Archived

This topic is now archived and is closed to further replies.

EDSSX

[Resolved] Registry key blocking MSN?

Good morning!

Why did the edit option disappear?

This software generates the log this way, in two scans/parts.

Here is the complete RemoveIT Pro v7 Enterprise log:


RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 19/08/2009 on 22:06:38

Microsoft Windows XP Professional Service Pack 3 (Build 2600)

 

22:06:38: Scanning, please wait...

22:13:51: Infected file (Sys32.eempty) D:\WINDOWS\system32\eempty.exe -> No action taken.

22:15:11: Infected file (Sys32.langdll) D:\WINDOWS\system32\langdll.dll -> No action taken.

22:18:12: Infected file (Sys32.xceedbkp) D:\WINDOWS\system32\xceedbkp.dll -> No action taken.

22:19:00: Infected file (Sys32.msajt200) D:\WINDOWS\system\msajt200.dll -> No action taken.

22:19:04: Infected file (Sys32.pev) D:\WINDOWS\pev.exe -> No action taken.

22:19:12: Infected file (Sys32.syssd) D:\WINDOWS\system\syssd.dll -> No action taken.

22:19:15: Infected file (Sys32.vbajet) D:\WINDOWS\system\vbajet.dll -> No action taken.

22:19:48: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.

22:19:49: Infected file (Sys32.gbpdist) D:\Arquivos de programas\GbPlugin\gbpdist.dll -> No action taken.

22:19:49: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.

22:19:51: 10 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

22:20:13: Scanning, please wait...

22:50:10: Infected file (Sys32.vbajet) C:\WINXP\system\VBAJET.DLL -> No action taken.

22:50:10: Infected file (Sys32.msajt200) C:\WINXP\system\MSAJT200.DLL -> No action taken.

22:51:39: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe -> No action taken.

22:51:40: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077916.exe -> No action taken.

22:51:43: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP830\A0079912.exe -> No action taken.

22:59:46: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135402-251.dll -> No action taken.

22:59:46: Infected file (Sys32.gbpdist) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135403-769.dll -> No action taken.

22:59:47: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll -> No action taken.

22:59:47: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll -> No action taken.

22:59:47: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll -> No action taken.

23:04:40: 20 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

Finished...

 

 

Thanks

Look, I can put together a .bat script here to remove those files, but I should warn you that among them there are some backup files that I'm not sure are really infected.

So it's up to you.

I await your reply.

Good morning!

Fine, go ahead and post the .bat script; as for the backups, I know which ones they are, they are recent and they are infected, as I have already confirmed on VirusTotal. All the results look like this:

 

Arquivo A0077916.exe recebido em 2009.08.21 14:11:34 (UTC)


Resultado: 4/41 (9.76%)


Antivírus Versão Última Atualização Resultado

a-squared 4.5.0.24 2009.08.21 -

AhnLab-V3 5.0.0.2 2009.08.20 -

AntiVir 7.9.1.3 2009.08.21 -

Antiy-AVL 2.0.3.7 2009.08.21 -

Authentium 5.1.2.4 2009.08.20 -

Avast 4.8.1335.0 2009.08.20 -

AVG 8.5.0.406 2009.08.21 -

BitDefender 7.2 2009.08.21 -

CAT-QuickHeal 10.00 2009.08.21 (Suspicious) - DNAScan

ClamAV 0.94.1 2009.08.21 -

Comodo 2045 2009.08.21 -

DrWeb 5.0.0.12182 2009.08.21 -

eSafe 7.0.17.0 2009.08.20 Suspicious File

eTrust-Vet 31.6.6693 2009.08.21 -

F-Prot 4.4.4.56 2009.08.20 -

F-Secure 8.0.14470.0 2009.08.21 -

Fortinet 3.120.0.0 2009.08.21 PossibleThreat

GData 19 2009.08.21 -

Ikarus T3.1.1.68.0 2009.08.21 -

Jiangmin 11.0.800 2009.08.21 -

K7AntiVirus 7.10.824 2009.08.21 -

Kaspersky 7.0.0.125 2009.08.21 -

McAfee 5715 2009.08.20 -

McAfee+Artemis 5715 2009.08.20 -

McAfee-GW-Edition 6.8.5 2009.08.21 Heuristic.LooksLike.Win32.Backdoor.C

Microsoft 1.4903 2009.08.21 -

NOD32 4355 2009.08.21 -

Norman 6.01.09 2009.08.20 -

nProtect 2009.1.8.0 2009.08.21 -

Panda 10.0.0.14 2009.08.21 -

PCTools 4.4.2.0 2009.08.21 -

Prevx 3.0 2009.08.21 -

Rising 21.43.44.00 2009.08.21 -

Sophos 4.44.0 2009.08.21 -

Sunbelt 3.2.1858.2 2009.08.21 -

Symantec 1.4.4.12 2009.08.21 -

TheHacker 6.3.4.3.384 2009.08.21 -

TrendMicro 8.950.0.1094 2009.08.21 -

VBA32 3.12.10.9 2009.08.20 -

ViRobot 2009.8.21.1895 2009.08.21 -

VirusBuster 4.6.5.0 2009.08.20 -

 

 

As for the System Restore items, same as above, and per the (partial) DDS log below:

 

 

==== Event Viewer Messages From Past Week ========

 

14/08/2009 19:08:27, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0804.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

14/08/2009 19:07:50, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0411.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

14/08/2009 19:07:42, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0404.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

 

 

 

Thanks in advance.

Good morning!

Regarding the System Restore items above, and per the (partial) DDS log below:

 

==== Event Viewer Messages From Past Week ========

 

14/08/2009 19:08:27, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0804.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

14/08/2009 19:07:50, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0411.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

14/08/2009 19:07:42, Informações: Windows File Protection [64001] - Tentativa de substituição do arquivo no arquivo do sistema protegido agt0404.dll. Esse arquivo foi restaurado para a versão original para manter a estabilidade do sistema. A versão do arquivo inválido é 2.0.0.2115, a versão do arquivo do sistema é 2.0.0.3422.

 

 

 

This matches the (partial) RemoveIT Pro v7 Enterprise log below:

 

 

 

22:51:39: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe -> No action taken.

22:51:40: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077916.exe -> No action taken.

22:51:43: Infected file (Sys32.pev) D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP830\A0079912.exe -> No action taken.

 

 

 

Thanks

Open Notepad and paste the following into it:

@echo off

REM Paths that contain spaces must be quoted, otherwise DEL splits them into several arguments.

DEL /A /F /Q "D:\WINDOWS\system32\eempty.exe"

DEL /A /F /Q "D:\WINDOWS\system32\langdll.dll"

DEL /A /F /Q "D:\WINDOWS\system32\xceedbkp.dll"

DEL /A /F /Q "D:\WINDOWS\system\msajt200.dll"

DEL /A /F /Q "D:\WINDOWS\pev.exe"

DEL /A /F /Q "D:\WINDOWS\system\syssd.dll"

DEL /A /F /Q "D:\WINDOWS\system\vbajet.dll"

DEL /A /F /Q "D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077852.exe"

DEL /A /F /Q "D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP826\A0077916.exe"

DEL /A /F /Q "D:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP830\A0079912.exe"

DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135402-251.dll"

DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135403-769.dll"

DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll"

DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll"

DEL /A /F /Q "D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll"

Save it with the name Remove.bat

Change the file type from txt to all files, as shown in the image below:

Posted image

After saving, double-click the file so that the removal runs to completion.

The .bat runs silently, that is, it will not show any log or confirmation screen.

After running remove.bat, wait a few moments and restart the PC; once it has restarted, run a scan with your antivirus and check whether any virus still shows up.
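One way to produce that removal script from the RemoveIT log itself instead of by hand, as an added example that is not part of the thread and is not code from RemoveIT Pro or from the helper: the Python below parses the "Infected file" records (re-joining paths that the pasted log wrapped onto a second line), drops duplicate hits, tags restore-point and backup entries so the caveat about backups can be acted on, and writes a batch file. It quotes every path, which cmd.exe needs for paths containing spaces such as `D:\System Volume Information`, and it moves the files into a quarantine folder instead of deleting them so a false positive can be put back. The sample log, the `D:\Quarantine` folder and the `{GUID}` placeholder are constructed for the example.

```python
"""Build a quarantine batch file from a RemoveIT Pro "Infected file" log.

Added example for this thread; not code from RemoveIT Pro or from the helper.
Assumed record format (as seen in the thread):
    HH:MM:SS: Infected file (<name>) <path> -> <action>
"""
import re
from collections import OrderedDict

# Constructed sample log: a wrapped restore-point path, a wrapped backup path
# and one duplicate hit. {GUID} stands in for a real restore-point GUID.
SAMPLE_LOG = r"""22:06:38: Scanning, please wait...
22:13:51: Infected file (Sys32.eempty) D:\WINDOWS\system32\eempty.exe -> No action taken.
22:51:39: Infected file (Sys32.pev) D:\System Volume
Information\_restore{GUID}\RP826\A0077852.exe -> No action taken.
22:59:46: Infected file (Sys32.gbiehcef) D:\Documents and Settings\user\Meus
documentos\backups\backup-20090424-135402-251.dll -> No action taken.
22:13:51: Infected file (Sys32.eempty) D:\WINDOWS\system32\eempty.exe -> No action taken.
23:04:40: 4 Dangerous files has been found on your computer.
"""

ENTRY = re.compile(
    r"^\d{2}:\d{2}:\d{2}: Infected file \((?P<name>[^)]+)\) (?P<path>.+?) -> (?P<action>.+)$"
)


def unwrap(lines):
    """Re-join records that a paste wrapped: an 'Infected file' line with no
    '->' is incomplete, so following lines are appended (with the space the
    wrap swallowed) until the '->' marker appears."""
    out, pending = [], None
    for line in lines:
        line = line.rstrip()
        if pending is not None:
            pending = pending + " " + line
            if "->" in line:
                out.append(pending)
                pending = None
        elif "Infected file" in line and "->" not in line:
            pending = line
        else:
            out.append(line)
    if pending is not None:  # log cut off mid-record: keep what we have
        out.append(pending)
    return out


def parse_entries(text):
    """Map path -> detection name; first occurrence wins, log order is kept."""
    hits = OrderedDict()
    for line in unwrap(text.splitlines()):
        m = ENTRY.match(line)
        if m:
            hits.setdefault(m.group("path"), m.group("name"))
    return hits


def classify(path):
    """Tag restore-point copies and the backup files the thread's caveat is
    about, so whoever reads the .bat sees what each line touches."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore-point"
    if "\\backups\\" in p:
        return "backup"
    return "file"


def quarantine_script(hits, quarantine=r"D:\Quarantine"):
    """Emit a .bat that MOVEs each hit into the quarantine folder (an assumed
    path) and records where it came from, so anything can be restored.
    Every path is quoted: unquoted, a path with spaces (D:\\System Volume
    Information\\...) is split into several arguments by cmd.exe."""
    lines = ["@echo off", f'if not exist "{quarantine}" mkdir "{quarantine}"']
    for i, (path, name) in enumerate(hits.items(), 1):
        base = path.rsplit("\\", 1)[-1]
        target = f"{quarantine}\\{i:02d}-{base}"  # index avoids name collisions
        lines.append(f"REM [{classify(path)}] {name}")
        lines.append(f'echo {target} from {path} >> "{quarantine}\\manifest.txt"')
        lines.append(f'move /Y "{path}" "{target}" || echo FAILED: {path}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(quarantine_script(parse_entries(SAMPLE_LOG)))
```

Run it against a saved RemoveIT log by replacing `SAMPLE_LOG` with the file's contents; the generated `.bat` is then reviewed line by line (the `REM [backup]` tags mark the entries worth double-checking) before it is executed.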

Good afternoon!

Which of the files below are legitimate?

Only these:

 

C:\WINDOWS\system32\more.com

C:\WINDOWS\system32\format.com

C:\WINDOWS\system32\tree.com

C:\WINXP\system32\format.com

C:\WINXP\system32\more.com

C:\WINXP\system32\tree.com

D:\WINDOWS\system32\mstask.dll

D:\WINDOWS\system32\ntshrui.dll


Good afternoon!

Now only these remain:

 

D:\Arquivos de programas\GbPlugin\gbiehcef.dll

D:\Arquivos de programas\GbPlugin\gbpsv.exe

D:\!KillBox\GbpSv.exe -

D:\!KillBox\backup-20090424-135402-251.dll

D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll

D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll

D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll

C:\WINDOWS\system32\more.com

C:\WINDOWS\system32\format.com

C:\WINDOWS\system32\tree.com

C:\WINXP\system32\format.com

C:\WINXP\system32\more.com

C:\WINXP\system32\tree.com

D:\WINDOWS\system32\mstask.dll

D:\WINDOWS\system32\ntshrui.dll

 

 

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 21/08/2009 on 13:21:36

Microsoft Windows XP Professional Service Pack 3 (Build 2600)

 

13:21:36: Scanning, please wait...

13:36:59: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.

13:37:00: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.

13:37:02: 2 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

13:37:12: Scanning, please wait...

13:44:33: Infected file (Sys32.gbpsv) D:\!KillBox\GbpSv.exe -> No action taken.

13:44:33: Infected file (Sys32.gbiehcef) D:\!KillBox\backup-20090424-135402-251.dll -> No action taken.

13:47:09: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll -> No action taken.

13:47:10: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll -> No action taken.

13:47:10: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll -> No action taken.

13:48:34: 7 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

Finished...

 

 

Thanks

Good afternoon!

Now only these remain:

 

D:\Arquivos de programas\GbPlugin\gbiehcef.dll

D:\Arquivos de programas\GbPlugin\gbpsv.exe

D:\!KillBox\GbpSv.exe -

D:\!KillBox\backup-20090424-135402-251.dll

D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll

D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll

D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll

C:\WINDOWS\system32\more.com

C:\WINDOWS\system32\format.com

C:\WINDOWS\system32\tree.com

C:\WINXP\system32\format.com

C:\WINXP\system32\more.com

C:\WINXP\system32\tree.com

D:\WINDOWS\system32\mstask.dll

D:\WINDOWS\system32\ntshrui.dll

 

 

 

Here is the AVZ Antiviral Toolkit log:

 

Attention !!! Database was last updated 08/02/2009 it is necessary to update the bases using automatic updates (File/Database update)

AVZ Antiviral Toolkit log; AVZ version is 4.30

Scanning started at 21/08/2009 13:35:54

Database loaded: signatures - 209302, NN profile(s) - 2, microprograms of healing - 56, signature database released 08.02.2009 18:56

Heuristic microprograms loaded: 372

SPV microprograms loaded: 9

Digital signatures of system files loaded: 91560

Heuristic analyzer mode: Maximum heuristics level

Healing mode: disabled

Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights

System Restore: enabled

1. Searching for Rootkits and programs intercepting API functions

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Analysis: ntdll.dll, export table found in section .text

Analysis: user32.dll, export table found in section .text

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Analysis: wininet.dll, export table found in section .text

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.2 Searching for kernel-mode API hooks

Driver loaded successfully

SDT found (RVA=083220)

Kernel ntoskrnl.exe found in memory at address 804D7000

SDT = 8055A220

KiST = 804E26A8 (284)

Functions checked: 284, intercepted: 0, restored: 0

1.3 Checking IDT and SYSENTER

Analysis for CPU 1

Checking IDT and SYSENTER - complete

1.4 Searching for masking processes and drivers

Checking not performed: extended monitoring driver (AVZPM) is not installed

Driver loaded successfully

1.5 Checking of IRP handlers

Checking - complete

2. Scanning memory

Number of processes found: 31

Analyzer: process under analysis is 936 D:\WINDOWS\system32\winlogon.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Located in system folder

Analyzer: process under analysis is 1180 D:\ARQUIV~1\GbPlugin\GbpSv.exe

[ES]:Application has no visible windows

[ES]:EXE runtime packer ?

Analyzer: process under analysis is 196 D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 320 D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

[ES]:Contains network functionality

[ES]:Listens on TCP ports !

[ES]:Listens on HTTP ports !

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 336 D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

Process d:\arquivos de programas\windows live\messenger\msnmsgr.exe Contains network functionality (inetres.dll)

Analyzer: process under analysis is 364 D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe

[ES]:Application has no visible windows

[ES]:Registered in autoruns !!

Analyzer: process under analysis is 768 D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

Analyzer: process under analysis is 892 D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

[ES]:Application has no visible windows

[ES]:EXE runtime packer ?

Analyzer: process under analysis is 1648 D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

[ES]:Contains network functionality

[ES]:Application has no visible windows

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 2224 D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe

[ES]:Contains network functionality

[ES]:Listens on HTTP ports !

[ES]:Loads RASAPI DLL - may use dialing ?

Analyzer: process under analysis is 3736 D:\WINDOWS\system32\notepad.exe

[ES]:Located in system folder

Number of modules loaded: 394

Scanning memory - complete

3. Scanning disks

C:\WINDOWS\system32\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINDOWS\system32\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINDOWS\system32\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINXP\system32\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINXP\system32\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

C:\WINXP\system32\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)

4. Checking Winsock Layered Service Provider (SPI/LSP)

LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

D:\WINDOWS\system32\mstask.dll --> Suspicion for Keylogger or Trojan DLL

D:\WINDOWS\system32\mstask.dll>>> Behavioural analysis

Behaviour typical for keyloggers not detected

D:\WINDOWS\system32\ntshrui.dll --> Suspicion for Keylogger or Trojan DLL

D:\WINDOWS\system32\ntshrui.dll>>> Behavioural analysis

Behaviour typical for keyloggers not detected

Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs

6. Searching for opened TCP/UDP ports used by malicious programs

Checking disabled by user

7. Heuristic system check

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)

>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)

>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)

>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

>> Security: sending Remote Assistant queries is enabled

Checking - complete

9. Troubleshooting wizard

>> HDD autorun are allowed

>> Autorun from network drives are allowed

>> Removable media autorun are allowed

Checking - complete

Files scanned: 110107, extracted from archives: 85568, malicious software found 0, suspicions - 0

Scanning finished at 21/08/2009 14:40:12

Time of scanning: 01:05:43

If you have a suspicion on presence of viruses or questions on the suspected objects,

you can address http://virusinfo.info conference

 

 

Here is the RemoveIT Pro v7 Enterprise log:

 

 

 

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 21/08/2009 on 13:21:36

Microsoft Windows XP Professional Service Pack 3 (Build 2600)

 

13:21:36: Scanning, please wait...

13:36:59: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.

13:37:00: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.

13:37:02: 2 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

13:37:12: Scanning, please wait...

13:44:33: Infected file (Sys32.gbpsv) D:\!KillBox\GbpSv.exe -> No action taken.

13:44:33: Infected file (Sys32.gbiehcef) D:\!KillBox\backup-20090424-135402-251.dll -> No action taken.

13:47:09: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135520-468.dll -> No action taken.

13:47:10: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135554-845.dll -> No action taken.

13:47:10: Infected file (Sys32.gbiehcef) D:\Documents and Settings\edsom luis\Meus documentos\backups\backup-20090424-135626-168.dll -> No action taken.

13:48:34: 7 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

Finished...

 

 

 

 

 

Thanks

These are system files:

C:\WINDOWS\system32\more.com

C:\WINDOWS\system32\format.com

C:\WINDOWS\system32\tree.com

C:\WINXP\system32\format.com

C:\WINXP\system32\more.com

C:\WINXP\system32\tree.com

As for the other files, do a Google search and you will see which ones are legitimate.

Another point: you opened a topic on Linha Defensiva and PC Fórum, so my support to you ends here.

Good afternoon!

Wouldn't those be old topics about Pandex rootkits (in malware removal)?

As for this subject, on Linha Defensiva that's right, but on PC Fórum I did not open one.

Well, you have already helped me a great deal. Thank you for all your attention.

Good afternoon!

As I had already confirmed and thanked you for above, the end of this topic was already quite conclusive, and per the current RemoveIT Pro v7 Enterprise log below it has already done a good cleanup.

 

 

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 21/08/2009 on 17:23:49

Microsoft Windows XP Professional Service Pack 3 (Build 2600)

 

17:23:49: Scanning, please wait...

17:38:43: Infected file (Sys32.gbiehcef) D:\Arquivos de programas\GbPlugin\gbiehcef.dll -> No action taken.

17:38:43: Infected file (Sys32.gbpsv) D:\Arquivos de programas\GbPlugin\gbpsv.exe -> No action taken.

17:38:46: 2 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

17:38:54: Scanning, please wait...

17:51:05: 2 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

Finished...

 

 

Kindly close this topic. Case resolved.

Thank you for all your attention and for the space granted here.

Good evening!

Per the current AVZ Antiviral Toolkit log, clean of trojans.

 

 

AVZ Antiviral Toolkit log; AVZ version is 4.32

Scanning started at 21/08/2009 18:10:43

Database loaded: signatures - 237871, NN profile(s) - 2, malware removal microprograms - 56, signature database released 21.08.2009 14:23

Heuristic microprograms loaded: 374

PVS microprograms loaded: 9

Digital signatures of system files loaded: 135524

Heuristic analyzer mode: Medium heuristics mode

Malware removal mode: disabled

Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights

System Restore: enabled

1. Searching for Rootkits and other software intercepting API functions

1.1 Searching for user-mode API hooks

Analysis: kernel32.dll, export table found in section .text

Analysis: ntdll.dll, export table found in section .text

Analysis: user32.dll, export table found in section .text

Analysis: advapi32.dll, export table found in section .text

Analysis: ws2_32.dll, export table found in section .text

Analysis: wininet.dll, export table found in section .text

Analysis: rasapi32.dll, export table found in section .text

Analysis: urlmon.dll, export table found in section .text

Analysis: netapi32.dll, export table found in section .text

1.2 Searching for kernel-mode API hooks

Driver loaded successfully

SDT found (RVA=083220)

Kernel ntoskrnl.exe found in memory at address 804D7000

SDT = 8055A220

KiST = 804E26A8 (284)

Function NtClose (19) intercepted (805678DD->EBC79FFC), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtCreateFile (25) intercepted (8056CDC0->EBC7DC14), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtCreateKey (29) intercepted (8057065D->F8377826), hook not defined

Function NtCreateSection (32) intercepted (805652B3->EBC7EBF6), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtCreateThread (35) intercepted (8058E64B->F837781C), hook not defined

Function NtDebugActiveProcess (39) intercepted (8065B1B9->EBC7F282), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtDeleteFile (3E) intercepted (805D801B->EBC7DF8A), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtDeleteKey (3F) intercepted (805952CA->F837782B), hook not defined

Function NtDeleteValueKey (41) intercepted (80592D5C->F8377835), hook not defined

Function NtDeviceIoControlFile (42) intercepted (8058EFB9->EBC7A1FE), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtDuplicateObject (44) intercepted (805715E0->EBC7D58E), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtFsControlFile (54) intercepted (8057AAB5->EBC7A036), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtInitiatePowerAction (5D) intercepted (8062BF67->EBC79D74), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtLoadDriver (61) intercepted (805A3B01->EBC7CF84), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtLoadKey (62) intercepted (805AED6D->F837783A), hook not defined

Function NtMakeTemporaryObject (69) intercepted (8059F8D2->EBC79EC4), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtOpenFile (74) intercepted (8056CD5B->EBC7DA46), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtOpenProcess (7A) intercepted (805717C7->F8377808), hook not defined

Function NtOpenSection (7D) intercepted (80570FD7->EBC7A3C6), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtOpenThread (80) intercepted (8058A1C9->F837780D), hook not defined

Function NtProtectVirtualMemory (89) intercepted (80571CB1->EBC8004A), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtQueueApcThread (B4) intercepted (80591097->EBC7F950), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtReadVirtualMemory (BA) intercepted (8057E2D8->EBC7A570), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtRenameKey (C0) intercepted (8064E77C->EBC7B5CC), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtReplaceKey (C1) intercepted (8064F0DC->F8377844), hook not defined

Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->EBC7D3A0), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtRestoreKey (CC) intercepted (8064EC71->F837783F), hook not defined

Function NtSetContextThread (D5) intercepted (8062DD17->EBC7FDF6), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetInformationFile (E0) intercepted (8057494A->EBC7E42C), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetInformationProcess (E4) intercepted (8056DC01->EBC7F36C), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetSystemInformation (F0) intercepted (805A7BED->EBC7D0E6), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetSystemPowerState (F1) intercepted (8066768B->EBC79E1E), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetSystemTime (F2) intercepted (80647A2B->EBC79C24), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSetValueKey (F7) intercepted (80572889->F8377830), hook not defined

Function NtShutdownSystem (F9) intercepted (80647177->EBC79CF4), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSuspendProcess (FD) intercepted (8062F8F9->EBC7F19C), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSuspendThread (FE) intercepted (805E046E->EBC7FCDA), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtSystemDebugControl (FF) intercepted (80649CD9->EBC79B86), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtTerminateProcess (101) intercepted (805822EC->F8377817), hook not defined

Function NtTerminateThread (102) intercepted (8057B88F->EBC7FB9E), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtUnmapViewOfSection (10B) intercepted (805736E6->EBC7EACA), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtWriteFile (112) intercepted (80574BF5->EBC7E104), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtWriteFileGather (113) intercepted (805DA475->EBC7E298), hook d:\windows\system32\drivers\lgalcafo.sys

Function NtWriteVirtualMemory (115) intercepted (8057E42A->EBC7FF12), hook d:\windows\system32\drivers\lgalcafo.sys

Functions checked: 284, intercepted: 44, restored: 0

1.3 Checking IDT and SYSENTER

Analyzing CPU 1

Checking IDT and SYSENTER - complete

1.4 Searching for masking processes and drivers

Checking not performed: extended monitoring driver (AVZPM) is not installed

Driver loaded successfully

1.5 Checking IRP handlers

Checking - complete

2. Scanning RAM

Number of processes found: 30

Number of modules loaded: 377

Scanning RAM - complete

3. Scanning disks

4. Checking Winsock Layered Service Provider (SPI/LSP)

LSP settings checked. No errors detected

5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)

6. Searching for opened TCP/UDP ports used by malicious software

Checking - disabled by user

7. Heuristic system check

Checking - complete

8. Searching for vulnerabilities

>> Services: potentially dangerous service allowed: TermService (Serviços de terminal)

>> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)

>> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)

>> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)

> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!

>> Security: disk drives' autorun is enabled

>> Security: administrative shares (C$, D$ ...) are enabled

>> Security: anonymous user access is enabled

>> Security: sending Remote Assistant queries is enabled

Checking - complete

9. Troubleshooting wizard

Checking - complete

Files scanned: 110081, extracted from archives: 85568, malicious software found 0, suspicions - 0

Scanning finished at 21/08/2009 18:54:24

Time of scanning: 00:43:42

If you have a suspicion on presence of viruses or questions on the suspected objects,

you can address http://virusinfo.info conference

 

 

Thank you very much. Case resolved.
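The AVZ log above lists every System Service Descriptor Table entry it found intercepted and the module it attributes each one to. A triage helper for that section, as an added example that is not part of the thread and not code from AVZ: it parses the `Function ... intercepted (...), hook ...` lines and AVZ's own `Functions checked` summary line, groups the hooked services by module, lists the handler addresses AVZ could not map to any module (`hook not defined`), and checks that the pasted section was not truncated. Security products hook the SSDT legitimately, so the output is a list of drivers to verify (publisher signature, install path, vendor documentation), not a verdict. The sample lines and the driver name `example_av.sys` are constructed for the example.

```python
"""Summarise the kernel-mode hook section (1.2) of an AVZ log.

Added example for this thread; not part of AVZ. Assumed line formats, as
they appear in the AVZ output in the thread:
    Function <Name> (<hex idx>) intercepted (<orig>-><new>), hook <module path>
    Function <Name> (<hex idx>) intercepted (<orig>-><new>), hook not defined
    Functions checked: N, intercepted: N, restored: N
"""
import re
from collections import defaultdict

HOOK = re.compile(
    r"^Function (?P<func>\w+) \((?P<idx>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<new>[0-9A-Fa-f]+)\), hook (?P<module>.+)$"
)
SUMMARY = re.compile(r"^Functions checked: (\d+), intercepted: (\d+), restored: (\d+)$")

# Constructed sample; example_av.sys is a placeholder driver name.
SAMPLE = r"""1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT = 8055A220
Function NtClose (19) intercepted (805678DD->EBC79FFC), hook d:\windows\system32\drivers\example_av.sys
Function NtCreateKey (29) intercepted (8057065D->F8377826), hook not defined
Function NtCreateFile (25) intercepted (8056CDC0->EBC7DC14), hook d:\windows\system32\drivers\example_av.sys
Function NtOpenProcess (7A) intercepted (805717C7->F8377808), hook not defined
Functions checked: 284, intercepted: 4, restored: 0
"""


def parse_hooks(text):
    """Return (hooks, summary): hooks as dicts, summary as (checked, intercepted, restored)."""
    hooks, summary = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOOK.match(line)
        if m:
            rec = m.groupdict()
            rec["idx"] = int(rec["idx"], 16)  # service index as printed, in hex
            rec["module"] = None if rec["module"] == "not defined" else rec["module"].lower()
            hooks.append(rec)
            continue
        s = SUMMARY.match(line)
        if s:
            summary = tuple(int(x) for x in s.groups())
    return hooks, summary


def hooks_by_module(hooks):
    """Map module path (or '<unresolved>') -> sorted list of hooked services."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"] or "<unresolved>"].append(h["func"])
    return {m: sorted(f) for m, f in grouped.items()}


def unresolved_targets(hooks):
    """Handler addresses AVZ could not attribute to a module; the next step is
    to find which loaded driver's image range contains them."""
    return sorted({h["new"] for h in hooks if h["module"] is None})


def paste_is_complete(hooks, summary):
    """True when the parsed hook lines agree with AVZ's own count line, which
    catches a section that was truncated when it was pasted."""
    return summary is not None and len(hooks) == summary[1]


if __name__ == "__main__":
    hooks, summary = parse_hooks(SAMPLE)
    for module, funcs in hooks_by_module(hooks).items():
        print(f"{len(funcs):3d}  {module}: {', '.join(funcs)}")
    print("unresolved handler addresses:", unresolved_targets(hooks))
    print("paste complete:", paste_is_complete(hooks, summary))
```

Applied to a full AVZ log, the per-module counts show at once whether all interceptions belong to one driver or are spread across several, and the unresolved addresses are the ones to resolve against the loaded-module list first.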

Good morning!

Why is the edit option always missing now?

RemoveIT Pro v7 Enterprise log clean, with no banking plugins or trojans.

 

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 22/08/2009 on 01:48:35

Microsoft Windows XP Professional Service Pack 3 (Build 2600)

 

01:48:35: Scanning, please wait...

02:05:07: Your computer is clean!

Finished...

 

Posted image

 

 

 

 

Thanks

EDSSX, is the topic resolved?

In some posts you say it is resolved, but then you come back and post another question!

If the question is related to infections, post it in Segurança e Malwares.

Thank you

Good afternoon!

Topic resolved! I posted the logs above to confirm that everything is clean, as clearly stated from the start.

Thank you
