[Arquivado] &nbspAnalise de Log

SLaurianO · Fevereiro 5, 2011

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 17:30:19, on 05/02/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\ARQUIV~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ZSSnp211.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\Arquivos comuns\Spigot\Search Settings\SearchSettings.exe

C:\Arquivos de programas\AVG\AVG10\avgtray.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\WINDOWS\system32\afasrv32.exe

C:\Arquivos de programas\Application Updater\ApplicationUpdater.exe

C:\Arquivos de programas\AVG\AVG10\avgwdsvc.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\TeamViewer\Version6\TeamViewer_Service.exe

C:\Arquivos de programas\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Arquivos de programas\TeamViewer\Version6\TeamViewer.exe

C:\Arquivos de programas\AVG\AVG10\avgnsx.exe

C:\Arquivos de programas\AVG\AVG10\avgemcx.exe

C:\Arquivos de programas\TeamViewer\Version6\tv_w32.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jucheck.exe

C:\ARQUIV~1\AVG\AVG10\avgrsx.exe

C:\Arquivos de programas\AVG\AVG10\avgcsrvx.exe

C:\Documents and Settings\Sergio\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\AVG\AVG10\avgui.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\Sergio\Meus documentos\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Arquivos de programas\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Arquivos de programas\AVG\AVG10\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Arquivos de programas\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Arquivos de programas\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll

O4 - HKLM\..\Run: [ZSSnp211] C:\WINDOWS\ZSSnp211.exe

O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [uSBestCR] C:\Arquivos de programas\USIM Editor\iconcs1069140.exe RunFromReg

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [searchSettings] "C:\Arquivos de programas\Arquivos comuns\Spigot\Search Settings\SearchSettings.exe"

O4 - HKLM\..\Run: [AVG_TRAY] C:\Arquivos de programas\AVG\AVG10\avgtray.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sergio\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG10\avgpp.dll

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Afa Card Reader Service (AfaService) - Unknown owner - C:\WINDOWS\system32\afasrv32.exe

O23 - Service: Application Updater - Spigot, Inc. - C:\Arquivos de programas\Application Updater\ApplicationUpdater.exe

O23 - Service: AVG Free E-mail Scanner (avg9emc) - Unknown owner - C:\Arquivos de programas\AVG\AVG9\avgemc.exe (file missing)

O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Arquivos de programas\AVG\AVG9\avgwdsvc.exe (file missing)

O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

O23 - Service: Watchdog do AVG (avgwd) - AVG Technologies CZ, s.r.o. - C:\Arquivos de programas\AVG\AVG10\avgwdsvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Arquivos de programas\TeamViewer\Version6\TeamViewer_Service.exe

--

End of file - 8967 bytes

wings · Fevereiro 5, 2011

Olá SLaurianO

*Baixe o AD-Remover e salve-o no desktop

*Execute o AD-Remover

*Clique [Clean] > [OK] > [sim]

*O PC será reiniciado

*Cole o relatório apresentado (C:\Ad-Report-CLEAN[1].txt)

SLaurianO · Fevereiro 18, 2011

Olá SLaurianO

*Baixe o AD-Remover e salve-o no desktop

*Execute o AD-Remover

*Clique [Clean] > [OK] > [sim]

*O PC será reiniciado

*Cole o relatório apresentado (C:\Ad-Report-CLEAN[1].txt)

======= REPORT FROM AD-REMOVER 2.0.0.2,E | ONLY XP/VISTA/7 =======

Updated by TeamXscript on 16/02/11

Contact: AdRemover[DOT]contact[AT]gmail[DOT]com

website: http://www.teamxscript.org

C:\Arquivos de programas\Ad-Remover\main.exe (CLEAN [1]) -> Launched at 08:17:22 on 18/02/2011, Normal boot

Microsoft Windows XP Professional Service Pack 3 (X86)

Sergio@SRG1 ( )

============== ACTION(S) ==============

Service: "Application Updater" Service stopped and deleted

Folder deleted: C:\Arquivos de programas\Application Updater

Folder deleted: C:\Documents and Settings\Sergio\Dados de aplicativos\pdfforge

Folder deleted: C:\Arquivos de programas\pdfforge Toolbar

Folder deleted: C:\Documents and Settings\Sergio\Dados de aplicativos\Search Settings

Folder deleted: C:\Arquivos de programas\Arquivos comuns\Spigot

(!) -- Temporary files deleted.

