Fabrici0, Posted April 18, 2008

Here is the ComboFix log:

ComboFix 08-04-16.5 - Fabrício 2008-04-18 1:13:15.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1046.18.1451 [GMT -3:00]
Executando de: C:\infra\ComboFix.exe
.
((((((((((((((((((((((( Ficheiros criados de 2008-03-18 to 2008-04-18 ))))))))))))))))))))))))))))))))
.
2008-04-18 00:46 . 2008-04-18 00:59 <DIR> d-------- C:\infra
2008-04-18 00:44 . 2008-04-18 00:45 <DIR> d-------- C:\LinhaDefensiva
2008-04-17 20:23 . 2008-04-17 20:23 <DIR> d-------- C:\Program Files\No-IP
2008-04-17 20:11 . 2008-04-17 20:11 <DIR> d-------- C:\Program Files\UltraVNC
2008-04-17 20:11 . 2005-06-10 22:02 12,800 --a------ C:\Windows\System32\vncdrv.dll
2008-04-17 20:11 . 2004-06-26 13:22 6,016 --a------ C:\Windows\System32\drivers\vnccom.SYS
2008-04-17 20:11 . 2004-06-26 13:21 5,760 --a------ C:\Windows\System32\vnchelp.dll
2008-04-17 20:11 . 2004-06-26 13:22 4,736 --a------ C:\Windows\System32\drivers\vncdrv.sys
2008-04-17 20:11 . 2008-04-17 20:11 38 --a------ C:\Windows\System32\'
2008-04-14 23:26 . 2008-04-14 23:26 170,949,151 --a------ C:\Windows\MEMORY.DMP
2008-04-14 22:48 . 2008-04-14 22:48 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-04-14 22:18 . 2008-04-14 22:18 <DIR> d-------- C:\Program Files\Free Create-Burn ISO Image
2008-04-14 22:18 . 2002-07-17 10:03 45,056 --a------ C:\Windows\System32\WNASPI32.DLL
2008-04-14 22:18 . 2002-07-17 08:53 16,877 --a------ C:\Windows\System32\drivers\ASPI32.SYS
2008-04-14 20:18 . 2008-04-14 20:49 <DIR> d-------- C:\ESCRITORIO CARITA
2008-04-14 15:43 . 2008-04-16 21:42 <DIR> d-------- C:\A lênda de Beowulf
2008-04-14 11:49 . 2008-04-14 20:31 <DIR> d-------- C:\PARANÓIA - FILME
2008-04-13 20:02 . 2008-04-13 20:02 <DIR> d-------- C:\Users\All Users\Google
2008-04-13 19:12 . 2008-04-13 19:13 <DIR> d-------- C:\Users\Fabrício\AppData\Roaming\Good Keywords v2
2008-04-13 18:33 . 2008-04-13 19:12 <DIR> d-------- C:\Program Files\Softnik Technologies
2008-04-12 19:46 . 2008-04-12 19:46 <DIR> d-------- C:\Program Files\CCleaner
2008-04-09 22:23 . 2008-04-09 22:23 <DIR> d-------- C:\Program Files\A4K12 JoyPad Driver
2008-04-09 20:21 . 2008-04-09 20:21 <DIR> d-------- C:\Program Files\uTorrent
2008-04-09 20:20 . 2008-04-13 22:36 <DIR> d-------- C:\Users\Fabrício\AppData\Roaming\uTorrent
2008-04-05 15:18 . 2008-04-05 15:21 <DIR> d-------- C:\Program Files\Ubi Soft
2008-04-04 22:17 . 2008-04-04 22:17 <DIR> d-------- C:\Program Files\Phun
2008-04-02 20:46 . 2008-04-02 20:46 <DIR> d-------- C:\Program Files\EA GAMES
2008-04-02 19:56 . 2008-04-12 00:23 <DIR> d-------- C:\Program Files\Tales of Pirates
2008-04-02 19:49 . 2008-04-02 20:42 48 ---hs---- C:\Windows\S12A897D7.tmp
2008-04-02 02:31 . 2008-04-02 02:31 <DIR> d-------- C:\Program Files\Maxis
2008-04-02 02:31 . 1998-07-30 18:43 306,688 --a------ C:\Windows\IsUn0416.exe
2008-04-02 01:02 . 2005-05-26 15:34 2,297,552 --a------ C:\Windows\System32\d3dx9_26.dll
2008-04-02 00:56 . 2008-04-02 00:56 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-04-02 00:35 . 2008-04-02 00:35 <DIR> d-------- C:\Program Files\Electronic Arts
2008-03-31 21:21 . 2008-03-31 21:21 <DIR> d-------- C:\Users\Fabrício\AppData\Roaming\Notepad++
2008-03-31 21:21 . 2008-03-31 21:21 <DIR> d-------- C:\Program Files\Notepad++
2008-03-31 20:51 . 2008-03-31 20:51 <DIR> d-------- C:\Users\Fabrício\AppData\Roaming\WinRAR
2008-03-31 20:46 . 2008-03-31 20:46 <DIR> d-------- C:\work
2008-03-30 22:38 . 2008-03-30 22:38 <DIR> d-------- C:\Windows\PCHEALTH
2008-03-30 22:10 . 2008-03-30 22:38 <DIR> d-------- C:\Program Files\Windows Live
2008-03-30 22:10 . 2008-03-30 22:38 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-30 22:09 . 2008-03-30 22:09 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-03-30 22:09 . 2008-03-30 22:09 <DIR> d-------- C:\ProgramData\WLInstaller
2008-03-30 19:32 . 2008-03-30 19:32 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-03-30 19:32 . 2008-03-30 19:32 <DIR> d-------- C:\ProgramData\FLEXnet
