[Resolvido!]analise de log do hijackthis

ze adauto · Novembro 2, 2007

Olá..aqui está o logo gerado........suspeito de malware pois a todo momento está abrindo páginas do IE...valew

Logfile of HijackThis v1.99.1

Scan saved at 16:15:48, on 2/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe

C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe

c:\ARQUIV~1\ARQUIV~1\mcafee\mna\mcnasvc.exe

C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe

C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe

c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe

C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe

C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe

c:\ARQUIV~1\mcafee.com\agent\mcagent.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\MSN Messenger\usnsvc.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\uutamdpg.dll",sitypnow

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\ARQUIV~1\ARQUIV~1\McAfee\EmProxy\emproxy.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

DigRam · Novembro 2, 2007

Boa Tarde ze adauto!

>@< Faça o download do ComboFix.

>@< Baixe-o para o Desktop!

>@< Feche todas as janelas e execute a ferramenta!

>@< Para quem possui o Avast,surgirá um alerta de malware ( Win32 D adobra-EY[Trj] ),que deverá ser ignorado.

>@< Abrirá a janela Auto Scan. Aguarde!

>@< Digite a opção para continuar < Enter >

>@< Aguarde a conclusão!

>@< Poste o relatório: C:\ComboFix.txt,na sua resposta + Log do HJT,atualizado.

Abraços!

ze adauto · Novembro 2, 2007

Agora vai o relatório do combofix e um atualizado do hjt

Agradeço a ajuda

ComboFix 07-11-01.1** - Usuario 2007-11-02 16:51:35.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.20 [GMT -3:00]

Executando de: C:\Documents and Settings\Usuario\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\cookies.ini

C:\WINDOWS\system32\ajsualub.dll

C:\WINDOWS\system32\bawgolru.dll

C:\WINDOWS\system32\cfapnmhi.dll

C:\WINDOWS\system32\dkjqqwlu.dll

C:\WINDOWS\system32\edddudsp.ini

C:\WINDOWS\system32\etlfbnor.dll

C:\WINDOWS\system32\fjxrbehj.dll

C:\WINDOWS\system32\fomedqgj.dll

C:\WINDOWS\system32\gdnhohqo.dll

C:\WINDOWS\system32\geebc.dll

C:\WINDOWS\system32\gonjkfgi.dll

C:\WINDOWS\system32\gousfdlk.dll

C:\WINDOWS\system32\gpdmatuu.ini

C:\WINDOWS\system32\gpdqyeqm.dll

C:\WINDOWS\system32\haammrxq.dll

C:\WINDOWS\system32\htjckbhr.dll

C:\WINDOWS\system32\igfkjnog.ini

C:\WINDOWS\system32\jsseqmod.dll

C:\WINDOWS\system32\khruglvx.dll

C:\WINDOWS\system32\myweavvq.dll

C:\WINDOWS\system32\ojavthsi.dll

C:\WINDOWS\system32\psduddde.dll

C:\WINDOWS\system32\qhqcwcro.dll

C:\WINDOWS\system32\rwxmkvnm.dll

C:\WINDOWS\system32\snmgyqwx.dll

C:\WINDOWS\system32\tqqgrelv.dll

C:\WINDOWS\system32\udeaaqrc.dll

C:\WINDOWS\system32\uutamdpg.dll

C:\WINDOWS\system32\wbarslji.dll

C:\WINDOWS\system32\xvlgurhk.ini

C:\WINDOWS\system32\yeqveysu.dll

.

((((((((((((((((((((((( Ficheiros criados de 2007-10-02 to 2007-11-02 ))))))))))))))))))))))))))))))))

.

2007-11-02 16:48 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-11-02 16:14 <DIR> d-------- C:\Hijackthis

2007-10-15 19:04 <DIR> d-------- C:\Documents and Settings\Usuario\Dados de aplicativos\BSplayer Pro

2007-10-15 19:04 <DIR> d-------- C:\Documents and Settings\Usuario\Dados de aplicativos\BSplayer

2007-10-15 19:04 <DIR> d-------- C:\Arquivos de programas\Webteh

2007-10-09 18:55 <DIR> d-------- C:\Arquivos de programas\Guitar Pro 4 Demo

2007-10-09 15:42 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys

2007-10-09 15:42 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys

2007-10-09 15:42 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys

2007-10-09 15:42 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys

2007-10-09 15:42 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys

2007-10-09 15:42 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys

2007-10-09 15:40 <DIR> d-------- C:\Arquivos de programas\McAfee.com

2007-10-09 15:39 <DIR> d-------- C:\Arquivos de programas\McAfee

2007-10-09 15:39 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\McAfee

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-01 01:49 591,136 ----a-w C:\Arquivos de programas\DMSetup-Serial.exe

2008-09-01 01:30 7,939,032 ----a-w C:\Arquivos de programas\Windows-KB890830-V1.32.exe

2007-10-09 18:45 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\McAfee

2007-09-27 16:00 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2007-09-26 22:07 --------- d-----w C:\Arquivos de programas\Mafia

2007-09-19 16:33 --------- d-----w C:\Arquivos de programas\MSXML 4.0

2007-09-18 21:00 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\MAGIX

2007-09-18 20:56 --------- d-----w C:\Arquivos de programas\MAGIX

2007-09-18 20:56 --------- d-----w C:\Arquivos de programas\Arquivos comuns\MAGIX Shared

2007-09-15 02:44 --------- d-----w C:\Arquivos de programas\QuickTime

2007-09-02 18:03 --------- d-----w C:\Arquivos de programas\Cakewalk

2007-08-22 18:33 3,028,992 ----a-w C:\Arquivos de programas\theplayerT.exe

2007-08-06 20:16 18,176,512 ----a-w C:\Arquivos de programas\aaw2007.exe

2007-08-02 01:21 23,702,824 ----a-w C:\Arquivos de programas\SkypeSetup.exe

2007-07-28 20:41 16,381,000 ----a-w C:\Arquivos de programas\setupporpro.exe

2007-06-22 19:27 4,301,387 ----a-w C:\Arquivos de programas\Shareaza_2.2.5.0.exe

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-09-14 23:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrolj]

rqrrolj.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

"C:\Arquivos de programas\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

"C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

"C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Arquivos de programas\Java\jre1.6.0\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

VTtrayp.exe

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys

.

Conteúdo da pasta 'Tarefas Agendadas'

"2007-10-09 18:41:17 C:\WINDOWS\Tasks\McDefragTask.job"

- c:\ARQUIV~1\mcafee\mqc\QcConsol.exe

"2007-10-09 18:41:15 C:\WINDOWS\Tasks\McQcTask.job"

- c:\ARQUIV~1\mcafee\mqc\QcConsol.exe

.

**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-02 17:01:49

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

**************************************************************************

.

Tempo para conclusão: 2007-11-02 17:06:29 - machine was rebooted

.

--- E O F ---

Logfile of HijackThis v1.99.1

Scan saved at 17:07:50, on 2/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe

C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe

c:\ARQUIV~1\ARQUIV~1\mcafee\mna\mcnasvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe

C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe

c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe

C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe

C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

c:\ARQUIV~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\notepad.exe

C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\ARQUIV~1\mcafee\VIRUSS~1\scriptcl.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)