When Using Google It Redirects Me To Other Webpages Instead Of The Ones Found


11 replies to this topic

#1 PatoPato


Posted 02 April 2007 - 04:17 PM

I can't use Google or Yahoo; when I click on the links to the webpages found, it redirects me to other sites, such as btcar.com.
Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 06:10:14 p.m., on 02/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Archivos de programa\iTunes\iTunes.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Patricio\Mis documentos\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170097996703
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\administrador\Configuración local\Temp\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\.exe (file missing)
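
Added example, not part of this thread and not HijackThis code: a small Python triage script for the O3/O4/O16/O23 line formats that appear in the log above. The sample lines are copied from that log; the triage rules and flag names are this example's own assumptions, chosen to surface what a helper reads first, such as the O23 service whose image is `C:\WINNT\system32\.exe (file missing)` with an "Unknown owner", and the O16 ActiveX package sourced from a local Temp path rather than a vendor URL.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example).

Not part of this thread and not HijackThis code: the line formats for the
O3/O4/O16/O23 sections are taken from the log posted above, while the
triage rules and flag names are assumptions of this example, chosen to
surface what a helper reads first (a service whose image file is missing
or has no file name, an "Unknown owner" service, an ActiveX package
sourced from a local path rather than a vendor URL).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: entry lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\administrador\Configuración local\Temp\EI40_\msxml4.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\.exe (file missing)
"""

MISSING = " (file missing)"   # suffix HijackThis appends when the image is absent

# One pattern per section handled here; other sections (R0, O2, ...) are skipped.
PATTERNS = {
    "O3": re.compile(r'^O3 - Toolbar: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$'),
    "O4": re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'),
    "O16": re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>.+)$'),
    "O23": re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$'),
}


@dataclass
class Entry:
    section: str                 # "O3", "O4", "O16" or "O23"
    raw: str                     # the original log line
    groups: Dict[str, str]       # named regex groups for that section
    path: str = ""               # image path / URL the entry points at
    flags: List[str] = field(default_factory=list)


def first_token(cmd: str) -> str:
    """Image path of an O4 command line: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check(e: Entry) -> None:
    """Apply the (assumed) triage rules to one parsed entry."""
    if e.path.endswith(MISSING):
        e.flags.append("file missing")
        e.path = e.path[: -len(MISSING)]
    name = basename(e.path)
    if name == "" or name.startswith("."):      # e.g. C:\WINNT\system32\.exe
        e.flags.append("empty executable name")
    if e.section == "O23" and e.groups.get("owner") == "Unknown owner":
        e.flags.append("unknown owner")
    if e.section == "O16" and e.path.lower().startswith("file://"):
        e.flags.append("ActiveX package sourced from local path")


def parse_line(line: str) -> Optional[Entry]:
    section = line.split(" ", 1)[0]
    rx = PATTERNS.get(section)
    m = rx.match(line) if rx else None
    if m is None:
        return None
    g = m.groupdict()
    e = Entry(section=section, raw=line, groups=g)
    if section == "O4":
        e.path = first_token(g["cmd"])
    elif section == "O16":
        e.path = g["url"]
    else:
        e.path = g["path"]
    check(e)
    return e


def triage(log: str) -> List[Entry]:
    """Parse every handled entry line in a log, in order."""
    return [e for e in (parse_line(ln.strip()) for ln in log.splitlines()) if e]


def flagged(log: str) -> Dict[str, List[str]]:
    """Raw line -> flags, only for entries that tripped at least one rule."""
    return {e.raw: e.flags for e in triage(log) if e.flags}


if __name__ == "__main__":
    for raw, flags in flagged(SAMPLE_LOG).items():
        print(f"{', '.join(flags)}: {raw}")
```

Run against the sample it prints two lines: the O16 entry loading `msxml4.cab` from a local Temp path, and the O23 service with a missing image, an empty executable name and no owner. A flag is a prompt to look closer, not a verdict; the AVG report later in this thread is what actually identifies the infection.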


#2 SNOWHITE


Posted 02 April 2007 - 04:39 PM

Hello PatoPato and welcome to BleepingComputer :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Before we proceed, using Windows Explorer (to get there, right-click your Start button and go to "Explore"), navigate to C:\Documents and Settings\Patricio\Mis documentos\HijackThis.exe, right-click on the file and choose Rename from the menu options, and rename HijackThis.exe to Pato.exe. This is important!

After you have done this, run a new scan with HijackThis (now Pato.exe) and post the contents of the new scan in this thread!

Thank you!
SNOWHITE

#3 PatoPato


Posted 02 April 2007 - 07:30 PM

Hi SNOWHITE, first, thank you very much for helping me,
and second, here is the new scan.

Logfile of HijackThis v1.99.1
Scan saved at 09:25:48 p.m., on 02/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\iTunes\iTunes.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Patricio\Mis documentos\Pato.exe.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170097996703
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\administrador\Configuración local\Temp\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\.exe (file missing)

#4 SNOWHITE


Posted 03 April 2007 - 01:38 PM

PatoPato,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Next,
  • Locate AVG Anti-Spyware icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    • If you use the Firefox browser, click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use the Opera browser, click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    • For Technical Support, double-click the e-mail address located at the bottom of each menu.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Next

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Please post back with AVG Anti-Spyware report scan and dss main.txt and extra.txt :thumbsup:
SNOWHITE

#5 PatoPato


Posted 04 April 2007 - 12:18 PM

Well, here is the AVG report scan.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 01:52:00 p.m. 04/04/2007

+ Scan result:



HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_4225 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_4912 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_1941 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_1942 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_1943 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_1944 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2949 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2976 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3305 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_2782 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_3\Seqn_3390 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4\Seqn_3391 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_4225 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_4912 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_1941 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_1942 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_1943 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_1944 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_2949 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_2976 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3305 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_4225 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_4912 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_1941 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_1942 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_1943 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_1944 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2949 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2976 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3305 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_2379 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_2380 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_2405 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_2414 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_3580 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_4259 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_4925 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_8224 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4\Seqn_2048 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4\Seqn_3594 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Status -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINNT\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\delprot -> Adware.iSearch : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\delprot\Enum -> Adware.iSearch : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\delprot\Security -> Adware.iSearch : Cleaned with backup (quarantined).
C:\WINNT\system32\P2P Networking v126.cpl -> Adware.P2PNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-2000478354-725345543-1000\Software\RX Toolbar -> Adware.RXToolbar : Cleaned with backup (quarantined).
[184] VM_00890000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\Documents and Settings\Patricio\Cookies\patricio@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@axa.addcontrol[1].txt -> TrackingCookie.Addcontrol : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@cz11.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@cz5.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@vip2.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@h.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@toplist[1].txt -> TrackingCookie.Toplist : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Patricio\Cookies\patricio@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\WINNT\system32\ritjj.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
C:\WINNT\system32\sknxb.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).


::Report end

And here is the main.txt:

Deckard's System Scanner v20070328.36
Run by Patricio on 2007-04-04 at 14:10:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Patricio.exe) --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 02:10:32 p.m., on 04/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Patricio\Mis documentos\dss.exe
C:\DOCUME~1\Patricio\MISDOC~1\Patricio.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170097996703
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\administrador\Configuración local\Temp\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\.exe (file missing)


-- Files created between 2007-03-04 and 2007-04-04 -----------------------------

2007-04-03 22:55:03 3968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-03-21 18:00:24 0 d-------- C:\Archivos de programa\BillP Studios<BILLPS~1>
2007-03-20 01:25:58 0 --a------ C:\WINNT\system32\kernel32.exe
2007-03-13 22:03:03 0 d-------- C:\Archivos de programa\Archivos comunes\SWF Studio<SWFSTU~1>
2007-03-13 22:02:58 0 d-------- C:\Archivos de programa\Riva


-- Find3M Report ---------------------------------------------------------------

2007-04-03 23:00:36 1371668 ---h----- C:\WINNT\ShellIconCache<SHELLI~1>
2007-03-29 11:08:07 0 d-------- C:\Archivos de programa\Google
2007-03-24 22:47:08 0 d-------- C:\Documents and Settings\Patricio\Datos de programa\AVG7
2007-03-21 18:00:26 0 d-------- C:\Documents and Settings\Patricio\Datos de programa\WinPatrol<WINPAT~1>
2007-03-13 22:03:03 0 d-a------ C:\Archivos de programa\Archivos comunes<ARCHIV~1>
2007-03-08 20:52:06 445 --a------ C:\WINNT\EntPack.dat
2007-02-27 23:20:00 0 d-------- C:\Archivos de programa\Terminal Services Client<TERMIN~1>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Archivos de programa\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"iTunesHelper"="C:\\Archivos de programa\\iTunes\\iTunesHelper.exe"
"Zone Labs Client"="\"C:\\Archivos de programa\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"AVG7_CC"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Archivos de programa\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Patricio^Menú Inicio^Programas^Inicio^PowerReg Scheduler V3.exe]
"path"="C:\\Documents and Settings\\Patricio\\Menú Inicio\\Programas\\Inicio\\PowerReg Scheduler V3.exe"
"backup"="C:\\WINNT\\pss\\PowerReg Scheduler V3.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Patricio\\Menú Inicio\\Programas\\Inicio\\PowerReg Scheduler V3.exe"
"item"="PowerReg Scheduler V3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="points manager"
"hkey"="HKLM"
"command"="c:\\program files\\altnet\\points manager\\points manager.exe -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="farmmext"
"hkey"="HKLM"
"command"="C:\\WINNT\\farmmext.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="P2P Networking"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Archivos de programa\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://mindbrix.co.uk/alanaldridge/images/...-Revolution.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0



-- End of Deckard's System Scanner: finished at 2007-04-04 at 14:10:45 ---------

I had a problem: I ran DSS before running any other program (I just got confused), so I ran it again afterwards, but I deleted the old extra.txt and now DSS doesn't seem to generate an extra.txt, so this is all I got.

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:12 PM

Posted 06 April 2007 - 09:06 AM

PatoPato,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
Step 1

Please download FixWareout from one of these mirrors:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt).

Step 2


Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

P2P Networking
AltnetPointsManager


Please note any other programs that you don't recognize in that list in your next response.

Step 3

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Patricio^Menú Inicio^Programas^Inicio^PowerReg Scheduler V3.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Step 4

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

c:\program files\altnet << This folder
C:\WINNT\system32\P2P Networking << This folder

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINNT\farmmext.exe << This file

Step 5

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\WINNT\system32\kernel32.exe
  • Click on the submit button
  • Repeat the same instructions for this file too
    • C:\WINNT\EntPack.dat
  • Please post the results in your next reply.
Step 6

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Step 7

Please delete your current dss program and this folder too, C:\Deckard, then follow the same instructions about downloading and running a scan with dss, and post the main.txt and extra.txt. There is information that only appears on the first run, so please make sure this time not to delete extra.txt, and post the first main.txt after running the dss scan. :thumbsup:

Please post back with the FixWareout report, Jotti scan results, dss scan reports main.txt and extra.txt, and let me know how the computer is running.
SNOWHITE
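Added example for the Step 3 fix above (my code, not SNOWHITE's, BleepingComputer's or HijackThis's): a small Python parser that previews what a REGEDIT4 .reg file will do before it is merged. It lists the keys a `[-KEY]` line deletes (with every subkey under them), the values a `"name"=-` line deletes, and the values the file sets, which is exactly what the warning that the fix "was written specifically for this infection on this person's computer" is about. The sample text inside the block is constructed: it reuses one key from the fixme.reg above and adds a made-up key, `HKEY_LOCAL_MACHINE\software\example\KeepMe`, to show the value syntax.

```python
"""Preview what a REGEDIT4 .reg file will change before merging it.

Added example for this thread, not a BleepingComputer or HijackThis tool.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: one key copied from the fixme.reg posted above plus a
# made-up key (HKEY_LOCAL_MACHINE\software\example\KeepMe) to show value syntax.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]

[HKEY_LOCAL_MACHINE\software\example\KeepMe]
"Enabled"=dword:00000001
"OldValue"=-
@="default data"
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# "name"=data  or  @=data (the key's default value); data "-" means delete the value
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)+)"|@)=(.*)$')


def parse_reg(text: str) -> Tuple[List[str], List[Tuple[str, str]], List[Tuple[str, str, str]]]:
    """Return (deleted_keys, deleted_values, set_values).

    deleted_keys   : keys removed whole, with every subkey, by a [-KEY] line
    deleted_values : (key, name) pairs removed by "name"=-
    set_values     : (key, name, raw_data) written by "name"=data
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Windows Registry Editor header")

    deleted_keys: List[str] = []
    deleted_values: List[Tuple[str, str]] = []
    set_values: List[Tuple[str, str, str]] = []
    current: Optional[str] = None  # key that following value lines belong to

    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):  # blank lines and comments
            continue
        m = KEY_RE.match(line)
        if m:
            if m.group(1) == "-":
                deleted_keys.append(m.group(2))
                current = None  # values cannot follow a key deletion
            else:
                current = m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if data == "-":
                deleted_values.append((current, name))
            else:
                set_values.append((current, name, data))
    return deleted_keys, deleted_values, set_values


def report(text: str) -> str:
    """Human-readable summary, the thing to read before double-clicking the file."""
    dk, dv, sv = parse_reg(text)
    out = [f"{len(dk)} key(s) deleted (including all subkeys):"]
    out += [f"  [-] {k}" for k in dk]
    out.append(f"{len(dv)} value(s) deleted:")
    out += [f"  [-] {k} :: {n}" for k, n in dv]
    out.append(f"{len(sv)} value(s) set:")
    out += [f"  [+] {k} :: {n} = {d}" for k, n, d in sv]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_REG))
```

The keys the fix removes live under `shared tools\msconfig\startupreg` and `startupfolder`, which is where msconfig keeps the entries a user has disabled; deleting them takes away the stored command line so the item cannot simply be re-enabled from msconfig later. Hex values continued across lines with a trailing backslash are not joined by this parser; for a fix file like the one above that only deletes keys, that does not matter.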

#7 PatoPato

PatoPato
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:12 PM

Posted 09 April 2007 - 12:18 PM

Hello again,
Well, I'm glad to say that my computer seems to be OK now.
I could use Google without any problems.

When I was running the tests I encountered some problems:
I couldn't find farmmext.exe, I only found farmmext.ini (so I didn't delete it).
I couldn't find kernel32.exe, I found kernel32.dll (I checked it anyway and it was OK).
And I still couldn't get an extra.txt.

Well, here are the results:

Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csnyo.exe"
Service: "Windows Management Service" = C:\WINNT\System32\dmbfe.exe

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}7F1B30820ABD-3269-B3D4-E863-0E566514{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F22FBB5BC179-745B-0B34-F02E-8206D196{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "efbmd" Deleted
....
»»»»» Misc files.
C:\WINNT\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINNT\Temp\csnyo.ren 52790 20/03/07
C:\WINNT\Temp\dmbfe.ren 57929 19/06/03



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"iTunesHelper"="C:\\Archivos de programa\\iTunes\\iTunesHelper.exe"
"Zone Labs Client"="\"C:\\Archivos de programa\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"AVG7_CC"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Archivos de programa\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\\Archivos de programa\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

The Jotti scan said that kernel32.dll and entpack.dat were OK; nothing was found.

And here is main.txt:


Deckard's System Scanner v20070328.36
Run by Patricio on 2007-04-09 at 13:53:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Patricio.exe) --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 01:53:58 p.m., on 09/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINNT\system32\msiexec.exe
C:\Documents and Settings\Patricio\Escritorio\dss.exe
C:\DOCUME~1\Patricio\MISDOC~1\Patricio.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170097996703
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\administrador\Configuración local\Temp\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab30149.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


-- Files created between 2007-03-09 and 2007-04-09 -----------------------------

2007-04-09 13:45:34 0 d-------- C:\Archivos de programa\Archivos comunes\Java
2007-04-03 22:55:03 3968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-03-21 18:00:24 0 d-------- C:\Archivos de programa\BillP Studios<BILLPS~1>
2007-03-13 22:03:03 0 d-------- C:\Archivos de programa\Archivos comunes\SWF Studio<SWFSTU~1>
2007-03-13 22:02:58 0 d-------- C:\Archivos de programa\Riva


-- Find3M Report ---------------------------------------------------------------

2007-04-09 13:46:00 0 d-------- C:\Archivos de programa\Java
2007-04-09 13:45:34 0 d-a------ C:\Archivos de programa\Archivos comunes<ARCHIV~1>
2007-04-04 19:35:07 1371884 ---h----- C:\WINNT\ShellIconCache<SHELLI~1>
2007-03-29 11:08:07 0 d-------- C:\Archivos de programa\Google
2007-03-24 22:47:08 0 d-------- C:\Documents and Settings\Patricio\Datos de programa\AVG7
2007-03-21 18:00:26 0 d-------- C:\Documents and Settings\Patricio\Datos de programa\WinPatrol<WINPAT~1>
2007-03-08 20:52:06 445 --a------ C:\WINNT\EntPack.dat
2007-02-27 23:20:00 0 d-------- C:\Archivos de programa\Terminal Services Client<TERMIN~1>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Archivos de programa\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"iTunesHelper"="C:\\Archivos de programa\\iTunes\\iTunesHelper.exe"
"Zone Labs Client"="\"C:\\Archivos de programa\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Archivos de programa\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Archivos de programa\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Archivos de programa\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://mindbrix.co.uk/alanaldridge/images/...-Revolution.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0



-- End of Deckard's System Scanner: finished at 2007-04-09 at 13:54:09 ---------


Goodbye and thank you
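Added example, not code from HijackThis, Fixwareout or anyone in this thread: a Python triage pass over HijackThis O4 (autostart) and O23 (service) lines that flags the three things the logs above showed. An O23 service with "Unknown owner", a service whose binary is "(file missing)" or whose path ends in a bare ".exe", and an autostart whose executable is a five-lowercase-letter name in the Windows or system32 directory, the shape of the csnyo.exe and dmbfe.exe loaders the Fixwareout report listed. The sample lines are constructed from names in the logs posted earlier; the `[System] csnyo.exe` line is my own O4-style rendering of the Winlogon entry Fixwareout found, not a line from the original logs.

```python
"""Triage HijackThis O4/O23 lines for the signs seen in this thread.

Added example (not HijackThis or Fixwareout code). The sample lines are
constructed from names that appear in the logs above.
"""
import ntpath
import re
from typing import List, Tuple

SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe",
    r"O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\system32\.exe (file missing)",
    r"O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\System32\dmbfe.exe",
    r"O4 - HKLM\..\Run: [System] csnyo.exe",  # constructed from the Winlogon entry Fixwareout reported
]

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<item>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com))(?:\s|,|$)", re.IGNORECASE)
FIVE_LOWER_RE = re.compile(r"^[a-z]{5}$")  # shape of the Wareout loader names (csnyo, dmbfe, ...)


def binary_path(cmdline: str) -> str:
    """Pull the executable path out of an autostart command line or service path."""
    cmdline = cmdline.strip().replace(" (file missing)", "")
    if cmdline.startswith('"'):  # quoted path, possibly with spaces
        return cmdline[1:].split('"', 1)[0]
    m = EXE_RE.match(cmdline)  # unquoted: take everything up to the first .exe/.dll/.com
    return m.group(1) if m else cmdline.split()[0]


def in_windows_dir(directory: str) -> bool:
    """True for %WINDIR%, %WINDIR%\\system32, or a bare filename resolved via the search path."""
    d = directory.lower().rstrip("\\")
    if d == "":
        return True
    return d.endswith(("\\winnt", "\\winnt\\system32", "\\windows", "\\windows\\system32"))


def check_binary(cmdline: str) -> List[str]:
    reasons: List[str] = []
    directory, base = ntpath.split(binary_path(cmdline))
    stem = base[:-4] if base.lower().endswith((".exe", ".dll", ".com")) else base
    if stem == "":
        reasons.append("path ends in a bare extension (no file name)")
    elif FIVE_LOWER_RE.match(stem) and in_windows_dir(directory):
        reasons.append(f"five-letter random-looking name in a system directory: {base}")
    return reasons


def triage_line(line: str) -> List[str]:
    """Reasons this line deserves a closer look; an empty list means nothing odd."""
    m = O23_RE.match(line)
    if m:
        reasons: List[str] = []
        if m.group("owner") == "Unknown owner":
            reasons.append("service has no recognised publisher")
        if m.group("path").endswith("(file missing)"):
            reasons.append("service binary is missing from disk")
        return reasons + check_binary(m.group("path"))
    m = O4_RE.match(line)
    if m:
        return check_binary(m.group("cmd"))
    return []


def triage(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every flagged line, in log order."""
    flagged = []
    for i, line in enumerate(lines):
        reasons = triage_line(line)
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_LINES):
        print(SAMPLE_LINES[i])
        for r in reasons:
            print("   ->", r)
```

The five-letter rule is a prioritisation cue, not a verdict: legitimate names such as lsass.exe have the same shape, which is why the thread confirms each suspect with an upload to Jotti or VirusTotal rather than deleting on the strength of the name alone. avgcc.exe also has five letters but sits under the AVG program folder, so it is not flagged.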

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:12 PM

Posted 10 April 2007 - 04:36 PM

Hello Patopato :flowers:

Step 1

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

farmmext.ini << Search for this file and delete it.

Close Windows Explorer.

I couldn't find kernel32.exe, I found kernel32.dll (I checked it anyway and it was OK)

kernel32.exe got deleted by the Wareout fix, so don't worry about it, and kernel32.dll is a legit file :huh:

Step 2

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for these filenames: C:\WINNT\Temp\csnyo.ren
    • C:\WINNT\Temp\dmbfe.ren
  • In the comments, please mention that I asked you to upload these files
  • Click on Send File
Step 3

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Step 4

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Please post back with uninstall_list.txt, and F-Secure scan report :thumbsup:
SNOWHITE

#9 PatoPato

PatoPato
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:12 PM

Posted 16 April 2007 - 05:39 PM

Hello
Here is the uninstall...
Actualización del sistema del Reproductor de Windows Media (9 Series)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Advanced Grapher 2.11
Analizador y SDK de Microsoft XML
Ares 2.0.8
AVG Anti-Spyware 7.5
AVG Free Edition
Battlefield 1942
BitTorrent 5.0.3
Canon Camera TWAIN Driver 6.0
Canon Camera Window para ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Diablo II
DivX
DivX Player
EA SPORTS online 2004
Fallout2
FEAR SP Demo
FLV Player 1.3.3
Free Spider
Google Earth
Google Toolbar for Internet Explorer
Grand Theft Auto Vice City
Graph 4.1
Graphmatica
GrindEQ Math Utilities (remove only)
Half-Life
HijackThis 1.99.1
Intel® PRO Network Adapters and Drivers
iPod for Windows User Guide
iPod System Software Updater 2.1
iPod Update 2004-04-28
iTunes
Java™ SE Runtime Environment 6 Update 1
Kazaa 3.0
L&H TTS3000 Español
LimeWire
LimeWire 4.8.1
Macromedia Flash MX
Macromedia Shockwave Player
MathType 5
Max Payne 2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Premium
Microsoft Rise Of Nations
Microsoft VGX Q833989
Microsoft Windows Journal Viewer
MouSing
MSN Messenger 7.0
MSXML4 Parser
Need For Speed Underground
NetoDragon 56K Voice Modem
Neverwinter Nights
NVIDIA Display Driver
Outlook Express Q823353
PANDA-glGo
POD-Bot 2.5
Pro Evolution Soccer 3
QuickTime
Revisión de Windows 2000 - KB822831
Revisión de Windows 2000 - KB823182
Revisión de Windows 2000 - KB823559
Revisión de Windows 2000 - KB824105
Revisión de Windows 2000 - KB824141
Revisión de Windows 2000 - KB824146
Revisión de Windows 2000 - KB825119
Revisión de Windows 2000 - KB826232
Revisión de Windows 2000 - KB828035
Revisión de Windows 2000 - KB828741
Revisión de Windows 2000 - KB828749
Revisión de Windows 2000 - KB835732
Revisión de Windows 2000 - KB837001
Revisión de Windows 2000 - KB839645
Revisión de Windows 2000 - KB840315
Revisión de Windows 2000 - KB840987
Revisión de Windows 2000 - KB841356
Revisión de Windows 2000 - KB841533
Revisión de Windows 2000 - KB841872
Revisión de Windows 2000 - KB841873
Revisión de Windows 2000 - KB842526
Revisión de Windows 2000 - KB873339
Revisión de Windows 2000 - KB885835
Revisión de Windows 2000 - KB885836
Revisión de Windows 2000 - KB889293
Revisión de Windows 2000 (SP5) KB820888
Revisión de Windows 2000 (SP5) Q818043
Riva FLV Encoder 2.0
Shockwave
Sierra Utilities
SimIsle
Sony Sound Forge 7.0
Sony Sound Forge 8.0b
Spider-Man 2
Spybot - Search & Destroy 1.4
Star Wars JK II Jedi Outcast
Star Wars™: Caballeros de la Antigua Repûblica ™
TegNet 1.3.5
Terminal Services Client
The Hypnogenic Screen Saver
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
WinRAR archiver
WinZip
ZoneAlarm



F-Secure is an anti-virus program??? I already have AVG, I ran it and I don't have any virus infections.
Thank you
Pato

#10 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:12 PM

Posted 17 April 2007 - 10:48 AM

Hi Pato,


Thanks for the files, you can delete them from your system now :thumbsup:

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINNT\Temp\csnyo.ren << Delete this file
C:\WINNT\Temp\dmbfe.ren << Delete this file

Close Windows Explorer.

Remove Deckard's System Scanner (DSS) and FixWareout.

Next, let's hide system files:

1. Click 'Start'.
2. Open 'My Computer'.
3. Select the 'Tools' menu.
4. Click 'Folder Options'.
5. Select the 'View' tab.
6. Uncheck 'Show hidden files and folders' in the Hidden files and folders section.
7. Select the 'Hide protected operating system files (recommended)' option.
8. Check the 'Hide file extensions for known file types' option.
9. Click 'Yes'.
10. Click 'OK'.

The next programs are very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system, because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove these programs from your system.


Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):


BitTorrent 5.0.3
Ares 2.0.8
Kazaa 3.0
LimeWire
LimeWire 4.8.1



F-Secure is an anti-virus program??? I already have AVG, I ran it and I don't have any virus infections.
Thank you
Pato


F-Secure Online Scanner - it is an online scanner; you only install an ActiveX control, not the whole antivirus program. We use online scans for a second opinion, because there are no antivirus programs that are 100% accurate.

If you like, you can follow the steps for running an online scan with F-Secure and post the results, and I'll take a look at them. Otherwise, if you don't have any more malware-related problems, please read my recommendations below. :huh:

The following is a list of tools that I recommend to people for better protection and for preventing re-infection of the computer.
  • SpywareBlaster - Helps prevent spyware from installing in the first place.
  • SpywareGuard - To catch and block spyware before it can execute.
  • IESpy-Ad - Blocks access to malicious websites so you cannot be redirected to them from an infected site or email.
  • MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • SUPERAntiSpyware Home Edition (free version) - Another effective program for helping remove some of the more difficult infections.
  • More Secure Browser - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox and Opera.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
Also see So how did I get infected in the first place? :flowers:
SNOWHITE
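The HOSTS-file mechanism SNOWHITE describes, as an added example that is not part of this thread: a small Python script that parses a constructed sample HOSTS file, lists the names sinkholed to 127.0.0.1 or 0.0.0.0 (the MVPS blocking behaviour), and separates out any name pointed at a non-loopback address, which is the kind of entry worth reviewing on a machine that shows search-result redirects. The sample content, hostnames and addresses are all constructed for the example.

```python
# Added example (not from the thread): parse a Windows HOSTS file and
# show what MVPS-style entries do, as described in SNOWHITE's post.
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample HOSTS content; not taken from any real machine.
SAMPLE_HOSTS = """\
# MVPS-style block list (sample)
127.0.0.1 localhost
127.0.0.1 ads.example-adserver.test   # blocked: loops back to this PC
0.0.0.0   tracker.example.test
# an entry that sends a real site somewhere else deserves a look
203.0.113.9 www.google.com
"""

# Addresses that make a name resolve to the local machine (sinkhole).
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)  # validates IPv4 and IPv6 literals
        except ValueError:
            continue  # malformed line, skip it
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def classify_hosts(text: str) -> Dict[str, List[str]]:
    """Split entries into sinkholed names ("blocked") and names sent to a
    non-loopback address ("redirected"), which should be reviewed."""
    result: Dict[str, List[str]] = {"blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback entry every HOSTS file has
        if ip in LOOPBACK:
            result["blocked"].append(name)
        else:
            result["redirected"].append(f"{name} -> {ip}")
    return result


if __name__ == "__main__":
    for kind, names in classify_hosts(SAMPLE_HOSTS).items():
        print(kind, names)
```

To check a real file, read `C:\WINNT\system32\drivers\etc\hosts` (the Windows 2000 path from the log) and pass its text to `classify_hosts`.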

#11 PatoPato

PatoPato
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:12 PM

Posted 17 April 2007 - 12:34 PM

OK, and thank you very much SNOWHITE

#12 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:12 PM

Posted 18 April 2007 - 11:18 AM

OK, and thank you very much SNOWHITE

I am glad I could help you :thumbsup:
SNOWHITE