[Resolvido!] Vírus; Vários iexplore.exe, Som Wave abaixa

[Augusto Cunha 0]

Estou com vírus que está me causando 2 problemas:

- Som Wave, nos controladores de áudio abaixa sozinho, ficando sem som, e toda hora tendo que voltar o volume ao normal.

- Vários processos iexplore.exe, mesmo com o Internet Explorer fechado, abrindo propagandas e ocupando um espaço considerável na memória RAM.(Obs: não adianta fechar os processos, eles voltam em segundos)

 

Já passei ComboFix, Malwarebytes' Anti-Malware, Microsoft Security Essentials, Spyware Terminator, e nenhum neles resolveu, e nem ao menos encontrou o problema.

 

 

Log do HijackThis:

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 23:41:47, on 2/7/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

c:\Arquivos de programas\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

c:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Hijack\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [MSSE] "c:\Arquivos de programas\Microsoft Security Essentials\msseces.exe" -hide -runkey

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {09E90109-A9AA-4980-BCEF-76F8D924E902} - (no file)

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: (no name) - {09E90109-A9AA-4980-BCEF-76F8D924E902} - (no file) (HKCU)

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe

O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Arquivos de programas\Spyware Terminator\sp_rsser.exe

 

--

End of file - 5812 bytes

[Marcelo de Andrade 2]

Estou exatamente com o mesmo problema ... já tinha postado :

http://forum.imasters.com.br/index.php?/topic/400943-analise-de-log-iexplorerexe/

 

Espero que alguém posso nos ajudar ;(

[wings 22]

*Desative seu antivírus temporariamente

*Faça um scan online com o NOD32

 

 

*Ao término cole o relatório criado em C:\Arquivos de programas\EsetOnlineScanner\log

[RodrigoSdeC 0]

entao...voce vai conseguir resolver o problema com o bootkit remover..procure no google e faça o download..

no forum linha defensiva tem um post explicando...

 

QUANDO RODAR O PROGRAMA DEVE APARECER ISTO:

 

\ \. \ C: ->

\ \. \ PhysicalDrive0

MD5: 274955059efe9236c07688c5ff9242b2

Device Size

Name MBR Status

--------------------------------------------

149 GB

\ \. \ PhysicalDrive0 Unknown bootcode

 

Unknown bootcode Has Been Found on

Some of your physical disks.

To inspect manually, the boot code, dump the

master boot sector remover.exe dump [output_file]

To disinfect

the master boot sector, use the following commandline: remover.exe fix

 

 

ABRA O BLOCO DE NOTAS E ESCREVA ISTO:

 

@ ECHO OFF

START remover.exe fix \ \. \ PhysicalDrive0

EXIT

 

VA EM SALVAR COMO E SALVE EM ALL FILES COMO FIX.BAT NO DESKTOP

 

EXECUTE O ARQUIVO FIX.BAT

 

RODE NOVAMENTO O PROGRAMA BOOTKIT REMOVER E VEJA SE APARECE ISTO:

 

 

 

\ \. \ C: -> \ \. \ PhysicalDrive0 \ \. \ C: -> \ \. \ PhysicalDrive0

MD5: MD5 6def5ffcbcdbdb4082f1015625e597bd: 6def5ffcbcdbdb4082f1015625e597bd

 

MBR MBR Status Size Device Name Device Name Size Status

------ -------------------------------------------- --------------------------------------

149 GB \ \. \ PhysicalDrive0 OK (DOS/Win32 Boot code found) 74 GB \ \. \ PhysicalDrive0 OK (DOS/Win32 Boot code found)

 

 

REINICIE O COMPUTADOR...STAUTS OK

[Augusto Cunha 0]

*Desative seu antivírus temporariamente

*Faça um scan online com o NOD32'>http://eset.com/onlinescan"]NOD32

 

 

*Ao término cole o relatório criado em C:\Arquivos de programas\EsetOnlineScanner\log

 

Problema resolvido! Muito obrigado Wings! Ao fazer o scan com o NOD32, foram detectados 9 ameaças, ao termino do scan foram deletadas. Ao reiniciar o computador, os processos "iexplore.exe" não estavam mais iniciando automaticamente, nem o Som Wave abaixando sozinho.

 

Agora uma ultima pergunta, queria saber como faço para o ícone do volume voltar pra barra de tarefas?

 

E mais uma vez, muito obrigado! :D

 

Só pra constar, ta aí o log do scan:

 

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=f9a45109bd2e0348a3c7118d6eced890

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-07-09 09:36:18

# local_time=2010-07-09 06:36:18 (-0300, Hora oficial do Brasil)

# country="Brazil"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5891 16776869 100 100 0 9056518 0 0

# compatibility_mode=7937 16777213 100 100 591556 13297716 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=93833

# found=9

# cleaned=9

# scan_time=8646

C:\WINDOWS\system32\drivers\etc\hosts5E3B5043 Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\drivers\etc\hosts66F8B0C7 Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\drivers\etc\hosts9C9B1896 Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\drivers\etc\hostsA13641E2 Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\drivers\etc\hostsAAEC20EC Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\drivers\etc\hostsF3729A67 Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

D:\Augusto\Download\nli-bcb6kg.zip probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C

D:\Augusto\Download\Proteus 7.2.rar a variant of Win32/HackTool.Patcher.A application (deleted - quarantined) 00000000000000000000000000000000 C

D:\Augusto\Download\graphmatica_setup.rar Win32/Slugin.A virus (deleted - quarantined) 00000000000000000000000000000000 C

[wings 22]

1. Clique em [iniciar] > [Executar] > Copie e cole: mmsys.cpl

2. Clique OK

3. Selecione a caixa Colocar ícone de volume na barra de tarefas.

4. Clique em OK.

[Augusto Cunha 0]

Tudo OK agora! Por mim já podem fechar o tópico.

Muito obrigado ao fórum pela ajuda :)

Especialmente ao Wings.

[wings 22]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.