
Archived

This topic has been archived and is closed to new replies.

MAcgYvER everyONE

[Archived] explorer closing and opening @ Analyze my log

my explorer.exe keeps opening and closing all the time

and the PC gets very slow

when I turn on the PC, explorer doesn't open; I open it through Task Manager

here is my log

Logfile of HijackThis v1.99.1

Scan saved at 23:45:09, on 23/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20861)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\system32\SnAgOS.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\SnMgrSvc.exe

C:\WINDOWS\system32\SnLiveUp.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLI.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\SnEngine.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\DAP\DAP.EXE

C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\Temp\Rar$EX00.906\HijackThis.exe

C:\WINDOWS\explorer.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: CUOLSearchHook Object - {1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3} - C:\Arquivos de programas\Arquivos comuns\uol\urlsearch\UOLSearchHook.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Barra de Ferramentas do Yahoo! - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [avast!] "C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe"

O4 - HKLM\..\Run: [ATICCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [smartRAM] C:\Arquivos de programas\IObit\Advanced WindowsCare V2 Pro\MemCleaner.exe /m

O4 - HKLM\..\RunOnce: [MSNFix] C:\Documents and Settings\Mario\Desktop\MSNFix\MSNFix.bat /pass2

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Arquivos de programas\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\Microsoft Office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185320123750

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://www.sisdera.com/stream/ampx2.6.1.11_en_dl.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de programas\Windows Live\Mail\mailcomm.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)

O23 - Service: Apache2.2 - Unknown owner - C:\AppServ\Apache2.2\bin\httpd.exe" -k runservice (file missing)

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe (file missing)

O23 - Service: NMSAccessU - Unknown owner - C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe

O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe


Hi MAcgYvER everyONE,

Download ComboFix from:

ComboFix

1) Temporarily disable your antivirus;

2) Double-click combofix.exe and press "1" to proceed. The process takes about 10 minutes on average;

3) ComboFix will restart the PC automatically so that the removal process can be completed (only if there is an infection);

4) When the scan finishes, a log will be generated at C:\ComboFix.txt;

5) Do not click on the ComboFix window or close it by clicking the X while the tool is running, as this will mess up your desktop configuration (it will turn completely white);

6) To stop or exit ComboFix, press "N";

7) Re-enable your antivirus;

8) I need you to paste the contents of ComboFix.txt in your next reply, along with a HijackThis log.

Regards.


when I open ComboFix this appears

you cannot rename combofix as combofix[1]

please user another name,preferbaly madeup of alphanumeric

and it doesn't open =X

you cannot rename combofix as combofix[1]

please user another name,preferbaly madeup of alphanumeric

You cannot rename ComboFix as ComboFix[1].

Please use another name, preferably an alphanumeric one.

Had you already downloaded ComboFix before, or did you rename it when you downloaded it?


I managed to use ComboFix after renaming it to combo-fix.exe

here is the ComboFix log and the new HijackThis log

 

ComboFix 08-08-25.01 - Mario 2008-08-26 15:20:03.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.560 [GMT -3:00]

Executando de: C:\Documents and Settings\Mario\Desktop\Combo-Fix.exe

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Arquivos de programas\outlook

C:\Documents and Settings\Mario\Dados de aplicativos\inst.exe

C:\Documents and Settings\Mario\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\VXL5R4LB\bin.clearspring.com

C:\Documents and Settings\Mario\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\VXL5R4LB\bin.clearspring.com\clearspring.sol

C:\Documents and Settings\Mario\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com

C:\Documents and Settings\Mario\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol

C:\WINDOWS\msvrc20.dll

C:\WINDOWS\system32\byXQGvSK.dll

C:\WINDOWS\system32\drivers\npf.sys

C:\WINDOWS\system32\JiOWxyxx.ini

C:\WINDOWS\system32\JiOWxyxx.ini2

C:\WINDOWS\system32\packet.dll

C:\WINDOWS\system32\pskill.exe

C:\WINDOWS\system32\pthreadVC.dll

C:\WINDOWS\system32\wpcap.dll

C:\WINDOWS\system32\xxyxWOiJ.dll

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NPF

-------\Service_NPF

 

 

((((((((((((((((((((((( Ficheiros criados de 2008-07-26 to 2008-08-26 ))))))))))))))))))))))))))))))))

.

 

2008-08-26 15:29 . 53,248 C:\Temp\catchme.dll

2008-08-26 15:29 . 2008-08-26 15:29 16,384 --a----t- C:\Temp\Perflib_Perfdata_f2c.dat

2008-08-26 15:29 . 2008-08-26 15:29 16,384 --a----t- C:\Temp\Perflib_Perfdata_100.dat

2008-08-26 15:28 . 2008-08-26 15:28 <DIR> d-------- C:\Temp\WPDNSE

2008-08-26 14:21 . 2008-08-26 14:21 186,504 --a------ C:\WINDOWS\system32\SnAgOS.TMP

2008-08-26 13:44 . 2008-08-26 13:44 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll

2008-08-26 13:41 . 2008-08-26 13:42 <DIR> d-------- C:\WINDOWS\ERUNT

2008-08-25 22:27 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0001

2008-08-25 22:27 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0000

2008-08-25 22:17 . 2008-08-25 22:17 137 --a------ C:\WINDOWS\system\sysxpvsetup.ini

2008-08-25 22:03 . 2008-08-25 22:19 <DIR> d-------- C:\Temp\{236BB7C4-4419-42FD-0409-1E257A25E34D}

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\WINDOWS\system32\xircom

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\WINDOWS\system32\npp

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\WINDOWS\srchasst

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\Arquivos de programas\microsoft frontpage

2008-08-24 02:16 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\is-A581P.tmp

2008-08-24 02:16 . 2008-08-24 10:38 <DIR> d-------- C:\Arquivos de programas\Uniblue

2008-08-23 23:26 . 2008-08-23 23:26 <DIR> d-------- C:\!KillBox

2008-08-23 22:41 . 2008-08-23 22:41 <DIR> d-------- C:\LinhaDefensiva

2008-08-23 21:08 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\is-6JCHA.tmp

2008-08-23 20:45 . 2008-08-26 13:56 <DIR> d-------- C:\SDFix

2008-08-23 20:12 . 2008-08-25 14:35 <DIR> d-------- C:\VundoFix Backups

2008-08-22 22:12 . 2008-08-22 22:12 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\IObit

2008-08-22 17:06 . 2008-08-24 11:37 <DIR> d-------- C:\Perl

2008-08-22 16:06 . 2008-08-24 11:41 <DIR> d-------- C:\Temp\~nsu.tmp

2008-08-22 16:05 . 2008-08-22 16:05 115 --a------ C:\WINDOWS\AWOPR.INI

2008-08-22 16:04 . 2008-08-22 16:04 <DIR> d-------- C:\Arquivos de programas\ElcomSoft

2008-08-22 13:46 . 2008-08-22 13:47 <DIR> d-------- C:\Downloads

2008-08-22 13:36 . 2008-08-22 13:48 <DIR> d-------- C:\Arquivos de programas\Free Download Manager

2008-08-20 21:44 . 2008-08-20 21:51 <DIR> d-------- C:\Arquivos de programas\sXe Injected

2008-08-15 12:36 . 2008-08-22 18:48 <DIR> d-------- C:\Arquivos de programas\Jogando.net - Episodio 3

2008-08-13 16:01 . 2008-08-13 16:01 <DIR> d-------- C:\Temp\_is48

2008-08-13 16:01 . 2008-08-13 16:01 <DIR> d-------- C:\Arquivos de programas\Microsoft IntelliPoint

2008-08-13 16:01 . 2007-08-21 05:12 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys

2008-08-13 15:55 . 2008-08-13 15:55 <DIR> d-------- C:\Temp\_isA

2008-08-13 13:36 . 2008-05-01 11:32 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-09 03:40 . 2008-08-09 03:40 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\Yahoo!

2008-08-09 03:40 . 2008-08-09 03:40 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Yahoo! Companion

2008-08-09 03:40 . 2008-08-09 03:40 <DIR> d-------- C:\Arquivos de programas\Yahoo!

2008-08-09 03:40 . 2008-08-22 22:41 <DIR> d-------- C:\Arquivos de programas\IObit

2008-08-08 23:15 . 2008-08-08 23:15 <DIR> d-------- C:\Arquivos de programas\AnalogX

2008-08-08 23:01 . 2008-08-09 03:01 <DIR> d-------- C:\Arquivos de programas\Typle2.0v

2008-08-08 19:40 . 2008-08-08 19:40 244 --ah----- C:\sqmnoopt11.sqm

2008-08-08 19:40 . 2008-08-08 19:40 232 --ah----- C:\sqmdata11.sqm

2008-08-08 17:19 . 2008-08-08 17:19 <DIR> d-------- C:\Arquivos de programas\No-IP

2008-08-08 17:18 . 2008-08-08 17:19 <DIR> d-------- C:\srcds

2008-08-08 17:18 . 2008-08-08 17:18 <DIR> d-------- C:\Fraps

2008-08-08 17:13 . 2008-08-08 17:13 <DIR> d-------- C:\Arquivos de programas\Enigma Software Group

2008-08-08 17:09 . 2008-08-08 17:09 <DIR> d-------- C:\Arquivos de programas\Xvid

2008-08-08 16:24 . 2008-08-08 16:24 0 --a------ C:\WINDOWS\ativpsrm.bin

2008-08-08 16:22 . 2008-08-08 16:22 <DIR> d-------- C:\ATI

2008-08-07 18:08 . 2008-08-08 16:35 <DIR> d-------- C:\Arquivos de programas\Movie Converter V3(2)

2008-08-07 18:07 . 2008-08-07 18:07 <DIR> d-------- C:\Arquivos de programas\ezvideotools.com

2008-08-07 18:07 . 2008-08-07 18:07 165,390 --a------ C:\SDV_0053.wmv

2008-08-07 18:07 . 2008-08-07 18:10 5 --a------ C:\WINDOWS\system32\SySAVI2WMV.dat

2008-08-06 18:14 . 2008-08-08 16:56 <DIR> d-------- C:\Arquivos de programas\K-Lite Codec Pack(2)

2008-08-06 18:14 . 2008-07-04 03:34 860,160 --a------ C:\WINDOWS\system32\lameACM.acm

2008-08-06 18:14 . 2007-09-20 21:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm

2008-08-06 18:14 . 2007-10-03 12:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml

2008-08-05 20:13 . 2008-08-05 20:13 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\Apple Computer

2008-08-05 20:08 . 2008-08-08 16:57 <DIR> d-------- C:\Arquivos de programas\QuickTime

2008-08-05 20:08 . 2008-08-08 16:57 <DIR> d-------- C:\Arquivos de programas\Apple Software Update

2008-08-05 19:29 . 2008-08-08 16:57 <DIR> d-------- C:\WINDOWS\system32\codec

2008-08-05 19:29 . 2008-08-08 16:57 <DIR> d-------- C:\Arquivos de programas\avi2divx

2008-08-05 18:09 . 2008-08-05 18:09 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\Media Player Classic

2008-08-05 17:40 . 2008-08-08 17:09 <DIR> d-------- C:\Arquivos de programas\VLCPortable

2008-08-05 15:10 . 2008-08-08 17:10 <DIR> d-------- C:\WINDOWS\LastGood(2)

2008-08-03 05:07 . 2008-08-08 17:19 <DIR> d-------- C:\Arquivos de programas\PowerStrip(2)

2008-08-03 04:25 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\plugtmp

2008-07-30 00:15 . 2008-07-30 00:15 28,636 --a------ C:\WINDOWS\NTWLOG.007

2008-07-30 00:15 . 2008-07-30 00:15 1,592 --a------ C:\WINDOWS\NTWLOG.003

2008-07-30 00:12 . 2008-07-30 00:12 200,704 --------- C:\WINDOWS\Setup1.exe

2008-07-28 18:51 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\SAINST

2008-07-28 18:51 . 2008-08-08 17:19 <DIR> d-------- C:\Arquivos de programas\SpeedBit Video Accelerator

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-26 18:16 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-08-26 01:21 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-08-24 00:09 --------- d-----w C:\Documents and Settings\Mario\Dados de aplicativos\Uniblue

2008-08-19 19:28 --------- d-----w C:\Arquivos de programas\Valve

2008-08-09 07:37 --------- d-----w C:\Arquivos de programas\1.0 CDBGHF

2008-08-08 20:14 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-08-08 20:13 --------- d-----w C:\Arquivos de programas\Spybot - Search & Destroy

2008-08-08 20:13 --------- d-----w C:\Arquivos de programas\SpeederXP

2008-08-08 20:13 --------- d-----w C:\Arquivos de programas\Gabest

2008-08-08 20:11 --------- d-----w C:\Arquivos de programas\Norton Security Scan

2008-08-08 20:03 --------- d-----w C:\Arquivos de programas\Bonjour

2008-07-30 03:12 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE

2008-07-25 00:40 --------- d-----w C:\Arquivos de programas\GCH Guitar academy

2008-07-23 21:12 --------- d-----w C:\Arquivos de programas\Robster Productions

2008-07-23 16:38 --------- d-----w C:\Arquivos de programas\Auslogics

2008-07-19 04:42 --------- d-----w C:\Documents and Settings\Mario\Dados de aplicativos\teamspeak2

2008-07-18 18:38 587,264 ----a-w C:\WINDOWS\WLXPGSS.SCR

2008-07-15 18:24 --------- d-----w C:\Arquivos de programas\Cucusoft

2008-07-07 20:18 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-07 20:18 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll

2008-06-30 22:24 --------- d-----w C:\Arquivos de programas\Google

2008-06-28 13:04 --------- d-----w C:\Documents and Settings\Mario\Dados de aplicativos\Windows Live Writer

2008-06-28 13:04 --------- d-----w C:\Documents and Settings\Mario\Dados de aplicativos\mIRC

2008-06-28 13:04 --------- d-----w C:\Arquivos de programas\PS Monitor

2008-06-28 13:04 --------- d-----w C:\Arquivos de programas\mIRC

2008-06-24 16:30 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:30 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll

2008-06-23 08:23 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-06-23 08:23 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-06-23 08:23 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-06-20 17:36 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:36 247,808 ------w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:36 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 09:32 225,920 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-14 17:59 272,384 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2007-12-28 16:18 672,812 ----a-w C:\Arquivos de programas\verifinternet.exe

2007-10-20 23:42 47,360 ----a-w C:\Documents and Settings\Mario\Dados de aplicativos\pcouffin.sys

2007-08-13 00:10 1,881,224 ----a-w C:\Arquivos de programas\poker.zip

2007-08-12 16:06 2,785,457 ----a-w C:\Arquivos de programas\bridge.zip

2007-05-04 00:15 5,594,317 ----a-w C:\WINDOWS\system32\config\systemprofile\gtk-runtime.exe

2007-05-04 00:15 5,594,317 ----a-w C:\Documents and Settings\Default User\gtk-runtime.exe

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias & legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 09:12 90112]

"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-08-13 23:51 352256]

"SmartRAM"="C:\Arquivos de programas\IObit\Advanced WindowsCare V2 Pro\MemCleaner.exe" [2007-10-29 16:43 662016]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

"Picasa Media Detector"="C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe" [2007-09-27 22:17 443968]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

 

C:\WINDOWS\system32\config\systemprofile\Menu Iniciar\Programas\Inicializar\

inicial.cmd [2007-06-03 22:26:34 2458]

 

C:\Documents and Settings\Mario\Menu Iniciar\Programas\Inicializar\

Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-29 22:09:01 113664]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDesktopCleanupWizard"= 1 (0x1)

"StartMenuFavorites"= 1 (0x1)

"Start_ShowHelp"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowMyPics"= 0 (0x0)

"Start_ShowNetConn"= 1 (0x1)

"Start_ShowPrinters"= 1 (0x1)

"HideRunAsVerb"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"=hex(2):25,77,69,6e,64,69,72,25,5c,52,65,73,6f,75,72,63,65,73,5c,4c,6f,\

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.i420"= i263_32.drv

"msacm.imc"= imc32.acm

"msacm.l3codecp"= l3codecp.acm

"VIDC.i263"= i263_32.drv

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"msacm.divxa32"= DivXa32.acm

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\counter-strike\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\hltv.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\Steam.exe"=

"C:\\Arquivos de programas\\Ares\\Ares.exe"=

"C:\\Arquivos de programas\\Valve\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\condition zero\\hl.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\gordix\\counter-strike source\\hl2.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Arquivos de programas\\DAP\\DAP.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\dedicated server\\hltv.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\day of defeat\\hl.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Arquivos de programas\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

"C:\\Arquivos de programas\\mIRC\\mirc.exe"=

"C:\\Arquivos de programas\\PS Monitor\\PsMon.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\freeman212\\counter-strike\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\dedicated server\\hlds.exe"=

"C:\\Arquivos de programas\\Valve\\hlds.exe"=

"C:\\Arquivos de programas\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=

 

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 16:22]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 13:39]

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 11:35]

R1 SNSID;SNSID;C:\WINDOWS\system32\Drivers\SNSID.sys [2007-05-30 11:23]

R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys [2007-05-30 11:35]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 11:37]

R2 NMSAccessU;NMSAccessU;C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe [2007-10-12 07:34]

R2 Ps2KSecureKeyboard;SecureKbd;C:\WINDOWS\system32\DRIVERS\psseckbd.sys [2007-05-30 11:21]

R2 sbbotdi;sbbotdi;C:\ARQUIV~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-07-28 18:51]

R2 SNMgrSvc;SNMgrSvc;C:\WINDOWS\system32\SnMgrSvc.exe [2007-05-30 11:34]

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-10-24 15:07]

R2 VideoAcceleratorService;VideoAcceleratorService;C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe [2008-07-28 18:51]

R3 MusCVideo32;MusCVideo32;C:\WINDOWS\system32\DRIVERS\MusCVideo32.sys [2007-12-28 13:50]

R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys [2007-05-30 11:21]

S2 Apache2.2;Apache2.2;C:\AppServ\Apache2.2\bin\httpd.exe []

S3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\drivers\MusCDriverV32.sys []

S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]

 

*Newly Created Service* - ASPI32

*Newly Created Service* - HELPSVC

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2008-08-25 C:\WINDOWS\Tasks\AwcProUpdate.job

- C:\Arquivos de programas\IObit\Advanced WindowsCare V2 Pro\AutoUpdate.exe [2008-04-16 16:47]

 

2008-08-25 C:\WINDOWS\Tasks\AwcProUpdate.job

- C:\Arquivos de programas\IObit\Advanced WindowsCare V2 Pro\ [2008-08-23 20:00]

 

2008-08-26 C:\WINDOWS\Tasks\MP Scheduled Scan.job

- C:\Arquivos de programas\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

 

2008-08-24 C:\WINDOWS\Tasks\Norton Security Scan.job

- C:\Arquivos de programas\Norton Security Scan\Nss.exe [2008-01-09 04:08]

 

2008-08-17 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job

- C:\Arquivos de programas\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

 

2007-09-12 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job

- C:\Arquivos de programas\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

 

2008-08-26 C:\WINDOWS\Tasks\User_Feed_Synchronization-{0BC05769-4C2A-4E27-8129-EC618F7390F7}.job

- C:\WINDOWS\system32\msfeedssync.exe [2007-06-04 11:38]

.

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Mario\Dados de aplicativos\Mozilla\Firefox\Profiles\1juqpct1.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://portuguese.eazel.com/index.php?rvs=hompag

FF -: plugin - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava11.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava12.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava13.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava14.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava32.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJPI150_11.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPOJI610.dll

.

.

------- File Associations (Beta) -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-26 15:29:10

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\SnAgOS.EXE

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\SnLiveUp.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLI.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLI.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-08-26 15:32:49 - Maquina reiniciou

ComboFix-quarantined-files.txt 2008-08-26 18:32:40

 

Pre-Run: 22 pasta(s) 35,624,792,064 bytes disponíveis

Post-Run: 26 pasta(s) 35,546,206,208 bytes disponíveis

 

320 --- E O F --- 2008-08-25 20:10:07

 

 

 

 

 

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 15:35:48, on 26/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20861)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\SnAgOS.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\SnMgrSvc.exe

C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\SnLiveUp.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLI.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\system32\SnEngine.EXE

C:\Arquivos de programas\DAP\DAP.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\WINDOWS\system32\svchost.exe

C:\Temp\Rar$EX00.922\HijackThis.exe

C:\Temp\Rar$EX00.516\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: CUOLSearchHook Object - {1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3} - C:\Arquivos de programas\Arquivos comuns\uol\urlsearch\UOLSearchHook.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Arquivos de programas\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Barra de Ferramentas do Yahoo! - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ATICCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [smartRAM] C:\Arquivos de programas\IObit\Advanced WindowsCare V2 Pro\MemCleaner.exe /m

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\Microsoft Office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185320123750

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://www.sisdera.com/stream/ampx2.6.1.11_en_dl.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de programas\Windows Live\Mail\mailcomm.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)

O23 - Service: Apache2.2 - Unknown owner - C:\AppServ\Apache2.2\bin\httpd.exe" -k runservice (file missing)

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Arquivos de programas\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe (file missing)

O23 - Service: NMSAccessU - Unknown owner - C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe

O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe


Hi MAcgYvER everyONE,

Follow these instructions:

1. Open Notepad, then copy (Control + C) and paste (Control + V) all of the text included in the "Quote":

File::

C:\WINDOWS\system32\config\systemprofile\Menu Iniciar\Programas\Inicializar\inicial.cmd

C:\Documents and Settings\Mario\Dados de aplicativos\pcouffin.sys

C:\WINDOWS\system32\config\systemprofile\gtk-runtime.exe

C:\Documents and Settings\Default User\gtk-runtime.exe

C:\Arquivos de programas\verifinternet.exe

C:\Arquivos de programas\poker.zip

C:\Arquivos de programas\bridge.zip

C:\Arquivos de programas\Typle2.0v

C:\Arquivos de programas\ezvideotools.com

C:\WINDOWS\system32\SnAgOS.EXE

C:\WINDOWS\system32\SnLiveUp.exe

C:\WINDOWS\system32\SnAgOS.TMP

C:\WINDOWS\system\sysxpvsetup.ini

C:\WINDOWS\system32\SySAVI2WMV.dat

C:\WINDOWS\system32\lameACM.acm

C:\WINDOWS\system32\ac3acm.acm

C:\WINDOWS\system32\lame_acm.xml

C:\Temp\Adobelm_Cleanup.0001.dir.0001

C:\Temp\Adobelm_Cleanup.0001.dir.0000

C:\Temp\is-A581P.tmp

C:\Temp\is-6JCHA.tmp

C:\Temp\~nsu.tmp

C:\WINDOWS\AWOPR.INI

C:\WINDOWS\ativpsrm.bin

C:\WINDOWS\NTWLOG.003

C:\WINDOWS\NTWLOG.007

C:\WINDOWS\Setup1.exe

C:\WINDOWS\ST6UNST.EXE

C:\WINDOWS\WLXPGSS.SCR

C:\SDV_0053.wmv

Folder::

C:\Temp\{236BB7C4-4419-42FD-0409-1E257A25E34D}

Registry::

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"=-

WARNING: The script above was written specifically for the infection on this computer. Using it on another machine may cause serious problems for the user.

2. Save the file as CFScript.txt;

3. As shown in the picture below, drag the CFScript.txt file onto ComboFix.exe.

cfscript.gif

4. When the process finishes, the tool will generate a log. Post it (C:\ComboFix.txt) in your next reply, together with a new HijackThis log.

Regards.

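Added example, not part of the original posts and not ComboFix's own code: once C:\ComboFix.txt comes back, a helper can check which CFScript entries the run actually removed. The sketch below parses the File::, Folder:: and Registry:: sections and compares them with the log; it assumes the "Outras Exclusões" banner lists what the run deleted, and the sample script and log are shortened excerpts assembled from lines in this thread.

```python
import re

SCRIPT_SECTIONS = ("file", "folder", "registry")   # directives used in this thread
BANNER = re.compile(r"^\(\(+\s*(.*?)\s*\)\)+$")     # ((((( Title ))))) lines in the log
DIR_ROW = re.compile(r"<DIR>\s+\S+\s+([A-Za-z]:\\.+)$")
PATH = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: a shortened CFScript built from entries in the thread.
SAMPLE_SCRIPT = r'''File::
C:\Arquivos de programas\poker.zip
C:\Arquivos de programas\Typle2.0v
C:\WINDOWS\system32\SnAgOS.EXE
C:\Temp\~nsu.tmp
Folder::
C:\Temp\{236BB7C4-4419-42FD-0409-1E257A25E34D}
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=-
'''

# Constructed sample: a shortened ComboFix log built from lines in the thread.
SAMPLE_LOG = r'''((((((((((((( Outras Exclusões )))))))))))))
.
C:\Arquivos de programas\poker.zip
C:\Temp\{236BB7C4-4419-42FD-0409-1E257A25E34D}
C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\SnAgOS.EXE
.
((((((((( Ficheiros criados de 2008-08-01 to 2008-09-01 )))))))))
.
2008-08-22 16:06 . 2008-08-28 07:40 <DIR> d-------- C:\Temp\~nsu.tmp
2008-08-08 23:01 . 2008-08-09 03:01 <DIR> d-------- C:\Arquivos de programas\Typle2.0v
2008-09-01 14:01 . 2008-09-01 14:01 53,248 --a------ C:\Temp\catchme.dll
'''


def parse_cfscript(text):
    """Split a CFScript into the lines under File::, Folder:: and Registry::."""
    sections = {name: [] for name in SCRIPT_SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"([A-Za-z]+)::", line)
        if header:
            name = header.group(1).lower()
            current = name if name in sections else None  # skip unknown directives
            continue
        if current:
            sections[current].append(line)
    return sections


def log_sections(log_text):
    """Map each banner title (lower-cased) to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if banner:
            current = sections.setdefault(banner.group(1).lower(), [])
        elif current is not None and line and line != ".":
            current.append(line)
    return sections


def find_section(sections, fragment):
    """Return the lines of the first section whose title contains fragment."""
    for title, lines in sections.items():
        if fragment in title:
            return lines
    return []


def audit(script_text, log_text):
    """Classify every File::/Folder:: entry by what the log says about it."""
    script = parse_cfscript(script_text)
    secs = log_sections(log_text)
    # A partial title match tolerates the mis-encoded accents seen in posted logs.
    deleted = {l.lower() for l in find_section(secs, "outras exclus") if PATH.match(l)}
    dirs = set()
    for row in find_section(secs, "ficheiros criados"):
        match = DIR_ROW.search(row)
        if match:
            dirs.add(match.group(1).lower())
    report = {}
    for kind in ("file", "folder"):
        for path in script[kind]:
            key = path.lower()  # Windows paths compare case-insensitively
            if key in deleted:
                report[path] = "deleted"
            elif kind == "file" and key in dirs:
                report[path] = "still present as a directory"
            else:
                report[path] = "not reported"
    return report


if __name__ == "__main__":
    for path, status in audit(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{status:30} {path}")
```

Run against the ComboFix log posted in the reply that follows, the same comparison leaves seven File:: entries out of the deletions section, and each of them appears as `<DIR>` in the created-files listing.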

ComboFix 08-08-31.01 - Mario 2008-09-01 13:54:39.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.546 [GMT -3:00]

Executando de: C:\Documents and Settings\Mario\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Mario\Desktop\CFScript.txt

* Criado um novo ponto de restauro

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

 

FILE ::

C:\Arquivos de programas\bridge.zip

C:\Arquivos de programas\ezvideotools.com

C:\Arquivos de programas\poker.zip

C:\Arquivos de programas\Typle2.0v

C:\Arquivos de programas\verifinternet.exe

C:\Documents and Settings\Default User\gtk-runtime.exe

C:\Documents and Settings\Mario\Dados de aplicativos\pcouffin.sys

C:\SDV_0053.wmv

C:\Temp\~nsu.tmp

C:\Temp\Adobelm_Cleanup.0001.dir.0000

C:\Temp\Adobelm_Cleanup.0001.dir.0001

C:\Temp\is-6JCHA.tmp

C:\Temp\is-A581P.tmp

C:\WINDOWS\ativpsrm.bin

C:\WINDOWS\AWOPR.INI

C:\WINDOWS\NTWLOG.003

C:\WINDOWS\NTWLOG.007

C:\WINDOWS\Setup1.exe

C:\WINDOWS\ST6UNST.EXE

C:\WINDOWS\system\sysxpvsetup.ini

C:\WINDOWS\system32\ac3acm.acm

C:\WINDOWS\system32\config\systemprofile\gtk-runtime.exe

C:\WINDOWS\system32\config\systemprofile\Menu Iniciar\Programas\Inicializar\inicial.cmd

C:\WINDOWS\system32\lame_acm.xml

C:\WINDOWS\system32\lameACM.acm

C:\WINDOWS\system32\SnAgOS.EXE

C:\WINDOWS\system32\SnAgOS.TMP

C:\WINDOWS\system32\SnLiveUp.exe

C:\WINDOWS\system32\SySAVI2WMV.dat

C:\WINDOWS\WLXPGSS.SCR

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Arquivos de programas\bridge.zip

C:\Arquivos de programas\poker.zip

C:\Arquivos de programas\verifinternet.exe

C:\Documents and Settings\Default User\gtk-runtime.exe

C:\Documents and Settings\Mario\Dados de aplicativos\pcouffin.sys

C:\SDV_0053.wmv

C:\Temp\{236BB7C4-4419-42FD-0409-1E257A25E34D}

C:\WINDOWS\ativpsrm.bin

C:\WINDOWS\AWOPR.INI

C:\WINDOWS\msvrc20.dll

C:\WINDOWS\NTWLOG.003

C:\WINDOWS\NTWLOG.007

C:\WINDOWS\Setup1.exe

C:\WINDOWS\ST6UNST.EXE

C:\WINDOWS\system\sysxpvsetup.ini

C:\WINDOWS\system32\ac3acm.acm

C:\WINDOWS\system32\config\systemprofile\gtk-runtime.exe

C:\WINDOWS\system32\config\systemprofile\Menu Iniciar\Programas\Inicializar\inicial.cmd

C:\WINDOWS\system32\lame_acm.xml

C:\WINDOWS\system32\lameACM.acm

C:\WINDOWS\system32\SnAgOS.EXE

C:\WINDOWS\system32\SnAgOS.TMP

C:\WINDOWS\system32\SnLiveUp.exe

C:\WINDOWS\system32\SySAVI2WMV.dat

C:\WINDOWS\WLXPGSS.SCR

 

.

((((((((((((((((((((((( Ficheiros criados de 2008-08-01 to 2008-09-01 ))))))))))))))))))))))))))))))))

.

 

2008-09-01 14:01 . 2008-09-01 14:01 <DIR> d-------- C:\Temp\WPDNSE

2008-09-01 14:01 . 2008-09-01 14:01 53,248 --a------ C:\Temp\catchme.dll

2008-09-01 13:33 . 2008-09-01 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Yahoo! Companion

2008-09-01 13:33 . 2008-09-01 13:33 <DIR> d-------- C:\Arquivos de programas\Yahoo!

2008-08-31 03:18 . 2008-08-31 03:31 <DIR> d-------- C:\Arquivos de programas\UltraVNC

2008-08-30 08:34 . 2008-08-30 08:34 <DIR> d-------- C:\Arquivos de programas\BySoft Network Monitor

2008-08-30 03:17 . 2008-09-01 14:01 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0003

2008-08-30 03:17 . 2008-09-01 14:01 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0002

2008-08-29 15:01 . 2008-09-01 14:01 <DIR> d-------- C:\Temp\mzlive

2008-08-27 17:19 . 2008-08-27 17:19 <DIR> d-------- C:\Temp\~CaA5

2008-08-27 17:19 . 2008-09-01 14:01 <DIR> d-------- C:\Temp\!daA9.tmp

2008-08-27 17:19 . 2008-08-27 17:19 <DIR> d-------- C:\Temp\!daA6.tmp

2008-08-27 17:14 . 2008-08-27 17:14 <DIR> d-------- C:\Temp\146808901

2008-08-27 17:14 . 2008-08-27 17:14 <DIR> d-------- C:\Temp\146762341

2008-08-27 17:13 . 2008-08-27 17:13 <DIR> d-------- C:\Temp\~Ca61

2008-08-27 17:13 . 2008-09-01 14:01 <DIR> d-------- C:\Temp\!da65.tmp

2008-08-27 17:13 . 2008-08-27 17:13 <DIR> d-------- C:\Temp\!da62.tmp

2008-08-27 17:10 . 2008-08-27 17:10 <DIR> d-------- C:\Temp\~Ca51

2008-08-27 17:10 . 2008-09-01 14:01 <DIR> d-------- C:\Temp\!da30.tmp

2008-08-27 17:08 . 2008-08-27 17:08 <DIR> d--h----- C:\Temp\~scrap

2008-08-27 17:08 . 2008-08-27 17:08 <DIR> d-------- C:\Temp\~Ca2C

2008-08-27 17:08 . 2008-08-27 17:08 <DIR> d-------- C:\Temp\!da2D.tmp

2008-08-26 15:32 . 2008-08-26 15:32 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2008-08-26 15:32 . 2008-08-26 15:32 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais

2008-08-26 15:32 . 2008-08-26 15:32 <DIR> d-------- C:\Documents and Settings\Mario\Configurações locais

2008-08-26 15:32 . 2008-08-26 15:32 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais

2008-08-26 13:44 . 2008-08-26 13:44 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll

2008-08-26 13:41 . 2008-08-26 13:42 <DIR> d-------- C:\WINDOWS\ERUNT

2008-08-25 22:27 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0001

2008-08-25 22:27 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0000

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\WINDOWS\system32\xircom

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\WINDOWS\system32\npp

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\WINDOWS\srchasst

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\Arquivos de programas\microsoft frontpage

2008-08-24 02:16 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\is-A581P.tmp

2008-08-24 02:16 . 2008-08-24 10:38 <DIR> d-------- C:\Arquivos de programas\Uniblue

2008-08-23 23:26 . 2008-08-23 23:26 <DIR> d-------- C:\!KillBox

2008-08-23 22:41 . 2008-08-23 22:41 <DIR> d-------- C:\LinhaDefensiva

2008-08-23 21:08 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\is-6JCHA.tmp

2008-08-23 20:45 . 2008-08-26 13:56 <DIR> d-------- C:\SDFix

2008-08-23 20:12 . 2008-08-30 17:40 <DIR> d-------- C:\VundoFix Backups

2008-08-22 22:12 . 2008-08-22 22:12 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\IObit

2008-08-22 17:06 . 2008-08-24 11:37 <DIR> d-------- C:\Perl

2008-08-22 16:06 . 2008-08-28 07:40 <DIR> d-------- C:\Temp\~nsu.tmp

2008-08-22 16:04 . 2008-08-22 16:04 <DIR> d-------- C:\Arquivos de programas\ElcomSoft

2008-08-22 13:46 . 2008-08-22 13:47 <DIR> d-------- C:\Downloads

2008-08-22 13:36 . 2008-08-22 13:48 <DIR> d-------- C:\Arquivos de programas\Free Download Manager

2008-08-20 21:44 . 2008-08-20 21:51 <DIR> d-------- C:\Arquivos de programas\sXe Injected

2008-08-13 16:01 . 2008-08-13 16:01 <DIR> d-------- C:\Temp\_is48

2008-08-13 16:01 . 2008-08-13 16:01 <DIR> d-------- C:\Arquivos de programas\Microsoft IntelliPoint

2008-08-13 16:01 . 2007-08-21 05:12 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys

2008-08-13 15:55 . 2008-08-13 15:55 <DIR> d-------- C:\Temp\_isA

2008-08-13 13:36 . 2008-05-01 11:32 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-09 03:40 . 2008-08-09 03:40 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\Yahoo!

2008-08-09 03:40 . 2008-08-22 22:41 <DIR> d-------- C:\Arquivos de programas\IObit

2008-08-08 23:15 . 2008-08-08 23:15 <DIR> d-------- C:\Arquivos de programas\AnalogX

2008-08-08 23:01 . 2008-08-09 03:01 <DIR> d-------- C:\Arquivos de programas\Typle2.0v

2008-08-08 19:40 . 2008-08-08 19:40 244 --ah----- C:\sqmnoopt11.sqm

2008-08-08 19:40 . 2008-08-08 19:40 232 --ah----- C:\sqmdata11.sqm

2008-08-08 17:19 . 2008-08-08 17:19 <DIR> d-------- C:\Arquivos de programas\No-IP

2008-08-08 17:18 . 2008-08-08 17:19 <DIR> d-------- C:\srcds

2008-08-08 17:18 . 2008-08-08 17:18 <DIR> d-------- C:\Fraps

2008-08-08 17:13 . 2008-08-08 17:13 <DIR> d-------- C:\Arquivos de programas\Enigma Software Group

2008-08-08 17:09 . 2008-08-08 17:09 <DIR> d-------- C:\Arquivos de programas\Xvid

2008-08-08 16:22 . 2008-08-08 16:22 <DIR> d-------- C:\ATI

2008-08-07 18:08 . 2008-08-08 16:35 <DIR> d-------- C:\Arquivos de programas\Movie Converter V3(2)

2008-08-07 18:07 . 2008-08-07 18:07 <DIR> d-------- C:\Arquivos de programas\ezvideotools.com

2008-08-06 18:14 . 2008-08-08 16:56 <DIR> d-------- C:\Arquivos de programas\K-Lite Codec Pack(2)

2008-08-05 20:13 . 2008-08-05 20:13 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\Apple Computer

2008-08-05 20:08 . 2008-08-08 16:57 <DIR> d-------- C:\Arquivos de programas\QuickTime

2008-08-05 20:08 . 2008-08-08 16:57 <DIR> d-------- C:\Arquivos de programas\Apple Software Update

2008-08-05 19:29 . 2008-08-08 16:57 <DIR> d-------- C:\WINDOWS\system32\codec

2008-08-05 19:29 . 2008-08-08 16:57 <DIR> d-------- C:\Arquivos de programas\avi2divx

2008-08-05 18:09 . 2008-08-05 18:09 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\Media Player Classic

2008-08-05 17:40 . 2008-08-08 17:09 <DIR> d-------- C:\Arquivos de programas\VLCPortable

2008-08-05 15:10 . 2008-08-08 17:10 <DIR> d-------- C:\WINDOWS\LastGood(2)

2008-08-03 05:07 . 2008-08-08 17:19 <DIR> d-------- C:\Arquivos de programas\PowerStrip(2)

2008-08-03 04:25 . 2008-08-26 13:49 <DIR> d-------- C:\Temp\plugtmp

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-01 16:45 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-08-31 03:26 --------- d-----w C:\Arquivos de programas\Valve

2008-08-26 01:21 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-08-24 00:09 --------- d-----w C:\Documents and Settings\Mario\Dados de aplicativos\Uniblue

2008-08-09 07:37 --------- d-----w C:\Arquivos de programas\1.0 CDBGHF

2008-08-08 20:19 --------- d-----w C:\Arquivos de programas\SpeedBit Video Accelerator

2008-08-08 20:14 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-08-08 20:13 --------- d-----w C:\Arquivos de programas\Spybot - Search & Destroy

2008-08-08 20:13 --------- d-----w C:\Arquivos de programas\SpeederXP

2008-08-08 20:13 --------- d-----w C:\Arquivos de programas\Gabest

2008-08-08 20:03 --------- d-----w C:\Arquivos de programas\Bonjour

2008-07-25 00:40 --------- d-----w C:\Arquivos de programas\GCH Guitar academy

2008-07-23 21:12 --------- d-----w C:\Arquivos de programas\Robster Productions

2008-07-23 16:38 --------- d-----w C:\Arquivos de programas\Auslogics

2008-07-19 04:42 --------- d-----w C:\Documents and Settings\Mario\Dados de aplicativos\teamspeak2

2008-07-15 18:24 --------- d-----w C:\Arquivos de programas\Cucusoft

.

 

((((((((((((((((((((((((((((( snapshot@2008-08-26_15.31.09.10 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-08-24 13:38:24 6,931,412 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat

+ 2008-08-28 00:57:30 1,093,296 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat

+ 2008-09-01 16:58:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6dc.dat

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias & legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

"Picasa Media Detector"="C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe" [2007-09-27 22:17 443968]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-06-23 12:40 124928 C:\WINDOWS\system32\advpack.dll]

 

C:\Documents and Settings\Mario\Menu Iniciar\Programas\Inicializar\

Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-29 22:09:01 113664]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDesktopCleanupWizard"= 1 (0x1)

"StartMenuFavorites"= 1 (0x1)

"Start_ShowHelp"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowMyPics"= 0 (0x0)

"Start_ShowNetConn"= 1 (0x1)

"Start_ShowPrinters"= 1 (0x1)

"HideRunAsVerb"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.i420"= i263_32.drv

"msacm.imc"= imc32.acm

"msacm.l3codecp"= l3codecp.acm

"VIDC.i263"= i263_32.drv

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\counter-strike\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\hltv.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\Steam.exe"=

"C:\\Arquivos de programas\\Valve\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\condition zero\\hl.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\gordix\\counter-strike source\\hl2.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Arquivos de programas\\DAP\\DAP.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\dedicated server\\hltv.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\day of defeat\\hl.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Arquivos de programas\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

"C:\\Arquivos de programas\\PS Monitor\\PsMon.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\freeman212\\counter-strike\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\dedicated server\\hlds.exe"=

"C:\\Arquivos de programas\\Valve\\hlds.exe"=

"C:\\Arquivos de programas\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5900:TCP"= 5900:TCP:vnc5900

"5800:TCP"= 5800:TCP:vnc5800

 

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 16:22]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 13:39]

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 11:35]

R1 SNSID;SNSID;C:\WINDOWS\system32\Drivers\SNSID.sys [2007-05-30 11:23]

R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys [2007-05-30 11:35]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 11:37]

R2 NMSAccessU;NMSAccessU;C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe [2007-10-12 07:34]

R2 Ps2KSecureKeyboard;SecureKbd;C:\WINDOWS\system32\DRIVERS\psseckbd.sys [2007-05-30 11:21]

R2 sbbotdi;sbbotdi;C:\ARQUIV~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-07-28 18:51]

R2 SNMgrSvc;SNMgrSvc;C:\WINDOWS\system32\SnMgrSvc.exe [2007-05-30 11:34]

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-10-24 15:07]

R2 VideoAcceleratorService;VideoAcceleratorService;C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe [2008-07-28 18:51]

R3 MusCVideo32;MusCVideo32;C:\WINDOWS\system32\DRIVERS\MusCVideo32.sys [2007-12-28 13:50]

R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys [2007-05-30 11:21]

S2 Apache2.2;Apache2.2;C:\AppServ\Apache2.2\bin\httpd.exe []

S3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\drivers\MusCDriverV32.sys []

S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]

 

*Newly Created Service* - ASPI32

.

Conteúdo da pasta 'Tarefas Agendadas'

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-01 14:01:37

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

------------------------ Outros Processos em Execução ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe

.

**************************************************************************

.

Tempo para conclusão: 2008-09-01 14:03:45 - Maquina reiniciou

ComboFix-quarantined-files.txt 2008-09-01 17:03:40

ComboFix2.txt 2008-08-26 18:32:52

 

Pre-Run: 22 pasta(s) 36,913,782,784 bytes disponíveis

Post-Run: 26 pasta(s) 36,930,625,536 bytes disponíveis

 

290 --- E O F --- 2008-08-29 11:58:12

 

Logfile of HijackThis v1.99.1

Scan saved at 14:15:54, on 1/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20861)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

C:\Arquivos de programas\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\SnMgrSvc.exe

C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe

C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe

C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Arquivos de programas\Internet Explorer\iexplore.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\WinRAR\WinRAR.exe

C:\Temp\Rar$EX00.672\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: CUOLSearchHook Object - {1FE8243E-0A3A-41B9-B9CE-EFFEE51974D3} - C:\Arquivos de programas\Arquivos comuns\uol\urlsearch\UOLSearchHook.dll

R3 - URLSearchHook: Barra de Ferramentas do Yahoo! - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Arquivos de programas\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Barra de Ferramentas do Yahoo! - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: &Windows Live Search - res://C:\Arquivos de programas\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\Microsoft Office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O11 - Options group: [TABS] Tabbed Browsing

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1185320123750

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://www.sisdera.com/stream/ampx2.6.1.11_en_dl.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Arquivos de programas\Windows Live\Mail\mailcomm.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)

O23 - Service: Apache2.2 - Unknown owner - C:\AppServ\Apache2.2\bin\httpd.exe" -k runservice (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe

O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe (file missing)

O23 - Service: NMSAccessU - Unknown owner - C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe

O23 - Service: SNMgrSvc - Open Communications Security S/A - C:\WINDOWS\system32\SnMgrSvc.exe

O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe


Hi MAcgYvER everyONE,

Download CCleaner.

1. To run the cleanup, just select the Limpeza (Cleaning) option, at the top left, and click Executar Limpeza (Run Cleaning), at the bottom right. Here you can choose to clean Windows, Programs, or both;

2. To fix errors, just choose the Registro (Registry) option, at the top left, click Procurar erros (Search for errors), at the bottom left, and then Corrigir Erros Selecionados (Fix Selected Errors), at the bottom right (by default all of them will be selected);

3. Under Ferramentas (Tools), at the top left, you can uninstall programs (the same ones listed in Add/Remove Programs) or remove program entries from startup (for experienced users only);

4. Under Opções (Options) you will find CCleaner's configuration settings, which I suggest you leave unchanged.

Carry out the actions above (only 1. and 2.) and come back with a new ComboFix log.

Regards.


ComboFix 08-08-31.01 - Mario 2008-09-03 13:08:39.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.552 [GMT -3:00]

Executando de: C:\Documents and Settings\Mario\Meus documentos\My Completed Downloads\ComboFix.exe

 

ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

.

 

((((((((((((((((((((((( Ficheiros criados de 2008-08-03 to 2008-09-03 ))))))))))))))))))))))))))))))))

.

 

2008-09-03 13:10 . 53,248 C:\Temp\catchme.dll

2008-09-03 13:08 . 2008-09-03 13:08 <DIR> d-------- C:\Temp\WPDNSE

2008-09-02 23:02 . 2008-09-02 23:04 <DIR> d-------- C:\Temp\7zS2C.tmp

2008-09-02 23:01 . 2008-09-02 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\avg8

2008-09-02 23:01 . 2008-09-02 23:01 <DIR> d-------- C:\Arquivos de programas\AVG

2008-09-02 19:55 . 2008-09-02 19:59 <DIR> d-------- C:\Temp\hsperfdata_Mario

2008-09-02 18:23 . 2008-09-02 18:23 <DIR> d-------- C:\Arquivos de programas\CCleaner

2008-09-01 21:06 . 2008-09-01 21:06 <DIR> d-------- C:\Arquivos de programas\Ares

2008-09-01 18:33 . 2008-09-03 13:10 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0005

2008-09-01 18:32 . 2008-09-03 13:10 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0004

2008-09-01 13:33 . 2008-09-01 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Yahoo! Companion

2008-09-01 13:33 . 2008-09-01 13:33 <DIR> d-------- C:\Arquivos de programas\Yahoo!

2008-08-31 03:18 . 2008-08-31 03:31 <DIR> d-------- C:\Arquivos de programas\UltraVNC

2008-08-30 08:34 . 2008-08-30 08:34 <DIR> d-------- C:\Arquivos de programas\BySoft Network Monitor

2008-08-26 15:32 . 2008-09-01 14:03 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais

2008-08-26 15:32 . 2008-09-01 14:03 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais

2008-08-26 15:32 . 2008-09-01 14:03 <DIR> d-------- C:\Documents and Settings\Mario\Configurações locais

2008-08-26 15:32 . 2008-09-01 14:03 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais

2008-08-26 13:44 . 2008-08-26 13:44 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll

2008-08-26 13:41 . 2008-08-26 13:42 <DIR> d-------- C:\WINDOWS\ERUNT

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\WINDOWS\system32\xircom

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\WINDOWS\system32\npp

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\WINDOWS\srchasst

2008-08-24 10:38 . 2008-08-24 10:38 <DIR> d-------- C:\Arquivos de programas\microsoft frontpage

2008-08-24 02:16 . 2008-08-24 10:38 <DIR> d-------- C:\Arquivos de programas\Uniblue

2008-08-23 23:26 . 2008-08-23 23:26 <DIR> d-------- C:\!KillBox

2008-08-23 22:41 . 2008-08-23 22:41 <DIR> d-------- C:\LinhaDefensiva

2008-08-23 20:45 . 2008-08-26 13:56 <DIR> d-------- C:\SDFix

2008-08-23 20:12 . 2008-08-30 17:40 <DIR> d-------- C:\VundoFix Backups

2008-08-22 22:12 . 2008-08-22 22:12 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\IObit

2008-08-22 17:06 . 2008-08-24 11:37 <DIR> d-------- C:\Perl

2008-08-22 16:04 . 2008-08-22 16:04 <DIR> d-------- C:\Arquivos de programas\ElcomSoft

2008-08-22 13:46 . 2008-08-22 13:47 <DIR> d-------- C:\Downloads

2008-08-22 13:36 . 2008-08-22 13:48 <DIR> d-------- C:\Arquivos de programas\Free Download Manager

2008-08-20 21:44 . 2008-08-20 21:51 <DIR> d-------- C:\Arquivos de programas\sXe Injected

2008-08-13 16:01 . 2008-08-13 16:01 <DIR> d-------- C:\Arquivos de programas\Microsoft IntelliPoint

2008-08-13 16:01 . 2007-08-21 05:12 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys

2008-08-13 13:36 . 2008-05-01 11:32 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-09 03:40 . 2008-08-09 03:40 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\Yahoo!

2008-08-09 03:40 . 2008-08-22 22:41 <DIR> d-------- C:\Arquivos de programas\IObit

2008-08-08 23:15 . 2008-08-08 23:15 <DIR> d-------- C:\Arquivos de programas\AnalogX

2008-08-08 23:01 . 2008-08-09 03:01 <DIR> d-------- C:\Arquivos de programas\Typle2.0v

2008-08-08 19:40 . 2008-08-08 19:40 244 --ah----- C:\sqmnoopt11.sqm

2008-08-08 19:40 . 2008-08-08 19:40 232 --ah----- C:\sqmdata11.sqm

2008-08-08 17:19 . 2008-08-08 17:19 <DIR> d-------- C:\Arquivos de programas\No-IP

2008-08-08 17:18 . 2008-08-08 17:19 <DIR> d-------- C:\srcds

2008-08-08 17:18 . 2008-08-08 17:18 <DIR> d-------- C:\Fraps

2008-08-08 17:13 . 2008-08-08 17:13 <DIR> d-------- C:\Arquivos de programas\Enigma Software Group

2008-08-08 17:09 . 2008-08-08 17:09 <DIR> d-------- C:\Arquivos de programas\Xvid

2008-08-08 16:22 . 2008-08-08 16:22 <DIR> d-------- C:\ATI

2008-08-07 18:08 . 2008-08-08 16:35 <DIR> d-------- C:\Arquivos de programas\Movie Converter V3(2)

2008-08-07 18:07 . 2008-08-07 18:07 <DIR> d-------- C:\Arquivos de programas\ezvideotools.com

2008-08-06 18:14 . 2008-08-08 16:56 <DIR> d-------- C:\Arquivos de programas\K-Lite Codec Pack(2)

2008-08-05 20:13 . 2008-08-05 20:13 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\Apple Computer

2008-08-05 20:08 . 2008-08-08 16:57 <DIR> d-------- C:\Arquivos de programas\QuickTime

2008-08-05 20:08 . 2008-08-08 16:57 <DIR> d-------- C:\Arquivos de programas\Apple Software Update

2008-08-05 19:29 . 2008-08-08 16:57 <DIR> d-------- C:\WINDOWS\system32\codec

2008-08-05 19:29 . 2008-08-08 16:57 <DIR> d-------- C:\Arquivos de programas\avi2divx

2008-08-05 18:09 . 2008-08-05 18:09 <DIR> d-------- C:\Documents and Settings\Mario\Dados de aplicativos\Media Player Classic

2008-08-05 17:40 . 2008-08-08 17:09 <DIR> d-------- C:\Arquivos de programas\VLCPortable

2008-08-05 15:10 . 2008-08-08 17:10 <DIR> d-------- C:\WINDOWS\LastGood(2)

2008-08-03 05:07 . 2008-08-08 17:19 <DIR> d-------- C:\Arquivos de programas\PowerStrip(2)

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-03 01:17 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP

2008-09-02 21:26 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2008-08-31 03:26 --------- d-----w C:\Arquivos de programas\Valve

2008-08-26 01:21 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe

2008-08-24 00:09 --------- d-----w C:\Documents and Settings\Mario\Dados de aplicativos\Uniblue

2008-08-09 07:37 --------- d-----w C:\Arquivos de programas\1.0 CDBGHF

2008-08-08 20:19 --------- d-----w C:\Arquivos de programas\SpeedBit Video Accelerator

2008-08-08 20:13 --------- d-----w C:\Arquivos de programas\Spybot - Search & Destroy

2008-08-08 20:13 --------- d-----w C:\Arquivos de programas\SpeederXP

2008-08-08 20:13 --------- d-----w C:\Arquivos de programas\Gabest

2008-08-08 20:03 --------- d-----w C:\Arquivos de programas\Bonjour

2008-07-25 00:40 --------- d-----w C:\Arquivos de programas\GCH Guitar academy

2008-07-23 21:12 --------- d-----w C:\Arquivos de programas\Robster Productions

2008-07-23 16:38 --------- d-----w C:\Arquivos de programas\Auslogics

2008-07-19 04:42 --------- d-----w C:\Documents and Settings\Mario\Dados de aplicativos\teamspeak2

2008-07-15 18:24 --------- d-----w C:\Arquivos de programas\Cucusoft

2008-07-07 20:18 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-07 20:18 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll

2008-06-24 16:30 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-24 16:30 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll

2008-06-23 08:23 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-06-23 08:23 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe

2008-06-23 08:23 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll

2008-06-20 17:36 247,808 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:36 247,808 ------w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:36 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 09:32 225,920 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-14 17:59 272,384 ------w C:\WINDOWS\system32\dllcache\bthport.sys

.

 

((((((((((((((((((((((((((((( snapshot@2008-08-26_15.31.09.10 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-08-24 13:38:24 6,931,412 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat

+ 2008-08-28 00:57:30 1,093,296 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat

+ 2008-09-03 16:05:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_484.dat

+ 2006-12-02 01:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll

+ 2006-12-02 01:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll

+ 2006-12-02 01:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll

+ 2006-12-02 01:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll

+ 2006-12-02 03:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll

+ 2006-12-02 03:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll

+ 2006-12-02 03:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll

+ 2006-12-02 03:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll

+ 2006-12-02 03:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll

+ 2006-12-02 03:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll

+ 2006-12-02 03:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll

+ 2006-12-02 03:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll

+ 2006-12-02 03:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll

+ 2006-12-02 03:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll

+ 2006-12-02 03:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll

+ 2006-12-02 03:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll

+ 2006-12-02 03:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias & legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

"Picasa Media Detector"="C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe" [2007-09-27 22:17 443968]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2008-06-23 12:40 124928 C:\WINDOWS\system32\advpack.dll]

 

C:\Documents and Settings\Mario\Menu Iniciar\Programas\Inicializar\

Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-29 22:09:01 113664]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDesktopCleanupWizard"= 1 (0x1)

"StartMenuFavorites"= 1 (0x1)

"Start_ShowHelp"= 0 (0x0)

"Start_ShowMyComputer"= 1 (0x1)

"Start_ShowMyDocs"= 1 (0x1)

"Start_ShowMyMusic"= 0 (0x0)

"Start_ShowMyPics"= 0 (0x0)

"Start_ShowNetConn"= 1 (0x1)

"Start_ShowPrinters"= 1 (0x1)

"HideRunAsVerb"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

"NoResolveSearch"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoSMMyPictures"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.i420"= i263_32.drv

"msacm.imc"= imc32.acm

"msacm.l3codecp"= l3codecp.acm

"VIDC.i263"= i263_32.drv

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\counter-strike\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\hltv.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\Steam.exe"=

"C:\\Arquivos de programas\\Valve\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\condition zero\\hl.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\gordix\\counter-strike source\\hl2.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Arquivos de programas\\DAP\\DAP.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\dedicated server\\hltv.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\day of defeat\\hl.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Arquivos de programas\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

"C:\\Arquivos de programas\\PS Monitor\\PsMon.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\freeman212\\counter-strike\\hl.exe"=

"C:\\Arquivos de programas\\Valve\\Steam\\SteamApps\\macgyver100\\dedicated server\\hlds.exe"=

"C:\\Arquivos de programas\\Valve\\hlds.exe"=

"C:\\Arquivos de programas\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=

"C:\\Arquivos de programas\\Ares\\Ares.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5900:TCP"= 5900:TCP:vnc5900

"5800:TCP"= 5800:TCP:vnc5800

 

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 16:22]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 13:39]

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 11:35]

R1 SNSID;SNSID;C:\WINDOWS\system32\Drivers\SNSID.sys [2007-05-30 11:23]

R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys [2007-05-30 11:35]

R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 11:37]

R2 NMSAccessU;NMSAccessU;C:\Arquivos de programas\CDBurnerXP\NMSAccessU.exe [2007-10-12 07:34]

R2 Ps2KSecureKeyboard;SecureKbd;C:\WINDOWS\system32\DRIVERS\psseckbd.sys [2007-05-30 11:21]

R2 sbbotdi;sbbotdi;C:\ARQUIV~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-07-28 18:51]

R2 SNMgrSvc;SNMgrSvc;C:\WINDOWS\system32\SnMgrSvc.exe [2007-05-30 11:34]

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-10-24 15:07]

R2 VideoAcceleratorService;VideoAcceleratorService;C:\ARQUIV~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe [2008-07-28 18:51]

R3 MusCVideo32;MusCVideo32;C:\WINDOWS\system32\DRIVERS\MusCVideo32.sys [2007-12-28 13:50]

R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys [2007-05-30 11:21]

S2 Apache2.2;Apache2.2;C:\AppServ\Apache2.2\bin\httpd.exe []

S3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\drivers\MusCDriverV32.sys []

S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]

 

*Newly Created Service* - ASPI32

*Newly Created Service* - CATCHME

.

Conteúdo da pasta 'Tarefas Agendadas'

.

.

------- Ccan Suplementar -------

.

FireFox -: Profile - C:\Documents and Settings\Mario\Dados de aplicativos\Mozilla\Firefox\Profiles\1juqpct1.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://portuguese.eazel.com/index.php?rvs=hompag

FF -: plugin - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava11.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava12.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava13.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava14.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJava32.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPJPI150_11.dll

FF -: plugin - C:\Arquivos de programas\Java\jre1.5.0_11\bin\NPOJI610.dll

.

.

------- File Associations (Beta) -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-03 13:10:35

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros ocultos ...

 

Varredura completada com sucesso

Ficheiros ocultos: 0

 

**************************************************************************

.

Tempo para conclusão: 2008-09-03 13:11:29

ComboFix-quarantined-files.txt 2008-09-03 16:11:26

ComboFix2.txt 2008-09-01 17:03:46

ComboFix3.txt 2008-08-26 18:32:52

 

Pre-Run: 22 pasta(s) 36,782,551,040 bytes disponíveis

Post-Run: 26 pasta(s) 36,785,614,848 bytes disponíveis

 

254 --- E O F --- 2008-09-02 21:20:28


Hi MAcgYvER everyONE,

Malwarebytes AntiMalware is a relatively new product, but it is very effective at removing common infections. The program is small, free and in Portuguese.

Installing it is the first step in cleaning an infected operating system.

In this tutorial you will learn how to install and run it.

1) First, download the program:

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

2) Now install the program, as follows:

Run the installer:

capturadatelaha4.png

Right after the installer is run, the following screen is shown:

capturadatela1zv8.png

Now click Instalar (Install) to finish:

capturadatela6yd8.png

At the end of the installation, leave the Atualização (Update) and Execução (Run) options checked:

capturadatela7cd6.png

The program's update screen is then shown:

capturadatela9en9.png

3) This is the program's initial screen. Select the Verificação Completa (Full Scan) option and click the Verificar (Scan) button.

capturadatela10vs1.png

Wait until the scan finishes:

capturadatela12zo1.png

When the scan completes, this message is shown:

capturadatela13oi2.png

The scan result is displayed, with the names of the files and malware found.

To carry out the cleanup, click Remover selecionados (Remove selected):

capturadatela14qb8.png

To finish the cleanup, the computer will need to be restarted:

capturadatela15um2ed5.png

The program keeps the logs of the scans it has run in the folder C:\Documents and Settings\Seu nome de Usuario\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\Logs (where "Seu nome de Usuario" stands for your user name), and they can also be accessed in the Logs tab inside the program.

Come back with the result of the scan.

Credits: Fabio Assolini.

Link to the original post: here.


Malwarebytes' Anti-Malware 1.26

Versão do banco de dados: 1112

Windows 5.1.2600 Service Pack 2

 

4/9/2008 14:13:06

mbam-log-2008-09-04 (14-13-06).txt

 

Tipo de Verificação: Completa (C:\|)

Objetos verificados: 197905

Tempo decorrido: 44 minute(s), 11 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 11

Valores do Registro infectados: 0

Ítens do Registro infectados: 0

Pastas infectadas: 1

Arquivos infectados: 1

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_CLASSES_ROOT\acm.acmfactory (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\acm.acmfactory.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{43382522-a846-46f4-ac57-1f71ae6e1086} (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{572fb162-c0ba-4edf-8cff-e3846153b9b0} (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{72a836d1-bc00-43c0-a941-17960e4fb842} (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad} (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{df901432-1b9f-4f5b-9e56-301c553f9095} (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{127df9b4-d75d-44a6-af78-8c3a8ceb03db} (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{d3073845-c655-42e7-b723-191ccfc41f0a} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave (Adware.WhenUSave) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\ACM.DLL (Adware.WhenUSave) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Ítens do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Pastas infectadas:

C:\Arquivos de programas\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.

 

Arquivos infectados:

C:\WINDOWS\system32\SnEngine.EXE (Trojan.Agent) -> Quarantined and deleted successfully.


Hi MAcgYvER everyONE,

How is the PC's performance? Are there still problems?


well, the computer is fine now, the only problem is that when I start the computer explorer doesn't open, so I have to open it

through the Task Manager. for me that's fine

but my mom and my stepfather don't know how to do it and they get angry ^^

but there's another problem

some things I used to have, like craagle, I can't download from the net anymore

it gives an error at the end

and some other programs I had here that were deleted


could you help me with how to set explorer to start together with Windows?

my mom is #@?$%~ about this and has even talked about calling a technician to format my PC =X


Hi MAcgYvER everyONE,

* Download VundoFix.

* Double-click VundoFix.exe to start it;

* When VundoFix opens, click Scan for Vundo. Wait for the scan to finish, which may take some time. Be patient;

* When the scan is finished, click Remove Vundo;

* You will get an alert asking whether you want to remove the files. Click YES. Your desktop will go blank (this is normal);

* To complete the scan, the machine will need to be restarted. Click OK;

* Please post the VundoFix log (C:\vundofix.txt) in your next reply, together with a new ComboFix log.

Regards.


Hi MAcgYvER everyONE,

Download SilentRunners.

Extract the file SilentRunners.vbs to C. Double-click the file to run it.

After running it, wait until a document named Startup Programs (USER) date is generated. Copy the contents of this document and paste them in your next reply.

Regards.

Note: If your AV detects the file as a malicious script, don't worry and allow it to run.


IT TURNED OUT VERY BIG BUT I'LL TRY TO POST IT IN PARTS

'Silent Runners.vbs -- find out what starts up with Windows!

'(compatible with Windows 95/98/Millennium/NT 4.0/2000 Pro/XP Home & Pro/Vista)

'

'DO NOT REMOVE THIS HEADER!

'

'Copyright Andrew ARONOFF 18 May 2008, http://www.silentrunners.org/

'This script is provided without any warranty, either express or implied

'It may not be copied or distributed without permission

'

'** YOU RUN THIS SCRIPT AT YOUR OWN RISK! ** (END OF HEADER)

 

 

Option Explicit

 

Dim strRevNo : strRevNo = "58"

 

Public flagTest : flagTest = False 'True if in testing mode

'flagTest = True 'Uncomment to put in testing mode

Public arSecTest : arSecTest = Array() 'array of section numbers to test

 

Public intSection : intSection = 0 'section counter

 

'This script is divided into 29 sections.

 

'malware launch points:

' registry keys (1-12, 15)

' INI/INF-files (16-18)

' folders (19)

' enabled scheduled tasks (20)

' Winsock2 service provider DLLs (21)

' IE toolbars, explorer bars, extensions (22)

' started services (26)

' accessibility tools (27)

' keyboard driver filters (28)

' printer monitors (29)

 

'hijack points:

' System/Group Policies (14)

' prefixes for IE URLs (23)

' misc IE points (24)

' HOSTS file (25)

 

'Output is suppressed if deemed normal unless the -all parameter is used

'Section XVIII is skipped unless the -supp/-all parameters are used or

'the first message box is answered "No" and the next message box "Yes"

 

' 1. HKCU/HKLM... Run/RunOnce/RunOnce\Setup/RunOnceEx

' HKLM... RunServices/RunServicesOnce

' HKCU/HKLM... Policies\Explorer\Run

' 2. HKLM... Active Setup\Installed Components\

' HKCU... Active Setup\Installed Components\

' (StubPath <> "" And HKLM version # > HKCU version #)

' 3. HKLM... Explorer\Browser Helper Objects\

' 4. HKLM... Shell Extensions\Approved\

' 5. HKLM... Explorer\DeviceNotificationCallbacks/SharedTaskScheduler/ShellExecuteHooks

' 6. HKCU/HKLM... ShellServiceObjectDelayLoad\

' 7. HKCU/HKLM... Command Processor\AutoRun

' HKCU... Policies\System\Shell (W2K/WXP/WVa only)

' HKCU... Windows\load & run

' HKLM... Windows\AppInit_DLLs

' HKLM... Windows NT... Aedebug\

' HKCU/HKLM... Windows NT... Winlogon\Shell

' HKLM... Windows NT... Winlogon\Userinit, System, Ginadll, Taskman, VmApplet

' HKLM... Control\BootVerificationProgram\ImagePath

' HKLM... Control\Lsa\Authentication Packages

' HKLM... Control\SafeBoot\Option\UseAlternateShell

' HKLM... Control\SecurityProviders\SecurityProviders

' HKLM... Control\Session Manager\BootExecute

' HKLM... Control\Session Manager\Execute

' HKLM... Control\Session Manager\SetupExecute

' HKLM... Control\Session Manager\WOW\cmdline, wowcmdline

' 8. HKLM... Windows NT... Winlogon\Notify\ (subkey names/DLLName values <> O/S-specific dictionary data)

' 9. HKLM... Windows NT... Image File Execution Options ("Debugger" subkeys)

'10. HKCU/HKLM... Policies... Startup/Shutdown, Logon/Logoff scripts (W2K/WXP/WVa)

'11. HKCU/HKLM Protocols\Filter

'12. Context menu shell extensions

'13. HKCU/HKLM executable file type (bat/cmd/com/exe/hta/pif/scr)

'14. System/Group Policies

'15. Enabled Wallpaper & Screen Saver

'16. WIN.INI load/run, SYSTEM.INI shell/scrnsave.exe, WINSTART.BAT, IniFileMapping

'17. AUTORUN.INF in root directory of local fixed disks

'18. HKLM... Explorer\AutoplayHandlers\Handlers

'19. DESKTOP.INI in any local fixed disk directory (section skipped by default)

'20. Startup Directories

'21. Enabled Scheduled Tasks

'22. Winsock2 Service Provider DLLs

'23. Internet Explorer Toolbars, Explorer Bars, Extensions

'24. Internet Explorer URL Prefixes

'25. Misc. IE Hijack Points

'26. HOSTS file

'27. Started Services

'28. Accessibility Tools

'29. Keyboard Driver Filters

'30. Print Monitors

 

Dim Wshso : Set Wshso = WScript.CreateObject("WScript.Shell")

Dim WshoArgs : Set WshoArgs = WScript.Arguments

Dim intErrNum, intMB, intMB1 'Err.Number, MsgBox return value x 2

 

Const DQ = """"

 

'Configuration Detection Section

 

' FileSystemObject creation error (117)

' CScript/WScript (155)

' Dim (171)

' GetFileVersion(WinVer.exe) (VBScript 5.1) (186)

' OS version (233)

' WMI (294)

' Dim (390)

' command line arguments (463)

' supplementary search MsgBox (561)

' startup MsgBox (598)

' CreateTextFile error (627)

' output file header (663)

' WXP SP2 (677)

 

On Error Resume Next

Dim Fso : Set Fso = CreateObject("Scripting.FileSystemObject")

intErrNum = Err.Number : Err.Clear

On Error Goto 0

 

If intErrNum <> 0 Then

 

strURL = "http://tinyurl.com/7nn6"

 

intMB = MsgBox (DQ & "Silent Runners" & DQ &_

" cannot access file services critical to" & vbCRLF &_

"proper script operation." & vbCRLF & vbCRLF &_

"If you are running Windows XP, make sure that the" &_

vbCRLF & DQ & "Cryptographic Services" & DQ &_

" service is started." & vbCRLF & vbCRLF &_

"You can also try reinstalling the latest version of the MS" &_

vbCRLF & "Windows Script Host." & vbCRLF & vbCRLF &_

"Press " & DQ & "OK" & DQ & " to direct your browser to " &_

"the download site or" & vbCRLF & Space(10) & DQ & "Cancel" &_

DQ & " to quit.", vbOKCancel + vbCritical, _

"Can't access the FileSystemObject!")

 

'if dl wanted now, send browser to dl site

If intMB = 1 Then Wshso.Run strURL

 

WScript.Quit

 

End If

 

Dim oNetwk : Set oNetwk = WScript.CreateObject("WScript.Network")

 

Const HKLM = &H80000002, HKCU = &H80000001

Const strHKLM = "HKLM", strHKCU = "HKCU"

Const REG_SZ=1, REG_EXPAND_SZ=2, REG_BINARY=3, REG_DWORD=4, REG_MULTI_SZ=7

Const REG_SZ_NO_CN=9 'create this reg value type to avoid CoName

'search for strings that are not file names

Const REG_QWORD = 11

Const MS = " [MS]"

Const LBr = "{"

Const IWarn = "<<!>> ", HWarn = "<<H>> "

 

'determine whether output is via MsgBox/PopUp or Echo

Dim flagOut

If InStr(LCase(WScript.FullName),"wscript.exe") > 0 Then

flagOut = "W" 'WScript

ElseIf InStr(LCase(WScript.FullName),"cscript.exe") > 0 Then

flagOut = "C" 'CScript

Else 'echo and continue if it works

flagOut = "C" 'assume CScript-compatible

WScript.Echo "Neither " & DQ & "WSCRIPT.EXE" & DQ & " nor " &_

DQ & "CSCRIPT.EXE" & DQ & " was detected as " &_

"the script host." & vbCRLF & DQ & "Silent Runners" & DQ &_

" will assume that the script host is CSCRIPT-compatible and will" & vbCRLF &_

"use WScript.Echo for all messages."

End If 'script host

 

Dim strflagTest : strflagTest = ""

If flagTest Then

strflagTest = "TEST "

 

If flagOut = "W" Then

Wshso.Popup "Silent Runners is in testing mode.",1, _

"Testing, testing, 1-2-3...", vbOKOnly + vbExclamation

Else

WScript.Echo "Silent Runners is in testing mode." & vbCRLF

End If 'flagOut?

End If 'flagTest?

 

Const SysFolder = 1 : Const WinFolder = 0

Public strOS : strOS = "Unknown"

Public strOSLong : strOSLong = "Unknown"

Public strOSXP : strOSXP = "Windows XP Home" 'XP Home or Pro

Public strWinDir : strWinDir = Wshso.ExpandEnvironmentStrings("%WINDIR%")

Public strPgmFilesDir : strPgmFilesDir = Wshso.ExpandEnvironmentStrings("%PROGRAMFILES%")

Public strFPSF : strFPSF = Fso.GetSpecialFolder(SysFolder).Path 'FullPathSystemFolder

Public strFPWF : strFPWF = Fso.GetSpecialFolder(WinFolder).Path 'FullPathWindowsFolder

Public strExeBareName 'bare file name w/o windows or system folder prefixes

Dim strSysVer 'Winver.exe version number

Dim intErrNum1, intErrNum2, intErrNum3, intErrNum4, intErrNum5, intErrNum6 'error number

Dim intLenValue 'value length

Dim strURL 'download URL

'assume Group Policies cannot be set in the O/S

Dim flagGP : flagGP = False

'HKCU/HKLM CLSID Lower Limit, default is HKLM for O/S <= NT4

Dim intCLL : intCLL = 1

 

'Winver.exe is in \Windows under W98, but in \System32 for other O/S's

'trap GetFileVersion error for VBScript version < 5.1

On Error Resume Next

If Fso.FileExists (strFPSF & "\Winver.exe") Then

strSysVer = Fso.GetFileVersion(strFPSF & "\Winver.exe")

Else

strSysVer = Fso.GetFileVersion(strFPWF & "\Winver.exe")

End If

intErrNum = Err.Number : Err.Clear

On Error Goto 0

 

'if GetFileVersion returns error due to old WSH version

If intErrNum <> 0 Then

 

'store dl URL

strURL = "http://tinyurl.com/7zh0"

 

'if using WScript

If flagOut = "W" Then

 

'explain the problem

intMB = MsgBox ("This script requires Windows Script Host (WSH) 5.1 " &_

"or higher to run." & vbCRLF & vbCRLF & "Press " & DQ & "OK" &_

DQ & " to direct your browser to the WSH download site or " &_

DQ & "Cancel" & DQ & " to quit." & vbCRLF & vbCRLF &_

"(WMI is also required. If it's missing, download instructions " &_

"will appear later.)", vbOKCancel + vbExclamation, _

"Unsupported Windows Script Host Version!")

 

'if dl wanted now, send browser to dl site

If intMB = 1 Then Wshso.Run strURL

 

'if using CScript

Else 'flagOut = "C"

 

'explain the problem

WScript.Echo DQ & "Silent Runners" & DQ & " requires " &_

"Windows Script Host 5.1 or higher to run." & vbCRLF & vbCRLF &_

"It can be downloaded at: " & strURL

 

End If 'WScript or CScript?

 

'quit the script

WScript.Quit

 

End If 'VBScript version error encountered?

 

'use WINVER.EXE file version to determine O/S

If Instr(Left(strSysVer,3),"4.1") > 0 Then

strOS = "W98" : strOSLong = "Windows 98"

 

ElseIf Instr(Left(strSysVer,5),"4.0.1") > 0 Then

strOS = "NT4" : strOSLong = "Windows NT 4.0"

 

ElseIf Instr(Left(strSysVer,8),"4.0.0.95") > 0 Then

strOS = "W98" : strOSLong = "Windows 95"

 

ElseIf Instr(Left(strSysVer,8),"4.0.0.11") > 0 Then

strOS = "W98" : strOSLong = "Windows 95 SR2 (OEM)"

 

ElseIf Instr(Left(strSysVer,3),"5.0") > 0 Then

strOS = "W2K" : strOSLong = "Windows 2000" : : intCLL = 0 : flagGP = True

 

ElseIf Instr(Left(strSysVer,3),"5.1") > 0 Then

'SP0 & SP1 = 5.1.2600.0, SP2 = 5.1.2600.2180

strOS = "WXP" : strOSLong = "Windows XP" : intCLL = 0

 

If Instr(strSysVer,".2180") > 0 Then strOSLong = "Windows XP SP2"

 

ElseIf Instr(Left(strSysVer,3),"4.9") > 0 Then

strOS = "WME" : strOSLong = "Windows Me (Millennium Edition)"

 

ElseIf Instr(Left(strSysVer,3),"5.2") > 0 Then

strOS = "WXP" : strOSLong = "Windows Server 2003 (interpreted as Windows XP)"

flagGP = True : intCLL = 0

 

ElseIf Instr(Left(strSysVer,3),"6.0") > 0 Then

strOS = "WVA" : strOSLong = "Windows Vista"

flagGP = True : intCLL = 0

 

Else 'unknown strSysVer

 

If flagOut = "W" Then

 

intMB = MsgBox ("The " & DQ & "Silent Runners" & DQ &_

" script cannot determine the operating system." & vbCRLF & vbCRLF &_

"Click " & DQ & "OK" & DQ & " to send an e-mail to the " &_

"author, providing the following information:" & vbCRLF & vbCRLF &_

"WINVER.EXE file version = " & strSysVer & vbCRLF & vbCRLF &_

"or click " & DQ & "Cancel" & DQ & " to quit.", _

49,"O/S Unknown!")

 

If intMB = 1 Then Wshso.Run "mailto:Andrew%20Aronoff%20" &_

"<%6F%73.%76%65%72.%65%72%72%6F%72@%73%69%6C%65%6E%74%72%75%6E%6E%65%72%73.%6F%72%67>?" &_

"subject=Silent%20Runners%20OS%20Version%20Error&body=WINVER.EXE" &_

"%20file%20version%20=%20" & strSysVer

 

Else 'flagOut = "C"

 

WScript.Echo DQ & "Silent Runners" & DQ & " cannot " &_

"determine the operating system." & vbCRLF & vbCRLF & "This script will exit."

 

End If 'flagOut?

 

WScript.Quit

 

End If 'OS id'd from strSysVer?

 

'use WMI to connect to the registry

On Error Resume Next

Dim oReg : Set oReg = GetObject("winmgmts:\root\default:StdRegProv")

intErrNum = Err.Number : Err.Clear

On Error Goto 0

 

'detect WMI connection error

If intErrNum <> 0 Then

 

strURL = ""

 

'for W98/NT4, assume WMI not installed and direct to d/l URL

If strOS = "W98" Or strOS = "NT4" Then

 

If strOS = "W98" Then strURL = "http://tinyurl.com/jbxe"

If strOS = "NT4" Then strURL = "http://tinyurl.com/7wd7"

 

'invite user to download WMI & quit

If flagOut = "W" Then

 

intMB = MsgBox ("This script requires " & DQ & "WMI" &_

DQ & ", Windows Management Instrumentation, to run." &_

vbCRLF & vbCRLF & "It can be downloaded at: " & strURL &_

vbCRLF & vbCRLF & "Press " & DQ & "OK" & DQ &_

" to direct your browser to the download site or " &_

DQ & "Cancel" & DQ & " to quit.",_

vbOKCancel + vbCritical,"WMI Not Installed!")

 

If intMB = 1 Then Wshso.Run strURL

 

'at command line, explain & quit

Else 'flagOut = "C"

 

WScript.Echo DQ & "Silent Runners" & DQ & " requires " &_

DQ & "WMI" & DQ & ", Windows Management Instrumentation, " &_

"to run." & vbCRLF & vbCRLF & "It can be downloaded at: " & strURL

 

End If

 

'for W2K/WXP/WVa, explain how to start the WMI service

ElseIf strOS = "W2K" Or strOS = "WXP" or strOS = "WVA" Then

 

If strOS = "W2K" Then strLine = "Settings | Control Panel | "

If strOS = "WXP" Then strLine = "Control Panel | "

If strOS = "WVA" Then strLine = "Control Panel | Classic View | "

 

'explain how to turn on WMI service

If flagOut = "W" Then

 

MsgBox "This script requires Windows Management Instrumentation" &_

" to run." & vbCRLF & vbCRLF & "Click on Start | " & strLine &_

"Administrative Tools | Services," & vbCRLF &_

"and start the " & DQ & "Windows Management Instrumentation" &_

DQ & " service.",vbOKOnly + vbCritical,"WMI Service not running!"

 

'at command line, explain & quit

Else 'flagOut = "C"

 

WScript.Echo DQ & "Silent Runners" & DQ & " requires " &_

"Windows Management Instrumentation to run." & vbCRLF & vbCRLF &_

"Click on Start | " & strLine & "Administrative " &_

"Tools | Services" & vbCRLF & "and start the " & DQ &_

"Windows Management Instrumentation" & DQ & " service."

 

End If 'flagOut?

 

Else 'WMe

 

'say there's a WMI problem

If flagOut = "W" Then

 

MsgBox "This script requires WMI (Windows Management Instrumentation)" &_

" to run," & vbCRLF & "but WMI is not running correctly.", _

vbOKOnly + vbCritical,"WMI problem!"

 

'at command line, explain & quit

Else 'flagOut = "C"

 

WScript.Echo DQ & "Silent Runners" & DQ & " requires " &_

"WMI (Windows Management Instrumentation) to run," & vbCRLF &_

"but WMI is not running correctly."

 

End If 'flagOut?

 

End If 'which O/S?

 

WScript.Quit

 

End If 'WMI execution error

 

'array of Run keys, counter x 10, hive member, startup folder file,

'startup file shortcut, IERESET.INF file

Dim arRunKeys, i, j, k, l, ii, jj, kk, ll, mm, nn, oHiveElmt, oSUFi, oSUSC

'dictionary, keys, items, hard disk collection

Dim arSK, arSKk, arSKi, colDisks

 

'arrays: Run key names, keys, sub-keys, value type, SecurityProviders,

' Protocol filters, values

Dim arNames(), arKeys(), arSubKeys(), arType, arSP, arFilter(), arValues

'Sub-Directory DeskTop.Ini array, Sub-Directory Error array, Error array

'Recognized GP names, allowed GP names, accessibility tools

Public arSDDTI(), arSDErr(), arErr(), arRecNames(), arAllowedNames(), arAcc()

 

'DeskTop.Ini counter, Error counter x 2, Classes data Hive counter

Public ctrArDTI, ctrArErr, ctrErr, ctrCH

Public ctrFo : ctrFo = 0 'folder counter

 

'name member, key array member x 4, O/S, drive root directory, work file

Dim oName, oKey, oKey2, strMemKey, strMemSubKey, oOS, oRoot, oFileWk

'values x 11

Dim strValue, strValue1, strValue2, strValue3, strValue4, strValue5, strValue6

Dim strVal, intValue, intValue1, intValue2, strCmd

'name, single character, startup folder name & display name,

'startup folder, array member, temp var

Dim strName, strChr, arSUFN, arSUFDN, oSUF, strArMember, strTmp, strTmp2

'output string x 3

Public strOut, strOut1, strOut2

 

'output file msg x 2, warning string, title line

Dim strLine, strLine1, strLine2, strWarn, strTitleLine

'infection/hijack warning detection flags -- add footer note if True

Public flagIWarn : flagIWarn = False

Public flagHWarn : flagHWarn = False

'register key x 4, sub-key, CLSID key

Dim strKey, strKey1, strKey2, strKey3, strSubKey, strCLSIDKey

'output file name string (incl. path), file name (wo path),

'PIF path string, single binary character

Dim strFN, strFNNP, strPIFTgt, bin1C

Public datLaunch : datLaunch = Now 'script launch time

Public intCnt 'counter

'ref time, time taken by 2 pop-up boxes

Public datRef : datRef = 0

Public datPUB1 : datPUB1 = 0 : Public datPUB2 : datPUB2 = 0

 

'TRUE if show all output (default values not filtered)

Public flagShowAll : flagShowAll = False

Dim strRptOutput : strRptOutput = "Output limited to non-default values, " &_

"except where indicated by " & DQ & "{++}" & DQ 'output file string

Public strTitle : strTitle = ""

Public strSubTitle : strSubTitle = ""

Public strSubSubTitle : strSubSubTitle = ""

Public flagNVP : flagNVP = False 'existence of name/value pairs in a key

Public flagInfect : flagInfect = False 'flag infected condition

Dim flagMatch 'flag matching keys

Dim flagAllow 'flag key on approved list

Dim flagFound 'flag something that exists

Public flagValueFound 'flag value that exists in Registry

Dim flagDirArg : flagDirArg = False 'presence of output directory argument

Dim flagIsCLSID : flagIsCLSID = False 'true if argument in CLSID format

Dim flagTitle 'True if title has already been written

Dim flagAllArg : flagAllArg = False 'presence of all output argument

Dim flagArray 'flag array containing elements

Public flagSupp : flagSupp = False 'do *not* check for DESKTOP.INI in all

'directories of local fixed disks

Dim intLBSP 'Last BackSlash Position in path string

Dim intSS 'lowest sort subscript

Dim intType 'value type

Dim strDLL, strCN 'DLL name, company name

'string to signal all output by default

Public strAllOutDefault : strAllOutDefault = ""

 

Dim ScrPath : ScrPath = Fso.GetParentFolderName(WScript.ScriptFullName)

If Right(ScrPath,1) <> "\" Then ScrPath = ScrPath & "\"

'initialize Path of Output File Folder to script path

Dim strPathOFFo : strPathOFFo = ScrPath

 

'hive array

Public arHives(1,1)

arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM"

arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002

 

'set up argument usage message string

 

Dim strLSp, strCSp 'Leading Spaces, Centering Spaces

strLSp = Space(4) : strCSp = Space(33) 'WScript spacing

If flagOut = "C" Then 'CScript spacing

strLsp = Space(3) : strCSp = Space(28)

End If

 

Dim strMsg : strMsg = "Only two arguments are permitted:" &_

vbCRLF & vbCRLF &_

"1. the name of an existing directory for the output report" &_

vbCRLF & strLSp & "(embed in quotes if it contains spaces)" &_

vbCRLF & vbCRLF & strCSp & "AND:" & vbCRLF & vbCRLF &_

"2. " & DQ & "-supp" & DQ & " to search " &_

"all directories for DESKTOP.INI DLL" & vbCRLF &_

strLSp & "launch points" &_

vbCRLF & vbCRLF & strCSp & "-OR-" & vbCRLF & vbCRLF &_

"3. " & DQ & "-all" & DQ & " to output all non-empty " &_

"values and all launch" & vbCRLF & strLSp & "points checked"

 

'check if output directory or "-all" or "-supp" was supplied as argument

If WshoArgs.length > 0 And WshoArgs.length <= 2 Then

 

For i = 0 To WshoArgs.length-1

 

'if directory arg not already passed and arg directory exists

If Not flagDirArg And Fso.FolderExists(WshoArgs(i)) Then

 

'get the path & toggle the directory arg flag

Dim oOFFo : Set oOFFo = Fso.GetFolder(WshoArgs(i))

strPathOFFo = oOFFo.Path : flagDirArg = True

If Right(strPathOFFo,1) <> "\" Then strPathOFFo = strPathOFFo & "\"

Set oOFFo=Nothing

 

'if -all arg not already passed and is this arg

ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-all" Then

 

'toggle ShowAll flag, toggle the all arg flag, fill report string

flagShowAll = True : flagAllArg = True

strRptOutput = "Output of all locations checked and all values found."

 

'if -all arg not already passed and is this arg

ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-supp" Then

flagSupp = True : flagAllArg = True

strRptOutput = "Search enabled of all directories on local fixed " &_

"drives for DESKTOP.INI" & vbCRLF & " DLL launch points" &_

vbCRLF & strRptOutput

 

'argument can't be interpreted, so explain & quit

Else

 

If flagOut = "W" Then 'pop up a message window

 

Wshso.Popup "The argument:" & vbCRLF &_

DQ & UCase(WshoArgs(i)) & DQ & vbCRLF &_

"... can't be interpreted." & vbCRLF & vbCRLF &_

strMsg,10,"Bad Script Argument", vbOKOnly + vbExclamation

 

Else 'flagOut = "C" 'write the message to the console

 

WScript.Echo vbCRLF & "The argument: " &_

DQ & UCase(WshoArgs(i)) & DQ &_

" can't be interpreted." & vbCRLF & vbCRLF &_

strMsg & vbCRLF

 

End If 'WScript host?

 

WScript.Quit

 

End If 'argument can be interpreted?

 

Next 'argument

 

'too many args passed

ElseIf WshoArgs.length > 2 Then

 

'explain & quit

If flagOut = "W" Then 'pop up a message window

 

Wshso.Popup "Too many arguments (" & WshoArgs.length & ") were passed." &_

vbCRLF & vbCRLF & strMsg,10,"Too Many Arguments",_

vbOKOnly + vbCritical

 

Else 'flagOut = "C" 'write the message to the console

 

WScript.Echo "Too many arguments (" & WshoArgs.length & ") were passed." &_

vbCRLF & vbCRLF & strMsg & vbCRLF

 

End If 'WScript host?

 

WScript.Quit

 

End If 'directory arguments passed?

 

Set WshoArgs=Nothing

 

datRef = Now

 

'if no cmd line argument for flagSupp and not testing, show popup

If Not flagTest And Not flagShowAll And Not flagSupp And flagOut = "W" Then

 

intMB = Wshso.Popup ("Do you want to skip the supplementary search?" &_

vbCRLF & "(It typically takes several minutes.)" & vbCRLF & vbCRLF &_

"Press " & DQ & "Yes" & DQ & Space(5) &_

" to skip the supplementary search (default)" & vbCRLF & vbCRLF &_

Space(10) & DQ & "No" & DQ & Space(6) &_

" to perform it, or" & vbCRLF & vbCRLF &_

Space(10) & DQ & "Cancel" & DQ &_

" to get more information at the web site" & vbCRLF &_

Space(25) & "and exit the script.",_

15,"Skip supplementary search?",_

vbYesNoCancel + vbQuestion + vbDefaultButton1 + vbSystemModal)

 

If intMB = vbNo Then

 

flagSupp = True

 

intMB1 = MsgBox ("Are you SURE you want to run the supplementary " &_

"search?" & vbCRLF & vbCRLF & "It's _rarely_ necessary " &_

"and it takes a *long* time." & vbCRLF & vbCRLF & "Press " & DQ &_

"Yes" & DQ & " to confirm running the supplementary search, " &_

"or" & vbCRLF & Space(10) & DQ & "No" & DQ & " to run without it.", _

vbYesNo + vbQuestion + vbDefaultButton2 + vbSystemModal,"Are you sure?")

 

If intMB1 = vbNo Then flagSupp = False

 

ElseIf intMB = vbCancel Then

Wshso.Run "http://www.silentrunners.org/sr_thescript.html#supp"

WScript.Quit

End If

 

End If


datPUB1 = DateDiff("s",datRef,Now) : datRef = Now

 

'inform user that script has started

If Not flagTest Then

If flagOut = "W" Then

Wshso.PopUp DQ & "Silent Runners" & DQ & " has started." &_

vbCRLF & vbCRLF & "A message box like this one will appear " &_

"when it's done." & vbCRLF & vbCRLF & "Please be patient...",3,_

"Silent Runners R" & strRevNo & " startup", _

vbOKOnly + vbInformation + vbSystemModal

Else

WScript.Echo DQ & "Silent Runners" & DQ & " has started." &_

" Please be patient..." & vbCRLF

End If 'flagOut?

End If 'flagTest?

 

datPUB2 = DateDiff("s",datRef,Now)

 

'create output file name with computer name & today's date

'Startup Programs (pc_name_here) yyyy-mm-dd.txt

 

strFNNP = "Startup Programs (" & oNetwk.ComputerName & ") " &_

FmtDate(datLaunch) & " " & FmtHMS(datLaunch) & ".txt"

strFN = strPathOFFo & strflagTest & strFNNP

On Error Resume Next

If Fso.FileExists(strFN) Then Fso.DeleteFile(strFN)

Err.Clear

Public oFN : Set oFN = Fso.CreateTextFile(strFN,True)

intErrNum = Err.Number : Err.Clear

On Error Goto 0

 

'if can't create report file

If intErrNum > 0 Then

 

strURL = "http://www.silentrunners.org/Silent%20Runners%20RED.vbs"

 

'invite user to run RED version & quit

If flagOut = "W" Then

 

intMB = MsgBox ("The script cannot create its report file. " &_

"This is a known, intermittent" & vbCRLF & "problem under " &_

strOSLong & "." & vbCRLF & vbCRLF &_

"An alternative script version is available for download. " &_

"After it runs, " & vbCRLF & "the script you're using now will " &_

"run correctly." & vbCRLF & vbCRLF &_

"Press " & DQ & "OK" & DQ & " to direct your browser " &_

"to the alternate script location, or" & vbCRLF & Space(10) &_

DQ & "Cancel" & DQ & " to quit.",49,"CreateTextFile Error!")

 

'if alternative script wanted now, send browser to dl site

If intMB = 1 Then Wshso.Run strURL

 

'explain & quit

Else 'flagOut = "C"

 

WScript.Echo DQ & "Silent Runners" & DQ & " cannot " &_

"create the report file." & vbCRLF & vbCRLF &_

"An alternative script is available. Run it, then rerun this version." &_

vbCRLF & "The alternative script can be downloaded at: " & vbCRLF &_

vbCRLF & strURL

 

End If

 

WScript.Quit

 

End If 'report file creation error?

 

'add report header

Set oNetwk=Nothing

 

oFN.WriteLine DQ & "Silent Runners.vbs" & DQ &_

", revision " & strRevNo & ", http://www.silentrunners.org/" &_

vbCRLF & "Operating System: " & strOSLong & vbCRLF & strRptOutput

 

'test for WMI corruption and use WMI to differentiate between

'WXP Home & WXP Pro

 

'get the O/S collection

Dim colOS : Set colOS = GetObject("winmgmts:\root\cimv2").ExecQuery _

("Select * from Win32_OperatingSystem")

 

On Error Resume Next

 

Err.Clear

 

For Each oOS in colOS

 

If strOS = "WXP" Then

 

'modify strOSXP if O/S = Pro

If InStr(1,LCase(oOS.Name),"professional",1) > 0 Then

strOSXP = "Windows XP Professional"

flagGP = True

End If

'modify strOSXP if SP2

If Right(strOSLong,3) = "SP2" Then strOSXP = strOSXP & " SP2"

 

End If 'WXP?

 

Next 'oOS

 

If Err.Number <> 0 Then

 

strURL = "http://go.microsoft.com/fwlink/?LinkId=62562"

 

oFN.WriteLine vbCRLF & "FATAL ERROR!" & vbCRLF & String(12,"-") &_

vbCRLF & vbCRLF & DQ & "Silent Runners" & DQ &_

" cannot use WMI to identify the operating system." &_

vbCRLF & "This is caused by corruption of the WMI installation." &_

vbCRLF & vbCRLF &_

"WMI is complex and it is recommended that you use a Microsoft" &_

vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_

"on your system." & vbCRLF & vbCRLF & "It can be downloaded here:" &_

vbCRLF & vbCRLF & strURL

 

intMB = MsgBox (DQ & "Silent Runners" & DQ & " cannot use WMI to " &_

"identify the operating system." & vbCRLF & "This is caused by " &_

"corruption of the WMI installation." &_

vbCRLF & vbCRLF &_

"WMI is complex and it is recommended that you use a Microsoft" &_

vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_

"on your system." &_

vbCRLF & vbCRLF &_

"Press " & DQ & "OK" & DQ & " to direct your browser to the " &_

"WMIDiag download site or" &_

vbCRLF & Space(10) & DQ & "Cancel" & DQ & " to quit.",_

vbOKCancel + vbCritical + + vbSystemModal + vbDefaultButton2,_

"Can't iterate Win32_OperatingSystem!")

 

'if dl wanted now, send browser to dl site

If intMB = 1 Then Wshso.Run strURL

 

WScript.Quit

 

End If 'Err.Number<>0?

 

On Error Goto 0

 

Set colOS=Nothing

 

 

 

 

'#1. HKCU/HKLM... Run/RunOnce/RunOnce\Setup/RunOnceEx

' HKLM... RunServices/RunServicesOnce

' HKCU/HKLM... Policies\Explorer\Run

 

intSection = intSection + 1

 

'execute section if not in testing mode or (in testing mode And this section selected for testing)

If Not flagTest Or (flagTest And SecTest) Then

 

'write registry header lines to file

strTitle = "Startup items buried in registry:"

TitleLineWrite

 

'put keys in array (Key Index 0 - 6)

arRunKeys = Array ("Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", _

"Software\Microsoft\Windows\CurrentVersion\Run", _

"Software\Microsoft\Windows\CurrentVersion\RunOnce", _

"Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup", _

"Software\Microsoft\Windows\CurrentVersion\RunOnceEx", _

"Software\Microsoft\Windows\CurrentVersion\RunServices", _

"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce")

 

'Key Execution Flag/Subkey Recursion Flag array

'

'first number in the ordered pair in the array immediately below

' pertains to execution of the key:

'0: not executed (ignore)

'1: may be executed so display with EXECUTION UNLIKELY warning

'2: executable

'

'second number in the ordered pair pertains to subkey recursion

'0: subkeys not used

'1: subkey recursion necessary

 

'0 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

'1 Software\Microsoft\Windows\CurrentVersion\Run

'2 Software\Microsoft\Windows\CurrentVersion\RunOnce

'3 Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

'4 Software\Microsoft\Windows\CurrentVersion\RunOnceEx

'5 Software\Microsoft\Windows\CurrentVersion\RunServices

'6 Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

'Hive HKCU - 0 HKLM - 1

'

'Key 0 1 2 3 4 5 6 0 1 2 3 4 5 6

'Index

 

'O/S:

'W95 0,0 2,0 2,0 0,0 2,1 0,0 0,0 0,0 2,0 2,0 0,0 2,1 2,0 2,0

'W98 0,0 2,0 2,0 0,0 2,1 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0

'WMe 2,1 2,1 2,0 2,0 2,1 0,0 0,0 2,1 2,1 2,0 2,0 2,1 2,0 2,0

'NT4 0,0 2,0 2,0 0,0 2,1 0,0 0,0 0,0 2,0 2,0 0,0 2,1 0,0 0,0

'W2K 2,1 2,1 2,1 0,0 2,1 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0

'WXP 2,0 2,0 2,0 0,0 2,1 0,0 0,0 2,0 2,0 2,0 0,0 2,1 0,0 0,0

'WS2K3 ??? <-------------------- ??? --------------------> ???

'WVa 2,0 2,0 2,0 0,0 2,1 0,0 0,0 2,0 2,0 2,0 0,0 2,1 0,0 0,0

 

'arRegFlag(i,j,k): put flags in array by O/S:

'hive = i (0 or 1), key_# = j (0-6),

' flags (key execution/subkey recursion) = k (0 or 1)

' k = 0 holds key execution value = 0/1/2

' 1 holds subkey recursion value = 0/1

Dim arRegFlag()

ReDim arRegFlag(1,6,1)

 

'initialize entire array to zero

For i = 0 To 1 : For j = 0 To 6 : For k = 0 To 1

arRegFlag(i,j,k) = 0

Next : Next : Next

 

'add data to array for O/S that's running

 

'W98

If strOS = "W98" Then

arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn

arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn

arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn

arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys

arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn

arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn

'don't set HKLM,RunOnce\Setup for W95

If strOSLong = "Windows 98" Then _

arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn

arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn

arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys

arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn

arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn

End If

 

If strOS = "WME" Then

arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn

arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys

arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn

arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys

arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn

arRegFlag(0,3,0) = 2 'HKCU,RunOnce\Setup = no-warn

arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn

arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys

arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn

arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys

arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn

arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys

arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn

arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn

arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn

arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys

arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn

arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn

End If

 

'NT4

If strOS = "NT4" Then

arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn

arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn

arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn

arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys

arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn

arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn

arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn

arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys

End If

 

'W2K

If strOs = "W2K" Then

arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn

arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys

arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn

arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys

arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn

arRegFlag(0,2,1) = 1 'HKCU,RunOnce = sub-keys (incl. Setup)

arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn

arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys

arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn

arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys

arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn

arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys

arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn

arRegFlag(1,2,1) = 1 'HKLM,RunOnce = sub-keys (incl. Setup)

arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn

arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys

End If

 

'WXP/WVa

If strOs = "WXP" Or strOS = "WVA" Then

arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn

arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn

arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn

arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn

arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys

arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn

arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn

arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn

arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn

arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys

End If

 

'for each hive

For i = 0 To 1

 

'for each key

For j = 0 To 6

 

'if not ShowAll, show all output for Run keys

If j = 1 And Not flagShowAll Then strAllOutDefault = " {++}"

 

'if key is not ignored

If arRegFlag(i,j,0) > 0 Then

 

flagNVP = False

 

'initialize string with warning if necessary

strWarn = ""

If arRegFlag(i,j,0) = 1 Then strWarn = "EXECUTION UNLIKELY: "

 

'INFO

'with no name/value pairs (sub-keys are identical)

' IsArray TypeName UBound

'W98 True "Variant()" -1

'WMe True "Variant()" -1

'NT4 True "Variant()" -1

'W2K False "Null" error (--)

'WXP False "Null" error (--)

'WS2K3 True "Variant()" error (--)

'WVa False "Null" error (--)

 

EnumNVP arHives(i,1), arRunKeys(j), arNames, arType

 

If flagNVP Then 'name/value pairs exist

 

'write the full key name

oFN.WriteLine vbCRLF & SOCA(arHives(i,0) & "\" & arRunKeys(j) &_
"\" & strAllOutDefault)

 

'for each data type in the names array

For k = LBound(arNames) To UBound(arNames)

 

'use the type to find the value

strValue = RtnValue (arHives(i,1), arRunKeys(j), arNames(k), arType(k))

'write the name & value

WriteValueData arNames(k), strValue, arType(k), strWarn

 

Next 'member of names array

 

Else 'no name/value pairs

 

If flagShowAll Then _
oFN.WriteLine vbCRLF & SOCA(arHives(i,0) & "\" & arRunKeys(j) & "\")

 

End If 'flagNVP?

 

'recurse subkeys if necessary

If arRegFlag(i,j,1) = 1 Then

 

'put all subkeys into array

oReg.EnumKey arHives(i,1),arRunKeys(j),arKeys

 

'excludes W2K/WXP/WVa with no sub-keys

If IsArray(arKeys) Then

 

'excludes W98/WMe/NT4/WS2K3 with no sub-keys

For Each strMemKey in arKeys

 

flagNVP = False

strSubKey = arRunKeys(j) & "\" & strMemKey

 

EnumNVP arHives(i,1), arRunKeys(j) & "\" & strMemKey,arNames,arType

 

If flagNVP Then 'if name/value pairs exist

 

'write the full key name

oFN.WriteLine vbCRLF & SOCA(arHives(i,0) & "\" & strSubKey &_
"\" & strAllOutDefault)

 

'for each data type in the names array

For k = LBound(arNames) To UBound(arNames)

 

'use the type to find the value

strValue = RtnValue (arHives(i,1), strSubKey, arNames(k), arType(k))

'write the name & value

WriteValueData arNames(k), strValue, arType(k), strWarn

 

Next 'member of names array

 

Else 'no name/value pairs

 

If flagShowAll Then _
oFN.WriteLine vbCRLF & SOCA(arHives(i,0) & "\" & strSubKey & "\")

 

End If 'flagNVP?

 

Next 'sub-key

 

End If 'sub-keys exist? W2K/WXP/WS2K3/WVa

 

End If 'enum sub-keys?

 

End If 'arRegFlag(i,j,0) > 0

 

Next 'Run key

 

Next 'Hive

 

strAllOutDefault = "" : flagNVP = False

 

'recover array memory

ReDim arRunKeys(0)

ReDim arKeys(0)

ReDim arRegFlag(0)

 

End If 'flagTest And SecTest?

 

 

 

 

'#2. HKLM... Active Setup\Installed Components\

' HKCU... Active Setup\Installed Components\

 

intSection = intSection + 1

 

'execute section if not in testing mode or (in testing mode And this section selected for testing)

If Not flagTest Or (flagTest And SecTest) Then

 

'flags True if only numeric & comma chrs in Version values

Dim flagHKLMVer, flagHKCUVer

'StubPath Value string, HKLM Version value, HKCU Version value, HKLM program name

Dim strSPV, strHKLMVer, strHKCUVer, strPgmName

Dim arHKLMKeys, arHKCUKeys, strHKLMKey, strHKCUKey

 

strKey = "Software\Microsoft\Active Setup\Installed Components"

 

strSubTitle = SOCA("HKLM" & "\" & strKey & "\")

 

'find all the subkeys

oReg.EnumKey HKLM, strKey, arHKLMKeys 'HKLM

oReg.EnumKey HKCU, strKey, arHKCUKeys 'HKCU

 

'enumerate HKLM keys if present

If IsArray(arHKLMKeys) Then

 

'for each HKLM key

For Each strHKLMKey In arHKLMKeys

 

'INFO

'Default Value not set:

'W98/WMe: returns 0, strValue = ""

'NT4/W2K/WXP/WVa: returns non-zero, strValue = Null

 

'Non-Default name inexistent:

'W98/WMe/NT4/W2K/WXP/WVa: returns non-zero, strValue = Null

 

'Non-Default Value not set:

'W2K: returns 0, strValue = unwritable string

'W98/WMe/NT4/WXP/WVa: returns 0, strValue = ""

 

'get the StubPath value

intErrNum = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"StubPath",strSPV)

 

'if the StubPath name exists And value set (exc for W2K!)

If intErrNum = 0 And strSPV <> "" Then

 

flagMatch = False

 

'if HKCU keys present

If IsArray(arHKCUKeys) Then

 

'for each HKCU key

For Each strHKCUKey in arHKCUKeys

 

'if identical HKLM key exists

If LCase(strHKLMKey) = LCase(strHKCUKey) Then

 

'assume Version fmts are OK

flagHKLMVer = True : flagHKCUVer = True

 

'get HKLM & HKCU Version values

intErrNum1 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey, _
"Version",strHKLMVer) 'HKLM Version #

intErrNum2 = oReg.GetStringValue (HKCU,strKey & "\" & strHKCUKey, _
"Version",strHKCUVer) 'HKCU Version #

 

'if HKLM Version name exists And value set (exc for W2K!)

If intErrNum1 = 0 And strHKLMVer <> "" Then

 

'the next two loops check for allowed chars (numeric & comma)

' in returned Version values

 

For i = 1 To Len(strHKLMVer)

strChr = Mid(strHKLMVer,i,1)

If Not IsNumeric(strChr) And strChr <> "," Then flagHKLMVer = False

Next

 

'if HKCU Version name exists And value set (exc for W2K!)

If intErrNum2 = 0 And strHKCUVer <> "" Then

 

'check that value consists only of numeric & comma chrs

For i = 1 To Len(strHKCUVer)

strChr = Mid(strHKCUVer,i,1)

If Not IsNumeric(strChr) And strChr <> "," Then flagHKCUVer = False

Next

 

End If 'HKCU Version null or MT?

 

'if HKLM Ver # has illegal fmt (i.e., is not assigned) or doesn't exist (is Null)

' or is empty, match = True

'if HKCU/HKLM Ver # fmts OK And HKCU Ver # >= HKLM Ver #, match = True

'if HKLM Ver # = "0,0" and HKCU Ver # = "", key will output

' but StubPath will not launch

If Not flagHKLMVer Then flagMatch = True

If flagHKLMVer And flagHKCUVer And strHKCUVer >= strHKLMVer Then flagMatch = True

 

Else 'HKLM Version name doesn't exist Or value not set (exc for W2K!)

 

flagMatch = True

 

End If 'HKLM Version name exists And value set (exc for W2K!)?

 

End If 'HKCU key=HKLM key?

 

Next 'HKCU Installed Components key

 

End If 'HKCU Installed Components subkeys exist?

 

'if the StubPath will launch

If Not flagMatch Then

 

flagAllow = False 'assume StubPath DLL not on approved list

strCN = CoName(IDExe(strSPV))

 

'test for approved StubPath DLL

If LCase(strHKLMKey) = ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}" And _
(InStr(LCase(strSPV),"wmpocm.exe") > 0 Or _
InStr(LCase(strSPV),"unregmp2.exe") > 0) And _
strCN = MS And Not flagShowAll Then flagAllow = True

 

'StubPath DLL not approved

If Not flagAllow Then

 

'get the default value (program name)

intErrNum3 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"",strPgmName)

'enclose pgm name in quotes if name exists and default value isn't empty

If intErrNum3 = 0 And strPgmName <> "" Then

strPgmName = DQ & strPgmName & DQ

Else

strPgmName = "(no title provided)"

End If

 

TitleLineWrite

 

'output the CLSID & pgm name

oFN.WriteLine strHKLMKey & "\(Default) = " &_
StringFilter(strPgmName,False)

 

On Error Resume Next

'output the StubPath value

oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
DQ & strSPV & DQ & strCN

'error check for W2K if StubPath value not set

If Err.Number <> 0 Then oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
"(value not set)"

Err.Clear

On Error GoTo 0

 

End If 'flagAllow false?

 

End If 'flagMatch false?

 

End If 'StubPath value exists?

 

Next 'HKLM Installed Components subkey

 

End If 'HKLM Installed Components subkeys exist?

 

If flagShowAll Then TitleLineWrite

 

'recover array memory

ReDim arHKLMKeys(0)

ReDim arHKCUKeys(0)

 

strTitle = "" : strSubTitle = "" : strSubSubTitle = ""

 

End If 'SecTest?

 

 

 

 

'#3. HKLM... Explorer\Browser Helper Objects\

 

intSection = intSection + 1

 

'execute section if not in testing mode or (in testing mode And this section selected for testing)

If Not flagTest Or (flagTest And SecTest) Then

 

strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

strSubTitle = SOCA("HKLM" & "\" & strKey & "\")

 

'find all the subkeys

oReg.EnumKey HKLM, strKey, arSubKeys

 

'enumerate data if present

If IsArray(arSubKeys) Then

 

'for each key

For Each strSubKey In arSubKeys

 

flagTitle = False

 

CLSIDLocTitle HKLM, strKey & "\" & strSubKey, "", strLocTitle

 

For ctrCH = intCLL To 1

 

ResolveCLSID strSubKey, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL

 

If strIPSDLL <> "" Then

 

'output the title line if not already done

TitleLineWrite

 

If Not flagTitle Then

 

'error check for W2K if value not set

On Error Resume Next

oFN.WriteLine strSubKey & "\(Default) = " & strLocTitle

intErrNum = Err.Number : Err.Clear

If intErrNum <> 0 Then oFN.WriteLine strSubKey &_
"\(Default) = (no title provided)"

flagTitle = True

On Error GoTo 0

 

End If

 

'output CLSID title, InProcServer32 DLL & CoName

oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_
strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
StringFilter(strIPSDLL,True) & CoName(IDExe(strIPSDLL))

 

End If 'strIPSDLL exists?

 

Next 'CLSID hive

 

Next 'BHO subkey

 

End If 'BHO subkeys exist?

 

'if ShowAll, output the key name if not already done

If flagShowAll Then TitleLineWrite

strTitle = "" : strSubTitle = "" : strSubSubTitle = ""

 

'recover array memory

ReDim arSubKeys(0)

 

End If 'SecTest?

 

 

 

 

'#4. HKLM... Shell Extensions\Approved\

 

intSection = intSection + 1

 

'execute section if not in testing mode or (in testing mode And this section selected for testing)

If Not flagTest Or (flagTest And SecTest) Then

 

'CLSID value, InProcessServer32 DLL name & output file version,

'CLSID Key Title display flag

Dim strCLSID, strIPSDLL, strIPSDLLOut, strCLSIDTitle, strLocTitle

 

'Shell Extension Approved array

Dim arSEA()

ReDim arSEA(418,1)

'WXP

arSEA(0,0) = "{00022613-0000-0000-C000-000000000046}" : arSEA(0,1) = "mmsys.cpl"

arSEA(1,0) = "{176d6597-26d3-11d1-b350-080036a75b03}" : arSEA(1,1) = "icmui.dll"

arSEA(2,0) = "{1F2E5C40-9550-11CE-99D2-00AA006E086C}" : arSEA(2,1) = "rshx32.dll"

arSEA(3,0) = "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" : arSEA(3,1) = "docprop.dll"

arSEA(4,0) = "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" : arSEA(4,1) = "ntshrui.dll"

arSEA(5,0) = "{41E300E0-78B6-11ce-849B-444553540000}" : arSEA(5,1) = "themeui.dll"

arSEA(6,0) = "{42071712-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(6,1) = "deskadp.dll"

arSEA(7,0) = "{42071713-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(7,1) = "deskmon.dll"

arSEA(8,0) = "{42071714-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(8,1) = "deskpan.dll"

arSEA(9,0) = "{4E40F770-369C-11d0-8922-00A024AB2DBB}" : arSEA(9,1) = "dssec.dll"

arSEA(10,0) = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" : arSEA(10,1) = "SlayerXP.dll"

arSEA(11,0) = "{56117100-C0CD-101B-81E2-00AA004AE837}" : arSEA(11,1) = "shscrap.dll"

arSEA(12,0) = "{59099400-57FF-11CE-BD94-0020AF85B590}" : arSEA(12,1) = "diskcopy.dll"

arSEA(13,0) = "{59be4990-f85c-11ce-aff7-00aa003ca9f6}" : arSEA(13,1) = "ntlanui2.dll"

arSEA(14,0) = "{5DB2625A-54DF-11D0-B6C4-0800091AA605}" : arSEA(14,1) = "icmui.dll"

arSEA(15,0) = "{675F097E-4C4D-11D0-B6C1-0800091AA605}" : arSEA(15,1) = "icmui.dll"

arSEA(16,0) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}" : arSEA(16,1) = ""

arSEA(17,0) = "{77597368-7b15-11d0-a0c2-080036af3f03}" : arSEA(17,1) = "printui.dll"

arSEA(18,0) = "{7988B573-EC89-11cf-9C00-00AA00A14F56}" : arSEA(18,1) = "dskquoui.dll"

arSEA(19,0) = "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}" : arSEA(19,1) = ""

arSEA(20,0) = "{85BBD920-42A0-1069-A2E4-08002B30309D}" : arSEA(20,1) = "syncui.dll"

arSEA(21,0) = "{88895560-9AA2-1069-930E-00AA0030EBC8}" : arSEA(21,1) = "hticons.dll"

arSEA(22,0) = "{BD84B380-8CA2-1069-AB1D-08000948F534}" : arSEA(22,1) = "fontext.dll"

arSEA(23,0) = "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" : arSEA(23,1) = "icmui.dll"

arSEA(24,0) = "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" : arSEA(24,1) = "rshx32.dll"

arSEA(25,0) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" : arSEA(25,1) = "ntshrui.dll"

arSEA(26,0) = "{f92e8c40-3d33-11d2-b1aa-080036a75b03}" : arSEA(26,1) = "deskperf.dll"

arSEA(27,0) = "{7444C717-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(27,1) = "cryptext.dll"

arSEA(28,0) = "{7444C719-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(28,1) = "cryptext.dll"

arSEA(29,0) = "{7007ACC7-3202-11D1-AAD2-00805FC1270E}" : arSEA(29,1) = "NETSHELL.dll"

arSEA(30,0) = "{992CFFA0-F557-101A-88EC-00DD010CCC48}" : arSEA(30,1) = "NETSHELL.dll"

arSEA(31,0) = "{E211B736-43FD-11D1-9EFB-0000F8757FCD}" : arSEA(31,1) = "wiashext.dll"

arSEA(32,0) = "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" : arSEA(32,1) = "wiashext.dll"

arSEA(33,0) = "{905667aa-acd6-11d2-8080-00805f6596d2}" : arSEA(33,1) = "wiashext.dll"

arSEA(34,0) = "{3F953603-1008-4f6e-A73A-04AAC7A992F1}" : arSEA(34,1) = "wiashext.dll"

arSEA(35,0) = "{83bbcbf3-b28a-4919-a5aa-73027445d672}" : arSEA(35,1) = "wiashext.dll"

arSEA(36,0) = "{F0152790-D56E-4445-850E-4F3117DB740C}" : arSEA(36,1) = "remotepg.dll"

arSEA(37,0) = "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" : arSEA(37,1) = "wuaucpl.cpl"

arSEA(38,0) = "{60254CA5-953B-11CF-8C96-00AA00B8708C}" : arSEA(38,1) = "wshext.dll"

arSEA(39,0) = "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" : arSEA(39,1) = "oledb32.dll"

arSEA(40,0) = "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" : arSEA(40,1) = "mstask.dll"

arSEA(41,0) = "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" : arSEA(41,1) = "mstask.dll"

arSEA(42,0) = "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" : arSEA(42,1) = "mstask.dll"

arSEA(43,0) = "{0DF44EAA-FF21-4412-828E-260A8728E7F1}" : arSEA(43,1) = ""

arSEA(44,0) = "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(44,1) = "shdocvw.dll"

arSEA(45,0) = "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(45,1) = "shdocvw.dll"

arSEA(46,0) = "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(46,1) = "shdocvw.dll"

arSEA(47,0) = "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(47,1) = "shdocvw.dll"

arSEA(48,0) = "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(48,1) = "shdocvw.dll"

arSEA(49,0) = "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(49,1) = "shdocvw.dll"

arSEA(50,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524152}" : arSEA(50,1) = "shdocvw.dll"

arSEA(51,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524153}" : arSEA(51,1) = "shdocvw.dll"

arSEA(52,0) = "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" : arSEA(52,1) = "shmedia.dll"

arSEA(53,0) = "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" : arSEA(53,1) = "shmedia.dll"

arSEA(54,0) = "{E4B29F9D-D390-480b-92FD-7DDB47101D71}" : arSEA(54,1) = "shmedia.dll"

arSEA(55,0) = "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" : arSEA(55,1) = "shmedia.dll"

arSEA(56,0) = "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" : arSEA(56,1) = "shmedia.dll"

arSEA(57,0) = "{c5a40261-cd64-4ccf-84cb-c394da41d590}" : arSEA(57,1) = "shmedia.dll"

arSEA(58,0) = "{5E6AB780-7743-11CF-A12B-00AA004AE837}" : arSEA(58,1) = "browseui.dll"

arSEA(59,0) = "{22BF0C20-6DA7-11D0-B373-00A0C9034938}" : arSEA(59,1) = "browseui.dll"

arSEA(60,0) = "{91EA3F8B-C99B-11d0-9815-00C04FD91972}" : arSEA(60,1) = "browseui.dll"

arSEA(61,0) = "{6413BA2C-B461-11d1-A18A-080036B11A03}" : arSEA(61,1) = "browseui.dll"

arSEA(62,0) = "{F61FFEC1-754F-11d0-80CA-00AA005B4383}" : arSEA(62,1) = "browseui.dll"

arSEA(63,0) = "{7BA4C742-9E81-11CF-99D3-00AA004AE837}" : arSEA(63,1) = "browseui.dll"

arSEA(64,0) = "{30D02401-6A81-11d0-8274-00C04FD5AE38}" : arSEA(64,1) = "browseui.dll"

arSEA(65,0) = "{32683183-48a0-441b-a342-7c2a440a9478}" : arSEA(65,1) = "browseui.dll"

arSEA(66,0) = "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" : arSEA(66,1) = "browseui.dll"

arSEA(67,0) = "{07798131-AF23-11d1-9111-00A0C98BA67D}" : arSEA(67,1) = "browseui.dll"

arSEA(68,0) = "{AF4F6510-F982-11d0-8595-00AA004CD6D8}" : arSEA(68,1) = "browseui.dll"

arSEA(69,0) = "{01E04581-4EEE-11d0-BFE9-00AA005B4383}" : arSEA(69,1) = "browseui.dll"

arSEA(70,0) = "{A08C11D2-A228-11d0-825B-00AA005B4383}" : arSEA(70,1) = "browseui.dll"

arSEA(71,0) = "{00BB2763-6A77-11D0-A535-00C04FD7D062}" : arSEA(71,1) = "browseui.dll"

arSEA(72,0) = "{7376D660-C583-11d0-A3A5-00C04FD706EC}" : arSEA(72,1) = "browseui.dll"

arSEA(73,0) = "{6756A641-DE71-11d0-831B-00AA005B4383}" : arSEA(73,1) = "browseui.dll"

arSEA(74,0) = "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" : arSEA(74,1) = "browseui.dll"

arSEA(75,0) = "{7e653215-fa25-46bd-a339-34a2790f3cb7}" : arSEA(75,1) = "browseui.dll"

arSEA(76,0) = "{acf35015-526e-4230-9596-becbe19f0ac9}" : arSEA(76,1) = "browseui.dll"

arSEA(77,0) = "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" : arSEA(77,1) = "browseui.dll"

arSEA(78,0) = "{00BB2764-6A77-11D0-A535-00C04FD7D062}" : arSEA(78,1) = "browseui.dll"

arSEA(79,0) = "{03C036F1-A186-11D0-824A-00AA005B4383}" : arSEA(79,1) = "browseui.dll"

arSEA(80,0) = "{00BB2765-6A77-11D0-A535-00C04FD7D062}" : arSEA(80,1) = "browseui.dll"

arSEA(81,0) = "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" : arSEA(81,1) = "browseui.dll"

arSEA(82,0) = "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" : arSEA(82,1) = "browseui.dll"

arSEA(83,0) = "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" : arSEA(83,1) = "browseui.dll"

arSEA(84,0) = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" : arSEA(84,1) = "browseui.dll"

arSEA(85,0) = "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" : arSEA(85,1) = "browseui.dll"

arSEA(86,0) = "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" : arSEA(86,1) = "browseui.dll"

arSEA(87,0) = "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" : arSEA(87,1) = "shdocvw.dll"

arSEA(88,0) = "{0A89A860-D7B1-11CE-8350-444553540000}" : arSEA(88,1) = "shdocvw.dll"

arSEA(89,0) = "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" : arSEA(89,1) = "shdocvw.dll"

arSEA(90,0) = "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" : arSEA(90,1) = "shdocvw.dll"

arSEA(91,0) = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" : arSEA(91,1) = "shdocvw.dll"

arSEA(92,0) = "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" : arSEA(92,1) = "shdocvw.dll"

arSEA(93,0) = "{FF393560-C2A7-11CF-BFF4-444553540000}" : arSEA(93,1) = "shdocvw.dll"

arSEA(94,0) = "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" : arSEA(94,1) = "shdocvw.dll"

arSEA(95,0) = "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" : arSEA(95,1) = "shdocvw.dll"

arSEA(96,0) = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" : arSEA(96,1) = "shdocvw.dll"

arSEA(97,0) = "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" : arSEA(97,1) = "shdocvw.dll"

arSEA(98,0) = "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" : arSEA(98,1) = "shdocvw.dll"

arSEA(99,0) = "{131A6951-7F78-11D0-A979-00C04FD705A2}" : arSEA(99,1) = "shdocvw.dll"

arSEA(100,0) = "{9461b922-3c5a-11d2-bf8b-00c04fb93661}" : arSEA(100,1) = "shdocvw.dll"

arSEA(101,0) = "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" : arSEA(101,1) = "shdocvw.dll"

arSEA(102,0) = "{871C5380-42A0-1069-A2EA-08002B30309D}" : arSEA(102,1) = "shdocvw.dll"

arSEA(103,0) = "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" : arSEA(103,1) = "shdocvw.dll"

arSEA(104,0) = "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(104,1) = "sendmail.dll"

arSEA(105,0) = "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(105,1) = "sendmail.dll"

arSEA(106,0) = "{88C6C381-2E85-11D0-94DE-444553540000}" : arSEA(106,1) = "occache.dll"

arSEA(107,0) = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" : arSEA(107,1) = "webcheck.dll"

arSEA(108,0) = "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" : arSEA(108,1) = "webcheck.dll"

arSEA(109,0) = "{F5175861-2688-11d0-9C5E-00AA00A45957}" : arSEA(109,1) = "webcheck.dll"

arSEA(110,0) = "{08165EA0-E946-11CF-9C87-00AA005127ED}" : arSEA(110,1) = "webcheck.dll"

arSEA(111,0) = "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" : arSEA(111,1) = "webcheck.dll"

arSEA(112,0) = "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" : arSEA(112,1) = "webcheck.dll"

arSEA(113,0) = "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" : arSEA(113,1) = "webcheck.dll"

arSEA(114,0) = "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" : arSEA(114,1) = "webcheck.dll"

arSEA(115,0) = "{D8BD2030-6FC9-11D0-864F-00AA006809D9}" : arSEA(115,1) = "webcheck.dll"

arSEA(116,0) = "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" : arSEA(116,1) = "webcheck.dll"

arSEA(117,0) = "{352EC2B7-8B9A-11D1-B8AE-006008059382}" : arSEA(117,1) = "appwiz.cpl"

arSEA(118,0) = "{0B124F8F-91F0-11D1-B8B5-006008059382}" : arSEA(118,1) = "appwiz.cpl"

arSEA(119,0) = "{CFCCC7A0-A282-11D1-9082-006008059382}" : arSEA(119,1) = "appwiz.cpl"

arSEA(120,0) = "{e84fda7c-1d6a-45f6-b725-cb260c236066}" : arSEA(120,1) = "shimgvw.dll"

arSEA(121,0) = "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}" : arSEA(121,1) = "shimgvw.dll"

arSEA(122,0) = "{3F30C968-480A-4C6C-862D-EFC0897BB84B}" : arSEA(122,1) = "shimgvw.dll"

arSEA(123,0) = "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" : arSEA(123,1) = "shimgvw.dll"

arSEA(124,0) = "{EAB841A0-9550-11cf-8C16-00805F1408F3}" : arSEA(124,1) = "shimgvw.dll"

arSEA(125,0) = "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}" : arSEA(125,1) = "shimgvw.dll"

arSEA(126,0) = "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" : arSEA(126,1) = "netplwiz.dll"

arSEA(127,0) = "{add36aa8-751a-4579-a266-d66f5202ccbb}" : arSEA(127,1) = "netplwiz.dll"

arSEA(128,0) = "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" : arSEA(128,1) = "netplwiz.dll"

arSEA(129,0) = "{58f1f272-9240-4f51-b6d4-fd63d1618591}" : arSEA(129,1) = "netplwiz.dll"

arSEA(130,0) = "{7A9D77BD-5403-11d2-8785-2E0420524153}" : arSEA(130,1) = ""

arSEA(131,0) = "{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" : arSEA(131,1) = "zipfldr.dll"

arSEA(132,0) = "{BD472F60-27FA-11cf-B8B4-444553540000}" : arSEA(132,1) = "zipfldr.dll"

arSEA(133,0) = "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}" : arSEA(133,1) = "zipfldr.dll"

arSEA(134,0) = "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}" : arSEA(134,1) = "cdfview.dll"

arSEA(135,0) = "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}" : arSEA(135,1) = "cdfview.dll"

arSEA(136,0) = "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}" : arSEA(136,1) = "cdfview.dll"

arSEA(137,0) = "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}" : arSEA(137,1) = "cdfview.dll"

arSEA(138,0) = "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}" : arSEA(138,1) = "cdfview.dll"

arSEA(139,0) = "{63da6ec0-2e98-11cf-8d82-444553540000}" : arSEA(139,1) = "msieftp.dll"

arSEA(140,0) = "{883373C3-BF89-11D1-BE35-080036B11A03}" : arSEA(140,1) = "docprop2.dll"

arSEA(141,0) = "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}" : arSEA(141,1) = "docprop2.dll"

arSEA(142,0) = "{8EE97210-FD1F-4B19-91DA-67914005F020}" : arSEA(142,1) = "docprop2.dll"

arSEA(143,0) = "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}" : arSEA(143,1) = "docprop2.dll"

arSEA(144,0) = "{6A205B57-2567-4A2C-B881-F787FAB579A3}" : arSEA(144,1) = "docprop2.dll"

arSEA(145,0) = "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}" : arSEA(145,1) = "docprop2.dll"

arSEA(146,0) = "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" : arSEA(146,1) = "dsquery.dll"

arSEA(147,0) = "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" : arSEA(147,1) = "dsquery.dll"

arSEA(148,0) = "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" : arSEA(148,1) = "dsquery.dll"

arSEA(149,0) = "{F020E586-5264-11d1-A532-0000F8757D7E}" : arSEA(149,1) = "dsquery.dll"

arSEA(150,0) = "{0D45D530-764B-11d0-A1CA-00AA00C16E65}" : arSEA(150,1) = "dsuiext.dll"

arSEA(151,0) = "{62AE1F9A-126A-11D0-A14B-0800361B1103}" : arSEA(151,1) = "dsuiext.dll"

arSEA(152,0) = "{ECF03A33-103D-11d2-854D-006008059367}" : arSEA(152,1) = "mydocs.dll"

arSEA(153,0) = "{ECF03A32-103D-11d2-854D-006008059367}" : arSEA(153,1) = "mydocs.dll"

arSEA(154,0) = "{4a7ded0a-ad25-11d0-98a8-0800361b1103}" : arSEA(154,1) = "mydocs.dll"

arSEA(155,0) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}" : arSEA(155,1) = "cscui.dll"

arSEA(156,0) = "{10CFC467-4392-11d2-8DB4-00C04FA31A66}" : arSEA(156,1) = "cscui.dll"

arSEA(157,0) = "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" : arSEA(157,1) = "cscui.dll"

arSEA(158,0) = "{143A62C8-C33B-11D1-84FE-00C04FA34A14}" : arSEA(158,1) = "agentpsh.dll"

arSEA(159,0) = "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}" : arSEA(159,1) = "dfsshlex.dll"

arSEA(160,0) = "{60fd46de-f830-4894-a628-6fa81bc0190d}" : arSEA(160,1) = "photowiz.dll"

arSEA(161,0) = "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" : arSEA(161,1) = "mmcshext.dll"

arSEA(162,0) = "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" : arSEA(162,1) = "cabview.dll"

arSEA(163,0) = "{32714800-2E5F-11d0-8B85-00AA0044F941}" : arSEA(163,1) = "wabfind.dll"

arSEA(164,0) = "{8DD448E6-C188-4aed-AF92-44956194EB1F}" : arSEA(164,1) = "wmpshell.dll"

arSEA(165,0) = "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}" : arSEA(165,1) = "wmpshell.dll"

arSEA(166,0) = "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}" : arSEA(166,1) = "wmpshell.dll"

'W2K

arSEA(167,0) = "{41E300E0-78B6-11ce-849B-444553540000}" : arSEA(167,1) = "plustab.dll"

arSEA(168,0) = "{1A9BA3A0-143A-11CF-8350-444553540000}" : arSEA(168,1) = "shell32.dll"

arSEA(169,0) = "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" : arSEA(169,1) = "shell32.dll"

arSEA(170,0) = "{86747AC0-42A0-1069-A2E6-08002B30309D}" : arSEA(170,1) = "shell32.dll"

arSEA(171,0) = "{0AFACED1-E828-11D1-9187-B532F1E9575D}" : arSEA(171,1) = "shell32.dll"

arSEA(172,0) = "{12518493-00B2-11d2-9FA5-9E3420524153}" : arSEA(172,1) = "shell32.dll"

arSEA(173,0) = "{21B22460-3AEA-1069-A2DC-08002B30309D}" : arSEA(173,1) = "shell32.dll"

arSEA(174,0) = "{B091E540-83E3-11CF-A713-0020AFD79762}" : arSEA(174,1) = "shell32.dll"

arSEA(175,0) = "{FBF23B41-E3F0-101B-8488-00AA003E56F8}" : arSEA(175,1) = "shell32.dll"

arSEA(176,0) = "{C2FBB630-2971-11d1-A18C-00C04FD75D13}" : arSEA(176,1) = "shell32.dll"

arSEA(177,0) = "{C2FBB631-2971-11d1-A18C-00C04FD75D13}" : arSEA(177,1) = "shell32.dll"

arSEA(178,0) = "{13709620-C279-11CE-A49E-444553540000}" : arSEA(178,1) = "shell32.dll"

arSEA(179,0) = "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}" : arSEA(179,1) = "shell32.dll"

arSEA(180,0) = "{4622AD11-FF23-11d0-8D34-00A0C90F2719}" : arSEA(180,1) = "shell32.dll"

arSEA(181,0) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}" : arSEA(181,1) = "shell32.dll"

arSEA(182,0) = "{D969A300-E7FF-11d0-A93B-00A0C90F2719}" : arSEA(182,1) = "shell32.dll"

arSEA(183,0) = "{09799AFB-AD67-11d1-ABCD-00C04FC30936}" : arSEA(183,1) = "shell32.dll"

arSEA(184,0) = "{3FC0B520-68A9-11D0-8D77-00C04FD70822}" : arSEA(184,1) = "shell32.dll"

arSEA(185,0) = "{75048700-EF1F-11D0-9888-006097DEACF9}" : arSEA(185,1) = "shell32.dll"

arSEA(186,0) = "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}" : arSEA(186,1) = "shell32.dll"

arSEA(187,0) = "{57651662-CE3E-11D0-8D77-00C04FC99D61}" : arSEA(187,1) = "shell32.dll"

arSEA(188,0) = "{4657278A-411B-11d2-839A-00C04FD918D0}" : arSEA(188,1) = "shell32.dll"

arSEA(189,0) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}" : arSEA(189,1) = "shell32.dll"

arSEA(190,0) = "{568804CA-CBD7-11d0-9816-00C04FD91972}" : arSEA(190,1) = "browseui.dll"

arSEA(191,0) = "{5b4dae26-b807-11d0-9815-00c04fd91972}" : arSEA(191,1) = "browseui.dll"

arSEA(192,0) = "{8278F931-2A3E-11d2-838F-00C04FD918D0}" : arSEA(192,1) = "browseui.dll"

arSEA(193,0) = "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" : arSEA(193,1) = "browseui.dll"

arSEA(194,0) = "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" : arSEA(194,1) = "browseui.dll"

arSEA(195,0) = "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" : arSEA(195,1) = "browseui.dll"

arSEA(196,0) = "{0E5CBF21-D15F-11d0-8301-00AA005B4383}" : arSEA(196,1) = "browseui.dll"

arSEA(197,0) = "{7487cd30-f71a-11d0-9ea7-00805f714772}" : arSEA(197,1) = "browseui.dll"

arSEA(198,0) = "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}" : arSEA(198,1) = "thumbvw.dll"

arSEA(199,0) = "{EAB841A0-9550-11CF-8C16-00805F1408F3}" : arSEA(199,1) = "thumbvw.dll"

arSEA(200,0) = "{1AEB1360-5AFC-11D0-B806-00C04FD706EC}" : arSEA(200,1) = "thumbvw.dll"

arSEA(201,0) = "{9DBD2C50-62AD-11D0-B806-00C04FD706EC}" : arSEA(201,1) = "thumbvw.dll"

arSEA(202,0) = "{500202A0-731E-11D0-B829-00C04FD706EC}" : arSEA(202,1) = "thumbvw.dll"

arSEA(203,0) = "{0B124F8C-91F0-11D1-B8B5-006008059382}" : arSEA(203,1) = "appwiz.cpl"

arSEA(204,0) = "{fe1290f0-cfbd-11cf-a330-00aa00c16e65}" : arSEA(204,1) = "dsfolder.dll"

arSEA(205,0) = "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" : arSEA(205,1) = "dsfolder.dll"

arSEA(206,0) = "{450D8FBA-AD25-11D0-98A8-0800361B1103}" : arSEA(206,1) = "mydocs.dll"

'WXP SP2

arSEA(207,0) = "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(207,1) = "shdocvw.dll"

arSEA(208,0) = "{596AB062-B4D2-4215-9F74-E9109B0A8153}" : arSEA(208,1) = "twext.dll"

arSEA(209,0) = "{9DB7A13C-F208-4981-8353-73CC61AE2783}" : arSEA(209,1) = "twext.dll"

arSEA(210,0) = "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" : arSEA(210,1) = "extmgr.dll"

'NT4

arSEA(211,0) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}" : arSEA(211,1) = "shcompui.dll"

arSEA(212,0) = "{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}" : arSEA(212,1) = "thumbvw.dll"

arSEA(213,0) = "{13709620-C279-11CE-A49E-444553540000}" : arSEA(213,1) = "SHDOC401.DLL"

arSEA(214,0) = "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}" : arSEA(214,1) = "SHDOC401.DLL"

arSEA(215,0) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}" : arSEA(215,1) = "SHDOC401.DLL"

arSEA(216,0) = "{D969A300-E7FF-11d0-A93B-00A0C90F2719}" : arSEA(216,1) = "SHDOC401.DLL"

arSEA(217,0) = "{4622AD11-FF23-11d0-8D34-00A0C90F2719}" : arSEA(217,1) = "SHDOC401.DLL"

arSEA(218,0) = "{3AD1E410-AAB9-11d0-89D7-00C04FC9E26E}" : arSEA(218,1) = "SHDOCVW.DLL"

arSEA(219,0) = "{57651662-CE3E-11D0-8D77-00C04FC99D61}" : arSEA(219,1) = "SHDOC401.DLL"

arSEA(220,0) = "{B091E540-83E3-11CF-A713-0020AFD79762}" : arSEA(220,1) = "SHDOC401.DLL"

arSEA(221,0) = "{3FC0B520-68A9-11D0-8D77-00C04FD70822}" : arSEA(221,1) = "SHDOC401.DLL"

arSEA(222,0) = "{7D688A77-C613-11D0-999B-00C04FD655E1}" : arSEA(222,1) = "SHELL32.dll"

arSEA(223,0) = "{BDEADF00-C265-11d0-BCED-00A0C90AB50F}" : arSEA(223,1) = "MSONSEXT.DLL"

arSEA(224,0) = "{C2FBB630-2971-11d1-A18C-00C04FD75D13}" : arSEA(224,1) = "SHDOC401.DLL"

arSEA(225,0) = "{C2FBB631-2971-11d1-A18C-00C04FD75D13}" : arSEA(225,1) = "SHDOC401.DLL"

arSEA(226,0) = "{75048700-EF1F-11D0-9888-006097DEACF9}" : arSEA(226,1) = "SHDOC401.DLL"

arSEA(227,0) = "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}" : arSEA(227,1) = "SHDOC401.DLL"

arSEA(228,0) = "{FBF23B41-E3F0-101B-8488-00AA003E56F8}" : arSEA(228,1) = "SHDOC401.DLL"

arSEA(229,0) = "{5a61f7a0-cde1-11cf-9113-00aa00425c62}" : arSEA(229,1) = "w3ext.dll"

'WMe

arSEA(230,0) = "{3F30C968-480A-4C6C-862D-EFC0897BB84B}" : arSEA(230,1) = "THUMBVW.DLL" 'see (122)

arSEA(231,0) = "{53C74826-AB99-4d33-ACA4-3117F51D3788}" : arSEA(231,1) = "SHELL32.DLL"

arSEA(232,0) = "{992CFFA0-F557-101A-88EC-00DD010CCC48}" : arSEA(232,1) = "rnaui.dll" 'see (30)

arSEA(233,0) = "{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}" : arSEA(233,1) = "SHELL32.DLL"

'MS PowerToys

arSEA(234,0) = "{AA7C7080-860A-11CE-8424-08002B2CFF76}" : arSEA(234,1) = "SENDTOX.DLL"

arSEA(235,0) = "{7BB70120-6C78-11CF-BFC7-444553540000}" : arSEA(235,1) = "SENDTOX.DLL"

arSEA(236,0) = "{7BB70122-6C78-11CF-BFC7-444553540000}" : arSEA(236,1) = "SENDTOX.DLL"

arSEA(237,0) = "{7BB70121-6C78-11CF-BFC7-444553540000}" : arSEA(237,1) = "SENDTOX.DLL"

arSEA(238,0) = "{7BB70123-6C78-11CF-BFC7-444553540000}" : arSEA(238,1) = "SENDTOX.DLL"

arSEA(239,0) = "{9E56BE62-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(239,1) = "SENDTOX.DLL"

arSEA(240,0) = "{90A756E0-AFCF-11CE-927B-0800095AE340}" : arSEA(240,1) = "target.dll"

arSEA(241,0) = "{afc638f0-e8a4-11ce-9ade-00aa00a42d2e}" : arSEA(241,1) = "TTFExtNT.dll"

'etc

arSEA(242,0) = "{1D2680C9-0E2A-469d-B787-065558BC7D43}" : arSEA(242,1) = "mscoree.dll"

arSEA(243,0) = "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" : arSEA(243,1) = "wuaueng.dll"

'WXP IE 7

arSEA(244,0) = "{07C45BB1-4A8C-4642-A1F5-237E7215FF66}" : arSEA(244,1) = "ieframe.dll"

arSEA(245,0) = "{1C1EDB47-CE22-4bbb-B608-77B48F83C823}" : arSEA(245,1) = "ieframe.dll"

arSEA(246,0) = "{205D7A97-F16D-4691-86EF-F3075DCCA57D}" : arSEA(246,1) = "ieframe.dll"

arSEA(247,0) = "{3028902F-6374-48b2-8DC6-9725E775B926}" : arSEA(247,1) = "ieframe.dll"

arSEA(248,0) = "{30D02401-6A81-11d0-8274-00C04FD5AE38}" : arSEA(248,1) = "ieframe.dll"

arSEA(249,0) = "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" : arSEA(249,1) = "ieframe.dll"

arSEA(250,0) = "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" : arSEA(250,1) = "ieframe.dll"

arSEA(251,0) = "{43886CD5-6529-41c4-A707-7B3C92C05E68}" : arSEA(251,1) = "ieframe.dll"

arSEA(252,0) = "{44C76ECD-F7FA-411c-9929-1B77BA77F524}" : arSEA(252,1) = "ieframe.dll"

arSEA(253,0) = "{4B78D326-D922-44f9-AF2A-07805C2A3560}" : arSEA(253,1) = "ieframe.dll"

arSEA(254,0) = "{6038EF75-ABFC-4e59-AB6F-12D397F6568D}" : arSEA(254,1) = "ieframe.dll"

arSEA(255,0) = "{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}" : arSEA(255,1) = "ieframe.dll"

arSEA(256,0) = "{6CF48EF8-44CD-45d2-8832-A16EA016311B}" : arSEA(256,1) = "ieframe.dll"

arSEA(257,0) = "{73CFD649-CD48-4fd8-A272-2070EA56526B}" : arSEA(257,1) = "ieframe.dll"

arSEA(258,0) = "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" : arSEA(258,1) = "ieframe.dll"

arSEA(259,0) = "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" : arSEA(259,1) = "ieframe.dll"

arSEA(260,0) = "{871C5380-42A0-1069-A2EA-08002B30309D}" : arSEA(260,1) = "ieframe.dll"

arSEA(261,0) = "{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8}" : arSEA(261,1) = "ieframe.dll"

arSEA(262,0) = "{9a096bb5-9dc3-4d1c-8526-c3cbf991ea4e}" : arSEA(262,1) = "ieframe.dll"

arSEA(263,0) = "{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}" : arSEA(263,1) = "ieframe.dll"

arSEA(264,0) = "{B31C5FAE-961F-415b-BAF0-E697A5178B94}" : arSEA(264,1) = "ieframe.dll"

arSEA(265,0) = "{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}" : arSEA(265,1) = "ieframe.dll"

arSEA(266,0) = "{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A}" : arSEA(266,1) = "ieframe.dll"

arSEA(267,0) = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" : arSEA(267,1) = "ieframe.dll"

arSEA(268,0) = "{E6EE9AAC-F76B-4947-8260-A9F136138E11}" : arSEA(268,1) = "ieframe.dll"

arSEA(269,0) = "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" : arSEA(269,1) = "ieframe.dll"

arSEA(270,0) = "{F0353E1D-FEEC-474e-A984-1E5C6865E380}" : arSEA(270,1) = "ieframe.dll"

arSEA(271,0) = "{F2CF5485-4E02-4f68-819C-B92DE9277049}" : arSEA(271,1) = "ieframe.dll"

arSEA(272,0) = "{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E}" : arSEA(272,1) = "ieframe.dll"

arSEA(273,0) = "{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}" : arSEA(273,1) = "ieframe.dll"

arSEA(274,0) = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" : arSEA(274,1) = "ieframe.dll"

arSEA(275,0) = "{FDE7673D-2E19-4145-8376-BBD58C4BC7BA}" : arSEA(275,1) = "ieframe.dll"

arSEA(276,0) = "{FF393560-C2A7-11CF-BFF4-444553540000}" : arSEA(276,1) = "ieframe.dll"

'WVa

arSEA(277,0) = "{00021401-0000-0000-C000-000000000046}" : arSEA(277,1) = "shell32.dll"

arSEA(278,0) = "{00f20eb5-8fd6-4d9d-b75e-36801766c8f1}" : arSEA(278,1) = "PhotoAcq.dll"

arSEA(279,0) = "{025A5937-A6BE-4686-A844-36FE4BEC8B6D}" : arSEA(279,1) = "shdocvw.dll"

arSEA(280,0) = "{056440FD-8568-48e7-A632-72157243B55B}" : arSEA(280,1) = "browseui.dll"

arSEA(281,0) = "{0a4286ea-e355-44fb-8086-af3df7645bd9}" : arSEA(281,1) = "wmpband.dll"

arSEA(282,0) = "{0AFCCBA6-BF90-4A4E-8482-0AC960981F5B}" : arSEA(282,1) = "shell32.dll"

arSEA(283,0) = "{0BFCF7B7-E7B6-433a-B205-2904FCF040DD}" : arSEA(283,1) = "appwiz.cpl"

arSEA(284,0) = "{11dbb47c-a525-400b-9e80-a54615a090c0}" : arSEA(284,1) = "ExplorerFrame.dll"

arSEA(285,0) = "{13D3C4B8-B179-4ebb-BF62-F704173E7448}" : arSEA(285,1) = "wab32.dll"

arSEA(286,0) = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}" : arSEA(286,1) = "shell32.dll"

arSEA(287,0) = "{15D633E2-AD00-465b-9EC7-F56B7CDF8E27}" : arSEA(287,1) = "TipBand.dll"

arSEA(288,0) = "{15eae92e-f17a-4431-9f28-805e482dafd4}" : arSEA(288,1) = "appwiz.cpl"

arSEA(289,0) = "{16C2C29D-0E5F-45f3-A445-03E03F587B7D}" : arSEA(289,1) = "wab32.dll"

arSEA(290,0) = "{176d6597-26d3-11d1-b350-080036a75b03}" : arSEA(290,1) = "colorui.dll"

arSEA(291,0) = "{17cd9488-1228-4b2f-88ce-4298e93e0966}" : arSEA(291,1) = "shdocvw.dll"

arSEA(292,0) = "{1a184871-359e-4f67-aad9-5b9905d62232}" : arSEA(292,1) = "fontext.dll"

arSEA(293,0) = "{1FA9085F-25A2-489B-85D4-86326EEDCD87}" : arSEA(293,1) = "wlanpref.dll"

arSEA(294,0) = "{21569614-B795-46b1-85F4-E737A8DC09AD}" : arSEA(294,1) = "browseui.dll"

arSEA(295,0) = "{21ec2020-3aea-1069-a2dd-08002b30309d}" : arSEA(295,1) = "shell32.dll"

arSEA(296,0) = "{25336920-03f9-11cf-8fd0-00aa00686f13}" : arSEA(296,1) = "mshtml.dll"

arSEA(297,0) = "{25585dc7-4da0-438d-ad04-e42c8d2d64b9}" : arSEA(297,1) = "shell32.dll"

arSEA(298,0) = "{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(298,1) = "shdocvw.dll"

arSEA(299,0) = "{2781761E-28E0-4109-99FE-B9D127C57AFE}" : arSEA(299,1) = "MpOav.dll"

arSEA(300,0) = "{289978AC-A101-4341-A817-21EBA7FD046D}" : arSEA(300,1) = "SyncCenter.dll"

arSEA(301,0) = "{2BC0DA0E-F1BC-43AB-B4B5-738EB6B51E7E}" : arSEA(301,1) = "fontext.dll"

arSEA(302,0) = "{2E9E59C0-B437-4981-A647-9C34B9B90891}" : arSEA(302,1) = "SyncCenter.dll"

arSEA(303,0) = "{3050f3d9-98b5-11cf-bb82-00aa00bdce0b}" : arSEA(303,1) = "mshtml.dll"

arSEA(304,0) = "{3080F90D-D7AD-11D9-BD98-0000947B0257}" : arSEA(304,1) = "shdocvw.dll"

arSEA(305,0) = "{3080F90E-D7AD-11D9-BD98-0000947B0257}" : arSEA(305,1) = "shdocvw.dll"

arSEA(306,0) = "{328B0346-7EAF-4BBE-A479-7CB88A095F5B}" : arSEA(306,1) = "shell32.dll"

arSEA(307,0) = "{335a31dd-f04b-4d76-a925-d6b47cf360df}" : arSEA(307,1) = "shdocvw.dll"

arSEA(308,0) = "{35786D3C-B075-49b9-88DD-029876E11C01}" : arSEA(308,1) = "wpdshext.dll"

arSEA(309,0) = "{36eef7db-88ad-4e81-ad49-0e313f0c35f8}" : arSEA(309,1) = "shdocvw.dll"

arSEA(310,0) = "{3c2654c6-7372-4f6b-b310-55d6128f49d2}" : arSEA(310,1) = "shell32.dll"

arSEA(311,0) = "{3F30C968-480A-4C6C-862D-EFC0897BB84B}" : arSEA(311,1) = "PhotoMetadataHandler.dll"

arSEA(312,0) = "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" : arSEA(312,1) = "mediametadatahandler.dll"

arSEA(313,0) = "{4336a54d-038b-4685-ab02-99bb52d3fb8b}" : arSEA(313,1) = "shdocvw.dll"

arSEA(314,0) = "{437ff9c0-a07f-4fa0-af80-84b6c6440a16}" : arSEA(314,1) = "shell32.dll"

arSEA(315,0) = "{44121072-A222-48f2-A58A-6D9AD51EBBE9}" : arSEA(315,1) = "XPSSHHDR.DLL"

arSEA(316,0) = "{44f3dab6-4392-4186-bb7b-6282ccb7a9f6}" : arSEA(316,1) = "mydocs.dll"

arSEA(317,0) = "{45670FA8-ED97-4F44-BC93-305082590BFB}" : arSEA(317,1) = "XPSSHHDR.DLL"

arSEA(318,0) = "{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}" : arSEA(318,1) = "cscui.dll"

arSEA(319,0) = "{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486}" : arSEA(319,1) = "icsigd.dll"

arSEA(320,0) = "{4B534112-3AF6-4697-A77C-D62CE9B9E7CF}" : arSEA(320,1) = "SyncCenter.dll"

arSEA(321,0) = "{4D1209BD-36E2-4e2f-840D-6C7FB879DD9E}" : arSEA(321,1) = "shdocvw.dll"

arSEA(322,0) = "{4d5c8c2a-d075-11d0-b416-00c04fb90376}" : arSEA(322,1) = "browseui.dll"

arSEA(323,0) = "{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A}" : arSEA(323,1) = "gameux.dll"

arSEA(324,0) = "{4E77131D-3629-431c-9818-C5679DC83E81}" : arSEA(324,1) = "cscui.dll"

arSEA(325,0) = "{4F58F63F-244B-4c07-B29F-210BE59BE9B4}" : arSEA(325,1) = "wab32.dll"

arSEA(326,0) = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" : arSEA(326,1) = "acppage.dll"

arSEA(327,0) = "{53BEDF0B-4E5B-4183-8DC9-B844344FA104}" : arSEA(327,1) = "mssvp.dll"

arSEA(328,0) = "{576C9E85-1300-4EF5-BF6B-D00509F4EDCD}" : arSEA(328,1) = "SyncCenter.dll"

arSEA(329,0) = "{58E3C745-D971-4081-9034-86E34B30836A}" : arSEA(329,1) = "shdocvw.dll"

arSEA(330,0) = "{596742A5-1393-4e13-8765-AE1DF71ACAFB}" : arSEA(330,1) = "browseui.dll"

arSEA(331,0) = "{5DB2625A-54DF-11D0-B6C4-0800091AA605}" : arSEA(331,1) = "colorui.dll"

arSEA(332,0) = "{5FA29220-36A1-40f9-89C6-F4B384B7642E}" : arSEA(332,1) = "inetcomm.dll"

arSEA(333,0) = "{60632754-c523-4b62-b45c-4172da012619}" : arSEA(333,1) = "shdocvw.dll"

arSEA(334,0) = "{640167b4-59b0-47a6-b335-a6b3c0695aea}" : arSEA(334,1) = "audiodev.dll"

arSEA(335,0) = "{66742402-F9B9-11D1-A202-0000F81FEDEE}" : arSEA(335,1) = "shell32.dll"

arSEA(336,0) = "{675F097E-4C4D-11D0-B6C1-0800091AA605}" : arSEA(336,1) = "colorui.dll"

arSEA(337,0) = "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" : arSEA(337,1) = "shwebsvc.dll"

arSEA(338,0) = "{6b9228da-9c15-419e-856c-19e768a13bdc}" : arSEA(338,1) = "sbdrop.dll"

arSEA(339,0) = "{6D8BB3D3-9D87-4a91-AB56-4F30CFFEFE9F}" : arSEA(339,1) = "browseui.dll"

arSEA(340,0) = "{708e1662-b832-42a8-bbe1-0a77121e3908}" : arSEA(340,1) = "shell32.dll"

arSEA(341,0) = "{71D99464-3B6B-475C-B241-E15883207529}" : arSEA(341,1) = "SyncCenter.dll"

arSEA(342,0) = "{71f96385-ddd6-48d3-a0c1-ae06e8b055fb}" : arSEA(342,1) = "shell32.dll"

arSEA(343,0) = "{74246bfc-4c96-11d0-abef-0020af6b0b7a}" : arSEA(343,1) = "devmgr.dll"

arSEA(344,0) = "{78F3955E-3B90-4184-BD14-5397C15F1EFC}" : arSEA(344,1) = "shdocvw.dll"

arSEA(345,0) = "{7A0F6AB7-ED84-46B6-B47E-02AA159A152B}" : arSEA(345,1) = "SyncCenter.dll"

arSEA(346,0) = "{7b81be6a-ce2b-4676-a29e-eb907a5126c5}" : arSEA(346,1) = "appwiz.cpl"

arSEA(347,0) = "{7D4734E6-047E-41e2-AEAA-E763B4739DC4}" : arSEA(347,1) = "wmpshell.dll"

arSEA(348,0) = "{7EFA68C6-086B-43e1-A2D2-55A113531240}" : arSEA(348,1) = "cscui.dll"

arSEA(349,0) = "{8082C5E6-4C27-48ec-A809-B8E1122E8F97}" : arSEA(349,1) = "wab32.dll"

arSEA(350,0) = "{865e5e76-ad83-4dca-a109-50dc2113ce9a}" : arSEA(350,1) = "shell32.dll"

arSEA(351,0) = "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" : arSEA(351,1) = "mediametadatahandler.dll"

arSEA(352,0) = "{877ca5ac-cb41-4842-9c69-9136e42d47e2}" : arSEA(352,1) = "sdshext.dll"

arSEA(353,0) = "{8856f961-340a-11d0-a96b-00c04fd705a2}" : arSEA(353,1) = "ieframe.dll"

arSEA(354,0) = "{89D83576-6BD1-4c86-9454-BEB04E94C819}" : arSEA(354,1) = "mssvp.dll"

arSEA(355,0) = "{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" : arSEA(355,1) = "wmpshell.dll"

arSEA(356,0) = "{8a7cae0e-5951-49cb-bf20-ab3fa1e44b01}" : arSEA(356,1) = "fontext.dll"

arSEA(357,0) = "{8E25992B-373E-486E-80E5-BD23AE417E66}" : arSEA(357,1) = "SyncCenter.dll"

arSEA(358,0) = "{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}" : arSEA(358,1) = "shdocvw.dll"

arSEA(359,0) = "{90b9bce2-b6db-4fd3-8451-35917ea1081b}" : arSEA(359,1) = "ExplorerFrame.dll"

arSEA(360,0) = "{90f8c90b-04e0-4e92-a186-e6e9c125d664}" : arSEA(360,1) = "shdocvw.dll"

arSEA(361,0) = "{91ADC906-6722-4B05-A12B-471ADDCCE132}" : arSEA(361,1) = "TouchX.dll"

arSEA(362,0) = "{92337A8C-E11D-11D0-BE48-00C04FC30DF6}" : arSEA(362,1) = "oleprn.dll"

arSEA(363,0) = "{92dbad9f-5025-49b0-9078-2d78f935e341}" : arSEA(363,1) = "inetcomm.dll"

arSEA(364,0) = "{96AE8D84-A250-4520-95A5-A47A7E3C548B}" : arSEA(364,1) = "shdocvw.dll"

arSEA(365,0) = "{97e467b4-98c6-4f19-9588-161b7773d6f6}" : arSEA(365,1) = "propsys.dll"

arSEA(366,0) = "{9C60DE1E-E5FC-40f4-A487-460851A8D915}" : arSEA(366,1) = "shdocvw.dll"

arSEA(367,0) = "{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}" : arSEA(367,1) = "SyncCenter.dll"

arSEA(368,0) = "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" : arSEA(368,1) = "shell32.dll"

arSEA(369,0) = "{a38b883c-1682-497e-97b0-0a3a9e801682}" : arSEA(369,1) = "PhotoMetadataHandler.dll"

arSEA(370,0) = "{a42c2ccb-67d3-46fa-abe6-7d2f3488c7a3}" : arSEA(370,1) = "shell32.dll"

arSEA(371,0) = "{a542e116-8088-4146-a352-b0d06e7f6af6}" : arSEA(371,1) = "browseui.dll"

arSEA(372,0) = "{add36aa8-751a-4579-a266-d66f5202ccbb}" : arSEA(372,1) = "shwebsvc.dll"

arSEA(373,0) = "{b155bdf8-02f0-451e-9a26-ae317cfd7779}" : arSEA(373,1) = "shdocvw.dll"

arSEA(374,0) = "{b2952b16-0e07-4e5a-b993-58c52cb94cae}" : arSEA(374,1) = "shell32.dll"

arSEA(375,0) = "{B32D3949-ED98-4DBB-B347-17A144969BBA}" : arSEA(375,1) = "SyncCenter.dll"

arSEA(376,0) = "{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}" : arSEA(376,1) = "zipfldr.dll"

arSEA(377,0) = "{b9815375-5d7f-4ce2-9245-c9d4da436930}" : arSEA(377,1) = "inetcomm.dll"

arSEA(378,0) = "{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}" : arSEA(378,1) = "shdocvw.dll"

arSEA(379,0) = "{BB6B2374-3D79-41DB-87F4-896C91846510}" : arSEA(379,1) = "emdmgmt.dll"

arSEA(380,0) = "{BC48B32F-5910-47F5-8570-5074A8A5636A}" : arSEA(380,1) = "SyncCenter.dll"

arSEA(381,0) = "{BC65FB43-1958-4349-971A-210290480130}" : arSEA(381,1) = "NcdProp.dll"

arSEA(382,0) = "{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}" : arSEA(382,1) = "mssvp.dll"

arSEA(383,0) = "{BE122A0E-4503-11DA-8BDE-F66BAD1E3F3A}" : arSEA(383,1) = "shdocvw.dll"

arSEA(384,0) = "{C0B4E2F3-BA21-4773-8DBA-335EC946EB8B}" : arSEA(384,1) = "comdlg32.dll"

arSEA(385,0) = "{C4EC38BD-4E9E-4b5e-935A-D1BFF237D980}" : arSEA(385,1) = "browseui.dll"

arSEA(386,0) = "{c5a40261-cd64-4ccf-84cb-c394da41d590}" : arSEA(386,1) = "mediametadatahandler.dll"

arSEA(387,0) = "{C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9}" : arSEA(387,1) = "shdocvw.dll"

arSEA(388,0) = "{C7657C4A-9F68-40fa-A4DF-96BC08EB3551}" : arSEA(388,1) = "PhotoMetadataHandler.dll"

arSEA(389,0) = "{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1}" : arSEA(389,1) = "oobefldr.dll"

arSEA(390,0) = "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" : arSEA(390,1) = "shwebsvc.dll"

arSEA(391,0) = "{ceefea1b-3e29-4ef1-b34c-fec79c4f70af}" : arSEA(391,1) = "appwiz.cpl"

arSEA(392,0) = "{CF67796C-F57F-45F8-92FB-AD698826C602}" : arSEA(392,1) = "wab32.dll"

arSEA(393,0) = "{D34A6CA6-62C2-4C34-8A7C-14709C1AD938}" : arSEA(393,1) = "shdocvw.dll"

arSEA(394,0) = "{d450a8a1-9568-45c7-9c0e-b4f9fb4537bd}" : arSEA(394,1) = "appwiz.cpl"

arSEA(395,0) = "{D555645E-D4F8-4c29-A827-D93C859C4F2A}" : arSEA(395,1) = "shdocvw.dll"

arSEA(396,0) = "{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" : arSEA(396,1) = "wpdshext.dll"

arSEA(397,0) = "{D9EF8727-CAC2-4e60-809E-86F80A666C91}" : arSEA(397,1) = "shdocvw.dll"

arSEA(398,0) = "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" : arSEA(398,1) = "colorui.dll"

arSEA(399,0) = "{DC1C5A9C-E88A-4dde-A5A1-60F82A20AEF7}" : arSEA(399,1) = "comdlg32.dll"

arSEA(400,0) = "{DFFACDC5-679F-4156-8947-C5C76BC0B67F}" : arSEA(400,1) = "shdocvw.dll"

arSEA(401,0) = "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" : arSEA(401,1) = "dfshim.dll"

arSEA(402,0) = "{E413D040-6788-4C22-957E-175D1C513A34}" : arSEA(402,1) = "SyncCenter.dll"

arSEA(403,0) = "{E598560B-28D5-46aa-A14A-8A3BEA34B576}" : arSEA(403,1) = "PhotoViewer.dll"

arSEA(404,0) = "{E7DE9B1A-7533-4556-9484-B26FB486475E}" : arSEA(404,1) = "shdocvw.dll"

arSEA(405,0) = "{e82a2d71-5b2f-43a0-97b8-81be15854de8}" : arSEA(405,1) = "dfshim.dll"

arSEA(406,0) = "{E95A4861-D57A-4be1-AD0F-35267E261739}" : arSEA(406,1) = "shdocvw.dll"

arSEA(407,0) = "{eb124705-128b-40d4-8dd8-d93ed12589a4}" : arSEA(407,1) = "shdocvw.dll"

arSEA(408,0) = "{ECDD6472-2B9B-4b4b-AE36-F316DF3C8D60}" : arSEA(408,1) = "gameux.dll"

arSEA(409,0) = "{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}" : arSEA(409,1) = "gameux.dll"

arSEA(410,0) = "{ed50fc29-b964-48a9-afb3-15ebb9b97f36}" : arSEA(410,1) = "shdocvw.dll"

arSEA(411,0) = "{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921}" : arSEA(411,1) = "shdocvw.dll"

arSEA(412,0) = "{ed9d80b9-d157-457b-9192-0e7280313bf0}" : arSEA(412,1) = "zipfldr.dll"

arSEA(413,0) = "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" : arSEA(413,1) = "NetworkExplorer.dll"

arSEA(414,0) = "{F04CC277-03A2-4277-96A9-77967471BDFF}" : arSEA(414,1) = "SyncCenter.dll"

arSEA(415,0) = "{f8b8412b-dea3-4130-b36c-5e8be73106ac}" : arSEA(415,1) = "inetcomm.dll"

arSEA(416,0) = "{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C}" : arSEA(416,1) = "SyncCenter.dll"

arSEA(417,0) = "{fccf70c8-f4d7-4d8b-8c17-cd6715e37fff}" : arSEA(417,1) = "browseui.dll"

arSEA(418,0) = "{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}" : arSEA(418,1) = "PhotoViewer.dll"
