
Archived

This topic has been archived and is closed to new replies.

Elu

[Archived] to get rid of trojans!


Everyone,

I really need some help. I have noticed strange behaviour on my computer. I installed AVG Anti-Spyware, it found a huge (polymorphic) trojan, I removed it, but I suspect there is still more. AVG no longer stays resident in the tray; I have already uninstalled and reinstalled it, but it will not enable. Another thing: I installed the AVS antivirus, and now the same thing has started happening, that is, the resident protection shows as enabled but does not run; to scan files I have to do it manually.

I would also like to know whether it is possible for someone to simulate a malicious process to access the computer through legitimate processes such as Internet Explorer, svchost, etc., and how I can confirm the authenticity of a process when the firewall asks me to allow it.

I ran the Kaspersky online virus scan, and it found a series of locked files, which I post below:

 

Infected Object Name Virus Name Last Action

C:\Arquivos de programas\Finjan Secure Browsing\logs\SecureBrowsingBho.log Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Histórico\History.IE5\MSHist012007050820070509\index.dat Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Temp\~DF6AB0.tmp Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Temp\~DF99EE.tmp Object is locked skipped

C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrador\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\cert8.db Object is locked skipped

C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\history.dat Object is locked skipped

C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\key3.db Object is locked skipped

C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\parent.lock Object is locked skipped

C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\7swvjel1.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Administrador\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrador\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\All Users\Dados de aplicativos\AOL\AVP6\Report10f_File_Monitoring_eventlog.rpt Object is locked skipped

C:\Documents and Settings\All Users\Dados de aplicativos\AOL\AVP6\Report\detected.idx Object is locked skipped

C:\Documents and Settings\All Users\Dados de aplicativos\AOL\AVP6\Report\detected.rpt Object is locked skipped

C:\Documents and Settings\All Users\Dados de aplicativos\AOL\AVP6\Report\eventlog.rpt Object is locked skipped

C:\Documents and Settings\All Users\Dados de aplicativos\AOL\AVP6\Report\report.rpt Object is locked skipped

C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{6DEAB8FC-E2F8-481A-BEC2-99C71F7232CE}\RP19\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{E5F4D760-9266-4013-90B4-EFAC212A16AB}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\lqoe89kr.lwp Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\~DFC498.tmp Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Below is the HijackThis report:

 

Logfile of HijackThis v1.99.1

Scan saved at 17:02:05, on 9/5/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\aaksrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\AOL\Active Virus Shield\avp.exe

C:\Arquivos de programas\Comodo\Firewall\cmdagent.exe

C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

C:\Arquivos de programas\Marcos Velasco Security\MV AntiSpy 4.0\ANTISPY.EXE

C:\Arquivos de programas\AOL\Active Virus Shield\avp.exe

C:\Arquivos de programas\Ahead\InCD\InCD.exe

C:\Arquivos de programas\Comodo\Firewall\CPF.exe

C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Advanced Anti Keylogger\aak.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\Rar$EX00.424\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - C:\Arquivos de programas\AOL Security Toolbar\AOL_security_toolbar.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SecureBrowsingBho Helper - {7632ABCA-B104-4fbc-9C70-419C4147061B} - C:\Arquivos de programas\Finjan Secure Browsing\bho.dll

O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - C:\Arquivos de programas\AOL Security Toolbar\AOL_security_toolbar.dll

O3 - Toolbar: GuardedID - {CB7DC2DA-D8C9-4004-8548-1E24AA7D46DE} - C:\Arquivos de programas\SFT\GuardedID\GIDTB.dll

O3 - Toolbar: Finjan Secure Browsing - {B99F805C-F0B1-48EA-8C8B-753BFCBED913} - C:\Arquivos de programas\Finjan Secure Browsing\bho.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [MVAntiSpy] "C:\Arquivos de programas\Marcos Velasco Security\MV AntiSpy 4.0\ANTISPY.EXE" /TRAY

O4 - HKLM\..\Run: [aol] "C:\Arquivos de programas\AOL\Active Virus Shield\avp.exe"

O4 - HKLM\..\Run: [inCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Arquivos de programas\Comodo\Firewall\CPF.exe" /background

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [AAK] C:\Arquivos de programas\Advanced Anti Keylogger\aak.exe /silent

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7F7EBB33-119D-40A4-BD5B-77A8D4F109BC}: NameServer = 200.195.192.10,201.10.128.5

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - AppInit_DLLs: system32\aakah.dll

O20 - Winlogon Notify: GIDNotify - C:\WINDOWS\SYSTEM32\GIDNotify.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O23 - Service: aaksrv - Spydex, Inc. - C:\WINDOWS\system32\aaksrv.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Arquivos de programas\AOL\Active Virus Shield\avp.exe" -r (file missing)

O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Arquivos de programas\Comodo\Firewall\cmdagent.exe

O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe

 

Ah, I would also like to know why these files are listed as missing:

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Arquivos de programas\AOL\Active Virus Shield\avp.exe" -r (file missing)

 

And what are GIDNotify.dll and klogon.dll for?

 

Thank you, I very much appreciate the help!
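The thread has no reply, so as an added example (not from the poster or the forum) here is a small triage parser for HijackThis 1.99.1 lines of the kind posted above. It pulls the file path out of each entry and flags what a helper would check first: "(file missing)" entries, entries whose path carries a lone closing quote (the O23 AVP line, which suggests a quoted service ImagePath with a trailing "-r" argument was cut at the quote, so the file may well exist), "Unknown owner" services, and everything in the O20/O23 sections (AppInit_DLLs, Winlogon Notify and services), where a publisher or signature check is warranted before trusting the entry. The sample lines are copied from the log above; the flag names and section choices are this example's own.

```python
import re

# HijackThis 1.99.1 lines copied from the log posted in this thread (a sample, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [aol] "C:\Arquivos de programas\AOL\Active Virus Shield\avp.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: system32\aakah.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Arquivos de programas\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: aaksrv - Spydex, Inc. - C:\WINDOWS\system32\aaksrv.exe
"""

# A path starts with a drive letter, or with a bare system32\ (AppInit_DLLs entries are
# relative to the Windows directory), and ends at the first module extension.
PATH_RE = re.compile(r'((?:[A-Za-z]:\\|system32\\)[^"]*?\.(?:exe|dll|sys|ocx))\b', re.I)

# Sections whose entries load code into every process, into winlogon, or as a service.
# These are this example's choice of "verify the publisher first" locations.
HIGH_VALUE_SECTIONS = {"O20", "O23"}


def parse_line(line):
    """Return (section, path, flags) for one HijackThis line, or None if it has no path."""
    section = line.split(" - ", 1)[0].strip()
    m = PATH_RE.search(line)
    if not m:
        return None
    flags = []
    if "(file missing)" in line:
        flags.append("file missing")
    if line.count('"') % 2 == 1:
        # A lone closing quote means a quoted ImagePath with arguments was cut at the
        # quote; the file may exist even though HijackThis reports it as missing.
        flags.append("unbalanced quote")
    if "Unknown owner" in line:
        flags.append("unknown owner")
    if section in HIGH_VALUE_SECTIONS:
        flags.append("verify publisher")
    return section, m.group(1), flags


def triage(log_text):
    """Parse every line that carries a file path and keep the entries with at least one flag."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2]:
            findings.append({"section": parsed[0], "path": parsed[1], "flags": parsed[2]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], f["path"], "->", ", ".join(f["flags"]))
```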


ARCHIVED TOPIC

Since the author has not replied for more than 20 days, the topic has been archived.

If you are the author of the topic and want to reopen it, send a private message to a moderator of the section together with the link to this topic and explain the reason for reopening it.
