alexgodoy, posted December 13, 2009:

In normal mode my computer shows 100% CPU usage and is very slow; some programs don't even open. The HijackThis log follows. Thank you. I had already run Malwarebytes and it had detected "backdoor.bot", which I put in quarantine, but that didn't help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:06, on 13-12-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - Default URLSearchHook is missing
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [iSUSPM Startup] "c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\RunOnce: [ GbPluginCef] RunDll32.exe C:\ARQUIV~1\GbPlugin\gbiehCef.dll,Gbieh
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: siszyd32.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://geovision.dipmap.com/cab/OCXChecker_8198.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll
O20 - Winlogon Notify: wamregps32 - wamregps32.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL5 - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Arquivos de programas\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Apache Software Foundation - C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe

--
End of file - 7613 bytes
wings, posted December 13, 2009:

Good morning alexgodoy. Paste a new HijackThis log taken in Normal Mode.
alexgodoy, posted December 13, 2009:

> Good morning alexgodoy. Paste a new HijackThis log taken in Normal Mode.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:53:40, on 13-12-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\a-squared Free\a2service.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - Default URLSearchHook is missing
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: siszyd32.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://geovision.dipmap.com/cab/OCXChecker_8198.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll (file missing)
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll
O20 - Winlogon Notify: wamregps32 - wamregps32.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL5 - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Arquivos de programas\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Apache Software Foundation - C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe

--
End of file - 7961 bytes
wings, posted December 13, 2009:

1. Open Spybot. In the top menu, click [Mode] > [Advanced] and confirm. Click [Tools] > [Resident]. Untick the option "Enable 'TeaTimer' Resident (general protection of system settings)". Close the program.

2. *Temporarily disable your antivirus: right-click the Avira icon next to the clock > click the "AntiVir Guard enable" option.
*Download ComboFix and save it to the desktop
*Double-click the file Combofix.exe
*Accept the agreement
*If the Windows Recovery Console is already installed, ComboFix will continue the process automatically. If it is not, a window like the one below will open. Click [Yes] to accept its installation.
*After the installation, click [Yes] to continue.
*Important: while ComboFix is running, do not use the mouse or the keyboard! To interrupt the procedure, press N or 2 and then ENTER.
*The program will close automatically
*Paste the report created at C:\combofix.txt
alexgodoy, posted December 13, 2009:

ComboFix report follows:

ComboFix 09-09-25.01 - Alexandre 13/12/2009 14:43.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.2559.2064 [GMT -2:00]
Executando de: e:\download\combofix\combofix\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
- MODO DE FUNCIONALIDADE REDUZIDA -
.
ADS - drivers: deleted 208 bytes in 1 streams.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-11-13 to 2009-12-13 ))))))))))))))))))))))))))))
.
2009-12-13 12:55 . 2009-10-22 17:40 30504 ----a-w- c:\windows\system32\drivers\GbpKm.sys
2009-12-13 01:53 . 2009-12-13 13:18 -------- d-----w- C:\ToolBar SD
2009-12-13 01:33 . 2009-12-13 01:33 -------- d-----w- c:\arquivos de programas\Trend Micro
2009-12-13 01:16 . 2009-12-13 01:16 -------- d-----w- c:\documents and settings\Alexandre\Dados de aplicativos\Malwarebytes
2009-12-13 01:16 . 2009-12-03 18:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-13 01:16 . 2009-12-13 01:16 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2009-12-13 01:16 . 2009-12-13 01:16 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-12-13 01:16 . 2009-12-03 18:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 20:37 . 2009-12-12 20:37 -------- d-sh--w- c:\documents and settings\Alexandre\IECompatCache
2009-12-12 20:21 . 2009-12-12 20:21 -------- d-----w- c:\documents and settings\Alexandre\Dados de aplicativos\FreeFixer
2009-12-12 20:20 . 2009-12-12 20:20 -------- d-----w- c:\arquivos de programas\FreeFixer
2009-12-12 18:15 . 2009-12-13 16:44 697856 ----a-w- c:\windows\system32\drivers\bceyjm.sys
2009-12-12 18:15 . 2009-12-12 19:44 164 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2009-12-10 22:39 . 2009-12-10 23:19 -------- d-----w- c:\documents and settings\Alexandre\.ireport
2009-12-10 22:38 . 2009-12-10 23:18 -------- d-----w- c:\arquivos de programas\Jaspersoft
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-13 14:58 . 2009-12-12 18:14 8 ----a-w- c:\documents and settings\Alexandre\Dados de aplicativos\avdrn.dat
2009-12-13 12:55 . 2007-09-15 23:22 -------- d-----w- c:\arquivos de programas\GbPlugin
2009-12-13 02:08 . 2008-05-24 00:40 -------- d-----w- c:\arquivos de programas\MemoriesOnTV4
2009-12-13 02:08 . 2009-06-07 17:19 -------- d--h--w- c:\arquivos de programas\InstallJammer Registry
2009-12-13 01:31 . 2009-08-30 21:06 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-12-13 00:39 . 2009-08-29 00:26 -------- d-----w- c:\documents and settings\Alexandre\Dados de aplicativos\Skype
2009-12-12 20:15 . 2007-12-01 14:04 -------- d-----w- c:\arquivos de programas\Spybot - Search & Destroy
2009-12-12 19:45 . 2009-12-12 19:44 16 ----a-w- c:\documents and settings\NetworkService\Dados de aplicativos\fvgqad.dat
2009-12-12 16:04 . 2007-09-15 23:21 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-12-10 23:30 . 2009-10-09 00:33 -------- d-----w- c:\arquivos de programas\NetBeans 6.7.1
2009-12-10 23:08 . 2009-04-09 00:06 -------- d-----w- c:\documents and settings\Alexandre\Dados de aplicativos\SQLyog
2009-12-10 22:51 . 2009-04-08 23:22 -------- d-----w- c:\documents and settings\Alexandre\Dados de aplicativos\MySQL
2009-12-07 22:11 . 2009-10-04 18:15 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-01 11:52 . 2009-01-22 23:15 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-12 01:59 . 2009-11-12 01:59 -------- d-----w- c:\arquivos de programas\Apache Software Foundation
2009-11-12 00:17 . 2009-11-12 00:15 -------- d-----w- c:\documents and settings\Alexandre\Dados de aplicativos\MySQL-Front
2009-11-08 21:13 . 2009-11-08 21:13 -------- d-----w- c:\arquivos de programas\Orban
2009-11-01 20:34 . 2009-11-01 20:34 -------- d-----w- c:\documents and settings\Alexandre\Dados de aplicativos\Myfreecomm
2009-11-01 17:25 . 2009-11-01 17:25 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Software FX Shared
2009-11-01 17:25 . 2009-11-01 17:25 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Myfreecomm
2009-11-01 17:25 . 2009-11-01 17:25 -------- d-----w- c:\arquivos de programas\Myfreecomm
2009-10-29 07:42 . 2004-08-04 03:45 916480 ------w- c:\windows\system32\wininet.dll
2009-10-18 15:07 . 2006-08-04 01:17 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Adobe
2009-10-18 14:54 . 2001-10-28 12:07 48628 ----a-w- c:\windows\system32\perfc016.dat
2009-10-18 14:54 . 2001-10-28 12:07 344380 ----a-w- c:\windows\system32\perfh016.dat
2009-10-17 01:15 . 2009-07-18 16:28 -------- d-----w- c:\arquivos de programas\BrainTrainAge
2009-10-13 10:34 . 2004-08-04 03:45 271360 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:39 . 2004-08-04 03:45 150016 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:39 . 2004-08-04 03:45 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-09 00:14 . 2009-10-09 00:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-26 23:34 . 2009-09-26 23:31 286720 ------w- c:\windows\Setup1.exe
2009-09-26 23:34 . 2009-09-26 23:31 73216 ----a-w- c:\windows\ST6UNST.EXE
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-10-09 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= "c:\arquivos de programas\GbPlugin\gbiehcef.dll" [2009-05-13 286792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GbPluginBb]
c:\arquiv~1\GBPLUGIN\gbieh.dll [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GbPluginCef]
2009-05-13 12:19 286792 ----a-w- c:\arquivos de programas\GbPlugin\gbiehcef.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Alexandre^Menu Iniciar^Programas^Inicializar^BrOffice.org 2.4.lnk]
path=c:\documents and settings\Alexandre\Menu Iniciar\Programas\Inicializar\BrOffice.org 2.4.lnk
backup=c:\windows\pss\BrOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alexandre^Menu Iniciar^Programas^Inicializar^siszyd32.exe]
path=c:\documents and settings\Alexandre\Menu Iniciar\Programas\Inicializar\siszyd32.exe
backup=c:\windows\pss\siszyd32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Orbit.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Remote Control.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Remote Control.lnk
backup=c:\windows\pss\Remote Control.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Arquivos de programas\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Arquivos de programas\\Java\\jdk1.5.0_07\\jre\\bin\\java.exe"=
"c:\\Arquivos de programas\\Java\\jre1.6.0_05\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Arquivos de programas\\Java\\jdk1.6.0_16\\bin\\java.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18893:TCP"= 18893:TCP:BitComet 18893 TCP
"18893:UDP"= 18893:UDP:BitComet 18893 UDP

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [13/12/2009 10:55 30504]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [04/10/2009 16:15 108289]
R2 CX88Tune;Conexant 2388x TvTuner;c:\windows\system32\drivers\CX88Tune.sys [17/08/2006 03:59 66176]
R2 CX88VCap;Conexant 2388x Capture;c:\windows\system32\drivers\CX88Vid.sys [17/08/2006 02:03 167040]
R3 CX88XBAR;Conexant 2388x Crossbar;c:\windows\system32\drivers\CX88XBar.sys [18/05/2006 07:52 10496]
S1 oreans32;oreans32;\??\c:\windows\system32\drivers\oreans32.sys --> c:\windows\system32\drivers\oreans32.sys [?]
S2 WinService;WinService;c:\windows\system32\drivers\lssas.exe [20/07/2009 20:07 60136]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [04/08/2004 01:45 14336]
S3 MySQL5;MySQL5;"c:\arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="c:\arquivos de programas\MySQL\MySQL Server 5.0\my.ini" "MySQL5" --> c:\arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt [?]
S3 Tomcat6;Apache Tomcat 6;c:\arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [13/05/2009 21:15 57344]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]
S4 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
S4 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [02/02/2006 01:49 204800]
S4 VFILT;Outpost Firewall Kernel Driver;\??\c:\arquiv~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS --> c:\arquiv~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [?]

--- =Outros Serviços/Drivers Na Memória ---

*Deregistered* - bceyjm

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
mWindow Title =
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: bancobrasil.com.br\www2
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://geovision.dipmap.com/cab/OCXChecker_8198.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab
DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab
DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} - hxxps://imagem.caixa.gov.br/cab/GbPluginCef.cab
FF - ProfilePath - c:\documents and settings\Alexandre\Dados de aplicativos\Mozilla\Firefox\Profiles\sjvcx622.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\documents and settings\Alexandre\Dados de aplicativos\Mozilla\Firefox\Profiles\sjvcx622.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\Alexandre\Dados de aplicativos\Mozilla\Firefox\Profiles\sjvcx622.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Alexandre\Dados de aplicativos\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\npNxGameUS.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-13 14:44
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL5]
"ImagePath"="\"c:\arquivos de programas\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\arquivos de programas\MySQL\MySQL Server 5.0\my.ini\" \"MySQL5\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bceyjm]
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GbpSv]
"ImagePath"="c:\arquiv~1\GbPlugin\GbpSv.exe"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2fac7a08-8211-4186-becb-530ef980749f}]
@Denied: (Full) (Everyone)
"Model"=dword:00000081
"Therad"=dword:0000001c

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{39981127-C287-11D0-8D8C-00C04FD6202B}\InprocServer32]
@Ace=(Denied: NO_PROPAGATE_INHERIT_ACE) (Full) (Everyone)
@Ace=(Denied: NO_PROPAGATE_INHERIT_ACE) (Full) (LocalSystem)
@=expand:"%SystemRoot%\\system32\\msoeacct.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):9e,4c,21,92,37,8e,cb,6b,77,ad,91,98,ef,7b,c3,48,b8,13,86,99,56,
c4,2e,50,cf,55,c0,9c,1a,71,c0,27,14,66,7c,10,16,e7,60,fa,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GbpSv]
@Ace=(Denied: NO_PROPAGATE_INHERIT_ACE) (Full) (Everyone)
@Ace=(Denied: NO_PROPAGATE_INHERIT_ACE) (Full) (LocalSystem)
@Allowed: (Read) (Administrators)
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="c:\\ARQUIV~1\\GbPlugin\\GbpSv.exe"
"DisplayName"="Gbp Service"
"Group"="GbPlugin Group"
"ObjectName"="LocalSystem"
"Description"="Service for G-Buster Browser Defense"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\arquivos de programas\GbPlugin\gbiehCef.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3080)
c:\windows\system32\WININET.dll
c:\arquivos de programas\GbPlugin\gbiehCef.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Tempo para conclusão: 2009-12-13 14:47
ComboFix-quarantined-files.txt 2009-12-13 16:47
ComboFix2.txt 2009-12-13 16:38

Pré-execução: 31 pasta(s) 25.712.259.072 bytes disponíveis
Pós execução: 32 pasta(s) 25.675.907.072 bytes disponíveis

213 --- E O F --- 2009-12-11 00:05
wings, posted December 13, 2009:

1. *Run HijackThis, click [Do a system scan only], tick the entry below and click [Fix checked]

O4 - Startup: siszyd32.exe

*Close HijackThis

2. *Open Notepad, then select, copy and paste into it the whole content of the code below:

File::
c:\documents and settings\Alexandre\Dados de aplicativos\avdrn.dat
c:\windows\system32\fjhdyfhsn.bat
c:\documents and settings\NetworkService\Dados de aplicativos\fvgqad.dat
FileLook::
c:\windows\system32\drivers\bceyjm.sys

*Save the file on the desktop as CFScript.txt
*Drag the file onto ComboFix as in the illustration below:
*Important: while ComboFix is running, do not use the mouse or the keyboard! To interrupt the process, press N or 2.
*Paste the report created at C:\combofix.txt
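The entries wings singles out above (a bare executable in the Startup folder, a Winlogon Notify DLL that is registered but missing, and a service binary named lssas.exe sitting under the drivers directory) are the kind of thing a helper spots by reading the log line by line. The script below is an added example, not code from this thread, HijackThis or ComboFix: it parses HijackThis "Oxx - ..." lines and applies those same checks mechanically. The list of core process names, the near-match cut-off and the sample lines (copied from the logs posted in this thread) are choices made for this example, not anything the tools themselves define.

```python
"""Triage helper for HijackThis-style logs.

Added example (not code from the thread, HijackThis or ComboFix). It parses
"Oxx - ..." entries and flags the patterns a helper on this kind of thread
looks for first:
  * a bare executable registered in the Startup folder (O4 - Startup:),
  * a Winlogon Notify DLL that is registered but missing on disk (O20),
  * a binary whose name nearly matches a core Windows process name,
  * an executable placed under \\drivers\\ (only .sys files belong there).
The list of core names and the 0.85 cut-off are assumptions for this example.
"""
import difflib
import re
from dataclasses import dataclass

# Core Windows process names; a file name that *almost* equals one is suspect.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
# Drive-letter paths ending in an executable, library, driver or batch extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|bat)\b", re.IGNORECASE)


@dataclass
class Finding:
    code: str     # HijackThis section, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the offending log line


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def lookalike_of(name: str):
    """Return the core process name `name` nearly matches, or None.

    An exact match is the real binary and is not reported; a near miss such
    as a transposed pair of letters (lssas vs lsass) is what this catches.
    """
    low = name.lower()
    if low in CORE_PROCESSES:
        return None
    hits = difflib.get_close_matches(low, CORE_PROCESSES, n=1, cutoff=0.85)
    return hits[0] if hits else None


def flag_path(path: str) -> list:
    """Reasons to look twice at a binary path (empty list if none)."""
    reasons = []
    name = basename(path)
    twin = lookalike_of(name)
    if twin:
        reasons.append(f"name '{name}' mimics core process '{twin}'")
    if "\\drivers\\" in path.lower() and name.lower().endswith(".exe"):
        reasons.append("executable placed in the drivers directory")
    return reasons


def triage(log_text: str) -> list:
    """Parse a HijackThis log and return the entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank or "Running processes" line
        code, body = m.group("code"), m.group("body")
        if code == "O4" and body.startswith("Startup:") and body.lower().endswith(".exe"):
            findings.append(Finding(code, "bare executable in Startup folder", line))
        if code == "O20" and "(file missing)" in body:
            findings.append(Finding(code, "Winlogon Notify DLL registered but missing", line))
        for path in PATH_RE.findall(body):
            for reason in flag_path(path):
                findings.append(Finding(code, reason, line))
    return findings


# Constructed sample: a handful of lines copied from the logs posted above.
SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - Startup: siszyd32.exe
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehCef.dll
O20 - Winlogon Notify: wamregps32 - wamregps32.dll (file missing)
O23 - Service: Apache Tomcat 6 (Tomcat6) - Apache Software Foundation - C:\Arquivos de programas\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
"""

# The same path check applied to the service binary ComboFix listed above.
COMBOFIX_SERVICE_PATH = r"c:\windows\system32\drivers\lssas.exe"

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.code}] {f.reason}: {f.line}")
    for reason in flag_path(COMBOFIX_SERVICE_PATH):
        print(f"[S2 WinService] {reason}: {COMBOFIX_SERVICE_PATH}")
```

Run stand-alone it reports the Startup-folder executable and the missing wamregps32 Winlogon Notify DLL from the sample, and both reasons for the lssas.exe service path; the legitimate Spybot, Avira, GbPlugin and Tomcat entries produce nothing. The checks are deliberately narrow: a flagged line is a prompt to verify the file, not a verdict, which is why the stale GbPluginBb entry would also be flagged for review.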
wings, posted January 14, 2010:

Topic archived. Since the author did not reply for more than 30 days, the topic was archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area with the link to this topic and explain the reason for reopening it.