I use a DHCP server, and it has always worked perfectly, but now the users' machines are having their DNS IP changed. My DHCP and DNS server is IP 10.1.1.7, but when we log on to any XP machine (Windows 7 does not change), the DNS becomes 201.6.0.112 and the secondary DNS 201.6.0.118, as shown in the image.
On this DNS server run AD, DHCP, WINS and the domain.
I am posting the HijackThis log
//////////////////////////////////////////////////////////////////////////////////////
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:12:43, on 22/11/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Arquivos de programas\NetSupport Manager\client32.exe
C:\Arquivos de programas\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Arquivos de programas\Forefront TMG Client\FwcMgmt.exe
C:\Arquivos de programas\3M\PSNLite\PsnLite.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aecarros.com.br
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.logosveiculos.com.br/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ferrari:8080/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ferrari:8080
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Forefront TMG Client.lnk = C:\Arquivos de programas\Forefront TMG Client\FwcMgmt.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Arquivos de programas\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: Adicionar ao Anti-Banner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aecarros.com.br
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1290279468044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1290279454887
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = logosmanaus.com.br
O17 - HKLM\Software\..\Telephony: DomainName = logosmanaus.com.br
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = logosmanaus.com.br
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = logosmanaus.com.br
O17 - HKLM\System\CS2\Services\Tcpip\..\{2702C1D3-9118-4BB9-9E35-486B13214CCE}: NameServer = 10.1.1.7
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Client32 - NetSupport Ltd - C:\Arquivos de programas\NetSupport Manager\client32.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\NetworkAgent\klnagent.exe
--
End of file - 4880 bytes
//////////////////////////////////////////////////////////////////////////////////////
Here is the ComboFix log
ComboFix 10-11-20.01 - Administrador 22/11/2010 10:35:51.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.495.223 [GMT -4:00]
Executando de: C:\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-10-22 to 2010-11-22 ))))))))))))))))))))))))))))
.
2010-11-21 13:18 . 2010-11-21 18:26 -------- d-----w- C:\sol2006
2010-11-20 20:07 . 2010-11-20 20:45 -------- d-----w- C:\b6d5080ad9662a8c234b0ad440a54b
2010-11-20 20:05 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-20 19:38 . 2010-11-22 14:12 -------- d-----w- C:\HijackThis
2010-11-20 19:38 . 2010-11-20 19:54 -------- d-----w- C:\Atualização
2010-11-20 18:59 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-11-20 18:59 . 2009-08-06 23:24 18144 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-11-20 18:59 . 2009-08-06 23:24 15584 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-11-20 18:59 . 2009-08-06 23:23 23256 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-11-20 18:59 . 2009-08-06 23:24 15584 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-20 18:56 . 2010-11-20 18:56 -------- d-s---w- c:\documents and settings\administrador.LOGOSMANAUS\UserData
2010-11-20 18:33 . 2010-11-20 18:33 -------- d-----w- c:\documents and settings\administrador.LOGOSMANAUS\Configurações locais\Dados de aplicativos\Identities
2010-11-20 17:13 . 2007-06-19 16:57 229888 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HP1006S.DLL
2010-11-20 16:23 . 2010-11-20 16:23 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\3M
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((( SnapShot@2010-11-20_18.44.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 16:08 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-20 18:59 . 2009-08-06 23:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 03:45 . 2009-08-06 23:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 03:45 . 2009-08-06 23:24 96480 c:\windows\system32\cdm.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 209624 c:\windows\system32\wuweb.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 327896 c:\windows\system32\wucltui.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-20 18:59 . 2009-08-06 23:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-08-06 23:23 . 2009-08-06 23:23 215904 c:\windows\system32\muweb.dll
+ 2009-06-15 14:44 . 2010-11-22 14:41 317472 c:\windows\system32\drivers\fidbox2.dat
+ 2009-04-18 16:08 . 2009-08-06 23:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2009-04-18 16:08 . 2009-08-06 23:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 1929952 c:\windows\system32\wuaueng.dll
+ 2009-04-18 16:08 . 2009-08-06 23:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-11-20 19:51 . 2010-11-02 20:47 35758536 c:\windows\system32\MRT.exe
+ 2009-06-15 14:44 . 2010-11-22 14:41 14586912 c:\windows\system32\drivers\fidbox.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2005-03-11 147456]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Forefront TMG Client.lnk - c:\arquivos de programas\Forefront TMG Client\FwcMgmt.exe [2009-11-9 240944]
Post-it© Software Notes Lite.lnk - c:\arquivos de programas\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1126\Scripts\Logon\0\0]
"Script"=data.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1126\Scripts\Logon\1\0]
"Script"=data.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1137\Scripts\Logon\0\0]
"Script"=data.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-1137\Scripts\Logon\1\0]
"Script"=data.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-3824\Scripts\Logon\0\0]
"Script"=data.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-3824\Scripts\Logon\1\0]
"Script"=data.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-500\Scripts\Logon\0\0]
"Script"=f:\atalhos\Atalhos.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3381741387-157248392-2993918416-500\Scripts\Logon\0\1]
"Script"=sol2006.vbs
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 04:56 1667584 ------w- c:\arquivos de programas\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP2014MC.EXE"=
"c:\\Arquivos de programas\\NetSupport Manager\\client32.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit
"1745:UDP"= 1745:UDP:Client Notification Channel
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 FwcAgent;Forefront TMG Client Agent;c:\arquivos de programas\Forefront TMG Client\FwcAgent.exe [09/11/2009 10:53 275440]
R2 klnagent;Kaspersky Network Agent;c:\arquivos de programas\Kaspersky Lab\NetworkAgent\klnagent.exe [22/09/2008 19:12 94544]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/05/2007 18:49 24344]
S2 lrtswdg;Boot System;c:\windows\system32\svchost.exe -k netsvcs [03/08/2004 23:45 14336]
S2 milja;Network Task;c:\windows\system32\svchost.exe -k netsvcs [03/08/2004 23:45 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
milja
lrtswdg
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.aecarros.com.br
uInternet Connection Wizard,ShellNext = hxxp://www.logosveiculos.com.br/
uInternet Settings,ProxyServer = ferrari:8080
uInternet Settings,ProxyOverride =
IE: Adicionar ao Anti-Banner - c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
LSP: c:\arquivos de programas\Forefront TMG Client\FwcWsp.dll
FF - ProfilePath - c:\documents and settings\administrador.LOGOSMANAUS\Dados de aplicativos\Mozilla\Firefox\Profiles\vx3ahrz7.default\
---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 10:41
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lrtswdg]
"ServiceDll"="c:\windows\system32\tthztwdk.dll "
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\milja]
"ServiceDll"="c:\windows\system32\tthztwdk.dll "
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\klogon.dll
c:\windows\system32\ac3acm.acm
c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\adialhk.dll
- - - - - - - > 'csrss.exe'(988)
c:\arquivos de programas\NetSupport Manager\pcihooks.dll
.
Tempo para conclusão: 2010-11-22 10:44:22
ComboFix-quarantined-files.txt 2010-11-22 14:44
ComboFix2.txt 2010-11-20 19:48
ComboFix3.txt 2010-11-20 18:46
Pré-execução: 12 pasta(s) 35.253.784.576 bytes disponíveis
Pós execução: 13 pasta(s) 35.252.125.696 bytes disponíveis
- - End Of File - - 2593F4F227DEE9AAAFB8AF6F7F2A2955