Fórum Script Brasil

[Solved] Fake Page

Question

Guest --Ricardo --

If anyone can help me, I would appreciate it.

When I open the itibank page, a spaw appears that looks like the page where I am supposed to type my password and login, but I am sure it is not from the bank, and I cannot remove it no matter what. Here is the log.

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\CA\eTrust Antivirus\InoRpc.exe

C:\Arquivos de programas\CA\eTrust Antivirus\InoRT.exe

C:\Arquivos de programas\CA\eTrust Antivirus\InoTask.exe

C:\WINDOWS\System32\srvany.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\Autmgr32.exe

C:\WINDOWS\RCSERV.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Program Files\Babylon\Babylon.exe

C:\Arquivos de programas\Arquivos comuns\PestPatrol\ppmcactivedetection.exe

C:\WINDOWS\System32\systen32.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

C:\WINDOWS\System32\taskmgr.exe

I:\GLOBOPAR\CARMEN\antMalwares\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://viaglobal/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://viaglobal/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://128.1.0.20/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://viaglobal/proxypac/proxy_wan.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.1.0.29:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 128

O1 - Hosts: 128.1.0.20 caixaunico

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [DrvLsnr] C:\Arquivos de programas\Analog Devices\SoundMAX\DrvLsnr.exe

O4 - HKLM\..\Run: [Realtime Monitor] C:\ARQUIV~1\CA\ETRUST~1\realmon.exe -s

O4 - HKLM\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKLM\..\Run: [wallpaper] c:\windows\regedit.exe /s c:\windows\WP9X.reg

O4 - HKLM\..\Run: [date] c:\windows\regedit.exe /s c:\windows\date.reg

O4 - HKLM\..\Run: [printer] c:\windows\regedit.exe /s c:\windows\printer.reg

O4 - HKLM\..\Run: [babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart

O4 - HKLM\..\Run: [swdisUsrPCN.AC017026] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"

O4 - HKLM\..\Run: [PPMCActiveDetection] C:\Arquivos de programas\Arquivos comuns\PestPatrol\ppmcactivedetection.exe "-ini:C:\Arquivos de programas\Arquivos comuns\PestPatrol\ppmcad.ini"

O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe

O4 - HKLM\..\Run: [systen32] C:\WINDOWS\System32\systen32.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\ARQUIV~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Arquivos de programas\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: systen32.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Arquivos de programas\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Arquivos de programas\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Arquivos de programas\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Arquivos de programas\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Arquivos de programas\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://viaglobal/

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102684086764

O16 - DPF: {aa44da02-7f61-11d4-a3e1-00c04fa32518} -

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://128.1.0.20/viewer/activeXViewer/activexviewer.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.tvglobo.com.br

O17 - HKLM\Software\..\Telephony: DomainName = corp.tvglobo.com.br

O17 - HKLM\System\CCS\Services\Tcpip\..\{4D58C9EA-29D3-4B59-940C-278A48DB2713}: Domain = corp.tvglobo.com.br

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.tvglobo.com.br

O20 - AppInit_DLLs:

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Arquivos de programas\CA\eTrust Antivirus\InoRpc.exe

O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Arquivos de programas\CA\eTrust Antivirus\InoRT.exe

O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Arquivos de programas\CA\eTrust Antivirus\InoTask.exe

O23 - Service: OracleORACLE81ClientCache - Unknown owner - C:\Oracle\ora81\BIN\ONRSD.EXE

O23 - Service: Sispro Automation Manager (SisproAutMgr) - Unknown owner - C:\WINDOWS\System32\srvany.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Tivoli Remote Control Service (TME10RC) - IBM Corporation - C:\WINDOWS\RCSERV.EXE

6 answers to this question

  • 0

Download Pocket KillBox

Save it to a folder on C:\

Open Notepad, copy these lines and save.

C:\WINDOWS\System32\lsasss.exe

C:\WINDOWS\System32\systen32.exe

Open KillBox and check the Delete on Reboot option. Open Notepad, select and copy the saved lines. In KillBox, click File, then Paste from Clipboard, click the All Files button and click the X button. Then click No.

Open HijackThis, click Do a system scan only, check the entries below and click the Fix Checked button.

O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe

O4 - HKLM\..\Run: [systen32] C:\WINDOWS\System32\systen32.exe

O4 - Global Startup: systen32.exe

O16 - DPF: {aa44da02-7f61-11d4-a3e1-00c04fa32518} -

Restart and post a new HijackThis log made in Normal Mode.

Are you connected through a proxy?
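
An added example, not part of the original reply: the two files singled out above, lsasss.exe and systen32.exe, each differ by one character from a genuine Windows name (lsass.exe, system32). The sketch below applies that lookalike check to O4 lines taken from the log in this thread; the KNOWN_NAMES list and the one-edit threshold are assumptions.

```python
import re

# Sample input: O4 lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [wallpaper] c:\windows\regedit.exe /s c:\windows\WP9X.reg
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [systen32] C:\WINDOWS\System32\systen32.exe
O4 - Global Startup: systen32.exe
"""

# Assumed reference list of genuine Windows names; extend it for real use.
KNOWN_NAMES = {"lsass", "smss", "csrss", "svchost", "services", "winlogon",
               "spoolsv", "explorer", "regedit", "taskmgr", "system32"}

# Base name of an .exe: the run of characters before ".exe" that contains
# no path separator, quote, colon, bracket or whitespace.
EXE_RE = re.compile(r'([^\\/":\]\s]+)\.exe\b', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def startup_exe(line):
    """Lower-cased base name of the first .exe on an O4 line, else None."""
    if not line.startswith("O4 - "):
        return None
    m = EXE_RE.search(line)
    return m.group(1).lower() if m else None

def flag_lookalikes(log_text):
    """Return (exe, resembles, line) for O4 entries one edit from a known name."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        exe = startup_exe(line)
        if exe is None or exe in KNOWN_NAMES:
            continue  # not a startup entry, or an exact genuine name
        for known in sorted(KNOWN_NAMES):
            if edit_distance(exe, known) == 1:
                hits.append((exe + ".exe", known, line))
                break
    return hits
```

A hit is a lead for review, not a verdict: an exact genuine name such as regedit.exe is skipped here even though what it is asked to run may still deserve a look.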

  • 0
Guest --Ricardo --

Thank you for replying, and sorry for the confusion I am causing in the replies, but I have never worked with this kind of tool and I am still getting used to it.

Yes, I use a proxy.

Logfile of HijackThis v1.99.1

Scan saved at 13:23:36, on 29/03/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\CA\eTrust Antivirus\InoRpc.exe

C:\Arquivos de programas\CA\eTrust Antivirus\InoRT.exe

C:\Arquivos de programas\CA\eTrust Antivirus\InoTask.exe

C:\WINDOWS\System32\srvany.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RCSERV.EXE

C:\Arquivos de programas\Arquivos comuns\PestPatrol\ppmcactivedetection.exe

C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Babylon\Babylon.exe

C:\ARQUIV~1\CA\ETRUST~1\realmon.exe

C:\Arquivos de programas\Spyware Terminator\SpywareTerminatorShield.exe

c:\arquivos de programas\internet explorer\iexplore.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe

C:\Arquivos de programas\3M\PSN2Lite\Psn2Lite.exe

C:\ARQUIV~1\3M\PSN2Lite\PSNGive.exe

C:\WINDOWS\System32\wuauclt.exe

F:\GLOBOPAR\CARMEN\antMalwares\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://viaglobal/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://viaglobal/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://128.1.0.20/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://viaglobal/proxypac/proxy_wan.pac

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.1.0.29:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 128

O1 - Hosts: 128.1.0.20 caixaunico

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O4 - HKLM\..\Run: [PPMCActiveDetection] C:\Arquivos de programas\Arquivos comuns\PestPatrol\ppmcactivedetection.exe "-ini:C:\Arquivos de programas\Arquivos comuns\PestPatrol\ppmcad.ini"

O4 - HKLM\..\Run: [printer] c:\windows\regedit.exe /s c:\windows\printer.reg

O4 - HKLM\..\Run: [date] c:\windows\regedit.exe /s c:\windows\date.reg

O4 - HKLM\..\Run: [wallpaper] c:\windows\regedit.exe /s c:\windows\WP9X.reg

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DrvLsnr] C:\Arquivos de programas\Analog Devices\SoundMAX\DrvLsnr.exe

O4 - HKLM\..\Run: [babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart

O4 - HKLM\..\Run: [Realtime Monitor] C:\ARQUIV~1\CA\ETRUST~1\realmon.exe -s

O4 - HKLM\..\Run: [spywareTerminator] "C:\Arquivos de programas\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\ARQUIV~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Arquivos de programas\3M\PSN2Lite\Psn2Lite.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Arquivos de programas\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Arquivos de programas\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Arquivos de programas\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Arquivos de programas\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Arquivos de programas\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Arquivos de programas\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://viaglobal/

O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.tvglobo.com.br

O17 - HKLM\Software\..\Telephony: DomainName = corp.tvglobo.com.br

O17 - HKLM\System\CCS\Services\Tcpip\..\{4D58C9EA-29D3-4B59-940C-278A48DB2713}: Domain = corp.tvglobo.com.br

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.tvglobo.com.br

O20 - AppInit_DLLs:

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe

O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Arquivos de programas\CA\eTrust Antivirus\InoRpc.exe

O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Arquivos de programas\CA\eTrust Antivirus\InoRT.exe

O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Arquivos de programas\CA\eTrust Antivirus\InoTask.exe

O23 - Service: OracleORACLE81ClientCache - Unknown owner - C:\Oracle\ora81\BIN\ONRSD.EXE

O23 - Service: Sispro Automation Manager (SisproAutMgr) - Unknown owner - C:\WINDOWS\System32\srvany.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

O23 - Service: Tivoli Remote Control Service (TME10RC) - IBM Corporation - C:\WINDOWS\RCSERV.EXE


  • 0

Download these tools:

ATF-Cleaner

move-zonebac.vbs

1 - Run ATF-Cleaner.

Check Select All. Then click Empty Selected. In the Done Cleaning window, click OK and then Exit.

2 - Run move-zonebac.vbs and a prompt will appear: "Mover arquivos detectados genericamente?" [sim/Não]

Choose Não (No). The tool will start scanning the PC. Please wait, as this may take a while.

- When it finishes, a report will open. Save it, then copy and paste its contents into your next reply, together with a new HijackThis log made in normal mode.

Do you know what these entries are?

O4 - HKLM\..\Run: [printer] c:\windows\regedit.exe /s c:\windows\printer.reg

O4 - HKLM\..\Run: [date] c:\windows\regedit.exe /s c:\windows\date.reg

O4 - HKLM\..\Run: [wallpaper] c:\windows\regedit.exe /s c:\windows\WP9X.reg
