[Resolvido] &nbspNovo Log para analise

Edvan · Junho 5, 2012

Pessoal esse log é de outra maquina, sei que já tenho outro tópico aberto, mais como nao posso postar outros logs no mesmo tópico, então estou criando mais um aqui.

BankerFix 3.1 VALKYRIE - Removedor de Bankers

Linha Defensiva | http://www.linhadefensiva.org

http://www.linhadefensiva.org/bankerfix/

-------------------------------------------------------

Data: 2012-06-04 - 11:05

-------------------------------------------------------

Lista de Definição: 2012-03-19-1 | CORE: 2012-01-27-1

=======================================================

Arquivo infectado detectado: C:\WINDOWS\inf\asynceql.inf

Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\Media\mssmtp.wav

Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\system\mkp.dll

Arquivo infectado removido com sucesso!

Arquivo infectado detectado: C:\WINDOWS\system32\drwtsn32.dll

Arquivo infectado removido com sucesso!

----- Fim -------------------------

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Versão da Base de Dados: v2012.06.04.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

f003204 :: FUN0044 [limitado]

04/06/2012 14:28:26

mbam-log-2012-06-04 (14-28-26).txt

Tipo de Verificação: Verificação Completa

Opções de verificação desativadas: P2P

Objetos escaneados: 351640

Tempo decorrido: 3 hora(s), 15 minuto(s), 46 segundo(s)

Processos de Memória Detectados: 0

(Não foram detectados ítens maliciosos)

Módulos de Memória Detectados: 0

(Não foram detectados ítens maliciosos)

Chaves de Registro Detectadas: 17

HKLM\SOFTWARE\Microsoft\DRM\amty (Worm.Autorun) -> Enviado para a Quarentena e deletado com sucesso.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__GbPluginBb (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCR\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540000} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCR\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540000} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCR\Interface\{5C350402-AD9A-41E7-A303-C49F6C520000} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCR\Gbieh.GbIehObj.1 (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCR\Gbieh.GbIehObj (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C41A1C0E-EA6C-11D4-B1B8-444553540000} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C41A1C0E-EA6C-11D4-B1B8-444553540000} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginBb (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCR\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399F83} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCR\Gbieh.GbPluginObj.1 (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCR\Gbieh.GbPluginObj (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{E37CB5F0-51F5-4395-A808-5FA49E399F83} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E37CB5F0-51F5-4395-A808-5FA49E399F83} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E37CB5F0-51F5-4395-A808-5FA49E399F83} (Trojan.Vundo) -> Enviado para a Quarentena e deletado com sucesso.

Valores de Registro Detectadas: 2

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{E37CB5F0-51F5-4395-A808-5FA49E399F83} (Trojan.Vundo) -> Data: GbPlugin ShlObj -> Enviado para a Quarentena e deletado com sucesso.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{E37CB5F0-51F5-4395-A808-5FA49E399F83} (Trojan.Vundo) -> Data: GbPlugin ShlObj -> Enviado para a Quarentena e deletado com sucesso.

Itens de Dados no Registro Detectadas: 0

(Não foram detectados ítens maliciosos)

Pastas Detectadas: 1

C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013 (Backdoor.IRCBot) -> Enviado para a Quarentena e deletado com sucesso.

Arquivos Detectados: 2

C:\Arquivos de programas\GbPlugin\gbieh.dll (Trojan.Vundo) -> Será deletado na próxima inicialização.

C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Backdoor.IRCBot) -> Enviado para a Quarentena e deletado com sucesso.

(fim)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 08:54:21, on 05/06/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Canon\DIAS\CnxDIAS.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

c:\windows\system32\SpyPrinter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.funpec.br/ponto_online/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Arquivos de programas\Alwil Software\Avast5\aswWebRepIE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Arquivos de programas\Alwil Software\Avast5\aswWebRepIE.dll

O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O15 - Trusted Zone: www.bancobrasil.com.br

O15 - Trusted Zone: www14.bancobrasil.com.br

O15 - Trusted Zone: www2.bancobrasil.com.br

O15 - Trusted Zone: www.bb.com.br

O15 - Trusted Zone: www.bancobrasil.com.br

O15 - Trusted Zone: www.bb.com.br

O15 - Trusted Zone: www14.bancobrasil.com.br

O15 - Trusted Zone: www2.bancobrasil.com.br

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = funpec.br

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = funpec.br

O17 - HKLM\System\CS2\Services\Tcpip\..\{476E693C-7351-4FB7-A72B-D3F4BA50A9FF}: NameServer = 10.4.65.16

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = funpec.br

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = funpec.br

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Arquivos de programas\Canon\DIAS\CnxDIAS.exe

