system32.exe]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\system32.exe
backup=C:\WINDOWS\pss\system32.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-07-14 16:09   57344   --a------   C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51   39792   --a------   C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
         c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Codec]
         C:\WINDOWS\system32\dhcp\spoolsvs.exe

danilobc · « **Reply #2 on:** January 09, 2008, 02:35:20 PM »

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 01:45   15360   --a--c---   C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dllhost]
         C:\WINDOWS\inf\dllhost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4100 Series]
         C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEL.EXE /P26 EPSON Stylus CX4100 Series /O6 USB001 /M Stylus CX4100

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2003-12-17 09:40   1241138   --a--c---   C:\Arquivos de programas\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
         C:\Arquivos de programas\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
         C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 09:50   155648   --a--c---   C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetFirewall]
         C:\WINDOWS\system\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
         C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
2004-05-12 17:22   249856   --a--c---   C:\WINDOWS\System32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
2002-07-12 08:15   106496   --a--c---   C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
         sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftInc]
         C:\WINDOWS\traysssw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
         SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOUNDMANN]
         C:\WINDOWS\system\spoolsv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
         VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsFirewall]
2004-08-04 01:45   13824   --a--c---   C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsLogon]
         C:\WINDOWS\system32\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InCDsrv"=2 (0x2)
"GbpSv"=2 (0x2)
"btwdins"=2 (0x2)

R0 iccdfcuf;iccdfcuf;C:\WINDOWS\system32\drivers\fjusmgnw.dat []
R1 ovwscn;Memory SCN;C:\WINDOWS\system32\ovwscn.sys [2004-08-04 01:45]
S2 ovrscn;Memory SCN X1;C:\WINDOWS\system32\ovrscn.sys [2004-08-04 01:45]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 15:31]

*Newly Created Service* - PROCEXP90
.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-01-03 14:08:05 C:\WINDOWS\Tasks\Verificar Atualizações para a Barra de Ferramentas do Windows Live.job"
- C:\Arquivos de programas\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 12:08:37
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

C:\WINDOWS\system32\ovrscn.sys 3696 bytes executable
C:\WINDOWS\system32\ovwscn.sys 19184 bytes executable
C:\WINDOWS\system32\qy.sys 3696 bytes executable
C:\WINDOWS\system32\qz.dll 35264 bytes executable
C:\WINDOWS\system32\qz.sys 19184 bytes executable

Varredura completada com sucesso
Ficheiros ocultos: 5

**************************************************************************
.
Tempo para conclusão: 2008-01-03 12:09:38
ComboFix-quarantined-files.txt 2008-01-03 14:09:22

oldman · « **Reply #3 on:** January 09, 2008, 02:57:18 PM »

Hi this will get you started. It will be a while till I can get back to you, but I will go over your logs more thouroghly.

Are you using a proxy?

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:6588

What was the name of the problem file?

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: ovrscn - ovrscn.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)

Close all other browsers/windows, click fix, close HJT.

Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Quote

File::
C:\WINDOWS\system32\drivers\fjusmgnw.dat

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

danilobc · « **Reply #4 on:** January 09, 2008, 04:18:45 PM »

Hi oldman,

The proxy key is old. I don't use proxy anymore.

The file was intected is C:\windows\system32\CS.DLL but I cannot delete or modify file or Registry key.

I tried to remove key manually on normal mode and safe mode without sucess.

Tks,
danilobc

New Hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17, on 2008-01-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com.br/0SEPTBR/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:6588
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06D23DEB-8297-493F-A554-E7F71E5DF420} - C:\WINDOWS\system32\CS.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/229?95ac7ef070d2456ca544a4b1ffc0a48e
O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Arquivos de programas\Windows Live Toolbar\Components\pt-br\msntabres.dll.mui/230?95ac7ef070d2456ca544a4b1ffc0a48e
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: Enviar para &Bluetooth - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe

--
End of file - 8084 bytes

oldman · « **Reply #5 on:** January 09, 2008, 04:40:59 PM »

HI danilobc

You have other problems, but I would like to take care of the BHO first. You can use the extra options button on the reply page to attach logs.

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {06D23DEB-8297-493F-A554-E7F71E5DF420} -C:\WINDOWS\system32\CS.dll

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Quote

File::
C:\windows\system32\CS.DLL

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply .

Author Topic: danilobc BHO Infection (Read 3694 times)

danilobc

danilobc BHO Infection

danilobc

Re: danilobc BHO Infection

danilobc

Re: danilobc BHO Infection

oldman

Re: danilobc BHO Infection

danilobc

Re: danilobc BHO Infection

oldman

Re: danilobc BHO Infection