[Arquivado] Analise de Log

[iSombra 0]

Opa.. então, estou postando aqui mais precisamente pelo seguinte... to com uma *************** de toda vez que eu abro uma nova aba em qualquer navegador, abre aquele "babylon search"... sinceramente, eu tentei de TUDO POSSÍVEL para remover isso. Desinstalei, fui nas aplicações, tirei do registro no regedit, enfim, eu fiz de tudo que eu pesquisei e podia fazer e não funcionou.. então aproveitando também, ja vou postar para analisarem meu log

 

Segue o log do hijackthis

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 02:42:40, on 24/7/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Programas\AVAST Software\Avast\AvastSvc.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\RTHDCPL.EXE

D:\WINDOWS\system32\RunDLL32.exe

D:\Programas\Yuna Software\Messenger Plus!\PlusService.exe

D:\Programas\AVAST Software\Avast\avastUI.exe

D:\Programas\Steam\Steam.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Documents and Settings\igor\Definições locais\Application Data\Akamai\netsession_win.exe

D:\Documents and Settings\igor\Definições locais\Application Data\Akamai\netsession_win.exe

D:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

D:\WINDOWS\system32\nvsvc32.exe

D:\WINDOWS\system32\wuauclt.exe

D:\WINDOWS\system32\wscntfy.exe

D:\Documents and Settings\igor\Os meus documentos\Downloads\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=113480&tt=2912_7&babsrc=HP_ss&mntrId=cacbd51900000000000000270e17449c

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - D:\Programas\AVAST Software\Avast\aswWebRepIE.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - D:\Programas\AVAST Software\Avast\aswWebRepIE.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] D:\Programas\NVIDIA Corporation\nview\nwiz.exe /installquiet

O4 - HKLM\..\Run: [PlusService] D:\Programas\Yuna Software\Messenger Plus!\PlusService.exe

O4 - HKLM\..\Run: [avast] "D:\Programas\AVAST Software\Avast\avastUI.exe" /nogui

O4 - HKLM\..\Run: [Aeria Ignite] "D:\Programas\Aeria Games\Ignite\aeriaignite.exe" silent

O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\igor\Definições locais\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [msnmsgr] "D:\Programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [steam] "D:\Programas\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Akamai NetSession Interface] "D:\Documents and Settings\igor\Definições locais\Application Data\Akamai\netsession_win.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')

O4 - HKUS\S-1-5-21-1715567821-1220945662-1417001333-1004\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programas\Messenger\msmsgs.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon da cache de categorias dos componentes - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - D:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: avast! Antivirus - AVAST Software - D:\Programas\AVAST Software\Avast\AvastSvc.exe

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - D:\Programas\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - D:\Programas\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - D:\Programas\Skype\Updater\Updater.exe

O23 - Service: Steam Client Service - Valve Corporation - D:\Programas\Ficheiros comuns\Steam\SteamService.exe

 

--

End of file - 5998 bytes

[DigRam 144]

Bom Dia! iSombra

 

|- Baixe: < AdwCleaner > ( ... par Xplode )

 

|- Ao acessar,clique na imagem: < >

 

|- Salve-o no desktop!

|- Execute o arquivo adwcleaner.exe <-

|- Ps: Dê início ao scan,clicando em "Delete" ou "Suppression".

 

 

|- Ao concluir,poste o relatório: D:\AdwCleaner[S].txt

 

|- Baixe: < > ( ... par Nicolas Coolman )

 

|- Salve-o no desktop!

|- Para Windows Vista ou 7,clique direito e execute o arquivo como administrador.

|- Aguarde a conclusão do scan e clique em "Copier". <- Aguarde!

|- Poste e/ou cole aqui,o link que foi gerado!

 

Abraços!

[iSombra 0]

Opa, boa tarde DigRam, segue o log do AdwCleaner[s2] que foi aberto após o pedido de reiniciar o pc.

 

# AdwCleaner v1.703 - Logfile created 07/24/2012 at 15:07:19
# Updated 20/07/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : igor - IGR-420-PC
# Running from : D:\Documents and Settings\igor\Os meus documentos\Downloads\adwcleaner.exe
# Option [Delete]


***** [services] *****


***** [Files / Folders] *****

Folder Deleted : D:\DOCUME~1\igor\DEFINI~1\Temp\BabylonToolbar
Folder Deleted : D:\Documents and Settings\igor\Application Data\Babylon
Folder Deleted : D:\Documents and Settings\All Users\Application Data\Babylon

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A3F2A195-0D11-463b-96BB-D2FF1B7490A1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ECD0ECC6-DCA4-4013-A915-12355AB70999}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.babylon.com/?affID=113480&tt=2912_7&babsrc=HP_ss&mntrId=cacbd51900000000000000270e17449c --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?affID=113480&tt=2912_7&babsrc=NT_ss&mntrId=cacbd51900000000000000270e17449c --> hxxp://www.google.com

*************************

AdwCleaner[s1].txt - [304 octets] - [24/07/2012 15:06:34]
AdwCleaner[s2].txt - [1916 octets] - [24/07/2012 15:07:19]

########## EOF - D:\AdwCleaner[s2].txt - [2044 octets] ##########

 

 

O link do ZHP

 

http://pjjoint.malekal.com/files.php?read=ZHPDiag_20120724_m8e12e13b11w12

 

Abraços e agradeço desde já

[DigRam 144]

Boa Noite! iSombra

 

|- Baixe: < ZHPFix.zip >

 

|- Descompacte-o para o desktop.

 

|- Feche programas/pastas que estejam abertas.

|- Feche,também,o navegador!

|- Para Windows Vista,desabilite a UAC.

 

>>

 

|- Para Windows Vista ou 7,clique direito em ZHPFix.exe e execute-o como administrador.

|- Selecione e copie estas informações,que estão em vermelho,para o "Bloco de Notas".

 

O44 - LFC:[MD5.DBD3ACDC98D878BE455B0617AF5B4BFF] - 17/7/2012 - 18:43:02 ---A- . (...) -- D:\user.js [247]

O47 - AAKE:Key Export SP - "D:\Programas\PSafe\PSRsync.exe" [Enabled] .(...) -- D:\Programas\PSafe\PSRsync.exe (.not file.)

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("browser.newtab.url", "http://search.babylon.com/?affID=113480tt=2912_7babsrc=NT_ssmntrId=cacbd51900000000000000270e1'>http://search.babylon.com/?affID=113480tt=2912_7babsrc=NT_ssmntrId=cacbd51900000000000000270e1[...]

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("browser.search.defaultenginename", "Search the web (Babylon)");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("browser.search.order.1", "Search the web (Babylon)");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.aflt", "babsst");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.babExt", "");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.babTrack", "affID=113480tt=2912_7");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.hardId", "cacbd51900000000000000270e17449c");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.id", "cacbd51900000000000000270e17449c");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.instlDay", "15538");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.instlRef", "sst");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.newTab", true);

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.newTabUrl", "http://search.babylon.com/?affID=113480tt=2912_7babsrc=NT_ssmntrId=cacbd519[...]

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.smplGrp", "none");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.srcExt", "ss");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1718:42:59");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");

O69 - SBI: prefs.js [igor - igw5wc1r.default] user_pref("keyword.URL", "http://search.babylon.com/?affID=113480tt=2912_7babsrc=KW_ssmntrId=cacbd51900000000000000270e17449cq[...]

 

[HKLM\Software\360Safe] => Infection Diverse (Lozavita.Troj)

 

emptytemp

emptyflash

proxyfix

firewallraz

sysrestore

|- Estando com o Bloco de Notas aberto,acione os atalhos: "Ctrl+A" -> "Ctrl+C"

|- Minimize o Bloco de Notas.

 

 

|- Clique no menu,"Paste ClipBoard".

|- Clique em "GO" -> Oui.

 

 

|- Ps: Temos,àcima,sequência de imagens para maior exclarecimento.

|- Poste o relatório: D:\ZHP\ZHPFix[R1].txt

 

Abraços!

[wings 22]

Tópico Arquivado

 

Como o autor não respondeu por mais de 10 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.