
Virus!!!!

Discussion in 'Dúvidas e Suporte Técnico PC' started by Vini, 17 August 2007. (Replies: 9; Views: 970)

  1. Vini

    Vini Power Member

    Good morning, mates.

    Well, here we go!!!

    Guys, I've got a problem here on an "XP" machine:

    it keeps running an "iexplore.exe" process, but no IE window is open.

    Yes, some time ago I came across a virus that runs "iexplore.exe" processes;
    you try to end the process but it won't let you --- nice, that one I removed.

    But now I've come across this one; funny thing, it just sits there running, eating memory, and keeps going...


    Thanks....
     
  2. Kamipt

    Kamipt Power Member

    Run an anti-spyware tool like Spybot and an antivirus (AVG, Avast, etc.), or even an online antivirus (just search Google for "antivirus online"), then grab HijackThis from hijackthis.de, run it, save the log and post it here on the forum.
     
  3. Vini

    Vini Power Member

    Log.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:42:38, on 17/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal
    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Arquivos de programas\Windows Defender\MsMpEng.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\WINDOWS\system32\inetsrv\inetinfo.exe
    D:\WINDOWS\system32\cba\pds.exe
    D:\ARQUIV~1\Symantec\SYMANT~1\NSCTOP.EXE
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\ams_ii\iao.exe
    D:\WINDOWS\system32\MsgSys.EXE
    D:\WINDOWS\system32\cba\xfr.exe
    D:\WINDOWS\system32\ams_ii\hndlrsvc.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\Arquivos de programas\Windows Defender\MSASCui.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
    D:\Documents and Settings\administrator\Menu Iniciar\Programas\Inicializar\stickit.exe
    D:\WINDOWS\system32\msiexec.exe
    D:\Arquivos de programas\Internet Explorer\iexplore.exe
    D:\WINDOWS\System32\Rundll32.exe
    E:\My Documents\Programas\HiJackThis_v2.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - D:\Arquivos de programas\Scpad\scpsssh2.dll
    O2 - BHO: rightonadz.biz browser optimizer - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - D:\WINDOWS\system32\gzmrotate.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [WinVNC] "D:\Arquivos de programas\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [Windows Defender] "D:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG7_CC] D:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ClientCR] "D:\WINDOWS\system32\ConRemo.exe" -servicehelper
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "D:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "D:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [{02-2A-AD-D6-ZN}] d:\windows\system32\lmdsrngl.exe P2D002
    O4 - HKLM\..\Run: [adstart] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\system32\gzmrotate.dll" DllVerify
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "D:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\MsgPlusUninstall.exe" /Cleanup
    O4 - HKCU\..\Run: [K-Lite Nitro BETA] D:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide
    O4 - HKCU\..\Run: [BitTorrent] "D:\Arquivos de programas\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [K-Lite Nitro] D:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: stickit.exe
    O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\dwdsrngt.exe
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted IP range: http://10.0.0.15
    O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
    O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
    O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} - http://axcab.wrs.mcboo.com/website.cab
    O16 - DPF: {B3D3825B-2120-4B0E-8C45-80ECC1D3E70D} (GeraCert Class) - https://bradesconetempresa.com.br/pj/CA.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} (Tap7remotex Control) -
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://200.212.184.212/g_bin/eng/snooker_2_0_0_35.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6573176-AC35-441E-8716-7999729E1930}: NameServer = 10.0.0.13,10.0.0.10
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
    O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll
    O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel Alert Handler - LANDesk Software Ltd. - D:\WINDOWS\system32\ams_ii\hndlrsvc.exe
    O23 - Service: Intel Alert Originator - LANDesk Software Ltd. - D:\WINDOWS\system32\ams_ii\iao.exe
    O23 - Service: Intel File Transfer - LANDesk Software Ltd. - D:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel PDS - LANDesk Software Ltd. - D:\WINDOWS\system32\cba\pds.exe
    O23 - Service: LiveUpdate - Symantec Corporation - D:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Serviço de descoberta do Symantec System Center (NSCTOP) - Symantec Corporation - D:\ARQUIV~1\Symantec\SYMANT~1\NSCTOP.EXE
    O23 - Service: VNC Server (winvnc) - UltraVNC - D:\Arquivos de programas\UltraVNC\WinVNC.exe
    --
    End of file - 8410 bytes
     
  4. Kamipt

    Kamipt Power Member

    I noticed you have AVG; doesn't it detect anything? Do a full scan.

    You should install and run Spybot or Ad-Aware.

    HijackThis advises removing these entries; however, there may be some application that HijackThis doesn't recognise and marks as harmful. To remove these lines, run HijackThis again and tick the boxes for the corresponding lines. To analyse the log yourself, just paste it into the blank box on the site and then click "analyze" below.

    [?] - D:\Documents and Settings\administrator\Menu Iniciar\Programas\Inicializar\stickit.exe
    [?] - R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    [?] - O2 - BHO: rightonadz.biz browser optimizer - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - D:\WINDOWS\system32\gzmrotate.dll
    [N] - O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
    [X] - O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    [?] - O4 - HKLM\..\Run: [ClientCR] "D:\WINDOWS\system32\ConRemo.exe" -servicehelper
    [?] - O4 - HKLM\..\Run: [{02-2A-AD-D6-ZN}] d:\windows\system32\lmdsrngl.exe P2D002
    [?] - O4 - HKLM\..\Run: [adstart] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\system32\gzmrotate.dll" DllVerify
    [?] - O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "D:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\MsgPlusUninstall.exe" /Cleanup
    [?] - O4 - HKCU\..\Run: [K-Lite Nitro BETA] D:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide
    [?] - O4 - HKCU\..\Run: [K-Lite Nitro] D:\Arquivos de programas\K-LiteNitro\K-LiteNitro.exe /hide
    [?] - O4 - Startup: stickit.exe
    [?] - O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\dwdsrngt.exe
    [?] - O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
    [?] - O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
    [?] - O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} - http://axcab.wrs.mcboo.com/website.cab
    [?] - O16 - DPF: {B3D3825B-2120-4B0E-8C45-80ECC1D3E70D} (GeraCert Class) - https://bradesconetempresa.com.br/pj/CA.cab
    [?] - O16 - DPF: {EDA3C4AB-B1B5-47B7-B6D1-B27858413B53} (Tap7remotex Control) -
    [?] - O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
    [?] - O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll
    [?] - O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - D:\Arquivos de programas\Scpad\scpLIB.dll
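    An added example, not from this thread and not part of HijackThis or the hijackthis.de analyzer: a small Python triage script that parses HijackThis-format lines and flags the patterns the reply above checks by hand (orphaned "(no file)" entries, a BHO living in system32, a rundll32 autostart, a GUID-named Run value, a Startup shortcut into system32, an ActiveX cab fetched from a bare IP). The sample lines are copied from the log posted above; the heuristics are this example's assumptions, not HijackThis rules.

```python
import re
# Entries copied from the HijackThis log posted earlier in this thread: the
# first and fourth are benign, the others are ones the reply above marks [?]/[N].
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: rightonadz.biz browser optimizer - {36A91CEC-6C71-4758-B492-397BFC8E96A2} - D:\WINDOWS\system32\gzmrotate.dll
O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] D:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{02-2A-AD-D6-ZN}] d:\windows\system32\lmdsrngl.exe P2D002
O4 - HKLM\..\Run: [adstart] D:\WINDOWS\System32\Rundll32.exe "D:\WINDOWS\system32\gzmrotate.dll" DllVerify
O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\dwdsrngt.exe
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://200.212.184.212/g_bin/eng/snooker_2_0_0_35.cab
"""

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")                  # e.g. "O4 - HKLM\..\Run: ..."
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)    # drive-letter paths to binaries
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")  # download host is a bare IP

def parse(log: str) -> list[dict]:
    # Split HijackThis lines into (section, body, binary paths) records.
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            section, body = m.groups()
            paths = [p.lower() for p in PATH_RE.findall(body)]
            entries.append({"section": section, "body": body, "paths": paths})
    return entries

def reasons_for(e: dict) -> list[str]:
    # Assumed review heuristics (this example's own, not HijackThis rules).
    sec, body, paths = e["section"], e["body"], e["paths"]
    out = []
    if "(no file)" in body:
        out.append("orphaned entry: target file is missing")
    if sec == "O2" and any("\\system32\\" in p for p in paths):
        out.append("BHO loaded from system32 (legit BHOs normally live under Program Files)")
    if sec == "O4" and re.search(r"\[\{[^\]]*\}\]", body):
        out.append("Run value named like a GUID")
    if sec == "O4" and paths and paths[0].endswith("rundll32.exe") and len(paths) > 1:
        out.append("rundll32 autostart loading " + paths[1])
    if sec == "O4" and body.startswith("Startup:") and any("\\system32\\" in p for p in paths):
        out.append("Startup-folder shortcut pointing into system32")
    if sec == "O16" and IP_URL_RE.search(body):
        out.append("ActiveX cab downloaded from a bare IP address")
    return out

def triage(log: str) -> list[tuple[str, list[str]]]:
    # Return only the entries that tripped at least one heuristic, with the reasons.
    return [(e["body"], r) for e in parse(log) if (r := reasons_for(e))]
```

    Running triage(SAMPLE_LOG) leaves the Adobe BHO and the AVG Run entry alone and reports the other six lines, each with the reason it was flagged.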
     
  5. Vini

    Vini Power Member

    Yes, I'm trying to remove it manually...
    AVG went straight past it...
    and every time I start IE I see it blow up in memory; it gets up to...
    {159.000 K} Not even if I were downloading a truckload from the internet would I have processes like these!!!
     
  6. Kamipt

    Kamipt Power Member

    Spybot might catch something.
     
  7. Vini

    Vini Power Member

    I'll install it here to see if it finds anything..
     
  8. Vini

    Vini Power Member

    Found the buggers.....lol

    X:\windows\system32\msnau32.ax
    X:\windows\system32\zxdnt3d.cfg
    X:\windows\system32\winpfz32.sys
    "X:\windows\system32\imdsrngl.exe" (this is the one that sits in Task Manager)
    X:\windows\system32\dwdsrngt.exe
     
  9. Vini

    Vini Power Member

    Hey man, thanks a lot for the help....really, thanks :) Spybot sorted it out....lol

    See you later....and have a good weekend...
     
  10. Kamipt

    Kamipt Power Member

    Have a good weekend
     