Key deleted: HKLM\Software\Classes\CLSID\{B922D405-6D13-4A2B-AE89-08A030DA4402}

Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B922D405-6D13-4A2B-AE89-08A030DA4402}

Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B922D405-6D13-4A2B-AE89-08A030DA4402}

Key deleted: HKLM\Software\Application Updater

Key deleted: HKLM\Software\Conduit

Key deleted: HKLM\Software\pdfforge

Key deleted: HKLM\Software\Search Settings

Key deleted: HKCU\Software\Conduit

Key deleted: HKCU\Software\AppDataLow\Software\Search Settings

Key deleted: HKLM\Software\Classes\Installer\Products\7A931B0A5D8E8E947AFB2124E1562280

Key deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Userdata\S-1-5-18\Products\7A931B0A5D8E8E947AFB2124E1562280

Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}

Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}

Value deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SearchSettings

============== ADDITIONNAL SCAN ==============

-- C:\Documents and Settings\Sergio\Dados de aplicativos\Mozilla\FireFox\Profiles\4zx09c2s.default --

Prefs.js - browser.download.lastDir, C:\\Documents and Settings\\Sergio\\Meus documentos\\Minhas músicas\\Red Hot Chili Peppers

Prefs.js - browser.startup.homepage_override.buildID, 20110110191547

Prefs.js - browser.startup.homepage_override.mstone, rv:2.0b9

Prefs.js - keyword.URL, hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=302398&p=

========================================

**** Google Chrome Version [9.0.597.98] ****

Google Chrome\Shell\Open\Command - C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

Extension\lifbcibllhkdhoafpjfnlhfpfgnpldfl (C:\Arquivos de programas\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx) (?)

-- C:\Documents and Settings\Sergio\Configurações locais\Dados de aplicativos\Google\Chrome\User Data\Default --

Preferences - default_search_provider: "Google" (Enabled: true) (?)

Plugin - Unity Player (Enabled: true) (C:\Documents and Settings\Sergio\Configura\u00E7\u00F5es locais\Dados de aplicativos\Unity\WebPlayer\loader\npUnity3D32.dll) (x)

Plugin - "Unity Player" (Enabled: true)

========================================

**** Internet Explorer Version [8.0.6001.18702] ****

HKCU_Main|Default_Page_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

HKCU_Main|Default_Search_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKCU_Main|Search bar - hxxp://go.microsoft.com/fwlink/?linkid=54896

HKCU_Main|Start Page - hxxp://fr.msn.com/

HKLM_Main|Default_Page_URL - hxxp://go.microsoft.com/fwlink/?LinkId=54896

HKLM_Main|Default_Search_URL - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKLM_Main|Search bar - hxxp://search.msn.com/spbasic.htm

HKLM_Main|Search Page - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKLM_Main|Start Page - hxxp://fr.msn.com/

HKLM_Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - "Skype Plug-In" (C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\icon.ico)

HKLM_Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583} - "?" (?)

BHO\{5C255C8A-E604-49b4-9D64-90988571CECB} (?)

BHO\{9030D464-4C02-4ABF-8ECC-5164760863C6} - "Auxiliar de Conexão do Windows Live" (C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll)

========================================

C:\Arquivos de programas\Ad-Remover\Quarantine: 69 File(s)

C:\Arquivos de programas\Ad-Remover\Backup: 13 File(s)

C:\Ad-Report-CLEAN[1].txt - 18/02/2011 08:17:29 (4027 Byte(s))

End at: 08:18:29, 18/02/2011

============== E.O.F ==============

wings · Fevereiro 18, 2011

1.

*Execute o AD-Remover e clique [uninstall] > [Não] > [Close]

2.

*Novo log do hijack

SLaurianO · Fevereiro 19, 2011

1.

*Execute o AD-Remover e clique [uninstall] > [Não] > [Close]

2.

*Novo log do hijack

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:15:05, on 19/02/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\ARQUIV~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ZSSnp211.exe

C:\WINDOWS\Domino.exe

C:\Arquivos de programas\USIM Editor\iconcs1069140.exe

C:\Arquivos de programas\AVG\AVG10\avgtray.exe

C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\WINDOWS\system32\afasrv32.exe

C:\Arquivos de programas\AVG\AVG10\avgwdsvc.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Arquivos de programas\AVG\AVG10\avgnsx.exe

C:\Arquivos de programas\AVG\AVG10\avgemcx.exe

C:\Documents and Settings\Sergio\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Documents and Settings\Sergio\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe

C:\ARQUIV~1\AVG\AVG10\avgrsx.exe

C:\Arquivos de programas\AVG\AVG10\avgcsrvx.exe

C:\Documents and Settings\Sergio\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

C:\Documents and Settings\Sergio\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Sergio\Meus documentos\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.microsoft.com/fwlink/?linkid=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =