Archived

This topic has been archived and is closed to new replies.

J_Alison

[Archived] Log analysis

Logfile of HijackThis v1.99.1

Scan saved at 11:48:37, on 9/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe

C:\Arquivos de programas\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe

C:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~3\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll

O2 - BHO: ContextProgram - {E4D1D56C-3EC9-2F5D-FAA3-4112CCDD61DC} - C:\Arquivos de programas\ContextProgram\ContextProgram-2.dll

O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: http://click.getmirar.com (HKLM)

O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip\..\{1EDCC955-FD4A-48CB-87C9-2C90D21DBE12}: NameServer = 200.165.132.155 200.149.55.140

O17 - HKLM\System\CS1\Services\Tcpip\..\{1EDCC955-FD4A-48CB-87C9-2C90D21DBE12}: NameServer = 200.165.132.155 200.149.55.140

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~3\Office12\GR99D3~1.DLL

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)

O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)

O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)

O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)


Hey J_Alison,

 

Download ComboFix from:

ComboFix

 

1) Temporarily disable your antivirus;

2) Double-click combofix.exe and press "1" to proceed. The process takes about 10 minutes on average;

3) ComboFix will restart the PC automatically so that the removal process can finish (only if an infection is found);

4) When the scan finishes, a log will be generated at C:\ComboFix.txt;

5) Do not click on the ComboFix window or close it with the X while the tool is running, as this will mess up your desktop (it will turn completely white);

6) To stop or quit ComboFix, press "N";

7) Re-enable your antivirus;

8) Please paste the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

 

Cheers.


---------------------------

combofix

---------------------------

ComboFix 08-03-09.1 - JOAS 2008-03-09 20:55:25.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.32 [GMT -3:00]

Running from: C:\Documents and Settings\JOAS\Desktop\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\Cache

C:\WINDOWS\system32\service.exe

C:\WINDOWS\system32\winnb58.dll

 

.

((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 ))))))))))))))))))))))))))))))))

.

 

2008-03-09 13:06 . 2008-03-09 13:12 <DIR> d-------- C:\Documents and Settings\JOAS\Dados de aplicativos\AVG7

2008-03-09 13:00 . 2008-03-09 13:00 <DIR> d-------- C:\Documents and Settings\LocalService\Dados de aplicativos\AVG7

2008-03-09 12:59 . 2008-03-09 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft

2008-03-09 12:59 . 2008-03-09 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\avg7

2008-03-09 12:30 . 2008-03-09 12:31 <DIR> d-------- C:\LinhaDefensiva

2008-03-09 10:32 . 2008-03-09 11:48 <DIR> d-------- C:\hijackthis

2008-03-08 18:49 . 2008-03-08 18:49 <DIR> d-------- C:\Arquivos de programas\FBrowserAdvisor

2008-03-07 23:23 . 2008-03-08 18:45 <DIR> d-------- C:\Documents and Settings\JOAS\Shared

2008-03-07 23:23 . 2008-03-08 18:56 <DIR> d-------- C:\Documents and Settings\JOAS\Incomplete

2008-03-07 23:23 . 2008-03-08 00:01 <DIR> d-------- C:\Documents and Settings\JOAS\Dados de aplicativos\LimeWire

2008-03-07 23:17 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-03-07 19:33 . 2008-03-07 19:42 <DIR> d-------- C:\Arquivos de programas\LimeWire

2008-03-06 12:49 . 2008-03-06 12:49 1,190 --a------ C:\WINDOWS\mozver.dat

2008-03-06 12:03 . 2008-03-06 12:03 0 --a------ C:\WINDOWS\nsreg.dat

2008-03-02 15:26 . 2001-10-25 03:00 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll

2008-02-28 13:13 . 2008-02-28 13:13 <DIR> d-------- C:\Arquivos de programas\IObit

2008-02-27 15:50 . 2008-02-27 15:50 244 --ah----- C:\sqmnoopt05.sqm

2008-02-27 15:50 . 2008-02-27 15:50 232 --ah----- C:\sqmdata05.sqm

2008-02-27 15:49 . 2008-02-27 15:49 244 --ah----- C:\sqmnoopt04.sqm

2008-02-27 15:49 . 2008-02-27 15:49 232 --ah----- C:\sqmdata04.sqm

2008-02-27 14:42 . 2008-02-27 14:42 <DIR> d-------- C:\IJ

2008-02-24 12:09 . 2005-06-28 09:21 22,752 --a--c--- C:\WINDOWS\system32\spupdsvc.exe

2008-02-23 22:41 . 2008-02-23 22:41 <DIR> d-------- C:\Documents and Settings\JOAS\.netbeans-registration

2008-02-23 21:58 . 2008-02-23 22:41 <DIR> d-------- C:\Arquivos de programas\NetBeans 6.0.1

2008-02-23 21:52 . 2008-02-23 21:52 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Java

2008-02-23 21:40 . 2008-02-23 22:06 <DIR> d-------- C:\Documents and Settings\JOAS\.nbi

2008-02-23 17:32 . 2008-02-27 12:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$

2008-02-21 10:48 . 2008-03-09 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-02-21 01:01 . 2008-02-21 01:01 0 --a------ C:\WINDOWS\system32\SQLDmpr0001.mdmp

2008-02-19 17:43 . 2008-02-19 17:43 <DIR> d-------- C:\Arquivos de programas\Alwil Software

2008-02-19 17:43 . 2003-03-18 17:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll

2008-02-19 16:38 . 2008-02-19 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avira

2008-02-19 16:18 . 2008-02-19 16:18 212,849 --a------ C:\hijackthis.zip

2008-02-19 15:32 . 2001-08-17 20:11 66,591 --a------ C:\WINDOWS\system32\drivers\el90xbc5.sys

2008-02-19 15:32 . 2001-08-17 20:11 66,591 --a--c--- C:\WINDOWS\system32\dllcache\el90xbc5.sys

2008-02-14 00:25 . 2008-02-14 00:25 <DIR> d-------- C:\Arquivos de programas\Xinox Software

2008-02-14 00:16 . 2002-02-18 07:34 313,856 --a------ C:\WINDOWS\system32\dx3j.dll

2008-02-14 00:16 . 2002-02-18 10:22 171,280 --a------ C:\WINDOWS\system32\jit.dll

2008-02-14 00:16 . 2002-02-18 10:22 139,536 --a------ C:\WINDOWS\system32\javaee.dll

2008-02-14 00:16 . 2002-02-18 10:23 46,352 --a------ C:\WINDOWS\setdebug.exe

2008-02-14 00:16 . 2002-02-18 07:55 7,315 --a------ C:\WINDOWS\system32\javasup.vxd

2008-02-14 00:16 . 2002-02-18 07:35 6,550 --a------ C:\WINDOWS\jautoexp.dat

 

.

((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-09 15:09 --------- d-----w C:\Arquivos de programas\Ahead

2008-03-09 15:08 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Ahead

2008-03-09 15:03 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft Help

2008-03-08 02:17 --------- d-----w C:\Arquivos de programas\Java

2008-02-19 20:39 --------- d-----w C:\Arquivos de programas\XML Notepad 2007

2008-02-19 20:35 --------- d-----w C:\Arquivos de programas\Eset

2008-02-14 03:24 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-01-31 19:37 --------- d-----w C:\Arquivos de programas\Softick

2008-01-31 03:14 --------- d-----w C:\Arquivos de programas\Skype

2008-01-31 03:13 --------- d-----w C:\Arquivos de programas\ShopFactory V5 Demo

2008-01-31 03:11 --------- d-----w C:\Arquivos de programas\Arquivos comuns\PremierWebShop

2008-01-31 02:51 --------- d-----w C:\Arquivos de programas\EditPlus 2

2008-01-31 02:50 --------- d-----w C:\Arquivos de programas\DivX

2008-01-31 02:41 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-01-16 14:50 --------- d-----w C:\Documents and Settings\AJManson\Dados de aplicativos\Ahead

2008-01-14 23:34 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink

.

 

(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* empty entries & legit default entries are not shown.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= "C:\WINDOWS\system32\WinNB58.dll" [ ]

 

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]

[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]

 

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]

[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2008-03-09 12:59 579072]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"AVG7_Run"="C:\ARQUIV~1\Grisoft\AVG7\avgw.exe" [2008-03-09 13:00 219136]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Monitor Apache Servers.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Monitor Apache Servers.lnk

backup=C:\WINDOWS\pss\Monitor Apache Servers.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

--a------ 2006-10-26 23:47 31016 C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 11:54 5674352 C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

C:\Arquivos de programas\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virtual PDF Printer]

C:\Arquivos de programas\Virtual PDF Printer\VirtualPDFPrinter.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=

"C:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe"=

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"=

"C:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe"=

 

R2 MsDtsServer;SQL Server Integration Services;"C:\Arquivos de programas\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 02:45]

R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"C:\Arquivos de programas\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2005-10-14 02:44]

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 00:45]

R2 SQLWriter;SQL Server VSS Writer;"C:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]

S3 {BADA9AEF-34DE-4790-83F5-2CFAC8FADB9C};{BADA9AEF-34DE-4790-83F5-2CFAC8FADB9C};C:\WINDOWS\system32\{BADA9AEF-34DE-4790-83F5-2CFAC8FADB9C} []

 

.

Contents of the 'Scheduled Tasks' folder

"2007-12-21 13:43:00 C:\WINDOWS\Tasks\despertador.job"

- C:\ARQUIV~1\WINDOW~2\wmplayer.exe

"2007-12-21 12:53:00 C:\WINDOWS\Tasks\Pinball.job"

- C:\ARQUIV~1\WINDOW~1\Pinball\PINBALL.EXE

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-09 21:19:27

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]

"ImagePath"="\"C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{BADA9AEF-34DE-4790-83F5-2CFAC8FADB9C}]

"ImagePath"="\??\C:\WINDOWS\system32\{BADA9AEF-34DE-4790-83F5-2CFAC8FADB9C}"

.

------------------------ Other Running Processes ------------------------

.

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-03-09 21:22:42 - machine was rebooted

ComboFix-quarantined-files.txt 2008-03-10 00:22:36

.

2008-02-28 13:25:50 --- E O F ---

 

 

 

---------------------------

hijackthis

--------------------------

Logfile of HijackThis v1.99.1

Scan saved at 21:38:10, on 9/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe

C:\Arquivos de programas\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe

C:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\wscntfy.exe

C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~3\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)

O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{1EDCC955-FD4A-48CB-87C9-2C90D21DBE12}: NameServer = 200.165.132.155 200.149.55.140

O17 - HKLM\System\CS1\Services\Tcpip\..\{1EDCC955-FD4A-48CB-87C9-2C90D21DBE12}: NameServer = 200.165.132.155 200.149.55.140

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~3\Office12\GR99D3~1.DLL

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\ARQUIV~1\ARQUIV~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)

O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)

O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Arquivos de programas\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)

O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

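An added triage example for the two HijackThis logs in this thread (the first post and the re-scan above). This is the editor's code, not code from the forum, from HijackThis or from ComboFix: it parses HijackThis entry lines, applies a few review heuristics of the kind a log helper applies by eye (orphaned O2/O3 entries, a toolbar name the thread itself identifies as unwanted, extension DLLs dropped straight into system32, non-Microsoft hosts in the IE Trusted Zone, per-interface O17 DNS servers to confirm with the ISP), and diffs the first log against the re-scan to show what the cleanup removed and what is still listed. The sample lines are a constructed subset copied from the two logs; the Trusted Zone allowlist, the unwanted-name list and the heuristics themselves are assumptions.

```python
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Editor's assumptions, not HijackThis settings: hosts that may legitimately sit
# in the IE Trusted Zone, and names the thread itself identifies as unwanted.
TRUSTED_ZONE_ALLOW = ("microsoft.com", "windowsupdate.com")
KNOWN_UNWANTED = ("mirar",)

# Constructed samples: a subset of lines copied from the two logs in the thread.
BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O2 - BHO: ContextProgram - {E4D1D56C-3EC9-2F5D-FAA3-4112CCDD61DC} - C:\Arquivos de programas\ContextProgram\ContextProgram-2.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EDCC955-FD4A-48CB-87C9-2C90D21DBE12}: NameServer = 200.165.132.155 200.149.55.140
"""
AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EDCC955-FD4A-48CB-87C9-2C90D21DBE12}: NameServer = 200.165.132.155 200.149.55.140
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    reason: str
    line: str


def parse(log_text):
    """Yield (kind, body) for each HijackThis entry line (R1, O2, O23, ...).
    Header lines and the running-process list do not match and are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def entry_key(kind, body):
    """Identity used when diffing two logs: for browser extension entries the
    CLSID, so a DLL that has since gone missing still matches its earlier
    entry; for everything else the full body text."""
    m = CLSID_RE.search(body)
    if m and kind in ("O2", "O3", "O9"):
        return kind, m.group(0).upper()
    return kind, body


def host_allowed(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ZONE_ALLOW)


def triage(log_text):
    """Apply the review heuristics to one log and return the findings in log order."""
    findings = []
    for kind, body in parse(log_text):
        line = f"{kind} - {body}"
        low = body.lower()
        if kind in ("O2", "O3"):
            if "(no file)" in low or "(file missing)" in low:
                findings.append(Finding(kind, "orphaned browser extension entry", line))
            elif any(n in low for n in KNOWN_UNWANTED):
                findings.append(Finding(kind, "name matches a known unwanted toolbar", line))
            elif "\\windows\\system32\\" in low:
                findings.append(Finding(kind, "browser extension DLL placed directly in system32", line))
        elif kind == "O15":
            m = re.search(r"https?://([^\s/]+)", body)
            host = m.group(1).lower() if m else ""
            if not host_allowed(host):
                findings.append(Finding(kind, f"unexpected host in Trusted Zone: {host}", line))
        elif kind == "O17":
            ips = " ".join(IPV4_RE.findall(body))
            findings.append(Finding(kind, f"per-interface DNS servers, confirm with the ISP: {ips}", line))
    return findings


def diff_logs(before, after):
    """Compare two logs: entries removed, entries still present, entries that are new."""
    b = {entry_key(k, v): f"{k} - {v}" for k, v in parse(before)}
    a = {entry_key(k, v): f"{k} - {v}" for k, v in parse(after)}
    removed = [b[k] for k in b if k not in a]
    remaining = [a[k] for k in a if k in b]
    added = [a[k] for k in a if k not in b]
    return removed, remaining, added


if __name__ == "__main__":
    for f in triage(BEFORE):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    removed, remaining, added = diff_logs(BEFORE, AFTER)
    print(f"\nremoved by cleanup: {len(removed)}, still present: {len(remaining)}, new: {len(added)}")
    for f in triage(AFTER):
        print(f"still flagged after cleanup: {f.line}")
```

Run against the samples, the diff shows the Mirar BHO and the O15 Trusted Zone hosts gone after ComboFix, while the O3 toolbar entry survives with its DLL missing, which is exactly the orphan the helper's next reply goes after by hand. The heuristics are deliberately narrow: a BHO living under Program Files with an unfamiliar name (the ContextProgram entry, for instance) is not flagged here and still needs a human look.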

Hey J_Alison,

 

Let's go.

 

1. Click Start > Run.

 

2. Type regedit > click OK.

 

3. Navigate to the following subkey:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

 

4. In the right-hand pane, delete the value:

 

"ToolbarInstall" = "MirarSetup.exe"

 

5. Navigate to the following keys:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

 

6. In the right-hand pane, delete the value:

 

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = ""

 

7. Navigate to the following key:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

 

8. In the right-hand pane, delete the values:

 

"C:\WINDOWS\Downloaded Program Files\MirarSetup.exe" = ""

"C:\WINDOWS\System32\WinDmy.dll" = ""

 

9. Navigate to and delete the following registry keys:

 

HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179E4B4A-76C3-4F65-BCED-C9FA1A28D2EF}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_Bar_Helper

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_Bar_Helper.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_WebBand

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_WebBand.1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4035DE1B-D54A-411E-9EE7-923295D2E86E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{753B9349-7E46-4E5C-A27F-A60A6BF1EAB5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MirarSetup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/WinDmy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}

 

10. Exit the Registry Editor.

 

11. Run Killbox and click Delete on Reboot.

 

12. Copy the list below in bold to the clipboard. Select all of it with the mouse --> go to the Edit menu in the browser bar --> click Copy.

 

C:\WINDOWS\system32\WinNB58.dll

 

13. Go back to Killbox. Click File > Paste from clipboard. Click All Files.

 

14. Press "X". Answer "no" to the question.

 

15. Restart in Normal Mode.

 

16. Delete the contents of the C:\!Killbox folder.

 

17. Come back with a new ComboFix log.

 

Cheers.

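The regedit steps above can be captured in a .reg file, reviewed, and applied in one go instead of navigating key by key. The following is an added example by the editor, not part of the post or of any tool it names. The value and key lists are copied from steps 3 to 9 (the key list is a subset; extend it with the remaining keys from step 9), the `[-key]` and `"name"=-` deletion syntax is standard Regedit 5.00 syntax, and the hive and depth guard is the editor's own safety check against a typo that would delete a whole subtree.

```python
"""Generate a Regedit 5.00 .reg file that performs the registry deletions
from the manual removal steps.  Editor's example; lists copied from the post."""

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS")
MIN_DEPTH = 3  # never emit a deletion of a hive or a top-level subtree such as HKLM\SOFTWARE

# Values to delete, copied from steps 3-8 of the post: key -> value names.
VALUE_DELETIONS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": ["ToolbarInstall"],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar": ["{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"],
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser": ["{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs": [
        r"C:\WINDOWS\Downloaded Program Files\MirarSetup.exe",
        r"C:\WINDOWS\System32\WinDmy.dll",
    ],
}

# Keys to delete: a subset of the step 9 list (extend with the remaining keys from the post).
KEY_DELETIONS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_WebBand",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com",
]


def check_key(key):
    """Refuse key paths that are not rooted in a known hive, contain an empty
    component, or are shallow enough that a typo would wipe a whole subtree."""
    parts = key.split("\\")
    if parts[0] not in HIVES:
        raise ValueError(f"unknown hive in {key!r}")
    if len(parts) < MIN_DEPTH or any(p == "" for p in parts):
        raise ValueError(f"refusing to touch shallow or malformed key {key!r}")
    return key


def reg_quote(name):
    """Value names in .reg syntax are double-quoted, with backslash and quote escaped."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_reg(value_deletions, key_deletions):
    """Return the .reg file text: one [key] block per value deletion, one [-key] per key deletion."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in value_deletions.items():
        lines.append(f"[{check_key(key)}]")
        lines.extend(f"{reg_quote(n)}=-" for n in names)
        lines.append("")
    for key in key_deletions:
        lines.append(f"[-{check_key(key)}]")
        lines.append("")
    return "\r\n".join(lines)  # .reg files use CRLF line endings


def write_reg(path, text):
    # regedit exports v5.00 files as UTF-16LE with a BOM, which Python's "utf-16" produces;
    # newline="" keeps the CRLFs already in the text untouched.
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    print(build_reg(VALUE_DELETIONS, KEY_DELETIONS))
```

Before importing the generated file, export the affected keys for rollback with the stock `reg.exe`, for example `reg export "HKLM\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" mirar-backup.reg`, then apply with `regedit /s cleanup.reg` (or by double-clicking the file). A `"name"=-` line removes the value whatever its data is, so step 4 is covered even if the data is no longer exactly MirarSetup.exe; a `[-key]` line removes the key and everything under it, which is why the depth guard refuses anything shallower than three components.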

Topic Archived

 

Since the author did not reply for more than 20 days, the topic has been archived.

 

If you are the author of the topic and want to reopen it, send a private message to a moderator of this section with the link to this topic and explain why it should be reopened.
