
Archived

This topic has been archived and is closed to new replies.

EDSSX

[Solved] Does a registry key block MSN?


Good morning!

Why does the edit option disappear?

This software generates the log like this, in two scans/parts.

Here is the complete RemoveIT Pro v7 Enterprise log:

 

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 19/08/2009 on 22:06:38

Microsoft Windows XP Professional Service Pack 3 (Build 2600)

 

22:06:38: Scanning, please wait...

22:13:51: Infected file (Sys32.eempty) D:\WINDOWS\system32\eempty.exe -> No action taken.

22:15:11: Infected file (Sys32.langdll) D:\WINDOWS\system32\langdll.dll -> No action taken.

22:18:12: Infected file (Sys32.xceedbkp) D:\WINDOWS\system32\xceedbkp.dll -> No action taken.

22:19:00: Infected file (Sys32.msajt200) D:\WINDOWS\system\msajt200.dll -> No action taken.

22:19:04: Infected file (Sys32.pev) D:\WINDOWS\pev.exe -> No action taken.

22:19:12: Infected file (Sys32.syssd) D:\WINDOWS\system\syssd.dll -> No action taken.

22:19:15: Infected file (Sys32.vbajet) D:\WINDOWS\system\vbajet.dll -> No action taken.

22:19:48: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.

22:19:49: Infected file (Sys32.gbpdist) D:\Arquivos de programas\GbPlugin\gbpdist.dll -> No action taken.

22:19:49: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.

22:19:51: 10 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

22:20:13: Scanning, please wait...

22:50:10: Infected file (Sys32.vbajet) C:\WINXP\system\VBAJET.DLL -> No action taken.

22:50:10: Infected file (Sys32.msajt200) C:\WINXP\system\MSAJT200.DLL -> No action taken.

22:51:39: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe -> No action taken.

22:51:40: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077916.exe -> No action taken.

22:51:43: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP830\A0079912.exe -> No action taken.

22:59:46: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135402-251.dll -> No action taken.

22:59:46: Infected file (Sys32.gbpdist) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135403-769.dll -> No action taken.

22:59:47: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll -> No action taken.

22:59:47: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll -> No action taken.

22:59:47: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll -> No action taken.

23:04:40: 20 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

Finished...

 

 

Thanks


Look, I can put together a .bat script here to remove those files, but I must warn you that among them there are some backup files that I am not sure are really infected.

So it is up to you.

I await your reply.


Good morning!

Fine, you can post the .bat script; as for the backups, I know which ones they are / they are recent and are infected, as I have already confirmed on VirusTotal. All the results read like this:

 

File A0077916.exe received on 2009.08.21 14:11:34 (UTC)


Result: 4/41 (9.76%)


 

Antivirus Version Last Update Result

a-squared 4.5.0.24 2009.08.21 -

AhnLab-V3 5.0.0.2 2009.08.20 -

AntiVir 7.9.1.3 2009.08.21 -

Antiy-AVL 2.0.3.7 2009.08.21 -

Authentium 5.1.2.4 2009.08.20 -

Avast 4.8.1335.0 2009.08.20 -

AVG 8.5.0.406 2009.08.21 -

BitDefender 7.2 2009.08.21 -

CAT-QuickHeal 10.00 2009.08.21 (Suspicious) - DNAScan

ClamAV 0.94.1 2009.08.21 -

Comodo 2045 2009.08.21 -

DrWeb 5.0.0.12182 2009.08.21 -

eSafe 7.0.17.0 2009.08.20 Suspicious File

eTrust-Vet 31.6.6693 2009.08.21 -

F-Prot 4.4.4.56 2009.08.20 -

F-Secure 8.0.14470.0 2009.08.21 -

Fortinet 3.120.0.0 2009.08.21 PossibleThreat

GData 19 2009.08.21 -

Ikarus T3.1.1.68.0 2009.08.21 -

Jiangmin 11.0.800 2009.08.21 -

K7AntiVirus 7.10.824 2009.08.21 -

Kaspersky 7.0.0.125 2009.08.21 -

McAfee 5715 2009.08.20 -

McAfee+Artemis 5715 2009.08.20 -

McAfee-GW-Edition 6.8.5 2009.08.21 Heuristic.LooksLike.Win32.Backdoor.C

Microsoft 1.4903 2009.08.21 -

NOD32 4355 2009.08.21 -

Norman 6.01.09 2009.08.20 -

nProtect 2009.1.8.0 2009.08.21 -

Panda 10.0.0.14 2009.08.21 -

PCTools 4.4.2.0 2009.08.21 -

Prevx 3.0 2009.08.21 -

Rising 21.43.44.00 2009.08.21 -

Sophos 4.44.0 2009.08.21 -

Sunbelt 3.2.1858.2 2009.08.21 -

Symantec 1.4.4.12 2009.08.21 -

TheHacker 6.3.4.3.384 2009.08.21 -

TrendMicro 8.950.0.1094 2009.08.21 -

VBA32 3.12.10.9 2009.08.20 -

ViRobot 2009.8.21.1895 2009.08.21 -

VirusBuster 4.6.5.0 2009.08.20 -

 

 

Regarding the System Restore items, the same as above, and per the (partial) DDS log below:

 

 

==== Event Viewer Messages From Past Week ========

 

14/08/2009 19:08:27, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0804.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

14/08/2009 19:07:50, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0411.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

14/08/2009 19:07:42, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0404.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

 

 

 

Thanks in advance.


Good morning!

Regarding the System Restore items above, and per the (partial) DDS log below:

 

==== Event Viewer Messages From Past Week ========

 

14/08/2009 19:08:27, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0804.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

14/08/2009 19:07:50, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0411.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

14/08/2009 19:07:42, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0404.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

 

 

 

It matches the (partial) RemoveIT Pro v7 Enterprise log below:

 

 

 

22:51:39: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe -> No action taken.

22:51:40: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077916.exe -> No action taken.

22:51:43: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP830\A0079912.exe -> No action taken.

 

 

 

Thanks


Open Notepad and paste this into it:

@echo off
REM Removes the files flagged by RemoveIT Pro. Every path is quoted: without
REM quotes, DEL splits "Documents and Settings" at the spaces and deletes nothing.
DEL /A /F /Q "D:\WINDOWS\system32\eempty.exe"
DEL /A /F /Q "D:\WINDOWS\system32\langdll.dll"
DEL /A /F /Q "D:\WINDOWS\system32\xceedbkp.dll"
DEL /A /F /Q "D:\WINDOWS\system\msajt200.dll"
DEL /A /F /Q "D:\WINDOWS\pev.exe"
DEL /A /F /Q "D:\WINDOWS\system\syssd.dll"
DEL /A /F /Q "D:\WINDOWS\system\vbajet.dll"
REM Copies of the flagged files inside System Restore points
DEL /A /F /Q "D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe"
DEL /A /F /Q "D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077916.exe"
DEL /A /F /Q "D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP830\A0079912.exe"
REM Backup copies that the poster confirmed as infected on VirusTotal
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135402-251.dll"
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135403-769.dll"
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll"
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll"
DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll"

Save it with the name Remove.bat

and change the file type from txt to all files, as shown in the image below:

[Posted image]

After saving, double-click the file so that the removal runs to completion.

The .bat will act silently, that is, no log or confirmation screen will appear.

After running remove.bat, wait a few moments and restart the PC; once it has restarted, run a scan with your antivirus and see whether any virus shows up.

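As an added example (not from this thread and not part of RemoveIT Pro), the following Python script does what the helper above did by hand: it reads RemoveIT Pro log lines, rejoins paths that the forum rendering wrapped onto a second line, quotes every path for DEL, and keeps the System Restore and backup entries, the ones the helper flagged as needing a judgement call, out of the deletion list as review-only comments. The log sample and all function names are constructed for this example.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the RemoveIT Pro v7 log format seen in the thread.
# Two paths are deliberately wrapped onto a second line, as the forum
# rendering did, so the unwrapping step has something to repair.
SAMPLE_LOG = r"""22:06:38: Scanning, please wait...
22:13:51: Infected file (Sys32.eempty) D:\WINDOWS\system32\eempty.exe -> No action taken.
22:19:04: Infected file (Sys32.pev) D:\WINDOWS\pev.exe -> No action taken.
22:51:39: Infected file (Sys32.pev) D:\System Volume
Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe -> No action taken.
22:59:46: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus
documentos\backups\backup-20090424-135402-251.dll -> No action taken.
23:04:40: 20 Dangerous files has been found on your computer.
Click on "Fix" button to fix selected tasks.
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}: ")
INFECTED = re.compile(r"^(\d{2}:\d{2}:\d{2}): Infected file \(([^)]+)\) (.+?) -> (.+)$")


class Finding(NamedTuple):
    time: str
    signature: str
    path: str
    category: str  # "system", "restore_point" or "backup"


def unwrap(text: str) -> List[str]:
    """Rejoin log records that were split across lines.

    A record starts with an HH:MM:SS timestamp. A line without one is the
    continuation of an 'Infected file' record whose path was wrapped; we can
    recognise that record because it has no '->' outcome yet.
    """
    records: List[str] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        pending = bool(records) and "Infected file" in records[-1] and "->" not in records[-1]
        if pending and not TIMESTAMP.match(line):
            records[-1] += " " + line  # the wrap removed exactly one space
        else:
            records.append(line)
    return records


def categorize(path: str) -> str:
    """Separate locations where deletion needs a second look from ordinary ones."""
    low = path.lower()
    if "\\system volume information\\" in low:
        return "restore_point"
    name = low.rsplit("\\", 1)[-1]
    if "\\backups\\" in low or name.startswith("backup-"):
        return "backup"
    return "system"


def parse_findings(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for record in unwrap(text):
        m = INFECTED.match(record)
        if m:
            time, signature, path, _action = m.groups()
            findings.append(Finding(time, signature, path, categorize(path)))
    return findings


def build_removal_script(findings: List[Finding]) -> str:
    """Emit a Remove.bat: quoted DEL lines for ordinary locations, and
    review-only REM lines for restore points and backups, which should be
    checked (for instance on VirusTotal, as the poster did) before deletion.
    Duplicate paths are dropped because both scan passes may report a file."""
    lines = ["@echo off"]
    seen = set()
    for f in findings:
        key = f.path.lower()
        if key in seen:
            continue
        seen.add(key)
        if f.category == "system":
            lines.append(f'DEL /A /F /Q "{f.path}"')
        else:
            lines.append(f"REM REVIEW [{f.category}] ({f.signature}) {f.path}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_removal_script(parse_findings(SAMPLE_LOG)))
```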

Good afternoon!

Which of the files below are legitimate?

Just these:

 

C:\WINDOWS\system32\more.com

C:\WINDOWS\system32\format.com

C:\WINDOWS\system32\tree.com

C:\WINXP\system32\format.com

C:\WINXP\system32\more.com

C:\WINXP\system32\tree.com

D:\WINDOWS\system32\mstask.dll

D:\WINDOWS\system32\ntshrui.dll


Good afternoon!

Now only these remain:

 

D:\Arquivos de programas\GbPlugin\gbiehcef.dll

D:\Arquivos de programas\GbPlugin\gbpsv.exe

D:\!KillBox\GbpSv.exe

D:\!KillBox\backup-20090424-135402-251.dll

D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll

D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll

D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll

C:\WINDOWS\system32\more.com

C:\WINDOWS\system32\format.com

C:\WINDOWS\system32\tree.com

C:\WINXP\system32\format.com

C:\WINXP\system32\more.com

C:\WINXP\system32\tree.com

D:\WINDOWS\system32\mstask.dll

D:\WINDOWS\system32\ntshrui.dll

 

 

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 21/08/2009 on 13:21:36

Microsoft Windows XP Professional Service Pack 3 (Build 2600)

 

13:21:36: Scanning, please wait...

13:36:59: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.

13:37:00: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.

13:37:02: 2 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

13:37:12: Scanning, please wait...

13:44:33: Infected file (Sys32.gbpsv) D:\!KillBox\GbpSv.exe -> No action taken.

13:44:33: Infected file (Sys32.gbiehcef) D:\!KillBox\backup-20090424-135402-251.dll -> No action taken.

13:47:09: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll -> No action taken.

13:47:10: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll -> No action taken.

13:47:10: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll -> No action taken.

13:48:34: 7 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

Finished...

 

 

Thanks


Good afternoon!

 


Here is the AVZ Antiviral Toolkit log:

 

Attention !!! Database was last updated 08/02/2009 it is necessary to update the bases using automatic updates (File/Database update)

AVZ Antiviral Toolkit log; AVZ version is 4.30

Scanning started at 21/08/2009 13:35:54

Database loaded: signatures - 209302, NN profile(s) - 2, microprograms of healing - 56, signature database released 08.02.2009 18:56

Heuristic microprograms loaded: 372

SPV microprograms loaded: 9

Digital signatures of system files loaded: 91560

Heuristic analyzer mode: Maximum heuristics level

Healing mode: disabled

Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights

System Restore: enabled

1. Searching for Rootkits and programs intercepting API functions

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Analysis: ntdll.dll, export table found in section .text

Analysis: user32.dll, export table found in section .text

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Analysis: wininet.dll, export table found in section .text

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.2 Searching for kernel-mode API hooks

Driver loaded successfully

SDT found (RVA=083220)

Kernel ntoskrnl.exe found in memory at address 804D7000

SDT = 8055A220

KiST = 804E26A8 (284)

Functions checked: 284, intercepted: 0, restored: 0

1.3 Checking IDT and SYSENTER

Analysis for CPU 1

Checking IDT and SYSENTER - complete

1.4 Searching for masking processes and drivers

Checking not performed: extended monitoring driver (AVZPM) is not installed

Driver loaded successfully

1.5 Checking of IRP handlers

Checking - complete

2. Scanning memory

Number of processes found: 31

Analyzer: process under analysis is 936 D:\WINDOWS\system32\winlogon.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Located in system folder

Analyzer: process under analysis is 1180 D:\ARQUIV~1\GbPlugin\GbpSv.exe

[ES]:Application has no visible windows

[ES]:EXE runtime packer ?

Analyzer: process under analysis is 196 D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 320 D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

[ES]:Contains network functionality

[ES]:Listens on TCP ports !

[ES]:Listens on HTTP ports !

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 336 D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

Process d:\arquivos de programas\windows live\messenger\msnmsgr.exe Contains network functionality (inetres.dll)

Analyzer: process under analysis is 364 D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

Analyzer: process under analysis is 768 D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

Analyzer: process under analysis is 892 D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

[ES]:Application has no visible windows

[ES]:EXE runtime packer ?

Analyzer: process under analysis is 1648 D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 2224 D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe

[ES]:Contains network functionality

[ES]:Listens on HTTP ports !

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 3736 D:\WINDOWS\system32\notepad.exe

[ES]:Located in system folder

Number of modules loaded: 394

Scanning memory - complete

3. Scanning disks

C:\WINDOWS\system32\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINDOWS\system32\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINDOWS\system32\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINXP\system32\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINXP\system32\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINXP\system32\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

4. Checking Winsock Layered Service Provider (SPI/LSP)

LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

D:\WINDOWS\system32\mstask.dll --> Suspicion for Keylogger or Trojan DLL

D:\WINDOWS\system32\mstask.dll>>> Behavioural analysis

Behaviour typical for keyloggers not detected

D:\WINDOWS\system32\ntshrui.dll --> Suspicion for Keylogger or Trojan DLL

D:\WINDOWS\system32\ntshrui.dll>>> Behavioural analysis

Behaviour typical for keyloggers not detected

Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs

6. Searching for opened TCP/UDP ports used by malicious programs

Checking disabled by user

7. Heuristic system check

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)

>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)

>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)

>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

>> Security: sending Remote Assistant queries is enabled

Checking - complete

9. Troubleshooting wizard

>> HDD autorun are allowed

>> Autorun from network drives are allowed

>> Removable media autorun are allowed

Checking - complete

Files scanned: 110107, extracted from archives: 85568, malicious software found 0, suspicions - 0

Scanning finished at 21/08/2009 14:40:12

Time of scanning: 01:05:43

If you have a suspicion on presence of viruses or questions on the suspected objects,

you can address http://virusinfo.info conference

 

 


Thanks


These are system files:

C:\WINDOWS\system32\more.com

C:\WINDOWS\system32\format.com

C:\WINDOWS\system32\tree.com

C:\WINXP\system32\format.com

C:\WINXP\system32\more.com

C:\WINXP\system32\tree.com

As for the other files, do a Google search and you will see which ones are legitimate.

Another thing: you opened a topic on Linha Defensiva and on PC Fórum, so my support for you ends here.


Good afternoon!

Wouldn't those be old topics about Pandex rootkits (in malware removal)?

As for this subject on Linha, fine, but on PC Fórum I did not open one.

Well, you have already helped me a great deal. Thank you for all your attention.


Good afternoon!

As I had already confirmed and expressed my thanks above, the end of this topic was quite conclusive, and as the current RemoveIT Pro v7 Enterprise log below shows, it already gave a good cleanup.

 

 

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 21/08/2009 on 17:23:49

Microsoft Windows XP Professional Service Pack 3 (Build 2600)

 

17:23:49: Scanning, please wait...

17:38:43: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.

17:38:43: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.

17:38:46: 2 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

17:38:54: Scanning, please wait...

17:51:05: 2 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

Finished...

 

 

Please close this topic. Case solved.

 

 

Thank you for all your attention and for the space granted here.


Good evening!

As per the current AVZ Antiviral Toolkit log, it is clean of trojans.

 

 

AVZ Antiviral Toolkit log; AVZ version is 4.32

Scanning started at 21/08/2009 18:10:43

Database loaded: signatures - 237871, NN profile(s) - 2, malware removal microprograms - 56, signature database released 21.08.2009 14:23

Heuristic microprograms loaded: 374

PVS microprograms loaded: 9

Digital signatures of system files loaded: 135524

Heuristic analyzer mode: Medium heuristics mode

Malware removal mode: disabled

Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights

System Restore: enabled

1. Searching for Rootkits and other software intercepting API functions

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Analysis: ntdll.dll, export table found in section .text

Analysis: user32.dll, export table found in section .text

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Analysis: wininet.dll, export table found in section .text

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.2 Searching for kernel-mode API hooks

Driver loaded successfully

SDT found (RVA=083220)

Kernel ntoskrnl.exe found in memory at address 804D7000

SDT = 8055A220

KiST = 804E26A8 (284)

Function NtClose (19) intercepted (805678DD->EBC79FFC), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtCreateFile (25) intercepted (8056CDC0->EBC7DC14), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtCreateKey (29) intercepted (8057065D->F8377826), hook not defined

Function NtCreateSection (32) intercepted (805652B3->EBC7EBF6), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtCreateThread (35) intercepted (8058E64B->F837781C), hook not defined

Function NtDebugActiveProcess (39) intercepted (8065B1B9->EBC7F282), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtDeleteFile (3E) intercepted (805D801B->EBC7DF8A), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtDeleteKey (3F) intercepted (805952CA->F837782B), hook not defined

Function NtDeleteValueKey (41) intercepted (80592D5C->F8377835), hook not defined

Function NtDeviceIoControlFile (42) intercepted (8058EFB9->EBC7A1FE), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtDuplicateObject (44) intercepted (805715E0->EBC7D58E), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtFsControlFile (54) intercepted (8057AAB5->EBC7A036), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtInitiatePowerAction (5D) intercepted (8062BF67->EBC79D74), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtLoadDriver (61) intercepted (805A3B01->EBC7CF84), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtLoadKey (62) intercepted (805AED6D->F837783A), hook not defined

Function NtMakeTemporaryObject (69) intercepted (8059F8D2->EBC79EC4), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtOpenFile (74) intercepted (8056CD5B->EBC7DA46), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtOpenProcess (7A) intercepted (805717C7->F8377808), hook not defined

Function NtOpenSection (7D) intercepted (80570FD7->EBC7A3C6), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtOpenThread (80) intercepted (8058A1C9->F837780D), hook not defined

Function NtProtectVirtualMemory (89) intercepted (80571CB1->EBC8004A), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtQueueApcThread (B4) intercepted (80591097->EBC7F950), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtReadVirtualMemory (BA) intercepted (8057E2D8->EBC7A570), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtRenameKey (C0) intercepted (8064E77C->EBC7B5CC), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtReplaceKey (C1) intercepted (8064F0DC->F8377844), hook not defined

Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->EBC7D3A0), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtRestoreKey (CC) intercepted (8064EC71->F837783F), hook not defined

Function NtSetContextThread (D5) intercepted (8062DD17->EBC7FDF6), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetInformationFile (E0) intercepted (8057494A->EBC7E42C), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetInformationProcess (E4) intercepted (8056DC01->EBC7F36C), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetSystemInformation (F0) intercepted (805A7BED->EBC7D0E6), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetSystemPowerState (F1) intercepted (8066768B->EBC79E1E), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetSystemTime (F2) intercepted (80647A2B->EBC79C24), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetValueKey (F7) intercepted (80572889->F8377830), hook not defined

Function NtShutdownSystem (F9) intercepted (80647177->EBC79CF4), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSuspendProcess (FD) intercepted (8062F8F9->EBC7F19C), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSuspendThread (FE) intercepted (805E046E->EBC7FCDA), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSystemDebugControl (FF) intercepted (80649CD9->EBC79B86), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtTerminateProcess (101) intercepted (805822EC->F8377817), hook not defined

Function NtTerminateThread (102) intercepted (8057B88F->EBC7FB9E), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtUnmapViewOfSection (10B) intercepted (805736E6->EBC7EACA), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtWriteFile (112) intercepted (80574BF5->EBC7E104), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtWriteFileGather (113) intercepted (805DA475->EBC7E298), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtWriteVirtualMemory (115) intercepted (8057E42A->EBC7FF12), hook d:\windows\system32\drivers\lgalcafo.sys

Functions checked: 284, intercepted: 44, restored: 0

1.3 Checking IDT and SYSENTER

Analyzing CPU 1

Checking IDT and SYSENTER - complete

1.4 Searching for masking processes and drivers

Checking not performed: extended monitoring driver (AVZPM) is not installed

Driver loaded successfully

1.5 Checking IRP handlers

Checking - complete

2. Scanning RAM

Number of processes found: 30

Number of modules loaded: 377

Scanning RAM - complete

3. Scanning disks

4. Checking Winsock Layered Service Provider (SPI/LSP)

LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

6. Searching for opened TCP/UDP ports used by malicious software

Checking - disabled by user

7. Heuristic system check

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)

>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)

>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)

>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

>> Security: sending Remote Assistant queries is enabled

Checking - complete

9. Troubleshooting wizard

Checking - complete

Files scanned: 110081, extracted from archives: 85568, malicious software found 0, suspicions - 0

Scanning finished at 21/08/2009 18:54:24

Time of scanning: 00:43:42

If you have a suspicion on presence of viruses or questions on the suspected objects,

you can address http://virusinfo.info conference

 

 

Thank you very much. Case solved.


Good morning!

Why is the edit option always missing?

RemoveIT Pro v7 Enterprise log all clean, with no banking plugins or trojans.

 

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 22/08/2009 on 01:48:35

Microsoft Windows XP Professional Service Pack 3 (Build 2600)

 

01:48:35: Scanning, please wait...

02:05:07: Your computer is clean!

Finished...

 

[Posted image]

 

 

 

 

Thanks


EDSSX, is the topic solved?

In some posts you say it is solved, but then you come back and post a question again!

If the question is related to infections, post it in Security and Malware.

Thanks


Good afternoon!

Topic solved! I posted the logs above to confirm that everything is clean compared with what was clearly shown at the beginning.

Thanks

