[Resolvido!] Pc esta lento e travando demais.

leandro aislan · Maio 25, 2009

Meu pc esta ruim faz alguns dias..

Esta travando demais, e as vezes eu digito a letra e não sai, parece que trava bem na hora de digitar.....

Tirei um log do hijackThis e do malware.

Segue os logs.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:52:54, on 25/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe

C:\Arquivos de programas\LogMeIn\x86\LMIGuardian.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\NX Client for Windows\bin\nxssh.exe

C:\ARQUIV~1\NXCLIE~1\bin\NXWin.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\Asafer\Meus documentos\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll

O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 9326 bytes

Log do malware

Malwarebytes' Anti-Malware 1.28

Versão do banco de dados: 1141

Windows 5.1.2600 Service Pack 3

25/5/2009 10:54:52

mbam-log-2009-05-25 (10-54-52).txt

Tipo de Verificação: Rápida

Objetos verificados: 47374

Tempo decorrido: 3 minute(s), 44 second(s)

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 2

Valores do Registro infectados: 0

Ítens do Registro infectados: 0

Pastas infectadas: 0

Arquivos infectados: 1

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c41a1c0e-ea6c-11d4-b1b8-444553540003} (Trojan.BHO) -> Quarantined and deleted successfully.

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

Arquivos infectados:

C:\Arquivos de programas\GbPlugin\gbiehcef.dll (Trojan.BHO) -> Delete on reboot.

Agradeço dese ja

Abraçosssss

PedroN · Maio 25, 2009

Oi leandro aislan meu nome é Pedro Neto sou análista de segurança do fórum Imasters e vou ajudá-lo no seu caso, você estar infectado e quero que execute o Malwarebytes' Anti-Malware novamente e remova as infecções que forem apareçendo. Depois execute o combofix como descrito por mim abaixo, no final você verá que tudo vai ficar resolvido.

Faça o download do ComboFix de um destes locais:

Link 1.

Link 2.

Link 3.

Importante!

Você não deve usar Combofix a menos que você tenha sido instruído a fazê-lo por um análista de segurança.

Destina-se pelo seu criador para ser utilizado sob orientação e supervisão de um especialista, e não para uso privado.

Utilizando esta ferramenta incorreto poderia levar a desastrosa problemas com o seu sistema operacional.

Certifique-se de que você salvou ComboFix.exe para o seu desktop.

• Desabilite o seu Antivírus e AntiSpyware , geralmente através de um clique direito sobre o ícone da bandeja do sistema. Eles podem interferir na execução da ferramenta.

• Dê um duplo clique no ComboFix.exe & siga as instruções.

• Como parte de seu processo, ComboFix irá verificar se o Microsoft Windows Recovery Console está instalado. Como as infecções de malware são hoje, é fortemente recomendado que esteja pré-instalado em sua máquina antes de fazer qualquer remoção de malware. Ela permitirá que você arrancar em especial uma recuperação / reparação modo a permitir-nos-á mais fácil ajudá-lo a seu computador deve ter um problema após uma tentativa de remoção de malware.

• Siga as instruções para permitir ComboFix para baixar e instalar o Microsoft Windows Recovery Console e, quando for solicitado, concordar com o End-User License Agreement para instalar o Microsoft Windows Recovery Console.

-- Atenção: Se a consola de recuperação do Microsoft Windows já estiver instalado, ComboFix irá continuar a sua remoção malware procedimentos.

Uma vez que o Microsoft Windows Recovery Console é instalado usando o ComboFix, você deverá ver a seguinte mensagem:

Clique em Sim, para continuar a varredura de malware.

Quando terminar, ela deve produzir um log para você. Poste o relatorio do combofix que estar em C: \ ComboFix.txt junto com um log do hijackthis.

leandro aislan · Maio 26, 2009

Já rodei o anti malware e já foram para quarentena....

ComboFix 09-05-25.07 - Asafer 26/05/2009 8:15.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.524 [GMT -3:00]

Executando de: c:\documents and settings\Asafer\Meus documentos\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-04-26 to 2009-05-26 ))))))))))))))))))))))))))))

.

