Archived

This topic is archived and closed to new replies.

fredericoguimaraes

[Solved!] Problems with secure32.html

Folks, thanks to anyone who can help me!!!

 

I'm having problems when I start IE. A message appears saying that the file secure32.html was not found in the c:\ directory, but there is no such file in that directory.

I looked at a few articles, but I still haven't managed to remove this malware.

 

Below is the HijackThis log.

 

Logfile of HijackThis v1.99.1

Scan saved at 23:39:39, on 01/02/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\notepad.exe

C:\Documents and Settings\Guilherme\Desktop\SECURE32\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [iBest.baloon] "C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133650037375

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{ABAE1444-9A0A-4528-9E16-26DBB7F56769}: NameServer = 200.204.0.10 200.204.0.138

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\lv0609dse.dll

O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

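As an added example, not code from the thread or from HijackThis: a small Python triage of the log above for the two indicators this thread turns on, the IE start/default/local pages pointing at a local file (the c:\secure32.html hijack) and an O20 Winlogon Notify package whose DLL has a random-looking name, which in this thread changes from one log to the next (lv0609dse.dll, j84olih3184.dll, m4lsle371h.dll), so matching on a fixed name cannot keep up. The sample lines are copied from the log above; the randomness heuristic and its thresholds are this example's own assumptions.

```python
"""Triage a HijackThis v1.99 log for the two indicators this thread turns on:
Internet Explorer start/default/local pages pointing at a local file (the
c:\\secure32.html hijack) and a Winlogon Notify package whose DLL has a
random-looking name (the Look2Me pattern). Thresholds are this example's own."""
import re

# Constructed sample: a subset of the HijackThis lines posted above, verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\lv0609dse.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

R_LINE = re.compile(r"^(R[0-3]) - (.+?),([^=]+?) = (.*)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
LOCAL_FILE = re.compile(r"^(?:[a-z]:\\|file:)", re.IGNORECASE)


def looks_random(path, min_runs=3, min_digits=2):
    """Heuristic: the file stem alternates between letter runs and digit runs
    (lv0609dse, j84olih3184, m4lsle371h) instead of reading like a word.
    Applied only to Winlogon Notify DLLs, where legitimate names are few."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    runs = re.findall(r"[a-z]+|\d+", stem)
    digits = sum(ch.isdigit() for ch in stem)
    return len(runs) >= min_runs and digits >= min_digits


def triage(log_text):
    """Return (section, reason) pairs for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            section, key, name, value = m.groups()
            # A start/default/local page should be a URL, never a file on disk.
            if LOCAL_FILE.match(value):
                findings.append((section, f"{key},{name} = {value} (local file, not a URL)"))
            continue
        m = O20_LINE.match(line)
        if m:
            subkey, dll = m.groups()
            if looks_random(dll):
                findings.append(("O20", f"Winlogon Notify '{subkey}' loads {dll} (random-looking name)"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}")
```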

Dear fredericoguimaraes,

 

Download SmitfraudFix.

 

Disable your anti-virus protection (temporarily).

 

Extract the SmitFraudFix file to your desktop.

 

Double-click smitfraudfix.cmd.

 

Choose option 1, wait for the scan to finish and post the generated log.

 

Regards.


Good morning,

I've just run the program. Below is the log.

Thanks,

----------------------------------------------------------------------------------------------------------------------------

SmitFraudFix v2.16

Rapport fait à 11:02:08,64 le 04/02/2006

Executé à partir de C:\Documents and Settings\Guilherme\Desktop

OS: Microsoft Windows XP [versÆo 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\

»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\Documents and Settings\Guilherme\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Recherche Menu Démarrer

»»»»»»»»»»»»»»»»»»»»»»»» Recherche Bureau

»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\Arquivos de programas

»»»»»»»»»»»»»»»»»»»»»»»» Recherche présence de clés corrompues

»»»»»»»»»»»»»»»»»»»»»»»» Recherche éléments du bureau

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Minha p gina inicial atual"

»»»»»»»»»»»»»»»»»»»»»»»» Recherche Sharedtaskscheduler

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pr‚-carregador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon de cache de categorias de componente"

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin du rapport


Dear fredericoguimaraes,

 

Now you need to:

 

1. Restart in Safe Mode;

 

2. Run SmitfraudFix --> Option 2;

 

3. Answer yes (o) to the question about cleaning the registry;

 

4. Wait for the scan to finish and the log to be generated;

 

5. Restart in Normal Mode;

 

6. Post the SmitfraudFix log (option 2) + the HijackThis log (in Normal Mode).

 

Regards.


Dear jsgarcia,

 

I did what you told me and ran the programs.

 

The file-not-found message (secure32.html) no longer appears when I start IE, but web pages still open at random.

 

Below is the log.

----------------------------------------------------

LOG IN SAFE MODE

 

SmitFraudFix v2.16

 

Rapport fait à 17:26:01,28 le 04/02/2006

Executé à partir de C:\Documents and Settings\Guilherme\Desktop

OS: Microsoft Windows XP [versÆo 5.1.2600]

 

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage Fichiers Temporaires

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

 

Nettoyage terminé.

 

»»»»»»»»»»»»»»»»»»»»»»»» Fin du rapport

 

---------------------------------------------------------------------------------------

LOG IN NORMAL MODE

 

Logfile of HijackThis v1.99.1

Scan saved at 17:29:46, on 04/02/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Guilherme\Desktop\SECURE32\HijackThis.exe

 

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [iBest.baloon] "C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133650037375

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\j84olih3184.dll

O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe


Dear fredericoguimaraes,

 

I'll need an L2MFix log. Click here to download it.

 

Extract the files and run l2mfix.bat --> option "run find log". After a few minutes Notepad should open with a log. It is the contents of this log that you should paste into your next reply, together with a new HijackThis log.

 

Regards.

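Before the L2MFix report that follows, as an added example (not L2MFix's own code): a Python parser for the "Windows Registry Editor Version 5.00" exports and the "Files Found" listing that the find log prints, cross-referencing the two so that a Winlogon\Notify DllName is flagged when its 8.3 short name sits in system32 with the System attribute set, alongside CLSID in-process servers that point at a .tmp file. The sample text is copied from the report below; the cross-referencing rule and the attribute check are this example's own assumptions.

```python
"""Parse the .reg exports and the 'Files Found' listing an L2MFix find log
prints, and cross-reference them for the Look2Me indicators in the report
below: a Winlogon\\Notify DllName whose 8.3 short name is in system32 with
the System attribute, and a CLSID InprocServer32 that is a .tmp file."""
import re

# Constructed samples: subsets of the L2MFix report posted below, verbatim.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m4lsle371h.dll"

[HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}\InprocServer32]
@="C:\\WINDOWS\\system32\\wnpcd.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
"""

SAMPLE_FILES = r"""
C:\WINDOWS\SYSTEM32\
browseui.dll Wed 23 Nov 2005 21:25:18 A.... 1.022.976 999,00 K
irpml5~1.dll Fri 3 Feb 2006 21:39:10 ..S.R 234.872 229,37 K
j4p00e~1.dll Sun 5 Feb 2006 13:25:48 ..S.R 236.777 231,23 K
m4lsle~1.dll Sun 5 Feb 2006 11:42:36 ..S.R 236.703 231,15 K
mshtml.dll Wed 23 Nov 2005 21:25:20 A.... 3.013.632 2,87 M
"""

NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
# name, weekday, day, month, year, time, attribute flags (e.g. 'A....' or '..S.R')
FILE_LINE = re.compile(
    r"^(?P<name>\S+)\s+\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+\d\d:\d\d:\d\d\s+(?P<attrs>[A-Z.]{5})\s")


def parse_reg(text):
    """Return {key_path: {value_name: value}}. String values are unescaped
    (.reg doubles backslashes); dwords stay raw; the default value is '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = value
    return keys


def parse_listing(text):
    """Return {filename: attribute_flags} from a 'Files Found' directory block."""
    files = {}
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if m:
            files[m.group("name").lower()] = m.group("attrs")
    return files


def short_name_matches(long_path, short_name):
    """True if the 8.3 entry 'abcdef~1.ext' could be the short form of long_path."""
    long_file = long_path.rsplit("\\", 1)[-1].lower()
    if "~" not in short_name:
        return long_file == short_name
    prefix, _, rest = short_name.partition("~")
    stem, _, ext = long_file.rpartition(".")
    return stem.startswith(prefix) and ext == rest.partition(".")[2]


def find_indicators(reg_text, listing_text):
    """Return (kind, subject, path, matched_listing_entry) tuples."""
    files = parse_listing(listing_text)
    system_files = sorted(n for n, a in files.items() if "S" in a)
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.startswith(NOTIFY_KEY + "\\"):
            dll = values.get("DllName", "")
            hits = [s for s in system_files if dll and short_name_matches(dll, s)]
            if hits:
                findings.append(("notify", key.rsplit("\\", 1)[-1], dll, hits[0]))
        elif k.endswith("\\inprocserver32") and values.get("@", "").lower().endswith(".tmp"):
            findings.append(("clsid", key.split("\\")[2], values["@"], None))
    for name in system_files:  # System-attribute DLLs, referenced from the registry or not
        findings.append(("file", name, files[name], None))
    return findings


if __name__ == "__main__":
    for kind, subject, path, matched in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(f"[{kind}] {subject}: {path}" + (f" (listing: {matched})" if matched else ""))
```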

Dear jsgarcia,

 

Below are the logs from the applications.

 

Thank you,

 

--------------------------------------------------------------------------------------------------------------------------

L2MFIX find log 010406

These are the registry keys present

********************************************************************************

**

Winlogon/notify:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

"Asynchronous"=dword:00000000

"DllName"=""

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\m4lsle371h.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

********************************************************************************

**

useragent:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{9A8A6DD6-DB13-E50F-C671-CB33D46687D2}"=""

 

********************************************************************************

**

Shell Extension key:

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{00022613-0000-0000-C000-000000000046}"="Folha de propriedades de arquivo de multim¡dia"

"{176d6597-26d3-11d1-b350-080036a75b03}"="Gerenciamento de scanner ICM"

"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="P gina de seguran‡a NTFS"

"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="P gina de propriedades do arquivo de documento OLE"

"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensäes do Shell para compartilhamento"

"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="ExtensÆo do 'Painel de controle' para adaptador de v¡deo"

"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="ExtensÆo do 'Painel de controle' para monitor de v¡deo"

"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="ExtensÆo do 'Painel de controle' para panorƒmica de v¡deo"

"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="P gina de seguran‡a DS"

"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="P gina de compatibilidade"

"{56117100-C0CD-101B-81E2-00AA004AE837}"="Manipulador de dados de recorte do shell"

"{59099400-57FF-11CE-BD94-0020AF85B590}"="ExtensÆo de c¢pia de disco"

"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensäes do shell para objetos Microsoft Windows Network"

"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Gerenciamento de monitor ICM"

"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Gerenciamento de impressora ICM"

"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensäes do shell para compacta‡Æo de arquivos"

"{77597368-7b15-11d0-a0c2-080036af3f03}"="ExtensÆo do shell de impressora na Web"

"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu de contexto de criptografia"

"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porta-arquivos"

"{88895560-9AA2-1069-930E-00AA0030EBC8}"="ExtensÆo de ¡cone do HyperTerminal"

"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Perfil ICC"

"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="P gina de seguran‡a de impressoras"

"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensäes do Shell para compartilhamento"

"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="ExtensÆo PKO de criptografia"

"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="ExtensÆo do sinal de criptografia"

"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Conexäes de rede"

"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Conexäes de rede"

"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & cƒmeras"

"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & cƒmeras"

"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & cƒmeras"

"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & cƒmeras"

"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & cƒmeras"

"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensäes shell para host de scripts do Windows"

"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Vincula‡Æo de dados Microsoft"

"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tarefas agendadas"

"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barra de tarefas e menu Iniciar"

"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Pesquisar"

"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Ajuda e suporte"

"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Ajuda e suporte"

"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Executar..."

"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"

"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Email"

"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fontes"

"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Ferramentas administrativas"

"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"

"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"

"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"

"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"

"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"

"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"

"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barra de ferramentas do Microsoft Internet Explorer"

"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Status do download"

"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Pasta do shell aumentada"

"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Pasta do shell aumentada 2"

"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"

"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Faixa de pesquisa"

"{32683183-48a0-441b-a342-7c2a440a9478}"="Faixa de m¡dia"

"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Pesquisa no painel"

"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Pesquisa na Web"

"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilit rio de op‡äes de  rvore do Registro"

"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="E&ndere‡o"

"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Caixa de edi‡Æo de endere‡o"

"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Preenchimento autom tico da Microsoft"

"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"

"{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista de preenchimento autom tico MRU"

"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Lista personalizada MRU preenchida automaticamente"

"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Acess¡vel"

"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barra Popup de controle"

"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analisador da barra de endere‡os"

"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista de preenchimento autom tico de hist¢rico da Microsoft"

"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista de preenchimento autom tico de pastas do Shell da Microsoft"

"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Recipiente de lista de preenchimento autom tico m£ltiplo da Microsoft"

"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu de site de faixa do Shell"

"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"

"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistˆncia ao usu rio"

"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Configura‡äes de pasta globais"

"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Servi‡o de hist¢rico de URLs da Microsoft"

"{FF393560-C2A7-11CF-BFF4-444553540000}"="Hist¢rico"

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"

"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"

"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Faixa do Explorer"

"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{88C6C381-2E85-11D0-94DE-444553540000}"="Pasta cache de ActiveX"

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Pasta de inscri‡äes"

"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gerenciador de aplicativos do shell"

"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerador de aplicativos instalado"

"{CFCCC7A0-A282-11D1-9082-006008059382}"="Editor de aplicativo Darwin"

"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"

"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"

"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extrator de miniaturas de arquivo GDI+"

"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Identificador de informa‡äes de resumo de miniaturas (DOCFILES)"

"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extrator de miniaturas HTML"

"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"

"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Assistente para publica‡Æo na Web"

"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Pedido de impressÆo via Web"

"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objeto do assistente para publica‡Æo do shell"

"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Obter um Assistente do Passport"

"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Contas de usu rio"

"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"

"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"

"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Arquivo de canal"

"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Atalho para o canal"

"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Objeto manipulador de canais"

"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"

"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"

"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"

"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"

"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"

"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"

"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Pasta de arquivos off-line"

"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"

"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"

"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"

"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Pessoas..."

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Pastas da Web"

"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"

"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"

"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"

"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"

"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"

"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"

"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"

"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"

"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"

"{E37CB5F0-51F5-4395-A808-5FA49E399007}"="GbPlugin ShlObj"

"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"="GbPlugin ShlObj"

"{E37CB5F0-51F5-4395-A808-5FA49E399008}"="GbPlugin ShlObj"

"{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}"=""

"{372383F4-2457-42B5-94A2-D3EA162975EA}"=""

 

********************************************************************************

**

HKEY ROOT CLASSIDS:

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}\InprocServer32]

@="C:\\WINDOWS\\system32\\wnpcd.dll"

"ThreadingModel"="Apartment"

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}\InprocServer32]

@="C:\\WINDOWS\\system32\\guard.tmp"

"ThreadingModel"="Apartment"

 

**********************************************************************************

Files Found are not all bad files:

 

C:\WINDOWS\SYSTEM32\

browseui.dll Wed 23 Nov 2005 21:25:18 A.... 1.022.976 999,00 K

gdi32.dll Wed 28 Dec 2005 23:54:44 A.... 280.064 273,50 K

irpml5~1.dll Fri 3 Feb 2006 21:39:10 ..S.R 234.872 229,37 K

j4p00e~1.dll Sun 5 Feb 2006 13:25:48 ..S.R 236.777 231,23 K

m4lsle~1.dll Sun 5 Feb 2006 11:42:36 ..S.R 236.703 231,15 K

mshtml.dll Wed 23 Nov 2005 21:25:20 A.... 3.013.632 2,87 M

msssc.dll Sat 3 Dec 2005 21:36:32 A.... 44 0,04 K

nv4_disp.dll Fri 11 Nov 2005 13:47:00 A.... 3.924.992 3,74 M

nvapi.dll Fri 11 Nov 2005 13:47:00 A.... 86.016 84,00 K

nvcod.dll Fri 11 Nov 2005 13:47:00 A.... 35.328 34,50 K

nvcodins.dll Fri 11 Nov 2005 13:47:00 A.... 35.328 34,50 K

nvcpl.dll Fri 11 Nov 2005 13:47:00 A.... 7.311.360 6,97 M

nvhwvid.dll Fri 11 Nov 2005 13:47:00 A.... 573.440 560,00 K

nview.dll Fri 11 Nov 2005 13:47:00 A.... 1.466.368 1,40 M

nvmccs.dll Fri 11 Nov 2005 13:47:00 A.... 229.376 224,00 K

nvmccsrs.dll Fri 11 Nov 2005 13:47:00 A.... 45.056 44,00 K

nvmctray.dll Fri 11 Nov 2005 13:47:00 A.... 86.016 84,00 K

nvnt4cpl.dll Fri 11 Nov 2005 13:47:00 A.... 286.720 280,00 K

nvoglnt.dll Fri 11 Nov 2005 13:47:00 A.... 5.394.432 5,14 M

nvrsar.dll Fri 11 Nov 2005 13:47:00 A.... 319.488 312,00 K

nvrscs.dll Fri 11 Nov 2005 13:47:00 A.... 241.664 236,00 K

nvrsda.dll Fri 11 Nov 2005 13:47:00 A.... 245.760 240,00 K

nvrsde.dll Fri 11 Nov 2005 13:47:00 A.... 270.336 264,00 K

nvrsel.dll Fri 11 Nov 2005 13:47:00 A.... 274.432 268,00 K

nvrseng.dll Fri 11 Nov 2005 13:47:00 A.... 241.664 236,00 K

nvrses.dll Fri 11 Nov 2005 13:47:00 A.... 274.432 268,00 K

nvrsesm.dll Fri 11 Nov 2005 13:47:00 A.... 266.240 260,00 K

nvrsfi.dll Fri 11 Nov 2005 13:47:00 A.... 241.664 236,00 K

nvrsfr.dll Fri 11 Nov 2005 13:47:00 A.... 278.528 272,00 K

nvrshe.dll Fri 11 Nov 2005 13:47:00 A.... 319.488 312,00 K

nvrshu.dll Fri 11 Nov 2005 13:47:00 A.... 253.952 248,00 K

nvrsit.dll Fri 11 Nov 2005 13:47:00 A.... 274.432 268,00 K

nvrsja.dll Fri 11 Nov 2005 13:47:00 A.... 258.048 252,00 K

nvrsko.dll Fri 11 Nov 2005 13:47:00 A.... 253.952 248,00 K

nvrsnl.dll Fri 11 Nov 2005 13:47:00 A.... 266.240 260,00 K

nvrsno.dll Fri 11 Nov 2005 13:47:00 A.... 249.856 244,00 K

nvrspl.dll Fri 11 Nov 2005 13:47:00 A.... 249.856 244,00 K

nvrspt.dll Fri 11 Nov 2005 13:47:00 A.... 266.240 260,00 K

nvrsptb.dll Fri 11 Nov 2005 13:47:00 A.... 262.144 256,00 K

nvrsru.dll Fri 11 Nov 2005 13:47:00 A.... 262.144 256,00 K

nvrssk.dll Fri 11 Nov 2005 13:47:00 A.... 249.856 244,00 K

nvrssl.dll Fri 11 Nov 2005 13:47:00 A.... 249.856 244,00 K

nvrssv.dll Fri 11 Nov 2005 13:47:00 A.... 245.760 240,00 K

nvrstr.dll Fri 11 Nov 2005 13:47:00 A.... 249.856 244,00 K

nvrszhc.dll Fri 11 Nov 2005 13:47:00 A.... 217.088 212,00 K

nvrszht.dll Fri 11 Nov 2005 13:47:00 A.... 118.784 116,00 K

nvshell.dll Fri 11 Nov 2005 13:47:00 A.... 466.944 456,00 K

nvwddi.dll Fri 11 Nov 2005 13:47:00 A.... 81.920 80,00 K

nvwdmcpl.dll Fri 11 Nov 2005 13:47:00 A.... 1.662.976 1,59 M

nvwimg.dll Fri 11 Nov 2005 13:47:00 A.... 1.019.904 996,00 K

nvwrsar.dll Fri 11 Nov 2005 13:47:00 A.... 282.624 276,00 K

nvwrscs.dll Fri 11 Nov 2005 13:47:00 A.... 286.720 280,00 K

nvwrsda.dll Fri 11 Nov 2005 13:47:00 A.... 294.912 288,00 K

nvwrsde.dll Fri 11 Nov 2005 13:47:00 A.... 311.296 304,00 K

nvwrsel.dll Fri 11 Nov 2005 13:47:00 A.... 335.872 328,00 K

nvwrseng.dll Fri 11 Nov 2005 13:47:00 A.... 286.720 280,00 K

nvwrses.dll Fri 11 Nov 2005 13:47:00 A.... 335.872 328,00 K

nvwrsesm.dll Fri 11 Nov 2005 13:47:00 A.... 327.680 320,00 K

nvwrsfi.dll Fri 11 Nov 2005 13:47:00 A.... 303.104 296,00 K

nvwrsfr.dll Fri 11 Nov 2005 13:47:00 A.... 327.680 320,00 K

nvwrshe.dll Fri 11 Nov 2005 13:47:00 A.... 278.528 272,00 K

nvwrshu.dll Fri 11 Nov 2005 13:47:00 A.... 315.392 308,00 K

nvwrsit.dll Fri 11 Nov 2005 13:47:00 A.... 323.584 316,00 K

nvwrsja.dll Fri 11 Nov 2005 13:47:00 A.... 212.992 208,00 K

nvwrsko.dll Fri 11 Nov 2005 13:47:00 A.... 196.608 192,00 K

nvwrsnl.dll Fri 11 Nov 2005 13:47:00 A.... 319.488 312,00 K

nvwrsno.dll Fri 11 Nov 2005 13:47:00 A.... 299.008 292,00 K

nvwrspl.dll Fri 11 Nov 2005 13:47:00 A.... 294.912 288,00 K

nvwrspt.dll Fri 11 Nov 2005 13:47:00 A.... 323.584 316,00 K

nvwrsptb.dll Fri 11 Nov 2005 13:47:00 A.... 319.488 312,00 K

nvwrsru.dll Fri 11 Nov 2005 13:47:00 A.... 315.392 308,00 K

nvwrssk.dll Fri 11 Nov 2005 13:47:00 A.... 299.008 292,00 K

nvwrssl.dll Fri 11 Nov 2005 13:47:00 A.... 303.104 296,00 K

nvwrssv.dll Fri 11 Nov 2005 13:47:00 A.... 294.912 288,00 K

nvwrstr.dll Fri 11 Nov 2005 13:47:00 A.... 303.104 296,00 K

nvwrszhc.dll Fri 11 Nov 2005 13:47:00 A.... 163.840 160,00 K

nvwrszht.dll Fri 11 Nov 2005 13:47:00 A.... 167.936 164,00 K

shdocvw.dll Thu 1 Dec 2005 1:01:14 A.... 1.492.480 1,42 M

wnpcd.dll Sun 5 Feb 2006 13:25:48 ..S.R 236.703 231,15 K

 

79 items found: 79 files (4 H/S), 0 directories.

Total of file sizes: 44.185.547 bytes 42,14 M

Locate .tmp files:

 

No matches found.

**********************************************************************************

Directory Listing of system files:

O volume na unidade C não tem nome.

O número de série do volume é D89B-151A

 

Pasta de C:\WINDOWS\System32

 

05/02/2006 13:25 236.703 wnpcd.dll

05/02/2006 13:25 236.777 j4p00e7meh.dll

05/02/2006 11:42 236.703 m4lsle371h.dll

03/02/2006 21:39 234.872 irpml5711.dll

11/01/2006 10:39 <DIR> dllcache

03/12/2005 19:31 <DIR> Microsoft

4 arquivo(s) 945.055 bytes

2 pasta(s) 27.631.063.040 bytes disponíveis

 

-----------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 13:32:31, on 05/02/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cmd.exe

C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\system32\ntvdm.exe

C:\Documents and Settings\Guilherme\Desktop\SECURE32\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [iBest.baloon] "C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...ient/wuweb_site.cab?1133650037375

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{ABAE1444-9A0A-4528-9E16-26DBB7F56769}: NameServer = 200.204.0.10 200.204.0.138

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\m4lsle371h.dll

O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe


Dear fredericoguimaraes,

Run the l2mfix.bat file, press <Enter>, then type 2 and press Enter again. After that, you will need to press any key and the computer will restart.

After it restarts, your desktop should disappear and reappear. The fix is not finished yet. When it finishes, Notepad should open with a log. Attach this log to your reply as you did before, together with a new HijackThis log.

Go to the l2mfix folder that was created and copy the ntrights file to C:\

Click Start --> Run, type cmd and click OK. A command prompt will appear.

Type the following:

cd c:\

Enter. Now type the following command:

ntrights -u Administradores +r SeDebugPrivilege > log.txt

Attention --> Make sure you type this command exactly.

Enter again. There should now be a file called c:\log.txt. Open it and paste its contents here.

I await your reply.

Regards.


Dear jsgarcia,

I have just carried out the steps you indicated, and the logs are attached below.

------------------------------------------------------------------------------------------------------------------------

log from when the computer restarted

 

L2mfix 010406

Creating Account.

Comando concluído com êxito.

 

Adding Administrative privleges.

Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

 

Running From:

C:\WINDOWS\system32

 

Killing Processes!

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 464 'smss.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 544 'winlogon.exe'

Killing PID 544 'winlogon.exe'

Killing PID 544 'winlogon.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 1588 'explorer.exe'

Killing PID 1588 'explorer.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 1280 'rundll32.exe'

Killing PID 1280 'rundll32.exe'

Killing PID 312 'rundll32.exe'

Restoring Sedebugprivilege:

 

Scanning First Pass. Please Wait!

 

First Pass Completed

 

Second Pass Scanning

 

Second pass Completed!

1 arquivo(s) copiado(s).

1 arquivo(s) copiado(s).

1 arquivo(s) copiado(s).

1 arquivo(s) copiado(s).

Deleting: C:\WINDOWS\system32\irpml5711.dll

Successfully Deleted: C:\WINDOWS\system32\irpml5711.dll

Deleting: C:\WINDOWS\system32\j4p00e7meh.dll

Successfully Deleted: C:\WINDOWS\system32\j4p00e7meh.dll

Deleting: C:\WINDOWS\system32\m4lsle371h.dll

Successfully Deleted: C:\WINDOWS\system32\m4lsle371h.dll

Deleting: C:\WINDOWS\system32\wnpcd.dll

Successfully Deleted: C:\WINDOWS\system32\wnpcd.dll

 

msg11?.dll

0 arquivo(s) copiado(s).

 

 

 

Restoring Windows Update Certificates.:

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\m4lsle371h.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

 

The following are the files found:

****************************************************************************

C:\WINDOWS\system32\irpml5711.dll

C:\WINDOWS\system32\j4p00e7meh.dll

C:\WINDOWS\system32\m4lsle371h.dll

C:\WINDOWS\system32\wnpcd.dll

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}\InprocServer32]

@="C:\\WINDOWS\\system32\\wnpcd.dll"

"ThreadingModel"="Apartment"

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}\Implemented Categories]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

 

[HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}\InprocServer32]

@="C:\\WINDOWS\\system32\\guard.tmp"

"ThreadingModel"="Apartment"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}"=-

"{372383F4-2457-42B5-94A2-D3EA162975EA}"=-

[-HKEY_CLASSES_ROOT\CLSID\{48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC}]

[-HKEY_CLASSES_ROOT\CLSID\{372383F4-2457-42B5-94A2-D3EA162975EA}]

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

 

****************************************************************************

Checking for L2MFix account(0=no 1=yes):

0

Zipping up files for submission:

adding: dlls/irpml5711.dll (164 bytes security) (deflated 5%)

adding: dlls/j4p00e7meh.dll (164 bytes security) (deflated 5%)

adding: dlls/m4lsle371h.dll (164 bytes security) (deflated 5%)

adding: dlls/wnpcd.dll (164 bytes security) (deflated 5%)

adding: backregs/372383F4-2457-42B5-94A2-D3EA162975EA.reg (212 bytes security) (deflated 70%)

adding: backregs/48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC.reg (212 bytes security) (deflated 70%)

adding: backregs/notibac.reg (164 bytes security) (deflated 72%)

adding: backregs/shell.reg (164 bytes security) (deflated 74%)

 

------------------------------------------------------------------------------------------------------------------------

log of the DOS command

 

Granting SeDebugPrivilege to Administradores ... successful

 

------------------------------------------------------------------------------------------------------------------------

HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 14:38:33, on 05/02/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe

C:\WINDOWS\system32\cmd.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\Guilherme\Desktop\SECURE32\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [iBest.baloon] "C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...ient/wuweb_site.cab?1133650037375

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{ABAE1444-9A0A-4528-9E16-26DBB7F56769}: NameServer = 200.204.0.10 200.204.0.138

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\m4lsle371h.dll (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

 

 

 

------------------------------------------------------------------------------------------------------------------------


Dear fredericoguimaraes,

Download SpySweeper by clicking here.

Download and update it.

Restart in Safe Mode.

Run a full scan with SpySweeper.

Restart in Normal Mode.

Run option 2 of L2MFIX again.

Post both logs again.

Regards.


Dear Jsgarcia,

I have just run the programs. The logs follow below.

 

------------------------------------------------------------------------------------------------------------------------

********

21:02: | Start of Session, domingo, 5 de fevereiro de 2006 |

21:02: Spy Sweeper started

21:02: Sweep initiated using definitions version 556

21:02: Starting Memory Sweep

21:03: Memory Sweep Complete, Elapsed Time: 00:00:49

21:03: Starting Registry Sweep

21:03: Registry Sweep Complete, Elapsed Time:00:00:12

21:03: Starting Cookie Sweep

21:03: Found Spy Cookie: abcsearch cookie

21:03: guilherme@abcsearch[1].txt (ID = 2033)

21:03: Found Spy Cookie: hbmediapro cookie

21:03: guilherme@adopt.hbmediapro[2].txt (ID = 2768)

21:03: Found Spy Cookie: adultfriendfinder cookie

21:03: guilherme@adultfriendfinder[1].txt (ID = 2165)

21:03: Found Spy Cookie: alt cookie

21:03: guilherme@alt[1].txt (ID = 2217)

21:03: Found Spy Cookie: apmebf cookie

21:03: guilherme@apmebf[2].txt (ID = 2229)

21:03: Found Spy Cookie: atlas dmt cookie

21:03: guilherme@atdmt[1].txt (ID = 2253)

21:03: Found Spy Cookie: belnk cookie

21:03: guilherme@belnk[1].txt (ID = 2292)

21:03: Found Spy Cookie: bravenet cookie

21:03: guilherme@bravenet[1].txt (ID = 2322)

21:03: Found Spy Cookie: ccbill cookie

21:03: guilherme@ccbill[1].txt (ID = 2369)

21:03: guilherme@dist.belnk[2].txt (ID = 2293)

21:03: Found Spy Cookie: touchclarity cookie

21:03: guilherme@ford.touchclarity[1].txt (ID = 3566)

21:03: Found Spy Cookie: starware.com cookie

21:03: guilherme@h.starware[2].txt (ID = 3442)

21:03: Found Spy Cookie: kinghost cookie

21:03: guilherme@kinghost[2].txt (ID = 2903)

21:03: Found Spy Cookie: domainsponsor cookie

21:03: guilherme@landing.domainsponsor[2].txt (ID = 2535)

21:03: Found Spy Cookie: maxserving cookie

21:03: guilherme@maxserving[1].txt (ID = 2966)

21:03: Found Spy Cookie: passion cookie

21:03: guilherme@passion[1].txt (ID = 3113)

21:03: Found Spy Cookie: rc cookie

21:03: guilherme@rc[1].txt (ID = 3231)

21:03: Found Spy Cookie: webpower cookie

21:03: guilherme@webpower[1].txt (ID = 3660)

21:03: Found Spy Cookie: redzip cookie

21:03: guilherme@www.redzip[1].txt (ID = 3250)

21:03: Found Spy Cookie: upspiral cookie

21:03: guilherme@www.upspiral[1].txt (ID = 3615)

21:03: Found Spy Cookie: xiti cookie

21:03: guilherme@xiti[1].txt (ID = 3717)

21:03: Found Spy Cookie: xren_cj cookie

21:03: guilherme@xren_cj[1].txt (ID = 3723)

21:03: Found Spy Cookie: zedo cookie

21:03: guilherme@zedo[2].txt (ID = 3762)

21:03: Cookie Sweep Complete, Elapsed Time: 00:00:00

21:03: Starting File Sweep

21:04: Found Adware: effective-i toolbar

21:04: c:\arquivos de programas\thesearchaccelerator (ID = -2147481059)

21:04: dc81.exe (ID = 59853)

21:07: File Sweep Complete, Elapsed Time: 00:03:48

21:07: Full Sweep has completed. Elapsed time 00:04:59

21:07: Traces Found: 25

21:08: Removal process initiated

21:08: Quarantining All Traces: abcsearch cookie

21:08: Quarantining All Traces: hbmediapro cookie

21:08: Quarantining All Traces: adultfriendfinder cookie

21:08: Quarantining All Traces: alt cookie

21:08: Quarantining All Traces: apmebf cookie

21:08: Quarantining All Traces: atlas dmt cookie

21:08: Quarantining All Traces: belnk cookie

21:08: Quarantining All Traces: bravenet cookie

21:08: Quarantining All Traces: ccbill cookie

21:08: Quarantining All Traces: touchclarity cookie

21:08: Quarantining All Traces: starware.com cookie

21:08: Quarantining All Traces: kinghost cookie

21:08: Quarantining All Traces: domainsponsor cookie

21:08: Quarantining All Traces: maxserving cookie

21:08: Quarantining All Traces: passion cookie

21:08: Quarantining All Traces: rc cookie

21:08: Quarantining All Traces: webpower cookie

21:08: Quarantining All Traces: redzip cookie

21:08: Quarantining All Traces: upspiral cookie

21:08: Quarantining All Traces: xiti cookie

21:08: Quarantining All Traces: xren_cj cookie

21:08: Quarantining All Traces: zedo cookie

21:08: Quarantining All Traces: effective-i toolbar

21:08: Removal process completed. Elapsed time 00:00:14

********

21:02: | Start of Session, domingo, 5 de fevereiro de 2006 |

21:02: Spy Sweeper started

21:02: Program Version 4.5.9 (Build 709) Using Spyware Definitions 556

21:02: | End of Session, domingo, 5 de fevereiro de 2006 |

 

------------------------------------------------------------------------------------------------------------------------

L2mfix 010406

Creating Account.

Comando concluído com êxito.

 

Adding Administrative privleges.

Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

 

Running From:

C:\WINDOWS\system32

 

Killing Processes!

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 464 'smss.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 544 'winlogon.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 2256 'explorer.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 2444 'rundll32.exe'

Restoring Sedebugprivilege:

 

Scanning First Pass. Please Wait!

 

First Pass Completed

 

Second Pass Scanning

 

Second pass Completed!

 

 

 

Restoring Windows Update Certificates.:

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\m4lsle371h.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

 

 

The following are the files found:

****************************************************************************

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

****************************************************************************

Checking for L2MFix account(0=no 1=yes):

0

Zipping up files for submission:

adding: dlls/irpml5711.dll (164 bytes security) (deflated 5%)

adding: dlls/j4p00e7meh.dll (164 bytes security) (deflated 5%)

adding: dlls/m4lsle371h.dll (164 bytes security) (deflated 5%)

adding: dlls/wnpcd.dll (164 bytes security) (deflated 5%)

adding: backregs/372383F4-2457-42B5-94A2-D3EA162975EA.reg (212 bytes security) (deflated 70%)

adding: backregs/48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC.reg (212 bytes security) (deflated 70%)

adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

adding: backregs/shell.reg (164 bytes security) (deflated 74%)


Dear fredericoguimaraes,

 

The HijackThis log is missing (the Sweeper one is not needed).

 

Regards.


Dear jsgarcia,

 

The missing log follows below.

 

Logfile of HijackThis v1.99.1

Scan saved at 22:47:29, on 06/02/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe

C:\Documents and Settings\Guilherme\Desktop\SECURE32\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [iBest.baloon] "C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133650037375

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{ABAE1444-9A0A-4528-9E16-26DBB7F56769}: NameServer = 200.204.0.10 200.204.0.138

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\m4lsle371h.dll (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe


Dear fredericoguimaraes,

 

Here we go.

 

Set Windows to show all files (including hidden ones).

 

Step 1

 

Download Killbox at:

Killbox

 

1) Run Killbox and click Delete on Reboot.

 

2) Copy the bold list below to the clipboard. Select it --> Edit --> Copy.

C:\WINDOWS\system32\m4lsle371h.dll

3) Return to Killbox. Click File > Paste from clipboard. Click All Files.

 

4) Press "X". Answer "No" to the question.

 

It is wise to print this document or save it somewhere easy to reach, because in the next step we will enter Safe Mode and an internet connection will not be available.

 

Step 2

 

Restart the computer in Safe Mode (after restarting, press the F8 key until a black DOS-style screen appears and choose Safe Mode).

 

Run HijackThis, click Do a system scan only and check:

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\m4lsle371h.dll (file missing)

Click Fix Checked.

 

Step 3

 

Restart in Normal Mode.

 

Run L2MFIX again (option 2).

 

Post both logs (L2MFIX + HijackThis).

 

I await your reply.

 

Regards.
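As an added example (not part of this thread and not L2MFix's or HijackThis's own code), a small parser that reads the "Winlogon notify key" export that L2MFix prints and flags notification packages whose DLL is not a standard Windows component, which is the check behind removing the Syncmgr entry above. The sample export is a trimmed, constructed copy of the one posted in this thread; the allow-list of known DLLs is an assumption drawn from the legitimate entries in that export.

```python
import re
from typing import Dict, List, Tuple

# Assumption: notification DLLs that ship with Windows XP, taken from the
# legitimate entries in the L2MFix export posted in this thread. Illustrative,
# not an authoritative allow-list.
KNOWN_WINDOWS_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Look2Me-style droppings: short lower-case letter/digit soup ending in .dll
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{8,12}\.dll$")

# Constructed sample: a trimmed copy of the export in the thread, in the
# REGEDIT 5.00 format (REG_EXPAND_SZ as hex(2) UTF-16LE, backslash-escaped paths).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m4lsle371h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Logon"="WRLogon"
"""


def _decode_value(value: str) -> str:
    """Decode one .reg value: REG_SZ, REG_DWORD or REG_EXPAND_SZ (hex(2))."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if value.startswith("dword:"):
        return str(int(value[6:], 16))
    if value.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in value[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return value  # other types are kept verbatim


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT 5.00 export into {key_path: {value_name: decoded}}."""
    # A trailing backslash means the value continues on the next line.
    logical: List[str] = []
    for raw in text.splitlines():
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + raw.strip()
        else:
            logical.append(raw.rstrip())
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(value)
    return keys


def audit_notify_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (subkey, dll, reason) for every notify package not known to be Windows'."""
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        subkey = key[len(prefix):]
        # the export spells the value both "DllName" and "DLLName"
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), "")
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in KNOWN_WINDOWS_NOTIFY_DLLS:
            continue
        if RANDOM_NAME.match(basename):
            reason = "randomised DLL name loaded by winlogon (Look2Me-style); remove"
        else:
            reason = "not a known Windows notification package; verify the vendor"
        findings.append((subkey, dll, reason))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in audit_notify_export(SAMPLE_EXPORT):
        print(f"{subkey}: {dll} -> {reason}")
```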


Dear jsgarcia,

 

The program logs are attached below.

 

L2mfix 010406

Creating Account.

Comando concluído com êxito.

 

Adding Administrative privleges.

Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

 

Running From:

C:\WINDOWS\system32

 

Killing Processes!

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 464 'smss.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 544 'winlogon.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 1428 'explorer.exe'

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 1700 'rundll32.exe'

Restoring Sedebugprivilege:

 

Scanning First Pass. Please Wait!

 

First Pass Completed

 

Second Pass Scanning

 

Second pass Completed!

 

 

 

Restoring Windows Update Certificates.:

 

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

 

 

The following are the files found:

****************************************************************************

 

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

****************************************************************************

Checking for L2MFix account(0=no 1=yes):

0

Zipping up files for submission:

adding: dlls/irpml5711.dll (164 bytes security) (deflated 5%)

adding: dlls/j4p00e7meh.dll (164 bytes security) (deflated 5%)

adding: dlls/m4lsle371h.dll (164 bytes security) (deflated 5%)

adding: dlls/wnpcd.dll (164 bytes security) (deflated 5%)

adding: backregs/372383F4-2457-42B5-94A2-D3EA162975EA.reg (212 bytes security) (deflated 70%)

adding: backregs/48131E4F-ADE6-45FF-AB8B-E44E09AAA7CC.reg (212 bytes security) (deflated 70%)

adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

adding: backregs/shell.reg (164 bytes security) (deflated 74%)

 

 

---------------------------------------------------------------------------------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 21:35:25, on 07/02/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE

C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe

C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Arquivos de programas\Messenger\msmsgs.exe

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe

C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe

C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Documents and Settings\Guilherme\Desktop\SECURE32\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll

O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Arquivos de programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Arquivos de programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Arquivos de programas\Arquivos comuns\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [smapp] C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [iBest.baloon] "C:\Arquivos de programas\Yahoo! Acesso Grátis\baloon.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133650037375

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Arquivos de programas\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe


PROBLEM SOLVED!

 

If the author needs the topic to be reopened, send a Private Message to a Moderator with a link to the topic.
