hugomuller

System error code: 1400 - virus GbiehBSB1


A few days ago my PC started showing this problem when I click on some options in IE, and on top of that it started sending emails to all the friends in my contact list. I'm already aware of some of the procedures to follow, such as the ComboFix and HijackThis logs. I'd like you to help me, because I'm already getting, let's say, a bit p*** off with this virus heheheh

Logfile of HijackThis v1.99.1

Scan saved at 11:12:03, on 6/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\NavNT\defwatch.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\NavNT\rtvscan.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\NavNT\vptray.exe

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\ARQUIV~1\GBPLUG~1\gbppsv.exe

C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe

C:\Documents and Settings\EU.INFO\Desktop\HijackThis_v1.99.1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: Banco do Brasil S.A. - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll

O4 - HKLM\..\Run: [vptray] C:\Arquivos de programas\NavNT\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [K-Lite Nitro] C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {0CFCBB91-6678-475E-BFC9-21FB44DB79DA} (TAxFormMP8 Class) - http://microsiga.pronep.com.br:9080/ap8/mpremoteax.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197920262678

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbiehCef - C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O20 - Winlogon Notify: GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: __GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O23 - Service: DefWatch - Symantec Corporation - C:\Arquivos de programas\NavNT\defwatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Arquivos de programas\NavNT\rtvscan.exe

O23 - Service: OracleOraHome92TNSListener - Unknown owner - F:\oracle\ora92\BIN\TNSLSNR.exe (file missing)

O23 - Service: OracleServiceOEMREP - Unknown owner - f:\oracle\ora92\bin\ORACLE.EXE (file missing)

O23 - Service: OracleServiceORCL - Unknown owner - f:\oracle\ora92\bin\ORACLE.EXE (file missing)

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

-------------------------------------------------------------------------

ComboFix 08-04-04.1 - EU 2008-04-06 12:08:40.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.222 [GMT -3:00]

Executando de: C:\Documents and Settings\EU.INFO\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

The following files were disabled during the run:

C:\ARQUIV~1\GBPLUG~1\gbpdist.dll

((((((((((((((((((((((( Ficheiros criados de 2008-03-06 to 2008-04-06 ))))))))))))))))))))))))))))))))

.

2008-04-05 17:30 . 2008-04-06 11:31 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS

2008-04-04 21:03 . 2008-04-06 11:40 <DIR> d-------- C:\Arquivos de programas\GbPluggin

2008-04-03 20:58 . 2007-12-16 10:16 <DIR> d--h----- C:\Documents and Settings\Administrador.INFO\Modelos

2008-04-03 20:58 . 2007-12-16 07:59 <DIR> d-------- C:\Documents and Settings\Administrador.INFO\Meus documentos

2008-04-03 20:58 . 2007-12-16 07:59 <DIR> dr------- C:\Documents and Settings\Administrador.INFO\Menu Iniciar

2008-04-03 20:58 . 2007-12-16 07:59 <DIR> d-------- C:\Documents and Settings\Administrador.INFO\Favoritos

2008-04-03 20:58 . 2007-12-16 07:59 <DIR> dr-h----- C:\Documents and Settings\Administrador.INFO\Dados de aplicativos

2008-04-03 20:58 . 2008-04-06 12:04 <DIR> d--h----- C:\Documents and Settings\Administrador.INFO\Configurações locais

2008-04-03 20:58 . 2007-12-16 07:59 <DIR> d--h----- C:\Documents and Settings\Administrador.INFO\Ambiente de rede

2008-04-03 20:58 . 2007-12-16 07:59 <DIR> d--h----- C:\Documents and Settings\Administrador.INFO\Ambiente de impressão

2008-03-20 07:52 . 2008-04-06 11:11 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\TEMP

2008-03-20 07:52 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-03-20 07:52 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-03-20 07:52 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-03-20 07:52 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-03-20 07:51 . 2008-03-20 07:51 <DIR> d-------- C:\Documents and Settings\EU.INFO\Dados de aplicativos\PC Tools

2008-03-20 07:51 . 2008-04-06 09:51 <DIR> d-------- C:\Arquivos de programas\Spyware Doctor

2008-03-20 07:50 . 2008-03-20 07:50 <DIR> d-------- C:\Arquivos de programas\CCleaner

2008-03-19 07:53 . 2008-03-19 07:53 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\McAfee

2008-03-19 07:13 . 2008-04-04 07:20 <DIR> d-------- C:\Documents and Settings\EU.INFO\Dados de aplicativos\U3

2008-03-18 08:37 . 2008-03-18 08:37 <DIR> d-------- C:\Arquivos de programas\Ahead

2008-03-18 08:37 . 2001-07-06 14:41 569,344 --------- C:\WINDOWS\system32\imagr5.dll

2008-03-18 08:37 . 2001-07-06 12:44 544,768 --------- C:\WINDOWS\system32\imagx5.dll

2008-03-18 08:37 . 2001-07-06 18:24 283,920 --------- C:\WINDOWS\system32\ImagXpr5.dll

2008-03-18 08:37 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe

2008-03-18 08:37 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

2008-03-18 08:37 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll

2008-03-16 14:09 . 2008-03-16 14:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-03-16 14:09 . 2008-03-16 14:09 1,409 --a------ C:\WINDOWS\QTFont.for

2008-03-12 20:03 . 2008-03-11 15:46 82,432 --a------ C:\WINDOWS\system\despacho-054.exe

2008-03-12 20:02 . 2008-04-06 10:36 2,592 --a------ C:\WINDOWS\svchost

2008-03-12 19:00 . 2008-03-12 19:00 268 --ah----- C:\sqmdata18.sqm

2008-03-12 19:00 . 2008-03-12 19:00 244 --ah----- C:\sqmnoopt18.sqm

2008-03-12 18:47 . 2008-03-12 18:47 268 --ah----- C:\sqmdata17.sqm

2008-03-12 18:47 . 2008-03-12 18:47 244 --ah----- C:\sqmnoopt17.sqm

2008-03-12 01:18 . 2008-03-12 01:18 268 --ah----- C:\sqmdata16.sqm

2008-03-12 01:18 . 2008-03-12 01:18 244 --ah----- C:\sqmnoopt16.sqm

2008-03-12 00:47 . 2008-03-12 00:47 <DIR> d-------- C:\Documents and Settings\EU.INFO\.receitanet

2008-03-12 00:47 . 2008-04-03 21:19 0 --a------ C:\WINDOWS\vpd.properties

2008-03-09 19:12 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll

2008-03-09 19:12 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll

2008-03-09 19:12 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll

2008-03-09 19:12 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll

2008-03-09 19:12 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll

2008-03-09 19:12 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll

2008-03-09 19:12 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll

2008-03-09 19:12 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-05 00:14 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Dados de aplicativos\GbPlugin

2008-04-05 00:14 --------- d-----w C:\Arquivos de programas\GbPlugin

2008-04-03 22:56 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-03-20 01:00 --------- d-----w C:\Arquivos de programas\eMule

2008-03-18 11:42 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Ahead

2008-03-12 03:46 --------- d-----w C:\Arquivos de programas\Programas RFB

2008-02-27 01:09 --------- d-----w C:\Arquivos de programas\Avi

2008-02-22 21:57 --------- d-----w C:\Arquivos de programas\Google

2004-10-01 17:00 40,960 ----a-w C:\Arquivos de programas\Uninstall_CDS.exe

2000-08-08 16:44 340 ----a-w C:\Arquivos de programas\setup.bat

2000-08-08 16:18 34 ----a-w C:\Arquivos de programas\fonts.bat

2000-08-08 16:17 0 ----a-w C:\Arquivos de programas\STPENUX.DLL

2000-06-13 02:09 339,968 ------w C:\Arquivos de programas\language_x1.dll

2000-06-13 01:59 53,299 ------w C:\Arquivos de programas\ebueulax.dll

2000-03-31 23:47 301,568 ----a-w C:\Arquivos de programas\myth.acm

1999-11-17 14:00 32,768 ----a-w C:\Arquivos de programas\SETUPENU.DLL

1999-09-22 04:32 53,304 ------w C:\Arquivos de programas\EBUEula.dll

1999-09-22 04:32 499,712 ------w C:\Arquivos de programas\language.dll

1999-09-22 04:32 365,568 ------w C:\Arquivos de programas\HA312W32.DLL

1999-09-22 04:32 158,902 ------w C:\Arquivos de programas\scenariobkg.bmp

1999-09-22 04:32 112,688 ------w C:\Arquivos de programas\SHW32.DLL

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"K-Lite Nitro"="C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe" [ ]

"MsnMsgr"="C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]

"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 14:25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="C:\Arquivos de programas\NavNT\vptray.exe" [2001-10-22 09:39 73728]

"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2007-12-17 17:17 180269]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-12-11 09:56 286720]

"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"gbieh.1"= rundll32 "C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll" SpecialFunction

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= C:\Arquivos de programas\GbPlugin\gbiehuni.dll [ ]

"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\ARQUIV~1\GbPlugin\gbiehabn.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbiehCef]

C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll 2008-04-04 21:03 739840 C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]

C:\ARQUIV~1\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginUni]

C:\Arquivos de programas\GbPlugin\gbiehuni.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginAbn]

C:\ARQUIV~1\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

---hs---- 2004-10-13 13:24 1694208 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-10-18 10:34 5724184 C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\AoE\\empires2.exe"=

"C:\\Arquivos de programas\\AoE\\age2_x1.exe"=

"C:\\Documents and Settings\\EU.INFO\\Meus documentos\\Meus arquivos recebidos\\MIRC\\MIRC\\mIRC 6.3 + Keygen\\mIRC - English.exe"=

"C:\\Arquivos de programas\\eMule\\eMule.exe"=

"F:\\AP8\\bin\\server\\mp8srvwin.exe"=

"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"C:\\Arquivos de programas\\Internet Explorer\\IEXPLORE.EXE"=

"C:\\Arquivos de programas\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

S2 OracleServiceOEMREP;OracleServiceOEMREP;f:\oracle\ora92\bin\ORACLE.EXE OEMREP []

S2 OracleServiceORCL;OracleServiceORCL;f:\oracle\ora92\bin\ORACLE.EXE ORCL []

S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-09-05 20:08]

S4 top4;TOPConnect 4.0 Server;"F:\TOPConnect 4.0\topconnect.exe" [2007-08-03 15:54]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{990B770D-62AE-5421-DA6D-16033B76258C}]

%SystemRoot%\system32\ssmicrco.scr

.

Conteúdo da pasta 'Tarefas Agendadas'

"2008-04-06 01:17:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

??

???\- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-06 12:17:03

Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso

Ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraHome92TNSListener]

"ImagePath"="F:\oracle\ora92\BIN\TNSLSNR "

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll

-> C:\ARQUIV~1\GBPLUG~1\gbpdist.dll

-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\lsass.exe

-> C:\ARQUIV~1\GBPLUG~1\gbpdist.dll

PROCESS: C:\WINDOWS\explorer.exe

-> C:\ARQUIV~1\GBPLUG~1\gbpdist.dll

PROCESS: C:\WINDOWS\system32\csrss.exe

-> C:\ARQUIV~1\GBPLUG~1\gbpdist.dll

.

Tempo para conclusão: 2008-04-06 12:20:35

ComboFix-quarantined-files.txt 2008-04-06 15:20:20

ComboFix2.txt 2008-04-06 15:04:36

ComboFix3.txt 2008-04-06 14:36:52

ComboFix4.txt 2008-04-05 22:10:41

ComboFix5.txt 2008-04-05 20:35:44

Pre-Run: 5,443,301,376 bytes disponíveis

Post-Run: 5,436,739,584 bytes disponíveis

.

2008-03-20 11:23:17 --- E O F ---

Thanks in advance for your help!

Cheers, and have a good afternoon


- Select the text below and copy it into Notepad. Save it as CFScript.txt;

Folder::
C:\Arquivos de programas\GbPluggin
File::
C:\WINDOWS\system\despacho-054.exe
C:\WINDOWS\svchost
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbiehCef]

- Drag CFScript.txt onto ComboFix as shown in the image below:

[image: CF_Script.gif]

ComboFix will run and will automatically restart the PC to complete the removal process.

Do not use the mouse or the keyboard while ComboFix is running.

When it finishes, a log will be generated at C:\ComboFix.txt.

Note: if ComboFix does not restart your computer automatically, do it manually.

In your next reply, paste ComboFix.txt and a new HijackThis log.

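Added example, not code from the thread, from ComboFix or from HijackThis: a small Python triage pass over a handful of the log lines posted above. It flags the same four indicators the helper's CFScript targets (a look-alike "GbPluggin" folder, a core binary name outside system32 or without .exe, a fresh .exe in the legacy WINDOWS\system folder, and a third-party Winlogon Notify DLL that is actually present) and drafts the Folder::/File::/Registry:: sections in the CFScript form shown in the reply. The heuristics, the KNOWN_DIRS and SYSTEM_BINARIES lists and the sample lines are assumptions of this example; the output is a draft for a human to confirm, not a verdict.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis and
# ComboFix logs posted in the thread (not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: Banco do Brasil S.A. - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll
O4 - HKLM\..\Run: [vptray] C:\Arquivos de programas\NavNT\vptray.exe
O20 - Winlogon Notify: GbiehCef - C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
2008-04-04 21:03 . 2008-04-06 11:40 <DIR> d-------- C:\Arquivos de programas\GbPluggin
2008-04-05 17:30 . 2008-04-06 11:31 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-03-12 20:03 . 2008-03-11 15:46 82,432 --a------ C:\WINDOWS\system\despacho-054.exe
2008-03-12 20:02 . 2008-04-06 10:36 2,592 --a------ C:\WINDOWS\svchost
"""

# Assumption: the only product folder modelled is the banking plugin's
# legitimate "GbPlugin" directory; a new folder one edit away from it is suspect.
KNOWN_DIRS = {"gbplugin"}
# Core Windows binaries that belong only in %SystemRoot%\system32, as .exe files.
SYSTEM_BINARIES = {"svchost", "csrss", "winlogon", "lsass", "services", "smss"}
WINLOGON_NOTIFY = ("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                   "\\currentversion\\winlogon\\notify\\")
# HijackThis O20 line: "O20 - Winlogon Notify: <name> - <dll path>[ (file missing)]"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# ComboFix created-files line: "<created> . <modified> <size or <DIR>> <attrs> <path>"
CF_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
                   r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>[A-Za-z]:\\.+)$")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike folder names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(log_text):
    """Return (section, target, reason) triples; section names the CFScript section."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O20_RE.match(line)
        if m:
            # winlogon.exe loads Notify DLLs as SYSTEM, so a present third-party DLL
            # outside system32 gets a look; orphaned "(file missing)" entries are inert.
            if "\\system32\\" not in m.group("path").lower() and not m.group("missing"):
                findings.append(("registry", WINLOGON_NOTIFY + m.group("name"),
                                 "third-party Winlogon Notify DLL: " + m.group("path")))
            continue
        m = CF_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        parent, _, leaf = path.rpartition("\\")
        stem, _, ext = leaf.partition(".")
        if m.group("size") == "<DIR>":
            near = [k for k in KNOWN_DIRS
                    if leaf.lower() != k and edit_distance(leaf.lower(), k) == 1]
            if near:
                findings.append(("folder", path, "look-alike of product folder " + near[0]))
            continue
        if stem.lower() in SYSTEM_BINARIES and (not ext or "\\system32" not in parent.lower()):
            findings.append(("file", path, "core binary name outside system32 or without .exe"))
        elif parent.lower().endswith("\\windows\\system") and ext.lower() == "exe":
            findings.append(("file", path, "new executable in the legacy WINDOWS\\system folder"))
    return findings

SECTIONS = (("folder", "Folder::"), ("file", "File::"), ("registry", "Registry::"))

def draft_cfscript(findings):
    """Lay findings out in the CFScript form used above; [-key] asks ComboFix to delete a key."""
    out = []
    for section, header in SECTIONS:
        targets = [t for s, t, _ in findings if s == section]
        if targets:
            out.append(header)
            out.extend("[-" + t + "]" if section == "registry" else t for t in targets)
    return "\n".join(out) + "\n"
```

Running `draft_cfscript(triage(SAMPLE_LOG))` on the sample reproduces the four targets of the helper's script, in the same three sections.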

Dear Josemelo,

Thank you for replying to my topic. I did everything you said, but now when I start Windows two errors appear:

rundll.exe

O aplicativo ou a DLL c:\arquiv~1\gbplug~1\gbiehcef.dll não é um aplicativo para o windows.Compare o disco de instalação.

rundll

erro ao carregar

c:arquiv~1\gbplug~1\cbiehcef.dll

%1 não é um aplicativo win32 valido

Note: a file called catchme.rar was also generated.

Now here are the logs... though ComboFix didn't show much.

ComboFix 08-04-04.1 - EU 2008-04-07 17:24:22.8 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.341 [GMT -3:00]

Executando de: C:\Documents and Settings\EU.INFO\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\EU.INFO\Desktop\CFScript.txt

* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

C:\WINDOWS\svchost

C:\WINDOWS\system\despacho-054.exe

.

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 17:33, on 2008-04-07

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe

C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Arquivos de programas\NavNT\vptray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\EU.INFO\Desktop\HijackThis_v1.99.1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Banco do Brasil S.A. - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll (file missing)

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll (file missing)

O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\Arquivos de programas\NavNT\vptray.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [K-Lite Nitro] C:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {0CFCBB91-6678-475E-BFC9-21FB44DB79DA} (TAxFormMP8 Class) - http://microsiga.pronep.com.br:9080/ap8/mpremoteax.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/você/bin/AvSniff.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197920262678

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O20 - Winlogon Notify: GbiehCef - C:\ARQUIV~1\GBPLUG~1\gbiehcef.dll (file missing)

O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O20 - Winlogon Notify: GbPluginUni - C:\Arquivos de programas\GbPlugin\gbiehuni.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: __GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll (file missing)

O23 - Service: OracleOraHome92TNSListener - Unknown owner - F:\oracle\ora92\BIN\TNSLSNR.exe (file missing)

O23 - Service: OracleServiceOEMREP - Unknown owner - f:\oracle\ora92\bin\ORACLE.EXE (file missing)

O23 - Service: OracleServiceORCL - Unknown owner - f:\oracle\ora92\bin\ORACLE.EXE (file missing)

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

I await your reply!

Cheers, and have a good afternoon