2008-03-30 19:27 . 2008-03-30 19:27 <DIR> d-------- C:\Users\All Users\ALM
2008-03-30 19:27 . 2008-03-30 19:27 <DIR> d-------- C:\ProgramData\ALM
2008-03-30 19:22 . 2008-03-30 19:22 <DIR> d-------- C:\Program Files\QuickTime
2008-03-30 19:20 . 2006-09-29 06:56 28,248 -ra------ C:\Windows\System32\AdobePDF.dll
2008-03-30 19:19 . 2007-02-20 16:04 2,463,976 --a------ C:\Windows\System32\NPSWF32.dll
2008-03-30 19:19 . 2007-02-20 16:04 190,696 --a------ C:\Windows\System32\NPSWF32_FlashUtil.exe
2008-03-30 19:16 . 2008-03-30 19:16 <DIR> d-------- C:\Program Files\Bonjour
2008-03-30 19:13 . 2008-03-30 19:13 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-30 19:10 . 2008-03-30 19:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-30 01:52 . 2008-03-30 20:13 <DIR> d-------- C:\Users\All Users\Adobe
2008-03-30 01:49 . 2008-03-30 01:51 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-03-30 01:47 . 2008-03-30 01:47 <DIR> d--h----- C:\Users\Fabrício\InstallAnywhere
2008-03-30 01:47 . 2008-03-30 01:47 <DIR> d--h----- C:\Users\Fabrício\InstallAnywhere
2008-03-30 01:24 . 2008-03-30 01:24 <DIR> d-------- C:\Users\Fabrício\AppData\Roaming\DAEMON Tools
2008-03-30 01:24 . 2008-03-30 01:24 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-03-30 01:19 . 2008-03-30 01:19 716,272 --a------ C:\Windows\System32\drivers\sptd.sys
2008-03-30 00:31 . 2008-03-30 00:31 <DIR> d-------- C:\Users\Fabrício\AppData\Roaming\Mozilla
2008-03-30 00:31 . 2008-03-30 00:31 0 --a------ C:\Windows\nsreg.dat
2008-03-30 00:13 . 2008-03-30 00:17 <DIR> d-------- C:\Users\Fabrício\.VirtualBox
2008-03-30 00:13 . 2008-03-30 00:17 <DIR> d-------- C:\Users\Fabrício\.VirtualBox
2008-03-30 00:12 . 2008-03-30 00:12 <DIR> d----c--- C:\Windows\System32\DRVSTORE
2008-03-30 00:12 . 2008-03-30 00:12 <DIR> d-------- C:\Program Files\innotek VirtualBox
2008-03-30 00:12 . 2008-02-20 20:17 40,928 --a------ C:\Windows\System32\drivers\VBoxDrv.sys
2008-03-30 00:12 . 2008-02-20 20:17 27,776 --a------ C:\Windows\System32\drivers\VBoxUSBMon.sys
2008-03-29 23:17 . 2008-03-29 23:16 1,953,792 --a------ C:\Windows\System32\JMRaidSetup.exe
2008-03-29 23:17 . 2008-03-29 23:16 319,984 --a------ C:\Windows\System32\DifxApi.dll
2008-03-29 23:16 . 2008-03-29 23:16 44,416 --a------ C:\Windows\System32\drivers\jraid.sys
2008-03-29 23:15 . 2008-03-29 23:15 <DIR> d-------- C:\Program Files\Codecs
2008-03-29 23:01 . 2006-12-29 18:11 4,317,184 --a------ C:\Windows\RtHDVCpl.exe
2008-03-29 23:01 . 2006-12-29 15:03 1,814,016 --a------ C:\Windows\System32\RtkAPO.dll
2008-03-29 23:01 . 2007-01-02 20:41 1,668,456 --a------ C:\Windows\System32\drivers\RTKVHDA.sys
2008-03-29 23:01 . 2006-12-16 20:10 1,191,936 --a------ C:\Windows\RtlUpd.exe
2008-03-29 23:01 . 2006-10-20 22:56 532,480 --a------ C:\Windows\System32\RTSndMgr.cpl
2008-03-29 23:01 . 2006-12-29 14:59 489,472 --a------ C:\Windows\System32\RtkPgExt.dll
2008-03-29 23:01 . 2006-12-13 17:30 339,968 --a------ C:\Windows\System32\SRSTSXT.dll
2008-03-29 23:01 . 2008-03-29 23:01 319,456 --a------ C:\Windows\DIFxAPI.dll
2008-03-29 23:01 . 2006-11-30 01:47 135,168 --a------ C:\Windows\System32\SRSWOW.dll
2008-03-29 23:01 . 2006-12-28 03:01 17,408 --a------ C:\Windows\System32\RtkCoInst.dll
2008-03-29 22:47 . 2008-03-29 22:47 <DIR> d-------- C:\Windows\System32\Macromed
2008-03-29 22:47 . 2008-03-29 22:47 <DIR> d-------- C:\Users\Fabrício\AppData\Roaming\Macromedia
2008-03-29 22:47 . 2008-04-03 21:04 <DIR> d-------- C:\Users\Fabrício\AppData\Roaming\Adobe
2008-03-29 22:20 . 2008-03-29 22:27 <DIR> d-------- C:\imagens
2008-03-29 22:17 . 2008-03-29 22:20 <DIR> d-------- C:\Fontes
2008-03-29 21:21 . 2008-03-29 23:17 <DIR> d-------- C:\Windows\JM
2008-03-29 21:21 . 2006-07-12 06:47 352,256 -r------- C:\Windows\System32\JMRaidTool.exe
2008-03-29 21:21 . 2008-03-29 23:16 139,264 --a------ C:\Windows\System32\JMRaidAPI.dll
2008-03-29 21:21 . 2006-02-07 08:52 6,912 --a------ C:\Windows\System32\drivers\JGOGO.sys
2008-03-29 21:19 . 2008-03-29 23:01 <DIR> d-------- C:\Windows\System32\RTCOM
