Virus!!!!

Vini

Power Member
Good morning, mates.

Well, here we go!!!

Guys, I've got a problem here on an "XP" machine.

It keeps running an "iexplore.exe" process, but there is no IE window open.

Yes, some time ago I came across a virus that runs "iexplore.exe" processes;
you try to end the process but it won't let you --- nice, that one I removed.

But now I've run into this one; funny, it just sits there eating memory and keeps going...


Thanks....
 
Run an antispyware such as Spybot, an antivirus (AVG, Avast, etc.), or even an online antivirus (just search Google for "online antivirus"); also grab HijackThis from hijackthis.de, run it, save the log and post it here on the forum.
 
Log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:42:38, on 17/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Arquivos de programas\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\WINDOWS\system32\cba\pds.exe
D:\ARQUIV~1\Symantec\SYMANT~1\NSCTOP.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ams_ii\iao.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\WINDOWS\system32\cba\xfr.exe
D:\WINDOWS\system32\ams_ii\hndlrsvc.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Arquivos de programas\Windows Defender\MSASCui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
D:\Documents and Settings\administrator\Menu Iniciar\Programas\Inicializar\stickit.exe
D:\WINDOWS\system32\msiexec.exe
D:\Arquivos de programas\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\Rundll32.exe
E:\My Documents\Programas\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - D:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: rightonadz.biz browser optimizer - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - D:\WINDOWS\system32\gzmrotate.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinVNC] "D:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "D:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ClientCR] "D:\WINDOWS\system32\ConRemo.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [{02-2A-AD-D6-ZN}] d:\windows\system32\lmdsrngl.exe P2D002
O4 - HKLM\..\Run: [adstart] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "D:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\MsgPlusUninstall.exe" /Cleanup
O4 - HKCU\..\Run: [K-Lite Nitro BETA] D:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide
O4 - HKCU\..\Run: [BitTorrent] "D:\Arquivos de programas\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [K-Lite Nitro] D:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: stickit.exe
O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\dwdsrngt.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted IP range: http://10.0.0.15
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} - http://axcab.wrs.mcboo.com/website.cab
O16 - DPF: {B3D3825B-2120-4B0E-8C45-80ECC1D3E70D} (GeraCert Class) - https://bradesconetempresa.com.br/pj/CA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} (Tap7remotex Control) -
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://200.212.184.212/g_bin/eng/snooker_2_0_0_35.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6573176-AC35-441E-8716-7999729E1930}: NameServer = 10.0.0.13,10.0.0.10
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Alert Handler - LANDesk Software Ltd. - D:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - LANDesk Software Ltd. - D:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - LANDesk Software Ltd. - D:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - D:\WINDOWS\system32\cba\pds.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Serviço de descoberta do Symantec System Center (NSCTOP) - Symantec Corporation - D:\ARQUIV~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: VNC Server (winvnc) - UltraVNC - D:\Arquivos de programas\UltraVNC\WinVNC.exe
--
End of file - 8410 bytes
 
I noticed you have AVG; doesn't it detect anything? Do a full scan.

You should install and run Spybot or Ad-Aware.

HijackThis advises removing the entries below; however, there may be some application that HijackThis doesn't recognise and marks as harmful. To remove these lines, run HijackThis again and tick the boxes corresponding to the lines. To analyse the log yourself, just paste it into the blank box on the site and then click "analyze" underneath.

[?] - D:\Documents and Settings\administrator\Menu Iniciar\Programas\Inicializar\stickit.exe
[?] - R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
[?] - O2 - BHO: rightonadz.biz browser optimizer - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - D:\WINDOWS\system32\gzmrotate.dll
[N] - O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
[X] - O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
[?] - O4 - HKLM\..\Run: [ClientCR] "D:\WINDOWS\system32\ConRemo.exe" -servicehelper
[?] - O4 - HKLM\..\Run: [{02-2A-AD-D6-ZN}] d:\windows\system32\lmdsrngl.exe P2D002
[?] - O4 - HKLM\..\Run: [adstart] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\system32\gzmrotate.dll" DllVerify
[?] - O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "D:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\MsgPlusUninstall.exe" /Cleanup
[?] - O4 - HKCU\..\Run: [K-Lite Nitro BETA] D:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide
[?] - O4 - HKCU\..\Run: [K-Lite Nitro] D:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide
[?] - O4 - Startup: stickit.exe
[?] - O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\dwdsrngt.exe
[?] - O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
[?] - O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
[?] - O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} - http://axcab.wrs.mcboo.com/website.cab
[?] - O16 - DPF: {B3D3825B-2120-4B0E-8C45-80ECC1D3E70D} (GeraCert Class) - https://bradesconetempresa.com.br/pj/CA.cab
[?] - O16 - DPF: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} (Tap7remotex Control) -
[?] - O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
[?] - O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll
[?] - O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll
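A small triage script for this kind of log, added here as an illustration; it is not code from the thread, from hijackthis.de or from HijackThis itself. It parses O2/O4 lines into entries and flags the patterns the analysis above singles out: a registered component whose file is missing, a DLL autostarted through Rundll32, a GUID-like Run value name, a Startup-folder shortcut pointing into system32, and a BHO living directly in system32 instead of under Program Files. The sample lines are constructed from the posted log; the heuristics are my own assumptions, not HijackThis's rules.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the O2/O4 lines of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: rightonadz.biz browser optimizer - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - D:\WINDOWS\system32\gzmrotate.dll
O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "D:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [{02-2A-AD-D6-ZN}] d:\windows\system32\lmdsrngl.exe P2D002
O4 - HKLM\..\Run: [adstart] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\dwdsrngt.exe
"""

# Line shapes used by HijackThis for registry Run keys, the Startup folder, and CLSID-registered components.
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (?P<name>.+?)(?: = (?P<cmd>.+))?$')
CLSID_RE = re.compile(r'^(?P<sec>O21|O22|O2) - (?P<kind>\w+): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$')

# Heuristic patterns (my assumptions, not HijackThis rules).
GUID_NAME_RE = re.compile(r'^\{[0-9A-Za-z-]+\}$')
SYSTEM32_RE = re.compile(r'\\windows\\system32\\', re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^"]+?\.dll)', re.IGNORECASE)


@dataclass
class Entry:
    section: str   # "O2", "O4", "O21", "O22"
    source: str    # e.g. "HKLM\..\Run", "Startup", "BHO"
    name: str      # Run value name, shortcut name, or component description
    command: str   # command line or module path the entry launches
    flags: list = field(default_factory=list)


def parse_log(text):
    """Turn the O2/O4/O21/O22 lines of a HijackThis log into Entry objects; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := RUN_RE.match(line)):
            entries.append(Entry('O4', f"{m['hive']}\\..\\{m['key']}", m['name'], m['cmd']))
        elif (m := STARTUP_RE.match(line)):
            entries.append(Entry('O4', 'Startup', m['name'], m['cmd'] or m['name']))
        elif (m := CLSID_RE.match(line)):
            entries.append(Entry(m['sec'], m['kind'], m['name'], m['cmd']))
    return entries


def triage(entry):
    """Return the list of heuristic reasons an entry deserves a closer look (empty if none)."""
    flags = []
    if '(no file)' in entry.command:
        flags.append('orphan entry: registered component whose file is missing')
    if (m := RUNDLL_RE.search(entry.command)):
        flags.append(f'rundll32 autostart of {ntpath.basename(m["dll"])}')
    if entry.section == 'O4' and GUID_NAME_RE.match(entry.name):
        flags.append('GUID-like Run value name')
    if entry.source == 'Startup' and SYSTEM32_RE.search(entry.command):
        flags.append('Startup-folder shortcut pointing into system32')
    if entry.section == 'O2' and SYSTEM32_RE.search(entry.command):
        flags.append('BHO loaded directly from system32')
    return flags


def triage_log(text):
    """Map entry name -> reasons, keeping only the entries that raised at least one flag."""
    result = {}
    for entry in parse_log(text):
        entry.flags = triage(entry)
        if entry.flags:
            result[entry.name] = entry.flags
    return result


if __name__ == '__main__':
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f'{name}: {"; ".join(reasons)}')
```

The flags are a first pass to prioritise which lines to look up, not a verdict: as the post says, a legitimate program can land in this list, so check each hit against the online analyzer or the vendor before ticking it for removal.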
 
Yes, I'm trying to remove it manually...
AVG went straight past it...
and I see that every time I start IE it blows up the memory; it gets up to
{159,000 K}. Not even if I were downloading a truckload from the internet would I have these processes!!!
 
Found the damned things.....lol

X:\windows\system32\msnau32.ax
X:\windows\system32\zxdnt3d.cfg
X:\windows\system32\winpfz32.sys
"X:\windows\system32\imdsrngl.exe" (this is the one that sits in Task Manager)
X:\windows\system32\dwdsrngt.exe
 