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Serviço do Google Update (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Arquivos de programas\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SpyPrinterD - Unknown owner - c:\windows\system32\SpyPrinter.exe

--

End of file - 5981 bytes

DigRam · Junho 5, 2012

Bom Dia! Edvan

|- Baixe: < > ( ... by sUBs )

|- Salve-o no desktop! ( Área de trabalho! )

|- Ps: Desabilite seu antivírus,antispywares e/ou firewall. ( Menos o do Windows! )

|- Feche algum programa/arquivo que esteja aberto.

|- Feche,também,seu navegador! ( IE,Firefox,Opera ou Google Chrome )

|- Ps: Esteja conectado(a) à Internet. <- Importante!

|- Execute ComboFix.exe,com um duplo clique.

|- Para Windows Vista e/ou 7,dê clique direito em ComboFix.exe e execute-o como administrador.

|- Ps: Instale o "Console de Recuperação",caso seja solicitado!

|- Ps: Ficará,portanto,à seu critério optar por sua instalação.

|- Surgindo alguma mensagem de erro,execute ComboFix.exe em Modo de Segurança com rede.

|- Ps: Para completar as remoções,talvez haja necessidade da ferramenta reiniciar o computador.

|- Abrir-se-á a janela Auto Scan.

|- Aguarde a finalização de todas as Etapas.

|- Durante o scan,evite utilizar o mouse ou teclado!

|- Concluindo,poste: C:\ComboFix.txt

|- "ComboFix é uma ferramenta que pode danificar o sistema. Utilize-o,somente,sob supervisão de analistas de segurança."

|- Poste,também,HijackThis atualizado!

Abraços!

Edvan · Junho 5, 2012

ComboFix 12-06-05.03 - f003204 05/06/2012 14:28:15.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.991.515 [GMT -3:00]

Executando de: c:\documents and settings\f003204\Desktop\60329_combofix_123123.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}

AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00C8-0D24-347CA8A3377C}

.

ADS - system32: deleted 2 bytes in 1 streams.

ADS - drivers: deleted 216 bytes in 2 streams.

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrador.PROMOCAO\WINDOWS

c:\documents and settings\f003204\WINDOWS

c:\documents and settings\Niomar.PROMOCAO\WINDOWS

C:\restore

c:\windows\IsUn0416.exe

c:\windows\Media\_tmp

c:\windows\system\chron32.dll

c:\windows\system32\SET3F8.tmp

c:\windows\system32\SET3F9.tmp

c:\windows\system32\SET3FA.tmp

c:\windows\system32\SET3FB.tmp

c:\windows\system32\SET400.tmp

c:\windows\system32\SETB1.tmp

c:\windows\system32\SETBD.tmp

.

(((((((((((((((( Arquivos/Ficheiros criados de 2012-05-05 to 2012-06-05 ))))))))))))))))))))))))))))

.

2012-06-05 11:53 . 2012-06-05 11:53 388608 ----a-w- C:\HiJackThis.exe

2012-06-04 20:44 . 2012-06-04 20:44 54016 ----a-w- c:\windows\system32\drivers\fmhuptxw.sys

2012-05-24 16:55 . 2012-05-24 16:55 -------- d-----w- c:\arquivos de programas\Mozilla Maintenance Service

2012-05-24 16:55 . 2012-05-24 16:55 157352 ----a-w- c:\arquivos de programas\Mozilla Firefox\maintenanceservice_installer.exe

2012-05-24 16:55 . 2012-05-24 16:55 129976 ----a-w- c:\arquivos de programas\Mozilla Firefox\maintenanceservice.exe

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-04 17:07 . 2012-04-18 19:57 28880 ----a-w- c:\windows\system32\drivers\GbpNdisrd.sys

2012-04-18 20:25 . 2012-04-18 20:26 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-18 20:25 . 2010-10-22 17:00 472808 -c--a-w- c:\windows\system32\deployJava1.dll

2012-04-05 12:34 . 2009-10-27 20:08 46408 ----a-w- c:\windows\system32\drivers\gbpkm.sys

2012-05-24 16:55 . 2011-10-21 17:39 97208 ----a-w- c:\arquivos de programas\mozilla firefox\components\browsercomps.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por padrão não são apresentadas.