2009-05-26 10:37 . 2009-05-06 18:06 4784464 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Windows Defender\Definition Updates\{3FED1EC4-9010-47F0-9662-95E6C1A4E5C7}\mpengine.dll

2009-05-25 14:24 . 2009-05-25 14:24 2967799 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-25 14:02 . 2009-05-25 14:02 -------- d-----r c:\documents and settings\LocalService\Favoritos

2009-05-22 18:37 . 2009-05-22 18:37 -------- d-sh--w c:\documents and settings\LocalService\IETldCache

2009-05-22 16:28 . 2009-05-22 16:28 -------- d-sh--w c:\documents and settings\Asafer\IECompatCache

2009-05-22 16:26 . 2009-05-22 16:26 -------- d-sh--w c:\documents and settings\Asafer\PrivacIE

2009-05-22 14:56 . 2009-05-22 14:56 -------- d-sh--w c:\documents and settings\Asafer\IETldCache

2009-05-22 10:51 . 2009-05-22 10:51 -------- d-----w c:\windows\ie8updates

2009-05-22 10:51 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-05-22 10:49 . 2009-05-22 10:51 -------- dc-h--w c:\windows\ie8

2009-05-07 17:56 . 2008-10-16 23:35 83288 ----a-w c:\windows\system32\LMIRfsClientNP.dll

2009-05-07 17:56 . 2008-10-16 23:35 28984 ----a-w c:\windows\system32\LMIport.dll

2009-05-07 17:56 . 2008-07-24 21:46 47640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys

2009-05-07 17:56 . 2008-10-16 23:35 87352 ----a-w c:\windows\system32\LMIinit.dll

2009-05-07 17:56 . 2009-05-19 10:35 -------- d-----w c:\arquivos de programas\LogMeIn

2009-05-07 17:28 . 2009-05-07 17:28 -------- d-----w c:\documents and settings\Asafer\.ssh

2009-05-07 17:27 . 2009-05-25 17:14 -------- d-----w c:\documents and settings\Asafer\.nx

2009-05-07 17:24 . 2009-05-07 17:24 -------- d-----w c:\arquivos de programas\No-IP

2009-05-07 17:09 . 2009-05-07 17:43 -------- d-----w c:\arquivos de programas\NX Client for Windows

2009-05-07 17:06 . 2009-05-26 10:40 -------- d-----w c:\documents and settings\Asafer\Dados de aplicativos\Skype

2009-05-07 17:06 . 2009-05-07 17:06 -------- d-----w c:\arquivos de programas\Skype

2009-05-07 17:06 . 2009-05-07 17:06 -------- d-----w c:\arquivos de programas\Arquivos comuns\Skype

2009-05-07 17:06 . 2009-05-07 17:06 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Skype

2009-05-07 17:05 . 2002-02-01 10:00 620544 ----a-w c:\windows\system\stlpmt45.dll

2009-05-07 17:05 . 1999-02-05 12:57 426033 ----a-w c:\windows\system\RICHED20.DLL

2009-05-07 17:05 . 2002-02-01 10:00 1497088 ----a-w c:\windows\system\cc3260mt.dll

2009-05-07 17:05 . 2001-05-22 00:00 22016 ----a-w c:\windows\system\borlndmm.dll

2009-05-07 17:05 . 2009-05-07 17:05 -------- d-----w c:\documents and settings\Asafer\Dados de aplicativos\EditPlus 2

2009-05-07 17:05 . 2009-05-07 17:05 -------- d-----w c:\arquivos de programas\EditPlus 2

2009-05-07 17:03 . 2009-05-19 20:46 -------- d-----w C:\ncs

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-26 10:40 . 2007-06-13 14:09 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\GbPlugin

2009-05-25 19:53 . 2008-09-12 10:54 -------- d-----w c:\arquivos de programas\Malwarebytes' Anti-Malware

2009-05-25 18:30 . 2007-05-29 19:25 -------- d-----w c:\arquivos de programas\Windows Live Safety Center

2009-05-25 14:31 . 2007-06-13 14:09 -------- d-----w c:\arquivos de programas\GbPlugin

2009-05-20 10:43 . 2008-09-11 11:20 -------- d-----w c:\arquivos de programas\MessengerDiscovery

2009-05-07 11:10 . 2008-09-01 11:44 -------- d-----w c:\arquivos de programas\eMule

2009-05-07 11:09 . 2009-01-09 17:31 -------- d-----w c:\arquivos de programas\PokerStars

2009-05-06 18:06 . 2007-05-29 20:10 4784464 -c--a-w c:\documents and settings\All Users\Dados de aplicativos\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2009-04-27 10:34 . 2009-04-20 12:24 96104 ----a-w c:\windows\system32\drivers\avipbb.sys

2009-04-27 10:34 . 2009-04-20 12:24 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-04-22 14:53 . 2008-09-17 17:32 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2009-04-20 12:34 . 2009-04-20 12:35 410984 ----a-w c:\windows\system32\deploytk.dll

2009-04-20 12:34 . 2007-06-13 11:24 -------- d-----w c:\arquivos de programas\Java

2009-04-20 12:34 . 2009-04-20 12:34 152576 ----a-w c:\documents and settings\Asafer\Dados de aplicativos\Sun\Java\jre1.6.0_13\lzma.dll

2009-04-20 12:24 . 2009-04-20 12:24 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Avira

