gbiehuni.dll resolvido

Question

[COLOR=black]Oi, Preciso de ajuda.[/COLOR]
[COLOR=black]Tem uma m&aacute;quina onde trabalho que o antiv&iacute;rus McAfee detecta gbiehuni.dll como v&iacute;rus ap&oacute;s usu&aacute;rio entrar em conta de Banco e deixando a m&aacute;quina lenta, mas j&aacute; entrei no Google para pesquisar se &eacute; ou n&atilde;o &eacute; v&iacute;rus, e as respostas foram n&atilde;o, que ele &eacute; uma ferramenta de anti-trojan dos Bancos principalmente do Bradesco, entrei no site virustotal e de acordo com as pesquisas tamb&eacute;m n&atilde;o &eacute; v&iacute;rus. Gostaria de ajuda para saber se &eacute; realmente v&iacute;rus e se n&atilde;o for ajuda para que o McAfee para de identific&aacute;-lo como v&iacute;rus e deixando a m&aacute;quina lenta.:nao_sei: [/COLOR]

Answer

Poste um log do HijackThis aqui.

N&atilde;o &eacute; virus se estiver nesta pasta C:\Arquivos de Programas\GbPlugin.

Mas tem um malware que se passa por este plugin com o mesmo nome e cria a mesma pasta.

Answer

[COLOR=#22229c]Logfile of HijackThis v1.99.1
Scan saved at 17:10:20, on 07/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)[/COLOR]
[COLOR=#22229c]Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe
C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe
C:\ARQUIV~1\NETWOR~1\COMMON~1
aPrdMgr.exe
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Arquivos de programas\ORL\VNC\WinVNC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE
C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe
C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
D:\hijackthis\HijackThis.exe[/COLOR]
[COLOR=#22229c]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O4 - HKLM\..\Run: [WinVNC] C:\Arquivos de programas\ORL\VNC\WinVNC.exe -servicehelper
O4 - HKLM\..\Run: [Kerio VPN Client] C:\Arquivos de programas\Kerio\VPN Client\kvpnclient.exe /tryauto
O4 - HKLM\..\Run: [ShStatEXE] C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] C:\Arquivos de programas\MSN Messenger\msnmsgr.exe /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Readereader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {9EC30204-384D-11D3-9CA3-00A024F0AF03} (ValidaUsuario Class) - https://cpne.bradesco.com.br/certifexp.cab
O16 - DPF: {B3D3825B-2120-4B0E-8C45-80ECC1D3E70D} (GeraCert Class) - https://bradesconetempresa.com.br/ne/CA.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = saphyr.ltda
O17 - HKLM\Software\..\Telephony: DomainName = saphyr.ltda
O17 - HKLM\System\CCS\Services\Tcpip\..\{4773A648-7939-44AD-B89E-E21018D8FA48}: NameServer = 172.74.0.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = saphyr.ltda
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = saphyr.ltda
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify:  GbPluginUni - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: eortwggg - C:\WINDOWS\SYSTEM32\eortwggg.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Servi&ccedil;o McAfee Framework (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\ORL\VNC\WinVNC.exe -service (file missing)[/COLOR]
[COLOR=#22229c][/COLOR][EMAIL=S@sct3c][/EMAIL]

Answer

Eu fico muito P da vida com esses plugins, o do bradesco eu sarto fora dele e n&atilde;o instalo, ele acaba abrindo, o itau nao usa, o teclado virtual dele valendo 2 numeros resolve, j&aacute; a caixa n&atilde;o tem jeito de acessar sem ele instalado. Morro de raiva
 
O plugin deixa o IE lento, &eacute; carregado junto com o servi&ccedil;o winlogon, e n&atilde;o sai nem por reza brava, ele fica checando o tempo todo se o servi&ccedil;o ta parado se a chave do registro t&aacute; l&aacute; e etc. Meu PC demora uns 40 segundos a mais para desligar quanto ele t&aacute; instalado.
 
A gente que paga o pato por usuarios leigos cheio de virus no PC que permitem que sejam capturados seus dados, os banco levam a fama de inseguros. E na verdade a culpa &eacute; do conhecimento quase nulo de alguns em info. :bravo: 
 
O amigo vai te instruir a analisar o log, mas eu acho que esse aqui &eacute; v&iacute;rus: (C:\WINDOWS\SYSTEM32\eortwggg.dll).

