[Arquivado] MeU COMPUTADOR ESTÁ MUITO LENTO , SERÁ QUE É VIRUS

[G_santos 0]

Aqui está

 

 

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"updateMgr" = "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]

"MSMSGS" = ""C:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS]

"eMuleAutoStart" = "C:\Arquivos de programas\eMule\emule.exe -AutoStart" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SunJavaUpdateSched" = ""C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"MDNS" = "C:\WINDOWS\system32\service.exe" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)

-> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\(Default) = (no title provided)

-> {HKLM...CLSID} = "BrowsingEnhancer"

\InProcServer32\(Default) = "C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll" [empty string]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Windows Live Sign-in Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\(Default) = "Mirar"

-> {HKLM...CLSID} = "Mirar"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found]

{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"

-> {HKLM...CLSID} = "GbIehObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> GbPluginBb\DLLName = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoResolveSearch" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

 

"NoUpdateCheck" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "User" & "All Users" startup folders:

------------------------------------------------------

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

"Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"

-> {HKLM...CLSID} = "Mirar"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found]

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = (no title provided)

-> {HKLM...CLSID} = "Mirar"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Pesquisar"

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

a-squared Free Service, a2free, "C:\Arquivos de programas\a-squared Free\a2service.exe" ["Emsi Software GmbH"]

AVG E-mail Scanner, AVGEMS, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

Machine Debug Manager, MDM, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

---------- (launch time: 2008-01-30 06:07:27)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 70 seconds, including 4 seconds for message boxes)

[jgarcia 1]

Opa G_santos,

 

Reinicie em Modo Seguro.

 

Vá em Iniciar -> Executar -> digite regedit -> dê Ok.

 

Navegue até a seguinte subchave:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

No painel à direita localize e delete:

 

"MDNS" = "C:\WINDOWS\system32\service.exe"

 

Navegue até a seguinte subchave:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

 

Localize e delete a seguinte pasta:

 

{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}

 

Navegue até a seguinte subchave:

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

 

Localize e delete a seguinte pasta:

 

{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}

 

Agora vá em Editar -> Localizar -> digite Mirar -> clique em Localizar próxima. Caso alguma entrada contendo Mirar seja encontrada, delete-a. Repita a operação até que todas as entradas que contenham Mirar tenham sido removidas.

 

Saia do Editor do Registro.

 

Reinicie em Modo Normal.

 

Retorne com um novo log do SilentRunners.

 

Um abraço.

[G_santos 0]

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"updateMgr" = "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]

"MSMSGS" = ""C:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS]

"eMuleAutoStart" = "C:\Arquivos de programas\eMule\emule.exe -AutoStart" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SunJavaUpdateSched" = ""C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"MDNS" = "C:\WINDOWS\system32\service.exe" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)

-> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\(Default) = (no title provided)

-> {HKLM...CLSID} = "BrowsingEnhancer"

\InProcServer32\(Default) = "C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll" [empty string]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Windows Live Sign-in Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found]

{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"

-> {HKLM...CLSID} = "GbIehObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> GbPluginBb\DLLName = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoResolveSearch" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

 

"NoUpdateCheck" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "User" & "All Users" startup folders:

------------------------------------------------------

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

"Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Pesquisar"

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

a-squared Free Service, a2free, "C:\Arquivos de programas\a-squared Free\a2service.exe" ["Emsi Software GmbH"]

AVG E-mail Scanner, AVGEMS, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

Machine Debug Manager, MDM, ""C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

---------- (launch time: 2008-02-14 22:31:16)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 98 seconds, including 12 seconds for message boxes)

[jgarcia 1]

Opa G_santos,

 

Vamos lá.

 

1. Reinicie em Modo Seguro.

 

2. Vá em Iniciar -> Executar -> digite regedit -> dê Ok.

 

3. Navegue até a seguinte subchave:

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

 

4. No painel à direita localize e delete:

 

"MDNS" = "C:\WINDOWS\system32\service.exe"

 

5. Clique em Editar -> Localizar -> coloque WinNB58.dll -> clique em Localizar próxima. Caso seja encontrada alguma entrada, delete-a.

