Ir para conteúdo

POWERED BY:

Arquivado

Este tópico foi arquivado e está fechado para novas respostas.

Pablo3322

[Resolvido!]Meu desktop sumiuuu! zz ='(

Recommended Posts

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Windows Registry Repair Pro" = "C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4" [file not found]

"Free Download Manager" = "C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun" [file not found]

"TerraVOIP" = "C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe" [file not found]

"Skype" = ""C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"STYLEXP" = "C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide" [empty string]

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"Padrão do Windows" = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:"/InstallVS:'','Padrão do Windows','Normal'" C:\WINDOWS\system32\themeui.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"RemoteControl" = ""C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"QuickTime Task" = ""C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"AVG7_CC" = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"AVG7_EMC" = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

"Windows Defender" = ""C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide" [MS]

 

HKLM\Software\Microsoft\Active Setup\Installed Components\

>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"

\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"

\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"

-> {HKLM...CLSID} = "GbIehObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

{FC9BCC0B-5745-21E7-F5A2-5A6E55758E50}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Class"

\InProcServer32\(Default) = "C:\WINDOWS\axybn1.dll" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

 

 

 

 

Vlw por continuar tentando. :joia:

Compartilhar este post


Link para o post
Compartilhar em outros sites

Opa Pablo3322,

 

O log do SilentRunners está incompleto.

 

Vlw por continuar tentando.

Não esquenta cara. Vou continuar até onde o meu conhecimento permitir.

 

Abraços.

Compartilhar este post


Link para o post
Compartilhar em outros sites

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Windows Registry Repair Pro" = "C:\Arquivos de programas\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4" [file not found]

"Free Download Manager" = "C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun" [file not found]

"TerraVOIP" = "C:\Arquivos de programas\Terra VOIP\TerraVOIP.exe" [file not found]

"Skype" = ""C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"STYLEXP" = "C:\Arquivos de programas\TGTSoft\StyleXP\StyleXP.exe -Hide" [empty string]

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"Padrão do Windows" = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:"/InstallVS:'','Padrão do Windows','Normal'" C:\WINDOWS\system32\themeui.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"RemoteControl" = ""C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"QuickTime Task" = ""C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"AVG7_CC" = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"AVG7_EMC" = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

"Windows Defender" = ""C:\Arquivos de programas\Windows Defender\MSASCui.exe" -hide" [MS]

 

HKLM\Software\Microsoft\Active Setup\Installed Components\

>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"

\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"

\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"

-> {HKLM...CLSID} = "GbIehObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

{FC9BCC0B-5745-21E7-F5A2-5A6E55758E50}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Class"

\InProcServer32\(Default) = "C:\WINDOWS\axybn1.dll" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"

-> {HKLM...CLSID} = "Menu Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"

-> {HKLM...CLSID} = "Tracking Shell Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"

-> {HKLM...CLSID} = "Menu Site"

\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"

-> {HKLM...CLSID} = "Menu Desk Bar"

\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"

-> {HKLM...CLSID} = "IShellFolderBand"

\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "Lin&ks"

-> {HKLM...CLSID} = "Lin&ks"

\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"

-> {HKLM...CLSID} = "Thumbnail Image"

\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook"

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\Office10\msohev.dll" [MS]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Explorer da área de trabalho"

-> {HKLM...CLSID} = "Explorer da área de trabalho"

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {HKLM...CLSID} = "Portable Media Devices"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"

-> {HKLM...CLSID} = "NetWare Objects"

\InProcServer32\(Default) = "nwprovau.dll" [MS]

"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"

-> {HKLM...CLSID} = "NetWare UNC Folder Menu"

\InProcServer32\(Default) = "nwprovau.dll" [MS]

"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"

-> {HKLM...CLSID} = "NetWare Hood Verbs"

\InProcServer32\(Default) = "nwprovau.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

-> {HKLM...CLSID} = "Shell Search Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"

-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"

\InProcServer32\(Default) = "C:\Arquivos de programas\SmartFTP\smarthook.dll" [file not found]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgse.dll" ["GRISOFT, s.r.o."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\gbieh.dll" ["Banco do Brasil"]

INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"

-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINDOW~3\MpShHook.dll" [MS]

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "C:\Arquivos de programas\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

 

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

INFECTION WARNING! "Shell" = "C:\ARQUIV~1\Aston\ShellSwp.exe ,svchost.exe" [file not found], [MS]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgse.dll" ["GRISOFT, s.r.o."]

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "C:\Arquivos de programas\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{548773BA-874E-4C02-9DC7-B7A096772C7D}"

-> {HKLM...CLSID} = "CountLines Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\MP3 Player Utilities 3.57\AMVTools\SrcCount.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "C:\Arquivos de programas\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgse.dll" ["GRISOFT, s.r.o."]

NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"

-> {HKLM...CLSID} = "NetWare UNC Folder Menu"

\InProcServer32\(Default) = "nwprovau.dll" [MS]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

 

Default executables:

--------------------

 

INFECTION WARNING! HKLM\Software\Classes\scrfile\shell\open\command\(Default) = ""%1" /S "%3"" [file not found]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Particular\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

 

 

Startup items in "Particular" & "All Users" startup folders:

------------------------------------------------------------

 

C:\WINDOWS\All Users\Menu Iniciar\Programas\Iniciar

"Microsoft Office" -> shortcut to: "C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

"WinZip Quick Pick" -> shortcut to: "C:\Arquivos de programas\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]

 

 

Enabled Scheduled Tasks:

------------------------

 

"MP Scheduled Scan" -> launches: "C:\Arquivos de programas\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"

-> {HKLM...CLSID} = "Microsoft CommBand"

\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"

-> {HKLM...CLSID} = "MSN"

\InProcServer32\(Default) = "C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll" [file not found]

"{2D51D869-C36B-42BD-AE68-0A81BC771FA5}"

-> {HKLM...CLSID} = "Starware"

\InProcServer32\(Default) = "C:\Arquivos de programas\Starware\bin\Starware.dll" [file not found]

"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"

-> {HKLM...CLSID} = "Microsoft CommBand"

\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"

-> {HKLM...CLSID} = "MSN"

\InProcServer32\(Default) = "C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll" [file not found]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

 

Explorer Bars

 

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Shell Search Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SEARCH_PAGE_URL="&http://home.microsoft.com/intl/br/access/allinone.asp"

[strings]: SAFESITE_VALUE="search.msn.com.br"

 

Missing lines (compared with English-language version):

[strings]: 2 lines

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AVG7 Alert Manager Server, Avg7Alrt, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}

Machine Debug Manager, MDM, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Serviço de cliente para NetWare, NWCWorkstation, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\nwwks.dll" [MS]}

StyleXPService, StyleXPService, ""C:\Arquivos de programas\TGTSoft\StyleXP\StyleXPService.exe"" [empty string]

Windows Defender Service, WinDefend, ""C:\Arquivos de programas\Windows Defender\MsMpEng.exe"" [MS]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 31 seconds, including 7 seconds for message boxes)

Compartilhar este post


Link para o post
Compartilhar em outros sites

Opa Pablo3322,

 

Vamos lá.

 

1ª Etapa

 

1. Execute o Killbox, clique em Delete on Reboot.

 

2. Copie a lista abaixo em negrito para a área de transferência. Selecione --> Editar --> Copiar.

C:\WINDOWS\axybn1.dll

3. Retorne ao Killbox. Clique em File > Paste from clipboard. Clique em All Files.

 

4. Aperte em "X". Responda "não" à pergunta.

 

É prudente que você faça a impressão deste documento ou salve-o em um lugar de fácil acesso, pois na próxima etapa entraremos em Modo de Seguro e a conexão à internet não será possível.

 

2ª Etapa

 

Reinicie o computador em Modo Seguro.

 

Vá em Iniciar -> Executar -> digite regedit -> dê Ok.

 

Navegue até a seguinte chave:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command

 

No painel à direita selecione o nome - Default - dê um clique direito e aperte em modificar. Uma janela abrir-se-á. No local destinado ao valor coloque o seguinte:

 

"%1" /S

 

Navegue até a seguinte chave:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

 

Delete a pasta ShellState.

 

Navegue até a seguinte chave:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion

 

No painel à direita delete a seguinte entrada:

 

"Shell" = "C:\ARQUIV~1\Aston\ShellSwp.exe ,svchost.exe"

 

Saia do Editor do Registro.

 

3ª Etapa

 

Reinicie em Modo Normal.

 

Verifique se o problema foi resolvido e poste um novo log do HijackThis.

 

Um abraço.

Compartilhar este post


Link para o post
Compartilhar em outros sites

Opa Pablo3322,

 

Fico feliz por saber que consegui ajudá-lo a resolver o problema. :D

 

Devo lhe parabenizar pela persistência, pois a maioria dos usuários desiste quando o problema não se resolve em poucos posts, contudo nem sempre a resolução é de fácil percepção. Batalhei para descobrir a origem do problema, mas consegui. :joia:

 

PS.: Não esqueça de Desabilitar e Reabilitar a função de Restauração Automática do XP. Clique aqui para ver como.

 

Abraços.

Compartilhar este post


Link para o post
Compartilhar em outros sites

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto é necessário enviar uma Mensagem Privada para um Moderador com um link para o tópico.

Compartilhar este post


Link para o post
Compartilhar em outros sites

×

Informação importante

Ao usar o fórum, você concorda com nossos Termos e condições.