Answer

Baixe o Malwarebytes Anti-Malware:
http://www.besttechie.net/tools/mbam-setup.exe

- Duplo clique em mbam-setup.exe;
- Marque Atualizar Malwarebytes Anti-Malware e Executar Malwarebytes Anti-Malware, e clique em concluir;
- Marque Verifica&ccedil;&atilde;o Completa e depois clique em Verificar. Selecione sua Unidade C: e clique em Iniciar Verifica&ccedil;&atilde;o;
- Quando o scan terminar, clique em Ok e em Mostrar Resultados para ver o log;
- Se algo for detectado, veja se tudo est&aacute; marcado e clique em Remover;
- O log &eacute; automaticamente gravado e pode ser consultado clicando em Logs do menu principal;
- Copie e cole o conte&uacute;do desse log na sua pr&oacute;xima resposta.

E tamb&eacute;m gere novo log do HijackThis e cole na sua resposta junto com o do Malwarebytes.

Answer

Resultado do Malwarebytes Anti-Malware
 
Malwarebytes' Anti-Malware 1.28
Vers&atilde;o do banco de dados: 1240
Windows 5.1.2600 Service Pack 2
07/10/2008 18:04:50
mbam-log-2008-10-07 (18-04-50).txt
Tipo de Verifica&ccedil;&atilde;o: Completa (C:\|)
Objetos verificados: 90638
Tempo decorrido: 29 minute(s), 26 second(s)
Processos da Mem&oacute;ria infectados: 0
M&oacute;dulos de Mem&oacute;ria Infectados: 1
Chaves do Registro infectadas: 9
Valores do Registro infectados: 3
&Iacute;tens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 5
Processos da Mem&oacute;ria infectados:
(Nenhum &iacute;tem malicioso foi detectado)
M&oacute;dulos de Mem&oacute;ria Infectados:
C:\WINDOWS\system32\eortwggg.dll (Trojan.FakeAlert) -> Delete on reboot.
Chaves do Registro infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eortwggg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/system32/logof.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{9ec301f7-384d-11d3-9ca3-00a024f0af03} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{59eae925-6127-11d3-9ca9-00a024f0af03} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9ec30203-384d-11d3-9ca3-00a024f0af03} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9ec30204-384d-11d3-9ca3-00a024f0af03} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9ec30204-384d-11d3-9ca3-00a024f0af03} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uni.gpc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services	cpsr (Rootkit.Agent) -> Quarantined and deleted successfully.
Valores do Registro infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersionhcgclj0eg8a (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\Logof.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\uni.gpc (Trojan.Agent) -> Quarantined and deleted successfully.
&Iacute;tens do Registro infectados:
(Nenhum &iacute;tem malicioso foi detectado)
Pastas infectadas:
(Nenhum &iacute;tem malicioso foi detectado)
Arquivos infectados:
C:\WINDOWS\system32\eortwggg.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\QooBox\Quarantine\C\WINDOWS\system32\eortwggg.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Logof.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\scpsssh2.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\uni.gpc (Trojan.Agent) -> Delete on reboot.

Resultado do HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 18:14:04, on 07/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe
C:\ARQUIV~1\NETWOR~1\COMMON~1
aPrdMgr.exe
C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Arquivos de programas\ORL\VNC\WinVNC.exe
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE
C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe
C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
D:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O4 - HKLM\..\Run: [WinVNC] C:\Arquivos de programas\ORL\VNC\WinVNC.exe -servicehelper
O4 - HKLM\..\Run: [Kerio VPN Client] C:\Arquivos de programas\Kerio\VPN Client\kvpnclient.exe /tryauto
O4 - HKLM\..\Run: [ShStatEXE] C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] C:\Arquivos de programas\MSN Messenger\msnmsgr.exe /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Readereader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {B3D3825B-2120-4B0E-8C45-80ECC1D3E70D} (GeraCert Class) - https://bradesconetempresa.com.br/ne/CA.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = saphyr.ltda
O17 - HKLM\Software\..\Telephony: DomainName = saphyr.ltda
O17 - HKLM\System\CCS\Services\Tcpip\..\{4773A648-7939-44AD-B89E-E21018D8FA48}: NameServer = 172.74.0.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = saphyr.ltda
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = saphyr.ltda
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify:  GbPluginUni - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Servi&ccedil;o McAfee Framework (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Arquivos de programas\ORL\VNC\WinVNC.exe -service (file missing)

