Ir para conteúdo

Arquivado

Este tópico foi arquivado e está fechado para novas respostas.

atrantica

[Arquivado]virus ilha da fantasia

Por , em Tópicos Arquivados (Seguranca & Malwares)

Recommended Posts

atrantica    0

atrantica
Postado

Olá pessoal do fórum,

 

vou lhes enviar o log a seguir:

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 5:47:57 PM, on 11/1/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\WINNT\TEMP\DME047.EXE

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\WINNT\system32\system32.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\wwtask.exe

C:\hajadisk\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.atlantida.com.br/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.atlantida.com.br

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconf.rbs.com.br/index.html

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [system32] C:\WINNT\system32\system32.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [rqqsnd] C:\WINNT\rqqsnd.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [K-Lite Nitro BETA] C:\Program Files\K-LiteNitro\K-LiteNitro.exe /hide

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RBS.NET

O17 - HKLM\System\CCS\Services\Tcpip\..\{82708951-3645-4102-9E28-BE2FDD3F300C}: NameServer = 172.17.96.2,192.168.50.145

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RBS.NET

O17 - HKLM\System\CS1\Services\Tcpip\..\{82708951-3645-4102-9E28-BE2FDD3F300C}: NameServer = 172.17.96.2,192.168.50.145

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RBS.NET

O17 - HKLM\System\CS2\Services\Tcpip\..\{82708951-3645-4102-9E28-BE2FDD3F300C}: NameServer = 172.17.96.2,192.168.50.145

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Network Agent Driver Tz0 (NetworkAgent) - Unknown owner - C:\WINNT\system32\agexec.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)

 

 

 

aguardo ajuda dos analisadore junto com a continuaidade do processo de remoção do virus/spyware!!!

 

 

abraço a tods, valeu pela atenção

Compartilhar este post

Link para o post
Compartilhar em outros sites

Sam Spade    2

Sam Spade
Postado

Olá atrantica! Há uma infecção por um trojan banker. Este trojan captura senhas e as envia para um hacker. É recomendável que troque as mesmas.

 

Baixe > BankerFix

 

Desative o seu anti vírus temporariamente, para não haver conflitos.

 

Dê um duplo-clique no bankerfix.exe, dê o Enter e espere ele terminar. Ao terminar, leia a mensagem na tela e aperte Enter novamente.

 

Habilite o seu anti vírus.

 

Faça também um novo log do HijackThis para colocar na sua resposta, junto com o relatorio.txt do BankerFix. Está em C:\LinhaDefensiva\relatorio.txt

 

Depois de fazer sua resposta você pode apagar a pasta LinhaDefensiva que está em C:\

Compartilhar este post

Link para o post
Compartilhar em outros sites

atrantica    0

atrantica
Postado

Sam Spade,muito obrigado pela atenção, somente na seguna feira 06/11, vou poder realizar as operações, pois estou ajudando um amigo. Se este tópico puder ficar aberto até lá, obrigado!valeu pela atenção, até breve.

Compartilhar este post

Link para o post
Compartilhar em outros sites

atrantica    0

atrantica
Postado

valeu samspade, valeupela atenção

 

la vai o log do hijadisk e na sequencia o do banker fix!

 

 

valeu

 

 

Logfile of HijackThis v1.99.1

Scan saved at 6:21:09 PM, on 11/10/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\wwtask.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINNT\TEMP\WS8CEB.EXE

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\pccntmon.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\hajadisk\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.atlantida.com.br/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.atlantida.com.br

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconf.rbs.com.br/index.html

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [K-Lite Nitro BETA] C:\Program Files\K-LiteNitro\K-LiteNitro.exe /hide

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RBS.NET

O17 - HKLM\System\CCS\Services\Tcpip\..\{82708951-3645-4102-9E28-BE2FDD3F300C}: NameServer = 172.17.96.2,192.168.50.145

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RBS.NET

O17 - HKLM\System\CS1\Services\Tcpip\..\{82708951-3645-4102-9E28-BE2FDD3F300C}: NameServer = 172.17.96.2,192.168.50.145

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RBS.NET

O17 - HKLM\System\CS2\Services\Tcpip\..\{82708951-3645-4102-9E28-BE2FDD3F300C}: NameServer = 172.17.96.2,192.168.50.145

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Network Agent Driver Tz0 (NetworkAgent) - Unknown owner - C:\WINNT\system32\agexec.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)

 

 

 

 

 

 

bankerfix:

 

 

 

INICIANDO BANKER FIX

=======================================================

 

Arquivo infectado detectado: C:\WINNT\rqqsnd.exe

Arquivo infectado removido com sucesso!

 

Arquivo infectado detectado: C:\WINNT\system32\system32.exe

Arquivo infectado removido com sucesso!

 

 

INICIANDO FOX FIX

=======================================================

Iniciando Log do PV

-----------------------------------

 

Killing '*'

 

Arquivos a remover

-----------------------------------

 

 

Arquivos ruins restantes

-----------------------------------

 

 

Reg Importado

-----------------------------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

 

 

 

é isso ae,desculpaa demora,

pbrigado!!!

Compartilhar este post

Link para o post
Compartilhar em outros sites

Sam Spade    2

Sam Spade
Postado

Tópico Arquivado

 

Como o autor não respondeu por mais de 20 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.

Compartilhar este post

Link para o post
Compartilhar em outros sites
Ir para a lista de tópicos Tópicos Arquivados (Seguranca & Malwares)
×

Informação importante

Ao usar o fórum, você concorda com nossos Termos e condições.

  Aceito