[Resolved!] Log Analysis - ComboFix
Folks, please take a look at this for me:
ComboFix 09-06-08.05 - Dener 09/06/2009 11:13.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.2029.1548 [GMT -3:00]
Running from: c:\documents and settings\Dener\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090608-0] On-access scanning disabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\._xat-image-optimizer-5-10i.exe
c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://www.hhdsoftware.com
.
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.
2009-06-08 22:07 . 2009-06-08 22:07 3371383 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-08 22:01 . 2008-12-11 11:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-08 22:01 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-08 22:01 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-08 22:01 . 2009-06-08 22:01 -------- d-----w- c:\arquivos de programas\Arquivos comuns\PC Tools
2009-06-08 22:01 . 2008-12-10 14:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-08 22:01 . 2009-06-08 22:01 -------- d-----w- c:\documents and settings\Dener\Dados de aplicativos\PC Tools
2009-06-08 22:01 . 2009-06-08 22:01 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\PC Tools
2009-06-08 22:01 . 2009-06-08 22:01 -------- d-----w- c:\arquivos de programas\Spyware Doctor
2009-06-08 20:42 . 2009-06-08 20:42 -------- d-----w- C:\Fraps
2009-06-08 20:30 . 2007-12-25 12:42 2372574 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\{3A7FD077-F0B4-4276-BE42-175DEF23CA39}\BB FlashBack.exe
2009-06-08 20:30 . 2009-06-08 20:30 -------- d-----w- c:\arquivos de programas\Blueberry Software
2009-06-08 20:30 . 2009-06-08 20:30 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Blueberry Software
2009-06-08 20:30 . 2009-06-08 20:30 -------- d--h--w- c:\documents and settings\All Users\Dados de aplicativos\{3A7FD077-F0B4-4276-BE42-175DEF23CA39}
2009-06-08 19:13 . 2009-06-08 19:13 -------- d-----w- c:\arquivos de programas\Metin2_UK
2009-06-08 17:08 . 2009-06-08 17:08 -------- d-----w- c:\arquivos de programas\HHD Software
2009-06-08 02:56 . 2009-06-08 02:56 -------- d-----w- c:\documents and settings\Dener\Dados de aplicativos\Datarescue
2009-06-08 02:54 . 2009-06-08 02:54 -------- d-----w- c:\arquivos de programas\GB Research
2009-06-04 13:19 . 2009-06-04 13:19 -------- d-sh--w- C:\FOUND.004
2009-05-24 00:44 . 2009-05-24 00:44 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-24 00:44 . 2009-05-24 00:44 -------- d-----w- c:\documents and settings\Dener\Dados de aplicativos\skypePM
2009-05-24 00:41 . 2009-05-24 00:41 -------- d-----w- c:\documents and settings\Dener\Dados de aplicativos\Skype
2009-05-24 00:41 . 2009-05-24 00:41 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Skype
2009-05-24 00:41 . 2009-05-24 00:41 -------- d-----r- c:\arquivos de programas\Skype
2009-05-24 00:41 . 2009-05-24 00:41 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Skype
2009-05-23 01:00 . 2009-05-23 01:00 -------- d-----w- c:\documents and settings\Dener\Dados de aplicativos\Audacity
2009-05-23 00:59 . 2009-05-23 00:59 -------- d-----w- c:\arquivos de programas\Audacity 1.3 Beta (Unicode)
2009-05-12 00:18 . 2009-05-12 00:18 -------- d-----w- C:\DVD_01_1
2009-05-12 00:16 . 2009-05-12 00:16 -------- d-----w- c:\windows\WinAVI Video Converter 9.0
2009-05-12 00:16 . 2009-05-12 00:16 -------- d-----w- c:\arquivos de programas\WinAVI Video Converter 9.0
2009-05-11 23:58 . 2009-05-11 23:58 -------- d-----w- C:\digitalvideoconverter
2009-05-11 23:22 . 2009-05-11 23:22 -------- d-----w- c:\windows\Nero Micro 9.2.6
2009-05-11 23:18 . 2008-05-29 06:03 37176 ----a-w- c:\documents and settings\Dener\Dados de aplicativos\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 02:26 . 2008-08-11 02:14 836 ----a-w- c:\windows\bthservsdp.dat
2009-06-08 20:30 . 2008-11-25 12:39 4608 ----a-w- c:\windows\system32\bbchlp.dll
2009-06-08 20:30 . 2008-11-25 12:39 2944 ----a-w- c:\windows\system32\drivers\bbcap.sys
2009-06-08 20:30 . 2008-11-25 12:39 27776 ----a-w- c:\windows\system32\bbcap.dll
2009-05-26 16:20 . 2009-04-24 20:56 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 16:19 . 2009-04-24 20:56 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-18 20:18 . 2009-03-02 23:27 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-13 13:12 . 2001-10-28 20:07 48512 ----a-w- c:\windows\system32\perfc016.dat
2009-05-13 13:12 . 2001-10-28 20:07 344036 ----a-w- c:\windows\system32\perfh016.dat
2009-05-07 13:29 . 2009-05-07 13:29 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!
2009-05-06 18:29 . 2009-05-06 18:29 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2009-04-30 17:06 . 2009-04-30 17:06 -------- d-----w- c:\arquivos de programas\Arquivos comuns\DVDVideoSoft
2009-04-30 16:52 . 2009-04-30 16:51 -------- d-----w- c:\documents and settings\Dener\Dados de aplicativos\Any Video Converter
2009-04-30 16:51 . 2009-04-30 16:51 -------- d-----w- c:\arquivos de programas\Any Video Converter
2009-04-30 16:36 . 2009-04-30 16:36 -------- d-----w- c:\documents and settings\Dener\Dados de aplicativos\Apple Computer
2009-03-02 23:27 . 2009-03-02 23:27 8 --sh--r- c:\windows\system32\636A4C6EA0.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Dener\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-04-20 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apple_KbdMgr"="c:\arquivos de programas\Boot Camp\KbdMgr.exe" [2008-02-08 423216]
"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"ISUSPM Startup"="c:\arquiv~1\ARQUIV~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2009-01-05 413696]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\arquivos de programas\GbPlugin\gbiehcef.dll" [2009-01-27 404032]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
2009-01-27 16:40 404032 ----a-w- c:\arquivos de programas\GbPlugin\gbiehcef.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@="Driver Group"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=
"c:\\Arquivos de programas\\FlashFXP\\FlashFXP.exe"=
"c:\\Arquivos de programas\\ONGAME\\Metin2\\metin2.bin"=
"c:\\AppServ\\Apache2.2\\bin\\httpd.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Metin2_Portugal2\\metin2.bin"=
"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"c:\\Arquivos de programas\\Metin2_UK\\metin2.bin"=
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [3/3/2009 13:33 31296]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/6/2009 19:01 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18/11/2008 15:04 114768]
R1 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [25/11/2008 09:39 2944]
R2 Apache2.2;Apache2.2;c:\appserv\Apache2.2\bin\httpd.exe [17/1/2008 15:37 24635]
R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [8/2/2008 11:14 132400]
R2 AppleTimeSrv;Serviço de Tempo da Apple;c:\windows\system32\AppleTimeSrv.exe [8/2/2008 11:14 99632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/11/2008 15:04 20560]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [3/3/2009 13:33 52808]
R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [8/2/2008 10:56 5504]
R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [8/2/2008 10:55 6528]
R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [10/8/2008 23:12 16512]
R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [10/8/2008 23:13 18944]
S3 sdAuxService;PC Tools Auxiliary Service;c:\arquivos de programas\Spyware Doctor\pctsAuxs.exe [8/6/2009 19:01 348752]
.
Contents of the 'Scheduled Tasks' folder
2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dufpy.com
uInternet Settings,ProxyOverride = *.local
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://imagem.caixa.gov.br/cab/gbpdist.cab
FF - ProfilePath - c:\documents and settings\Dener\Dados de aplicativos\Mozilla\Firefox\Profiles\102uvvwv.default\
FF - component: c:\arquivos de programas\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\arquivos de programas\Unity\WebPlayer\loader\npUnity3D32.dll
---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 11:16
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="c:\appserv\MySQL\bin\mysqld-nt --defaults-file=c:\appserv\MySQL\my.ini mysql"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(756)
c:\arquivos de programas\GbPlugin\gbiehcef.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-09 11:17
ComboFix-quarantined-files.txt 2009-06-09 14:17
Pre-Run: 4.642.258.944 bytes available
Post-Run: 7.016.349.696 bytes available
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
177 --- E O F --- 2009-05-14 12:22
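Added example (not part of the original post, and not ComboFix's own code): a small Python triage helper that parses the sections of a ComboFix log like the one above and pulls out the loading points a reviewer checks first. The line formats and regexes are inferred from this log, the embedded sample is an excerpt of the log posted above, and the rules are structural heuristics that produce review items, not a malware verdict.

```python
"""Triage helper for ComboFix logs: extracts loading points and flags
structural oddities for manual review (heuristics only, no verdicts)."""
import re
from collections import defaultdict

# Excerpt of the ComboFix log posted above (trimmed to representative lines).
SAMPLE_LOG = r"""
----- BITS: Possible infected sites -----
hxxp://www.hhdsoftware.com
.
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.
2009-06-04 13:19 . 2009-06-04 13:19 -------- d-sh--w- C:\FOUND.004
2009-05-18 20:18 . 2009-03-02 23:27 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-03-02 23:27 . 2009-03-02 23:27 8 --sh--r- c:\windows\system32\636A4C6EA0.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Dener\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" [2009-04-20 133104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
2009-01-27 16:40 404032 ----a-w- c:\arquivos de programas\GbPlugin\gbiehcef.dll
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [3/3/2009 13:33 31296]
S3 sdAuxService;PC Tools Auxiliary Service;c:\arquivos de programas\Spyware Doctor\pctsAuxs.exe [8/6/2009 19:01 348752]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(756)
c:\arquivos de programas\GbPlugin\gbiehcef.dll
c:\windows\system32\Ati2evxx.dll
.
"""

# Line formats inferred from the log above (assumption: ComboFix 09-06 layout).
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
                     r"\s+(\S+)\s+([d-][-a-z]{7})\s+(.+)$")
KEY_RE = re.compile(r"^\[(hk[^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[[^\]]+\]$")
PROC_RE = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)$")
NOTIFY_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$")


def parse(text):
    """Walk the log once; a lone '.' line closes the current block."""
    out = {"bits": [], "files": [], "run": [], "notify": [], "services": [],
           "dlls": defaultdict(list)}
    key = proc = mode = None
    for line in text.splitlines():
        line = line.rstrip()
        if line in ("", "."):
            mode = proc = None
            continue
        if line.startswith("----- BITS: Possible infected sites"):
            mode = "bits"
            continue
        m = PROC_RE.match(line)
        if m:
            proc, mode = m.group(1), "dlls"
            continue
        if mode == "bits":
            out["bits"].append(line)
            continue
        if mode == "dlls":
            out["dlls"][proc].append(line)
            continue
        m = KEY_RE.match(line)
        if m:
            key, mode = m.group(1), "key"
            continue
        m = FILE_RE.match(line)
        if m:
            created, _modified, size, attrs, path = m.groups()
            out["files"].append({"path": path, "attrs": attrs, "size": size, "created": created})
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path = m.groups()
            out["services"].append({"start": start, "name": name, "path": path})
            continue
        if mode == "key" and key:
            m = VALUE_RE.match(line)
            if m and re.search(r"\\run$", key, re.I):
                out["run"].append({"key": key, "name": m.group(1), "path": m.group(2)})
                continue
            m = NOTIFY_FILE_RE.match(line)
            if m and re.search(r"winlogon\\notify", key, re.I):
                out["notify"].append({"key": key, "path": m.group(1)})
    return out


def triage(parsed):
    """Return (rule, item, why) tuples; each is a review item, not a verdict."""
    findings = []
    for url in parsed["bits"]:
        findings.append(("bits-job", url, "BITS download source listed by ComboFix; confirm it was user-initiated"))
    for f in parsed["files"]:
        a = f["attrs"]   # e.g. '--sha-w-': 'd' dir, 's' system, 'h' hidden, 'a' archive
        if a[0] != "d" and "h" in a and "s" in a and "\\system32\\" in f["path"].lower():
            findings.append(("hidden-system-file", f["path"], "hidden+system file in system32; check hash and publisher"))
    for n in parsed["notify"]:
        findings.append(("winlogon-notify", n["path"], "Winlogon notification package; loads into winlogon.exe at logon"))
    for dll in parsed["dlls"].get("winlogon.exe", []):
        if "\\windows\\system32\\" not in dll.lower():
            findings.append(("winlogon-foreign-dll", dll, "DLL outside system32 mapped into winlogon.exe; verify signature"))
    for r in parsed["run"]:
        if "documents and settings" in r["path"].lower():
            findings.append(("run-from-profile", r["path"], "autostart from a user-writable profile directory"))
    for s in parsed["services"]:
        if s["start"] == "R0":
            findings.append(("boot-driver", s["path"], "boot-start kernel driver; confirm publisher"))
    return findings


if __name__ == "__main__":
    for rule, item, why in triage(parse(SAMPLE_LOG)):
        print(f"{rule:22} {item}\n{'':22} -> {why}")
```

Running it against the full log is a matter of `parse(open("ComboFix.txt", encoding="cp1252").read())`; the point of the rules is to narrow a 180-line log to the handful of entries worth hashing or looking up, and every hit still needs a human to decide whether it belongs on the machine.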