Answer

Baixe o ComboFix e salve-o em seu desktop (&aacute;rea de trabalho);

Desative o antivirus temporariamente, feche as janelas abertas.
V&aacute; em Iniciar > Executar, digite %userprofile%\desktop\combofix.exe /killall e clique em Ok como na imagem:

http://img181.imageshack.us/img181/5825/combofixejr8.gif

Na pr&oacute;xima janela clique em Executar, caso pe&ccedil;a para pressionar alguma tecla, pressione 1 e d&ecirc; um Enter. Aguarde o t&eacute;rmino do scan.
O ComboFix talvez reiniciar&aacute; seu PC automaticamente para completar o processo de remo&ccedil;&atilde;o.
Quando terminar, ser&aacute; gerado um log, que estar&aacute; em C:\ComboFix.txt.
N&atilde;o mova o mouse ou use o teclado na hora em que a ferramenta estiver rodando.
Para parar ou sair do ComboFix, tecle N.

Cole o log do ComboFix em sua resposta.

Answer

[COLOR=black][FONT=Times New Roman][size=5]Mateus esta m&aacute;quina que n&oacute;s estamos falando, antes de acontecer este problema com o arquivo gbiehuni.dll ela adquiriu um v&iacute;rus chamado: Anti-vurus do Microsoft Windows XP, ent&atilde;o procurei no Google e encontrei atrav&eacute;s de F&oacute;runs essa ferramenta e passei na m&aacute;quina, o v&iacute;rus foi retirado. Percebi que o perfil da usu&aacute;ria estava super lento ent&atilde;o achei que o v&iacute;rus tinha ferrado o perfil e exclui o perfil e fiz outro. A partir dai come&ccedil;ou esse problema com o McAfee X gbiehuni.dll. Desculpe n&atilde;o informar sobre o V&iacute;rus que a m&aacute;quina tinha adquirido, pois para mim o problema est&aacute; solucionado.[/SIZE][/FONT][/COLOR]
[COLOR=black][FONT=Times New Roman][size=5][/SIZE][/FONT][/COLOR] 
[COLOR=black][FONT=Times New Roman][size=5]Segue o resultado do combofix que eu tinha feito:[/SIZE][/FONT][/COLOR]
[COLOR=black][FONT=Times New Roman][size=5]ComboFix 08-09-30.03 - Administrador 2008-10-01 15:19:12.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1046.18.310 [GMT -3:00]
Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe[/SIZE][/FONT][/COLOR]
[COLOR=black][FONT=Times New Roman][size=5][color=red]ATEN&Ccedil;AO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERA&Ccedil;&Atilde;O INSTALADA !![/color]
.[/SIZE][/FONT][/COLOR]
[COLOR=black][FONT=Times New Roman][size=5](((((((((((((((((((((((((((((((((((((   Outras Exclus&otilde;es   )))))))))))))))))))))))))))))))))))))))))))))))))))
.[/SIZE][/FONT][/COLOR]
[COLOR=black][FONT=Times New Roman][size=5]C:\Arquivos de programashcgclj0eg8a
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Antivirus XP 2008
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\patricia.santos\Cookies\patricia.santos@ad.adnetwork.com[2].txt
C:\Documents and Settings\patricia.santos\Cookies\patricia.santos@ehg-discoverynetwork.hitbox[2].txt
C:\Documents and Settings\patricia.santos\Cookies\patricia.santos@specificclick[1].txt
C:\Documents and Settings\patricia.santos\Cookies\patricia.santos@statcounter[1].txt
C:\Documents and Settings\patricia.santos\Cookies\patricia.santos@zap.com[2].txt
C:\Documents and Settings\patricia.santos\Dados de aplicativos\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\patricia.santos\Dados de aplicativoshcgclj0eg8a
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\8.tmp
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\blphclclj0eg8a.scr
C:\WINDOWS\system32\dflgh8jkd2q1.exe
C:\WINDOWS\system32\dflgh8jkd2q2.exe
C:\WINDOWS\system32\dflgh8jkd2q5.exe
C:\WINDOWS\system32\dflgh8jkd2q6.exe
C:\WINDOWS\system32\dflgh8jkd2q7.exe
C:\WINDOWS\system32\dflgh8jkd2q8.exe
C:\WINDOWS\system32\eortwggg.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\lphclclj0eg8a.exe
C:\WINDOWS\system32\phclclj0eg8a.bmp
C:\WINDOWS\system32s32net.exe
C:\WINDOWS\system32\vedxg3am1et3.exe
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga4m1et4.exe
C:\WINDOWS\system32\vedxga4me1.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\winds32.exe
C:\WINDOWS\system32\wpv407.cpx
C:\WINDOWS\wiaservb.log
C:\WINDOWS\winhelp.ini[/SIZE][/FONT][/COLOR]
[COLOR=black][FONT=Times New Roman][size=5].
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.[/SIZE][/FONT][/COLOR]
[COLOR=black][FONT=Times New Roman][size=5]-------\Legacy_TCPSR
-------\Legacy_THEMESBROWSER
-------\Service_tcpsr
-------\Service_ThemesBrowser[/SIZE][/FONT][/COLOR]
[COLOR=black][FONT=Times New Roman][size=5]
(((((((((((((((((((((((   Ficheiros criados de 2008-09-01 to 2008-10-01  ))))))))))))))))))))))))))))))))
.
2008-10-01 15:12 . 2008-10-01 15:12 244 --ah----- C:\sqmnoopt02.sqm
2008-10-01 15:12 . 2008-10-01 15:12 232 --ah----- C:\sqmdata02.sqm
2008-10-01 14:56 . 2008-10-01 15:06  d-------- C:\quarantine
2008-10-01 14:46 . 2008-10-01 14:46  d---s---- C:\WINDOWS\system32\config\systemprofile\UserData
2008-10-01 14:26 . 2008-10-01 14:26  dr------- C:\Documents and Settings\NetworkService\Favoritos
2008-10-01 13:14 . 2008-10-01 13:14 29 --a------ C:\WINDOWS\system32\gaootqee.tmp