 

6. Repita a operação até que todas as entradas que contenham WinNB58.dll tenham sido removidas.

 

7. Saia do Editor do Registro.

 

8. Reinicie em Modo Normal.

 

9. Poste um novo log do ComboFix.

 

Abraços.

[G_santos 0]

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"updateMgr" = "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]

"MSMSGS" = ""C:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS]

"eMuleAutoStart" = "C:\Arquivos de programas\eMule\emule.exe -AutoStart" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SunJavaUpdateSched" = ""C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)

-> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\(Default) = (no title provided)

-> {HKLM...CLSID} = "BrowsingEnhancer"

\InProcServer32\(Default) = "C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll" [empty string]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Windows Live Sign-in Helper"

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found]

{C41A1C0E-EA6C-11D4-B1B8-444553540000}\(Default) = "G-Buster Browser Defense"

-> {HKLM...CLSID} = "GbIehObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Extensão de ícone de arquivo do Outlook"

\InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "C:\Arquivos de programas\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" = "GbPlugin ShlObj"

-> {HKLM...CLSID} = "GbPluginObj Class"

\InProcServer32\(Default) = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> GbPluginBb\DLLName = "C:\ARQUIV~1\GbPlugin\gbieh.dll" ["Banco do Brasil"]

<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Arquivos de programas\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Arquivos de programas\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\ARQUIV~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

-> {HKLM...CLSID} = "a-squared Free Shell Extension"

\InProcServer32\(Default) = "C:\Arquivos de programas\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoResolveSearch" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

 

"NoUpdateCheck" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\User\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "User" & "All Users" startup folders:

------------------------------------------------------

 

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

"Adobe Reader Speed Launch" -> shortcut to: "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\WinNB58.dll" [file not found]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"

\InProcServer32\(Default) = "C:\Arquivos de programas\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Pesquisar"

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Arquivos de programas\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

[jgarcia 1]

Opa G_santos,

 

Siga as instruções:

 

1. Abra o Bloco de Notas -> Copie (Control + C) e Cole (Control + V) todo o texto incluído no "Quote":

File::

C:\WINDOWS\system32\WinNB58.dll

ATENÇÃO: O script acima foi elaborado especificamente para a infecção contida neste computador. Utilizá-lo em outra máquina poderá originar graves problemas ao usuário.

• 2. Salve o arquivo como CFScript.txt;
   
  3. Tal como exemplificado na foto abaixo, arraste o arquivo CFScript.txt para o ComboFix.exe.
  
   
  4. Ao término do processo a ferramenta irá gerar um log. Poste-o (C:\ComboFix.txt) em sua próxima resposta.
  

Abraços.

[G_santos 0]

Aqui está o log

 

 

ComboFix 08-02-21 - User 2008-02-21 10:52:31.5 - NTFSx86

Executando de: C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe

Command switches used :: C:\Documents and Settings\User\Meus documentos\Downloads\CFScript.txt;.txt

* Criado um novo ponto de restauro

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINDOWS\system32\WinNB58.dll

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat

 

----- BITS: Possible infected sites -----

 

hxxp://au.do

.

((((((((((((((((((((((( Ficheiros criados de 2008-01-21 to 2008-02-21 ))))))))))))))))))))))))))))))))

.

 

2008-02-21 10:36 . 2008-02-21 10:36 <DIR> d----c--- C:\Arquivos de programas\FBrowsingAdvisor

2008-02-21 10:36 . 2008-02-21 10:36 <DIR> d----c--- C:\Arquivos de programas\FBrowserAdvisor

2008-02-21 10:36 . 2006-04-14 23:05 9,952 --a--c--- C:\regxpcom.exe

2008-02-17 13:19 . 2006-07-25 21:39 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos

2008-02-17 13:19 . 2006-07-25 18:21 <DIR> d-------- C:\Documents and Settings\Administrador\Meus documentos

2008-02-17 13:19 . 2006-07-25 18:21 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar

2008-02-17 13:19 . 2006-07-25 18:21 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos

2008-02-17 13:19 . 2006-07-25 18:21 <DIR> dr-h----- C:\Documents and Settings\Administrador\Dados de aplicativos

2008-02-17 13:19 . 2008-02-17 13:19 <DIR> d--h----- C:\Documents and Settings\Administrador\Configurações locais

2008-02-17 13:19 . 2006-07-25 18:21 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de rede

2008-02-17 13:19 . 2006-07-25 18:21 <DIR> d--h----- C:\Documents and Settings\Administrador\Ambiente de impressão

2008-02-13 17:03 . 2008-02-13 17:03 244 --ah-c--- C:\sqmnoopt18.sqm

2008-02-13 17:03 . 2008-02-13 17:03 232 --ah-c--- C:\sqmdata18.sqm

2008-02-13 16:10 . 2008-02-13 16:11 1,374 --a------ C:\WINDOWS\imsins.BAK

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-21 13:50 --------- dc----w C:\Arquivos de programas\BrowsingEnhancer

2008-02-18 23:28 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\LimeWire

2008-02-12 01:11 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\AVG7

2008-02-07 02:30 --------- dc----w C:\Arquivos de programas\LimeWire

2008-01-29 10:00 --------- d-----w C:\Documents and Settings\LocalService\Dados de aplicativos\AVG7

2008-01-23 18:32 --------- dc----w C:\Arquivos de programas\Java

2008-01-20 09:10 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Java

2008-01-19 23:11 --------- dc----w C:\Arquivos de programas\eMule

2008-01-04 21:13 --------- dc----w C:\Arquivos de programas\CCleaner

2008-01-04 01:09 --------- dc----w C:\Arquivos de programas\GbPlugin

2008-01-04 01:08 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\GbPlugin

2008-01-03 20:50 --------- dc----w C:\Arquivos de programas\MSN Messenger

2008-01-03 17:28 --------- dc----w C:\Arquivos de programas\Google

2008-01-03 00:40 --------- dc----w C:\Arquivos de programas\Samsung

2008-01-03 00:40 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information

2008-01-03 00:11 --------- d-----w C:\Arquivos de programas\free-downloads

2007-12-26 13:35 --------- dc----w C:\Arquivos de programas\IObit

2007-12-07 02:09 824,832 ----a-w C:\WINDOWS\system32\wininet.dll

2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}]

2007-12-26 20:32 1019904 --a--c--- C:\Arquivos de programas\BrowsingEnhancer\BrowsingEnhancer-2.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]

C:\WINDOWS\system32\WinNB58.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{EF99BD32-C1FB-11D2-892F-0090271D4F88}

{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}

 

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]

[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24 1694208]

"eMuleAutoStart"="C:\Arquivos de programas\eMule\emule.exe" [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

"AVG7_Run"="C:\ARQUIV~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 09:22 219136]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [2007-12-03 14:30 347976]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]

C:\ARQUIV~1\GbPlugin\gbieh.dll 2007-12-03 14:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Gamma Loader.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Utility Tray.lnk]

path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Utility Tray.lnk

backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

--a------ 2007-12-21 08:23 579072 C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

-ra------ 2003-04-06 06:39 1818624 C:\WINDOWS\mixer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

--a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

-ra------ 2004-10-07 21:27 126976 C:\WINDOWS\system32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

-ra------ 2004-10-07 21:31 155648 C:\WINDOWS\system32\igfxtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a--c--- 2007-01-19 11:54 5674352 C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]

--a------ 2003-03-11 16:24 86016 C:\Arquivos de programas\Intel\NCS\PROSet\PRONoMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

C:\Arquivos de programas\VIA\RAID\raid_t

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2003-12-08 17:35 32768 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]

--a------ 2002-07-12 07:15 106496 C:\WINDOWS\SiSUSBrg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

--a------ 2006-06-26 15:53 20005928 C:\Arquivos de programas\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

-ra------ 2005-06-06 06:40 544768 C:\WINDOWS\sm56hlpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2005-05-17 07:48 77824 C:\WINDOWS\SOUNDMAN.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VModes]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

-ra------ 2005-03-07 16:33 53248 C:\WINDOWS\system32\VTTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

-ra------ 2005-03-11 06:33 147456 C:\WINDOWS\system32\VTTrayp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsTranslator]

--a------ 2000-08-31 16:33 395776 C:\ARQUIV~1\MICROP~1\DELTAT~1.0\DWinTrsl.exe

 

S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-21 11:37]

S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-11-04 04:39]

S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-25 11:19]

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-21 10:56:23

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-02-21 10:58:59

ComboFix-quarantined-files.txt 2008-02-21 13:58:49

ComboFix2.txt 2008-01-11 13:07:55

.

2008-02-13 19:14:21 --- E O F ---

[jgarcia 1]

Opa G_santos,

 

Execute o Active Scan da Panda, observando os seguintes procedimentos:

 

1) Alguns anti-vírus, tal como o AVAST, podem exibir um alerta de detecção durante a execução do scan, porém tal alerta deve ser ignorado. O aviso não passa de um falso-positivo. Sugiro que o AV seja desabilitado, temporariamente, a fim de que o scan ocorra sem problemas;

 

2) Para iniciar o processo, clique sobre o botão ;

 

3) Informe os dados solicitados no formulário;

 

4) Clique sobre o botão "Pesquise agora sem custos";

 

5) Siga todas as instruções que lhe serão passadas e aguarde o fim da varredura;

 

6) Ao término do scan, clique em visualizar o log. Salve-o em seu Desktop;

 

7) Poste o conteúdo do log em sua próxima resposta.

 

Abraços.

[G_santos 0]

OLá J Garcia

 

 

Não consegui , passar o Active Scan da Panda

A pagina da Web estava com erro.

 

Ok.

[jgarcia 1]

OLá J Garcia

 

 

Não consegui , passar o Active Scan da Panda

A pagina da Web estava com erro.

 

Ok.

Qual erro?

[G_santos 0]

OLá Jgarcia .

Obrigado por está resolvendo esses problemas de infecção

espero que esse seu trabalho continue ajudando muitas pessoas.

 

Mais uma coisa , liguei meu computador hoje e ele estava sem audio

o Que pode ser?

Sera que a placa queimou ou é algum virus.

[G_santos 0]

OLá jgarcia

finalmente consegui rodar o activescan do panda

aqui está o relatorio.

acho que o virus que estava no meu computador danificou o audio do meu computador.

 

 

 

Incidência Estado Localização

 

Adware:adware/mirar Não desinfectado Registo do Windows

Possível Vírus. Não desinfectado C:\Arquivos de programas\MicroPower Software\Delta Translator 2.0\Registro.exe

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\ComboFix\nircmd.com

Spyware:Cookie/AdDynamix Não desinfectado C:\Documents and Settings\User\Cookies\user@ads.addynamix[1].txt

Spyware:Cookie/PointRoll Não desinfectado C:\Documents and Settings\User\Cookies\user@ads.pointroll[2].txt

Spyware:Cookie/Ccbill Não desinfectado C:\Documents and Settings\User\Cookies\user@ccbill[1].txt

Spyware:Cookie/onestat.com Não desinfectado C:\Documents and Settings\User\Cookies\user@stat.onestat[2].txt

Spyware:Cookie/Com.com Não desinfectado C:\Documents and Settings\User\Cookies\user@terra.com[1].txt

Spyware:Cookie/Com.com Não desinfectado C:\Documents and Settings\User\Cookies\user@uol.com[1].txt

Virus:Trj/Bancos.RQ Desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\bankerfix.exe

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.com]

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]

Virus:Trj/Bancos.RQ Desinfectado C:\Documents and Settings\User\Meus documentos\Meus arquivos recebidos\bankerfix.exe

Virus:Trj/Bankfake.I Desinfectado C:\LinhaDefensiva\fx.reg

Virus:Trj/Bancos.RQ Desinfectado C:\LinhaDefensiva\pv.exe

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\WINDOWS\Nircmd.exe

Ferramenta potencialmente indesejada:Application/Psexec.A Não desinfectado C:\WINDOWS\PSEXESVC.EXE

[jgarcia 1]

Opa G_santos,

 

Vamos lá.

 

1. Clique em Iniciar > Executar.

 

2. Digite regedit > clique em OK.

 

3. Navegue até a seguinte subchave:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

 

4. No painel à direita, delete o valor:

 

"ToolbarInstall" = "MirarSetup.exe"

 

5. Navegue até as seguintes chaves:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

 

6. No painel à direita, delete o valor:

 

"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = ""

 

7. Navegue até a seguinte chave:

 

HKEY_LOCAL_MACHINE%\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

 

8. No painel à direita, delete os valores:

 

"C:\WINDOWS\Downloaded Program Files\MirarSetup.exe" = ""

"C:\WINDOWS\System32\WinDmy.dll" = ""

 

9. Navegue e delete as seguintes chaves do registro:

 

HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179E4B4A-76C3-4F65-BCED-C9FA1A28D2EF}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_Bar_Helper

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_Bar_Helper.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_WebBand

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_WebBand.1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4035DE1B-D54A-411E-9EE7-923295D2E86E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{753B9349-7E46-4E5C-A27F-A60A6BF1EAB5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MirarSetup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/WinDmy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}

 

10. Saia do Editor do Registro.

 

11. Execute o Killbox, clique em Delete on Reboot.

 

12. Copie a lista abaixo em negrito para a área de transferência. Selecione tudo com o auxílio do mouse --> vá até a aba Editar na barra do navegador --> clique em Copiar.

 

C:\Arquivos de programas\MicroPower Software\Delta Translator 2.0\Registro.exe

C:\WINDOWS\PSEXESVC.EXE

 

13. Retorne ao Killbox. Clique em File > Paste from clipboard. Clique em All Files.

 

14. Aperte em "X". Responda "não" à pergunta.

 

15. Reinicie em Modo Normal.

 

16. Delete o conteúdo da pasta C:\!Killbox.

 

17. Execute o CCleaner e clique em Executar Limpeza.

 

18. Execute o Active Scan novamente e verifique se ainda detecta algo.

 

Um abraço.

[G_santos 0]

AQui está o log.

 

 

 

Incidência Estado Localização

 

Adware:adware/mirar Não desinfectado Registo do Windows

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\ComboFix\nircmd.com

Spyware:Cookie/Com.com Não desinfectado C:\Documents and Settings\User\Cookies\user@uol.com[1].txt

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.com]

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\WINDOWS\Nircmd.exe

[jgarcia 1]

Opa G_santos,

 

Vamos lá.

 

1ª Etapa

 

Baixe o AVG Anti-Spyware em:

AVG AntiSpyware

 

1. Dê duplo-clique sobre o ícone do arquivo baixado;

 

2. Selecione Português como idioma para instalação;

 

3. Na janela de boas-vindas do Assistente do AVG Anti-Spyware clique em Seguinte >;

 

4. Na janela do Contrato de Licença clique em Aceito;

 

5. Clique em Seguinte > Instalar > aguarde o término do processo de instalação > clique em Terminar;

 

6. Quando a janela do AVG Anti-Spyware abrir, escolha Atualizar e aguarde o término do processo, mas não o execute ainda.

 

É prudente que você faça a impressão deste documento ou salve-o em um lugar de fácil acesso, pois na próxima etapa entraremos em Modo Seguro e a conexão à internet não será possível.

 

2ª Etapa

 

Reinicie em Modo Seguro.

 

1. Execute o AVG Anti-Spyware e clique em Status. Em Última verificação escolha Verificar agora > Verificação completa do sistema > aguarde o término da varredura;

 

2. Quando a varredura terminar verifique a coluna Ameaça e, sobretudo, a Ação que será executada. Caso não possua certeza sobre a exclusão de algum arquivo ou tenha certeza de que ele é legítimo, basta selecioná-lo dar um clique direito e escolher Ignorar uma vez ou Adicionar à lista de exceções;

 

3. Feito o procedimento acima clique em Aplicar todas as ações;

 

4. Clique em Salvar relatório. Copie o conteúdo do relatório e poste em sua próxima resposta.

 

3ª Etapa

 

Reinicie o computador em Modo Normal.

 

Execute o CCleaner e clique em Executar Limpeza.

 

Execute o Active Scan mais uma vez e verifique se ainda detecta algo.

 

Abraços.

[G_santos 0]

Aqui estão

 

---------------------------------------------------------

AVG Anti-Spyware - Relatório de verificação

---------------------------------------------------------

 

+ Criação: 21:55 2008-03-13

 

+ Resultado da verificação:

 

 

 

C:\Documents and Settings\User\Meus documentos\Musicas\gospel (variados)\Top of Charts - 2005.wma -> Downloader.Wimad.l : Limpo com backup (em quarentena).

C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000025.dll -> Not-A-Virus.Adware.Mirar : Ignorado.

C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000031.dll -> Not-A-Virus.Adware.Mirar : Ignorado.

C:\Documents and Settings\User\Cookies\user@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Limpo.

C:\Documents and Settings\User\Cookies\user@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Limpo.

C:\Documents and Settings\User\Cookies\user@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Limpo.

C:\Documents and Settings\User\Cookies\user@searchportal.information[1].txt -> TrackingCookie.Information : Limpo.

C:\Documents and Settings\User\Cookies\user@image.masterstats[1].txt -> TrackingCookie.Masterstats : Limpo.

C:\Documents and Settings\User\Cookies\user@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Limpo.

 

 

::Fim do relatório

 

 

 

 

 

 

Incidência Estado Localização

 

Adware:adware/mirar Não desinfectado Registo do Windows

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\ComboFix\nircmd.com

Spyware:Cookie/Com.com Não desinfectado C:\Documents and Settings\User\Cookies\user@uol.com[1].txt

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.com]

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\Documents and Settings\User\Meus documentos\Downloads\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]

Ferramenta potencialmente indesejada:Application/NirCmd.A Não desinfectado C:\WINDOWS\Nircmd.exe

[jgarcia 1]

Opa G_santos,

 

Execute o Housecall da Trendmicro e retorne com o resultado.

 

Abraços.

[G_santos 0]

ele encontrou um malware e desinfectou

mas site não gera um log .

 

eu rodei o avg anti-spynware

 

e eu encontrou 2 trojans estão em quarentena

 

---------------------------------------------------------

AVG Anti-Spyware - Relatório de verificação

---------------------------------------------------------

 

+ Criação: 21:55 2008-03-13

 

+ Resultado da verificação:

 

 

 

C:\Documents and Settings\User\Meus documentos\Musicas\gospel (variados)\Top of Charts - 2005.wma -> Downloader.Wimad.l : Limpo com backup (em quarentena).

C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000025.dll -> Not-A-Virus.Adware.Mirar : Ignorado.

C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000031.dll -> Not-A-Virus.Adware.Mirar : Ignorado.

 

 

 

::Fim do relatório

 

---------------------------------------------------------

AVG Anti-Spyware - Relatório de verificação

---------------------------------------------------------

 

+ Criação: 23:05 2008-03-17

 

+ Resultado da verificação:

 

 

 

C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000025.dll -> Not-A-Virus.Adware.Mirar : Limpo com backup (em quarentena).

C:\System Volume Information\_restore{BF93FFD3-679A-4E47-BF87-558E8707F85B}\RP1\A0000031.dll -> Not-A-Virus.Adware.Mirar : Limpo com backup (em quarentena).

 

 

::Fim do relatório

 

 

e o meu computador está sem audio!

[jgarcia 1]

Opa G_santos,

 

Baixe o BugHunter e salve em seu desktop.

 

Execute-o dando duplo-clique sobre o arquivo BUGHUNT.EXE.

 

Abrir-se-á uma janela em DOS com as seguintes opções:

 

[A] - Scan for malware only (Localizar o malware, apenas).

- Scan for malware and rename it (Localizar e renomear o malware).

[C] - Scan for malware and remove it (Localizar e remover o malware).

[D] - Scan for malware and ask what to do (Localizar o malware e perguntar o que fazer).

[Q] - Exit BugHunter - (Sair do BugHunter).

 

Escolha e opção C e clique sobre o Enter.

 

Aguarde o término da varredura, a qual poderá demorar alguns minutos, portanto seja paciente.

 

Retorne com o resultado.

 

Abraços.

[G_santos 0]

Log file opened: 13:20:09 - 03-21-2008

BugHunter v2.2e using database date/time 03-19-2008|01:15:26

Using configuration file: BUGHUNT.INI

 

=> Nfo: Recursive scanning is enabled.

=> Nfo: BugHunter is only logging found malware...

Action taken, and result.

 

===============================================================

Finished Scanning...50,602 Files

 

No known MalWare was found in the specified directories.

BugHunter took approximately 24 minutes and 46 seconds to scan the folders.

===============================================================

Log file closed.: 13:44:39 - 03-21-2008