
dieef5

[Solved!] FreeProd?!?!?


Hey everyone, I'd really like your help to solve a problem with my home PC (I'm at work right now) that is already giving me a headache.

Here's the thing: the problem started after I came back from vacation (03/01/06), when I opened the browser (Firefox, and the home page is the iMasters forum) and this piece of crap installed itself. At first only some pop-ups appeared, and only in IE, but now the thing is out of control. It opens advertising pages by itself in Firefox, it opens programs by itself (yesterday it even opened Photoshop), and even the programs' menus weren't working; only the outline of the windows stayed marked on the screen.

I ran the anti-spyware tools I have (Spybot and Ad-Aware SE) several times. Ad-Aware detected a lot of problems per day (about 60 to 90 per day) and deleted almost all of them, but a window appeared saying that some could not be deleted. Then yesterday I managed to delete all of them in SAFE MODE, and I even managed to find out the names of the damned things. :angry: (at least I think so)

The name is freeProd (it seems to be a big bundle of spyware). The anti-spyware detections show many adware, malware and worms from this freeProd, and Spybot also gave me these names (SMITFRAUD-C, MAX SEARCH, NAVISEACH, among others); inside them there are several executables, registry modifications, etc.

NOW COMES THE BIG PROBLEM: yesterday I managed to delete everything in SAFE MODE, but when I boot into normal mode (the internet connects at the same time) this m*****, son of a @#$@, reinstalls itself again.

I went through the process of deleting everything 3 times yesterday (afterwards I had to unplug the internet cable to stop it from installing itself). The worst part is that I can never stop the installation (only by switching the PC off directly at the transformer).

So now what, folks, how do I make this stop?? Is there any way?? I can't even get on the internet at home without this thing installing itself.

Please help me out, people.. :upset:

I'll be waiting..


Try installing a firewall so that at least they don't reinstall themselves, try searching the net or wait a bit longer here to see if someone has a solution for this problem, but install it and post the HijackThis log.


Alright, I'll do that. I'll download it here at work and then, when I install it at home, I'll post the log for analysis.. :) Just one thing, do you know of a free firewall I can download? My antivirus is McAfee. Would there be any problem installing the firewall? Thanks.


Dear dieef5,

Do the following (as soon as you get home):

Download HijackThis version 1.99.1.

Then > Start > My Computer > double-click C > put HijackThis on C (extracting it from the zip into its own folder, such as c:/Hijack).

Run HijackThis from C, closing all other programs (leaving only the desktop).

Click Do a system scan and save a logfile, but don't check anything; just post the generated log here in this same topic.

A good firewall --> Kerio Personal.

Regards.


Alright jgarcia.. :) ...as soon as I get home tonight I'll do that and post the log here.. (if I can't post the log tonight I'll post it tomorrow morning). Thanks for the help..


Hey man... look, I just plugged the internet cable in and so far that spyware I mentioned hasn't installed itself again (it usually installed quickly), but what is still happening is the ads that appear (taking me away from the page I'm on and going to some ad).

Here is the log that opened up when I ran HijackThis:

 

Logfile of HijackThis v1.99.1

Scan saved at 21:36:28, on 19/1/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\VsStat.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Vshwin32.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avconsol.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Network\network.exe

C:\windows\winsysban.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe

C:\hijack\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Arquivos de programas\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=012306 serial=DR12WEX-1504397-kty lang=BP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [winupdate] C:\Arquivos de programas\winupdate\winupdate.exe /auto

O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe

O4 - HKLM\..\Run: [Network] C:\Arquivos de programas\Network\network.exe

O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe

O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Decompiler - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125497679093

O17 - HKLM\System\CCS\Services\Tcpip\..\{BADEAD12-89D0-4BD0-B8B9-B9EF9CDB8FF9}: NameServer = 200.220.198.2,200.220.198.3

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\wghptb.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McShield - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

 

 

 

I'll be waiting :)


Dear dieef5,

Let's go on the attack.

Set Windows to show all files (including hidden ones).

Uninstall:

--> winupdate

--> Network

Use Add/Remove Programs.

Uninstall them one by one, and restart after uninstalling them.

NOTE: If you can't find one or more of the programs, just move on to the next one and/or to the next step.

Step 1

Download Killbox from:

Killbox

Download it, but don't run it yet.

Download SpySweeper from:

SpySweeper

Download and update it, but don't run it yet.

Step 2

1) Run Killbox and click Delete on Reboot.

2) Copy the list below (in bold) to the clipboard. Select --> Edit --> Copy.

C:\Arquivos de programas\winupdate

C:\Arquivos de programas\Network

C:\windows\winsysupd.exe

C:\windows\winsysban.exe

c:\\drsmartloadb.exe

C:\WINDOWS\system32\wghptb.dll

3. Go back to Killbox. Click File > Paste from clipboard. Click All Files.

4. Click the "X". Answer "no" to the question.

It is wise to print this document or save it somewhere easy to reach, because in the next step we will go into Safe Mode and connecting to the internet will not be possible.

Step 3

Restart the computer in Safe Mode (after restarting, keep pressing F8 until a black DOS-style screen appears, then choose Safe Mode).

Run HijackThis, click Do a system scan only and check:

O4 - HKLM\..\Run: [winupdate] C:\Arquivos de programas\winupdate\winupdate.exe /auto

O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe

O4 - HKLM\..\Run: [Network] C:\Arquivos de programas\Network\network.exe

O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe

O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe

O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\wghptb.dll

Click Fix Checked.

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080

Do you use a proxy to connect to the internet? If you don't, or don't know what a proxy is, apply Fix Checked to the entry above as well.

Step 4

Still in Safe Mode, do the following:

1) Run a full scan with SpySweeper.

Step 5

Restart in normal mode.

Check whether the problems have been resolved and post the new log.

I await your reply.

Best regards.


Jgarcia, these winupdate --> Network don't show up in Add/Remove Programs. I'll do the steps here and then post the log.


Hey, yesterday when I went to post the log my internet had already gone down (it only stays connected until midnight... hehehe)

So far it still hasn't redirected to any ads... from what I saw after the process you helped me with.. there were several.. the ad one was that look2me thing.. at least I think so..

Here's the new log, man:

 

Logfile of HijackThis v1.99.1

Scan saved at 12:28:14, on 20/1/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\VsStat.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Vshwin32.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\hijack\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Arquivos de programas\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=012306 serial=DR12WEX-1504397-kty lang=BP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Decompiler - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125497679093

O17 - HKLM\System\CCS\Services\Tcpip\..\{BADEAD12-89D0-4BD0-B8B9-B9EF9CDB8FF9}: NameServer = 200.220.198.2,200.220.198.3

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mv04l9dq1.dll (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McShield - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

 

I just think the PC is kind of slow... :( ..but this slowness has been there since the problems appeared..

I'll be waiting... :D


Dear dieef5,

..the ad one was that look2me thing..

Yes ... Look2Me is still on the machine.

I'm going to need a log from L2MFix. Click here and download it.

Extract the files and run l2mfix.bat --> option "run find log". After a few minutes Notepad should open with a log. It is the contents of this log that you should paste in your next reply, along with the new HijackThis log.

I await your reply.

Best regards.

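An added example, not part of the original thread and not code from HijackThis or from anyone posting here: a Python script that parses two HijackThis logs and reports which autostart entries disappeared and which appeared between the scans, the comparison done by eye above on the logs of 19/1/2006 and 20/1/2006. The two sample logs are trimmed excerpts of the lines posted in this thread; the function names and the `AUTOSTART` table are choices made for this example.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4" or "O20"
    detail: str   # rest of the line after "<code> - "


# Item lines look like "O4 - HKLM\..\Run: [name] path". The header and the
# "Running processes" list carry no "<code> - " prefix and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Sections whose entries make code load at boot, logon or browser start.
AUTOSTART = {
    "O2": "Browser Helper Object",
    "O4": "Run key / Startup folder",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Windows service",
}

# Trimmed excerpt of the first log in this thread (before cleanup).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8080
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winupdate] C:\Arquivos de programas\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\wghptb.dll
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
"""

# Trimmed excerpt of the second log in this thread (after cleanup).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mv04l9dq1.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
"""


def parse_hjt(text):
    """Return the item lines of a HijackThis log as Entry tuples, in order."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2)))
    return entries


def diff_logs(before, after):
    """Return (removed, added): entries only in `before`, entries only in `after`."""
    old, new = parse_hjt(before), parse_hjt(after)
    removed = [e for e in old if e not in new]
    added = [e for e in new if e not in old]
    return removed, added


def autostart_only(entries):
    """Keep only entries from sections that load code automatically."""
    return [e for e in entries if e.section in AUTOSTART]


def missing_targets(entries):
    """Entries HijackThis marked '(file missing)': the registry value is
    still present although the file it names was not found on disk."""
    return [e for e in entries if e.detail.endswith("(file missing)")]


def report(before, after):
    """Build a line-per-entry summary of autostart changes between two logs."""
    removed, added = diff_logs(before, after)
    lines = []
    for label, entries in (("removed", removed), ("added", added)):
        for e in autostart_only(entries):
            note = "  <-- registry entry remains, file missing" if missing_targets([e]) else ""
            lines.append(f"{label:<8}{e.section:<4}{AUTOSTART[e.section]}: {e.detail}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE, LOG_AFTER))
```

On the excerpts, the only new autostart entries are the SpySweeper ones and the O20 `RunServices` Winlogon Notify key, which is the entry the reply above follows up on with L2MFix.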

Hey jgarcia, this is the L2MFix log that came up:

 

L2MFIX find log 010406

These are the registry keys present

********************************************************************************

**

Winlogon/notify:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

"Asynchronous"=dword:00000000

"DllName"=""

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\mv04l9dq1.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

 

********************************************************************************

**

useragent:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{33A64AC2-C6D5-B6B0-78B8-824D88D2F0FB}"=""

 

********************************************************************************

**

Shell Extension key:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"

"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"="TuneUp Shredder Shell Context Menu Extension"

"{9F5817AA-0843-405E-BC23-E65B7739AC80}"=""

"{91091E5D-8DC5-4C39-ACCC-3168F7A65090}"=""

"{B962F4CD-6945-4489-BE9E-EDC7054B47FF}"=""

"{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}"=""

"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

 

**********************************************************************************

HKEY ROOT CLASSIDS:

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}\InprocServer32]

@="C:\\WINDOWS\\system32\\sutupapi.dll"

"ThreadingModel"="Apartment"

 

**********************************************************************************

Files Found are not all bad files:

 

C:\WINDOWS\SYSTEM32\

bszip.dll Thu 19 Jan 2006 18:46:10 A.... 62.464 61,00 K

cmdlin~1.dll Thu 15 Dec 2005 23:32:10 A.... 43.520 42,50 K

gccoll~1.dll Tue 15 Nov 2005 12:12:08 A.... 126.680 123,71 K

gcunco~1.dll Tue 15 Nov 2005 12:12:06 A.... 95.448 93,21 K

hashlib.dll Tue 15 Nov 2005 12:12:08 A.... 117.976 115,21 K

wrlogo~1.dll Wed 14 Dec 2005 19:17:20 A.... 492.544 481,00 K

wrlzma.dll Wed 14 Dec 2005 19:17:16 A.... 17.920 17,50 K

 

7 items found: 7 files, 0 directories.

Total of file sizes: 956.552 bytes 934,13 K

Locate .tmp files:

 

No matches found.

**********************************************************************************

Directory Listing of system files:

O volume na unidade C não tem nome.

O número de série do volume é 5808-DC63

 

Pasta de C:\WINDOWS\System32

 

20/01/2006 21:23 <DIR> ..

20/01/2006 21:23 <DIR> .

25/08/2005 17:13 <DIR> Microsoft

25/08/2005 13:57 <DIR> dllcache

0 arquivo(s) 0 bytes

4 pasta(s) 51.406.962.688 bytes disponíveis

 

 

 

And this is the new hijack log:

 

Logfile of HijackThis v1.99.1

Scan saved at 21:29:48, on 20/1/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\VsStat.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Vshwin32.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avconsol.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\hijack\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Arquivos de programas\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=012306 serial=DR12WEX-1504397-kty lang=BP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Decompiler - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125497679093

O17 - HKLM\System\CCS\Services\Tcpip\..\{BADEAD12-89D0-4BD0-B8B9-B9EF9CDB8FF9}: NameServer = 200.220.198.2,200.220.198.3

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mv04l9dq1.dll (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McShield - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

 

Thanks, man, I'll be waiting... :)


Dear dieef5,

Run the l2mfix.bat file, press <Enter>, then type 2 and press Enter again. After that, you will need to press any key and the computer will restart.

After restarting, your desktop should disappear and reappear. The fix is not finished yet. When it finishes, Notepad should open with a log. Attach this log to your reply as you did before, along with a new HijackThis log.

Go to the l2mfix folder that was created and copy the ntrights file to C:\

Click Start --> Run, type cmd and click OK. A command prompt will appear.

Type the following:

cd c:\

Enter. Now type the following command:

ntrights -u Administradores +r SeDebugPrivilege > log.txt

Attention --> Make sure you type this command correctly.

Enter again. There should now be a file called c:\log.txt. Open it and paste its contents here.

I await your reply.

Best regards.


So, this was the l2mfix log:

 

L2mfix 010406

Creating Account.

Comando concluído com êxito.

 

Adding Administrative privleges.

Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

 

Running From:

C:\WINDOWS\system32

 

Killing Processes!

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 400 'smss.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 488 'winlogon.exe'

Killing PID 488 'winlogon.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 328 'explorer.exe'

Killing PID 328 'explorer.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 880 'rundll32.exe'

Killing PID 1184 'rundll32.exe'

Restoring Sedebugprivilege:

 

Scanning First Pass. Please Wait!

 

First Pass Completed

 

Second Pass Scanning

 

Second pass Completed!

 

 

 

Restoring Windows Update Certificates.:

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\mv04l9dq1.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

 

 

The following are the files found:

****************************************************************************

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}\InprocServer32]

@="C:\\WINDOWS\\system32\\sutupapi.dll"

"ThreadingModel"="Apartment"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{9F5817AA-0843-405E-BC23-E65B7739AC80}"=-

"{91091E5D-8DC5-4C39-ACCC-3168F7A65090}"=-

"{B962F4CD-6945-4489-BE9E-EDC7054B47FF}"=-

"{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}"=-

[-HKEY_CLASSES_ROOT\CLSID\{9F5817AA-0843-405E-BC23-E65B7739AC80}]

[-HKEY_CLASSES_ROOT\CLSID\{91091E5D-8DC5-4C39-ACCC-3168F7A65090}]

[-HKEY_CLASSES_ROOT\CLSID\{B962F4CD-6945-4489-BE9E-EDC7054B47FF}]

[-HKEY_CLASSES_ROOT\CLSID\{DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190}]

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

 

****************************************************************************

Checking for L2MFix account(0=no 1=yes):

0

Zipping up files for submission:

zip warning: name not matched: dlls\*.*

 

zip error: Nothing to do! (backup.zip)

adding: backregs/DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190.reg (212 bytes security) (deflated 70%)

adding: backregs/notibac.reg (164 bytes security) (deflated 78%)

adding: backregs/shell.reg (164 bytes security) (deflated 74%)

 

 

And this is the new HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 22:31:11, on 20/1/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\VsStat.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Vshwin32.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avconsol.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\hijack\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Arquivos de programas\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=012306 serial=DR12WEX-1504397-kty lang=BP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Decompiler - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125497679093

O17 - HKLM\System\CCS\Services\Tcpip\..\{BADEAD12-89D0-4BD0-B8B9-B9EF9CDB8FF9}: NameServer = 200.220.198.2,200.220.198.3

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mv04l9dq1.dll (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McShield - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

 

 

Then I did the rest of the process, and the log that appeared after typing at the prompt was just this:

 

Granting SeDebugPrivilege to Administradores ... successful

 

I'll be waiting, man... :)

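Added example (not part of the original thread and not L2MFix code): a small Python parser for a Winlogon\Notify export like the one in the log above. It decodes the hex(2) DllName values and lists the notification packages whose subkey is not in a baseline; the baseline set and the function names are assumptions made for this example, and the sample text is constructed from entries in that log.

```python
import re

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption for this example: Notify subkeys treated as expected on a stock
# Windows XP install. Adjust to the baseline of the machine being reviewed.
BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample: five entries copied from the export in the log above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv04l9dq1.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"StartShell"="SchedStartShell"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"DllName"="WRLogonNTF.dll"
"Logon"="WRLogon"
'''


def _join_continuations(text):
    """.reg exports wrap long hex values with a trailing backslash; undo that."""
    return re.sub(r"\\\s*\n\s*", "", text)


def _decode_value(raw):
    """Return the string held by a REG_SZ or hex(2) (REG_EXPAND_SZ) value."""
    raw = raw.strip()
    m = re.match(r"hex\(2\):(.*)$", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def parse_notify(text):
    """Map each direct Notify subkey to the DLL named in its DllName value."""
    packages = {}
    current = None
    prefix = NOTIFY_ROOT.lower() + "\\"
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            if current and "\\" in current:  # ignore deeper nesting
                current = None
        elif current and "=" in line:
            name, _, raw = line.partition("=")
            if name.strip('"').lower() == "dllname":
                packages[current] = _decode_value(raw)
    return packages


def review(packages, baseline=BASELINE):
    """List (subkey, dll) pairs outside the baseline, for manual review.

    Not being in the baseline means "look at it", not "malicious": installed
    security software also registers notification packages.
    """
    return [(k, v) for k, v in sorted(packages.items()) if k.lower() not in baseline]


if __name__ == "__main__":
    for subkey, dll in review(parse_notify(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll}")
```

On the sample, the two entries reported are the same two that HijackThis lists under O20 in the log above.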

Dear dieef5,

Run L2MFIX again (as in my last post).

Run a full scan with SpySweeper again.

Post the new log.

Regards.


jgarcia,

I ran L2MFIX as I did last time; the log was this:

 

L2mfix 010406

Creating Account.

Comando concluído com êxito.

 

Adding Administrative privleges.

Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

 

Running From:

C:\WINDOWS\system32

 

Killing Processes!

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 400 'smss.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 488 'winlogon.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 424 'explorer.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 1472 'rundll32.exe'

Killing PID 1380 'rundll32.exe'

Restoring Sedebugprivilege:

 

Scanning First Pass. Please Wait!

 

First Pass Completed

 

Second Pass Scanning

 

Second pass Completed!

 

 

 

Restoring Windows Update Certificates.:

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\mv04l9dq1.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

 

 

The following are the files found:

****************************************************************************

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

****************************************************************************

Checking for L2MFix account(0=no 1=yes):

0

Zipping up files for submission:

zip warning: name not matched: dlls\*.*

 

zip error: Nothing to do! (backup.zip)

adding: backregs/DB00ABCE-FE7E-40B8-B5AC-EE2C7170B190.reg (212 bytes security) (deflated 70%)

adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

adding: backregs/shell.reg (164 bytes security) (deflated 74%)

 

 

I ran SpySweeper and it didn't flag anything.

 

This is the new HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 23:19:51, on 20/1/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\VsStat.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Vshwin32.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avconsol.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe

C:\hijack\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Arquivos de programas\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=012306 serial=DR12WEX-1504397-kty lang=BP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Decompiler - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125497679093

O17 - HKLM\System\CCS\Services\Tcpip\..\{BADEAD12-89D0-4BD0-B8B9-B9EF9CDB8FF9}: NameServer = 200.220.198.2,200.220.198.3

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mv04l9dq1.dll (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McShield - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

 

I'll be waiting... :)


Dear dieef5,

OK, let's go.

Step 1

1) Run Killbox and click Delete on Reboot.

2) Copy the list below in bold to the clipboard. Select --> Edit --> Copy.

C:\WINDOWS\system32\mv04l9dq1.dll

3) Go back to Killbox. Click File > Paste from clipboard. Click All Files.

4) Click the "X". Answer "no" to the question.

Step 2

Run HijackThis, click Do a system scan only and check:

O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mv04l9dq1.dll (file missing)

Click Fix Checked.

Step 3

Restart in normal mode.

I'll need one more L2MFix log.

Run l2mfix.bat --> option "run find log". After a few minutes Notepad should open with a log. Paste the contents of that log in your next reply, along with the new Hijack log.

I'll await your reply.

Best regards.


hey.. :) .. here are the L2MFix logs after the steps:

L2MFIX find log 010406

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

 

**********************************************************************************

useragent:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

 

**********************************************************************************

Shell Extension key:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


 

**********************************************************************************

HKEY ROOT CLASSIDS:

**********************************************************************************

Files Found are not all bad files:

 

C:\WINDOWS\SYSTEM32\

bszip.dll Thu 19 Jan 2006 18:46:10 A.... 62.464 61,00 K

cmdlin~1.dll Thu 15 Dec 2005 23:32:10 A.... 43.520 42,50 K

gccoll~1.dll Tue 15 Nov 2005 12:12:08 A.... 126.680 123,71 K

gcunco~1.dll Tue 15 Nov 2005 12:12:06 A.... 95.448 93,21 K

hashlib.dll Tue 15 Nov 2005 12:12:08 A.... 117.976 115,21 K

wrlogo~1.dll Wed 14 Dec 2005 19:17:20 A.... 492.544 481,00 K

wrlzma.dll Wed 14 Dec 2005 19:17:16 A.... 17.920 17,50 K

 

7 items found: 7 files, 0 directories.

Total of file sizes: 956.552 bytes 934,13 K

Locate .tmp files:

 

No matches found.

**********************************************************************************

Directory Listing of system files:

O volume na unidade C não tem nome.

O número de série do volume é 5808-DC63

 

Pasta de C:\WINDOWS\System32

 

21/01/2006 14:35 <DIR> ..

21/01/2006 14:35 <DIR> .

25/08/2005 17:13 <DIR> Microsoft

25/08/2005 13:57 <DIR> dllcache

0 arquivo(s) 0 bytes

4 pasta(s) 51.385.729.024 bytes disponíveis

 

 

Here's the new Hijack log:

 

Logfile of HijackThis v1.99.1

Scan saved at 14:37:38, on 21/1/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\VsStat.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Arquivos de programas\McAfee\McAfee VirusScan\Avconsol.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe

C:\hijack\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.compartilhando.org/

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Arquivos de programas\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=012306 serial=DR12WEX-1504397-kty lang=BP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Arquivos de programas\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Decompiler - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://www.compartilhando.org/

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125497679093

O17 - HKLM\System\CCS\Services\Tcpip\..\{BADEAD12-89D0-4BD0-B8B9-B9EF9CDB8FF9}: NameServer = 200.220.198.2,200.220.198.3

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Arquivos de programas\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McShield - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Network Associates\McShield\Mcshield.exe

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Arquivos de programas\TuneUp Utilities 2004\WinStylerThemeSvc.exe

 

I'll be waiting, man.. :)

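An added example (not part of the original posts, and not code from L2MFix or HijackThis): a Python check that decodes the `DllName` values in an L2MFix-style Winlogon\Notify export, including the `hex(2)` ones, and confirms that an O20 entry HijackThis flagged as `(file missing)` before the fix is no longer registered afterwards. The sample input is excerpted from the logs in this thread; the function names are made up for the example, and it assumes the O20 name equals the Notify subkey name, as it does for WRNotifier here.

```python
import re

# Sample input excerpted from the logs in this thread. The blank line inside the
# hex(2) value reproduces what the forum paste did to the export.
REG_AFTER = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
'''

HJT_BEFORE = r'''
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\mv04l9dq1.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
'''

NOTIFY_KEY = "\\winlogon\\notify\\"
O20_RE = re.compile(
    r'^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$'
)


def decode_value(raw):
    """Decode a .reg value: a quoted string, or hex(2) (REG_EXPAND_SZ).

    In "Windows Registry Editor Version 5.00" exports, hex(2) data is UTF-16LE.
    """
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r'hex\(2\):(.*)$', raw, re.S)
    if m:
        parts = [p for p in re.split(r'[,\s\\]+', m.group(1)) if p]
        data = bytes(int(p, 16) for p in parts)
        return data.decode('utf-16-le', errors='replace').rstrip('\x00')
    return None  # dword and other types are not needed for this check


def parse_notify_export(text):
    """Return {subkey: DllName} for every Winlogon\\Notify subkey in the export."""
    # Drop blank lines first so a "\"-continued hex value can be rejoined
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    result, subkey, i = {}, None, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line.startswith('['):
            path = line.strip('[]')
            pos = path.lower().find(NOTIFY_KEY)
            subkey = path[pos + len(NOTIFY_KEY):] if pos != -1 else None
            continue
        if subkey is None or '=' not in line:
            continue
        name, _, raw = line.partition('=')
        while raw.startswith('hex') and raw.endswith('\\') and i < len(lines):
            raw = raw[:-1] + lines[i]  # join the continuation line
            i += 1
        if name.strip('"').lower() == 'dllname':  # logs show DllName and DLLName
            result[subkey] = decode_value(raw)
    return result


def parse_o20(hjt_text):
    """Return (name, path, file_missing) for each O20 line of a HijackThis log."""
    entries = []
    for line in hjt_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m['name'], m['path'], bool(m['missing'])))
    return entries


def check_cleanup(hjt_before, reg_after):
    """Map each O20 entry flagged "(file missing)" before the fix to True if its
    Notify subkey is still registered in the later export, False if it is gone."""
    registered = {k.lower() for k in parse_notify_export(reg_after)}
    return {name: name.lower() in registered
            for name, _path, missing in parse_o20(hjt_before) if missing}


if __name__ == "__main__":
    for key, dll in parse_notify_export(REG_AFTER).items():
        print(f"{key:15} -> {dll}")
    for name, still_there in check_cleanup(HJT_BEFORE, REG_AFTER).items():
        print(name, "STILL REGISTERED" if still_there else "removed")
```
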

Hey dieef5,

It was a pleasure to help you. :thumbsup:

Whenever you need it, you can count on my help.

Regards.