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-03-07 00:15 123536 ----a-w- c:\arquivos de programas\Alwil Software\Avast5\ashShell.dll

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4waxx.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Iniciar^Programas^Inicializar^Acrobat Assistant.lnk]

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

path=c:\documents and settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar\Acrobat Assistant.lnk

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

path=c:\documents and settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Iniciar^Programas^Inicializar^hp psc 2000 Series.lnk]

backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Iniciar^Programas^Inicializar^Post-it® Software Notes Lite.lnk]

path=c:\documents and settings\All Users.WINDOWS\Menu Iniciar\Programas\Inicializar\Post-it® Software Notes Lite.lnk

backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Niomar.PROMOCAO^Menu Iniciar^Programas^Inicializar^Reboot.exe]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2007-05-11 06:06 40048 ----a-w- c:\arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-13 22:20 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-13 22:21 1695232 ------w- c:\arquivos de programas\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]

2003-12-05 06:36 249856 -c--a-w- c:\windows\system32\Keyhook.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]

2002-07-12 10:15 106496 -c--a-w- c:\windows\SiSUSBrg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2003-12-19 09:53 65024 -c--a-w- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-01-18 17:02 254696 ----a-w- c:\arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"GbpSv"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\Fortes Informática\\RemProtDeamon.exe"=

"c:\\WINDOWS\\system32\\DWRCS.EXE"=

"c:\\Arquivos de programas\\Canon\\DIAS\\CnxDIAS.exe"=

"c:\\Arquivos de programas\\NetMeeting\\conf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"14674:TCP"= 14674:TCP:NortonAV

"18245:TCP"= 18245:TCP:NortonAV

"17860:TCP"= 17860:TCP:NortonAV

"15603:TCP"= 15603:TCP:NortonAV

"18163:TCP"= 18163:TCP:NortonAV

"15280:TCP"= 15280:TCP:NortonAV

"15693:TCP"= 15693:TCP:NortonAV

"14644:TCP"= 14644:TCP:NortonAV

"17233:TCP"= 17233:TCP:NortonAV

"16774:TCP"= 16774:TCP:NortonAV

"14545:TCP"= 14545:TCP:NortonAV

"18857:TCP"= 18857:TCP:NortonAV

"18019:TCP"= 18019:TCP:NortonAV

"16171:TCP"= 16171:TCP:NortonAV

"16282:TCP"= 16282:TCP:NortonAV

"12432:TCP"= 12432:TCP:NortonAV

"14298:TCP"= 14298:TCP:NortonAV

.

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [27/10/2009 17:08 46408]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [20/06/2011 08:09 612184]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [26/01/2009 15:05 337880]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/01/2009 15:05 20696]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [27/10/2009 17:10 214088]

R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\GbpNdisrd.sys [18/04/2012 16:57 28880]

S0 ati4waxx;ati4waxx;c:\windows\system32\Drivers\ati4waxx.sys --> c:\windows\system32\Drivers\ati4waxx.sys [?]

S2 gupdate;Serviço do Google Update (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [26/03/2012 10:49 136176]

S2 SpyPrinterD;SpyPrinterD;c:\windows\system32\SpyPrinter.exe [21/05/2008 16:53 1406464]

S3 gupdatem;Serviço do Google Update (gupdatem);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [26/03/2012 10:49 136176]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\arquivos de programas\Mozilla Maintenance Service\maintenanceservice.exe [24/05/2012 13:55 129976]

S3 Ndisrd;GAS Tecnologia Service;c:\windows\system32\drivers\GbpNdisrd.sys [18/04/2012 16:57 28880]

S4 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\arquivos de programas\FireBird\FireBird_1_5\bin\fbguard.exe -s --> c:\arquivos de programas\FireBird\FireBird_1_5\bin\fbguard.exe -s [?]

S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\arquivos de programas\FireBird\FireBird_1_5\bin\fbserver.exe -s --> c:\arquivos de programas\FireBird\FireBird_1_5\bin\fbserver.exe -s [?]

.

Conteúdo da pasta 'Tarefas Agendadas'

.

2012-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-03-26 13:49]

.

2012-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2012-03-26 13:49]

.

2012-06-05 c:\windows\Tasks\User_Feed_Synchronization-{668266AB-0776-4FD7-9148-F25E864810DC}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 07:31]

.

2012-06-05 c:\windows\Tasks\User_Feed_Synchronization-{D95DE79C-3FA9-4A9D-AA9C-D039CBFC4D35}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 07:31]

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.funpec.br/ponto_online/

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: bancobrasil.com.br\www

Trusted Zone: bancobrasil.com.br\www14

Trusted Zone: bancobrasil.com.br\www2

Trusted Zone: bb.com.br\www

Trusted Zone: com.br\www.bancobrasil

Trusted Zone: com.br\www.bb

Trusted Zone: com.br\www14.bancobrasil

Trusted Zone: com.br\www2.bancobrasil

TCP: DhcpNameServer = 10.4.65.16

FF - ProfilePath - c:\documents and settings\f003204\Dados de aplicativos\Mozilla\Firefox\Profiles\yxt23its.default\

FF - prefs.js: browser.startup.homepage - hxxp://funpec.br/

.

- - - - ORFÃOS REMOVIDOS - - - -

.

