[Resolvido!] [Resolvido!] Análise de Log

Fábio Mesquita · Março 12, 2010

Bom dia pessoal,

Segue um log para análise. Trata-se do servidor aqui da empresa e gostaria de verificar se temos algum problema.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:11:12, on 12/03/2010

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\ARQUIV~1\EASYPH~1\Apache\apache.exe

D:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

D:\WINDOWS\system32\Dfssvc.exe

D:\WINDOWS\System32\dns.exe

D:\WINDOWS\System32\svchost.exe

D:\ARQUIV~1\EASYPH~1\Apache\apache.exe

D:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe

D:\WINDOWS\system32\inetsrv\inetinfo.exe

D:\WINDOWS\System32\ismserv.exe

D:\Arquivos de programas\Java\jre6\bin\jqs.exe

D:\ARQUIV~1\EASYPH~1\MySql\bin\mysqld.exe

D:\Arquivos de programas\No-IP\DUC20.exe

D:\WINDOWS\system32\ntfrs.exe

D:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

C:\Proxyplus\ProxyPlus.exe

d:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe

D:\WINDOWS\system32\tcpsvcs.exe

D:\WINDOWS\System32\svchost.exe

D:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe

D:\WINDOWS\System32\svchost.exe

d:\windows\system32\inetsrv\w3wp.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\AhnRpta.exe

D:\Arquivos de programas\Ibersoft\IBBackup\ibbackup.exe

D:\Arquivos de programas\EasyPHP1-7\easyphp.exe

D:\Arquivos de programas\Java\jre6\bin\jusched.exe

D:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

D:\WINDOWS\system32\ctfmon.exe

C:\Digistar\MesaPC\MesaPC.exe

D:\WINDOWS\system32\wuauclt.exe

D:\Documents and Settings\Administrador\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.1.1:4480;https=192.168.1.1:4480;ftp=192.168.1.1:4480;gopher=192.168.1.1:4480;socks=192.168.1.1:1080

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [ibersoft IB Backup] D:\Arquivos de programas\Ibersoft\IBBackup\ibbackup.exe

O4 - HKLM\..\Run: [EasyPHP] "D:\Arquivos de programas\EasyPHP1-7\easyphp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVP] "D:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe"

O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] D:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdoosoft] D:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\5\herss.exe

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] D:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVIÇO DE REDE')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O14 - IERESET.INF: START_PAGE_URL=http:\\athaserver\workforce

O15 - ESC Trusted Zone: http://digistar2.locaweb.com.br

O15 - ESC Trusted Zone: http://ufpr.dl.sourceforge.net

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266575582546

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intranet.athalaia.com.br

O17 - HKLM\Software\..\Telephony: DomainName = intranet.athalaia.com.br

O17 - HKLM\System\CCS\Services\Tcpip\..\{2788FC13-9A42-49E1-889F-1DECAD2E2EA7}: NameServer = 192.168.1.1,10.1.1.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{50AB2C0F-106A-4A56-B1D0-567CC8F5E821}: NameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{F73743B8-D6D2-4182-A56F-80FFAD52100D}: NameServer = 201.10.120.2,201.10.128.2

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intranet.athalaia.com.br

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intranet.athalaia.com.br

O23 - Service: Apache - Unknown owner - D:\ARQUIV~1\EASYPH~1\Apache\apache.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - D:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - D:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - D:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: MySQL - Unknown owner - D:\ARQUIV~1\EASYPH~1\MySql\bin\mysqld.exe

O23 - Service: NoIPDUCService - Vitalwerks LLC - D:\Arquivos de programas\No-IP\DUC20.exe

O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - C:\Proxyplus\ProxyPlus.exe

--

End of file - 7164 bytes

Grato pela ajuda!

wings · Março 13, 2010

Boa tarde....

*Baixe o MalwareBytes Anti-malware e salve-o no desktop:

*Instale o programa

*Se alguma atualização existir,o download será automático. Aguarde...

*O programa será aberto automaticamente.

*Na aba [Verificação], selecione a opção [Verificação completa]

*Clique em [Verificar] e selecione as unidades (C:\ e D:\) a serem examinadas

*Ao término do scan, poderá ser interrogado se deseja remover objetos da memória. Clique [sIM] > [OK] > [Mostrar Resultados]

*Selecione todos os resultados e clique em [Remover Selecionados]

*Um relatório (mbam-log-ano-mês-data.txt) será apresentado.