2008-03-29 21:19 . 2005-10-31 07:17 135,168 -r------- C:\Windows\System32\RtlCPAPI.dll
2008-03-29 21:19 . 2006-08-01 04:02 49,152 -r------- C:\Windows\System32\ChCfg.exe
2008-03-29 21:17 . 2008-03-29 21:17 <DIR> d-------- C:\Windows\OPTIONS
2008-03-29 21:17 . 2008-03-29 23:01 <DIR> d-------- C:\Program Files\Realtek
2008-03-29 21:17 . 2006-08-11 05:32 1,660,992 --a------ C:\Windows\System32\drivers\RtkHDAud.sys
2008-03-29 21:17 . 2006-12-16 18:29 499,712 --a------ C:\Windows\RtlExUpd.dll
2008-03-29 21:16 . 2008-04-12 00:24 <DIR> d-------- C:\Program Files\Common Files\InstallShield
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 04:16 1,310,720 --sha-w C:\Users\Fabrício\NTUSER.DAT
2008-04-18 04:16 1,310,720 --sha-w C:\Users\Fabrício\NTUSER.DAT
2008-04-14 01:36 --------- d-----w C:\Users\Fabrício\AppData\Roaming\uTorrent
2008-04-13 22:13 --------- d-----w C:\Users\Fabrício\AppData\Roaming\Good Keywords v2
2008-04-05 18:42 --------- d-s---w C:\Users\Fabrício\AppData\Roaming\Microsoft
2008-04-04 00:04 --------- d-----w C:\Users\Fabrício\AppData\Roaming\Adobe
2008-04-01 00:21 --------- d-----w C:\Users\Fabrício\AppData\Roaming\Notepad++
2008-03-31 23:51 --------- d-----w C:\Users\Fabrício\AppData\Roaming\WinRAR
2008-03-30 04:24 --------- d-----w C:\Users\Fabrício\AppData\Roaming\DAEMON Tools
2008-03-30 03:31 --------- d-----w C:\Users\Fabrício\AppData\Roaming\Mozilla
2008-03-30 01:47 --------- d-----w C:\Users\Fabrício\AppData\Roaming\Macromedia
2008-03-29 17:59 --------- d-----w C:\Users\Fabrício\AppData\Roaming\ATI
2008-03-29 16:30 --------- d-----w C:\Users\Fabrício\AppData\Roaming\InstallShield
2008-03-29 11:06 --------- d-----w C:\Users\Fabrício\AppData\Roaming\Identities
2008-02-26 05:53 3,520,512 ----a-w C:\Windows\system32\drivers\atikmdag.sys
2008-02-26 02:14 49,152 ----a-w C:\Windows\system32\drivers\ati2erec.dll
2008-02-20 23:17 30,656 ----a-w C:\Windows\system32\drivers\VBoxUSB.sys
2006-11-02 12:49 174 --sha-w C:\Program Files\desktop.ini
.
((((((((((((((((((((((((((((( snapshot@2008-04-18_ 1.04.31,04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-17 22:47:53 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-18 04:10:06 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-17 22:47:53 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-18 04:10:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-17 22:47:53 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-04-18 04:10:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-17 22:50:01 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-18 04:14:46 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-18 04:14:46 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-04-17 22:49:56 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-18 04:14:41 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-18 04:14:41 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-17 22:50:22 4,746 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2095728884-3493582990-151779916-1000_UserData.bin
+ 2008-04-18 04:14:40 4,746 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2095728884-3493582990-151779916-1000_UserData.bin
- 2008-04-17 22:50:22 58,776 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-18 04:14:40 60,398 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-17 22:50:21 24,156 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-18 04:14:33 24,476 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 09:33 1196032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 09:34 125440]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 13:46 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 09:32 1004136]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-29 18:11 4317184 C:\Windows\RtHDVCpl.exe]
"JMB36X Configure"="C:\Windows\system32\JMRaidTool.exe" [2006-07-12 06:47 352256]
"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2008-03-29 23:16 36864]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]

