EDSSX, posted August 21, 2009

Good morning! Why has the edit option disappeared? This software generates its log like this, in two scans/parts. Here is the complete RemoveIT Pro v7 Enterprise log:

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.
Generated at: 19/08/2009 on 22:06:38
Microsoft Windows XP Professional Service Pack 3 (Build 2600)
22:06:38: Scanning, please wait...
22:13:51: Infected file (Sys32.eempty) D:\WINDOWS\system32\eempty.exe -> No action taken.
22:15:11: Infected file (Sys32.langdll) D:\WINDOWS\system32\langdll.dll -> No action taken.
22:18:12: Infected file (Sys32.xceedbkp) D:\WINDOWS\system32\xceedbkp.dll -> No action taken.
22:19:00: Infected file (Sys32.msajt200) D:\WINDOWS\system\msajt200.dll -> No action taken.
22:19:04: Infected file (Sys32.pev) D:\WINDOWS\pev.exe -> No action taken.
22:19:12: Infected file (Sys32.syssd) D:\WINDOWS\system\syssd.dll -> No action taken.
22:19:15: Infected file (Sys32.vbajet) D:\WINDOWS\system\vbajet.dll -> No action taken.
22:19:48: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.
22:19:49: Infected file (Sys32.gbpdist) D:\Arquivos de programas\GbPlugin\gbpdist.dll -> No action taken.
22:19:49: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.
22:19:51: 10 Dangerous files has been found on your computer. Click on "Fix" button to fix selected tasks.
22:20:13: Scanning, please wait...
22:50:10: Infected file (Sys32.vbajet) C:\WINXP\system\VBAJET.DLL -> No action taken.
22:50:10: Infected file (Sys32.msajt200) C:\WINXP\system\MSAJT200.DLL -> No action taken.
22:51:39: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe -> No action taken.
22:51:40: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077916.exe -> No action taken.
22:51:43: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP830\A0079912.exe -> No action taken.
22:59:46: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135402-251.dll -> No action taken.
22:59:46: Infected file (Sys32.gbpdist) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135403-769.dll -> No action taken.
22:59:47: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll -> No action taken.
22:59:47: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll -> No action taken.
22:59:47: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll -> No action taken.
23:04:40: 20 Dangerous files has been found on your computer. Click on "Fix" button to fix selected tasks.
Finished...

Thanks
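An added example, not part of the thread or of RemoveIT Pro: a small parser for the "Infected file" lines of a RemoveIT log like the one above that separates live files from restore-point copies and copies in the user's backup folder, and lists the detections that exist in both places (a restore-point copy comes back if that restore point is ever applied, so those need purging separately from the live file). The sample input is a constructed excerpt of the log above; the location buckets are my own naming.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Matches the "Infected file" lines RemoveIT Pro writes, e.g.
#   22:13:51: Infected file (Sys32.eempty) D:\WINDOWS\system32\eempty.exe -> No action taken.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}): Infected file \((?P<detection>[^)]+)\) "
    r"(?P<path>.+?) -> (?P<action>.+?)\.?$"
)

# Constructed excerpt of the first RemoveIT log posted in the thread (not the full log).
SAMPLE_LOG = r"""
22:06:38: Scanning, please wait...
22:13:51: Infected file (Sys32.eempty) D:\WINDOWS\system32\eempty.exe -> No action taken.
22:19:04: Infected file (Sys32.pev) D:\WINDOWS\pev.exe -> No action taken.
22:19:48: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.
22:19:51: 10 Dangerous files has been found on your computer. Click on "Fix" button to fix selected tasks.
22:51:39: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe -> No action taken.
22:59:46: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135402-251.dll -> No action taken.
"""


@dataclass
class Finding:
    time: str
    detection: str
    path: str
    action: str
    location: str  # one of the buckets returned by classify_path()


def classify_path(path: str) -> str:
    """Bucket a path by where it lives; the bucket decides how it should be handled."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"      # handled by purging System Restore, not by deleting files
    if "\\documents and settings\\" in p:
        return "user profile"
    if "\\arquivos de programas\\" in p or "\\program files\\" in p:
        return "program files"
    if "\\windows\\" in p or "\\winxp\\" in p:
        return "windows directory"
    return "other"


def parse_log(text: str) -> List[Finding]:
    """Return one Finding per 'Infected file' line; status lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        findings.append(Finding(m["time"], m["detection"], m["path"], m["action"],
                                classify_path(m["path"])))
    return findings


def count_by_location(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.location for f in findings))


def detections_also_in_restore_points(findings: List[Finding]) -> List[str]:
    """Detection names seen both on a live path and inside a restore point.
    Removing the live file alone leaves a copy that a later System Restore
    would bring back, so these are the ones to re-check after cleanup."""
    live = {f.detection for f in findings if f.location != "restore-point copy"}
    restored = {f.detection for f in findings if f.location == "restore-point copy"}
    return sorted(live & restored)


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.time} {f.detection:16} {f.location:20} {f.path}")
    print(count_by_location(found))
    print("live detections that also sit in restore points:",
          detections_also_in_restore_points(found))
```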
Silas Martins, posted August 21, 2009

Look, I can write a .bat script here to remove those files, but I must warn you that among them are some backup files that I don't know are really infected. That is up to you. Awaiting your reply.
EDSSX, posted August 21, 2009

Good morning! Sure, go ahead and post the .bat script, backups included; I know which ones they are, they are recent and they are infected, as I have already confirmed on VirusTotal. All the results look like this:

File A0077916.exe received on 2009.08.21 14:11:34 (UTC)
Result: 4/41 (9.76%)

Antivirus | Version | Last update | Result
a-squared | 4.5.0.24 | 2009.08.21 | -
AhnLab-V3 | 5.0.0.2 | 2009.08.20 | -
AntiVir | 7.9.1.3 | 2009.08.21 | -
Antiy-AVL | 2.0.3.7 | 2009.08.21 | -
Authentium | 5.1.2.4 | 2009.08.20 | -
Avast | 4.8.1335.0 | 2009.08.20 | -
AVG | 8.5.0.406 | 2009.08.21 | -
BitDefender | 7.2 | 2009.08.21 | -
CAT-QuickHeal | 10.00 | 2009.08.21 | (Suspicious) - DNAScan
ClamAV | 0.94.1 | 2009.08.21 | -
Comodo | 2045 | 2009.08.21 | -
DrWeb | 5.0.0.12182 | 2009.08.21 | -
eSafe | 7.0.17.0 | 2009.08.20 | Suspicious File
eTrust-Vet | 31.6.6693 | 2009.08.21 | -
F-Prot | 4.4.4.56 | 2009.08.20 | -
F-Secure | 8.0.14470.0 | 2009.08.21 | -
Fortinet | 3.120.0.0 | 2009.08.21 | PossibleThreat
GData | 19 | 2009.08.21 | -
Ikarus | T3.1.1.68.0 | 2009.08.21 | -
Jiangmin | 11.0.800 | 2009.08.21 | -
K7AntiVirus | 7.10.824 | 2009.08.21 | -
Kaspersky | 7.0.0.125 | 2009.08.21 | -
McAfee | 5715 | 2009.08.20 | -
McAfee+Artemis | 5715 | 2009.08.20 | -
McAfee-GW-Edition | 6.8.5 | 2009.08.21 | Heuristic.LooksLike.Win32.Backdoor.C
Microsoft | 1.4903 | 2009.08.21 | -
NOD32 | 4355 | 2009.08.21 | -
Norman | 6.01.09 | 2009.08.20 | -
nProtect | 2009.1.8.0 | 2009.08.21 | -
Panda | 10.0.0.14 | 2009.08.21 | -
PCTools | 4.4.2.0 | 2009.08.21 | -
Prevx | 3.0 | 2009.08.21 | -
Rising | 21.43.44.00 | 2009.08.21 | -
Sophos | 4.44.0 | 2009.08.21 | -
Sunbelt | 3.2.1858.2 | 2009.08.21 | -
Symantec | 1.4.4.12 | 2009.08.21 | -
TheHacker | 6.3.4.3.384 | 2009.08.21 | -
TrendMicro | 8.950.0.1094 | 2009.08.21 | -
VBA32 | 3.12.10.9 | 2009.08.20 | -
ViRobot | 2009.8.21.1895 | 2009.08.21 | -
VirusBuster | 4.6.5.0 | 2009.08.20 | -

As for the System Restore items, the same applies, as shown by this (partial) DDS log:

==== Event Viewer Messages From Past Week ========
14/08/2009 19:08:27, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0804.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.
14/08/2009 19:07:50, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0411.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.
14/08/2009 19:07:42, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0404.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

Thanks in advance.
EDSSX, posted August 21, 2009

Good morning! Regarding the System Restore items above, per this (partial) DDS log:

==== Event Viewer Messages From Past Week ========
14/08/2009 19:08:27, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0804.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.
14/08/2009 19:07:50, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0411.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.
14/08/2009 19:07:42, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0404.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

This matches the (partial) RemoveIT Pro v7 Enterprise log below:

22:51:39: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe -> No action taken.
22:51:40: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077916.exe -> No action taken.
22:51:43: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP830\A0079912.exe -> No action taken.

Thanks
Silas Martins, posted August 21, 2009

Open Notepad and paste this inside:

@echo off
REM Each path is quoted because several of them contain spaces.
REM DEL /A = match any attribute, /F = force-delete read-only files, /Q = quiet, no confirmation prompt.
DEL /A /F /Q "D:\WINDOWS\system32\eempty.exe"
DEL /A /F /Q "D:\WINDOWS\system32\langdll.dll"
DEL /A /F /Q "D:\WINDOWS\system32\xceedbkp.dll"
DEL /A /F /Q "D:\WINDOWS\system\msajt200.dll"
DEL /A /F /Q "D:\WINDOWS\pev.exe"
DEL /A /F /Q "D:\WINDOWS\system\syssd.dll"
DEL /A /F /Q "D:\WINDOWS\system\vbajet.dll"
REM Copies inside restore points
DEL /A /F /Q "D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe"
DEL /A /F /Q "D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077916.exe"
DEL /A /F /Q "D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP830\A0079912.exe"
REM Copies in the user's backup folder
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135402-251.dll"
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135403-769.dll"
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll"
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll"
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll"

Save it with the name Remove.bat, changing the file type from txt to all files, as shown in the image below:

After saving, double-click the file so that the removal completes. The bat runs silently, that is, no log or confirmation screen will appear. After running remove.bat, wait a few moments and restart the PC; once it has restarted, run a scan with your antivirus and see whether any virus still shows up.
EDSSX, posted August 21, 2009

Good afternoon! Which of the files below are legitimate? Only these remain:

C:\WINDOWS\system32\more.com
C:\WINDOWS\system32\format.com
C:\WINDOWS\system32\tree.com
C:\WINXP\system32\format.com
C:\WINXP\system32\more.com
C:\WINXP\system32\tree.com
D:\WINDOWS\system32\mstask.dll
D:\WINDOWS\system32\ntshrui.dll
RafaelSonyLock, posted August 21, 2009

"Resolved" tag removed! The topic is not resolved yet! Let us know when it is resolved!
EDSSX, posted August 21, 2009

Good afternoon! Now only these remain:

D:\Arquivos de programas\GbPlugin\gbiehcef.dll
D:\Arquivos de programas\GbPlugin\gbpsv.exe
D:\!KillBox\GbpSv.exe
D:\!KillBox\backup-20090424-135402-251.dll
D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll
D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll
D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll
C:\WINDOWS\system32\more.com
C:\WINDOWS\system32\format.com
C:\WINDOWS\system32\tree.com
C:\WINXP\system32\format.com
C:\WINXP\system32\more.com
C:\WINXP\system32\tree.com
D:\WINDOWS\system32\mstask.dll
D:\WINDOWS\system32\ntshrui.dll

Here is the AVZ Antiviral Toolkit log:

Attention !!! Database was last updated 08/02/2009 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 21/08/2009 13:35:54
Database loaded: signatures - 209302, NN profile(s) - 2, microprograms of healing - 56, signature database released 08.02.2009 18:56
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 91560
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 31
Analyzer: process under analysis is 936 D:\WINDOWS\system32\winlogon.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1180 D:\ARQUIV~1\GbPlugin\GbpSv.exe
[ES]:Application has no visible windows
[ES]:EXE runtime packer ?
Analyzer: process under analysis is 196 D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 320 D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Listens on HTTP ports !
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 336 D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Process d:\arquivos de programas\windows live\messenger\msnmsgr.exe Contains network functionality (inetres.dll)
Analyzer: process under analysis is 364 D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 768 D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 892 D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe
[ES]:Application has no visible windows
[ES]:EXE runtime packer ?
Analyzer: process under analysis is 1648 D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 2224 D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe
[ES]:Contains network functionality
[ES]:Listens on HTTP ports !
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 3736 D:\WINDOWS\system32\notepad.exe
[ES]:Located in system folder
Number of modules loaded: 394
Scanning memory - complete
3. Scanning disks
C:\WINDOWS\system32\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\WINDOWS\system32\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\WINDOWS\system32\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\WINXP\system32\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\WINXP\system32\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\WINXP\system32\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
D:\WINDOWS\system32\mstask.dll --> Suspicion for Keylogger or Trojan DLL
D:\WINDOWS\system32\mstask.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
D:\WINDOWS\system32\ntshrui.dll --> Suspicion for Keylogger or Trojan DLL
D:\WINDOWS\system32\ntshrui.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)
>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)
>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)
>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 110107, extracted from archives: 85568, malicious software found 0, suspicions - 0
Scanning finished at 21/08/2009 14:40:12
Time of scanning: 01:05:43
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference

Here is the RemoveIT Pro v7 Enterprise log:

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.
Generated at: 21/08/2009 on 13:21:36
Microsoft Windows XP Professional Service Pack 3 (Build 2600)
13:21:36: Scanning, please wait...
13:36:59: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.
13:37:00: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.
13:37:02: 2 Dangerous files has been found on your computer. Click on "Fix" button to fix selected tasks.
13:37:12: Scanning, please wait...
13:44:33: Infected file (Sys32.gbpsv) D:\!KillBox\GbpSv.exe -> No action taken.
13:44:33: Infected file (Sys32.gbiehcef) D:\!KillBox\backup-20090424-135402-251.dll -> No action taken.
13:47:09: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll -> No action taken.
13:47:10: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll -> No action taken.
13:47:10: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll -> No action taken.
13:48:34: 7 Dangerous files has been found on your computer. Click on "Fix" button to fix selected tasks.
Finished...

Thanks
Silas Martins, posted August 21, 2009

These are system files:

C:\WINDOWS\system32\more.com
C:\WINDOWS\system32\format.com
C:\WINDOWS\system32\tree.com
C:\WINXP\system32\format.com
C:\WINXP\system32\more.com
C:\WINXP\system32\tree.com

As for the remaining files, do a Google search and you will see which ones are legitimate. One more thing: you opened a topic on Linha Defensiva and on PC Fórum, so my support to you ends here.
EDSSX, posted August 21, 2009

Good afternoon! Wouldn't those be old topics about Pandex rootkits (in Malware Removal)? As for this subject on Linha Defensiva, fine, but I did not open one on PC Fórum. Well, you have already helped me a great deal. Thank you all for your extensive attention.
EDSSX, posted August 21, 2009

Good afternoon! As I had already confirmed and acknowledged above, the end of this topic was quite conclusive, and as the current RemoveIT Pro v7 Enterprise log below shows, it has already cleaned things up well.

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.
Generated at: 21/08/2009 on 17:23:49
Microsoft Windows XP Professional Service Pack 3 (Build 2600)
17:23:49: Scanning, please wait...
17:38:43: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.
17:38:43: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.
17:38:46: 2 Dangerous files has been found on your computer. Click on "Fix" button to fix selected tasks.
17:38:54: Scanning, please wait...
17:51:05: 2 Dangerous files has been found on your computer. Click on "Fix" button to fix selected tasks.
Finished...

Kindly close this topic. Case resolved. Thank you all for your extensive attention and for the space granted here.
EDSSX, posted August 21, 2009

Good evening! As the current AVZ Antiviral Toolkit log shows, clean of trojans.

AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 21/08/2009 18:10:43
Database loaded: signatures - 237871, NN profile(s) - 2, malware removal microprograms - 56, signature database released 21.08.2009 14:23
Heuristic microprograms loaded: 374
PVS microprograms loaded: 9
Digital signatures of system files loaded: 135524
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtClose (19) intercepted (805678DD->EBC79FFC), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtCreateFile (25) intercepted (8056CDC0->EBC7DC14), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtCreateKey (29) intercepted (8057065D->F8377826), hook not defined
Function NtCreateSection (32) intercepted (805652B3->EBC7EBF6), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtCreateThread (35) intercepted (8058E64B->F837781C), hook not defined
Function NtDebugActiveProcess (39) intercepted (8065B1B9->EBC7F282), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtDeleteFile (3E) intercepted (805D801B->EBC7DF8A), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtDeleteKey (3F) intercepted (805952CA->F837782B), hook not defined
Function NtDeleteValueKey (41) intercepted (80592D5C->F8377835), hook not defined
Function NtDeviceIoControlFile (42) intercepted (8058EFB9->EBC7A1FE), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtDuplicateObject (44) intercepted (805715E0->EBC7D58E), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtFsControlFile (54) intercepted (8057AAB5->EBC7A036), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtInitiatePowerAction (5D) intercepted (8062BF67->EBC79D74), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtLoadDriver (61) intercepted (805A3B01->EBC7CF84), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtLoadKey (62) intercepted (805AED6D->F837783A), hook not defined
Function NtMakeTemporaryObject (69) intercepted (8059F8D2->EBC79EC4), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtOpenFile (74) intercepted (8056CD5B->EBC7DA46), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtOpenProcess (7A) intercepted (805717C7->F8377808), hook not defined
Function NtOpenSection (7D) intercepted (80570FD7->EBC7A3C6), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtOpenThread (80) intercepted (8058A1C9->F837780D), hook not defined
Function NtProtectVirtualMemory (89) intercepted (80571CB1->EBC8004A), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtQueueApcThread (B4) intercepted (80591097->EBC7F950), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtReadVirtualMemory (BA) intercepted (8057E2D8->EBC7A570), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtRenameKey (C0) intercepted (8064E77C->EBC7B5CC), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtReplaceKey (C1) intercepted (8064F0DC->F8377844), hook not defined
Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->EBC7D3A0), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtRestoreKey (CC) intercepted (8064EC71->F837783F), hook not defined
Function NtSetContextThread (D5) intercepted (8062DD17->EBC7FDF6), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtSetInformationFile (E0) intercepted (8057494A->EBC7E42C), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtSetInformationProcess (E4) intercepted (8056DC01->EBC7F36C), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtSetSystemInformation (F0) intercepted (805A7BED->EBC7D0E6), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtSetSystemPowerState (F1) intercepted (8066768B->EBC79E1E), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtSetSystemTime (F2) intercepted (80647A2B->EBC79C24), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtSetValueKey (F7) intercepted (80572889->F8377830), hook not defined
Function NtShutdownSystem (F9) intercepted (80647177->EBC79CF4), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtSuspendProcess (FD) intercepted (8062F8F9->EBC7F19C), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtSuspendThread (FE) intercepted (805E046E->EBC7FCDA), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtSystemDebugControl (FF) intercepted (80649CD9->EBC79B86), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtTerminateProcess (101) intercepted (805822EC->F8377817), hook not defined
Function NtTerminateThread (102) intercepted (8057B88F->EBC7FB9E), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtUnmapViewOfSection (10B) intercepted (805736E6->EBC7EACA), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtWriteFile (112) intercepted (80574BF5->EBC7E104), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtWriteFileGather (113) intercepted (805DA475->EBC7E298), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtWriteVirtualMemory (115) intercepted (8057E42A->EBC7FF12), hook d:\windows\system32\drivers\lgalcafo.sys
Functions checked: 284, intercepted: 44, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
Checking - complete
2. Scanning RAM
Number of processes found: 30
Number of modules loaded: 377
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)
>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)
>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)
>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 110081, extracted from archives: 85568, malicious software found 0, suspicions - 0
Scanning finished at 21/08/2009 18:54:24
Time of scanning: 00:43:42
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference

Thank you very much.
Case resolved
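An added example for reading the kernel-mode hook section of an AVZ log like the one above (my code, not part of the thread or of AVZ): it parses each "Function ... intercepted" line, groups the hooks by the driver AVZ attributed them to, clusters the "hook not defined" entries by target address region so that a hooking driver AVZ could not map to a file can be traced to one module, and cross-checks the "intercepted: N" summary against the lines actually parsed. The sample input is a constructed six-line excerpt of the log above, with the summary count adjusted to match the excerpt.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One line of AVZ's "1.2 Searching for kernel-mode API hooks" section looks like:
#   Function NtClose (19) intercepted (805678DD->EBC79FFC), hook d:\windows\system32\drivers\lgalcafo.sys
#   Function NtCreateKey (29) intercepted (8057065D->F8377826), hook not defined
HOOK_RE = re.compile(
    r"^Function (?P<name>\w+) \((?P<index>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]{8})->(?P<target>[0-9A-Fa-f]{8})\), hook (?P<module>.+)$"
)
SUMMARY_RE = re.compile(r"^Functions checked: (\d+), intercepted: (\d+), restored: (\d+)$")

# Constructed excerpt: six hook lines taken from the AVZ log in the thread, with the
# summary line adjusted to match the excerpt (the real log reports 44 intercepted).
SAMPLE_AVZ = r"""
Function NtClose (19) intercepted (805678DD->EBC79FFC), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtCreateFile (25) intercepted (8056CDC0->EBC7DC14), hook d:\windows\system32\drivers\lgalcafo.sys
Function NtCreateKey (29) intercepted (8057065D->F8377826), hook not defined
Function NtCreateThread (35) intercepted (8058E64B->F837781C), hook not defined
Function NtOpenProcess (7A) intercepted (805717C7->F8377808), hook not defined
Function NtWriteVirtualMemory (115) intercepted (8057E42A->EBC7FF12), hook d:\windows\system32\drivers\lgalcafo.sys
Functions checked: 284, intercepted: 6, restored: 0
"""

UNRESOLVED = "<unresolved>"  # my label for hooks AVZ printed as "hook not defined"


@dataclass
class Hook:
    name: str
    index: int             # SSDT slot number; AVZ prints it in hex
    original: int          # address of the kernel's own handler
    target: int            # address the slot points to now
    module: Optional[str]  # None when AVZ could not attribute the hook to a file


def parse_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m is None:
            continue
        module = None if m["module"] == "not defined" else m["module"].lower()
        hooks.append(Hook(m["name"], int(m["index"], 16), int(m["orig"], 16),
                          int(m["target"], 16), module))
    return hooks


def hooks_by_module(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Which driver owns which hooks; unattributed ones land under UNRESOLVED."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        out.setdefault(h.module or UNRESOLVED, []).append(h.name)
    return out


def unresolved_regions(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group unresolved hook targets by 64 KiB address region. Targets that all fall
    in one region almost certainly belong to a single driver, which is the module to
    identify (e.g. from the loaded-driver list) before deciding anything about it."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        if h.module is None:
            region = f"{h.target & 0xFFFF0000:08X}"
            out.setdefault(region, []).append(h.name)
    return out


def summary_matches(text: str, hooks: List[Hook]) -> bool:
    """Cross-check AVZ's own 'intercepted: N' line against the number of lines parsed."""
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            return int(m.group(2)) == len(hooks)
    return False


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_AVZ)
    for mod, names in hooks_by_module(parsed).items():
        print(f"{mod}: {', '.join(names)}")
    print("unresolved hooks by region:", unresolved_regions(parsed))
    print("summary consistent with parsed lines:", summary_matches(SAMPLE_AVZ, parsed))
```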
EDSSX, posted August 22, 2009

Good morning! Why is the edit option never there any more? RemoveIT Pro v7 Enterprise log, clean, with no banking plugins or trojans.

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.
Generated at: 22/08/2009 on 01:48:35
Microsoft Windows XP Professional Service Pack 3 (Build 2600)
01:48:35: Scanning, please wait...
02:05:07: Your computer is clean!
Finished...

Thanks
RafaelSonyLock, posted August 22, 2009

EDSSX, is the topic resolved? In some posts you say it is resolved, but then you come back and post a question again! If the question relates to infections, post it in Security and Malware. Thanks
EDSSX, posted August 22, 2009

Good afternoon! Topic resolved! I posted the logs above to confirm that everything is clean, as was clearly stated from the start. Thanks