2008-10-01 13:13 . 2008-10-01 13:13 20,480 --ahs---- C:\WINDOWS\system32\alrsvcz.dll
2008-10-01 13:12 . 2008-10-01 15:25 32,256 --a------ C:\WINDOWS\system32\drivers\ati2xqxx.sys
2008-10-01 13:12 . 2008-10-01 14:41 131 --a-s---- C:\WINDOWS\system32\130616014.dat
2008-10-01 12:06 . 2008-10-01 12:06  d-------- C:\INTEL
2008-09-30 11:36 . 2008-09-30 11:36  d-------- C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin
2008-09-29 10:23 . 2008-09-29 10:23 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-09-29 10:23 . 2008-09-29 10:23 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-09-29 10:23 . 2008-09-29 10:23 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-09-29 10:23 . 2008-09-29 10:23 749 -rah----- C:\WINDOWS\system32
wc.cpl.manifest
2008-09-29 10:23 . 2008-09-29 10:23 749 -rah----- C:\WINDOWS\system32
cpa.cpl.manifest
2008-09-29 10:23 . 2008-09-29 10:23 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-09-19 15:46 . 2008-09-19 18:50  d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-03 15:27 . 2008-09-03 15:27  d-------- C:\kgp2
.
(((((((((((((((((((((((((((((((((((((   Relat&oacute;rio Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
------- Sigcheck -------
2007-10-30 13:53  360832  64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE	cpip.sys
2008-06-20 07:44  360960  744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE	cpip.sys
2008-06-20 08:51  361600  9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR	cpip.sys
2008-06-20 08:59  361600  ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE	cpip.sys
2008-04-13 16:20  361344  93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\SoftwareDistribution\Download\ab328c51d3f122e9b4346fc25ad3082e	cpip.sys
2004-08-04 09:00  359040  1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers	cpip.sys
.
((((((((((((((((((((((((((   Pontos de Carregamento do Registro   )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias & leg&iacute;timas por defeito n&atilde;o s&atilde;o mostradas.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
msnmsgr=C:\Arquivos de programas\MSN Messenger\msnmsgr.exe [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinVNC=C:\Arquivos de programas\ORL\VNC\WinVNC.exe [2001-03-16 208896]
Kerio VPN Client=C:\Arquivos de programas\Kerio\VPN Client\kvpnclient.exe [2006-07-26 2506752]
ShStatEXE=C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE [2004-09-22 94208]
McAfeeUpdaterUI=C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe [2004-08-06 139320]
Network Associates Error Reporting Service=C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe [2003-10-07 147514]
SiSPower=SiSPower.dll [2005-01-04 C:\WINDOWS\system32\SiSPower.dll]
SoundMan=SOUNDMAN.EXE [2004-11-15 C:\WINDOWS\SOUNDMAN.EXE]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Acrobat 7.0\Readereader_sl.exe [2005-09-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
DisableCAD= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
{E37CB5F0-51F5-4395-A808-5FA49E399008}= C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2008-08-29 378784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\ GbPluginUni]
2008-08-29 14:33 378784 C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\ckpNotify]
2003-04-08 17:45 24666 C:\WINDOWS\system32\ckpNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-746137067-1677128483-839522115-1003\Scripts\Logon\0\0]
Script=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-746137067-1677128483-839522115-1639\Scripts\Logon\0\0]
Script=logon.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2xqxx.sys]
@=Driver
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
AntiVirusDisableNotify=dword:00000001
UpdatesDisableNotify=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
EnableFirewall= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
%windir%\system32\sessmgr.exe=
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe=
C:\Arquivos de programas\MSN Messenger\livecall.exe=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
3389:TCP= 3389:TCP:@xpsp2res.dll,-22009
R0 ati2xqxx;ati2xqxx;C:\WINDOWS\system32\Drivers\ati2xqxx.sys [2008-10-01 32256]
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2003-04-08 17232]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2003-04-08 628560]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2003-04-08 1882800]
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys [2006-03-29 59392]
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2003-04-08 14924]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e647e43e-22ad-11dd-9fb5-0013d46129a7}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs
*Newly Created Service* - TCPSR
.
- - - - ORFAOS REMOVIDOS - - - -
HKLM-Run-lphclclj0eg8a - C:\WINDOWS\system32\lphclclj0eg8a.exe
HKLM-Run-rs32net - C:\WINDOWS\System32s32net.exe
HKLM-Run-GKMHAHVJ - C:\WINDOWS\GKMHAHVJ.exe
HKLM-Run-SMrhcgclj0eg8a - C:\Arquivos de programashcgclj0eg8ahcgclj0eg8a.exe

.
------- Ccan Suplementar -------
.
R0 -: HKCU-Main,Start Page = about:blank
O8 -: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{4773A648-7939-44AD-B89E-E21018D8FA48}: NameServer = 172.74.0.90
O16 -: {9EC30204-384D-11D3-9CA3-00A024F0AF03} - hxxps://cpne.bradesco.com.br/certifexp.cab
C:\WINDOWS\Downloaded Program Files\CertifExp.inf
C:\WINDOWS\system32\Logof.dll
O16 -: {B3D3825B-2120-4B0E-8C45-80ECC1D3E70D} - hxxps://bradesconetempresa.com.br/ne/CA.cab
C:\WINDOWS\Downloaded Program Files\CA.inf
C:\WINDOWS\system32\dllreq.dll
C:\WINDOWS\system32\GerOf.dll
O16 -: {E37CB5F0-51F5-4395-A808-5FA49E399008} - hxxps://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
C:\WINDOWS\Downloaded Program Files\GbPluginuni.inf
C:\WINDOWS\Downloaded Program Files\uni.gpc
C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 15:26:25
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializ&aacute;veis ocultas ...
Procurando ficheiros ocultos ...

C:\WINDOWS\system32\drivers\TXXTHTDX.sys 179712 bytes executable
Varredura completada com sucesso
Ficheiros ocultos: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TXXTHTDX]
ImagePath=\??\C:\WINDOWS\system32\drivers\TXXTHTDX.sys
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]
.
------------------------ Outros Processos em Execu&ccedil;&atilde;o ------------------------
.
C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe
C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe
C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe
C:\ARQUIV~1\NETWOR~1\COMMON~1
aPrdMgr.exe
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Arquivos de programas\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32undll32.exe
.
**************************************************************************
.
Tempo para conclus&atilde;o: 2008-10-01 15:29:29 - Maquina reiniciou [patricia.santos]
ComboFix-quarantined-files.txt  2008-10-01 18:29:18
Pre-Run: 2.168.287.232 bytes dispon&iexcl;veis
Post-Run: 3,134,169,088 bytes dispon&iexcl;veis
206 --- E O F --- 2008-09-12 17:28:38
[/SIZE][/FONT][/COLOR]

Answer

Mateus esta m&aacute;quina que n&oacute;s estamos falando, antes de acontecer este problema com o arquivo gbiehuni.dll ela adquiriu um v&iacute;rus chamado: Anti-vurus do Microsoft Windows XP, ent&atilde;o procurei no Google e encontrei atrav&eacute;s de F&oacute;runs essa ferramenta e passei na m&aacute;quina, o v&iacute;rus foi retirado.Eu j&aacute; tinha visto no seu log o rogue Microsoft antivirus.

