jrgiva (New Member, registered; 10 posts, 0 likes)

Log analysis (HijackThis and ComboFix)

#1 By jrgiva, 22/11/2010 - 14:07
I have a problem that I believe is a virus.
I use a DHCP server, and it has always worked perfectly, but now the users' machines keep having their DNS IP changed. My DHCP and DNS server is IP 10.1.1.7, but when we log on to any XP machine (Windows 7 does not change), the DNS becomes 201.6.0.112 and the secondary DNS 201.6.0.118, as shown in the image: http://twitpic.com/3962ij

On this DNS server, AD, DHCP, WINS and the domain are running.

Here is the HijackThis log

//////////////////////////////////////////////////////////////////////////////////////
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:12:43, on 22/11/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Arquivos de programas\NetSupport Manager\client32.exe
C:\Arquivos de programas\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Arquivos de programas\Forefront TMG Client\FwcMgmt.exe
C:\Arquivos de programas\3M\PSNLite\PsnLite.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aecarros.com.br
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.logosveiculos.com.br/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ferrari:8080/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ferrari:8080
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Forefront TMG Client.lnk = C:\Arquivos de programas\Forefront TMG Client\FwcMgmt.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Arquivos de programas\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: Adicionar ao Anti-Banner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aecarros.com.br
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1290279468044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1290279454887
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = logosmanaus.com.br
O17 - HKLM\Software\..\Telephony: DomainName = logosmanaus.com.br
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = logosmanaus.com.br
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = logosmanaus.com.br
O17 - HKLM\System\CS2\Services\Tcpip\..\{2702C1D3-9118-4BB9-9E35-486B13214CCE}: NameServer = 10.1.1.7
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Client32 - NetSupport Ltd - C:\Arquivos de programas\NetSupport Manager\client32.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\NetworkAgent\klnagent.exe

--
End of file - 4880 bytes

//////////////////////////////////////////////////////////////////////////////////////

Here is the ComboFix log


ComboFix 10-11-20.01 - Administrador 22/11/2010 10:35:51.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.495.223 [GMT -4:00]
Running from: C:\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

(((((((((((((((( Files Created From 2010-10-22 to 2010-11-22 ))))))))))))))))))))))))))))
.

2010-11-21 13:18 . 2010-11-21 18:26 -------- d-----w- C:\sol2006
2010-11-20 20:07 . 2010-11-20 20:45 -------- d-----w- C:\b6d5080ad9662a8c234b0ad440a54b
2010-11-20 20:05 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-20 19:38 . 2010-11-22 14:12 -------- d-----w- C:\HijackThis
2010-11-20 19:38 . 2010-11-20 19:54 -------- d-----w- C:\Atualização
2010-11-20 18:59 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-11-20 18:59 . 2009-08-06 23:24 18144 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-11-20 18:59 . 2009-08-06 23:24 15584 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-11-20 18:59 . 2009-08-06 23:23 23256 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-11-20 18:59 . 2009-08-06 23:24 15584 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-20 18:56 . 2010-11-20 18:56 -------- d-s---w- c:\documents and settings\administrador.LOGOSMANAUS\UserData
2010-11-20 18:33 . 2010-11-20 18:33 -------- d-----w- c:\documents and settings\administrador.LOGOSMANAUS\Configurações locais\Dados de aplicativos\Identities
2010-11-20 17:13 . 2007-06-19 16:57 229888 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HP1006S.DLL
2010-11-20 16:23 . 2010-11-20 16:23 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\3M

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-11-20_18.44.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 16:08 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-20 18:59 . 2009-08-06 23:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 03:45 . 2009-08-06 23:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 03:45 . 2009-08-06 23:24 96480 c:\windows\system32\cdm.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 209624 c:\windows\system32\wuweb.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 327896 c:\windows\system32\wucltui.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-20 18:59 . 2009-08-06 23:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-08-06 23:23 . 2009-08-06 23:23 215904 c:\windows\system32\muweb.dll
+ 2009-06-15 14:44 . 2010-11-22 14:41 317472 c:\windows\system32\drivers\fidbox2.dat
+ 2009-04-18 16:08 . 2009-08-06 23:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 1929952 c:\windows\system32\wuaueng.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-11-20 19:51 . 2010-11-02 20:47 35758536 c:\windows\system32\MRT.exe
+ 2009-06-15 14:44 . 2010-11-22 14:41 14586912 c:\windows\system32\drivers\fidbox.dat
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2005-03-11 147456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Forefront TMG Client.lnk - c:\arquivos de programas\Forefront TMG Client\FwcMgmt.exe [2009-11-9 240944]
Post-it© Software Notes Lite.lnk - c:\arquivos de programas\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1126\Scripts\Logon\0\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1126\Scripts\Logon\1\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1137\Scripts\Logon\0\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1137\Scripts\Logon\1\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-3824\Scripts\Logon\0\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-3824\Scripts\Logon\1\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-500\Scripts\Logon\0\0]
"Script"=f:\atalhos\Atalhos.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-500\Scripts\Logon\0\1]
"Script"=sol2006.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 04:56 1667584 ------w- c:\arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP2014MC.EXE"=
"c:\\Arquivos de programas\\NetSupport Manager\\client32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit
"1745:UDP"= 1745:UDP:Client Notification Channel
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 FwcAgent;Forefront TMG Client Agent;c:\arquivos de programas\Forefront TMG Client\FwcAgent.exe [09/11/2009 10:53 275440]
R2 klnagent;Kaspersky Network Agent;c:\arquivos de programas\Kaspersky Lab\NetworkAgent\klnagent.exe [22/09/2008 19:12 94544]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/05/2007 18:49 24344]
S2 lrtswdg;Boot System;c:\windows\system32\svchost.exe -k netsvcs [03/08/2004 23:45 14336]
S2 milja;Network Task;c:\windows\system32\svchost.exe -k netsvcs [03/08/2004 23:45 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
milja
lrtswdg
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aecarros.com.br
uInternet Connection Wizard,ShellNext = hxxp://www.logosveiculos.com.br/
uInternet Settings,ProxyServer = ferrari:8080
uInternet Settings,ProxyOverride =
IE: Adicionar ao Anti-Banner - c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
LSP: c:\arquivos de programas\Forefront TMG Client\FwcWsp.dll
FF - ProfilePath - c:\documents and settings\administrador.LOGOSMANAUS\Dados de aplicativos\Mozilla\Firefox\Profiles\vx3ahrz7.default\

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 10:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lrtswdg]
"ServiceDll"="c:\windows\system32\tthztwdk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\milja]
"ServiceDll"="c:\windows\system32\tthztwdk.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\klogon.dll
c:\windows\system32\ac3acm.acm
c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\adialhk.dll

- - - - - - - > 'csrss.exe'(988)
c:\arquivos de programas\NetSupport Manager\pcihooks.dll
.
Completion time: 2010-11-22 10:44:22
ComboFix-quarantined-files.txt 2010-11-22 14:44
ComboFix2.txt 2010-11-20 19:48
ComboFix3.txt 2010-11-20 18:46

Pre-Run: 12 folder(s) 35.253.784.576 bytes free
Post-Run: 13 folder(s) 35.252.125.696 bytes free

- - End Of File - - 2593F4F227DEE9AAAFB8AF6F7F2A2955
Wings (Cyber Highlander, registered; 20.3K posts, 1.2K likes)
#2 By Wings, 22/11/2010 - 14:22
*Open Notepad and paste the code below into it:

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lrtswdg]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\milja]
Driver::
milja
lrtswdg
NetSvc::
milja
lrtswdg

*Save the file to the desktop as CFScript.txt
*Drag the file onto ComboFix as in the illustration below:

(illustration)

*Important: while ComboFix is running, do not use the mouse or the keyboard! To interrupt the process, press N or 2.

*Paste the report C:\combofix.txt
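Added example, not code from the thread or from ComboFix: the script below does mechanically what the ComboFix log in #1 and Wings's CFScript in #2 do by hand. It reads the service list, the `Svchost - NetSvcs` group and the per-service `ServiceDll` dump, flags NetSvcs members that svchost.exe loads from a DLL not on an operator allowlist (here an assumed short list of Microsoft service DLLs), records when several service names point at one DLL (the `lrtswdg`/`milja` -> `tthztwdk.dll` pattern in the log above), and renders the matching CFScript. The sample log is constructed from the lines of the first ComboFix log; the allowlist and the `ControlSet001` default are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the lines from the first ComboFix log in this thread
# that the check needs (service entries, the NetSvcs group, ServiceDll dump).
SAMPLE_LOG = r"""
R2 FwcAgent;Forefront TMG Client Agent;c:\arquivos de programas\Forefront TMG Client\FwcAgent.exe [09/11/2009 10:53 275440]
R2 klnagent;Kaspersky Network Agent;c:\arquivos de programas\Kaspersky Lab\NetworkAgent\klnagent.exe [22/09/2008 19:12 94544]
S2 lrtswdg;Boot System;c:\windows\system32\svchost.exe -k netsvcs [03/08/2004 23:45 14336]
S2 milja;Network Task;c:\windows\system32\svchost.exe -k netsvcs [03/08/2004 23:45 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
milja
lrtswdg
.
.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lrtswdg]
"ServiceDll"="c:\windows\system32\tthztwdk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\milja]
"ServiceDll"="c:\windows\system32\tthztwdk.dll"
"""

# Assumed allowlist (not from the thread): service DLLs the operator has already
# verified on this build. Anything else hosted by svchost.exe is reported.
KNOWN_SERVICE_DLLS = {"wuaueng.dll", "qmgr.dll", "browser.dll", "seclogon.dll"}

SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[", re.M)
KEY_LINE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\(?P<cs>ControlSet\d+)\\Services\\(?P<name>[^\]]+)\]$", re.I)
DLL_LINE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"')


def svchost_services(log: str) -> Dict[str, str]:
    """Service name -> image line, for services ComboFix lists as run inside svchost.exe."""
    return {m["name"]: m["image"] for m in SERVICE_LINE.finditer(log)
            if "svchost.exe" in m["image"].lower()}


def netsvcs_group(log: str) -> List[str]:
    """Members ComboFix prints under 'Svchost - NetSvcs', in log order (the order the
    Driver:: and NetSvc:: sections of the CFScript above follow)."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.strip().endswith("Svchost - NetSvcs"):
            members = []
            for member in lines[i + 1:]:
                member = member.strip()
                if not member or member == ".":
                    break
                members.append(member)
            return members
    return []


def service_dlls(log: str) -> Dict[str, Tuple[str, str]]:
    """Service name -> (control set, ServiceDll) from ComboFix's per-service dump."""
    out, current = {}, None
    for line in log.splitlines():
        key = KEY_LINE.match(line)
        if key:
            current = (key["name"], key["cs"])
            continue
        dll = DLL_LINE.match(line)
        if dll and current:
            out[current[0]] = (current[1], dll["dll"].strip())
            current = None
    return out


def triage(log: str, known=KNOWN_SERVICE_DLLS) -> Dict[str, dict]:
    """Flag NetSvcs members that svchost.exe loads from a DLL not on the allowlist,
    and record which other services point at the same DLL."""
    hosted, dlls = svchost_services(log), service_dlls(log)
    findings = {}
    for name in netsvcs_group(log):
        if name not in hosted:
            continue  # in the group but no service entry: never loaded
        cs, dll = dlls.get(name, (None, None))
        if dll is None:  # svchost service with no ServiceDll: odd enough to report
            findings[name] = {"dll": None, "control_set": cs, "shares_dll_with": []}
            continue
        if dll.rsplit("\\", 1)[-1].lower() in known:
            continue
        twins = sorted(n for n, (_, d) in dlls.items() if n != name and d.lower() == dll.lower())
        findings[name] = {"dll": dll, "control_set": cs, "shares_dll_with": twins}
    return findings


def build_cfscript(findings: Dict[str, dict], group_order: List[str],
                   control_set: str = "ControlSet001") -> str:
    """Render the CFScript.txt layout used in #2: delete each service key, remove the
    service, and drop the name from the NetSvcs group."""
    names = [n for n in group_order if n in findings]
    lines = ["Registry::"]
    lines += [f"[-HKEY_LOCAL_MACHINE\\System\\{control_set}\\Services\\{n}]" for n in sorted(names)]
    lines += ["Driver::", *names, "NetSvc::", *names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, info in found.items():
        print(f"{name}: {info['dll']} (also used by {', '.join(info['shares_dll_with']) or 'nothing'})")
    print(build_cfscript(found, netsvcs_group(SAMPLE_LOG)))
```

Run stand-alone it prints the same nine-line CFScript Wings posted. The allowlist is the weak point: a hit means "look this DLL up" (file hash, signer, creation time, whether any other service names share it), not "delete it"; only once that is done does it belong in a CFScript.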
jrgiva (New Member, registered; 10 posts, 0 likes)
#3 By jrgiva, 22/11/2010 - 16:38
ComboFix 10-11-20.01 - Administrador 22/11/2010 13:19:36.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.495.260 [GMT -4:00]
Running from: c:\documents and settings\administrador.LOGOSMANAUS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\administrador.LOGOSMANAUS\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LRTSWDG
-------\Legacy_MILJA
-------\Service_lrtswdg
-------\Service_milja


(((((((((((((((( Files Created From 2010-10-22 to 2010-11-22 ))))))))))))))))))))))))))))
.

2010-11-22 17:30 . 2010-11-22 17:30 -------- d-----w- c:\windows\LastGood
2010-11-22 17:09 . 2005-02-25 03:34 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2010-11-22 17:09 . 2010-11-22 17:34 -------- d--h--w- c:\windows\$hf_mig$
2010-11-21 13:18 . 2010-11-22 15:57 -------- d-----w- C:\sol2006
2010-11-20 20:07 . 2010-11-20 20:45 -------- d-----w- C:\b6d5080ad9662a8c234b0ad440a54b
2010-11-20 20:05 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-20 19:38 . 2010-11-22 14:12 -------- d-----w- C:\HijackThis
2010-11-20 19:38 . 2010-11-20 19:54 -------- d-----w- C:\Atualização
2010-11-20 18:59 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-11-20 18:59 . 2009-08-06 23:24 18144 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-11-20 18:59 . 2009-08-06 23:24 15584 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-11-20 18:59 . 2009-08-06 23:23 23256 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-11-20 18:59 . 2009-08-06 23:24 15584 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-20 18:56 . 2010-11-20 18:56 -------- d-s---w- c:\documents and settings\administrador.LOGOSMANAUS\UserData
2010-11-20 18:33 . 2010-11-20 18:33 -------- d-----w- c:\documents and settings\administrador.LOGOSMANAUS\Configurações locais\Dados de aplicativos\Identities
2010-11-20 17:13 . 2007-06-19 16:57 229888 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HP1006S.DLL
2010-11-20 16:23 . 2010-11-20 16:23 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\3M

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-11-20_18.44.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 16:08 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 53472 c:\windows\system32\wuauclt.exe
+ 2009-04-22 15:26 . 2005-02-25 03:34 15072 c:\windows\system32\spmsg.dll
+ 2010-11-20 18:59 . 2009-08-06 23:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 03:45 . 2009-08-06 23:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 03:45 . 2009-08-06 23:24 96480 c:\windows\system32\cdm.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 209624 c:\windows\system32\wuweb.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 327896 c:\windows\system32\wucltui.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-20 18:59 . 2009-08-06 23:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-08-06 23:23 . 2009-08-06 23:23 215904 c:\windows\system32\muweb.dll
+ 2009-06-15 14:44 . 2010-11-22 17:33 326176 c:\windows\system32\drivers\fidbox2.dat
+ 2009-04-18 16:08 . 2009-08-06 23:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 1929952 c:\windows\system32\wuaueng.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-11-20 19:51 . 2010-11-02 20:47 35758536 c:\windows\system32\MRT.exe
+ 2009-06-15 14:44 . 2010-11-22 17:35 14685472 c:\windows\system32\drivers\fidbox.dat
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2005-03-11 147456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Forefront TMG Client.lnk - c:\arquivos de programas\Forefront TMG Client\FwcMgmt.exe [2009-11-9 240944]
Post-it© Software Notes Lite.lnk - c:\arquivos de programas\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1126\Scripts\Logon\0\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1126\Scripts\Logon\1\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1137\Scripts\Logon\0\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1137\Scripts\Logon\1\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-3824\Scripts\Logon\0\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-3824\Scripts\Logon\1\0]
"Script"=data.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-500\Scripts\Logon\0\0]
"Script"=f:\atalhos\Atalhos.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-500\Scripts\Logon\0\1]
"Script"=sol2006.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 04:56 1667584 ------w- c:\arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP2014MC.EXE"=
"c:\\Arquivos de programas\\NetSupport Manager\\client32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit
"1745:UDP"= 1745:UDP:Client Notification Channel
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 FwcAgent;Forefront TMG Client Agent;c:\arquivos de programas\Forefront TMG Client\FwcAgent.exe [09/11/2009 10:53 275440]
R2 klnagent;Kaspersky Network Agent;c:\arquivos de programas\Kaspersky Lab\NetworkAgent\klnagent.exe [22/09/2008 19:12 94544]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/05/2007 18:49 24344]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aecarros.com.br
uInternet Connection Wizard,ShellNext = hxxp://www.logosveiculos.com.br/
uInternet Settings,ProxyServer = ferrari:8080
uInternet Settings,ProxyOverride =
LSP: c:\arquivos de programas\Forefront TMG Client\FwcWsp.dll
FF - ProfilePath - c:\documents and settings\administrador.LOGOSMANAUS\Dados de aplicativos\Mozilla\Firefox\Profiles\vx3ahrz7.default\

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 13:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\klogon.dll
c:\windows\system32\ac3acm.acm

- - - - - - - > 'winlogon.exe'(1416)
c:\windows\system32\klogon.dll

- - - - - - - > 'csrss.exe'(948)
c:\arquivos de programas\NetSupport Manager\pcihooks.dll
.
------------------------ Other Running Processes ------------------------
.
c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\arquivos de programas\NetSupport Manager\client32.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\VTTimer.exe
c:\arquiv~1\3M\PSNLite\PSNGive.exe
.
**************************************************************************
.
Completion time: 2010-11-22 13:38:30 - Machine was rebooted
ComboFix-quarantined-files.txt 2010-11-22 17:38
ComboFix2.txt 2010-11-22 14:45
ComboFix3.txt 2010-11-20 19:48
ComboFix4.txt 2010-11-20 18:46

Pre-Run: 12 folder(s) 35.254.071.296 bytes free
Post-Run: 13 folder(s) 35.222.790.144 bytes free

- - End Of File - - F27A4B85D63826330CB9FF21B6AD9050
Wings (Cyber Highlander, registered; 20.3K posts, 1.2K likes)
#7 By Wings, 23/11/2010 - 19:49
*Download Malwarebytes Anti-Malware and save it to the desktop

*Install the program and wait for the update
*The program will open automatically
*On the [Scan] tab, select [Full scan]
*Click [Scan] and select the partition where Windows is installed
*When the scan finishes, click [Yes] > [OK] > [Show Results]
*Click [Remove Selected]
*Paste the report that is shown
jrgiva (New Member, registered; 10 posts, 0 likes)
#8 By jrgiva, 24/11/2010 - 10:53
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5181

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

24/11/2010 08:48:29
mbam-log-2010-11-24 (08-48-29).txt

Scan type: Full scan (C:\|)
Objects scanned: 182585
Time elapsed: 20 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
jrgiva (New Member, registered; 10 posts, 0 likes)
#10 By jrgiva, 24/11/2010 - 12:11
I have a firewall server that uses Microsoft Forefront, and yes, it has a proxy. However, only the XP machines end up like this; the ones with Windows 7 don't have this problem. It started after I installed WSUS here on my domain server, which also hosts the DNS and DHCP, but I uninstalled it; I don't know whether that changed something. I was wondering whether it was some DHCP or DNS configuration, but I checked them and they were normal, which is why I thought some virus had changed the Windows registry so that it changes the DNS. What would you recommend?
Thanks
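Added example, not from the thread: one way to settle the question raised in #10 (a DHCP/DNS configuration problem versus something on the XP hosts). On Windows the per-interface `NameServer` value, when non-empty, takes precedence over the DHCP-supplied `DhcpNameServer`, so a static entry written on the host survives every lease renewal even while the DHCP server keeps handing out 10.1.1.7. The script parses the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s` taken on an XP client and reports, per interface, which servers the resolver will actually use and whether a mismatch comes from a host-local override or from the lease itself (a rogue or misconfigured DHCP server, which would be expected to hit the Windows 7 clients too). The registry text is constructed; the first interface GUID is the one in the HijackThis O17 line above, the other two GUIDs and the expected server set are assumptions.

```python
import re
from typing import Dict, List

# Assumption: the only resolver the clients should use is the AD/DNS/DHCP
# server named in the thread.
EXPECTED_DNS = {"10.1.1.7"}

# Constructed sample of what
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s
# prints on an XP client. The first GUID is the interface from the HijackThis O17
# line above; the other two are made up to show the remaining two outcomes.
SAMPLE_REG = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2702C1D3-9118-4BB9-9E35-486B13214CCE}
    EnableDHCP    REG_DWORD    0x1
    DhcpIPAddress    REG_SZ    10.1.1.50
    NameServer    REG_SZ    201.6.0.112,201.6.0.118
    DhcpNameServer    REG_SZ    10.1.1.7

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAAAAAA-0000-0000-0000-000000000001}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    10.1.1.7

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAAAAAA-0000-0000-0000-000000000002}
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    201.6.0.112 201.6.0.118
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Interfaces\\(\{[0-9A-Fa-f-]+\})\s*$")
VAL_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*?)\s*$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Interface GUID -> {value name: data} from `reg query ... /s` output.
    Works for both the tab-separated (XP) and space-padded (later) layouts."""
    out, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = out.setdefault(key.group(1), {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            current[val.group(1)] = val.group(3)
    return out


def split_servers(value: str) -> List[str]:
    """NameServer data may be comma- or space-separated; normalise to a list."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def check_dns(reg: Dict[str, Dict[str, str]], expected=EXPECTED_DNS) -> Dict[str, dict]:
    """Per interface: the servers the resolver will really use, where they came from,
    and a verdict. A non-empty static NameServer wins over DhcpNameServer."""
    report = {}
    for guid, values in reg.items():
        static = split_servers(values.get("NameServer", ""))
        dhcp = split_servers(values.get("DhcpNameServer", ""))
        effective, source = (static, "NameServer") if static else (dhcp, "DhcpNameServer")
        rogue = [s for s in effective if s not in expected]
        if not rogue:
            verdict = "ok"
        elif static:
            verdict = "host-local override"  # clean the host; DHCP still hands out the right server
        else:
            verdict = "rogue DHCP lease"     # the lease itself is wrong: look at the DHCP server(s)
        report[guid] = {"effective": effective, "source": source, "rogue": rogue, "verdict": verdict}
    return report


if __name__ == "__main__":
    # On a real client, feed it the saved output of:
    #   reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s
    for guid, r in check_dns(parse_reg_query(SAMPLE_REG)).items():
        print(f"{guid}: {r['verdict']} via {r['source']} -> {', '.join(r['effective']) or '(none)'}")
```

A "host-local override" on several XP clients with a clean `DhcpNameServer` points at whatever is running on those hosts (HijackThis reports the same values as O17 lines); a "rogue DHCP lease" means the clients are doing exactly what a DHCP server told them, and the server, or a second one on the segment, is where to look.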
Wings (Cyber Highlander, registered; 20.3K posts, 1.2K likes)
#13 By Wings, 24/11/2010 - 12:41
1.
*In Internet Explorer, click [Tools] > [Internet Options] > [Security] > [Trusted Sites] > [Sites]; in the "Add this website to the zone" field select: http://lop.com and click [Remove]
*Check the option "Require server verification (https:)" and click [OK] in all windows.

2.
*Click [Start] > [Run] > copy and paste: Combofix /uninstall

(illustration)

*Click [OK] > [Run]
*Wait for the message "ComboFix has been uninstalled" to appear
*Click [OK]


Regards.
© 1999-2025 Hardware.com.br. All rights reserved.