Problems with Windows 2000 - services.exe process at 100% CPU

    Question

    Good afternoon,

    On my work PC, the services process routinely hits 100% CPU... I've already run Avast, AVG Anti-Spyware, a-squared Free and Spybot, but that didn't solve it... My last resort is to seek help here with you... I will only be able to carry out the suggested steps tomorrow, but I'll try to clear up any questions today...

    I ran the HijackThis procedure there and emailed the log to myself so I could post it here... So, the log follows below... A hug and a great weekend to everyone.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:27:31, on 18/9/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Documents and Settings\Paulo\Meus documentos\Roberto\PROGRAMAS\a-squared Free\a2service.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\Documents and Settings\Paulo\Meus documentos\Roberto\PASTA PESSOAL\AVG Anti-Spyware 7.5\guard.exe
    C:\WINNT\System32\svchost.exe
    C:\Arquivos de programas\GbPlugin\GbpSv.exe
    C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    C:\WINNT\Explorer.EXE
    C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe
    C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe
    C:\Arquivos de programas\QuickTime\qttask.exe
    C:\Documents and Settings\Paulo\Meus documentos\Roberto\PASTA PESSOAL\AVG Anti-Spyware 7.5\avgas.exe
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\taskmgr.exe
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\Arquivos de programas\Microsoft Office\Office\WINWORD.EXE
    G:\Abacus.exe
    C:\Documents and Settings\Paulo\Meus documentos\Roberto\PROGRAMAS\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Paulo\MEUSDO~1\Roberto\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
    O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINNT\Downloaded Program Files\gbiehCef.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Paulo\Meus documentos\Roberto\PASTA PESSOAL\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Arquivos de programas\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Paulo\MEUSDO~1\Roberto\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\Paulo\MEUSDO~1\Roberto\PROGRA~1\SPYBOT~1\SDHelper.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
    O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F36AAA80-6F28-499A-AFDC-BA994E5C52F7}: NameServer = 10.1.1.1
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Documents and Settings\Paulo\Meus documentos\Roberto\PROGRAMAS\a-squared Free\a2service.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Paulo\Meus documentos\Roberto\PASTA PESSOAL\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
    O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe
    O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

    --
    End of file - 6878 bytes

    Tuesday, September 18, 2007 13:26
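As an added example (not part of the original thread), here is a small Python triage script that parses the HijackThis log format shown above and flags the G-Buster / GbPlugin components discussed in the later replies, plus any service or process started from a user profile directory; the sample log is a constructed subset of the question's own log, and the name patterns are my assumptions.

```python
import re
# Constructed sample: a subset of the HijackThis v2.0.2 log lines posted in the question.
SAMPLE_LOG = r"""Running processes:
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\Documents and Settings\Paulo\Meus documentos\Roberto\PROGRAMAS\a-squared Free\a2service.exe

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\WINNT\Downloaded Program Files\gbiehCef.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399003} (GbPluginObj Class) - https://imagem.caixa.gov.br/cab/GbPluginCef.cab
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")  # e.g. "O23 - Service: ..."
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
# Assumed name patterns for the G-Buster / GbPlugin components named in this thread.
GBUSTER_RE = re.compile(r"gbplugin|gbieh|gbpsv|gbpdist|gbpkm|g-buster", re.I)
# Services and processes started from a user profile directory deserve a second look.
USER_PROFILE_RE = re.compile(r"\\(Documents and Settings|DOCUME~1)\\", re.I)

def parse_entry(kind: str, body: str) -> dict:
    """Split one entry into label, name, last field (path or URL) and CLSID if present."""
    label, _, rest = body.partition(": ")
    fields = rest.split(" - ")
    clsid = CLSID_RE.search(rest)
    return {"kind": kind, "label": label, "name": fields[0], "path": fields[-1],
            "clsid": clsid.group(0) if clsid else None}

def parse_hjt(log: str) -> dict:
    """Return the running-process list and the typed entries of a HijackThis log."""
    processes, entries, in_processes = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append(parse_entry(m.group("kind"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}

def triage(log: str) -> list:
    """Flag G-Buster components and anything running from a user profile directory."""
    parsed = parse_hjt(log)
    findings = []
    for proc in parsed["processes"]:
        if GBUSTER_RE.search(proc):
            findings.append(("gbuster-process", proc))
        if USER_PROFILE_RE.search(proc):
            findings.append(("user-profile-process", proc))
    for e in parsed["entries"]:
        if GBUSTER_RE.search(e["name"] + " " + e["path"]):
            findings.append(("gbuster-" + e["kind"], e["path"]))
    return findings
```

Running `triage()` over the full log from the question would flag the GbpSv.exe process and service, both G-Buster BHOs and the bank's DPF entries, and would also surface the anti-malware tools that are running from under "Meus documentos" rather than from Program Files.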

All Replies

  • See if this link helps you.

    http://support.microsoft.com/kb/328885/

    If it solves the problem, please mark it as the answer.

    Tuesday, September 25, 2007 16:08
  • Solution:

    G-Buster Browser Defense, analysis and removal

    Internet Banking is a primary target of phishing attacks. It's no wonder financial institutions have come up with a myriad of solutions to protect their customers. Nevertheless, some banks in Brazil force them to install a piece of software which I find at least questionable in the way it affects the operating system. The software under consideration is called G-Buster Browser Defense, developed by GAS Tecnologia, and is currently used by Banco do Brasil, Caixa Econômica Federal, Banco Real ABN AMRO, among others†. It offers protection against malicious programs, keyloggers, site forgery etc. Here I'll describe how the component installs on your computer and how to remove it while still being able to use Internet Banking. Since all institutions use the same software I've just picked one, Caixa Econômica Federal, hoping the exact same procedures apply to the others.

    Analysis of installation

    So, let's put our hands on it. After opening the bank's home page and clicking on the top right button ("Acessar") we arrive at the first screen of Internet Banking (Figure 1), where we enter our username. If it's not been installed yet, we'll be asked now to install the security module ("Módulo de Segurança") (Figure 2). At this stage you might have already noticed how the window title is marred with punctuation characters as we move across pages (more on this later). We then allow the component to install, taking us to the second screen, which presents the virtual keyboard (Figure 3).

    Figure 1
    Figure 2
    Figure 3

    The software is now installed. Whenever I install something on my computer I like to know whether anything has been configured to execute on system start-up, because that's what makes your computer slow. And that was what caused my first bad impression about G-Buster Browser Defense. If we launch Autoruns it shows us three new entries in the registry. Figure 4 and Figure 5 contain the non-Microsoft entries before and after installing G-Buster Browser Defense on my computer. The main component is Gbieh Module, or gbiehCef.dll‡, a file under "%WINDIR%\Downloaded Program Files".

    Figure 4
    Figure 5

    What really frightened me the most was to discover that gbiehCef.dll is injected into the Winlogon process: Process Explorer comes to our help (Figure 6). Being loaded by Winlogon means the software survives logoffs, and will be running even when we don't need it, possibly eating valuable CPU cycles. It's even worse: if a computer has many users and only one needs the Internet Banking service, every user must pay the price for it.

    Figure 6

    Just to be sure my ranting isn't totally unreasonable, let's take Process Monitor and see how G-Buster performs. If we leave it running for some seconds with no filters set we note that some kind of polling is screamingly taking place. And you should know that polling kills. Every 5 seconds a thread in Winlogon reads a number of registry entries, checking their values. Figure 7 illustrates the polling of the PendingFileRenameOperations key. Process Explorer brings out the culprit (Figure 8), gbiehCef.dll, when we search it for the thread id shown in Process Monitor.

    Figure 7
    Figure 8

    Observing the polled registry entries is enough to guess what the security component is doing: checking for any attempt at its removal. That's likely to prevent malicious programs from disabling it. But that leaves the average user with no option to uninstall it. Deleting the auto-run entries has no effect because they will be recreated. Trying to delete or move the file containing the component is impossible. Scheduling the removal for the next reboot is also not possible, as the results of Process Monitor already suggested to us. Rebooting into safe mode doesn't help either. We are left with the Recovery Console, which lets us delete the offending file, and, an easier way, Process Explorer.

    G-Buster removal

    In the same screen where we found the polling thread we can kill it (the "Kill" button). Now that nothing is polling the registry anymore we may open Autoruns and delete all related entries (those three whose description reads "Gbieh Module"). We can't delete the file because it's still in use (we don't need to, as you'll see in a while). Now, since we have killed a thread from a System process, we'd better reboot the computer, otherwise we may leave the operating system unstable (the component might have left a lock open inside Winlogon before we killed it). Upon rebooting we may inspect with Process Explorer and Autoruns and make sure G-Buster is not there anymore. However, the component will attempt to install itself again in the auto-run entries if we hit the Internet Banking site (we are safe if we just open the bank's home page) because the Internet Explorer component is still installed and the browser will not ask our permission to execute it.

    Now the cool part: if you have a Limited User Account, as I do, you'll be able to use the Internet Banking service without the hassle of installing G-Buster. The site will open and the component will be executed by Internet Explorer, but it will fail to change the start-up entries or inject the library into Winlogon (Figure 9). Fortunately, it doesn't attempt to modify the per-user start-up entries either. Logging on and off is enough to get rid of G-Buster, and we are back with a clean system (gbiehCef.dll will be kept loaded by Explorer until we log off).

    Figure 9

    If, by accident, you visit the Internet Banking site under an account with administrator privileges, you'll need to repeat the steps to identify the Winlogon thread and the auto-run entries. You'll notice that on the second install an additional Windows service (gbpsv.exe, G-Buster Browser Defense - Service) will be registered: that could be due to a bug in the install process. The same steps apply, though.

    Conclusions

    I understand the purpose of G-Buster Browser Defense. It monitors registry keys (hooking would be a better solution than polling, however) to prevent specially crafted software from disabling it. It scrambles characters in the Internet Banking page title, maybe in an attempt to slip away from the eyes of a keylogger looking for a certain page. Perhaps it monitors your Internet usage trying to identify suspects of forgery. It's not clear whether it sends personal information or downloads anything. There's no agreement or consent dialog.

    What I don't understand is how that solution is better than an "on demand" scanner. It could scan the system just before the customers enter their information, and not full time. Sure, a trojan can be built to hide itself from an outdated scanner but, as demonstrated here, it's as easy to disable an outdated real-time scanner and bypass any security checks. Changing the title is also pointless if the trojan looks for the window's content. And there is still another problem: G-Buster Browser Defense is a component used by more than one bank. That makes it a more interesting target for hackers because a single trojan solution can defeat the defenses of many banks. By the way, what looks like a poor design issue: if the component is the same for many sites, why does it need a separate installation for each one? It scans and polls the system twice! Finally, what can bother many more users, even those not worried about performance, is the need for an ActiveX component, locking them into Internet Explorer.

    Regarding anti-phishing solutions, I like the one adopted by the Brazilian HSBC bank. You're presented with a box containing 9 lines of 4 characters each. To enter the password you must locate the line which contains the first character of your password and click the arrow next to it. Repeat for the second character and so on. A spying program can't guess which character you thought about when you clicked the arrow. Heck, neither can a person sitting by your side! It's not the perfect solution, since the careful analysis of the clicks of many logins may reveal the password, but I find it a lot less obtrusive than G-Buster and just as effective. No ActiveX, cross-browser and cross-platform.

    Note: I should say that I made many assumptions in the analysis here and thus could be totally wrong on some points. I had nothing at hand, though. As stated previously, it's not clear anywhere what the component does nor how it does it.

    Footnotes

    † The footnote below names some of the other banks.
    ‡ Gbieh Module has a different filename depending on the bank:

    Friday, January 18, 2008 22:01
  • Sorry!

    Now with figures:

    http://insanebits.blogspot.com/2007/04/g-buster-browser-defense-analysis-and.html

    The vaccine doesn't work; you need to remove it with the tools indicated.

    Good luck

    Friday, January 18, 2008 22:06
  • Good morning:

    GBuster or gbplugin is a horrible program that is heavily defended by the Brazilian banking developers.  It is purposely designed to avoid removal in numerous ways, uses files in program files/gbplugin and a system32/driver, my version was called gbpkm.sys

    I tried all the canned responses, no virus checker or malware program stood a chance.  Restoring from before life existed on earth didn't work, upgrading the OS didn't work, using Avenger to weed out root-kits and bad stuff long before windows starts was the best shot but it didn't work and the Brazilian banks have successfully wiped out specialized related programs designed to kill it.  (of course reformatting your hard drive and starting with a blank disk would work.)  Arg.  This link gave me the most information but the initial solution documented near the top did not work; the hundred comments below show numerous perspectives, including from one of the original developers, and the fix I found is short and buried in the middle:
    http://insanebits.blogspot.com/2007/04/g-buster-browser-defense-analysis-and.html

    I have it fixed on my computer now.  Much to my displeasure, I used a free Linux based tool found at the link below, and followed directions to a T (their docs for Noobies and Getting Started taught me how to navigate the disk drives), created a Linux boot CD and used Linux commands to navigate to the offending files, then rebooted into Windows, then edited the Registry to remove the dozen or so entries:

    http://trinityhome.org/Home/index.php?pid=1&wpid=5&p_node=1&edit_pid=5&front_id=12

    For my Brazilian bank, Caixa Econômica, the bad files are:
    c:\Program Files\GbPlugin\cef.gpc
    c:\Program Files\GbPlugin\gbidh.gmd
    c:\Program Files\GbPlugin\gbiehCef.dll
    c:\Program Files\GbPlugin\gbpdist.dll
    c:\Program Files\GbPlugin\gbpsv.exe
    c:\Windows\System32\drivers\gbpkm.sys

    I found registry keys by searching for "gbplugin" and removing ones closely named too, for my pc:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\GblehObjClass
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginCef
    HKLM\Software\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}
    HKLM\Software\Classes\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}
    HKLM\Software\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}
    HKLM\Software\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}
    HKLM\Software\Classes\GbiehCef.GbPluginObj
    HKLM\Software\Classes\GbiehCef.GbPluginObj.1
    HKLM\Software\Classes\GbiehCef.GbIehObj
    HKLM\Software\Classes\GbiehCef.GbIehObj.1
    HKLM\Software\Classes\GbpDist.GbpDistObj
    HKLM\Software\Classes\GbpDist.GbpDistObj.1
    HKLM\Software\Classes\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}
    HKLM\Software\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E37CB5F0-51F5-4395-A808-5FA49E399003}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellExtensions\Approved\{E37CB5F0-51F5-4395-A808-5FA49E399003}
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginCef
    HKLM\SYSTEM\ControlSet001\Servces\GbpKm
    HKLM\SYSTEM\ControlSet001\Servces\GbpSv
    HKLM\SYSTEM\ControlSet002\Servces\GbpKm
    HKLM\SYSTEM\ControlSet002\Servces\GbpSv

    Saturday, January 22, 2011 19:05