Quanto ao programa do banco que o McAfee est&aacute; detectando, creio que seja um falso-positivo. Mas mande o plugin do banco para o VirusTotal. Copie o link do resultado e cole-o aqui.

Bom continuando...

Delete a pasta Qoobox em C:\[COLOR=Red]Qoobox[/COLOR]. Em seguida, selecione e copie o conte&uacute;do aqui abaixo. Abra o Bloco de Notas do computador e cole este conte&uacute;do copiado dentro dele. Salve-o em sua &aacute;rea de trabalho com o nome de CFScript.txt

[COLOR=black]File::
C:\sqmnoopt02.sqm
C:\sqmdata02.sqm[/COLOR][COLOR=black]
C:\WINDOWS\system32\gaootqee.tmp
C:\WINDOWS\system32\alrsvcz.dll
C:\WINDOWS\system32\130616014.dat[/COLOR][COLOR=black]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
AntiVirusDisableNotify=-
UpdatesDisableNotify=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e647e43e-22ad-11dd-9fb5-0013d46129a7}][/COLOR]   Arraste o CFScript para o ComboFix. Veja:

https://www.hardware.com.br/static/c/m/ab4ef12fda6a9f36076601f8ba01d696

O ComboFix ser&aacute; executado automaticamente. N&atilde;o mova o mouse ou use o teclado durante o processo. O ComboFix talvez reiniciar&aacute; seu PC automaticamente.

Ser&aacute; gerado um log em C:\ComboFix.txt. Cole este log do ComboFix e um novo log do HijackThis na sua pr&oacute;xima resposta.

Answer

Esse plugin &eacute; do Unibanco ,n&atilde;o &eacute; facil desintalar ,tive que retirar na unha e a proposito n&atilde;o &eacute; malware.No Xp fica na pasta C:\windows\downloaded program files

Answer

Boa neneko. e lembrando este plug &eacute; plug de seguran&ccedil;a do banco. para que seus clientes possam fazer suas tranferencias bancarias pela internet.

N&atilde;o delete ele. caso voc&ecirc; use o banco pela internet.

abra&ccedil;os.

Answer

[quote=gustavo.m.m, post: 4013378]Boa neneko. e lembrando este plug &eacute; plug de seguran&ccedil;a do banco. para que seus clientes possam fazer suas tranferencias bancarias pela internet.

N&atilde;o delete ele. caso voc&ecirc; use o banco pela internet.

abra&ccedil;os.[/quote]
N&atilde;o &eacute; por a&iacute; n&atilde;o.

Existe um plugin com esse mesmo nome e cria a mesma pasta que &eacute; um Banker. Portanto, n&atilde;o diga para n&atilde;o deletar. Primeiramente saiba se o plugin &eacute; leg&iacute;tmo ou n&atilde;o para ent&atilde;o depois passar algum procedimento dr&aacute;stico de remo&ccedil;&atilde;o.

Vamos supor que seja um Banker, voc&ecirc; n&atilde;o o deletaria porque &eacute; um plugin de seguran&ccedil;a?

Pesquise antes de responder.

Answer

Se voc&ecirc; acha que &eacute; um banker. delete-o

Answer

[quote=gustavo.m.m, post: 4013609]Se voc&ecirc; acha que &eacute; um banker. delete-o[/quote]
Veja o que eu disse ao amigo Rafa:

Quanto ao programa do banco que o McAfee est&aacute; detectando, creio que seja um falso-positivo. Mas mande o plugin do banco para o VirusTotal. Copie o link do resultado e cole-o aqui.Portanto, n&atilde;o disse que &Eacute; um Banker. N&atilde;o sei onde voc&ecirc; ouvir eu dizer que o plugin que est&aacute; no computador do amigo &eacute; um Banker.

Mas sim que existe um Banker com mesmo nome. Se n&atilde;o acredita, pesquise e me diga depois!

Ali&aacute;s, se entende tanto de seguran&ccedil;a assim, deveria saber disso j&aacute;...

Answer

Amigo .  eu duvido muito que seja um banker. mas cada um cada um . 
at&eacute; hoje nunca tive problemas com o tal plug.agora bom servi&ccedil;o . fui 
tenho mais coisas para fazer. do que fica aqui perdendo tempo . descutindo por um plug