MSConfigStartUp-Cmaudio - cmicnfg.cpl

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-06-05 14:36

Windows 5.1.2600 Service Pack 3 NTFS

.

Procurando processos ocultos ...

.

Procurando entradas auto inicializáveis ocultas ...

.

Procurando ficheiros/arquivos ocultos ...

.

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

.

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

.

[HKEY_USERS\S-1-5-21-2586132527-314635491-3328972525-21318\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*$*¨*%\OpenWithList]

@Class="Shell"

"a"="shimgvw.dll"

"MRUList"="ab"

"b"="mspaint.exe"

.

[HKEY_USERS\S-1-5-21-2586132527-314635491-3328972525-21318\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*$*¨*%\OpenWithProgids]

"$¨+_auto_file"=hex(0):

.

[HKEY_LOCAL_MACHINE\software\Adobe\CommonFiles\{AC76BA86-1033-0000-7760-000000000001}\ColorProfiles]

@DACL=(02 0000)

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\AdobeRGB1998.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\AppleRGB.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Settings\\Color Management Off.csf"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\ColorMatchRGB.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Settings\\Emulate Acrobat 4.csf"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Settings\\Emulate Photoshop 4.csf"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Settings\\Europe Prepress Defaults.csf"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\EuroscaleCoated.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\EuroscaleUncoated.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Settings\\Japan Color Prepress.csf"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\JapanColor2001Coated.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\JapanColor2001Uncoated.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\JapanWebCoated.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\BlackWhite.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\CIERGB.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\JapanStandard.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\NTSC1953.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\PAL_SECAM.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Photoshop4DefaultCMYK.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Photoshop5DefaultCMYK.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\SMPTE-C.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\WideGamutRGB.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Settings\\Photoshop 5 Default Spaces.csf"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\sRGB Color Space Profile.icm"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Settings\\US Prepress Defaults.csf"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\USSheetfedCoated.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\USSheetfedUncoated.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\USWebCoatedSWOP.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Profiles\\Recommended\\USWebUncoated.icc"=dword:00000001

"c:\\Arquivos de programas\\Arquivos comuns\\Adobe\\Color\\Settings\\Web Graphics Defaults.csf"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\000021599B0090400000000000F01FEC\SourceList\Media]

@DACL=(02 0000)

"DiskPrompt"="Microsoft Application Error Reporting"

"1"="OFFICE12;1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\68AB67CA7DA76401B7448A0100000030\SourceList\Media]

@DACL=(02 0000)

"DiskPrompt"="[1]"

"1"="READER8;[1]"

.

[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media]

@DACL=(02 0000)

"DiskPrompt"="[1]"

"1"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"2"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"3"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"4"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"5"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"6"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"7"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"8"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"9"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"10"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

"11"=";Microsoft Visual C++ 2005 Redistributable [Disk 1]"

.

[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\C1B24092317057547BACC5E8B780994D\SourceList\Media]

@DACL=(02 0000)

"MediaPackage"="\\"

"1"="WILTON - VB;"

.

[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\CFD2C1F142D260E3CB8B271543DA9F98\SourceList\Media]

@DACL=(02 0000)

"DiskPrompt"="[1]"

"1"=";1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Installer\Products\D6461317C3DC4F04799BDCE9E42626FE\SourceList\Media]

@DACL=(02 0000)

"DiskPrompt"="[1]"

"1"=";Microsoft .NET Framework 2.0 [Disk 1]"

"2"=";Microsoft .NET Framework 2.0 [Disk 1]"

"3"=";Microsoft .NET Framework 2.0 [Disk 1]"

"4"=";Microsoft .NET Framework 2.0 [Disk 1]"

"5"=";Microsoft .NET Framework 2.0 [Disk 1]"

"6"=";Microsoft .NET Framework 2.0 [Disk 1]"

"7"=";Microsoft .NET Framework 2.0 [Disk 1]"

"8"=";Microsoft .NET Framework 2.0 [Disk 1]"

"9"=";Microsoft .NET Framework 2.0 [Disk 1]"

"10"=";Microsoft .NET Framework 2.0 [Disk 1]"

"11"=";Microsoft .NET Framework 2.0 [Disk 1]"

"12"=";Microsoft .NET Framework 2.0 [Disk 1]"

"13"=";Microsoft .NET Framework 2.0 [Disk 1]"

.

Tempo para conclusão: 2012-06-05 14:38:30

ComboFix-quarantined-files.txt 2012-06-05 17:38

.

Pré-execução: 5.872.652.288 bytes disponíveis

Pós execução: 6.229.417.984 bytes disponíveis

.

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 109FCDB303BB445B4E9458B3D0CE68C8

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:42:53, on 05/06/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Canon\DIAS\CnxDIAS.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\svchost.exe

C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe