log hijack + log combofix

likeastone88 · Outubro 25, 2008

Aí estão meus dois logs:

-O primeiro do hijack, o segundo do combofix (após sua execução)

Agradeço a Atenção !

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 07:36:43, on 25/10/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Arquivos de programas\QuickTime\qttask.exe

C:\Arquivos de programas\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\Flashy.exe

C:\WINDOWS\SYSTEM32\USRshutA.exe

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Arquivos de programas\Winamp\winampa.exe

C:\Arquivos de programas\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWlan.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\iPod\bin\iPodService.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.MSN.com/0SEENUS/SAOS01

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.MSN.com/?v=msgrv75

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp

O2 - BHO: IbestBHO Class - {7E6CDC1C-3B90-47D7-B2A8-24438CA96075} - C:\Arquivos de programas\Discador Digerati\bho.dll (file missing)

O2 - BHO: Alive MP3 WAV Converter Toolbar Helper - {C12D2216-6A10-4c7d-A38F-D801D9CF9D03} - C:\Arquivos de programas\Alive MP3 WAV Converter Toolbar\v2.0.0.2\Alive_MP3_WAV_Converter_Toolbar.dll (file missing)

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Alive MP3 WAV Converter Toolbar - {50D31413-8B14-4158-94A5-80BE78E23058} - C:\Arquivos de programas\Alive MP3 WAV Converter Toolbar\v2.0.0.2\Alive_MP3_WAV_Converter_Toolbar.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Flashy Bot] C:\WINDOWS\System32\Flashy.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"

O4 - HKCU\..\Run: [Discador Digerati] "C:\Arquivos de programas\Discador Digerati\autoupdate.exe"

O4 - HKLM\..\Policies\Explorer\Run: [kernel32.dll] C:\WINDOWS\System32\

O4 - Startup: palmOne Registration.lnk = C:\Arquivos de programas\palmOne\register.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe

O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{091BEFE6-A14C-4BA2-9240-7AC5B68D777D}: NameServer = 10.1.1.1,200.199.241.17

O17 - HKLM\System\CS1\Services\Tcpip\..\{091BEFE6-A14C-4BA2-9240-7AC5B68D777D}: NameServer = 10.1.1.1,200.199.241.17

O22 - SharedTaskScheduler: bloodthirst - {f85e05f5-667e-41b0-ab8a-147337a99e65} - (no file)

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\hpdj.exe (file missing)

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 5307 bytes

ComboFix 08-10-24.02 - Administrador 2008-10-25 7:43:41.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.1.1252.1.1046.18.63 [GMT -3:00]

Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

* Criado um novo ponto de restauro

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Menu Iniciar\Online Security Guide.url

C:\Documents and Settings\All Users\Menu Iniciar\Security Troubleshooting.url

C:\WINDOWS\Downloaded Program Files\UERSZ_0001_N69M0703NetInstaller.exe

C:\WINDOWS\system32\atmclk.exe

C:\WINDOWS\system32\dcomcfg.exe

C:\WINDOWS\system32\Flashy.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\regperf.exe

C:\WINDOWS\system32\xuefh.dll

.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-09-25 to 2008-10-25 ))))))))))))))))))))))))))))

.

2008-10-24 22:02 . 2008-10-24 22:02 <DIR> d-------- C:\Arquivos de programas\Trend Micro

2008-10-07 10:34 . 2008-10-07 10:34 <DIR> d--hs---- C:\FOUND.000

2008-10-07 00:05 . 2008-10-07 00:05 <DIR> d-------- C:\Arquivos de programas\VDOWNLOADER

2008-10-05 11:03 . 2008-10-05 11:03 <DIR> d-------- C:\Arquivos de programas\Johnny Castaway

2008-10-05 11:03 . 2008-10-05 11:05 720,896 --a------ C:\WINDOWS\iun6002ev.exe

2008-10-05 11:03 . 2008-10-05 11:05 36 --a------ C:\WINDOWS\johncast.bat

2008-10-03 11:26 . 2008-10-03 11:26 <DIR> d-------- C:\Arquivos de programas\CoolSMS

2008-09-29 13:02 . 2008-09-29 13:02 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\Winamp

2008-09-29 13:02 . 2008-09-29 13:02 <DIR> d-------- C:\Arquivos de programas\Winamp

2008-09-29 12:27 . 2007-03-07 20:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2008-09-29 12:27 . 2007-03-07 20:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-09-29 12:27 . 2007-03-07 20:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-09-29 11:23 . 2008-09-29 11:23 <DIR> d-------- C:\Arquivos de programas\eMule

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-08 14:06 62,952 ----a-w C:\Documents and Settings\Administrador\Dados de aplicativos\GDIPFONTCACHEV1.DAT

2008-09-18 03:35 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys

2008-09-18 03:35 --------- d-----w C:\Arquivos de programas\REALTEK RTL8185 Wireless LAN Driver and Utility

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 5033984]

"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 155648]

"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]

"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2001-10-28 77891]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2006-10-25 282624]

"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2006-10-30 256576]

"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [2008-08-03 36352]

"nwiz"="nwiz.exe" [2003-09-24 C:\WINDOWS\system32\nwiz.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2003-05-22 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

AutoCAD Startup Accelerator.lnk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\acstart16.exe [2005-03-05 10872]

REALTEK RTL8185 Wireless LAN Utility.lnk - C:\Arquivos de programas\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWlan.exe [2008-09-18 675840]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]

--a------ 2003-05-05 08:57 143360 C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]

--a------ 2001-10-28 18:06 77891 C:\WINDOWS\system32\usrmlnka.exe

R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 13532]

R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys [2001-08-17 113762]

S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]

.

Conteúdo da pasta 'Tarefas Agendadas'

2008-06-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]

.

- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-Discador Digerati - C:\Arquivos de programas\Discador Digerati\autoupdate.exe

HKCU-Run-CoolSMS - (no file)

SharedTaskScheduler-{f85e05f5-667e-41b0-ab8a-147337a99e65} - (no file)

MSConfigStartUp-CloneCDTray - C:\Arquivos de programas\Elaborate Bytes\CloneCD\CloneCDTray.exe

MSConfigStartUp-Run - c:\windows\winfig.exe

.

------- Scan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\3dy6o3ic.default\

FF -: plugin - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-25 07:46:49

Windows 5.1.2600 Service Pack 1 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\catchme]

"ImagePath"="\??\C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\catchme]

"ImagePath"="\??\C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\catchme.sys"

.

------------------------ Outros Processos em Execução ------------------------

.

C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

C:\WINDOWS\SYSTEM32\USRSHUTA.EXE

C:\ARQUIVOS DE PROGRAMAS\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE

C:\WINDOWS\SYSTEM32\WDFMGR.EXE

C:\ARQUIVOS DE PROGRAMAS\IPOD\BIN\IPODSERVICE.EXE

.

**************************************************************************

.

Tempo para conclusão: 2008-10-25 7:48:07 - Máquina reiniciou

ComboFix-quarantined-files.txt 2008-10-25 10:48:04

Pré-execução: 1.695.055.872 bytes disponíveis

Pós execução: 2,212,298,752 bytes disponíveis

winxpsp1_br_pro_bf.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

122

JackSSA · Outubro 25, 2008

Nota: Por favor, Não utilize o ComboFix por conta própria. O uso incorreto poderá danificar o seu computador. A ferramenta apenas deve ser utilizada sob supervisão de Analistas de remoção de malware.

Sugiro que imprima ou salve os procedimentos abaixo, e não use a internet até terminado o procedimento.

Selecione e copie o texto dentro do CODE (caixa cinza) abaixo. Abra o Bloco de notas e cole o que copiou. Salve então, na área de trabalho, com o nome de CFScript.txt.

File::
C:\WINDOWS\System32\hp100.tmp
C:\WINDOWS\System32\Flashy.exe
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{686a161d-5bd1-4999-8832-6393f41e564c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Flashy Bot"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"kernel32.dll"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
[-HKEY_CLASSES_ROOT\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]

Arraste agora o CFScript.txt para o ComboFix conforme a demonstração abaixo.

(Imagem ilustrativa)

O ComboFix irá rodar e reiniciará o PC automaticamente para completar o processo de remoção.

IMPORTANTE: Não use o mouse nem o teclado quando o ComboFix estiver rodando.

Quando acabar, será gerado um log, que estará em C:\ComboFix.txt.

Poste o novo Log ComboFix.txt à sua resposta.

Poste também um novo Log do Hijackthis.

likeastone88 · Outubro 25, 2008

Aí estão o log do combofix + log do hijack

VLW ! (y)

ComboFix 08-10-24.02 - Administrador 2008-10-25 20:07:17.2 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.1.1252.1.1046.18.99 [GMT -3:00]

Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe

Comandos utilizados :: C:\Documents and Settings\Administrador\Desktop\CFScript.txt.txt

* Criado um novo ponto de restauro

FILE ::

C:\WINDOWS\System32\Flashy.exe

C:\WINDOWS\System32\hp100.tmp