Archived

This topic has been archived and is closed to new replies.

jorgebaggio

[Resolved!] Malware

Recommended Posts

Hello, I have an infection problem: someone opened an email on my computer, a text message (torpedo) or a photo, I'm not sure which.

Since then I've had problems in IE with the error "system error. Code: 1400" and a screen with this virus: GbiehBSB1

 

I read the earlier topics and tried to remove it, but it's very hard...

Please, could you send me some tips? I have very important files on the computer.

Thanks a lot

 

Jorge Baggio

 

ComboFix 08-04-27.3 - jorge 2008-04-28 13:42:28.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.936 [GMT -7:00]

Running from: C:\Documents and Settings\jorge\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\jorge\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINDOWS\dxdiag.exe

C:\WINDOWS\gbiehbsb.dll

C:\WINDOWS\mssnmsgr.dll

C:\WINDOWS\svchost

C:\WINDOWS\svcpool.dll

.

The following files were disabled during the run:

C:\Program Files\GbPluggin\gbplib.dll

C:\Program Files\GbPluggin\gbppdist.dll

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\svchost

 

.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))

.

 

2008-04-28 12:17 . 2008-04-28 12:17 <DIR> d-------- C:\!KillBox

2008-04-28 11:03 . 2008-04-28 11:03 1,523 --a------ C:\WINDOWS\system32\MRT.INI

2008-04-28 11:00 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2008-04-28 10:52 . 2008-04-28 10:53 <DIR> d-------- C:\LinhaDefensiva

2008-04-28 10:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-04-28 10:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-04-28 10:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-04-28 10:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-04-28 09:56 . 2008-04-28 13:42 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS

2008-04-28 03:33 . 2008-04-28 04:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-04-28 03:33 . 2008-04-28 03:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-04-28 03:33 . 2008-04-28 03:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-04-28 03:33 . 2008-04-28 03:42 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-04-28 02:27 . 2008-04-28 02:27 <DIR> d-------- C:\Program Files\Lavasoft

2008-04-28 02:27 . 2008-04-28 02:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-28 02:26 . 2008-04-28 02:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-28 02:18 . 2008-04-28 12:09 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer

2008-04-28 02:18 . 2008-04-28 02:18 <DIR> d-------- C:\Documents and Settings\jorge\Application Data\Sammsoft

2008-04-27 19:56 . 2008-04-27 19:56 14,012 --ah----- C:\WINDOWS\system32\mlfcache.dat

2008-04-27 04:15 . 2008-04-28 13:46 <DIR> d-------- C:\Program Files\GbPluggin

2008-04-04 22:46 . 2008-04-28 04:43 <DIR> d-------- C:\Program Files\iTunes

2008-04-04 22:46 . 2008-04-04 22:46 <DIR> d-------- C:\Program Files\iPod

2008-03-29 16:08 . 2008-03-29 16:08 <DIR> d-------- C:\Program Files\Safari

2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-28 20:46 --------- d-----w C:\Documents and Settings\jorge\Application Data\Skype

2008-04-28 20:33 --------- d-----w C:\Program Files\Symantec AntiVirus

2008-04-28 11:45 --------- d-----w C:\Program Files\MSN Messenger

2008-04-28 11:42 --------- d-----w C:\Program Files\GbPlugin

2008-04-28 11:42 --------- d-----w C:\Program Files\DVD Region+CSS Free

2008-04-28 11:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-04-28 09:09 --------- d-----w C:\Program Files\Google

2008-04-28 02:55 --------- d-----w C:\Documents and Settings\jorge\Application Data\Apple Computer

2008-04-27 07:15 --------- d-----w C:\Program Files\Windows Live Safety Center

2008-04-26 05:26 --------- d-----w C:\Program Files\Apple Software Update

2008-04-05 05:44 --------- d-----w C:\Program Files\QuickTime

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-18 10:16 --------- d-----w C:\Program Files\Java

2008-03-12 20:00 --------- d-----w C:\Program Files\AviSynth 2.5

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-03 05:31 65,536 ----a-w C:\WINDOWS\DUMP5dfe.tmp

2008-01-29 19:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll

2005-04-01 06:17 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 17:25 94208]

"PowerBar"="" []

"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-03-13 09:46 3610192]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-10 16:09 23395880]

"AROReminder"="C:\Program Files\Advanced Registry Optimizer\aro.exe" [2008-04-09 14:22 2135168]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06 7311360]

"nwiz"="nwiz.exe" [2005-12-10 04:06 1519616 C:\WINDOWS\system32\nwiz.exe]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 16:52 48752]

"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 13:30 85184]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 04:06 86016]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 18:35 32768]

"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-06-10 07:20 1397760]

"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:54 3735552]

"RemoveWGA"="E:\RemoveWGA.exe" [ ]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 13:48 439872]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70001000000}\SC_Reader.exe [2006-01-17 16:52:50 25214]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-10 17:45:25 118784]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"gbieh.1"= rundll32 "C:\Program Files\GbPluggin\gbiehdst.dll" SpecialFunction

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 16:18 49152]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\PROGRA~1\GbPlugin\gbieh.dll [2007-12-03 16:30 347976]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbiehAbn]

C:\PROGRA~1\GBPLUG~1\gbiehdst.dll 2008-04-27 04:18 763392 C:\PROGRA~1\GBPLUG~1\gbiehdst.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\PROGRA~1\GbPlugin\gbieh.dll 2007-12-03 16:30 347976 C:\PROGRA~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.3iv2"= 3ivxVfWCodec.dll

"VIDC.HFYU"= huffyuv.dll

"VIDC.VP31"= vp31vfw.dll

"msacm.divxa32"= divxa32.acm

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"vidc.3ivx"= 3ivxVfWCodec.dll

"SENTINEL"= snti386.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Program Files\\eMule\\eMule.exe"=

"C:\\Program Files\\Soulseek\\slsk.exe"=

"C:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-04-15 05:00]

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 14:45]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-27 02:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-28 13:46:18

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PowerBar = ????<???D??sh??????w????h???Z??w(???*??wt?@?l?@???o????????????????????????????????????????????????w????g??w0??w????*??w???w????D??s???????????w????l?@????????w????t?@???o?????????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

 

scanning hidden files ...

 

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\PROGRA~1\GBPLUG~1\gbiehdst.dll

-> C:\Program Files\GbPluggin\gbplib.dll

-> C:\Program Files\GbPluggin\gbppdist.dll

 

PROCESS: C:\WINDOWS\system32\lsass.exe

-> C:\Program Files\GbPluggin\gbplib.dll

-> C:\Program Files\GbPluggin\gbppdist.dll

 

PROCESS: C:\WINDOWS\system32\csrss.exe

-> C:\Program Files\GbPluggin\gbplib.dll

-> C:\Program Files\GbPluggin\gbppdist.dll

.

Completion time: 2008-04-28 13:49:45

ComboFix-quarantined-files.txt 2008-04-28 20:48:39

ComboFix2.txt 2008-04-28 19:57:52

 

Pre-Run: 4,757,168,128 bytes free

Post-Run: 4,750,905,344 bytes free

 

172 --- E O F --- 2008-04-28 18:14:37

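The ComboFix log above shows DLLs from C:\Program Files\GbPluggin loaded into winlogon.exe, lsass.exe and csrss.exe next to the C:\Program Files\GbPlugin directory the helper's script leaves in place, and the Security Center notification switches set to 1. As an added example (not code from this thread, ComboFix, HijackThis or Linha Defensiva), a small Python triage script that applies those three checks to constructed log lines modelled on that output; the list of sensitive processes, the edit-distance threshold and the value names it looks for are the example's own choices.

```python
"""Triage checks over ComboFix-style log lines. Added example for this thread,
not ComboFix, HijackThis or Linha Defensiva code; SAMPLE_LOG is constructed
from the log format quoted above. Checks: DLLs loaded into winlogon/lsass/
csrss from outside %SystemRoot%, look-alike Program Files directory names,
and Security Center switches set to 1 that hide AV/update warnings."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the ComboFix output in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
2008-04-27 04:15 . 2008-04-28 13:46 <DIR> d-------- C:\Program Files\GbPluggin
2008-04-28 02:27 . 2008-04-28 02:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-28 11:42 --------- d-----w C:\Program Files\GbPlugin
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
-> C:\PROGRA~1\GBPLUG~1\gbiehdst.dll
-> C:\Program Files\GbPluggin\gbplib.dll
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\GbPluggin\gbppdist.dll
PROCESS: C:\WINDOWS\Explorer.EXE
-> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
"""

# Processes that should load only DLLs shipped under %SystemRoot% (own choice).
SENSITIVE_PROCESSES = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_ROOT = "c:\\windows\\"
_PROCESS_RE = re.compile(r"^PROCESS:\s+(?P<path>\S.*)$")
_DLL_RE = re.compile(r"^->\s+(?P<path>\S.*)$")
_DIR_RE = re.compile(r"C:\\Program Files\\(?P<name>[^\\]+?)\s*$", re.IGNORECASE)
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def foreign_dlls(log: str) -> Dict[str, List[str]]:
    """Sensitive process name -> DLLs it loaded from outside %SystemRoot%."""
    findings: Dict[str, List[str]] = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        m = _PROCESS_RE.match(line)
        if m:
            exe = m.group("path").rsplit("\\", 1)[-1].lower()
            current = exe if exe in SENSITIVE_PROCESSES else None
            continue
        m = _DLL_RE.match(line)
        if m and current and not m.group("path").lower().startswith(SYSTEM_ROOT):
            findings.setdefault(current, []).append(m.group("path"))
    return findings


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (inputs are short directory names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_dirs(log: str, max_distance: int = 1) -> List[Tuple[str, str]]:
    """Pairs of top-level Program Files directories within max_distance edits."""
    names = sorted({m.group("name") for m in map(_DIR_RE.search, log.splitlines()) if m})
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if edit_distance(a.lower(), b.lower()) <= max_distance:
                pairs.append((a, b))
    return pairs


def disabled_security_center(log: str) -> List[str]:
    """Security Center values set to 1 that silence warnings or AV monitoring."""
    hits, in_seccenter = [], False
    for line in log.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            in_seccenter = "\\security center" in m.group("key").lower()
            continue
        m = _DWORD_RE.match(line)
        if not (in_seccenter and m and int(m.group("hex"), 16) == 1):
            continue
        name = m.group("name")
        if name.endswith("DisableNotify") or name == "DisableMonitoring":
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(foreign_dlls(SAMPLE_LOG))
    print(lookalike_dirs(SAMPLE_LOG), disabled_security_center(SAMPLE_LOG))
```

Run it against a real ComboFix.txt by replacing SAMPLE_LOG with the file contents; the Explorer.EXE block in the sample shows that DLLs in ordinary processes are deliberately not reported.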

Good morning, jorgebaggio!

 

>@< Download HijackThis.

>@< Save it to Local Disk C and create a folder of its own for the program.

>@< For example: < C:\HijackThis.exe > or < C:\HijackThis\HijackThis.exe >

>@< But don't run it yet!

>@< So that the HijackThis log comes out complete, go to Start >> Run.

>@< Type: msconfig >> OK.

>@< On the Startup tab, check all the items and confirm!

>@< Restart the computer!

>@< Open HijackThis and click Do a system scan and save a logfile.

>@< A Notepad window will open!

>@< Select and copy its contents into this topic. Don't create another one!

 

Regards!


OK, mine is in English; "Inicializar" is "Startup", right?

Not boot.ini; on Startup all the items are checked..

I'll restart it that way.. ok?

Regards and thank you very much


Here is the logfile; the computer was restarted with all the Startup items selected.

I'll be waiting

thank you very much

email jorgebag@terra.com.br

 

 

Logfile of HijackThis v1.99.1

Scan saved at 14:08:57, on 29/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\GbPlugin\GbpSv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Pando Networks\Pando\Pando.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Safari\Safari.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\jorge\Desktop\Kijacksthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://waves.terra.com.br/novo/bodyboard/lista.asp?sessao=91

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\PROGRA~1\GbPlugin\gbieh.dll

O2 - BHO: Banco do Brasil S.A. - {FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB} - (no file)

O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [RemoveWGA] E:\RemoveWGA.exe -startup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local

O17 - HKLM\Software\..\Telephony: DomainName = local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = local

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbiehAbn - C:\PROGRA~1\GBPLUG~1\gbiehdst.dll

O20 - Winlogon Notify: GbPluginBb - C:\PROGRA~1\GbPlugin\gbieh.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cdamp0pwa - Symantec Corporation - (no file)

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Good afternoon, jorgebaggio!

 

<!> Delete:

 

C:\QooBox

C:\ComboFix.txt << Previous ComboFix log.

-------------------------

>@< Select and copy everything in the code box into Notepad.

>@< Save it on the Desktop with the name: CFScript.txt

 

File::
C:\Program Files\GbPluggin\gbplib.dll
C:\Program Files\GbPluggin\gbppdist.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FCAAAC14-BC46-40CA-9CB2-CBB12C6739EB}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"gbieh.1"=-

Folder::
C:\Program Files\GbPluggin
C:\!KillBox
C:\LinhaDefensiva

>@< Drag CFScript.txt with the mouse onto the ComboFix icon.

>@< See the demonstration!

 

[image: cpiadecfscriptxt7.gif]

 

>@< With this procedure ComboFix will run and restart the computer automatically!

>@< If it doesn't restart, do it manually!

>@< While it is running, do not use the keyboard or the mouse!

>@< When it finishes, post the C:\ComboFix.txt report + an updated HJT log.

 

Regards!


ComboFix 08-04-27.3 - jorge 2008-04-29 17:45:15.7 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.994 [GMT -7:00]

Running from: C:\Documents and Settings\jorge\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\jorge\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\Program Files\GbPluggin\gbplib.dll

C:\Program Files\GbPluggin\gbppdist.dll

.

The following files were disabled during the run:

C:\Program Files\GbPluggin\gbplib.dll

C:\Program Files\GbPluggin\gbppdist.dll

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\!KillBox

C:\!KillBox\gbiehdst.dll

C:\!KillBox\GbPluggin\gbiehdst.dll

C:\!KillBox\GbPluggin\gbiehdst.gmd

C:\!KillBox\GbPluggin\gbiehdt.gpc

C:\!KillBox\GbPluggin\gbplib.dll

C:\!KillBox\GbPluggin\gbppdist.dll

C:\!KillBox\GbPluggin\gbppsv.exe

C:\!KillBox\GbPluggin\svchost

C:\!KillBox\Logs\kb.log

C:\LinhaDefensiva

C:\LinhaDefensiva\backup.reg

C:\LinhaDefensiva\banker.bat

C:\LinhaDefensiva\bankerfix.vbs

C:\LinhaDefensiva\download.exe

C:\LinhaDefensiva\fx.reg

C:\LinhaDefensiva\Iniciar-BankerFix.vbs

C:\LinhaDefensiva\md5.exe

C:\LinhaDefensiva\pv.exe

C:\LinhaDefensiva\QUA\1\Tasks\startt.job

C:\LinhaDefensiva\QUA\1\WINDOWS\svchost

C:\LinhaDefensiva\ref-allu

C:\LinhaDefensiva\ref-commonfiles

C:\LinhaDefensiva\ref-hosts

C:\LinhaDefensiva\ref-md5

C:\LinhaDefensiva\ref-mydoc

C:\LinhaDefensiva\ref-profile

C:\LinhaDefensiva\ref-programfiles

C:\LinhaDefensiva\ref-reg

C:\LinhaDefensiva\ref-start

C:\LinhaDefensiva\ref-startup

C:\LinhaDefensiva\ref-sysdrive

C:\LinhaDefensiva\ref-system

C:\LinhaDefensiva\ref-system32

C:\LinhaDefensiva\ref-tasks

C:\LinhaDefensiva\ref-temp

C:\LinhaDefensiva\ref-wincommon

C:\LinhaDefensiva\ref-windows

C:\LinhaDefensiva\reft-startup

C:\LinhaDefensiva\RegKeys.txt

C:\LinhaDefensiva\regremove

C:\LinhaDefensiva\relatorio.txt

C:\LinhaDefensiva\unzip.exe

C:\LinhaDefensiva\VERSION

C:\LinhaDefensiva\webversion.info

C:\Program Files\GbPluggin

C:\Program Files\GbPluggin\gbiehdst.dll

C:\Program Files\GbPluggin\gbiehdst.gmd

C:\Program Files\GbPluggin\gbiehdt.gpc

C:\Program Files\GbPluggin\gbplib.dll

C:\Program Files\GbPluggin\gbppdist.dll

C:\Program Files\GbPluggin\gbppsv.exe

C:\Program Files\GbPluggin\svchost

 

.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))

.

 

2008-04-28 11:03 . 2008-04-28 11:03 1,523 --a------ C:\WINDOWS\system32\MRT.INI

2008-04-28 11:00 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2008-04-28 10:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-04-28 10:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-04-28 10:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-04-28 10:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-04-28 09:56 . 2008-04-29 17:45 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS

2008-04-28 03:33 . 2008-04-28 04:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2008-04-28 03:33 . 2008-04-28 03:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2008-04-28 03:33 . 2008-04-28 03:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-04-28 03:33 . 2008-04-28 03:42 1,406 --a------ C:\WINDOWS\system32\Help.ico

2008-04-28 02:27 . 2008-04-28 02:27 <DIR> d-------- C:\Program Files\Lavasoft

2008-04-28 02:27 . 2008-04-28 02:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-28 02:26 . 2008-04-28 02:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-28 02:18 . 2008-04-28 12:09 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer

2008-04-28 02:18 . 2008-04-28 02:18 <DIR> d-------- C:\Documents and Settings\jorge\Application Data\Sammsoft

2008-04-27 19:56 . 2008-04-27 19:56 14,012 --ah----- C:\WINDOWS\system32\mlfcache.dat

2008-04-04 22:46 . 2008-04-28 04:43 <DIR> d-------- C:\Program Files\iTunes

2008-04-04 22:46 . 2008-04-04 22:46 <DIR> d-------- C:\Program Files\iPod

2008-03-29 16:08 . 2008-03-29 16:08 <DIR> d-------- C:\Program Files\Safari

2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx

2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

2008-03-12 13:00 . 2008-03-12 13:00 <DIR> d-------- C:\Program Files\AviSynth 2.5

2008-03-12 12:44 . 2008-04-29 17:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-03-12 12:44 . 2008-03-12 12:44 1,409 --a------ C:\WINDOWS\QTFont.for

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-30 00:50 --------- d-----w C:\Program Files\Symantec AntiVirus

2008-04-30 00:39 --------- d-----w C:\Documents and Settings\jorge\Application Data\Skype

2008-04-28 23:37 --------- d-----w C:\Program Files\Windows Live Safety Center

2008-04-28 11:45 --------- d-----w C:\Program Files\MSN Messenger

2008-04-28 11:42 --------- d-----w C:\Program Files\GbPlugin

2008-04-28 11:42 --------- d-----w C:\Program Files\DVD Region+CSS Free

2008-04-28 11:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-04-28 09:09 --------- d-----w C:\Program Files\Google

2008-04-28 02:55 --------- d-----w C:\Documents and Settings\jorge\Application Data\Apple Computer

2008-04-26 05:26 --------- d-----w C:\Program Files\Apple Software Update

2008-04-05 05:44 --------- d-----w C:\Program Files\QuickTime

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-18 10:16 --------- d-----w C:\Program Files\Java

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-03 05:31 65,536 ----a-w C:\WINDOWS\DUMP5dfe.tmp

2008-01-29 19:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll

2005-04-01 06:17 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe

.

 

((((((((((((((((((((((((((((( snapshot@2008-04-28_13.47.50,06 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-28 20:30:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-04-30 00:51:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 17:25 94208]

"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-03-13 09:46 3610192]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-10 16:09 23395880]

"AROReminder"="C:\Program Files\Advanced Registry Optimizer\aro.exe" [2008-04-09 14:22 2135168]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06 7311360]

"nwiz"="nwiz.exe" [2005-12-10 04:06 1519616 C:\WINDOWS\system32\nwiz.exe]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 16:52 48752]

"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 13:30 85184]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 04:06 86016]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 18:35 32768]

"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-06-10 07:20 1397760]

"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:54 3735552]

"RemoveWGA"="E:\RemoveWGA.exe" [ ]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 13:48 439872]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70001000000}\SC_Reader.exe [2006-01-17 16:52:50 25214]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-10 17:45:25 118784]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 16:18 49152]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\PROGRA~1\GbPlugin\gbieh.dll [2007-12-03 16:30 347976]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbiehAbn]

C:\PROGRA~1\GBPLUG~1\gbiehdst.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\PROGRA~1\GbPlugin\gbieh.dll 2007-12-03 16:30 347976 C:\PROGRA~1\GbPlugin\gbieh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.3iv2"= 3ivxVfWCodec.dll

"VIDC.HFYU"= huffyuv.dll

"VIDC.VP31"= vp31vfw.dll

"msacm.divxa32"= divxa32.acm

"VIDC.i263"= i263_32.drv

"msacm.imc"= imc32.acm

"vidc.3ivx"= 3ivxVfWCodec.dll

"SENTINEL"= snti386.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Program Files\\eMule\\eMule.exe"=

"C:\\Program Files\\Soulseek\\slsk.exe"=

"C:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-04-15 05:00]

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 14:45]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-04-27 02:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-29 17:52:29

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 80

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\GbPlugin\gbpsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2008-04-29 18:04:14 - machine was rebooted [jorge]

ComboFix-quarantined-files.txt 2008-04-30 01:04:01

ComboFix2.txt 2008-04-29 20:36:27

ComboFix3.txt 2008-04-28 20:49:47

ComboFix4.txt 2008-04-28 19:57:52

 

Pre-Run: 4,673,335,296 bytes free

Post-Run: 4,701,904,896 bytes free

 

227 --- E O F --- 2008-04-28 18:14:37

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 22:03:19, on 29/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Pando Networks\Pando\Pando.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Safari\Safari.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\jorge\Desktop\Kijacksthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://waves.terra.com.br/novo/bodyboard/lista.asp?sessao=91

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\PROGRA~1\GbPlugin\gbieh.dll

O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [RemoveWGA] E:\RemoveWGA.exe -startup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local

O17 - HKLM\Software\..\Telephony: DomainName = local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = local

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbiehAbn - C:\PROGRA~1\GBPLUG~1\gbiehdst.dll (file missing)

O20 - Winlogon Notify: GbPluginBb - C:\PROGRA~1\GbPlugin\gbieh.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cdamp0pwa - Symantec Corporation - (no file)

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Good morning, jorgebaggio!

>@< Open HijackThis >> Click: Do a system scan only

O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)

O20 - Winlogon Notify: GbiehAbn - C:\PROGRA~1\GBPLUG~1\gbiehdst.dll (file missing)

>@< Check the entries above and click Fix checked.

------------------------------

Once everything is OK with the PC, create a completely clean System Restore point!

Right-click My Computer >> Properties >> System Restore >> Check: Turn off System Restore >> Apply >> OK.

Then uncheck it again! >> Apply >> OK.

For more details, go to: < Docs >

>@< Any problems still?

>@< Clean log! :thumbsup:

Regards!

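As an added example for this thread (my own code, not HijackThis or any poster's code): the two entries the reply above tells the poster to fix are exactly the ones HijackThis marks "(no file)" or "(file missing)", i.e. registry pointers whose target is gone. The script below parses HijackThis 1.99 log lines and pulls those out, counts entries per section, and lists Winlogon Notify DLLs that live outside system32 so they can be checked by vendor. The sample input is a nine-line excerpt copied from the HijackThis log posted above; the function names, the section regex and the path heuristic are my own assumptions, not HijackThis behaviour.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample input: an excerpt of the HijackThis log posted in this thread (constructed
# for this example; the real log has many more lines).
SAMPLE_LOG = r"""
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\PROGRA~1\GbPlugin\gbieh.dll
O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)
O4 - HKLM\..\Run: [RemoveWGA] E:\RemoveWGA.exe -startup
O20 - Winlogon Notify: GbiehAbn - C:\PROGRA~1\GBPLUG~1\gbiehdst.dll (file missing)
O20 - Winlogon Notify: GbPluginBb - C:\PROGRA~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Cdamp0pwa - Symantec Corporation - (no file)
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
"""

# Every HijackThis finding starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
HJT_LINE = re.compile(r"^(?P<section>[RFN]\d|O\d{1,2}) - (?P<body>.+)$")

# Literal markers HijackThis prints when the file an entry points to does not exist.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Absolute Windows path ending in .dll, as written after " - " in O20 entries.
DLL_PATH = re.compile(r" - ([A-Za-z]:\\.+?\.dll)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def raw(self) -> str:
        return f"{self.section} - {self.body}"

    @property
    def orphaned(self) -> bool:
        return any(marker in self.body for marker in ORPHAN_MARKERS)


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis lines; non-matching lines (process list, headers) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def section_counts(text: str) -> Dict[str, int]:
    """How many findings per HijackThis section, to see where the autostarts cluster."""
    return dict(Counter(e.section for e in parse_hjt(text)))


def fix_list(text: str) -> List[str]:
    """Lines whose target file is gone. 'Fix checked' on these only removes a dangling
    registry reference, which is the criterion behind the reply above."""
    return [e.raw for e in parse_hjt(text) if e.orphaned]


def winlogon_notify_outside_system32(text: str) -> List[str]:
    """O20 Winlogon Notify DLLs not under %SystemRoot%\\system32.
    Identification only, not a verdict: the G-Buster (GbPlugin) DLL is a bank
    browser-defense plugin, but any DLL loaded by winlogon from outside system32
    deserves a vendor and signature check before it is trusted."""
    found = []
    for e in parse_hjt(text):
        if e.section != "O20":
            continue
        m = DLL_PATH.search(e.body)
        if m and not m.group(1).lower().startswith("c:\\windows\\system32\\"):
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    print("entries per section:", section_counts(SAMPLE_LOG))
    print("fix list (orphaned registry pointers):")
    for line in fix_list(SAMPLE_LOG):
        print("  ", line)
    print("O20 DLLs outside system32 (verify vendor):")
    for path in winlogon_notify_outside_system32(SAMPLE_LOG):
        print("  ", path)
```

Run against the excerpt it returns the O3 toolbar and the GbiehAbn notify entry from the reply, plus the orphaned Cdamp0pwa service. An orphaned entry is not evidence that the missing file was the malware; it only means the pointer outlived the file, which is why fixing it is safe. Entries that still resolve to a file, such as the GbPlugin DLLs, need the opposite question answered (is the file legitimate?) and that cannot be decided from the HijackThis line alone.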

PROBLEM SOLVED!

 

If the author needs the topic reopened, send a private message to a moderator with a link to the topic.
