
Winlogon.exe Makes My PC Slow Down


  • This topic is locked
18 replies to this topic

#1 ceolin

  • Members
  • 9 posts

Posted 09 May 2008 - 12:43 PM

In the last couple of days I've noticed my computer slowing down; when I look in Task Manager, winlogon.exe takes 99% of my CPU. It happens from time to time.

This is my Deckard's System Scanner Log:


Deckard's System Scanner v20071014.68
Run by bruno ceolin on 2008-05-09 14:41:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.81 GiB (less than 15%) free.


-- HijackThis (run as bruno ceolin.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:41:04, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Arquivos de programas\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Red Gate\SQL Prompt\RedGate.SQLPrompt.exe
C:\Arquivos de programas\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\arquiv~1\micros~2\office11\outlook.exe
C:\Arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Arquivos de programas\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\arquiv~1\avantb~1\avant.exe
C:\Instaladores\dss.exe
C:\INSTAL~1\bruno ceolin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www2/portal/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www2/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NewCom Brasil
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.3.2.81:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Arquivos de programas\SAP\SAP Tutor\PlayerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Arquivos de programas\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AbreIE] http://www2/portal
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Arquivos de programas\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: SQL Prompt.lnk = C:\Arquivos de programas\Red Gate\SQL Prompt\RedGate.SQLPrompt.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: ADVFN 4v4 - http://br.advfn.com/p.php?pid=loadercab
O16 - DPF: {0C89E27C-DD69-44BB-A32E-4D093E859FB2} (strprint.trprints) - https://mcp.microsoft.com/mcp/tools/MCPTranscriptPrint.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174582330396
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195762673980
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-350553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://newcom-prm01/ReportServer2005/Reser...OpType=PrintCab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = newcombrasil.com.br
O17 - HKLM\Software\..\Telephony: DomainName = newcombrasil.com.br
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = newcombrasil.com.br
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = newcombrasil.com.br
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Eraser Service (EraserSvc10734) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Arquivos de programas\Symantec AntiVirus\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 11346 bytes

-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-09 13:39:32 0 d-------- U:\Deckard
2008-05-09 11:48:08 69632 -----n--- C:\WINDOWS\erase_SR.exe
2008-05-09 11:12:24 0 d-------- C:\Arquivos de programas\CCleaner
2008-05-07 15:50:52 0 d-------- C:\WINDOWS\pss
2008-04-14 09:34:11 0 d-------- U:\Telemar
2008-04-14 09:29:43 0 d-------- U:\Contax
2008-04-14 09:29:33 0 d-------- U:\Projetos


-- Find3M Report ---------------------------------------------------------------

2008-05-09 11:57:57 0 d-------- C:\Arquivos de programas\CheckPoint
2008-05-09 11:50:12 0 d-------- C:\Arquivos de programas\PowerISO
2008-05-09 11:46:59 0 d-------- C:\Arquivos de programas\Google
2008-05-09 11:43:27 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-05-08 10:28:59 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\AdobeUM
2008-05-08 10:20:34 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe
2008-05-07 08:26:18 0 d-------- C:\Arquivos de programas\GbPlugin
2008-04-10 11:32:10 0 d-------- C:\Arquivos de programas\SAP
2008-04-09 08:36:19 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Nokia Multimedia Player
2008-04-09 08:26:09 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Nokia
2008-04-08 17:21:22 535220 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-08 17:21:22 102574 --a------ C:\WINDOWS\system32\perfc016.dat
2008-04-08 17:19:39 0 d-------- C:\Arquivos de programas\Reference Assemblies
2008-04-08 16:48:18 0 d-------- C:\Arquivos de programas\Microsoft Enterprise Library 3.1 - May 2007
2008-04-07 17:45:38 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Adobe
2008-04-07 15:37:40 0 d-------- C:\Arquivos de programas\Microsoft Silverlight
2008-04-04 10:28:23 0 d-------- C:\Arquivos de programas\Motorola Phone Tools
2008-04-04 09:44:56 0 d-------- C:\Arquivos de programas\Avanquest update
2008-04-04 09:44:48 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\InstallShield
2008-04-01 09:30:07 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\NUnit
2008-03-27 09:27:07 0 d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-03-27 09:18:00 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-03-27 09:18:00 0 d-------- C:\Arquivos de programas\Arquivos comuns\Infragistics
2008-03-27 09:17:59 0 d-------- C:\Arquivos de programas\Infragistics
2008-03-26 11:59:12 0 d-------- C:\Arquivos de programas\Developer Express .NET v8.1


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [09/07/2003 17:25]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [09/07/2003 17:13]
"WheelMouse"="C:\Arquivos de programas\A4Tech\Mouse\Amoumain.exe" [10/02/2007 22:07]
"SoundMan"="SOUNDMAN.EXE" [16/04/2007 15:28 C:\WINDOWS\soundman.exe]
"ccApp"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [06/08/2007 03:08]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe" [15/07/2005 18:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:45]
"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [19/01/2007 12:54]
"AbreIE"="http://www2/portal" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\bruno ceolin\Menu Iniciar\Programas\Inicializar\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Arquivos de programas\Microsoft Office\OFFICE11\ONENOTEM.EXE [17/3/2005 14:06:14]
Stardock ObjectDock.lnk - C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe [20/12/2007 15:08:28]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
SQL Prompt.lnk - C:\Arquivos de programas\Red Gate\SQL Prompt\RedGate.SQLPrompt.exe [17/5/2006 16:28:48]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\ARQUIV~1\GbPlugin\gbiehabn.dll [23/04/2008 17:25 373672]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [22/02/2007 15:00 228392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
C:\ARQUIV~1\GbPlugin\gbiehabn.dll 23/04/2008 17:25 373672 C:\ARQUIV~1\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 15/11/2007 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginAbn]
C:\Arquivos de programas\GbPlugin\gbiehabn.dll 23/04/2008 17:25 373672 C:\Arquivos de programas\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AbreIE]
http://www2/portal

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\asrcs]
"C:\Arquivos de programas\Automatos\Secure Remote Control\Server\asrcsti.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutomatosControl]
C:\Arquivos de programas\Automatos\Desktop Agent\adacontrol.exe -nac -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SWMailService"=3 (0x3)
"SR_WatchDog"=2 (0x2)
"SR_Service"=3 (0x3)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"asrcs"=2 (0x2)
"AutomatosDesktopAgent"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\Install_Windows.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{087311c6-4998-11dc-9da0-00111111b91b}]
AutoRun\command- RavMon.exe
explore\Command- RavMon.exe -e
open\Command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb25f336-dfb3-11dc-9e20-00111111b91b}]
AutoRun\command- E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
open\command- E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe



-- End of Deckard's System Scanner: finished at 2008-05-09 14:41:36 ------------

Thanks for any help!


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 May 2008 - 02:48 PM

Hi,

I'm pretty sure the cause is G-Buster Browser Defense here, since it loads under Winlogon.exe and you installed the plugin recently.
So I suggest you uninstall it, reboot, and see if that fixes your problem.

I also see some malware-related leftovers present here, so to get rid of the leftovers, open Notepad and copy and paste the text in the quote box below into it
(don't forget to copy and paste REGEDIT4):

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{087311c6-4998-11dc-9da0-00111111b91b}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb25f336-dfb3-11dc-9e20-00111111b91b}]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AbreIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AbreIE"=-

Save this as fix.reg (choose to save as *all files) and place it on your desktop.
It should look like this: [screenshot]
Double-click on it and, when it asks whether you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a .reg file, take a look here with screenshots.)

Then, after performing the above steps, rescan with Deckard's System Scanner and post the log in your next reply.
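Added example for this thread (not code from the original posts, from Deckard's System Scanner or from HijackThis): a small Python triage script that reads the two log sections the reply above acts on, the O20 Winlogon Notify lines from the first post and the DSS registry dump of MountPoints2 and Active Setup entries, flags the autorun commands using the two indicators visible in the posted log (a payload parked under a RECYCLER\S-1-5-21-... folder, or a bare executable name that is resolved from the root of the removable drive), and emits the same REGEDIT4 `[-KEY]` deletions as the fix above. SAMPLE_LOG is an abbreviated copy of the dump posted above; the indicator rules, and the choice to report Winlogon Notify packages for review rather than delete them (the reply attributes the CPU usage to the legitimate G-Buster banking plugin, not to malware), are assumptions made for this example. The AbreIE Run entry removed in the fix is a judgement call the script does not model.

```python
"""Triage the persistence points discussed in this thread from a saved
HijackThis / Deckard's System Scanner (DSS) log and emit a REGEDIT4 fix.

Added example for this thread, not code from the original posts, DSS or
HijackThis. SAMPLE_LOG is an abbreviated copy of the dump posted above; the
indicator rules below are assumptions made for this example.
"""
import re

# HijackThis O20 line: a Winlogon Notify package. The DLL named here is loaded
# into winlogon.exe itself, so a busy notify package shows up as winlogon.exe
# CPU time. Reported for review only, not deleted (assumption: the thread
# blames a legitimate banking plugin, not malware, for this machine's CPU use).
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# DSS registry dump: a "[HKEY_...]" header, then one line per value.
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# MountPoints2 lines look like "AutoRun\command- <cmd>"; Active Setup lines are
# the bare command. Strip the optional verb prefix and keep the command.
CMD_RE = re.compile(r"^(?:\w+\\[Cc]ommand- )?(?P<cmd>.+)$")

MOUNTPOINTS2 = "\\explorer\\mountpoints2\\"
ACTIVE_SETUP = "\\active setup\\installed components\\"

# Indicators visible in the posted log (assumed rules for this example):
SUSPICIOUS = (
    # payload hidden in a RECYCLER\<SID> folder, a classic autorun-worm hideout
    re.compile(r"\\RECYCLER\\S-1-5-21-", re.I),
    # bare executable with no drive letter: resolved from the root of the
    # removable drive the MountPoints2 entry belongs to (autorun.inf style)
    re.compile(r"^(?!\w:\\)[\w.-]+\.exe\b", re.I),
)

# Constructed sample: an abbreviated copy of the DSS dump posted in this thread.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\Install_Windows.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{087311c6-4998-11dc-9da0-00111111b91b}]
AutoRun\command- RavMon.exe
explore\Command- RavMon.exe -e
open\Command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb25f336-dfb3-11dc-9e20-00111111b91b}]
AutoRun\command- E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
open\command- E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe

-- End of Deckard's System Scanner: finished at 2008-05-09 14:41:36 ------------
"""


def parse_registry_dump(lines):
    """Yield (key, value_line) pairs from the DSS '-- Registry Dump --' section."""
    key = None
    for line in lines:
        line = line.rstrip()
        if line.startswith("-- "):        # DSS section header or trailer
            key = None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key and line:
            yield key, line


def is_suspicious(command):
    return any(p.search(command) for p in SUSPICIOUS)


def triage(log_text):
    """Return (category, key_or_name, evidence) tuples for the two log sections."""
    findings = []
    lines = log_text.splitlines()
    for line in lines:
        m = O20_RE.match(line)
        if m:
            findings.append(("winlogon-notify", m.group("name"), m.group("path")))
    for key, value in parse_registry_dump(lines):
        lower = key.lower()
        if MOUNTPOINTS2 not in lower and ACTIVE_SETUP not in lower:
            continue
        cmd = CMD_RE.match(value).group("cmd")
        if is_suspicious(cmd):
            findings.append(("autorun", key, cmd))
    return findings


def build_fix_reg(findings):
    """REGEDIT4 text deleting every flagged autorun key. '[-KEY]' removes the
    key and everything under it, the same syntax as the fix posted above."""
    keys = []
    for category, key, _ in findings:
        if category == "autorun" and key not in keys:
            keys.append(key)
    return "REGEDIT4\n\n" + "\n\n".join(f"[-{k}]" for k in keys) + "\n"


if __name__ == "__main__":
    for category, key, evidence in triage(SAMPLE_LOG):
        print(f"{category:16} {key}\n{'':16} {evidence}")
    print(build_fix_reg(triage(SAMPLE_LOG)))
```

Run against the sample, the script reports the two G-Buster notify packages for review, flags the RavMon.exe and RECYCLER\...\sys32.exe commands, leaves the G:\Install_Windows.exe entry alone (a full drive path, no RECYCLER folder), and emits the three `[-KEY]` lines that match the fix above. Against a real log, review the output before merging it: the RECYCLER and bare-filename rules are heuristics, and deleting a MountPoints2 key only removes Explorer's cached autorun for that drive, not the worm files on the drive itself.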

#3 ceolin

  • Topic Starter
  • Members
  • 9 posts

Posted 09 May 2008 - 03:13 PM

miekiemoes, thanks for helping so fast!

I've tried to uninstall G-Buster Browser Defense, but without success. In the IE add-ons, I tried to disable it, but it turns enabled again... and the button to remove it is disabled. Can you help me?

Anyway, here is the log again after running the fix.reg:

Deckard's System Scanner v20071014.68
Run by bruno ceolin on 2008-05-09 17:14:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.81 GiB (less than 15%) free.


-- HijackThis (run as bruno ceolin.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:14:08, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Arquivos de programas\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Red Gate\SQL Prompt\RedGate.SQLPrompt.exe
C:\Arquivos de programas\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\arquiv~1\micros~2\office11\outlook.exe
C:\Arquivos de programas\Microsoft Office\OFFICE11\WINWORD.EXE
C:\arquiv~1\avantb~1\avant.exe
C:\Instaladores\dss.exe
C:\INSTAL~1\BRUNOC~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www2/portal/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www2/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NewCom Brasil
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.3.2.81:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Arquivos de programas\SAP\SAP Tutor\PlayerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Arquivos de programas\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Arquivos de programas\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: SQL Prompt.lnk = C:\Arquivos de programas\Red Gate\SQL Prompt\RedGate.SQLPrompt.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: ADVFN 4v4 - http://br.advfn.com/p.php?pid=loadercab
O16 - DPF: {0C89E27C-DD69-44BB-A32E-4D093E859FB2} (strprint.trprints) - https://mcp.microsoft.com/mcp/tools/MCPTranscriptPrint.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174582330396
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195762673980
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://newcom-prm01/ReportServer2005/Reser...OpType=PrintCab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = newcombrasil.com.br
O17 - HKLM\Software\..\Telephony: DomainName = newcombrasil.com.br
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = newcombrasil.com.br
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = newcombrasil.com.br
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Eraser Service (EraserSvc10734) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Arquivos de programas\Symantec AntiVirus\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Arquivos de programas\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 10086 bytes

-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-09 13:39:32 0 d-------- U:\Deckard
2008-05-09 11:48:08 69632 -----n--- C:\WINDOWS\erase_SR.exe
2008-05-09 11:12:24 0 d-------- C:\Arquivos de programas\CCleaner
2008-05-07 15:50:52 0 d-------- C:\WINDOWS\pss
2008-04-14 09:34:11 0 d-------- U:\Telemar
2008-04-14 09:29:43 0 d-------- U:\Contax
2008-04-14 09:29:33 0 d-------- U:\Projetos


-- Find3M Report ---------------------------------------------------------------

2008-05-09 11:57:57 0 d-------- C:\Arquivos de programas\CheckPoint
2008-05-09 11:50:12 0 d-------- C:\Arquivos de programas\PowerISO
2008-05-09 11:46:59 0 d-------- C:\Arquivos de programas\Google
2008-05-09 11:43:27 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-05-08 10:28:59 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\AdobeUM
2008-05-08 10:20:34 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe
2008-05-07 08:26:18 0 d-------- C:\Arquivos de programas\GbPlugin
2008-04-10 11:32:10 0 d-------- C:\Arquivos de programas\SAP
2008-04-09 08:36:19 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Nokia Multimedia Player
2008-04-09 08:26:09 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Nokia
2008-04-08 17:21:22 535220 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-08 17:21:22 102574 --a------ C:\WINDOWS\system32\perfc016.dat
2008-04-08 17:19:39 0 d-------- C:\Arquivos de programas\Reference Assemblies
2008-04-08 16:48:18 0 d-------- C:\Arquivos de programas\Microsoft Enterprise Library 3.1 - May 2007
2008-04-07 17:45:38 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Adobe
2008-04-07 15:37:40 0 d-------- C:\Arquivos de programas\Microsoft Silverlight
2008-04-04 10:28:23 0 d-------- C:\Arquivos de programas\Motorola Phone Tools
2008-04-04 09:44:56 0 d-------- C:\Arquivos de programas\Avanquest update
2008-04-04 09:44:48 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\InstallShield
2008-04-01 09:30:07 0 d-------- C:\Documents and Settings\bruno ceolin\Dados de aplicativos\NUnit
2008-03-27 09:27:07 0 d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-03-27 09:18:00 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-03-27 09:18:00 0 d-------- C:\Arquivos de programas\Arquivos comuns\Infragistics
2008-03-27 09:17:59 0 d-------- C:\Arquivos de programas\Infragistics
2008-03-26 11:59:12 0 d-------- C:\Arquivos de programas\Developer Express .NET v8.1


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [09/07/2003 17:25]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [09/07/2003 17:13]
"WheelMouse"="C:\Arquivos de programas\A4Tech\Mouse\Amoumain.exe" [10/02/2007 22:07]
"SoundMan"="SOUNDMAN.EXE" [16/04/2007 15:28 C:\WINDOWS\soundman.exe]
"ccApp"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [06/08/2007 03:08]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe" [15/07/2005 18:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:45]
"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [19/01/2007 12:54]

C:\Documents and Settings\bruno ceolin\Menu Iniciar\Programas\Inicializar\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Arquivos de programas\Microsoft Office\OFFICE11\ONENOTEM.EXE [17/3/2005 14:06:14]
Stardock ObjectDock.lnk - C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe [20/12/2007 15:08:28]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
SQL Prompt.lnk - C:\Arquivos de programas\Red Gate\SQL Prompt\RedGate.SQLPrompt.exe [17/5/2006 16:28:48]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\ARQUIV~1\GbPlugin\gbiehabn.dll [23/04/2008 17:25 373672]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [22/02/2007 15:00 228392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
C:\ARQUIV~1\GbPlugin\gbiehabn.dll 23/04/2008 17:25 373672 C:\ARQUIV~1\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 15/11/2007 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SWMailService"=3 (0x3)
"SR_WatchDog"=2 (0x2)
"SR_Service"=3 (0x3)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"asrcs"=2 (0x2)
"AutomatosDesktopAgent"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\Install_Windows.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe



-- End of Deckard's System Scanner: finished at 2008-05-09 17:14:39 ------------

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:46 AM

Posted 09 May 2008 - 03:23 PM

I've tried to uninstall G-Buster Browser Defense, but I don't have success. In the IE add-ons, I tried to make it disabled, but it turns enabled again... and the button for exclude is disabled. Can you help me?

Hi,

You need to uninstall it - not disable it, because disabling won't make a difference, since it has many different loading points which you cannot just "disable" like that. That's why you should uninstall it - it's the only way to properly troubleshoot if it's indeed causing your issue.
Uninstalling a program goes via start > control panel > software > add & remove programs.
In that list, search for GBuster and uninstall it.

Then reboot.

Let me know if that worked.

Edited by miekiemoes, 09 May 2008 - 03:23 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:46 AM

Posted 09 May 2008 - 03:29 PM

Also, since you were dealing with an IRCBot previously, I want you to run an extra tool to make sure leftovers are removed.

This tool will also remove this reference:

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe

So,

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!)
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum

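As an added example (not a tool from this thread), the two checks a responder makes on listings like the Deckard and catchme output above: counting the distinct loading points of one component, which is why disabling the IE add-on alone changes nothing (post #4), and flagging entries that launch from the Recycle Bin or a drive AutoRun, like the Active Setup reference SDFix is asked to remove (post #5). The sample lines are constructed from the logs in this thread; the parsing heuristics and function names are my own assumptions, not HijackThis or SDFix behaviour.

```python
"""Autostart triage for HijackThis / Deckard-style listings (added example).

Answers two questions over lines in the shapes the logs in this thread use:
how many distinct loading points a component such as GbPlugin has, and which
entries launch from places no legitimate installer uses (Recycle Bin, AutoRun).
"""
import re
from collections import namedtuple

# Constructed sample: lines copied in shape from the Deckard and catchme output
# in this thread (HijackThis O-lines plus registry-dump [key]/value blocks).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\ARQUIV~1\GbPlugin\gbiehabn.dll [23/04/2008 17:25 373672]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\WINDOWS\Downloaded Program Files\gbieh.dll [22/02/2007 15:00 228392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
C:\ARQUIV~1\GbPlugin\gbiehabn.dll 23/04/2008 17:25 373672 C:\ARQUIV~1\GbPlugin\gbiehabn.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\Install_Windows.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv]
"ImagePath"=str(2):"C:\Arquivos de programas\GbPlugin\GbpSv.exe"
"""

# One autostart entry: where it is registered, what it launches, the raw line.
Record = namedtuple("Record", "location path line")

HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
# A Windows path ending in a loadable object; non-greedy so the trailing
# date/size fields on Deckard lines are not swallowed into the path.
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"\[\]]*?\.(?:exe|dll|cab)", re.IGNORECASE)


def parse_listing(text):
    """Turn HijackThis O-lines and [key]/value registry blocks into Records."""
    records, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_LINE.match(line)
        if m:
            # The launched object is always the last " - " separated field.
            target = m.group(3).rsplit(" - ", 1)[-1]
            records.append(Record(f"{m.group(1)} {m.group(2)}", target, line))
            continue
        m = REG_KEY.match(line)
        if m:
            key = m.group(1)          # values that follow belong to this key
            continue
        found = WIN_PATH.search(line)
        if key and found:
            records.append(Record(key, found.group(0), line))
    return records


def loading_points(records, *needles):
    """Distinct autostart locations whose launched object names the component."""
    needles = tuple(n.lower() for n in needles)
    hits = {r.location for r in records
            if any(n in r.path.lower() for n in needles)}
    return sorted(hits)


def suspicious_autostarts(records):
    """Entries that launch from locations no legitimate installer uses."""
    flagged = []
    for r in records:
        if "\\recycler\\" in r.path.lower():
            flagged.append((r.location, r.path, "launches from the Recycle Bin"))
        elif "autorun\\command" in r.line.lower():
            flagged.append((r.location, r.path, "AutoRun handler cached in MountPoints2"))
    return flagged


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LOG)
    print("GbPlugin loading points (one IE add-on toggle covers none of these):")
    for loc in loading_points(recs, "gbplugin", "gbieh"):
        print("  ", loc)
    print("Suspicious autostarts:")
    for loc, path, why in suspicious_autostarts(recs):
        print(f"   {why}: {path}  ({loc})")
```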

#6 ceolin

ceolin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:46 PM

Posted 12 May 2008 - 08:22 AM

Hello,

Sorry for the lack of time. It's my office PC and I don't access it on the weekend.

So, I can't do the uninstall of the GBPlugin. It's not on the list of the uninstall tool of Add & Remove Programs.
In this post I send an attachment with the print of the Internet Explorer Add Ons.

Here is the SDFix log:


SDFix: Version 1.181
Run by bruno on seg 12/05/2008 at 09:06

Microsoft Windows XP [versão 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 09:35:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"C:\Arquivos de programas\GbPlugin\GbpSv.exe"
"DisplayName"="Gbp Service"
"Group"="GbPlugin Group"
"ObjectName"="LocalSystem"
"Description"="Service for G-Buster Browser Defense"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv\Security]
"Security"=hex:01,00,14,80,88,00,00,00,94,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Arquivos de programas\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:c5,bb,67,1c,2e,28,0d,04,cd,ab,cb,88,d7,b4,3d,33,ba,ba,35,5b,b2,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,8a,36,5f,28,13,d6,ff,59,9e,c5,95,5f,7a,8f,6a,ae,ac,..
"khjeh"=hex:09,ef,b2,79,b2,48,53,15,87,15,95,8b,96,51,13,69,2e,f7,82,c5,77,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:b5,3c,31,c6,2b,b8,2e,c5,49,06,a8,50,ba,fa,d2,8a,1a,1c,37,2f,59,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"C:\Arquivos de programas\GbPlugin\GbpSv.exe"
"DisplayName"="Gbp Service"
"Group"="GbPlugin Group"
"ObjectName"="LocalSystem"
"Description"="Service for G-Buster Browser Defense"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv\Security]
"Security"=hex:01,00,14,80,88,00,00,00,94,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Arquivos de programas\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:c5,bb,67,1c,2e,28,0d,04,cd,ab,cb,88,d7,b4,3d,33,ba,ba,35,5b,b2,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,8a,36,5f,28,13,d6,ff,59,9e,c5,95,5f,7a,8f,6a,ae,ac,..
"khjeh"=hex:09,ef,b2,79,b2,48,53,15,87,15,95,8b,96,51,13,69,2e,f7,82,c5,77,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:b5,3c,31,c6,2b,b8,2e,c5,49,06,a8,50,ba,fa,d2,8a,1a,1c,37,2f,59,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\03E4A8BF51994184DA9F240ED0F9CDD3\Usage]
"Core"=dword:38acf9be

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\MSN Messenger\\msncall.exe"="C:\\Arquivos de programas\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Arquivos de programas\\Avant Browser\\avant.exe"="C:\\Arquivos de programas\\Avant Browser\\avant.exe:*:Enabled:Avant Browser"
"C:\\Arquivos de programas\\AR System\\User\\alert.exe"="C:\\Arquivos de programas\\AR System\\User\\alert.exe:*:Enabled:Remedy Alert for Windows"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\MSN Messenger\\msncall.exe"="C:\\Arquivos de programas\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Arquivos de programas\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Arquivos de programas\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:winvnc4"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Arquivos de programas\\SAP\\FrontEnd\\SapGui\\saplogon.exe"="C:\\Arquivos de programas\\SAP\\FrontEnd\\SapGui\\saplogon.exe:*:Enabled:SAP Logon for Windows"
"C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe"="C:\\Arquivos de programas\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Arquivos de programas\\Avant Browser\\avant.exe"="C:\\Arquivos de programas\\Avant Browser\\avant.exe:*:Enabled:Avant Browser"
"C:\\Arquivos de programas\\AR System\\User\\alert.exe"="C:\\Arquivos de programas\\AR System\\User\\alert.exe:*:Enabled:Remedy Alert for Windows"
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"="C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Java\\j2sdk1.4.1_01\\jre\\bin\\javaw.exe"="C:\\Java\\j2sdk1.4.1_01\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Java\\j2sdk1.4.1_01\\bin\\java.exe"="C:\\Java\\j2sdk1.4.1_01\\bin\\java.exe:*:Enabled:java"
"C:\\Borland\\JBuilder2005\\jdk1.4\\bin\\javaw.exe"="C:\\Borland\\JBuilder2005\\jdk1.4\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Borland\\JBuilder2005\\bin\\JBuilderw.exe"="C:\\Borland\\JBuilder2005\\bin\\JBuilderw.exe:*:Enabled:JBuilderw"
"C:\\Arquivos de programas\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"="C:\\Arquivos de programas\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe:*:Enabled:SR_GUI"
"C:\\Java\\j2sdk1.4.1_01\\bin\\javaw.exe"="C:\\Java\\j2sdk1.4.1_01\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Arquivos de programas\\Symantec\\Symantec Endpoint Protection\\Smc.exe"="C:\\Arquivos de programas\\Symantec\\Symantec Endpoint Protection\\Smc.exe:*:Enabled:SMC Service"
"C:\\Arquivos de programas\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"="C:\\Arquivos de programas\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE:*:Enabled:SNAC Service"
"C:\\Arquivos de programas\\Arquivos comuns\\Symantec Shared\\ccApp.exe"="C:\\Arquivos de programas\\Arquivos comuns\\Symantec Shared\\ccApp.exe:*:Enabled:Symantec Email"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 28 Jun 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 8 Aug 2007 407 A..H. --- "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 400 A..H. --- "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\COH\COHDLU.reg"
Fri 21 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Mon 12 May 2008 0 A..H. --- "C:\Documents and Settings\bruno ceolin\Configurações locais\Temp\BITE.tmp"
Thu 27 Sep 2007 83,456 ...H. --- "C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Microsoft\Modelos\~WRL3415.tmp"
Wed 16 Apr 2008 100,352 ...H. --- "C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Microsoft\Word\~WRL1286.tmp"
Tue 9 Oct 2007 93,184 ...H. --- "C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Microsoft\Word\~WRL2148.tmp"
Tue 7 Aug 2007 64,000 ...H. --- "C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Microsoft\Word\~WRL3578.tmp"
Tue 7 Aug 2007 64,512 ...H. --- "C:\Documents and Settings\bruno ceolin\Dados de aplicativos\Microsoft\Word\~WRL3632.tmp"
Tue 22 May 2007 60,380 A..H. --- "C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\visualstudio\7.1\vs000223.tmp"

Finished!


#7 miekiemoes

Posted 12 May 2008 - 01:51 PM

Hi,

This is what I posted previously:

You need to uninstall it - not disable it, because disabling won't make a difference, since it has many different loading points which you cannot just "disable" like that. That's why you should uninstall it - it's the only way to properly troubleshoot if it's indeed causing your issue.
Uninstalling a program goes via start > control panel > software > add & remove programs.
In that list, search for GBuster and uninstall it.


I see it's still up and running.

#8 ceolin

Posted 12 May 2008 - 02:00 PM

Hi,

This is what I posted previously:

So, I can't do the uninstall of the GBPlugin. It's not on the list of the uninstall tool of Add & Remove Programs.
In this post I send an attachment with the print of the Internet Explorer Add Ons.


Can you help me to uninstall it?

#9 miekiemoes

Posted 12 May 2008 - 02:12 PM

Hi,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

#10 miekiemoes

Posted 12 May 2008 - 02:15 PM

By the way - I also found this blogpost: http://insanebits.blogspot.com/2007/04/g-b...alysis-and.html
Interesting read - you'll also see that it is the cause of your problems.

#11 ceolin

Posted 12 May 2008 - 02:21 PM

I can't find the plugin in this list:

4U WMA MP3 Converter 5.9.3
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player ActiveX
Adobe Reader 7.0.9 - Português
Adobe Shockwave Player 11
Apyon Studio Client
Atualização de Segurança para o Windows Media Player (KB911564)
Atualização de Segurança para o Windows Media Player 11 (KB936782)
Atualização de Segurança para o Windows Media Player 6.4 (KB925398)
Atualização de Segurança para Windows Internet Explorer 7 (KB929969)
Atualização de Segurança para Windows Internet Explorer 7 (KB933566)
Atualização de Segurança para Windows Internet Explorer 7 (KB937143)
Atualização de Segurança para Windows Internet Explorer 7 (KB938127)
Atualização de Segurança para Windows Internet Explorer 7 (KB939653)
Atualização de Segurança para Windows Internet Explorer 7 (KB942615)
Atualização de Segurança para Windows Internet Explorer 7 (KB944533)
Atualização de Segurança para Windows XP (KB890046)
Atualização de Segurança para Windows XP (KB893756)
Atualização de Segurança para Windows XP (KB896358)
Atualização de Segurança para Windows XP (KB896423)
Atualização de Segurança para Windows XP (KB896428)
Atualização de Segurança para Windows XP (KB899587)
Atualização de Segurança para Windows XP (KB899591)
Atualização de Segurança para Windows XP (KB900725)
Atualização de Segurança para Windows XP (KB901017)
Atualização de Segurança para Windows XP (KB901214)
Atualização de Segurança para Windows XP (KB902400)
Atualização de Segurança para Windows XP (KB904706)
Atualização de Segurança para Windows XP (KB905414)
Atualização de Segurança para Windows XP (KB905749)
Atualização de Segurança para Windows XP (KB908519)
Atualização de Segurança para Windows XP (KB911562)
Atualização de Segurança para Windows XP (KB911927)
Atualização de Segurança para Windows XP (KB913580)
Atualização de Segurança para Windows XP (KB914388)
Atualização de Segurança para Windows XP (KB914389)
Atualização de Segurança para Windows XP (KB917537)
Atualização de Segurança para Windows XP (KB917953)
Atualização de Segurança para Windows XP (KB918118)
Atualização de Segurança para Windows XP (KB918439)
Atualização de Segurança para Windows XP (KB919007)
Atualização de Segurança para Windows XP (KB920213)
Atualização de Segurança para Windows XP (KB920670)
Atualização de Segurança para Windows XP (KB920683)
Atualização de Segurança para Windows XP (KB920685)
Atualização de Segurança para Windows XP (KB921503)
Atualização de Segurança para Windows XP (KB922819)
Atualização de Segurança para Windows XP (KB923191)
Atualização de Segurança para Windows XP (KB923414)
Atualização de Segurança para Windows XP (KB923980)
Atualização de Segurança para Windows XP (KB924191)
Atualização de Segurança para Windows XP (KB924270)
Atualização de Segurança para Windows XP (KB924667)
Atualização de Segurança para Windows XP (KB925902)
Atualização de Segurança para Windows XP (KB926255)
Atualização de Segurança para Windows XP (KB926436)
Atualização de Segurança para Windows XP (KB927779)
Atualização de Segurança para Windows XP (KB927802)
Atualização de Segurança para Windows XP (KB928255)
Atualização de Segurança para Windows XP (KB928843)
Atualização de Segurança para Windows XP (KB929123)
Atualização de Segurança para Windows XP (KB930178)
Atualização de Segurança para Windows XP (KB931261)
Atualização de Segurança para Windows XP (KB931784)
Atualização de Segurança para Windows XP (KB932168)
Atualização de Segurança para Windows XP (KB933729)
Atualização de Segurança para Windows XP (KB935839)
Atualização de Segurança para Windows XP (KB935840)
Atualização de Segurança para Windows XP (KB936021)
Atualização de Segurança para Windows XP (KB937894)
Atualização de Segurança para Windows XP (KB938829)
Atualização de Segurança para Windows XP (KB939373)
Atualização de Segurança para Windows XP (KB941202)
Atualização de Segurança para Windows XP (KB941568)
Atualização de Segurança para Windows XP (KB941569)
Atualização de Segurança para Windows XP (KB941644)
Atualização de Segurança para Windows XP (KB942830)
Atualização de Segurança para Windows XP (KB942831)
Atualização de Segurança para Windows XP (KB943055)
Atualização de Segurança para Windows XP (KB943460)
Atualização de Segurança para Windows XP (KB943485)
Atualização de Segurança para Windows XP (KB944653)
Atualização de Segurança para Windows XP (KB946026)
Atualização para Windows XP (KB894391)
Atualização para Windows XP (KB898461)
Atualização para Windows XP (KB900485)
Atualização para Windows XP (KB904942)
Atualização para Windows XP (KB908531)
Atualização para Windows XP (KB910437)
Atualização para Windows XP (KB911280)
Atualização para Windows XP (KB916595)
Atualização para Windows XP (KB920342)
Atualização para Windows XP (KB920872)
Atualização para Windows XP (KB922582)
Atualização para Windows XP (KB925876)
Atualização para Windows XP (KB927891)
Atualização para Windows XP (KB930916)
Atualização para Windows XP (KB931836)
Atualização para Windows XP (KB933360)
Atualização para Windows XP (KB936357)
Atualização para Windows XP (KB938828)
Atualização para Windows XP (KB942763)
Avanquest update
Avant Browser (remove only)
BSPlayer
CCleaner (remove only)
Cisco IP Communicator
Compare and Merge 2.3
Desinstalar o software da impressora Lexmark
Developer Express .NET v8.1
Enterprise Architect 5.0 - 30 Day Trial
Enterprise Library 3.1 - May 2007
Google Earth
Google Gmail Notifier
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix para o Windows Media Player 11 (KB939683)
Hotfix para Windows XP (KB914440)
Hotfix para Windows XP (KB924867)
Iceows V4.20b
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
iOfficeWorks 7.80
Java 2 Platform, Enterprise Edition 1.4 SDK
Java 2 SDK, SE v1.4.1_01
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
LiveUpdate 3.3 (Symantec Corporation)
Macromedia Extension Manager
Macromedia Fireworks MX
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - PTB
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - PTB
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Language Pack - ptb
Microsoft .NET Framework 3.5 Language Pack - ptb
Microsoft ASP.NET 2.0 AJAX Extensions 1.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Firewall Client
Microsoft Firewall Client Update KB905662
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office OneNote 2003
Microsoft Office Professional Edição 2003
Microsoft Office Project Professional 2003
Microsoft Silverlight
Microsoft SQL Server 2000 Reporting Services Enterprise Edition
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual SourceSafe 6.0
Microsoft Visual Studio .NET Enterprise Architect 2003 - English
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Motorola Phone Tools
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
ObjectDock
Pacote de Driver do Windows - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Pacote de Driver do Windows - Nokia Modem (02/15/2007 3.1)
Pacote de Driver do Windows - Nokia Modem (02/15/2007 3.1)
Pacote de Driver do Windows - Nokia Modem (05/24/2007 6.84.0.1)
Pacote de Driver do Windows - Nokia Modem (08/03/2007 6.84.0.2)
Pacote de Driver do Windows - Nokia Modem (08/08/2007 3.3)
PC Connectivity Solution
PDF reDirect (remove only)
PL/SQL Developer
PL-2303 USB-to-Serial
PowerISO
Realtek AC'97 Audio
Remedy User 6.3
SAP Front End
SAP NetWeaver Developer Studio 2.0.9
SAP Tutor
Skype 3.1
Skype Plugin Manager
SQL Prompt
SQL Server Setup Support Package
Sybase PowerDesigner 9.5.2 Evaluation
Symantec Endpoint Protection
TextPad 4.7
Whizlabs SCJP 1.4 Preparation Kit version 6.0.1
Whizlabs SCJP 5.0 Preparation Kit version 6.0.1
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip 11.1
XML Paper Specification Shared Components Language Pack 1.0
XP Codec Pack

Edited by ceolin, 12 May 2008 - 02:24 PM.


#12 ceolin

Posted 12 May 2008 - 02:30 PM

By the way - I also found this blogpost: http://insanebits.blogspot.com/2007/04/g-b...alysis-and.html
Interesting read - you'll also see that it is the cause of your problems.


In my office, the blogspot.com is blocked by the proxy. Can you put the information here?

#13 miekiemoes

Posted 12 May 2008 - 02:33 PM

From the blogpost I posted in my previous reply, I've read that, even if we remove it manually, it will redownload and reinstall itself automatically again when you want to use Banco Real ABN AMRO. Unless you use Banco Real ABN AMRO on a restricted account, so no admin account.

Also, from the same blogpost and the comments below, you see that GBuster interferes with a lot of other programs as well, causing crashes, BSODs etc.. and one of these is Objectdock which you also have installed.

A quote from the comments:

Bluntly, I'm fed up with that security tool. It has caused many problems here and, I'D LIKE TO POINT OUT, considering several fresh installations of XP SP2 (properly updated), my headaches have nothing to do with spyware, malware or anything alike.

Gbpsv.exe, every time I load the bank page, slows down the browser and sometimes closes windows suddenly. In some cases the PC seems to hang completely while that damn tool performs its operations.

At this moment the "security" tool is causing errors when my display software (Samsung MagicTune) is closing (during shutdown or restart) and, also, I can't use software like RocketDock or Stardock ObjectDesktop.

Adding up, I must say sometimes Kaspersky Internet Security works in a crazy way because of the tool.

Taking all of this into account, I do really think the G-Buster Service is useful; it's useful to bother average and advanced users. There are times when I think having a Core 2 Quad and 4G of RAM is pointless... that tool really makes my system work like my old K6-II 500MHz.


So, let me know if you want to proceed with its removal or not, because it's clearly the cause of all your issues, but it's up to you whether you want to delete it or not. Remember, it will reinstall itself again if you visit the site again from an account with administrator privileges.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:46 AM

Posted 12 May 2008 - 02:35 PM

In my office, blogspot.com is blocked by the proxy. Can you put the information here?


Ooh, so this is a computer from the office?
In that case, please discuss with your superiors whether it's OK to remove it - because after all, it's still a legitimate application/security tool - however, it causes a LOT of issues.

#15 ceolin

ceolin
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:46 PM

Posted 12 May 2008 - 02:44 PM

In my office, blogspot.com is blocked by the proxy. Can you put the information here?


Ooh, so this is a computer from the office?
In that case, please discuss with your superiors whether it's OK to remove it - because after all, it's still a legitimate application/security tool - however, it causes a LOT of issues.


It's OK to remove it. Banco Real ABN AMRO is my personal bank.
This plugin works fine on the other computers in my office. I don't know why only my computer is slow.
But I want to try removing it to see if the computer works fine afterwards.

Can you continue to help me?

Edited by ceolin, 12 May 2008 - 02:45 PM.
