[Resolvido!]trojan horse generic3

Djan · Julho 18, 2007

já execcutei o killbox, e o atf cleaner

ao tentar eliminar o registro pelo hijackthis

li no artigo que deveria ser apagado a linha

04-HKCU .........

e o q aparece no meu log é

04 HKLM ........

segue abaixo o log para apareciação ... aguardo ! obrigado !

Logfile of HijackThis v1.99.1

Scan saved at 11:46:18, on 17/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\WgaTray.exe

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\ptrms.exe

C:\WINDOWS\SMSS.EXE

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://br.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com

R3 - URLSearchHook: Yahoo! Barra de Ferramentas - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: Yahoo! Barra de Ferramentas - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [iE21] c:\windows\system32\ie21.exe

O4 - HKLM\..\Run: [xsmsn] C:\WINDOWS\ptrms.exe

O4 - HKLM\..\Run: [winlsmss] C:\WINDOWS\SMSS.EXE %1

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [VoipDiscount] "C:\Arquivos de programas\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" -nosplash -minimized

O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\ARQUIV~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab

O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab

O16 - DPF: Yahoo! Fleet - http://download2.games.yahoo.com/games/clients/y/fltt3_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{854D7639-6256-457F-A417-BACEA3A49450}: NameServer = 192.168.100.1

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

jgarcia · Julho 19, 2007

Opa Djan,

Baixe o ComboFix em:

ComboFix

1) Dê um duplo-clique no combofix.exe e tecle "Y" para prosseguir. O processo vai durar, em média, 10 minutos;

2) O ComboFix reiniciará o PC automaticamente, a fim de que o processo de remoção seja finalizado (somente se houver infecção);

3) Quando a varredura acabar, será gerado um log, que estará em C:\ComboFix.txt;

4) Não clique na janela do ComboFix, nem feche clicando no X, enquanto a ferramenta estiver sendo executada, pois isto implicará na desconfiguração de seu desktop (ele ficará todo branco);

5) Para parar ou sair do ComboFix, tecle "N";

6) Preciso que você cole o conteúdo do ComboFix.txt em sua próxima resposta.

Abraços.

Djan · Julho 20, 2007

"Usuario" - 2007-07-20 10:16:02 - ComboFix 07-07-17.8 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\smss.exe

C:\WINDOWS\system32\_000110_.tmp.dll

((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))

2007-07-20 10:14 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-17 11:23 <DIR> d-------- C:\!KillBox

2007-07-17 11:21 <DIR> d-------- C:\HijackThis

2007-07-17 09:43 <DIR> d-------- C:\Windows_XP_Original_Serial

2007-07-17 09:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\Lavasoft

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-13 11:22:48 -------- d-----w C:\Arquivos de programas\Google

2007-07-11 14:00:48 67,450 ----a-w C:\WINDOWS\system32\perfc016.dat

2007-07-11 14:00:48 425,426 ----a-w C:\WINDOWS\system32\perfh016.dat

2007-07-04 12:52:17 -------- d-----w C:\Arquivos de programas\Hanoi

2007-06-22 18:39:08 -------- d-----w C:\Arquivos de programas\Windows Live Toolbar

2007-05-31 12:57:22 -------- d-----w C:\Arquivos de programas\Messenger

2007-05-28 13:55:22 -------- d-----w C:\Arquivos de programas\MSN Messenger

2007-05-22 19:02:10 -------- d-----w C:\Arquivos de programas\Winamp

2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]

2006-10-26 11:28 440384 --a------ C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2001-04-16 18:06 37808 --a------ C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NWEReboot"="" []

"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2007-04-23 08:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2006-01-24 20:31]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24]

"VoipDiscount"="C:\Arquivos de programas\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" []

"Nero PhotoShow Media Manager"="C:\ARQUIV~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" []

C:\DOCUME~1\ALLUSE~1\MENUIN~1\PROGRA~1\INICIA~1

Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-20 10:18:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-20 10:19:59

C:\ComboFix-quarantined-files.txt ... 2007-07-20 10:19

--- E O F ---

jgarcia · Julho 20, 2007

Opa Djan,

Poste um novo log do HijackThis.

Abraços.

Djan · Agosto 3, 2007

O Problema foi resolvido !! Valeu !!!

segue o log

Logfile of HijackThis v1.99.1

Scan saved at 09:06:00, on 3/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\System32\svchost.exe

C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://br.yahoo.com

R3 - URLSearchHook: Yahoo! Barra de Ferramentas - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll