
[virus] Svhost email spam

Discussion in 'Questions and Support - Internet, Networks, Security' started by lsharkf, 6 May 2009. (Replies: 14; Views: 916)

  1. lsharkf

    lsharkf Power Member

    Hi,

    I think the Svhost process is sending out mails...

    I ran netstat... and saw there are loads of SMTP connections... and in the task manager there are about 6 svhost.exe processes open.

    That's what you get... for letting women mess with a PC... dammit

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:35:53, on 06-05-2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programas\Conceptronic\Utility\WLANmon.exe
    C:\Programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
    C:\Programas\Adobe\Adobe Bridge CS4\Bridge.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Programas\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\taskmgr.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Conceptronic Conceptronic 300Mbps Wireless Utility] C:\Programas\Conceptronic\Utility\WLANmon.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [mssrv32] c:\windows\system32\mssrv32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AdobeBridge] "C:\Programas\Adobe\Adobe Bridge CS4\Bridge.exe" -stealth
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Enviar para o OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    O20 - Winlogon Notify: __c00EE250 - C:\WINDOWS\system32\__c00EE250.dat
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Programas\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Serviço de transferência inteligente em fundo (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\programas\ficheiros comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Actualizações automáticas (wuauserv) - Unknown owner - C:\WINDOWS\
    
    --
    End of file - 5656 bytes
    
     
  2. Blue Zee

    Blue Zee Power Member

    Last edited: 6 May 2009
  3. lsharkf

    lsharkf Power Member

    Lol...

    In this case the PC is my sister's :) so... they really like installing games found who knows where :D


    I'll try to do what you said, thanks!
     
  4. Blue Zee

    Blue Zee Power Member

    As they say... the exception proves the rule. :D

    By the way, I confirm there are problems in the log.

    The cleanup I suggested may well fix it, but we'll see at the end with the new log.

    Zee
     
  5. lsharkf

    lsharkf Power Member

    Hi,

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:45:46, on 06-05-2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programas\Conceptronic\Utility\WLANmon.exe
    C:\Programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Programas\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
    C:\Programas\Adobe\Adobe Bridge CS4\Bridge.exe
    C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Programas\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Programas\Trend Micro\HijackThis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Conceptronic Conceptronic 300Mbps Wireless Utility] C:\Programas\Conceptronic\Utility\WLANmon.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AdobeBridge] "C:\Programas\Adobe\Adobe Bridge CS4\Bridge.exe" -stealth
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Adicionar ao Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Enviar para o OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Programas\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Serviço de transferência inteligente em fundo (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\programas\ficheiros comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Actualizações automáticas (wuauserv) - Unknown owner - C:\WINDOWS\
    
    --
    End of file - 6241 bytes
    
    
    I think the SPAM has finally stopped :) ...

    By the way, which is the best free antivirus?
     
  6. Blue Zee

    Blue Zee Power Member

    Looks to be in order.

    I'd fix these entries, just because they use resources unnecessarily:
    Code:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    As a good-quality free antivirus I suggest:

    Avira Antivir
    or
    Avast Home Edition

    Good luck.

    Zee
     
  7. lsharkf

    lsharkf Power Member

    Hi...

    The problem continues... svhost... is spamming... several SMTP connections to random mail servers.

    I already did the procedure you described but everything is still the same.

    I used the fport program
    Code:
    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com
    
    Pid   Process            Port  Proto Path                          
    844                  ->  135   TCP                                 
    4     System         ->  139   TCP                                 
    4     System         ->  445   TCP                                 
    488                  ->  1032  TCP                                 
    2640  firefox        ->  1042  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  1043  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  1045  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  1046  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  1327  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  1328  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  1329  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    3172  svchost        ->  1597  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2053  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2239  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2256  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2274  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2280  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2306  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2360  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2474  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2530  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2546  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2552  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2578  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2581  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2592  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2606  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2646  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2647  TCP   C:\WINDOWS\System32\svchost.exe
    0     System         ->  2713  TCP                                 
    3132  svchost        ->  2718  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2735  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2738  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2747  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2767  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2768  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2769  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2772  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2776  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2777  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2778  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2779  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2788  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2789  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2791  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2793  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2799  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2811  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2820  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2824  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2831  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2832  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2833  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  2834  TCP   C:\WINDOWS\System32\svchost.exe
    2640  firefox        ->  2901  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  2906  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    0     System         ->  2915  TCP                                 
    3172  svchost        ->  2971  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2976  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2978  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2982  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2985  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2987  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2991  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2992  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2993  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  2994  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  3000  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  3001  TCP   C:\WINDOWS\System32\svchost.exe
    1980  SUPERAntiSpyware->  3002  TCP   C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
    3172  svchost        ->  3003  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  3004  TCP   C:\WINDOWS\System32\svchost.exe
    2676  svchost        ->  3205  TCP   C:\WINDOWS\System32\svchost.exe
    2676  svchost        ->  3206  TCP   C:\WINDOWS\System32\svchost.exe
    2676  svchost        ->  4318  TCP   C:\WINDOWS\System32\svchost.exe
    3172  svchost        ->  4576  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  4609  TCP   C:\WINDOWS\System32\svchost.exe
    3132  svchost        ->  4766  TCP   C:\WINDOWS\System32\svchost.exe
    2640  firefox        ->  4853  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  4868  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  4869  TCP   C:\Programas\Mozilla Firefox\firefox.exe
    
    2640  firefox        ->  123   UDP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  137   UDP   C:\Programas\Mozilla Firefox\firefox.exe
    3172  svchost        ->  138   UDP   C:\WINDOWS\System32\svchost.exe
    844                  ->  445   UDP                                 
    4     System         ->  500   UDP                                 
    4     System         ->  1900  UDP                                 
    3172  svchost        ->  1900  UDP   C:\WINDOWS\System32\svchost.exe
    2640  firefox        ->  3540  UDP   C:\Programas\Mozilla Firefox\firefox.exe
    488                  ->  3878  UDP                                 
    2640  firefox        ->  3879  UDP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  3882  UDP   C:\Programas\Mozilla Firefox\firefox.exe
    2640  firefox        ->  4500  UDP   C:\Programas\Mozilla Firefox\firefox.exe
    
    The number of connections the svchost service has ...
     
  8. Blue Zee

    Blue Zee Power Member

    Do this and test at the end.

    Then make a new HJT log, post it here and comment on the situation at that point.
     
  9. lsharkf

    lsharkf Power Member

    Hi, thanks in advance for your attention.

    SDFIX
    Code:
    
    SDFix: Version 1.240
    Run by Administrador on 07-05-2009 at 21:52
    
    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFIX
    
    Checking Services:
    
    
    Restoring Default Security Values
    Restoring Default Hosts File
    
    Rebooting
    
    
    Checking Files:
    
    No Trojan Files Found
    
    
    
    
    
    
    Removing Temp Files
    
    ADS Check:
     
    
    
    Final Check:
    
    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-07 22:10:31
    Windows 5.1.2600 Service Pack 3 NTFS
    
    scanning hidden processes ...
    
    scanning hidden services & system hive ...
    
    scanning hidden registry entries ...
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
    "]%ð?À?ó?<%Ú? ?(?T?r?u?e?T?y?p?e?)?"="KAIU.TTF"
    "\x201c%Ë?\xae?\xb7?<%Ú? ?&? ?À?s?\x201c%Ë?\xae?\xb7?<%Ú? ?(?T?r?u?e?T?y?p?e?)?"="MINGLIU.TTC"
    
    scanning hidden files ...
    
    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0
    
    
    Remaining Services:
    
    
    
    
    Authorized Application Key Export:
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\Brazilian\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\Brazilian\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
    "C:\\Programas\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"="C:\\Programas\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe:*:Enabled:Adobe Dreamweaver CS4"
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    
    Remaining Files:
    
    
    
    Files with Hidden Attributes:
    
    Wed  9 May 2007            88 ..SHR --- "C:\WINDOWS\system32\4A2C25F26E.sys"
    Wed  9 May 2007         3,506 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
    Sat 25 Apr 2009       407,040 ...H. --- "C:\Documents and Settings\operador\Os meus documentos\Os meus ficheiros recebidos\~WRL2382.tmp"
    Tue 17 Feb 2009    16,000,000 A..H. --- "C:\Documents and Settings\operador\Ambiente de trabalho\Nocas\Mestrado\graça\documentos\~WRL0211.tmp"
    Tue 17 Feb 2009    15,004,160 A..H. --- "C:\Documents and Settings\operador\Ambiente de trabalho\Nocas\Mestrado\graça\documentos\~WRL1556.tmp"
    Tue 17 Feb 2009    15,385,088 A..H. --- "C:\Documents and Settings\operador\Ambiente de trabalho\Nocas\Mestrado\graça\documentos\~WRL1643.tmp"
    Tue 17 Feb 2009    16,037,376 A..H. --- "C:\Documents and Settings\operador\Ambiente de trabalho\Nocas\Mestrado\graça\documentos\~WRL2826.tmp"
    Tue 17 Feb 2009    15,999,488 A..H. --- "C:\Documents and Settings\operador\Ambiente de trabalho\Nocas\Mestrado\graça\documentos\~WRL2833.tmp"
    Tue 17 Feb 2009    15,157,760 A..H. --- "C:\Documents and Settings\operador\Ambiente de trabalho\Nocas\Mestrado\graça\documentos\~WRL3488.tmp"
    Tue 17 Feb 2009    15,004,160 A..H. --- "C:\Documents and Settings\operador\Ambiente de trabalho\Nocas\Mestrado\graça\documentos\~WRL3615.tmp"
    Tue 17 Feb 2009    16,000,512 A..H. --- "C:\Documents and Settings\operador\Ambiente de trabalho\Nocas\Mestrado\graça\documentos\~WRL3809.tmp"
    Tue 17 Feb 2009    15,998,464 A..H. --- "C:\Documents and Settings\operador\Ambiente de trabalho\Nocas\Mestrado\graça\documentos\~WRL3954.tmp"
    
    Finished!
    
    HijackThis
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:20:13, on 07-05-2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Programas\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Programas\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
    C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Programas\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Programas\Trend Micro\HijackThis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programas\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programas\Ficheiros comuns\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Enviar para o OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Programas\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Serviço de transferência inteligente em fundo (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\programas\ficheiros comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Actualizações automáticas (wuauserv) - Unknown owner - C:\WINDOWS\
    
    --
    End of file - 4752 bytes
    
    When it boots it always tries to connect to this server (akamaitechnologies)
    Code:
    
      Proto  Local Address           Foreign Address         State
      TCP    INTERNO1:1221          a195-8-10-7.deploy.akamaitechnologies.com:http  TIME_WAIT
      TCP    INTERNO1:1250          a195-8-10-7.deploy.akamaitechnologies.com:http  TIME_WAIT
      TCP    INTERNO1:2869          192.168.10.1:1820      CLOSE_WAIT
    
     
  10. Blue Zee

    Blue Zee Power Member

    Run a scan with HJT and tick the following entries to clean (click the little box to the left of each one):
    Code:
    O23 - Service: Serviço de transferência inteligente em fundo (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: Actualizações automáticas (wuauserv) - Unknown owner - C:\WINDOWS\
    Do the cleanup by clicking Fix checked, confirm if necessary and close HJT.

    Restart the system.

    Now do

    Start > Run > type
    services.msc > Enter

    Locate the service:

    FLEXnet Licensing Service

    Double-click it and change the startup type from automatic to manual. Confirm.

    Restart the PC, test and comment.

    Zee
     
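The two entries Blue Zee singles out are odd for a more specific reason than their owner: the path HijackThis shows for them is a bare directory (`C:\WINDOWS\`) rather than an executable, and both are services that on a stock Windows XP install run inside svchost.exe (`svchost.exe -k netsvcs`, with the real code named by the `ServiceDll` value under the service's `Parameters` key). The following added example, which is neither HijackThis's own logic nor code from the thread, parses O23 lines and flags what a practitioner checks before fixing anything: a path that is not an executable, a file HijackThis could not find, and a known svchost-hosted service whose path does not mention svchost.exe. The sample lines are constructed in the shape of the posted log (the `examplesvc` entry is invented), and the list of expected svchost-hosted services is an assumption of the example.

```python
"""
Sanity-check HijackThis O23 (service) lines.

Added example; neither HijackThis's own logic nor code from the thread. Sample
lines are constructed in the shape of the posted log. SVCHOST_HOSTED is an
assumption: services that on a stock Windows XP install run as
'svchost.exe -k netsvcs'.
"""
import re

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)
FILE_MISSING = "(file missing)"
SVCHOST_HOSTED = {"bits", "wuauserv"}  # assumption, see docstring

SAMPLE_O23 = r"""
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\programas\ficheiros comuns\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Example Host (examplesvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
"""


def parse_o23(text):
    """One dict (display, name, owner, path) per O23 line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def assess(entry):
    """Return the list of reasons an O23 entry deserves a closer look."""
    reasons = []
    path = entry["path"].strip()
    if path.endswith(FILE_MISSING):
        reasons.append("file missing")
        path = path[: -len(FILE_MISSING)].strip()
    # The image path may carry arguments ('svchost.exe -k netsvcs'); treat the
    # part before the first ' -' as the executable (heuristic, good enough here).
    exe = path.split(" -", 1)[0].strip().lower()
    if exe.endswith("\\") or not re.search(r"\.(exe|sys|dll)$", exe):
        reasons.append("path is not an executable")
    if entry["owner"] == "Unknown owner":
        reasons.append("no publisher in version info")
    if entry["name"].lower() in SVCHOST_HOSTED and "svchost.exe" not in exe:
        reasons.append("expected svchost.exe host")
    return reasons


def flagged_services(text):
    """Map service short name -> reasons, for entries with at least one reason."""
    flagged = {}
    for entry in parse_o23(text):
        reasons = assess(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flagged_services(SAMPLE_O23).items():
        print(f"{name}: {', '.join(reasons)}")
```

The check is a prompt for where to look, not a verdict: before letting any tool "fix" a service entry, compare it with the registry (`reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath`, and the `ServiceDll` value under the `Parameters` subkey) and note that deleting the BITS and wuauserv entries also disables Windows Update until they are recreated.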
  11. lsharkf

    lsharkf Power Member

    Hi,

    No luck.
    I think I'm going to format this thing... it keeps spamming hard through svchost... the processes you told me to "clean"

    Code:
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
    come back as soon as I run a new scan.

    As for changing the startup from automatic to manual... it was already set to manual.
     
  12. Blue Zee

    Blue Zee Power Member

    It might be worth using Process Explorer to try to locate the service or process that is using SVCHOST.

    Zee
     
  13. DavidJamez

    DavidJamez Power Member

    If you don't have a firewall installed, use this Sygate one to block svchost.exe's access to the internet.
    Secondly, download this and run a scan. With luck it's a rootkit you've got in there.
     
  14. lsharkf

    lsharkf Power Member

    Hi,

    I installed and ran this program, which was recommended on another forum.
    http://www.besttechie.net/tools/mbam-setup.exe

    It detected 15 objects
    Code:
    Malwarebytes' Anti-Malware 1.36
    Database version: 2099
    Windows 5.1.2600 Service Pack 3
    
    09-05-2009 19:43:08
    mbam-log-2009-05-09 (19-43-08).txt
    
    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 302728
    Time elapsed: 57 minute(s), 21 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 15
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
    
    Registry Values Infected:
    (No malicious items detected)
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0024892.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c004ED.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0057294.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c006ED1C.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0082A71.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00964C8.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0096E10.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00A02D0.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00CEEED.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00E9384.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00EE250.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\6d48508e.sys.vir (Rootkit.Rustock) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\8f03ccb7.sys.vir (Rootkit.Rustok) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4EF46661-5C7A-4696-8954-E7710261F280}\RP88\A0056761.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4EF46661-5C7A-4696-8954-E7710261F280}\RP88\A0056762.sys (Rootkit.Rustok) -> Quarantined and deleted successfully.
    
    
    Apparently the processes have stopped.

    PS: it would have been this Rootkit.Rustok, wouldn't it?
     
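A way of reading the log above that the post does not spell out: every one of the 15 file hits sits either under C:\Qoobox\Quarantine (the quarantine folder ComboFix creates; the .vir extension is ComboFix's) or inside a System Restore snapshot, so Malwarebytes found copies that had already been taken out of service plus one registry trace, not a live driver. The following added example, which is not code from the thread or from Malwarebytes, sorts Malwarebytes detection lines into those buckets so that any live object stands out. The sample lines are constructed in the format of the posted log; the file names, the restore-point GUID and the registry key are invented, and the category names are this example's own.

```python
"""
Triage Malwarebytes' Anti-Malware detection lines by where the object lived.

Added example, not from the thread. Sample lines are constructed in the format
of the posted log; file names, the restore-point GUID and the registry key are
invented. The category names are this example's, not Malwarebytes' terminology.
"""
import re
from collections import Counter

# "<path> (<family>) -> <action>"; paths start with a drive letter or HKEY_.
DETECTION_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:\\|HKEY_).+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$"
)

SAMPLE_MBAM = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\ExampleTrace (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0011111.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\1a2b3c4d.sys.vir (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP88\A0000001.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\9f8e7d6c.sys (Rootkit.Rustock) -> Delete on reboot.
"""


def classify(path):
    """Where the detected object lived; 'live' means it was in place on the system."""
    p = path.lower()
    if p.startswith("hkey_"):
        return "registry"
    if "\\qoobox\\quarantine\\" in p:                   # ComboFix's quarantine folder
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in p:   # System Restore snapshot copy
        return "restore_point"
    return "live"


def parse_detections(text):
    """One dict per detection line: path, family, action, category."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["category"] = classify(d["path"])
            found.append(d)
    return found


def triage(text):
    """Summary a responder wants first: counts per bucket and the live objects."""
    dets = parse_detections(text)
    return {
        "counts": dict(Counter(d["category"] for d in dets)),
        "families": sorted({d["family"] for d in dets}),
        "live": [d["path"] for d in dets if d["category"] == "live"],
        "pending_reboot": [d["path"] for d in dets
                           if d["action"].startswith("Delete on reboot")],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_MBAM)
    print(summary["counts"])
    for path in summary["live"]:
        print("LIVE:", path)
```

Run it on a real log with `triage(open("mbam-log-2009-05-09 (19-43-08).txt", encoding="latin-1").read())` (the encoding depends on the Windows locale that wrote the file). A log with no "live" hits, like the one posted, means the scanner saw nothing active, which is consistent with ComboFix having removed the driver earlier; it is not proof the rootkit is gone, since a kernel-mode rootkit can hide its files from a user-mode scanner, which is why an anti-rootkit scan is the usual follow-up.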
  15. DavidJamez

    DavidJamez Power Member

    Just to be on the safe side I'd run a scan with GMER...
     
