[Resolvido!] Algumas infecções!

Edvan · Julho 29, 2008

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:39:03, on 28/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: hamachi.lnk = C:\Arquivos de programas\Hamachi\hamachi.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Arquivos de programas\LingoCom\Translator.lnk

O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Arquivos de programas\LingoCom\Translator.lnk

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: snss - Unknown owner - C:\WINDOWS\system32\snss.exe (file missing)

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

--

End of file - 4267 bytes

ComboFix 08-07-28.4 - Edvan 2008-07-28 23:25:28.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.175 [GMT -3:00]Executando de: C:\Documents and Settings\Edvan\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\d3doutf.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_NPF

((((((((((((((((((((((( Ficheiros criados de 2008-06-28 to 2008-07-29 ))))))))))))))))))))))))))))))))

.

2008-07-27 23:09 . 2008-07-27 23:09 <DIR> d-------- C:\Arquivos de programas\RealVNC

2008-07-27 23:08 . 2008-07-27 23:09 <DIR> d-------- C:\Arquivos de programas\Hamachi

2008-07-27 22:38 . 2008-07-27 22:38 <DIR> d-------- C:\Documents and Settings\Edvan\Dados de aplicativos\Symantec

2008-07-27 22:38 . 1999-06-10 14:50 437,528 --a------ C:\WINDOWS\system32\401COMUPD.EXE

2008-07-27 22:37 . 2008-07-28 01:08 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Symantec

2008-07-27 22:37 . 2008-07-28 01:08 <DIR> d-------- C:\Arquivos de programas\Symantec

2008-07-27 22:37 . 2008-07-28 01:08 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Symantec Shared

2008-06-30 22:21 . 2008-06-30 22:21 <DIR> d-------- C:\Documents and Settings\Edvan\Dados de aplicativos\InstallShield

2008-06-30 10:01 . 2008-06-30 10:01 21,419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys

2008-06-30 02:56 . 2008-07-26 18:56 <DIR> d-------- C:\Arquivos de programas\RALINK

.

((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-29 02:31 --------- d-----w C:\Documents and Settings\Edvan\Dados de aplicativos\Hamachi

2008-07-28 02:08 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys

2008-07-11 00:33 --------- d-----w C:\Arquivos de programas\Arquivos comuns\InstallShield

2008-06-29 15:19 --------- d-----w C:\Documents and Settings\Edvan\Dados de aplicativos\Orbit

2008-06-20 17:41 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-19 02:43 --------- d-----w C:\Documents and Settings\Edvan\Dados de aplicativos\Watchtower

2008-06-19 00:36 --------- d-----w C:\Arquivos de programas\Watchtower

2008-06-14 17:59 272,384 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-14 01:56 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-06-07 16:11 --------- d-----w C:\Arquivos de programas\MSN Messenger

2008-06-07 16:06 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller

2008-06-06 03:23 --------- d-----w C:\Arquivos de programas\Trend Micro

2008-06-06 03:22 812,344 ----a-w C:\HJTInstall.exe

2008-06-04 12:09 --------- d-----w C:\Arquivos de programas\Messenger Plus! Live

2008-06-02 15:14 --------- d-----w C:\Arquivos de programas\LingoCom

2008-05-07 05:15 1,292,288 -c--a-w C:\WINDOWS\system32\quartz.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

C:\Documents and Settings\Edvan\Menu Iniciar\Programas\Inicializar\

hamachi.lnk - C:\Arquivos de programas\Hamachi\hamachi.exe [2008-07-27 23:08:22 624416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Hamachi\\hamachi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 11:35]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 11:37]

R3 TNET1130;IEEE 802.11g Wireless Cardbus/PCI Adapter;C:\WINDOWS\system32\DRIVERS\tnet1130.sys [2004-06-17 23:41]

S2 snss;snss;C:\WINDOWS\system32\snss.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20b55103-2b7d-11dd-9ddb-000ee8eb8ec4}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f51ba30-196d-11dd-b047-806d6172696f}]

\Shell\AutoRun\command - D:\CDSAMPLE\AUTORUN\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a520388a-61ae-11d6-a4e4-000795308f87}]

\Shell\AutoRun\command - E:\ino6.com

\Shell\explore\Command - E:\ino6.com

\Shell\open\Command - E:\ino6.com

.

------- Ccan Suplementar -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.google.com.br/

R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore

O8 -: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-28 23:31:13

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializ veis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

.

------------------------ Outros Processos em Execu‡Æo ------------------------

.

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\RealVNC\VNC4\winvnc4.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

.

**************************************************************************

.

Tempo para conclusÆo: 2008-07-28 23:38:01 - Maquina reiniciou

ComboFix-quarantined-files.txt 2008-07-29 02:37:36

Pre-Run: 8 pasta(s) 14,206,410,752 bytes disponíveis

Post-Run: 12 pasta(s) 14,211,608,576 bytes dispon¡veis

114 --- E O F --- 2008-07-27 14:11:22

Espero ajuda... :thumbsup: :thumbsup:

PedroN · Julho 29, 2008

Opa Edvan,

<!> Antes de qualquer medida, faça a instalação do RC!

---------------------------------------

• Vá ao site da Microsoft: < Link >

• Selecione o download, que seja adequado, ao seu Sistema Operacional!

• Faça o download, do arquivo, e salve-o no seu desktop.

• Feche todos os programas, que estejam abertos!

• Feche, também, seus programas de proteção! ( Antivírus,Antispywares e Firewall )

• Arraste o setup, baixado do site da Microsoft, para o interior do ComboFix.exe

• Veja, abaixo, a demonstração!

• Siga as mensagens que aparecem na tela,para iniciar o ComboFix.

• Aceite o contrato da Microsoft, para instalar o "Console de Recuperação da Microsoft".

• Na próxima mensagem, clique em "Yes", para realizar um scan com o ComboFix.

• Terminando, poste os relatórios:

• C:\ComboFix.txt mais o log do HijackThis, atualizado.

Abraços

Edvan · Julho 29, 2008

Baixei o arquivo vou fazer os procedimentos volto em 5 minutos..

Edvan · Julho 29, 2008

Olha eu aqui novamente!!

Log atualizado do HijackThis..

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:25:48, on 29/7/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe