Removing Win32 Malware gen... and more?


  • This topic is locked
42 replies to this topic

#1 thraiped
  • Members
  • 25 posts

Posted 21 February 2010 - 10:36 AM

Hi

I unwisely clicked on a link in an email last Wednesday and picked up a fake antivirus malware called "Antivirus Soft".

I found ideas here about how to get rid of it: http://deletemalware.blogspot.com/2010/01/...-soft-fake.html

I installed and ran Spybot Search and Destroy in safe mode, and did a system restore to just before I picked it up. This solved the immediate problems with the fake security alerts.

Then I installed and ran Trend Micro's House Call, and managed to update and run Avast.

Each program seemed to find and solve new and different problems.

Then on restarting, Trend Chipaway Virus started informing me that I had a boot virus - this now happens every time I start the computer. I have scheduled and run a boot-time scan with Avast, which found malware, but doesn't seem to have fixed the problem - I still get this warning when I start the computer.

House Call now reports no problems, the last Spybot S&D scan was clear.

However, Avast has now begun alerting me occasionally to the presence of Win 32 Malware-gen, usually in pairs.

Today I tried downloading Malwarebytes, but I get a runtime error: 0 when I try to install / run it. Searching for information about this error led me to bleepingcomputer... and here we are.

NB: I should also add that for a long time after a sudden power-out I've had a scandisk screen appear when I start up, which when I run it finds security errors that it can't fix. I've just kind of ignored this....

So: an ailing computer and a flailing, irresponsible & barely computer-literate owner: people like me must turn up at the site in droves every day. I'd really appreciate any help, even if it's just being told to buy a new computer.

Thanks in advance.

N

DDS (Ver_09-12-01.01) - NTFSx86
Run by Nick at 15:11:37,46 on 21/02/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.512.112 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 100221-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\QuickTime\QTTask.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Nick\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\archivos de programa\msn messenger\MsnMsgr.Exe" /background
mRun: [avast!] c:\archiv~1\alwils~1\avast4\ashDisp.exe
mRun: [Smapp] c:\archivos de programa\analog devices\soundmax\SMTray.exe
mRun: [WinampAgent] c:\archivos de programa\winamp\winampa.exe
mRun: [HP Software Update] c:\archivos de programa\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\archivos de programa\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1.win\menini~1\progra~1\inicio\adober~1.lnk - c:\archivos de programa\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\menini~1\progra~1\inicio\hpdigi~1.lnk - c:\archivos de programa\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1.win\menini~1\progra~1\inicio\micros~1.lnk - c:\archivos de programa\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\archiv~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\archivos de programa\java\jre6\bin\jp2iexp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archiv~1\archiv~1\skype\SKYPE4~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nick\datosd~1\mozilla\firefox\profiles\lbzljzva.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\archivos de programa\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\archivos de programa\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\archivos de programa\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\archivos de programa\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\archivos de programa\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\archivos de programa\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\archivos de programa\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-10 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\archivos de programa\alwil software\avast4\ashServ.exe [2005-11-27 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\archivos de programa\alwil software\avast4\ashMaiSv.exe [2005-11-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\archivos de programa\alwil software\avast4\ashWebSv.exe [2005-11-27 352920]
R3 ConRT;Conceptronic Wireless 802.11b/g Driver(ConRT);c:\windows\system32\drivers\ConRT.sys [2006-5-30 190720]
S3 epcfw2k;Controlador CF de puerto paralelo SCM;c:\windows\system32\drivers\epcfw2k.sys [2005-11-27 144896]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\archivos de programa\lavalys\everest home edition\kerneld.wnt [2005-5-17 4736]

=============== Created Last 30 ================

2010-02-21 14:10:51 0 ----a-w- c:\documents and settings\nick\defogger_reenable
2010-02-17 15:18:32 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-17 13:56:57 0 d-----w- c:\docume~1\alluse~1.win\datosd~1\Spybot - Search & Destroy
2010-02-17 13:56:57 0 d-----w- c:\archivos de programa\Spybot - Search & Destroy

==================== Find3M ====================

2010-01-07 13:17:06 23376 ----a-w- c:\docume~1\nick\datosd~1\GDIPFONTCACHEV1.DAT
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:41:23 664576 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:41:16 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-17 07:59:39 346624 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 23:42:10 90396 ----a-w- c:\windows\system32\perfc00A.dat
2009-12-16 23:42:10 504656 ----a-w- c:\windows\system32\perfh00A.dat
2009-12-14 07:36:41 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 10:26:23 2060160 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-09 10:26:20 2182784 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-11-27 17:34:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:34:44 1297408 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:38:56 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:38:55 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:38:55 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:38:55 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:38:55 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 15:12:33,95 ===============

#2 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania

Posted 23 February 2010 - 05:42 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 thraiped
  • Topic Starter
  • Members
  • 25 posts

Posted 23 February 2010 - 06:10 AM

Hi Elise

Thanks so much for the prompt reply - I was expecting to wait longer judging by other posts.

Will download OTL and post new logs ASAP.

Thanks again

N

#4 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania

Posted 23 February 2010 - 08:18 AM

Hi, at this moment we have a waiting time of only 3 days, so you got lucky (it depends on how many logs are posted and how many available helpers we have).

I will wait for your logs.

regards, Elise




#5 thraiped
  • Topic Starter
  • Members
  • 25 posts

Posted 23 February 2010 - 12:41 PM

Hi Elise

Sorry about the delay, I lost internet and phone today for 4 hours. I seem to be jinxed this month.

OK: first, the OTL log.

OTL logfile created on: 23/02/2010 15:20:01 - Run 3
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Nick\Escritorio
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy

512,00 Mb Total Physical Memory | 131,00 Mb Available Physical Memory | 26,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 70,00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 37,26 Gb Total Space | 6,64 Gb Free Space | 17,82% Space Free | Partition Type: NTFS
Drive D: | 124,70 Mb Total Space | 123,76 Mb Free Space | 99,24% Space Free | Partition Type: FAT
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICK-1QB2TUVUJC
Current User Name: Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/23 09:47:56 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick\Escritorio\OTL.exe
PRC - [2009/11/25 00:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/25 00:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/25 00:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/25 00:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/25 00:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/17 12:16:41 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Archivos de programa\Java\jre6\bin\jqs.exe
PRC - [2009/11/17 12:16:41 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Archivos de programa\Java\jre6\bin\jusched.exe
PRC - [2008/03/30 09:36:40 | 000,267,048 | ---- | M] (Apple Inc.) -- C:\Archivos de programa\iTunes\iTunesHelper.exe
PRC - [2008/03/30 09:36:30 | 000,504,104 | ---- | M] (Apple Inc.) -- C:\Archivos de programa\iPod\bin\iPodService.exe
PRC - [2008/03/28 22:37:20 | 000,413,696 | ---- | M] (Apple Inc.) -- C:\Archivos de programa\QuickTime\QTTask.exe
PRC - [2007/06/13 14:22:28 | 001,035,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/08 15:24:20 | 000,054,840 | ---- | M] (Hewlett-Packard) -- C:\Archivos de programa\HP\HP Software Update\hpwuSchd2.exe
PRC - [2006/02/19 05:24:52 | 000,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe
PRC - [2006/02/19 04:21:22 | 000,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2005/11/15 20:31:04 | 000,033,792 | ---- | M] () -- C:\Archivos de programa\Winamp\winampa.exe
PRC - [2002/10/11 18:26:56 | 000,098,304 | ---- | M] (Analog Devices, Inc.) -- C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/02/23 09:47:56 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick\Escritorio\OTL.exe
MOD - [2006/08/25 16:46:26 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/25 00:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/25 00:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/25 00:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/25 00:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/17 12:16:41 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Archivos de programa\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/03/30 09:36:30 | 000,504,104 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Archivos de programa\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/08/09 08:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2009/11/25 00:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/25 00:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/25 00:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/25 00:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/25 00:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/25 00:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/01/29 11:01:28 | 000,016,168 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2007/11/13 11:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2006/02/01 01:48:57 | 000,016,496 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2006/02/01 01:48:56 | 000,049,664 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2006/02/01 01:48:53 | 000,021,568 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2005/05/31 23:36:01 | 000,020,640 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2005/05/17 00:00:00 | 000,004,736 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Archivos de programa\Lavalys\EVEREST Home Edition\kerneld.wnt -- (EverestDriver)
DRV - [2004/08/19 15:20:16 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/03 23:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2003/06/15 19:32:00 | 000,190,720 | R--- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ConRT.sys -- (ConRT) Conceptronic Wireless 802.11b/g Driver(ConRT)
DRV - [2003/02/20 02:18:36 | 000,036,608 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2002/12/05 16:39:56 | 000,534,976 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/10/21 05:40:04 | 000,006,016 | R--- | M] (Silicon Integrated Systems Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\siside.sys -- (SiSide)
DRV - [2002/10/17 08:14:46 | 000,049,024 | R--- | M] (Windows ® 2000 DDK provider) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\sisidex.sys -- (sisidex)
DRV - [2002/08/20 10:19:08 | 000,009,472 | R--- | M] (Silicon Integrated Systems Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sisperf.sys -- (sisperf)
DRV - [2002/07/10 16:39:34 | 000,032,256 | R--- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2002/04/01 06:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/09/28 13:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 21:50:20 | 000,144,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\epcfw2k.sys -- (epcfw2k)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-527237240-2000478354-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-527237240-2000478354-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-527237240-2000478354-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-527237240-2000478354-725345543-1003\S-1-5-21-527237240-2000478354-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.102

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Archivos de programa\Mozilla Firefox\components [2010/02/19 13:48:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Archivos de programa\Mozilla Firefox\plugins [2010/02/19 13:48:48 | 000,000,000 | ---D | M]

[2009/01/09 10:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Datos de programa\Mozilla\Extensions
[2010/02/23 12:28:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Datos de programa\Mozilla\Firefox\Profiles\lbzljzva.default\extensions
[2009/09/11 20:08:32 | 000,000,000 | ---D | M] (Hyperwords) -- C:\Documents and Settings\Nick\Datos de programa\Mozilla\Firefox\Profiles\lbzljzva.default\extensions\{9A752782-D706-479b-98F8-3F66BF921692}
[2009/01/31 20:02:44 | 000,000,000 | ---D | M] (CustomizeGoogle) -- C:\Documents and Settings\Nick\Datos de programa\Mozilla\Firefox\Profiles\lbzljzva.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb}
[2009/09/11 20:08:51 | 000,004,440 | ---- | M] () -- C:\Documents and Settings\Nick\Datos de programa\Mozilla\Firefox\Profiles\lbzljzva.default\searchplugins\hyperwords.xml
[2010/02/23 15:01:14 | 000,000,000 | ---D | M] -- C:\Archivos de programa\Mozilla Firefox\extensions
[2010/01/16 01:55:13 | 000,001,538 | ---- | M] () -- C:\Archivos de programa\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/01/16 01:55:13 | 000,000,947 | ---- | M] () -- C:\Archivos de programa\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/01/16 01:55:13 | 000,000,769 | ---- | M] () -- C:\Archivos de programa\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/01/16 01:55:13 | 000,001,135 | ---- | M] () -- C:\Archivos de programa\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/02/17 15:56:52 | 000,380,207 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 13098 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-527237240-2000478354-725345543-1003\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-527237240-2000478354-725345543-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Archivos de programa\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe ()
O4 - HKU\S-1-5-21-527237240-2000478354-725345543-1003..\Run: [MsnMsgr] C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe File not found
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Menú Inicio\Programas\Inicio\Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Menú Inicio\Programas\Inicio\HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Menú Inicio\Programas\Inicio\Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-527237240-2000478354-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Archivos de programa\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\npjpi160_15.dll (Sun Microsystems, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Archivos de programa\Archivos comunes\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (Mi página de inicio actual) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Nick\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nick\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/30 08:26:44 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/02/23 09:53:34 | 000,000,483 | RHS- | M] () - D:\autorun.inf -- [ FAT ]
O33 - MountPoints2\{fd441abb-7d7b-11dd-a959-000c6edc839c}\Shell\AutoRun\command - "" = D:\lcmqm.exe -- File not found
O33 - MountPoints2\{fd441abb-7d7b-11dd-a959-000c6edc839c}\Shell\explore\Command - "" = D:\lcmqm.exe -- File not found
O33 - MountPoints2\{fd441abb-7d7b-11dd-a959-000c6edc839c}\Shell\open\Command - "" = D:\lcmqm.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/23 15:02:40 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nick\Escritorio\OTL.exe
[2010/02/21 18:49:05 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Trend Micro
[2010/02/21 18:48:52 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Nick\Escritorio\HJTInstall.exe
[2010/02/21 16:38:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Escritorio\Malware logs
[2010/02/21 13:46:14 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Nick\Escritorio\mbam-setup.exe
[2010/02/19 14:11:53 | 001,840,232 | ---- | C] (Trend Micro) -- C:\Documents and Settings\Nick\Escritorio\HousecallLauncher.exe
[2010/02/19 14:10:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Mis documentos\Downloads
[2010/02/19 13:44:31 | 008,152,912 | ---- | C] (Mozilla) -- C:\Documents and Settings\Nick\Escritorio\Firefox Setup 3.6.exe
[2010/02/17 14:56:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Spybot - Search & Destroy
[2010/02/17 14:56:57 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Spybot - Search & Destroy
[2010/02/17 14:55:38 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Nick\Escritorio\iexplore.exe
[2010/02/17 14:42:13 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/02/17 14:12:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Configuración local\Datos de programa\yiduxj
[2008/11/09 13:12:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Datos de programa\Microsoft
[2007/12/21 16:22:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Apple
[2006/11/22 12:34:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Datos de programa\HP
[2005/11/28 14:33:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft
[2005/11/27 18:01:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft
[2005/11/27 17:14:12 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Datos de programa\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/23 15:18:34 | 009,175,040 | ---- | M] () -- C:\Documents and Settings\Nick\ntuser.dat
[2010/02/23 15:11:17 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Nick\Escritorio\~$o-Dubbing website.doc
[2010/02/23 12:07:43 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/02/23 12:07:07 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/02/23 12:05:54 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/23 12:05:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/23 12:05:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/23 09:52:00 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\q56bictc.exe
[2010/02/23 09:47:56 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick\Escritorio\OTL.exe
[2010/02/22 08:59:45 | 000,000,304 | -HS- | M] () -- C:\Documents and Settings\Nick\ntuser.ini
[2010/02/22 08:59:24 | 005,898,768 | -H-- | M] () -- C:\Documents and Settings\Nick\Configuración local\Datos de programa\IconCache.db
[2010/02/21 18:49:05 | 000,001,801 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\HijackThis.lnk
[2010/02/21 18:48:54 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Nick\Escritorio\HJTInstall.exe
[2010/02/21 15:21:56 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\gmer.zip
[2010/02/21 15:10:51 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Nick\defogger_reenable
[2010/02/21 15:05:25 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\dds.scr
[2010/02/21 15:04:15 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\Defogger.exe
[2010/02/21 14:09:47 | 000,002,958 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/02/21 13:47:02 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Nick\Escritorio\mbam-setup.exe
[2010/02/20 21:05:11 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/19 14:12:18 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Nick\Configuración local\Datos de programa\housecall.guid.cache
[2010/02/19 14:12:10 | 001,840,232 | ---- | M] (Trend Micro) -- C:\Documents and Settings\Nick\Escritorio\HousecallLauncher.exe
[2010/02/19 13:48:55 | 000,001,669 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Escritorio\Mozilla Firefox.lnk
[2010/02/19 13:47:18 | 008,152,912 | ---- | M] (Mozilla) -- C:\Documents and Settings\Nick\Escritorio\Firefox Setup 3.6.exe
[2010/02/18 22:56:48 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\rosita stuff.doc
[2010/02/18 17:52:10 | 000,120,320 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\Pro-Dubbing website.doc
[2010/02/17 14:57:03 | 000,000,986 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\Spybot - Search & Destroy.lnk
[2010/02/17 14:55:38 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Nick\Escritorio\iexplore.exe
[2010/02/16 18:17:08 | 004,124,332 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\FileZilla_3.3.1_win32-setup.exe
[2010/02/16 12:42:08 | 001,104,384 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\WFMU.doc
[2010/02/15 22:58:50 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\Hola Clotilde.doc
[2010/02/15 22:56:59 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Nick\Mis documentos\Wild Mushroom Potato Latkes.doc
[2010/02/11 21:57:30 | 001,797,467 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\P1020140.JPG
[2010/02/10 23:51:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/09 12:12:08 | 000,066,861 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\P1020135.jpg
[2010/02/09 07:46:55 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\Things I.doc
[2010/02/05 14:22:58 | 000,037,376 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\ESPORT PARC LOCUTORA_300110l.doc
[2010/01/27 18:08:01 | 000,022,016 | ---- | M] () -- C:\Documents and Settings\Nick\Escritorio\Gros pressrelease.doc
[2010/01/27 14:30:50 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Nick\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/23 15:11:17 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Nick\Escritorio\~$o-Dubbing website.doc
[2010/02/23 15:02:44 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\q56bictc.exe
[2010/02/21 18:49:05 | 000,001,801 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\HijackThis.lnk
[2010/02/21 15:21:55 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\gmer.zip
[2010/02/21 15:10:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Nick\defogger_reenable
[2010/02/21 15:05:24 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\dds.scr
[2010/02/21 15:04:15 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\Defogger.exe
[2010/02/19 14:12:18 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Nick\Configuración local\Datos de programa\housecall.guid.cache
[2010/02/18 22:56:48 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\rosita stuff.doc
[2010/02/17 14:57:03 | 000,000,986 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\Spybot - Search & Destroy.lnk
[2010/02/16 21:16:46 | 009,175,040 | ---- | C] () -- C:\Documents and Settings\Nick\ntuser.dat
[2010/02/16 18:16:54 | 004,124,332 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\FileZilla_3.3.1_win32-setup.exe
[2010/02/15 22:58:01 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\Hola Clotilde.doc
[2010/02/15 22:57:19 | 000,120,320 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\Pro-Dubbing website.doc
[2010/02/15 22:56:59 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Nick\Mis documentos\Wild Mushroom Potato Latkes.doc
[2010/02/15 00:21:58 | 001,104,384 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\WFMU.doc
[2010/02/11 21:54:32 | 001,797,467 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\P1020140.JPG
[2010/02/09 12:12:03 | 000,066,861 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\P1020135.jpg
[2010/02/09 07:46:55 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\Things I.doc
[2010/02/05 14:22:55 | 000,037,376 | ---- | C] () -- C:\Documents and Settings\Nick\Escritorio\ESPORT PARC LOCUTORA_300110l.doc
[2008/11/08 18:39:46 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\Nick\Configuración local\Datos de programa\fusioncache.dat
[2008/10/23 14:51:17 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/10/23 14:51:15 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2008/10/23 14:51:12 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/10/23 14:51:12 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/10/23 14:51:11 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/10/23 14:51:09 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/10/23 14:51:09 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/04/23 09:57:24 | 000,087,800 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2007/04/15 17:38:02 | 000,000,323 | ---- | C] () -- C:\Documents and Settings\Nick\Configuración local\Datos de programa\DelUnist.bat
[2006/12/01 01:57:26 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/11/22 12:22:33 | 000,001,099 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Datos de programa\hpzinstall.log
[2006/11/22 12:22:19 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2006/11/09 10:46:19 | 000,000,059 | ---- | C] () -- C:\WINDOWS\sview.ini
[2006/02/06 10:19:02 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Nick\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/09 12:59:21 | 000,002,911 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Datos de programa\QTSBandwidthCache
[2005/12/14 20:27:41 | 000,001,434 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/11/27 18:04:28 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2005/11/27 18:03:30 | 000,139,264 | R--- | C] () -- C:\WINDOWS\System32\IDEproperty.dll
[2005/11/27 18:02:23 | 000,003,473 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2005/11/27 18:02:16 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2005/11/27 17:59:03 | 000,000,482 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2001/07/07 03:00:02 | 000,003,269 | ---- | C] () -- C:\WINDOWS\System32\HPTCPMON.INI
< End of report >




#6 thraiped

thraiped
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:19 PM

Posted 23 February 2010 - 12:43 PM

Now the OTL Extras - this is from the first time I ran it. I ran it again because I hadn't checked Scan All Users, but it didn't make any more Extras logs.

OTL Extras logfile created on: 23/02/2010 15:03:05 - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Nick\Escritorio
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy

512,00 Mb Total Physical Memory | 166,00 Mb Available Physical Memory | 32,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 73,00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 37,26 Gb Total Space | 6,64 Gb Free Space | 17,82% Space Free | Partition Type: NTFS
Drive D: | 124,70 Mb Total Space | 123,76 Mb Free Space | 99,24% Space Free | Partition Type: FAT
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICK-1QB2TUVUJC
Current User Name: Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Archivos de programa\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Archivos de programa\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Archivos de programa\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Archivos de programa\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Archivos de programa\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Archivos de programa\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Archivos de programa\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Archivos de programa\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Archivos de programa\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Archivos de programa\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Archivos de programa\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Archivos de programa\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"6584:TCP" = 6584:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"6584:TCP" = 6584:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe" = C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Archivos de programa\Internet Explorer\iexplore.exe" = C:\Archivos de programa\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Archivos de programa\Real\RealPlayer\realplay.exe" = C:\Archivos de programa\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- File not found
"C:\Archivos de programa\Soulseek\slsk.exe" = C:\Archivos de programa\Soulseek\slsk.exe:*:Enabled:SoulSeek -- ()
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe" = C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5 -- File not found
"C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Archivos de programa\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Archivos de programa\HP\Digital Imaging\bin\hposfx08.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Archivos de programa\HP\Digital Imaging\bin\hposid01.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Archivos de programa\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Archivos de programa\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Archivos de programa\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Archivos de programa\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Archivos de programa\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Archivos de programa\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Archivos de programa\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Archivos de programa\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Archivos de programa\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Archivos de programa\HP\Digital Imaging\bin\hpoews01.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Archivos de programa\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Archivos de programa\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Archivos de programa\Mozilla Firefox\firefox.exe" = C:\Archivos de programa\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)
"C:\Archivos de programa\Pando Networks\Pando\pando.exe" = C:\Archivos de programa\Pando Networks\Pando\pando.exe:*:Enabled:pando -- File not found
"C:\Archivos de programa\iTunes\iTunes.exe" = C:\Archivos de programa\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Archivos de programa\uTorrent\uTorrent.exe" = C:\Archivos de programa\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Archivos de programa\ATRIL\Deja Vu X\DejaVuX.exe" = C:\Archivos de programa\ATRIL\Deja Vu X\DejaVuX.exe:*:Enabled:DejaVuX.exe -- File not found
"C:\Archivos de programa\Skype\Phone\Skype.exe" = C:\Archivos de programa\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{30120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for Microsoft Office 2007 File Formats (Beta) (Beta)
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B9-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{5124C146-1B05-47C6-A584-2ECCF2A37014}" = Lexibase Collins Español-Inglés - Versión especial para Grijalbo
"{5676E8F9-B222-49FB-81B7-7998D17EDC4B}" = Digidesign DigiDelivery
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}" = iTunes
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{7C3C895B-AE02-4F30-8A6A-051D37A38DD0}" = Final Draft
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9FC8D8F8-AF3A-4488-98AF-51C6DEC732F2}" = c3100_Help
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}" = HP Photosmart and Deskjet 7.0.A
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB8C9964-09AC-48bf-8B98-027609C78251}" = C3100
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{fd9c522b-f8cd-4113-83b6-15870a11f4fc}.sdb" = Rapid Resizer Compatibility Fix
"7-Zip" = 7-Zip 4.42
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AsusUpdate" = AsusUpdate
"avast!" = avast! Antivirus
"CutePDF Writer Installation" = CutePDF Writer 2.7
"DivXLand Media Subtitler" = DivXLand Media Subtitler
"EVEREST Home Edition_is1" = EVEREST Home Edition v2.00
"FileZilla Client" = FileZilla Client 3.3.1
"Flickr Uploadr" = Flickr Uploadr 2.5.0.15
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.2.5 (Full)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"Rapid Resizer_is1" = Rapid Resizer
"RealPlayer 6.0" = RealPlayer
"SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver
"Soulseek" = SoulSeek Client 156c
"SubtitleWorkshop" = Subtitle Workshop 2.51
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Reproductor de Windows Media 10
"Windows XP Energy Blue Theme Pack" = Windows XP Energy Blue Theme Pack
"Windows XP Service Pack" = Windows XP Service Pack 2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-527237240-2000478354-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 15/11/2006 12:15:55 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Nick\Configuración local\Archivos temporales de Internet\Content.IE5\KH23CTYB\AnchorPosition[1].htm
failed, 0000A474.

Error - 15/11/2006 12:17:32 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\WINDOWS\system32\KsUser.dll failed, 0000A474.

Error - 15/11/2006 12:18:30 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Nick\Configuración local\Archivos temporales de Internet\Content.IE5\J2BDT9NN\Cookies[1].js
failed, 0000A474.

Error - 15/11/2006 12:18:43 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Nick\Configuración local\Archivos temporales de Internet\Content.IE5\WLKJ83GV\AC_RunActiveContent_securemedia[1].js
failed, 0000A474.

Error - 15/11/2006 12:18:48 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Nick\Configuración local\Archivos temporales de Internet\Content.IE5\KH23CTYB\36fabdd127ec9f97[1].swf
failed, 0000A474.

Error - 15/11/2006 12:18:55 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\All Users.WINDOWS\Menú Inicio\Programas\Microsoft Word.lnk
failed, 0000A474.

Error - 09/11/2009 5:44:39 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.freudbox.com/player/rtplaylist....q=0&start=0 failed, 0000A413.


Error - 09/11/2009 9:10:27 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...odels&cp=21
failed, 0000A413.

Error - 09/11/2009 14:25:54 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...p;q=ki&cp=2
failed, 0000A413.

Error - 10/11/2009 6:19:22 | Computer Name = NICK-1QB2TUVUJC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.google.com/reader/api/0/user-in...croll&hl=en
failed, 0000A413.

[ Application Events ]
Error - 18/02/2010 4:55:18 | Computer Name = NICK-1QB2TUVUJC | Source = crypt32 | ID = 131083
Description = Error en la extracción de la lista raíz de terceros del archivo .CAB
actualizado automáticamente: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
con el error: Un certificado requerido no se encuentra dentro del periodo de validez
cuando se ha realizado la comprobación con el reloj de sistema actual o con la
marca de fecha y hora en el archivo firmado.

Error - 18/02/2010 4:55:18 | Computer Name = NICK-1QB2TUVUJC | Source = crypt32 | ID = 131083
Description = Error en la extracción de la lista raíz de terceros del archivo .CAB
actualizado automáticamente: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
con el error: Un certificado requerido no se encuentra dentro del periodo de validez
cuando se ha realizado la comprobación con el reloj de sistema actual o con la
marca de fecha y hora en el archivo firmado.

Error - 18/02/2010 4:57:21 | Computer Name = NICK-1QB2TUVUJC | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: regsvr32.exe, versión 5.1.2600.2180, módulo
que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.

Error - 18/02/2010 4:57:21 | Computer Name = NICK-1QB2TUVUJC | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: regsvr32.exe, versión 5.1.2600.2180, módulo
que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.

Error - 18/02/2010 4:57:21 | Computer Name = NICK-1QB2TUVUJC | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: regsvr32.exe, versión 5.1.2600.2180, módulo
que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.

Error - 18/02/2010 4:57:41 | Computer Name = NICK-1QB2TUVUJC | Source = Application Hang | ID = 1001
Description = Depósito 129562297 incorrecto.

Error - 18/02/2010 4:57:54 | Computer Name = NICK-1QB2TUVUJC | Source = Application Hang | ID = 1001
Description = Depósito 129562297 incorrecto.

Error - 18/02/2010 4:57:55 | Computer Name = NICK-1QB2TUVUJC | Source = Application Hang | ID = 1001
Description = Depósito 129562297 incorrecto.

Error - 19/02/2010 10:10:38 | Computer Name = NICK-1QB2TUVUJC | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: winamp.exe, versión 5.1.1.168, módulo
que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.

Error - 21/02/2010 15:10:45 | Computer Name = NICK-1QB2TUVUJC | Source = Application Hang | ID = 1002
Description = Aplicación que no responde: winamp.exe, versión 5.1.1.168, módulo
que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.

[ System Events ]
Error - 17/02/2010 5:11:32 | Computer Name = NICK-1QB2TUVUJC | Source = SideBySide | ID = 16842784
Description = No se encontró el ensamblaje dependiente Microsoft.VC80.MFCLOC y el
error final fue El ensamblaje referido no está instalado en su sistema.

Error - 17/02/2010 5:11:32 | Computer Name = NICK-1QB2TUVUJC | Source = SideBySide | ID = 16842811
Description = Error en Resolve Partial Assembly para Microsoft.VC80.MFCLOC. Mensaje
de error referencia: El ensamblaje referido no está instalado en su sistema. .

Error - 17/02/2010 5:11:32 | Computer Name = NICK-1QB2TUVUJC | Source = SideBySide | ID = 16842811
Description = Error en Generate Activation Context para C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\MFC80.DLL.
Mensaje
de error referencia: La operación se ha completado correctamente. .


< End of report >



#7 thraiped
  • Topic Starter
  • Members
  • 25 posts

Posted 23 February 2010 - 12:48 PM

Finally the GMER log, done with the Avast Antivirus disabled and everything closed.

Standing by for further instructions! (Not really, I've got loads of work to do).

Thanks for everything.

N

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-23 16:08:23
Windows 5.1.2600 Service Pack 2
Running: q56bictc.exe; Driver: C:\DOCUME~1\Nick\CONFIG~1\Temp\kwxiipod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6CDA6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6CDA574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6CDAA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6CDA14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB6CDA64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6CDA08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6CDA0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6CDA76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6CDA72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6CDA8AE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 37D 804E29E9 3 Bytes [A7, CD, B6] {CMPSD ; INT 0xb6}

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[296] WS2_32.dll!send 71A3428A 5 Bytes JMP 013F2781
.text C:\WINDOWS\Explorer.EXE[296] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 013F2873
.text C:\WINDOWS\Explorer.EXE[296] WS2_32.dll!recv 71A3615A 5 Bytes JMP 013F27B9
.text C:\WINDOWS\Explorer.EXE[296] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 013F27F1
.text C:\WINDOWS\Explorer.EXE[296] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 013F28F5
.text C:\Archivos de programa\Java\jre6\bin\jqs.exe[1612] WS2_32.dll!send 71A3428A 5 Bytes JMP 02062781
.text C:\Archivos de programa\Java\jre6\bin\jqs.exe[1612] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 02062873
.text C:\Archivos de programa\Java\jre6\bin\jqs.exe[1612] WS2_32.dll!recv 71A3615A 5 Bytes JMP 020627B9
.text C:\Archivos de programa\Java\jre6\bin\jqs.exe[1612] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 020627F1
.text C:\Archivos de programa\Java\jre6\bin\jqs.exe[1612] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 020628F5
.text C:\Archivos de programa\iPod\bin\iPodService.exe[1800] WS2_32.dll!send 71A3428A 5 Bytes JMP 00B52781
.text C:\Archivos de programa\iPod\bin\iPodService.exe[1800] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 00B52873
.text C:\Archivos de programa\iPod\bin\iPodService.exe[1800] WS2_32.dll!recv 71A3615A 5 Bytes JMP 00B527B9
.text C:\Archivos de programa\iPod\bin\iPodService.exe[1800] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 00B527F1
.text C:\Archivos de programa\iPod\bin\iPodService.exe[1800] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 00B528F5
.text C:\WINDOWS\system32\wdfmgr.exe[1804] WS2_32.dll!send 71A3428A 5 Bytes JMP 008E2781
.text C:\WINDOWS\system32\wdfmgr.exe[1804] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 008E2873
.text C:\WINDOWS\system32\wdfmgr.exe[1804] WS2_32.dll!recv 71A3615A 5 Bytes JMP 008E27B9
.text C:\WINDOWS\system32\wdfmgr.exe[1804] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 008E27F1
.text C:\WINDOWS\system32\wdfmgr.exe[1804] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 008E28F5
.text C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe[2000] WS2_32.dll!send 71A3428A 5 Bytes JMP 02242781
.text C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe[2000] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 02242873
.text C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe[2000] WS2_32.dll!recv 71A3615A 5 Bytes JMP 022427B9
.text C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe[2000] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 022427F1
.text C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe[2000] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 022428F5
.text C:\WINDOWS\System32\alg.exe[2540] WS2_32.dll!send 71A3428A 5 Bytes JMP 00892781
.text C:\WINDOWS\System32\alg.exe[2540] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 00892873
.text C:\WINDOWS\System32\alg.exe[2540] WS2_32.dll!recv 71A3615A 5 Bytes JMP 008927B9
.text C:\WINDOWS\System32\alg.exe[2540] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 008927F1
.text C:\WINDOWS\System32\alg.exe[2540] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 008928F5
.text C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe[3216] WS2_32.dll!send 71A3428A 5 Bytes JMP 01602781
.text C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe[3216] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 01602873
.text C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe[3216] WS2_32.dll!recv 71A3615A 5 Bytes JMP 016027B9
.text C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe[3216] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 016027F1
.text C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe[3216] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 016028F5
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[3384] WS2_32.dll!send 71A3428A 5 Bytes JMP 01502781
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[3384] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 01502873
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[3384] WS2_32.dll!recv 71A3615A 5 Bytes JMP 015027B9
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[3384] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 015027F1
.text C:\Archivos de programa\iTunes\iTunesHelper.exe[3384] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 015028F5
.text C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe[3628] WS2_32.dll!send 71A3428A 5 Bytes JMP 00B32781
.text C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe[3628] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 00B32873
.text C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe[3628] WS2_32.dll!recv 71A3615A 5 Bytes JMP 00B327B9
.text C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe[3628] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 00B327F1
.text C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe[3628] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 00B328F5
.text C:\WINDOWS\system32\wuauclt.exe[3920] WS2_32.dll!send 71A3428A 5 Bytes JMP 00C72781
.text C:\WINDOWS\system32\wuauclt.exe[3920] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 00C72873
.text C:\WINDOWS\system32\wuauclt.exe[3920] WS2_32.dll!recv 71A3615A 5 Bytes JMP 00C727B9
.text C:\WINDOWS\system32\wuauclt.exe[3920] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 00C727F1
.text C:\WINDOWS\system32\wuauclt.exe[3920] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 00C728F5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[780] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
IAT C:\WINDOWS\system32\services.exe[780] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\ACPI \Device\00000041 81ADC680
Device \Driver\ACPI \Device\00000043 81ADC680
Device \Driver\ACPI \Device\00000050 81ADC680
Device \Driver\ACPI \Device\00000051 81ADC680
Device \Driver\ACPI \Device\00000052 81ADC680

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\ACPI \Device\00000056 81ADC680
Device \Driver\ACPI \Device\00000057 81ADC680
Device \Driver\ACPI \Device\00000058 81ADC680
Device \Driver\ACPI \Device\00000059 81ADC680
Device \Driver\ACPI \Device\0000003b 81ADC680
Device \Driver\ACPI \Device\0000003e 81ADC680
Device \Driver\ACPI \Device\0000004b 81ADC680
Device \Driver\ACPI \Device\0000004e 81ADC680
Device \Driver\ACPI \Device\0000004f 81ADC680

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----


#8 thraiped
  • Topic Starter
  • Members
  • 25 posts

Posted 23 February 2010 - 12:50 PM

PS, sorry, lots of posts: because the Internet was down, I had to download OTL and GMER onto a USB and copy them from there onto the infected computer, I guess the USB shows up in the logs. When I connected it, Avast found a Trojan and Win 32 Malware gen on the USB.

#9 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania

Posted 23 February 2010 - 02:04 PM

Hello thraiped,

No worries, you posted all of them, so everything is fine.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#10 thraiped
  • Topic Starter
  • Members
  • 25 posts

Posted 23 February 2010 - 04:19 PM

Hi Elise

OK, I ran Combofix. It downloaded and installed Microsoft Windows Recovery Console.

It started scanning, completing stages, but then I got a message: "Findstr.exe Application Error (0xc0000142) the application was unable to initialize properly."

I got a message that "DLL C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6515664144ccfldf_6.0.2600_x-ww_ac3f9c63\comct132.dll is not a valid Windows image"

Another Application error: "sed.cfxxe" (same message as above)

Also "NirCmd.cfxxe"

Then ComboFix got to Stage 50, flashed up a message ("insufficient quota to process this command") and quit.

Trying to call up Task Manager to see if ComboFix is still working, I also get an Application error (0xc0000017).

Not sure what to do, maybe the whole thing is beyond repair.

TTFN

N


#11 thraiped
  • Topic Starter
  • Members
  • 25 posts

Posted 23 February 2010 - 04:58 PM

Hi Elise

OK, I restarted the computer with a bit of a struggle, then ran ComboFix - this time it zipped through the scan, deleted files and up popped the log.

So here you go!

Cheers

N

ComboFix 10-02-23.02 - Nick 23/02/2010 22:41:00.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.512.203 [GMT 1:00]
Running from: c:\documents and settings\Nick\Escritorio\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100223-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\nv5nv5\Local Settings\Temporary Internet Files\search.html
c:\recycler\S-1-5-21-823518204-1284227242-725345543-1000

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-21 17:49 . 2010-02-21 17:49 -------- d-----w- c:\archivos de programa\Trend Micro
2010-02-17 15:18 . 2010-02-17 15:18 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-17 13:56 . 2010-02-17 14:01 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy
2010-02-17 13:56 . 2010-02-17 13:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Datos de programa\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 20:42 . 2006-11-22 11:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Datos de programa\HP
2010-02-20 10:59 . 2008-09-23 11:15 -------- d-----w- c:\documents and settings\Nick\Datos de programa\FileZilla
2010-02-18 21:20 . 2007-10-09 18:06 -------- d-----w- c:\documents and settings\Nick\Datos de programa\Skype
2010-02-18 15:14 . 2008-11-07 16:43 -------- d-----w- c:\documents and settings\Nick\Datos de programa\skypePM
2010-02-16 17:18 . 2008-09-23 11:13 -------- d-----w- c:\archivos de programa\FileZilla FTP Client
2010-02-11 20:51 . 2007-01-23 19:03 -------- d-----w- c:\documents and settings\Nick\Datos de programa\Image Zone Express
2009-12-31 16:14 . 2001-09-28 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:41 . 2001-09-28 12:00 664576 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:41 . 2005-11-27 16:50 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-17 07:59 . 2005-11-27 16:04 346624 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 23:42 . 2001-09-28 12:00 90396 ----a-w- c:\windows\system32\perfc00A.dat
2009-12-16 23:42 . 2001-09-28 12:00 504656 ----a-w- c:\windows\system32\perfh00A.dat
2009-12-14 07:36 . 2001-09-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 10:26 . 2001-08-22 21:41 2060160 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-09 10:26 . 2001-09-28 12:00 2182784 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-04 14:41 . 2001-09-28 12:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:34 . 2001-09-28 12:00 1297408 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:34 . 2001-08-22 22:15 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:38 . 2001-08-22 22:15 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:38 . 2001-09-28 12:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:38 . 2001-09-28 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:38 . 2001-09-28 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:38 . 2001-08-22 22:15 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\archiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Smapp"="c:\archivos de programa\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 98304]
"WinampAgent"="c:\archivos de programa\Winamp\winampa.exe" [2005-11-15 33792]
"HP Software Update"="c:\archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\archivos de programa\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-11-17 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users.WINDOWS\Men£ Inicio\Programas\Inicio\
Adobe Reader Speed Launch.lnk - c:\archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Soulseek\\slsk.exe"=
"c:\\Archivos de programa\\Messenger\\msmsgs.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Archivos de programa\\Mozilla Firefox\\firefox.exe"=
"c:\\Archivos de programa\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Archivos de programa\\uTorrent\\uTorrent.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"6584:TCP"= 6584:TCP:Services

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/04/2008 14:42 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/04/2008 14:42 20560]
R3 ConRT;Conceptronic Wireless 802.11b/g Driver(ConRT);c:\windows\system32\drivers\ConRT.sys [30/05/2006 8:50 190720]
S3 epcfw2k;Controlador CF de puerto paralelo SCM;c:\windows\system32\drivers\epcfw2k.sys [27/11/2005 17:00 144896]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\archivos de programa\Lavalys\EVEREST Home Edition\kerneld.wnt [17/05/2005 4736]
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-02-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 20:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nick\Datos de programa\Mozilla\Firefox\Profiles\lbzljzva.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\archivos de programa\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\archivos de programa\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\archivos de programa\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\archivos de programa\MSN Messenger\MsnMsgr.Exe
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 22:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x81A9E518]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8579fc3
\Driver\ACPI -> 0x81a9e518
\Driver\atapi -> atapi.sys @ 0xf847d7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x8175d330
PacketIndicateHandler -> NDIS.sys @ 0xf8396b21
SendHandler -> NDIS.sys @ 0xf838b938
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x04A85300
malicious code @ sector 0x04A85303 !
PE file found in sector at 0x04A85319 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\archivos de programa\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
Completion time: 2010-02-23 22:53:22
ComboFix-quarantined-files.txt 2010-02-23 21:53

Pre-Run: 9.648.918.528 bytes libres
Post-Run: 10.349.727.744 bytes libres

- - End Of File - - FDA2F1305C4B62A30335DA6347BE0E5E


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:19 AM

Posted 24 February 2010 - 03:29 AM

Hello again,

Please click Start > Run, and type c:\windows\mbr.exe -f in the run box, press enter (note the space between e and - ).
If you receive a security warning, click run.

You will see a command window flashing.

Afterwards, navigate to c:\windows\mbr.exe and double-click on it to run it. After it has run, you will find the log at c:\windows\mbr.log. Post its contents in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#13 thraiped

thraiped
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:19 PM

Posted 24 February 2010 - 03:36 AM

Hi Elise

Starting up, will post ASAP

Thanks

N

#14 thraiped

thraiped
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:19 PM

Posted 24 February 2010 - 03:47 AM

Hi!

That went quicker than I expected.

Here is the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x81a7ef08
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x8174f330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x04A85300
malicious code @ sector 0x04A85303 !
PE file found in sector at 0x04A85319 !
Use "Recovery Console" command "fixmbr" to clear infection !
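
The two findings in the log above (a copy of the original MBR stored in a later sector, and a PE image a few sectors after it) are what a disk-level scan looks for once it has the raw sectors. The following is an added, read-only Python example, not part of this thread and not Gmer's mbr.exe: it runs those two checks over a constructed disk image whose sector numbers and bytes are invented for the demonstration (it does not reproduce the tool's user-mode versus kernel-mode MBR comparison).

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"
PTABLE_OFF = 446  # partition table: 4 entries x 16 bytes, then the 0x55AA signature


def partition_table(sector: bytes) -> bytes:
    return sector[PTABLE_OFF:PTABLE_OFF + 64]


def looks_like_pe(sector: bytes) -> bool:
    """True if the sector starts a PE image: 'MZ' header and e_lfanew pointing at 'PE\\0\\0'."""
    if sector[:2] != b"MZ" or len(sector) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", sector, 0x3C)[0]
    return sector[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(image: bytes) -> dict:
    """Report (a) sectors holding a copy of the MBR whose boot code differs from sector 0
    but whose partition table is identical, and (b) sectors that start a PE file."""
    mbr = image[:SECTOR]
    out = {"mbr_signature_ok": mbr[510:512] == MBR_SIG, "mbr_copies": [], "pe_sectors": []}
    for n in range(1, len(image) // SECTOR):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if (s[510:512] == MBR_SIG and partition_table(s) == partition_table(mbr)
                and s[:PTABLE_OFF] != mbr[:PTABLE_OFF]):
            out["mbr_copies"].append(n)
        if looks_like_pe(s):
            out["pe_sectors"].append(n)
    return out


def build_demo_image() -> bytes:
    """Constructed image (hypothetical bytes): modified MBR in sector 0, the original MBR
    copied to sector 0x300, a PE stub in sector 0x319, mirroring the layout in the log."""
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 200000)
    ptable = entry + bytes(48)  # one bootable NTFS-type entry, three empty entries
    clean_mbr = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (PTABLE_OFF - 5) + ptable + MBR_SIG
    infected_mbr = b"\xEB\x3E" + b"\x90" * (PTABLE_OFF - 2) + ptable + MBR_SIG  # boot code swapped
    pe_stub = bytearray(SECTOR)
    pe_stub[:2] = b"MZ"
    struct.pack_into("<I", pe_stub, 0x3C, 0x80)
    pe_stub[0x80:0x84] = b"PE\x00\x00"
    sectors = [bytes(SECTOR)] * 0x320
    sectors[0], sectors[0x300], sectors[0x319] = infected_mbr, clean_mbr, bytes(pe_stub)
    return b"".join(sectors)
```

Running `scan_image(build_demo_image())` reports the MBR copy at sector 0x300 and the PE at 0x319; on a real drive the same checks would be run over sectors read from the raw device, and a hit is a reason to compare sector 0 against the copy, never to trust either blindly.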


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:19 AM

Posted 24 February 2010 - 04:24 AM

Hello thraiped,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
MBR::

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise






