Viviane Tavares, posted July 2, 2008
JackSSA, posted July 2, 2008

Download the Kaspersky Removal Tool (make sure you always use the last link that appears in the list, so you get the most recent version of the software). Save it to your desktop.

1. Install the program normally, following all of its steps.
2. On the program's main screen, click the "My Computer" option and then click the "Scan" button.
3. Be patient; the scan can take a while.
4. If it finds any infection, click "skip".
5. When everything has finished, click the Events tab, untick the "Show all events" checkbox and then click "Save to file".
6. Give the file a name and save it in a folder of your choice.
7. Post the contents of that file in your next reply.
Viviane Tavares (author), posted July 13, 2008

I finally managed to run the scan; the result was this:

Scan
----
Scanned: 370079
Detected: 7
Untreated: 7
Start time: 11/7/2008 11:10:36
Duration: 17:46:36
Finish time: 12/7/2008 04:57:12

Detected
--------
Status Object
------ ------
detected: Trojan program Trojan-Downloader.Win32.Banload.quando File: c:\windows\system\system.exe
detected: riskware not-a-virus:Downloader.Win32.PopCap.b File: c:\windows\downloaded program files\popcaploader.dll
detected: Trojan program Trojan-Downloader.Win32.Agent.vvt File: C:\Documents and Settings\Administrador\Configurações locais\Temp\javatmp15759.php//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.Banload.quando File: C:\Documents and Settings\Administrador\Configurações locais\Temporary Internet Files\Content.IE5\NXGDZ51Y\win[1].jpg
detected: Trojan program Exploit.PHP.Userpic.a File: C:\Documents and Settings\All Users\Dados de aplicativos\MumboJumbo\MJOLauncher\Zone\luxor_ar_web\locale\english\data\bitmaps\fonts\score.jpg
detected: Trojan program Exploit.PHP.Userpic.a File: C:\Documents and Settings\All Users\Dados de aplicativos\MumboJumbo\MJOLauncher\Zone\luxor_web\locale\english\data\bitmaps\fonts\score.jpg
detected: riskware not-a-virus:PSWTool.Win32.MailPassView.130 File: C:\WINDOWS\system\outlok.exe//PE_Patch//NiceProtect//PE_Patch.UPX//UPX

(...)

11/7/2008 21:12:29 File: c:\windows\system\system.exe detected Trojan program 'Trojan-Downloader.Win32.Banload.quando'
12/7/2008 04:56:57 File: c:\windows\system\system.exe not disinfected skipped by user
12/7/2008 04:56:57 File: c:\windows\downloaded program files\popcaploader.dll detected riskware 'not-a-virus:Downloader.Win32.PopCap.b'
12/7/2008 04:57:06 File: c:\windows\downloaded program files\popcaploader.dll not disinfected skipped by user
12/7/2008 04:57:07 File: c:\documents and settings\administrador\configurações locais\temp\javatmp15759.php packed file PE_Patch.UPX
12/7/2008 04:57:07 File: c:\documents and settings\administrador\configurações locais\temp\javatmp15759.php//PE_Patch.UPX packed file UPX
12/7/2008 04:57:07 File: c:\documents and settings\administrador\configurações locais\temp\javatmp15759.php//PE_Patch.UPX//UPX detected Trojan program 'Trojan-Downloader.Win32.Agent.vvt'
12/7/2008 04:57:08 File: c:\documents and settings\administrador\configurações locais\temp\javatmp15759.php//PE_Patch.UPX//UPX not disinfected skipped by user
12/7/2008 04:57:08 File: c:\documents and settings\administrador\configurações locais\temporary internet files\content.ie5\nxgdz51y\win[1].jpg detected Trojan program 'Trojan-Downloader.Win32.Banload.quando'
12/7/2008 04:57:08 File: c:\documents and settings\administrador\configurações locais\temporary internet files\content.ie5\nxgdz51y\win[1].jpg not disinfected skipped by user
12/7/2008 04:57:09 File: c:\documents and settings\all users\dados de aplicativos\mumbojumbo\mjolauncher\zone\luxor_ar_web\locale\english\data\bitmaps\fonts\score.jpg detected Trojan program 'Exploit.PHP.Userpic.a'
12/7/2008 04:57:09 File: c:\documents and settings\all users\dados de aplicativos\mumbojumbo\mjolauncher\zone\luxor_ar_web\locale\english\data\bitmaps\fonts\score.jpg not disinfected skipped by user
12/7/2008 04:57:09 File: c:\documents and settings\all users\dados de aplicativos\mumbojumbo\mjolauncher\zone\luxor_web\locale\english\data\bitmaps\fonts\score.jpg detected Trojan program 'Exploit.PHP.Userpic.a'
12/7/2008 04:57:09 File: c:\documents and settings\all users\dados de aplicativos\mumbojumbo\mjolauncher\zone\luxor_web\locale\english\data\bitmaps\fonts\score.jpg not disinfected skipped by user
12/7/2008 04:57:09 File: c:\windows\system\outlok.exe packed file PE_Patch
12/7/2008 04:57:09 File: c:\windows\system\outlok.exe//PE_Patch packed file NiceProtect
12/7/2008 04:57:10 File: c:\windows\system\outlok.exe//PE_Patch//NiceProtect packed file PE_Patch.UPX
12/7/2008 04:57:10 File: c:\windows\system\outlok.exe//PE_Patch//NiceProtect//PE_Patch.UPX packed file UPX
12/7/2008 04:57:10 File: c:\windows\system\outlok.exe//PE_Patch//NiceProtect//PE_Patch.UPX//UPX detected riskware 'not-a-virus:PSWTool.Win32.MailPassView.130'
12/7/2008 04:57:12 File: c:\windows\system\outlok.exe//PE_Patch//NiceProtect//PE_Patch.UPX//UPX not disinfected skipped by user

Statistics
----------
Object | Scanned | Detected | Untreated | Deleted | Moved to Quarantine | Archives | Packed files | Password protected | Corrupted
All objects | 347264 | 7 | 7 | 0 | 0 | 7391 | 6078 | 40 | 12
System memory | 175 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0
meu computador | 347089 | 7 | 7 | 0 | 0 | 7391 | 6077 | 40 | 12

Settings
--------
Parameter: Value
Security Level: Recommended
Action: Prompt for action when the scan is complete
Run mode: Manually
File types: Scan all files
Scan only new and changed files: No
Scan archives: All
Scan embedded OLE objects: All
Skip if object is larger than: No
Skip if scan takes longer than: No
Parse email formats: No
Scan password-protected archives: No
Enable iChecker technology: No
Enable iSwift technology: No
Show detected threats on "Detected" tab: Yes
Rootkits search: Yes
Deep rootkits search: No
Use heuristic analyzer: Yes

Quarantine
----------
Status Object Size Added
------ ------ ---- -----

Backup
------
Status Object Size
------ ------ ----

Do I need to post all the rest of the events???
Thanks in advance for the help!!!!

Hi, when I turned the PC on it generated the data below. I don't know whether it will help, but I thought it best to post it here. :)

<AVZ_CollectSysInfo>
--------------------
Start time: 12/7/2008 11:02:16
Duration: 00:05:02
Finish time: 12/7/2008 11:07:18

<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
12/7/2008 11:02:27 1.1 Searching for user-mode API hooks
12/7/2008 11:02:28 Analysis: kernel32.dll, export table found in section .text
12/7/2008 11:02:28 Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
12/7/2008 11:02:28 Hook kernel32.dll:CreateProcessA (99) blocked
12/7/2008 11:02:28 Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
12/7/2008 11:02:28 Hook kernel32.dll:CreateProcessW (103) blocked
12/7/2008 11:02:28 Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABDE->61F041FC
12/7/2008 11:02:28 Hook kernel32.dll:FreeLibrary (241) blocked
12/7/2008 11:02:28 Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4CF->61F040FB
12/7/2008 11:02:28 Hook kernel32.dll:GetModuleFileNameA (372) blocked
12/7/2008 11:02:28 Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3D5->61F041A0
12/7/2008 11:02:28 Hook kernel32.dll:GetModuleFileNameW (373) blocked
12/7/2008 11:02:28 Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->61F04648
12/7/2008 11:02:28 Hook kernel32.dll:GetProcAddress (408) blocked
12/7/2008 11:02:28 Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
12/7/2008 11:02:28 Hook kernel32.dll:LoadLibraryA (578) blocked
12/7/2008 11:02:28 >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
12/7/2008 11:02:28 Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
12/7/2008 11:02:28 Hook kernel32.dll:LoadLibraryExA (579) blocked
12/7/2008 11:02:28 >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
12/7/2008 11:02:28 Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
12/7/2008 11:02:28 Hook kernel32.dll:LoadLibraryExW (580) blocked
12/7/2008 11:02:28 Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->61F03D0C
12/7/2008 11:02:28 Hook kernel32.dll:LoadLibraryW (581) blocked
12/7/2008 11:02:28 IAT modification detected: GetModuleFileNameW - 009A0010<>7C80B3D5
12/7/2008 11:02:28 Analysis: ntdll.dll, export table found in section .text
12/7/2008 11:02:28 Analysis: user32.dll, export table found in section .text
12/7/2008 11:02:29 Analysis: advapi32.dll, export table found in section .text
12/7/2008 11:02:29 Analysis: ws2_32.dll, export table found in section .text
12/7/2008 11:02:29 Analysis: wininet.dll, export table found in section .text
12/7/2008 11:02:30 Analysis: rasapi32.dll, export table found in section .text
12/7/2008 11:02:31 Analysis: urlmon.dll, export table found in section .text
12/7/2008 11:02:31 Analysis: netapi32.dll, export table found in section .text
12/7/2008 11:02:33 1.2 Searching for kernel-mode API hooks
12/7/2008 11:02:33 Driver loaded successfully
12/7/2008 11:02:33 SDT found (RVA=082680)
12/7/2008 11:02:33 Kernel ntoskrnl.exe found in memory at address 804D7000
12/7/2008 11:02:33 SDT = 80559680
12/7/2008 11:02:33 KiST = 804E26A8 (284)
12/7/2008 11:02:35 Function NtClose (19) intercepted (80566D49->F8F10588), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:35 >>> Function restored successfully !
12/7/2008 11:02:35 >>> Hook code blocked
12/7/2008 11:02:36 Function NtCreateKey (29) intercepted (8056E7A9->F8F10444), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:36 >>> Function restored successfully !
12/7/2008 11:02:36 >>> Hook code blocked
12/7/2008 11:02:36 Function NtDeleteValueKey (41) intercepted (80593AAC->F8F10922), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:36 >>> Function restored successfully !
12/7/2008 11:02:36 >>> Hook code blocked
12/7/2008 11:02:36 Function NtDuplicateObject (44) intercepted (80572B26->F8F1001C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:36 >>> Function restored successfully !
12/7/2008 11:02:36 >>> Hook code blocked
12/7/2008 11:02:36 Function NtOpenKey (77) intercepted (80567CFB->F8F1051E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:36 >>> Function restored successfully !
12/7/2008 11:02:36 >>> Hook code blocked
12/7/2008 11:02:36 Function NtOpenProcess (7A) intercepted (80572D06->F8F0FF5C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:36 >>> Function restored successfully !
12/7/2008 11:02:36 >>> Hook code blocked
12/7/2008 11:02:36 Function NtOpenThread (80) intercepted (8058C806->F8F0FFC0), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:36 >>> Function restored successfully !
12/7/2008 11:02:36 >>> Hook code blocked
12/7/2008 11:02:36 Function NtQueryValueKey (B1) intercepted (8056B103->F8F1063E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:36 >>> Function restored successfully !
12/7/2008 11:02:36 >>> Hook code blocked
12/7/2008 11:02:36 Function NtRestoreKey (CC) intercepted (8064C042->F8F105FE), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:36 >>> Function restored successfully !
12/7/2008 11:02:36 >>> Hook code blocked
12/7/2008 11:02:37 Function NtSetValueKey (F7) intercepted (80573C8D->F8F1077E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
12/7/2008 11:02:37 >>> Function restored successfully !
12/7/2008 11:02:37 >>> Hook code blocked
12/7/2008 11:02:39 Functions checked: 284, intercepted: 10, restored: 10
12/7/2008 11:02:39 1.3 Checking IDT and SYSENTER
12/7/2008 11:02:39 Analysis for CPU 1
12/7/2008 11:02:39 Checking IDT and SYSENTER - complete
12/7/2008 11:02:41 >>>> Suspicion for Rootkit uteznzg1 C:\WINDOWS\system32\Drivers\uteznzg1.sys
12/7/2008 11:02:41 1.4 Searching for masking processes and drivers
12/7/2008 11:02:41 Checking not performed: extended monitoring driver (AVZPM) is not installed
12/7/2008 11:02:41 Driver loaded successfully
12/7/2008 11:02:41 1.5 Checking of IRP handlers
12/7/2008 11:02:41 \driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = FB10A85A -> C:\WINDOWS\System32\Drivers\avgtdi.sys, driver recognized as trusted
12/7/2008 11:02:42 Checking - complete
12/7/2008 11:02:57 >>> C:\WINDOWS\wt\webdriver\webdriver.dll HSC: suspicion for Spy.WindTangent
12/7/2008 11:03:00 >>> C:\WINDOWS\Downloaded Program Files\popcaploader.dll HSC: suspicion for Downloader.PopCapLoader (high degree of probability)
12/7/2008 11:03:09 >> Services: potentially dangerous service allowed: RemoteRegistry (Registro remoto)
12/7/2008 11:03:09 >> Services: potentially dangerous service allowed: TermService (Serviços de terminal)
12/7/2008 11:03:10 >> Services: potentially dangerous service allowed: SSDPSRV (Serviço de descoberta SSDP)
12/7/2008 11:03:10 >> Services: potentially dangerous service allowed: Schedule (Agendador de tarefas)
12/7/2008 11:03:10 >> Services: potentially dangerous service allowed: mnmsrvc (Compartilhamento remoto da área de trabalho do NetMeeting)
12/7/2008 11:03:10 >> Services: potentially dangerous service allowed: RDSessMgr (Gerenciador de sessão de ajuda de área de trabalho remota)
12/7/2008 11:03:10 > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
12/7/2008 11:03:10 >> Security: disk drives' autorun is enabled
12/7/2008 11:03:10 >> Security: administrative shares (C$, D$ ...) are enabled
12/7/2008 11:03:10 >> Security: anonymous user access is enabled
12/7/2008 11:03:10 >> Security: sending Remote Assistant queries is enabled
12/7/2008 11:03:10 >> Security: automatic logon is enabled
12/7/2008 11:03:17 >> Disable HDD autorun
12/7/2008 11:03:18 >> Disable autorun from network drives
12/7/2008 11:03:18 >> Disable CD/DVD autorun
12/7/2008 11:03:18 >> Disable removable media autorun
12/7/2008 11:03:18 >> Windows Update is disabled
12/7/2008 11:03:18 System Analysis in progress
12/7/2008 11:07:18 System Analysis - complete
12/7/2008 11:07:18 Delete file:C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-LN5PN\LOG\avptool_syscheck.htm
12/7/2008 11:07:18 Delete file:C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-LN5PN\LOG\avptool_syscheck.xml
12/7/2008 11:07:18 Script executed without errors
JackSSA, posted July 14, 2008

Download BankerFix: http://linhadefensiva.uol.com.br/dl/bankerfix

Important: the tool will close Internet Explorer. Save any link you will need to visit afterwards before running it.

1. Double-click bankerfix.exe to run it.
2. Click OK the first and second time a message box appears. If you are running BankerFix for the second time, it will ask to check for an update. Say Yes and then click OK.
3. When it runs, a black window will appear asking you to press any key. Press Enter and wait for it to finish. It may take some time.
4. When it finishes, read the message on the screen and press Enter again.
5. When it is done, post the file relatorio.txt, located at: C:\LinhaDefensiva\relatorio.txt
6. Also make a new HijackThis log to include in your reply.

After posting your reply you can delete the folder: C:\LinhaDefensiva
Viviane Tavares (author), posted July 17, 2008
JackSSA, posted July 17, 2008

Go to this site: http://www.kaspersky.com/virusscanner

Click on it and follow the scanner configuration instructions as shown in the image below. Save the log with the results and post it in your next reply.
5 replies to this question