2009-04-20 12:24 . 2009-04-20 12:24 -------- d-----w c:\arquivos de programas\Avira

2009-04-16 19:53 . 2009-04-16 19:53 -------- d-----w c:\arquivos de programas\CCleaner

2009-04-16 12:22 . 2001-10-28 15:07 62474 ----a-w c:\windows\system32\perfc016.dat

2009-04-16 12:22 . 2001-10-28 15:07 416384 ----a-w c:\windows\system32\perfh016.dat

2009-04-06 18:32 . 2008-09-12 10:55 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 18:32 . 2008-09-12 10:55 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-27 15:03 . 2009-02-02 16:30 26568 ----a-w c:\windows\system32\drivers\gbpkm.sys

2009-03-08 07:34 . 2004-08-04 03:45 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 07:34 . 2004-08-04 03:45 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 07:33 . 2004-08-04 03:45 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 07:33 . 2004-08-04 03:45 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 07:32 . 2004-08-04 03:45 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 07:32 . 2004-08-04 03:45 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 07:31 . 2004-08-04 03:45 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 07:31 . 2004-08-04 03:44 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 07:31 . 2004-08-04 03:45 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 07:22 . 2001-10-28 15:07 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:20 . 2004-08-04 03:45 286208 ----a-w c:\windows\system32\pdh.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"msnmsgr"="c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"Skype"="c:\arquivos de programas\Skype\Phone\Skype.exe" [2007-08-17 23120680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]

"LanguageShortcut"="c:\arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]

"SoundMAXPnP"="c:\arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-04-20 148888]

"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"LogMeIn GUI"="c:\arquivos de programas\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\arquivos de programas\GBPLUGIN\gbiehcef.dll" [2009-03-27 264776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

2009-03-25 14:32 271152 ------w c:\arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]

2009-03-27 14:22 264776 ----a-w c:\arquivos de programas\GbPlugin\gbiehcef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2008-10-16 23:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"RemoteControl"="c:\arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Arquivos de programas\\NX Client for Windows\\nxclient.exe"=

"c:\\Arquivos de programas\\NX Client for Windows\\bin\\nxssh.exe"=

"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [2/2/2009 13:30 26568]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [20/4/2009 09:24 108289]

R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [13/6/2007 11:09 52808]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\arquivos de programas\LogMeIn\x86\rainfo.sys [24/7/2008 18:46 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [7/5/2009 14:56 47640]

R2 WinDefend;Windows Defender;c:\arquivos de programas\Windows Defender\MsMpEng.exe [3/11/2006 19:19 13592]

S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [9/8/2007 07:39 87824]

S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [9/8/2007 07:39 85696]

S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\drivers\z530bus.sys [2/4/2008 12:37 58288]

S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\drivers\z530mdfl.sys [2/4/2008 12:37 8336]

S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\drivers\z530mdm.sys [2/4/2008 12:37 94064]

S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\z530mgmt.sys [2/4/2008 12:37 85408]

S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\drivers\z530obex.sys [2/4/2008 12:37 83344]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Conteúdo da pasta 'Tarefas Agendadas'

2009-05-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\arquivos de programas\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2009-05-26 c:\windows\Tasks\User_Feed_Synchronization-{CA683917-B656-44F2-9D5E-06FFC81B47C9}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 07:31]

.

- - - - ORFÃOS REMOVIDOS - - - -

SafeBoot-procexp90.Sys

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.terra.com.br/

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab

FF - ProfilePath - c:\documents and settings\Asafer\Dados de aplicativos\Mozilla\Firefox\Profiles\7tszqf0e.default\

FF - prefs.js: browser.startup.homepage - www.google.com.br

FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-26 08:17

Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(696)

c:\arquivos de programas\GBPLUGIN\gbieh.dll

c:\arquivos de programas\GBPLUGIN\gbiehcef.dll

c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3092)

c:\windows\system32\ieframe.dll

c:\arquivos de programas\GBPLUGIN\gbieh.dll

c:\arquivos de programas\GBPLUGIN\gbiehcef.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Tempo para conclusão: 2009-05-26 8:19

ComboFix-quarantined-files.txt 2009-05-26 11:19

Pré-execução: 18 pasta(s) 36.277.387.264 bytes disponíveis

Pós execução: 17 pasta(s) 36.456.230.912 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

200 --- E O F --- 2009-05-26 10:37

----------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:36:58, on 26/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\ARQUIV~1\GbPlugin\GbpSv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

C:\Arquivos de programas\LogMeIn\x86\LogMeInSystray.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe

C:\Arquivos de programas\LogMeIn\x86\LMIGuardian.exe

C:\Arquivos de programas\Skype\Phone\Skype.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe

C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\explorer.exe