*Cole-o na sua próxima resposta

Fábio Mesquita · Março 15, 2010

Wings, segue o log:

Malwarebytes' Anti-Malware 1.44

Versão do banco de dados: 3869

Windows 5.2.3790 Service Pack 2

Internet Explorer 8.0.6001.18702

15/03/2010 10:56:21

mbam-log-2010-03-15 (10-56-21).txt

Tipo de Verificação: Completa (C:\|D:\|F:\|)

Objetos verificados: 574655

Tempo decorrido: 1 hour(s), 29 minute(s), 0 second(s)

Processos da Memória infectados: 1

Módulos de Memória Infectados: 1

Chaves do Registro infectadas: 3

Valores do Registro infectados: 2

Ítens do Registro infectados: 5

Pastas infectadas: 0

Arquivos infectados: 53

Processos da Memória infectados:

D:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> Unloaded process successfully.

Módulos de Memória Infectados:

D:\WINDOWS\system32\ahndoor0.dll (Spyware.OnlineGames) -> Delete on reboot.

Chaves do Registro infectadas:

HKEY_CLASSES_ROOT\CLSID\{bd344af4-67ab-4e19-a630-7435587d320b} (Spyware.OnlineGames) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Valores do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bd344af4-67ab-4e19-a630-7435587d320b} (Spyware.OnlineGames) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Ítens do Registro infectados:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\ConnectionsTab (Hijack.ConnectionControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

Arquivos infectados:

D:\WINDOWS\system32\ahndoor0.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\1di1w.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\2sm66r.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\62.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\6ruaqx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\9d6tpg.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\9g86.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\a2g21.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\anoataly.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\l61yyp.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\mbdm.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\mbvd.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\pcxis.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\s1.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\vb0hsoay.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\vlvtdflx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\wu1n.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\cs6phv6d.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\1di1w.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\2sm66r.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\62.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\6ruaqx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\9d6tpg.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\9g86.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\a2g21.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\anoataly.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\cs6phv6d.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\l61yyp.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\mbdm.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\mbvd.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\pcxis.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\q3kku.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\s1.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\vb0hsoay.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\vlvtdflx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\wu1n.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\Documents and Settings\Administrador\Configurações locais\Temp\cvasds2.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\Documents and Settings\Administrador\Configurações locais\Temp\cvasds3.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

F:\cs6phv6d.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

F:\62.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

F:\s1.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

F:\pcxis.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

F:\bkpathafiles\programas\Adobe Acrobat 8 Professional with keygen\Crack\keygen.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

F:\bkpathafiles\programas\ADOBE CS3 PC\Crack\XF-AdobeMasterCS3-KG.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

F:\bkpathafiles\programas\ADOBE CS4 PC\Crack\adobe-master-cs4-keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

F:\BACK_UP_DELL_RAID\raid\PROGRAMAS\Adobe CS3_PC\Adobe CS3\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.

F:\BACK_UP_DELL_RAID\raid\PROGRAMAS\Adobe CS3_PC\adobe cs3 novo\Crack\XF-AdobeMasterCS3-KG.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

D:\0qw6vege.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\nds0q.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\mje12tni.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\Documents and Settings\Administrador\Configurações locais\Temp\cvasds1.dll (Spyware.OnlineGames) -> Delete on reboot.

D:\Documents and Settings\Administrador\Configurações locais\Temp\herss.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

D:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

uma dúvida, estes procedimentos podem ser realizados remotamente?

Obrigado!

Fábio Mesquita

wings · Março 15, 2010

1.

*Reinicie o PC

2.

*Novo log do hijack

Fábio Mesquita · Março 15, 2010

Segue o log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:11:49, on 15/03/2010

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\ARQUIV~1\EASYPH~1\Apache\apache.exe

D:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

D:\ARQUIV~1\EASYPH~1\Apache\apache.exe

D:\WINDOWS\system32\Dfssvc.exe

D:\WINDOWS\System32\dns.exe

D:\WINDOWS\System32\svchost.exe

D:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe

D:\WINDOWS\system32\inetsrv\inetinfo.exe

D:\WINDOWS\System32\ismserv.exe

D:\Arquivos de programas\Java\jre6\bin\jqs.exe

D:\ARQUIV~1\EASYPH~1\MySql\bin\mysqld.exe

D:\Arquivos de programas\No-IP\DUC20.exe

D:\WINDOWS\system32\ntfrs.exe

C:\Proxyplus\ProxyPlus.exe

d:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe

D:\WINDOWS\system32\tcpsvcs.exe

D:\WINDOWS\System32\svchost.exe

D:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe

D:\WINDOWS\System32\svchost.exe

d:\windows\system32\inetsrv\w3wp.exe

D:\WINDOWS\system32\userinit.exe

D:\WINDOWS\Explorer.EXE

D:\Arquivos de programas\Ibersoft\IBBackup\ibbackup.exe

D:\Arquivos de programas\EasyPHP1-7\easyphp.exe

D:\Arquivos de programas\Java\jre6\bin\jusched.exe

D:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe