
Archived: this topic has been archived and is closed to new replies.

jeanjcds

[Resolved] My desktop disappeared


Hey jeanjcds,

Follow these instructions:

1. Open Notepad -> copy (Control + C) and paste (Control + V) all of the text included in the "Quote":

File::

F:\WINDOWS\system32\msnprint.dll

F:\WINDOWS\system32\bitcometres.dll

F:\WINDOWS\system32\rar.exe

F:\WINDOWS\AutoIE.exe

F:\WINDOWS\AutoSS.exe

F:\WINDOWS\Tasks\startt.job

c:\start.bat

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000000

ATTENTION: The script above was written specifically for the infection on this computer. Using it on another machine may cause serious problems for the user.

2. Save the file as CFScript.txt;

3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.
(image: 645i642.gif)

4. When the process finishes, the tool will generate a log. Post it (F:\ComboFix.txt) in your next reply.

Cheers.


ComboFix 08-04-13.3 - Jean 2008-04-15 22:39:29.7 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1467 [GMT -3:00]

Executando de: F:\LinhaDefenciva\ComboFix.exe

Command switches used :: F:\LinhaDefenciva\CFScript.txt

* Criado um novo ponto de restauro

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

c:\start.bat

F:\WINDOWS\AutoIE.exe

F:\WINDOWS\AutoSS.exe

F:\WINDOWS\system32\bitcometres.dll

F:\WINDOWS\system32\msnprint.dll

F:\WINDOWS\system32\rar.exe

F:\WINDOWS\Tasks\startt.job

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\start.bat

F:\WINDOWS\AutoIE.exe

F:\WINDOWS\AutoSS.exe

F:\WINDOWS\system32\bitcometres.dll

F:\WINDOWS\system32\msnprint.dll

F:\WINDOWS\system32\rar.exe

F:\WINDOWS\Tasks\startt.job

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-03-16 to 2008-04-16 ))))))))))))))))))))))))))))))))

.

 

2008-04-14 22:38 . 2008-04-14 22:38 2,612 --a------ F:\WINDOWS\system32\tmp.reg

2008-04-13 22:07 . 2008-04-14 23:04 <DIR> d-------- F:\Arquivos de programas\WinISO

2008-04-10 23:34 . 2008-04-10 23:34 <DIR> d-------- F:\Arquivos de programas\Alcohol Soft

2008-04-10 23:06 . 2008-02-18 17:29 96,256 --a------ F:\WINDOWS\system32\drivers\mcdbus.sys

2008-04-10 23:05 . 2008-04-10 23:06 <DIR> d-------- F:\Arquivos de programas\MagicDisc

2008-04-04 22:41 . 2008-04-07 22:31 <DIR> d-------- F:\WINDOWS\NV20562648.TMP

2008-04-04 17:54 . 2008-04-04 17:54 <DIR> d-------- F:\Arquivos de programas\Programas SRF

2008-04-04 17:53 . 2008-04-04 18:14 <DIR> d-------- F:\Recnet

2008-04-04 17:53 . 2006-10-31 13:12 128,000 --a------ F:\WINDOWS\DesinstWRecnet.exe

2008-04-04 17:53 . 2008-02-12 14:27 122,880 --a------ F:\WINDOWS\DesinstRecnet.exe

2008-04-04 17:53 . 2006-10-31 13:12 5,361 --a------ F:\WINDOWS\DesinstWRecnet.ini

2008-04-04 17:53 . 2008-04-04 17:53 131 --a------ F:\WINDOWS\REC-NET.INI

2008-04-01 19:37 . 2008-04-01 19:37 <DIR> d-------- F:\Documents and Settings\Jean\Dados de aplicativos\teamspeak2

2008-04-01 19:36 . 2008-04-01 19:37 <DIR> d-------- F:\Arquivos de programas\Teamspeak2_RC2

2008-04-01 19:36 . 2008-04-01 19:36 34,064 --a------ F:\WINDOWS\system32\lhacm.acm

2008-04-01 18:28 . 2008-04-01 18:28 <DIR> d-------- F:\Arquivos de programas\GameSpy

2008-04-01 18:27 . 2008-04-01 18:27 669,184 --a------ F:\WINDOWS\system32\pbsvc.exe

2008-04-01 18:14 . 2008-04-01 18:14 <DIR> d-------- F:\Arquivos de programas\Electronic Arts

2008-03-31 09:23 . 2008-04-09 17:35 <DIR> d-------- F:\Documents and Settings\Jean\Dados de aplicativos\Pandion

2008-03-31 09:23 . 2008-03-31 09:23 <DIR> d-------- F:\Arquivos de programas\Pandion

2008-03-30 10:01 . 2008-03-30 10:02 <DIR> d-------- F:\temp\smallville

2008-03-30 09:16 . 2008-03-30 09:16 <DIR> d-------- F:\temp\ShopFacil

2008-03-30 09:15 . 2008-03-30 09:15 <DIR> d-------- F:\temp\SisFaturaItaum para teste

2008-03-30 09:15 . 2008-03-30 09:16 <DIR> d-------- F:\temp\Restaurante

2008-03-30 09:15 . 2008-03-30 09:15 <DIR> d-------- F:\temp\PcAnywereCompleto

2008-03-30 09:13 . 2008-03-30 09:14 <DIR> d-------- F:\temp\Disco

2008-03-30 09:13 . 2008-03-30 09:13 <DIR> d-------- F:\temp\Comercial service- Fix Rep

2008-03-30 09:13 . 2008-03-30 09:13 <DIR> d-------- F:\temp\Comercial Service

2008-03-30 09:13 . 2008-03-30 09:13 <DIR> d-------- F:\temp\Camisaria Avenida

2008-03-30 09:13 . 2008-03-30 09:13 <DIR> d-------- F:\temp\Atualização ItaumCar

2008-03-30 09:13 . 2008-03-30 09:13 <DIR> d-------- F:\temp\Acoplatec

2008-03-24 20:22 . 2008-03-24 20:22 <DIR> d---s---- F:\WINDOWS\Downloaded Program Files

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-15 01:59 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\Google Updater

2008-04-01 21:30 --------- d-----w F:\Arquivos de programas\GameVicio

2008-04-01 21:27 66,872 ----a-w F:\WINDOWS\system32\PnkBstrA.exe

2008-04-01 21:27 22,328 ----a-w F:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-04-01 21:27 22,328 ----a-w F:\Documents and Settings\Jean\Dados de aplicativos\PnkBstrK.sys

2008-04-01 21:27 103,736 ----a-w F:\WINDOWS\system32\PnkBstrB.exe

2008-03-26 23:13 --------- d-----w F:\Arquivos de programas\eMule

2008-03-15 18:19 --------- d-----w F:\Documents and Settings\Jean\Dados de aplicativos\AdobeUM

2008-03-14 12:11 --------- d-----w F:\Documents and Settings\Jean\Dados de aplicativos\Samsung

2008-03-14 11:50 --------- d--h--w F:\Arquivos de programas\InstallShield Installation Information

2008-03-14 11:43 --------- d-----w F:\Arquivos de programas\Samsung

2008-03-09 23:31 --------- d-----w F:\Documents and Settings\NetworkService\Dados de aplicativos\AVG7

2008-03-09 03:24 --------- d-----w F:\Arquivos de programas\BitComet

2008-03-06 22:21 --------- d-----w F:\Arquivos de programas\IObit

2008-03-06 22:11 --------- dcsh--w F:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller

2008-03-06 22:11 --------- d-----w F:\Arquivos de programas\Windows Live

2008-03-06 22:10 --------- d-----w F:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller

2008-03-05 00:27 --------- d-----w F:\Arquivos de programas\CoolSMS

2008-03-02 11:00 --------- d-----w F:\Documents and Settings\Jean\Dados de aplicativos\AVG7

2008-03-01 14:38 --------- d---a-w F:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-03-01 02:12 --------- d-----w F:\Arquivos de programas\Cartoon Network All-Stars

2008-02-25 22:50 --------- d-----w F:\Documents and Settings\Jean\Dados de aplicativos\The Chosen

2008-02-23 22:06 --------- d-----w F:\Documents and Settings\Jean\Dados de aplicativos\Frater

2008-02-23 22:06 --------- d-----w F:\Arquivos de programas\The Chosen - Well of Souls

2008-02-22 17:29 --------- d-----w F:\Arquivos de programas\Windows Media Connect 2

2008-02-20 21:52 --------- d-----w F:\Arquivos de programas\Activision

2008-02-20 00:05 --------- d-----w F:\Arquivos de programas\Messenger Plus! Live

2008-02-19 23:41 --------- d-----w F:\Arquivos de programas\Congoo Netpass

2008-02-17 12:33 --------- d-----w F:\Arquivos de programas\EA GAMES

2008-02-17 01:55 --------- d-----w F:\Arquivos de programas\Arquivos comuns\Raxco

2008-02-07 20:40 9,216 ----a-w F:\WINDOWS\system32\avgwlntf.dll

2008-01-19 19:01 774,144 ----a-w F:\Arquivos de programas\RngInterstitial.dll

2007-12-11 15:19 1,024 ----a-w F:\Documents and Settings\All Users\Dados de aplicativos\pdfdoc2.dll

2007-11-09 10:49 1 ----a-w F:\Documents and Settings\Jean\SI.bin

.

 

((((((((((((((((((((((((((((( snapshot@2008-04-14_22.53.38,76 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-15 01:40:44 2,048 --s-a-w F:\WINDOWS\bootstat.dat

+ 2008-04-16 01:31:43 2,048 --s-a-w F:\WINDOWS\bootstat.dat

- 2008-04-15 01:45:15 69,960 ----a-w F:\WINDOWS\system32\perfc009.dat

+ 2008-04-16 01:36:20 69,960 ----a-w F:\WINDOWS\system32\perfc009.dat

- 2008-04-15 01:45:15 78,596 ----a-w F:\WINDOWS\system32\perfc016.dat

+ 2008-04-16 01:36:20 78,596 ----a-w F:\WINDOWS\system32\perfc016.dat

- 2008-04-15 01:45:15 418,894 ----a-w F:\WINDOWS\system32\perfh009.dat

+ 2008-04-16 01:36:20 418,894 ----a-w F:\WINDOWS\system32\perfh009.dat

- 2008-04-15 01:45:15 451,670 ----a-w F:\WINDOWS\system32\perfh016.dat

+ 2008-04-16 01:36:20 451,670 ----a-w F:\WINDOWS\system32\perfh016.dat

+ 2008-04-16 01:32:04 16,384 ----atw F:\WINDOWS\Temp\Perflib_Perfdata_1d8.dat

+ 2008-04-16 01:32:29 16,384 ----atw F:\WINDOWS\Temp\Perflib_Perfdata_284.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vazias & legítimas por defeito não são mostradas.

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40498DEF-8B13-44A6-A1A7-69DFE36E9210}]

2007-03-05 17:39 915160 --------- F:\Arquivos de programas\Congoo Netpass\congootb.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{40498DEF-8B13-44A6-A1A7-69DFE36E9210}"= "F:\Arquivos de programas\Congoo Netpass\congootb.dll" [2007-03-05 17:39 915160]

 

[HKEY_CLASSES_ROOT\clsid\{40498def-8b13-44a6-a1a7-69dfe36e9210}]

[HKEY_CLASSES_ROOT\congootb.Band.1]

[HKEY_CLASSES_ROOT\TypeLib\{7AB2CD40-C33A-4C5A-B701-A68541DFF7DF}]

[HKEY_CLASSES_ROOT\congootb.Band]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

"LightDialer"="F:\Arquivos de programas\Turbo\Discador Turbo\DISCADOR.EXE" [2004-08-16 08:48 864256]

"NVIDIA nTune"="F:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-12-12 19:00 106496]

"MSMSGS"="F:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24 1694208]

"BitComet"="F:\Arquivos de programas\BitComet\BitComet.exe" [2008-02-01 04:20 2194744]

"CoolSMS"="F:\Arquivos de programas\CoolSMS\CoolSMS.exe" [2007-08-28 16:01 1067520]

"updateMgr"="F:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]

"eMuleAutoStart"="F:\Arquivos de programas\eMule\eMule.exe" [2007-05-13 11:57 5308416]

"Comrade.exe"="F:\Arquivos de programas\GameSpy\Comrade\Comrade.exe" [2007-06-29 15:03 36864]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 F:\WINDOWS\system32\nwiz.exe]

"SunJavaUpdateSched"="F:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"WatchDog"="F:\Arquivos de programas\mobile PhoneTools\WatchDog.exe" [2004-08-14 04:42 36864]

"C6501Sound"="c6501.cpl" []

"AVG7_CC"="F:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2008-02-07 17:40 579072]

"amd_dc_opt"="F:\Arquivos de programas\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 10:06 77824]

"!AVG Anti-Spyware"="F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 06:25 6731312]

"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

"AVG7_Run"="F:\ARQUIV~1\Grisoft\AVG7\avgw.exe" [2008-02-07 17:40 219136]

 

F:\Documents and Settings\Jean\Menu Iniciar\Programas\Inicializar\

MagicDisc.lnk - F:\Arquivos de programas\MagicDisc\MagicDisc.exe [2008-04-10 23:05:59 546816]

 

F:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\

Adobe Reader Speed Launch.lnk - F:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]

Google Updater.lnk - F:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [2008-02-10 11:27:19 125624]

Pandion.lnk - F:\Arquivos de programas\Pandion\Pandion.exe [2006-01-10 22:06:07 993792]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoBandCustomize"= 0 (0x0)

"NoMovingBands"= 0 (0x0)

"NoCloseDragDropBands"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]

avgwlntf.dll 2008-02-07 17:40 9216 F:\WINDOWS\system32\avgwlntf.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

PCANotify.dll 2007-04-27 11:10 18744 F:\WINDOWS\system32\PCANotify.dll

 

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]

path=F:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk

backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]

--a------ 2008-02-01 04:20 2194744 F:\Arquivos de programas\BitComet\BitComet.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

F:\Arquivos de programas\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 13:24 1694208 F:\Arquivos de programas\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2006-01-12 15:40 155648 F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

--a------ 2004-03-11 00:26 406016 F:\WINDOWS\system32\PSDrvCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2006-06-05 11:06 188416 F:\Arquivos de programas\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

F:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ALG"=3 (0x3)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"F:\\Arquivos de programas\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=

"F:\\Arquivos de programas\\BitComet\\BitComet.exe"=

"F:\\Arquivos de programas\\eMule\\emule.exe"=

"F:\\Arquivos de programas\\Pandion\\Pandion.exe"=

"F:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"F:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"F:\\Arquivos de programas\\Midway Home Entertainment\\Stranglehold\\Binaries\\Retail-Stranglehold.exe"=

"F:\\Arquivos de programas\\Ocean Technology\\GG E-Sports Platform\\Garena.exe"=

"F:\\Arquivos de programas\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"F:\\Arquivos de programas\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"F:\\WINDOWS\\system32\\PnkBstrA.exe"=

"F:\\WINDOWS\\system32\\PnkBstrB.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"11510:TCP"= 11510:TCP:BitComet 11510 TCP(ED2K)

"11510:UDP"= 11510:UDP:BitComet 11510 UDP(ED2K)

"19519:TCP"= 19519:TCP:BitComet 19519 TCP

"19519:UDP"= 19519:UDP:BitComet 19519 UDP

 

R0 Defrag32b;Defrag32Boot;F:\WINDOWS\system32\drivers\Defrag32b.sys [2005-11-22 11:33]

R2 Defrag32;Defrag32;F:\WINDOWS\system32\drivers\Defrag32.sys [2005-11-22 11:33]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;F:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe [2007-01-31 00:05]

R2 NVR0FLASHDev;NVR0FLASHDev;F:\WINDOWS\nvflash.sys [2007-12-12 18:58]

R2 PDSched;PDScheduler;"F:\Arquivos de programas\Raxco\PerfectDisk\PDSched.exe" [2005-11-29 11:16]

R2 UpdateCenterService;Update Center Service;F:\Arquivos de programas\NVIDIA Corporation\System Update\UpdateCenterService.exe [2007-12-12 18:59]

R3 cm102u32;C-Media CM6501 Like Sound Interface;F:\WINDOWS\system32\drivers\c6501.sys [2006-09-05 06:04]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;F:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe [2007-01-31 00:05]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);F:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 00:09]

S3 NPF;WinPcap Packet Driver (NPF);F:\WINDOWS\system32\drivers\NPF.sys []

S3 PciCon;PciCon;E:\PciCon.sys []

S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);F:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]

S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;F:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]

S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;F:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

S3 usb2vcom;Nokia CA-42 USB;F:\WINDOWS\system32\DRIVERS\usb2vcom.sys [2006-04-03 04:41]

S3 XDva030;XDva030;F:\WINDOWS\system32\XDva030.sys []

 

.

**************************************************************************

 

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-15 22:41:30

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-04-15 22:42:18

ComboFix-quarantined-files.txt 2008-04-16 01:41:58

ComboFix2.txt 2008-02-10 18:43:47

 

Pre-Run: 7,796,854,784 bytes disponíveis

Post-Run: 7,779,586,048 bytes disponíveis

.

2008-01-13 14:26:00 --- E O F ---


Hey jeanjcds,

Download SilentRunners.

Extract the SilentRunners.vbs file to drive F:. Double-click the file to run it.

After running it, wait until a document named Startup Programs (USER) date is generated. Copy the contents of that document and paste them in your next reply.

Cheers.

Note: If your AV detects the file as a malicious script, don't worry and allow it to run.

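The report this post asks for lists every autostart entry as "name" = "command" [publisher], and the helper's job is to spot the handful of entries that do not belong. The Python below is an added example, not part of this thread and not Silent Runners' own code: it parses lines in that shape and scores each entry with the checks a helper applies by eye (a <<!>> marker, a publisher field of [null data] or [file not found], a command running from a user-writable profile or temp folder, a random multi-word name, and a Winlogon Shell value that is not explorer.exe). The sample report is constructed from names and paths that appear later in this thread; the rules and their equal weighting are my own assumptions.

```python
"""Triage pass over Silent Runners-style autostart entries.

Added example (not part of this thread or of Silent Runners): parse lines of the
form  "name" = "command" [publisher]  and rank them with defender heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One entry per line, optionally prefixed by the <<!>> marker Silent Runners uses
# for sensitive load points.
ENTRY_RE = re.compile(
    r'^(?P<flag><<!>>\s+)?"(?P<name>[^"]+)"\s*=\s*"(?P<cmd>.*)"\s*\[(?P<pub>[^\]]*)\]\s*$'
)
# Publisher fields printed when no version information could be read.
NO_PUBLISHER = {"null data", "file not found", "empty string"}
# Fragments of user-writable locations; Portuguese XP folder names included because
# that is how they appear in the log posted in this thread.
USER_WRITABLE = (
    "documents and settings", "docume~1", "dados de aplicativos", "dadosd~1",
    "application data", "\\temp\\", "\\tmp\\",
)

# Constructed sample in the shape of the "Startup items buried in registry" section;
# names and paths are taken from the report posted in this thread.
SAMPLE_REPORT = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "F:\WINDOWS\system32\ctfmon.exe" [MS]
"Comrade.exe" = "F:\Arquivos de programas\GameSpy\Comrade\Comrade.exe" [null data]
"dash data" = "F:\DOCUME~1\Jean\DADOSD~1\DOESCO~1\dale gram joy.exe" [null data]
"BitComet" = ""F:\Arquivos de programas\BitComet\BitComet.exe" /tray" ["www.BitComet.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "F:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"warn default inter for" = "F:\Documents and Settings\All Users\Dados de aplicativos\Time Dead Warn Default\date peak.exe" [null data]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Shell" = "F:\ARQUIV~1\Aston\ShellSwp.exe ,svchost.exe" [file not found]
"""


@dataclass
class Finding:
    key: str
    name: str
    command: str
    publisher: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # Equal weight per rule; an assumption, not a Silent Runners convention.
        return len(self.reasons)


def exe_basename(command: str) -> str:
    """Return the file name of the first executable-looking token in a command."""
    m = re.search(r'([^\\"/,]+\.(?:exe|dll|cpl|scr|bat|cmd|vbs))', command, re.IGNORECASE)
    return m.group(1) if m else ""


def word_salad(text: str) -> bool:
    """True for names made of two or more plain lowercase words ("dash data")."""
    words = text.split()
    return len(words) >= 2 and all(w.isalpha() and w.islower() for w in words)


def triage(report: str) -> list[Finding]:
    """Parse a report and return its entries, most suspicious first."""
    findings: list[Finding] = []
    key = "(no key)"
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Registry key header lines end in a backslash or in the {++} marker.
            if line.endswith("\\") or line.endswith("{++}"):
                key = line.replace(" {++}", "").rstrip("\\")
            continue
        f = Finding(key, m["name"], m["cmd"], m["pub"].strip('"'))
        low = f.command.lower()
        exe = exe_basename(f.command)
        if m["flag"]:
            f.reasons.append("marked <<!>> by Silent Runners (sensitive load point)")
        if f.publisher in NO_PUBLISHER:
            f.reasons.append(f"no verifiable publisher ({f.publisher})")
        if any(frag in low for frag in USER_WRITABLE):
            f.reasons.append("runs from a user-writable location")
        if word_salad(f.name) and word_salad(exe.rsplit(".", 1)[0]):
            f.reasons.append("random-looking multi-word value name and file name")
        if key.lower().endswith("winlogon") and f.name.lower() == "shell" and "explorer.exe" not in low:
            f.reasons.append("Winlogon Shell is not explorer.exe")
        findings.append(f)
    findings.sort(key=lambda x: x.score, reverse=True)  # stable: ties keep report order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.score}  {f.name!r:28} {f.command}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run against the sample, the three entries that the helper goes on to remove score highest, while signed vendor entries score zero; a single [null data] (Comrade.exe, a real GameSpy component) sits in between, which is why the publisher field alone is never enough and the location and naming checks are combined with it.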

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "F:\WINDOWS\system32\ctfmon.exe" [MS]

"LightDialer" = "F:\Arquivos de programas\Turbo\Discador Turbo\DISCADOR.EXE" ["LightComm"]

"NVIDIA nTune" = ""F:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe" resetprofile" ["NVIDIA"]

"MSMSGS" = ""F:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS]

"BitComet" = ""F:\Arquivos de programas\BitComet\BitComet.exe" /tray" ["www.BitComet.com"]

"CoolSMS" = "F:\Arquivos de programas\CoolSMS\CoolSMS.exe /minimized" ["Cool Tecnologia - www.cool.com.br"]

"updateMgr" = ""F:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1" ["Adobe Systems Incorporated"]

"eMuleAutoStart" = "F:\Arquivos de programas\eMule\eMule.exe -AutoStart" ["http://www.emule-project.net"]

"Comrade.exe" = "F:\Arquivos de programas\GameSpy\Comrade\Comrade.exe" [null data]

"dash data" = "F:\DOCUME~1\Jean\DADOSD~1\DOESCO~1\dale gram joy.exe" [null data]

"Discador BRTurbo" = ""F:\Arquivos de programas\Discador BRTurbo\autoupdate.exe"" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"SunJavaUpdateSched" = ""F:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"WatchDog" = "F:\Arquivos de programas\mobile PhoneTools\WatchDog.exe" [null data]

"C6501Sound" = "RunDll32 c6501.cpl,CMICtrlWnd" [MS]

"AVG7_CC" = "F:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"amd_dc_opt" = "F:\Arquivos de programas\AMD\Dual-Core Optimizer\amd_dc_opt.exe" ["AMD"]

"!AVG Anti-Spyware" = ""F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

"NvMediaCenter" = "RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"warn default inter for" = "F:\Documents and Settings\All Users\Dados de aplicativos\Time Dead Warn Default\date peak.exe" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "F:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"

-> {HKLM...CLSID} = "BitComet Helper"

\InProcServer32\(Default) = "F:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.1.2.dll" ["BitComet"]

{40498DEF-8B13-44A6-A1A7-69DFE36E9210}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Congoo Netpass"

\InProcServer32\(Default) = "F:\Arquivos de programas\Congoo Netpass\congootb.dll" ["Congoo LLC"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

{7E6CDC1C-3B90-47D7-B2A8-24438CA96075}\(Default) = (no title provided)

-> {HKLM...CLSID} = "IbestBHO Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Discador BRTurbo\bho.dll" [empty string]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Auxiliar de Conexão do Windows Live"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"

\InProcServer32\(Default) = "F:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" ["Google Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "F:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "F:\Arquivos de programas\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Gestor de Ficheiros da Sony Ericsson"

-> {HKLM...CLSID} = "Gestor de Ficheiros da Sony Ericsson"

\InProcServer32\(Default) = "F:\Arquivos de programas\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]

"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Gestor de Ficheiros da Sony Ericsson"

-> {HKLM...CLSID} = "Gestor de Ficheiros da Sony Ericsson"

\InProcServer32\(Default) = "F:\Arquivos de programas\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"

-> {HKLM...CLSID} = "Nokia Phone Browser"

\InProcServer32\(Default) = "F:\Arquivos de programas\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"

-> {HKLM...CLSID} = "IZArc DragDrop Menu"

\InProcServer32\(Default) = "F:\ARQUIV~1\IZArc\IZArcCM.dll" [null data]

"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"

-> {HKLM...CLSID} = "IZArc Shell Context Menu"

\InProcServer32\(Default) = "F:\ARQUIV~1\IZArc\IZArcCM.dll" [null data]

"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "F:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

<<!>> "Shell" = "F:\ARQUIV~1\Aston\ShellSwp.exe ,svchost.exe" [file not found]

 

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> avgwlntf\DLLName = "avgwlntf.dll" ["GRISOFT, s.r.o."]

<<!>> PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "F:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

-> {HKLM...CLSID} = "IZArc Shell Context Menu"

\InProcServer32\(Default) = "F:\ARQUIV~1\IZArc\IZArcCM.dll" [null data]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

-> {HKLM...CLSID} = "IZArc Shell Context Menu"

\InProcServer32\(Default) = "F:\ARQUIV~1\IZArc\IZArcCM.dll" [null data]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoSMHelp" = (REG_DWORD) dword:0x00000001

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Help menu from Start Menu}

 

"NoBandCustomize" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|

Disable customizing browser toolbars}

 

"NoMovingBands" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoCloseDragDropBands" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoSetTaskbar" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Prevent changes to Taskbar and Start Menu Settings}

 

"NoToolbarsOnTaskbar" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoResolveSearch" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

 

"NoUpdateCheck" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "F:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "Jean" & "All Users" startup folders:

------------------------------------------------------

 

F:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

"Adobe Reader Speed Launch" -> shortcut to: "F:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Google Updater" -> shortcut to: "F:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe -systray -startup" ["Google"]

"Pandion" -> shortcut to: "F:\Arquivos de programas\Pandion\Pandion.exe /minimized" ["Deckers & Staelens VOF"]

 

 

Enabled Scheduled Tasks:

------------------------

 

"B3788BB59F8B078D" -> launches: "f:\docume~1\jean\dadosd~1\doesco~1\Funk One Rdr.exe" [null data]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{40498DEF-8B13-44A6-A1A7-69DFE36E9210}" = (no title provided)

-> {HKLM...CLSID} = "Congoo Netpass"

\InProcServer32\(Default) = "F:\Arquivos de programas\Congoo Netpass\congootb.dll" ["Congoo LLC"]

"{4F869C58-D71D-4850-8BDD-7B5CDF8EC911}" = "IBEST"

-> {HKLM...CLSID} = "iBEST Tools"

\InProcServer32\(Default) = "F:\Arquivos de programas\Discador BRTurbo\ibestbar.dll" [empty string]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "F:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\

"ButtonText" = "BitComet"

"Script" = "res://F:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.1.2.dll/206" ["BitComet"]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

F:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SEARCH_PAGE_URL="&http://home.microsoft.com/intl/br/access/allinone.asp"

[strings]: SAFESITE_VALUE="search.msn.com.br"

 

Missing lines (compared with English-language version):

[strings]: 2 lines

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Apple Mobile Device, Apple Mobile Device, ""F:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]

AVG E-mail Scanner, AVGEMS, "F:\ARQUIV~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "F:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Resident Shield Service, AvgCoreSvc, "F:\ARQUIV~1\Grisoft\AVG7\avgrssvc.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "F:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]

Cyberlink RichVideo Service(CRVS), RichVideo, ""F:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe"" [empty string]

Firebird Guardian - DefaultInstance, FirebirdGuardianDefaultInstance, "F:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe -s" ["The Firebird Project"]

Firebird Server - DefaultInstance, FirebirdServerDefaultInstance, "F:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe -s" ["The Firebird Project"]

Google Updater Service, gusvc, ""F:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]

MSSQL$PINNACLESYS, MSSQL$PINNACLESYS, ""F:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS" [MS]

NVIDIA Display Driver Service, NVSvc, "F:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

PDScheduler, PDSched, ""F:\Arquivos de programas\Raxco\PerfectDisk\PDSched.exe"" ["Raxco Software, Inc."]

Performance Service, nTuneService, "F:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]

PnkBstrA, PnkBstrA, "F:\WINDOWS\system32\PnkBstrA.exe" [null data]

Update Center Service, UpdateCenterService, "F:\Arquivos de programas\NVIDIA Corporation\System Update\UpdateCenterService.exe /StartService" ["NVIDIA"]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "F:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"F:\WINDOWS\System32\WUDFSvc.dll" [MS]}

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

pcAnywhere Remote Printing\Driver = "awmon.dll" ["Symantec Corporation"]

PDFConverter\Driver = "pdfmonnt.dll" [null data]

 

 

---------- (launch time: 2008-04-27 18:27:55)

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 72 seconds, including 15 seconds for message boxes)


Hey jeanjcds,

Let's go.

Step 1

Download Killbox from:

Killbox

1) Run KillBox. Click Delete on reboot;

2) Copy the bold list below to the clipboard. Select it --> Edit --> Copy:

F:\Documents and Settings\All Users\Dados de aplicativos\Time Dead Warn Default\date peak.exe

F:\DOCUME~1\Jean\DADOSD~1\DOESCO~1\dale gram joy.exe

F:\docume~1\jean\dadosd~1\doesco~1\Funk One Rdr.exe

F:\Documents and Settings\All Users\Dados de aplicativos\Time Dead Warn Default

F:\DOCUME~1\Jean\DADOSD~1\DOESCO~1

3) Return to Killbox. Click File --> Paste from clipboard --> All files;

4) Press "X". Answer "No" to the question.

It is wise to print this document or save it somewhere easy to reach, because in the next step we will enter Safe Mode and an internet connection will not be possible.

Step 2

Restart the computer in Safe Mode (after restarting, press the F8 key repeatedly until a black DOS screen appears, and choose Safe Mode).

Go to Start -> Run -> type regedit -> click OK.

Navigate to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Delete the ShellState folder.

Navigate to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-hand pane, delete the following entry:

"Shell" = "F:\ARQUIV~1\Aston\ShellSwp.exe ,svchost.exe"

Exit the Registry Editor.

Step 3

Restart in Normal Mode.

Check whether the problem has been resolved and post a new SilentRunners log.

Regards.


Hello!

For now everything is back to normal; the desktop is back.

Thanks.

 

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "F:\WINDOWS\system32\ctfmon.exe" [MS]

"LightDialer" = "F:\Arquivos de programas\Turbo\Discador Turbo\DISCADOR.EXE" ["LightComm"]

"NVIDIA nTune" = ""F:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe" resetprofile" ["NVIDIA"]

"MSMSGS" = ""F:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS]

"BitComet" = ""F:\Arquivos de programas\BitComet\BitComet.exe" /tray" ["www.BitComet.com"]

"updateMgr" = ""F:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1" ["Adobe Systems Incorporated"]

"dash data" = "F:\DOCUME~1\Jean\DADOSD~1\DOESCO~1\dale gram joy.exe" [file not found]

"Discador BRTurbo" = ""F:\Arquivos de programas\Discador BRTurbo\autoupdate.exe"" [null data]

"eMuleAutoStart" = "F:\Arquivos de programas\eMule\eMule.exe -AutoStart" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"SunJavaUpdateSched" = ""F:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"WatchDog" = "F:\Arquivos de programas\mobile PhoneTools\WatchDog.exe" [null data]

"C6501Sound" = "RunDll32 c6501.cpl,CMICtrlWnd" [MS]

"AVG7_CC" = "F:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"amd_dc_opt" = "F:\Arquivos de programas\AMD\Dual-Core Optimizer\amd_dc_opt.exe" ["AMD"]

"!AVG Anti-Spyware" = ""F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

"NvMediaCenter" = "RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"warn default inter for" = "F:\Documents and Settings\All Users\Dados de aplicativos\Time Dead Warn Default\date peak.exe" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "F:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"

-> {HKLM...CLSID} = "BitComet Helper"

\InProcServer32\(Default) = "F:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.1.2.dll" ["BitComet"]

{40498DEF-8B13-44A6-A1A7-69DFE36E9210}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Congoo Netpass"

\InProcServer32\(Default) = "F:\Arquivos de programas\Congoo Netpass\congootb.dll" ["Congoo LLC"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

{7E6CDC1C-3B90-47D7-B2A8-24438CA96075}\(Default) = (no title provided)

-> {HKLM...CLSID} = "IbestBHO Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Discador BRTurbo\bho.dll" [empty string]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Auxiliar de Conexão do Windows Live"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "F:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "F:\Arquivos de programas\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Gestor de Ficheiros da Sony Ericsson"

-> {HKLM...CLSID} = "Gestor de Ficheiros da Sony Ericsson"

\InProcServer32\(Default) = "F:\Arquivos de programas\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]

"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Gestor de Ficheiros da Sony Ericsson"

-> {HKLM...CLSID} = "Gestor de Ficheiros da Sony Ericsson"

\InProcServer32\(Default) = "F:\Arquivos de programas\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"

-> {HKLM...CLSID} = "Nokia Phone Browser"

\InProcServer32\(Default) = "F:\Arquivos de programas\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "F:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> avgwlntf\DLLName = "avgwlntf.dll" ["GRISOFT, s.r.o."]

<<!>> PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "F:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoSMHelp" = (REG_DWORD) dword:0x00000001

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Help menu from Start Menu}

 

"NoBandCustomize" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|

Disable customizing browser toolbars}

 

"NoMovingBands" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoCloseDragDropBands" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoSetTaskbar" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Prevent changes to Taskbar and Start Menu Settings}

 

"NoToolbarsOnTaskbar" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoResolveSearch" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}

 

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

 

"NoUpdateCheck" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "F:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "F:\Documents and Settings\Jean\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Startup items in "Jean" & "All Users" startup folders:

------------------------------------------------------

 

F:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

"Pandion" -> shortcut to: "F:\Arquivos de programas\Pandion\Pandion.exe /minimized" ["Deckers & Staelens VOF"]

 

 

Enabled Scheduled Tasks:

------------------------

 

"B3788BB59F8B078D" -> launches: "f:\docume~1\jean\dadosd~1\doesco~1\Funk One Rdr.exe" [file not found]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{40498DEF-8B13-44A6-A1A7-69DFE36E9210}" = (no title provided)

-> {HKLM...CLSID} = "Congoo Netpass"

\InProcServer32\(Default) = "F:\Arquivos de programas\Congoo Netpass\congootb.dll" ["Congoo LLC"]

"{4F869C58-D71D-4850-8BDD-7B5CDF8EC911}" = "IBEST"

-> {HKLM...CLSID} = "iBEST Tools"

\InProcServer32\(Default) = "F:\Arquivos de programas\Discador BRTurbo\ibestbar.dll" [empty string]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "F:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "F:\Arquivos de programas\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

 

{D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\

"ButtonText" = "BitComet"

"Script" = "res://F:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.1.2.dll/206" ["BitComet"]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

F:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SEARCH_PAGE_URL="&http://home.microsoft.com/intl/br/access/allinone.asp"

[strings]: SAFESITE_VALUE="search.msn.com.br"

 

Missing lines (compared with English-language version):

[strings]: 2 lines

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Apple Mobile Device, Apple Mobile Device, ""F:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]

AVG E-mail Scanner, AVGEMS, "F:\ARQUIV~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "F:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Resident Shield Service, AvgCoreSvc, "F:\ARQUIV~1\Grisoft\AVG7\avgrssvc.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "F:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]

Cyberlink RichVideo Service(CRVS), RichVideo, ""F:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe"" [empty string]

Firebird Guardian - DefaultInstance, FirebirdGuardianDefaultInstance, "F:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe -s" ["The Firebird Project"]

Firebird Server - DefaultInstance, FirebirdServerDefaultInstance, "F:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe -s" ["The Firebird Project"]

MSSQL$PINNACLESYS, MSSQL$PINNACLESYS, ""F:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS" [MS]

NVIDIA Display Driver Service, NVSvc, "F:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

PDScheduler, PDSched, ""F:\Arquivos de programas\Raxco\PerfectDisk\PDSched.exe"" ["Raxco Software, Inc."]

Performance Service, nTuneService, "F:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]

PnkBstrA, PnkBstrA, "F:\WINDOWS\system32\PnkBstrA.exe" [null data]

Update Center Service, UpdateCenterService, "F:\Arquivos de programas\NVIDIA Corporation\System Update\UpdateCenterService.exe /StartService" ["NVIDIA"]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "F:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"F:\WINDOWS\System32\WUDFSvc.dll" [MS]}

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

pcAnywhere Remote Printing\Driver = "awmon.dll" ["Symantec Corporation"]

PDFConverter\Driver = "pdfmonnt.dll" [null data]

 

 

---------- (launch time: 2008-05-04 13:53:52)

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 50 seconds, including 18 seconds for message boxes)


Hey jeanjcds,

 

Here we go.

 

Go to Start -> Run -> type regedit -> click OK.

 

Navigate to the following subkey:

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

In the right-hand pane, locate and delete the following entry:

 

"dash data" = "F:\DOCUME~1\Jean\DADOSD~1\DOESCO~1\dale gram joy.exe"

 

Navigate to the following subkey:

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

In the right-hand pane, locate and delete the following entry:

 

"warn default inter for" = "F:\Documents and Settings\All Users\Dados de aplicativos\Time Dead Warn Default\date peak.exe"

 

Locate and delete the following folder:

 

f:\docume~1\jean\dadosd~1\doesco~1

 

Exit the Registry Editor.

 

Come back with a new SilentRunners log.

 

Regards.

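As an added example (not part of this thread, and not code from Silent Runners or the helper), here is a small Python triage script for logs in the layout posted here. It pulls out the lines worth a second look: the `<<!>>` and `<<H>>` markers the script itself prints, the `[file not found]`, `[null data]` and `[empty string]` trailers, and any executable that auto-starts from a per-user application-data folder, which is exactly where the two Run entries above and the orphaned scheduled task in the next log live. The sample log is constructed in the same format; the `[null data]` annotations on the two Run entries are assumed, and the user-data-folder rule is a heuristic that a real host would need a whitelist for.

```python
"""Triage helper for Silent Runners-style autorun logs (added example, not part of the thread)."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Markers printed by Silent Runners itself (see the legend at the foot of each log).
MARKERS = {
    "<<!>>": ("review", "Silent Runners flagged this malware launch point"),
    "<<H>>": ("review", "Silent Runners flagged this browser hijack point"),
}

# Trailing annotations Silent Runners appends after the file path.
TRAILERS = {
    "[file not found]": ("medium", "launch point refers to a file that no longer exists"),
    "[null data]": ("low", "binary has no company name in its version info"),
    "[empty string]": ("low", "binary has an empty company name in its version info"),
}

# Only lines that reference an executable get the path heuristic (keeps .bmp wallpapers out).
EXEC_RE = re.compile(r'(?i)\.(exe|dll|bat|cmd|com|scr|pif|vbs|js)(?=["\s]|$)')

# Per-user data folders: English and Brazilian-Portuguese XP layouts, long and 8.3 short names.
# Assumption: nothing legitimate should auto-start from there; whitelist per host if it does.
USER_DATA_RE = re.compile(
    r"(?i)\\(documents and settings|docume~1)\\[^\\]+\\"
    r"(application data|dados de aplicativos|dadosd~1|local settings|configurações locais)\\"
)

SEVERITY_ORDER = {"high": 0, "medium": 1, "review": 2, "low": 3}


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def triage_line(line: str) -> list[Finding]:
    """Return every reason one log line deserves a closer look (possibly none)."""
    findings: list[Finding] = []
    stripped = line.strip()
    for marker, (sev, why) in MARKERS.items():
        if stripped.startswith(marker):
            findings.append(Finding(sev, why, stripped))
    for trailer, (sev, why) in TRAILERS.items():
        if stripped.endswith(trailer):
            findings.append(Finding(sev, why, stripped))
    if EXEC_RE.search(stripped) and USER_DATA_RE.search(stripped):
        findings.append(Finding("high", "executable auto-starts from a user data folder", stripped))
    return findings


def triage_log(text: str) -> list[Finding]:
    """Triage a whole log, most severe findings first (stable sort keeps log order within a level)."""
    findings = [f for line in text.splitlines() for f in triage_line(line)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity level."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample in the same layout as the logs posted in this thread. The two Run entries
# reuse the names the helper asked to be deleted; their "[null data]" trailers are assumed.
SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "F:\WINDOWS\system32\ctfmon.exe" [MS]
"dash data" = "F:\DOCUME~1\Jean\DADOSD~1\DOESCO~1\dale gram joy.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"warn default inter for" = "F:\Documents and Settings\All Users\Dados de aplicativos\Time Dead Warn Default\date peak.exe" [null data]
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"
"B3788BB59F8B078D" -> launches: "f:\docume~1\jean\dadosd~1\doesco~1\Funk One Rdr.exe" [file not found]
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{2bae58c2-79f9-45d1-a286-81f911301c3a}" = (no title provided)
HKCU\Control Panel\Desktop\
"Wallpaper" = "F:\Documents and Settings\Jean\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Running it on the sample puts the three user-folder executables at the top, lists the orphaned scheduled task as medium, and leaves PerfectDisk's `BootExecute` entry and the `<<H>>` search hook as "review" items: the marker alone means "verify the publisher", not "delete", which is why the `["Raxco Software, Inc."]` line needs a human decision rather than an automatic one.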

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "F:\WINDOWS\system32\ctfmon.exe" [MS]

"MSMSGS" = ""F:\Arquivos de programas\Messenger\msmsgs.exe" /background" [MS]

"BitComet" = ""F:\Arquivos de programas\BitComet\BitComet.exe" /tray" ["www.BitComet.com"]

"Discador BRTurbo" = ""F:\Arquivos de programas\Discador BRTurbo\autoupdate.exe"" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"SunJavaUpdateSched" = ""F:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"AVG7_CC" = "F:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"amd_dc_opt" = "F:\Arquivos de programas\AMD\Dual-Core Optimizer\amd_dc_opt.exe" ["AMD"]

"!AVG Anti-Spyware" = ""F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

"NvMediaCenter" = "RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "F:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{2bae58c2-79f9-45d1-a286-81f911301c3a}\(Default) = (no title provided)

-> {HKLM...CLSID} = "P2P Energy Toolbar"

\InProcServer32\(Default) = "F:\Arquivos de programas\P2P_Energy\tbP2P_.dll" ["Conduit Ltd."]

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"

-> {HKLM...CLSID} = "BitComet Helper"

\InProcServer32\(Default) = "F:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.1.2.dll" ["BitComet"]

{40498DEF-8B13-44A6-A1A7-69DFE36E9210}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Congoo Netpass"

\InProcServer32\(Default) = "F:\Arquivos de programas\Congoo Netpass\congootb.dll" ["Congoo LLC"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

{7E6CDC1C-3B90-47D7-B2A8-24438CA96075}\(Default) = (no title provided)

-> {HKLM...CLSID} = "IbestBHO Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Discador BRTurbo\bho.dll" [empty string]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Auxiliar de Conexão do Windows Live"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensão do 'Painel de controle' para panorâmica de vídeo"

-> {HKLM...CLSID} = "Extensão do 'Painel de controle' para panorâmica de vídeo"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensão de ícone do HyperTerminal"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "F:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "Minhas Pastas de Compartilhamento"

\InProcServer32\(Default) = "F:\Arquivos de programas\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\Arquivos de programas\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Gestor de Ficheiros da Sony Ericsson"

-> {HKLM...CLSID} = "Gestor de Ficheiros da Sony Ericsson"

\InProcServer32\(Default) = "F:\Arquivos de programas\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]

"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Gestor de Ficheiros da Sony Ericsson"

-> {HKLM...CLSID} = "Gestor de Ficheiros da Sony Ericsson"

\InProcServer32\(Default) = "F:\Arquivos de programas\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"

-> {HKLM...CLSID} = "Nokia Phone Browser"

\InProcServer32\(Default) = "F:\Arquivos de programas\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "F:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "F:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> avgwlntf\DLLName = "avgwlntf.dll" ["GRISOFT, s.r.o."]

<<!>> PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "F:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

-> {HKLM...CLSID} = "PowerISO"

\InProcServer32\(Default) = "F:\Arquivos de programas\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]

UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"

-> {HKLM...CLSID} = "UIContextMenu Class"

\InProcServer32\(Default) = "F:\Arquivos de programas\UltraISO\isoshell.dll" ["EZB Systems, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "F:\Arquivos de programas\WinRAR\rarext.dll" [null data]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"NoSMHelp" = (REG_DWORD) dword:0x00000001

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Help menu from Start Menu}

 

"NoBandCustomize" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|

Disable customizing browser toolbars}

 

"NoMovingBands" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoCloseDragDropBands" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoSetTaskbar" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Prevent changes to Taskbar and Start Menu Settings}

 

"NoToolbarsOnTaskbar" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"NoResolveSearch" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}

 

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

 

"NoUpdateCheck" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "F:\WINDOWS\system32\config\systemprofile\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "F:\Documents and Settings\Jean\Configurações locais\Dados de aplicativos\Microsoft\Wallpaper1.bmp"

 

 

Enabled Scheduled Tasks:

------------------------

 

"B3788BB59F8B078D" -> launches: "f:\docume~1\jean\dadosd~1\doesco~1\Funk One Rdr.exe" [file not found]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2BAE58C2-79F9-45D1-A286-81F911301C3A}"

-> {HKLM...CLSID} = "P2P Energy Toolbar"

\InProcServer32\(Default) = "F:\Arquivos de programas\P2P_Energy\tbP2P_.dll" ["Conduit Ltd."]

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{40498DEF-8B13-44A6-A1A7-69DFE36E9210}" = (no title provided)

-> {HKLM...CLSID} = "Congoo Netpass"

\InProcServer32\(Default) = "F:\Arquivos de programas\Congoo Netpass\congootb.dll" ["Congoo LLC"]

"{4F869C58-D71D-4850-8BDD-7B5CDF8EC911}" = "IBEST"

-> {HKLM...CLSID} = "iBEST Tools"

\InProcServer32\(Default) = "F:\Arquivos de programas\Discador BRTurbo\ibestbar.dll" [empty string]

"{2BAE58C2-79F9-45D1-A286-81F911301C3A}" = "P2P Energy Toolbar"

-> {HKLM...CLSID} = "P2P Energy Toolbar"

\InProcServer32\(Default) = "F:\Arquivos de programas\P2P_Energy\tbP2P_.dll" ["Conduit Ltd."]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Pesquisar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "F:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "F:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "F:\Arquivos de programas\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

 

{D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\

"ButtonText" = "BitComet"

"Script" = "res://F:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.1.2.dll/206" ["BitComet"]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

F:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: SEARCH_PAGE_URL="&http://home.microsoft.com/intl/br/access/allinone.asp"

[strings]: SAFESITE_VALUE="search.msn.com.br"

 

Missing lines (compared with English-language version):

[strings]: 2 lines

 

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> "{2bae58c2-79f9-45d1-a286-81f911301c3a}" = (no title provided)

-> {HKLM...CLSID} = "P2P Energy Toolbar"

\InProcServer32\(Default) = "F:\Arquivos de programas\P2P_Energy\tbP2P_.dll" ["Conduit Ltd."]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Apple Mobile Device, Apple Mobile Device, ""F:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "F:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]

AVG E-mail Scanner, AVGEMS, "F:\ARQUIV~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "F:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Resident Shield Service, AvgCoreSvc, "F:\ARQUIV~1\Grisoft\AVG7\avgrssvc.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "F:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]

Cyberlink RichVideo Service(CRVS), RichVideo, ""F:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe"" [empty string]

Firebird Guardian - DefaultInstance, FirebirdGuardianDefaultInstance, "F:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbguard.exe -s" ["The Firebird Project"]

Firebird Server - DefaultInstance, FirebirdServerDefaultInstance, "F:\Arquivos de programas\Firebird\Firebird_1_5\bin\fbserver.exe -s" ["The Firebird Project"]

MSSQL$PINNACLESYS, MSSQL$PINNACLESYS, ""F:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS" [MS]

NVIDIA Display Driver Service, NVSvc, "F:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

PDScheduler, PDSched, ""F:\Arquivos de programas\Raxco\PerfectDisk\PDSched.exe"" ["Raxco Software, Inc."]

Performance Service, nTuneService, "F:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]

PnkBstrA, PnkBstrA, "F:\WINDOWS\system32\PnkBstrA.exe" [null data]

Update Center Service, UpdateCenterService, "F:\Arquivos de programas\NVIDIA Corporation\System Update\UpdateCenterService.exe /StartService" ["NVIDIA"]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "F:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"F:\WINDOWS\System32\WUDFSvc.dll" [MS]}

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

pcAnywhere Remote Printing\Driver = "awmon.dll" ["Symantec Corporation"]

PDFConverter\Driver = "pdfmonnt.dll" [null data]

 

 

---------- (launch time: 2008-05-12 21:41:00)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 24 seconds, including 3 seconds for message boxes)

 

 

I didn't find the entries in either C.U or L.M

 

thank you very much!

your help has been huge


Hey jeanjcds,

 

Download CCleaner -> click here.

 

1. To run the cleanup, just check the Cleaner option (top left) and click Run Cleaner (bottom right). Here you can choose to clean Windows, Applications, or both;

 

2. To fix errors, just choose the Registry option (top left), click Scan for Issues (bottom left), and then Fix Selected Issues (bottom right); by default all of them will be selected;

 

3. Under Tools (top left) you can uninstall programs (the same ones listed in Add / Remove Programs) or remove program entries from startup (experienced users only);

 

4. Under Options are CCleaner's configuration settings, which I suggest you leave unchanged.

 

Run the steps above (only 1. and 2.) and check whether the machine's overall performance has improved.

 

Regards.


Hey jeanjcds,

 

I'm glad to hear your problems are solved. :thumbsup:

 

To finish up:

 

1. Disable and re-enable XP's System Restore. Click here to see how;

 

2. Read the article "Cuidados ao navegar na net" (precautions when browsing the web) and learn how to avoid new infections.

 

Regards.


PROBLEM SOLVED!

 

If the author needs the topic reopened, send a Private Message to a Moderator with a link to the topic.