C:\Users\Fabrício\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2008-04-17 20:23:48 1172992]
start WampServer.lnk - C:\work\bin\wamp\wampmanager.exe [2008-03-31 20:46:02 1152512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-17 13:51 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B35FA173-F01B-4590-B6B0-13CE8DA0596C}"= UDP:3703:Adobe Version Cue CS3 Server
"{075625E2-7942-453A-8639-C20C86FC2654}"= UDP:3704:Adobe Version Cue CS3 Server
"{138B0D21-1F63-4963-99EB-D5B49A0D83AA}"= UDP:50900:Adobe Version Cue CS3 Server
"{4404DDFE-A0C0-49E1-BD65-53D39A361D01}"= UDP:50901:Adobe Version Cue CS3 Server
"{61BF20F3-D2FA-4EC4-8D9B-32F60E7D2E02}"= UDP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{23A09131-CD82-4BE9-B806-746C1556D968}"= TCP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{B56A19C7-3ABB-4286-9611-5E5A3FAAE725}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{9C147AED-4F1D-4B89-A508-E08A707F9FF0}C:\\work\\bin\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"= UDP:C:\work\bin\wamp\bin\apache\apache2.2.8\bin\httpd.exe:Apache HTTP Server
"UDP Query User{3A18F62A-8347-4D42-B358-BE34E234F89E}C:\\work\\bin\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"= TCP:C:\work\bin\wamp\bin\apache\apache2.2.8\bin\httpd.exe:Apache HTTP Server
"{60CF90F0-A6CF-4FCD-A80C-DAF992CE246A}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{199C15B9-A0D2-46B7-BF90-FEDA8B042240}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"TCP Query User{19AFD8F0-362E-429B-AD78-3AEAE0024093}C:\\program files\\ea games\\medal of honor pacific assault(tm)\\mohpa.exe"= UDP:C:\program files\ea games\medal of honor pacific assault(tm)\mohpa.exe:Medal of Honor Pacific Assault(tm)
"UDP Query User{78E724E5-89BE-4CFE-B817-F65EAA4D8607}C:\\program files\\ea games\\medal of honor pacific assault(tm)\\mohpa.exe"= TCP:C:\program files\ea games\medal of honor pacific assault(tm)\mohpa.exe:Medal of Honor Pacific Assault(tm)
"TCP Query User{3CCCD165-2841-4B93-941A-9025CBF77A7C}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{B7131859-788F-4932-906C-CA6B069DAC8A}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{A4113DD0-D6BF-44A4-806C-DFF762690B17}C:\\program files\\ultravnc\\winvnc.exe"= UDP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32
"UDP Query User{280E84A0-ECCE-4F45-A4CE-10D85B9B5B11}C:\\program files\\ultravnc\\winvnc.exe"= TCP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 VBoxDrv;VirtualBox Service;C:\Windows\system32\DRIVERS\VBoxDrv.sys [2008-02-20 20:17]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;C:\Windows\system32\DRIVERS\VBoxUSBMon.sys [2008-02-20 20:17]
R2 vnccom;vnccom;C:\Windows\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-26 02:53]
R3 wampapache;wampapache;"c:\work\bin\wamp\bin\apache\apache2.2.8\bin\httpd.exe" -k runservice []
R3 wampmysqld;wampmysqld;c:\work\bin\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe wampmysqld []
R3 ys893vxm;S893v USB Data Modem Driver;C:\Windows\system32\DRIVERS\ys893vxm.sys [2006-09-25 11:24]
R3 ys893vxs;S893v GUI Port;C:\Windows\system32\DRIVERS\ys893vxs.sys [2006-09-25 11:24]
S0 OemBiosDevice;Royalty OEM Bios Extension;C:\Windows\system32\drivers\royal.sys [2008-03-29 13:43]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-26 02:53]
S3 VBoxUSB;VirtualBox USB;C:\Windows\system32\Drivers\VBoxUSB.sys [2008-02-20 20:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5fda751-fe10-11dc-8755-001a92317f7c}]
\shell\AutoRun\command - G:\Launcher\LAUNCHER.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 01:16:47
Windows 6.0.6000 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2008-04-18 1:18:07
ComboFix-quarantined-files.txt 2008-04-18 04:17:18
ComboFix2.txt 2008-04-18 04:05:18

Pre-Run: 70,649,942,016 bytes disponíveis
Post-Run: 70,608,224,256 bytes disponíveis

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:19:46, on 18/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\No-IP\DUC20.exe
C:\work\bin\wamp\wampmanager.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\infra\HiJackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\Windows\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: start WampServer.lnk = C:\work\bin\wamp\wampmanager.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: wampapache - Apache Software Foundation - c:\work\bin\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\work\bin\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe

--
End of file - 6110 bytes

Thank you very much. Cheers.
Silas Martins, Posted April 18, 2008

Follow the instructions below:

Download BankerFix. Warning: BankerFix will close Internet Explorer.
Run bankerfix.exe. Click OK when the message boxes appear. If you have already run BankerFix, it will ask to check for an update. Answer Yes and then click OK.
A black screen will appear while it is running, asking you to confirm by pressing Enter. Wait for the process to finish. When it finishes, read the message on the screen and press Enter again.
When the process is complete, post the file relatorio.txt located at: C:\LinhaDefensiva\relatorio.txt
Post a new HijackThis log along with it.
If you wish, after running it and posting the report you can delete it: go to C:\LinhaDefensiva and delete it.

Awaiting your reply.
Fabrici0, Posted April 18, 2008

I'm not at home right now, but I had already done the procedure: BankerFix, ComboFix and HijackThis. BankerFix says it found no threats. The HijackThis result is the same as above.

BankerFix 2.5b - Removedor de Bankers
Linha Defensiva - http://www.linhadefensiva.org
http://www.linhadefensiva.org/bankerfix/
Data: 18/4/2008 - 01:15
-------------------------------------------------------
Lista de Definição: 2008-02-22-1
=======================================================
Killando arquivos em Help
-----------------------------------
Killing '*'
Removendo Arquivos em Help
-----------------------------------
----- Fim -------------------------
Mário Monteiro, Posted June 13, 2008

Topic Archived

Since the author has not replied for more than 20 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area with the link to this topic and explain the reason for reopening it.