Problem With Spybot - Baciami


14 replies to this topic

#1 cspro

cspro

  • Members
  • 17 posts

Posted 21 April 2007 - 01:52 AM

Hello everyone. I've been having some problems lately. Strange files appear in C:/ or in the Windows folder, my CPU usage reaches 100%, when I try to open a web page it redirects me to another page (I need to click the link about 3 times to get it to work properly), and the only weird thing that I noticed is that when I try to scan my PC with Spybot it gets stuck at 515 Baciami. I mean, it keeps running but won't move from that point. Then everything freezes and I need to restart the computer. Please, I need help! I want to get rid of this problem, whatever it is. Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:32, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe
C:\Archivos de programa\thomson\Dragdiag.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\MultiMedia Keyboard\IIMAIN.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Archivos de programa\thomson\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CordlessCombo] C:\Archivos de programa\MultiMedia Keyboard\IIMAIN.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D83874C-5BF0-46B0-8A46-475A5D19293D}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BFBF469-217D-491B-9B45-F5D6A1C67EB0}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Inicio de sesión en red NetlogonTlntSvr (NetlogonTlntSvr) - Unknown owner - *&€|û.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\.exe (file missing)


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 April 2007 - 04:01 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum cspro :thumbsup:

Please disable Spybot S&D's protection, or it may interfere.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

***********************

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart, as the fixtool will be running and removing files.
* When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

***********************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot, post the contents of the logfile C:\fixwareout\report.txt in your next reply, along with a new HijackThis log.

#3 cspro

cspro
  • Topic Starter

  • Members
  • 17 posts

Posted 21 April 2007 - 12:42 PM

Ok, then. Here's the SDfix report:



SDFix: Version 1.79

Run by Nacho - 21/04/2007 - 14:17:47,90

Microsoft Windows XP [Versi¢n 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\KERNEL32.EXE - Deleted
C:\Documents and Settings\Nacho\Datos de programa\Install.dat - Deleted
C:\WINDOWS\system32\Kernel32.exe - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\Messenger\\msmsgs.exe"="C:\\Archivos de programa\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Archivos de programa\\Valve\\hl.exe"="C:\\Archivos de programa\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\adsmsextn.exe
C:\WINDOWS\system32\adsmsextn.exe3165537807.dat

Finished


The Fixwareout report (I've run Fixwareout in normal mode, not in safe mode. Have I done the right thing? If not, tell me and I'll do it again):

Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csapr.exe"
Service: "Windows Management Service" = C:\WINDOWS\System32\dmtjl.exe

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "2mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}55CA0EAA615B-5028-78F4-998F-B7A267CB{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}64613C0AB84C-8148-7A34-3B6A-FE3C8553{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ljtmd" Deleted
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINDOWS\Temp\csapr.ren 52808 21/04/2007
C:\WINDOWS\Temp\dmtjl.ren 57858 19/08/2004



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Archivos de programa\\Java\\jre1.6.0\\bin\\jusched.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Archivos de programa\\thomson\\Dragdiag.exe\" /icon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SCANINICIO"="\"C:\\Archivos de programa\\Panda Software\\Panda Antivirus Platinum\\Inicio.exe\""
"APVXDWIN"="\"C:\\Archivos de programa\\Panda Software\\Panda Antivirus Platinum\\APVXDWIN.EXE\" /s"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"ZoneAlarm Client"="\"C:\\Archivos de programa\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Zone Labs Client"="\"C:\\Archivos de programa\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"CordlessCombo"="C:\\Archivos de programa\\MultiMedia Keyboard\\IIMAIN.Exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"MsnMsgr"="\"C:\\Archivos de programa\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


And finally the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 14:32:13, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe
C:\Archivos de programa\thomson\Dragdiag.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\MultiMedia Keyboard\IIMAIN.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Archivos de programa\thomson\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CordlessCombo] C:\Archivos de programa\MultiMedia Keyboard\IIMAIN.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D83874C-5BF0-46B0-8A46-475A5D19293D}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BFBF469-217D-491B-9B45-F5D6A1C67EB0}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Inicio de sesión en red NetlogonTlntSvr (NetlogonTlntSvr) - Unknown owner - *&€|û.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 April 2007 - 01:22 PM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Inicio de sesión en red NetlogonTlntSvr (NetlogonTlntSvr)
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D83874C-5BF0-46B0-8A46-475A5D19293D}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BFBF469-217D-491B-9B45-F5D6A1C67EB0}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O23 - Service: Inicio de sesión en red NetlogonTlntSvr (NetlogonTlntSvr) - Unknown owner - *&€|û.exe (file missing)


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the AVG Anti-Spyware report and a new HijackThis log into your next reply.
Let me know how your pc is running now please.
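The two patterns RichieUK singles out for fixing above, O17 NameServer entries pointing at 85.255.x.x resolvers (the AVG report later names the component Trojan.DNSChanger.hd) and O23 services whose binary is missing or has an unreadable name, are exactly the kind of check a helper would want to automate before reading the rest of a log. The script below is an added example written for this thread; it is not a BleepingComputer, HijackThis or Fixwareout tool. It parses the O17 and O23 lines of a HijackThis log, treats private/loopback resolvers (a router, a local caching resolver) or an explicit allowlist of ISP resolvers as expected and flags everything else, and flags services whose path says "(file missing)" or whose file name does not look like a normal executable name. The sample log is constructed from lines in the first HJT log above plus one benign O17 line (192.168.1.1) to show a normal entry passing through; the regexes, function names and the allowlist parameter are this example's own.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not a BleepingComputer, HijackThis or Fixwareout
tool. It pulls the O17 (TCP/IP NameServer) and O23 (service) entries out of an
HJT log and flags the two patterns the thread's logs show: DNS servers outside
the private/loopback ranges that were not allow-listed (possible DNS hijack),
and services whose binary is missing or whose name is not a normal executable
name.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: O17/O23 lines copied from the first HijackThis log in this
# thread, plus one benign O17 line pointing at a LAN router (constructed) so the
# filter is shown letting a normal entry through.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D83874C-5BF0-46B0-8A46-475A5D19293D}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O23 - Service: Inicio de sesión en red NetlogonTlntSvr (NetlogonTlntSvr) - Unknown owner - *&€|û.exe (file missing)
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# HJT writes NameServer lists with either commas or spaces (both forms appear above).
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# What a normal service binary name looks like: word characters, spaces, dots and
# dashes followed by a known extension. "*&€|û.exe" and a bare ".exe" both fail.
SANE_BINARY_RE = re.compile(r"^[\w .\-]+\.(exe|dll|sys)$", re.IGNORECASE)


def parse_nameservers(line: str) -> Tuple[str, List[str]]:
    """Return (registry key, [server, ...]) for an O17 line, or ("", []) otherwise."""
    m = O17_RE.match(line.strip())
    if not m:
        return "", []
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def is_suspicious_dns(server: str, allowlist: Iterable[str] = ()) -> bool:
    """A resolver is expected if it is a private/loopback address or is on the
    caller's allowlist (e.g. the ISP's resolvers). Anything else, including a
    value that is not an IP address at all, is flagged."""
    if server in set(allowlist):
        return False
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback)


def is_suspicious_service(line: str) -> Tuple[bool, str]:
    """Return (flagged, service name) for an O23 line; (False, "") for other lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return False, ""
    path = m.group("path")
    missing = "(file missing)" in path
    # Strip HJT's annotation, then keep only the file name after the last backslash.
    binary = path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1]
    return (missing or not SANE_BINARY_RE.match(binary)), m.group("name")


def triage(log_text: str, dns_allowlist: Iterable[str] = ()) -> Dict[str, list]:
    """Run both checks over a whole log; returns flagged (key, server) pairs and service names."""
    findings: Dict[str, list] = {"dns": [], "services": []}
    allow = set(dns_allowlist)
    for line in log_text.splitlines():
        key, servers = parse_nameservers(line)
        for s in servers:
            if is_suspicious_dns(s, allow):
                findings["dns"].append((key, s))
        flagged, name = is_suspicious_service(line)
        if flagged:
            findings["services"].append(name)
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, server in result["dns"]:
        print(f"DNS  {server:<16} {key}")
    for name in result["services"]:
        print(f"SVC  {name}")
```

Run on the sample it reports the two 85.255.x.x resolvers once per registry key they appear under and both odd services, while the router entry and the NVIDIA service pass. The allowlist matters in practice: a machine configured with its ISP's public resolvers would otherwise be flagged on every O17 line, so the helper should put the resolvers the user is known to use into `dns_allowlist` before trusting the output.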

#5 cspro

cspro
  • Topic Starter

  • Members
  • 17 posts

Posted 21 April 2007 - 02:29 PM

AVG Anti Spyware report:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 16:18:41 21/04/2007

+ Scan result:



C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88\A0036629.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88\A0037629.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88\A0037691.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88\A0037696.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88\A0037703.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88\A0037739.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\csapr.ren -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kltih.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88\A0037740.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\dmtjl.ren -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kernels32.exe -> Worm.Zhelatin.cx : Cleaned with backup (quarantined).


::Report end

As you can see it has found some nasty things.

HJT report:


Logfile of HijackThis v1.99.1
Scan saved at 16:26:14, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe
C:\Archivos de programa\thomson\Dragdiag.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\MultiMedia Keyboard\IIMAIN.Exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Archivos de programa\thomson\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CordlessCombo] C:\Archivos de programa\MultiMedia Keyboard\IIMAIN.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 85.255.116.66 85.255.112.80
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 RichieUK (Malware Assassin)
  • Malware Response Team
  • 13,614 posts

Posted 21 April 2007 - 02:42 PM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 85.255.116.66 85.255.112.80
Exit Hijackthis.

Still in Safe Mode, scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
* Also post a new Hijackthis log please.

#7 cspro
  • Topic Starter
  • Members
  • 17 posts

Posted 21 April 2007 - 04:13 PM

Here is Dr.Web's report. Sorry, I didn't notice in time, so some results are in Spanish. It eliminated everything except for the Trojan.DnsChange and the Tool.Prockill (weird, because it came from SDFix), which were both shown as incurable.

RegUBP2b-Nacho.reg;C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Eliminado.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Movido.;
A0038778.reg;C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88;Trojan.StartPage.1505;Eliminado.;
A0038763.exe;C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88;Trojan.DnsChange;Incurable.Movido.;
A0038762.exe;C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88;Trojan.Packed.90;Eliminado.;
A0037665.reg;C:\System Volume Information\_restore{83EBD77A-7910-4233-9EBB-969D2B709103}\RP88;Trojan.StartPage.1505;Eliminado.;

And a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:05:05, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe
C:\Archivos de programa\thomson\Dragdiag.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\MultiMedia Keyboard\IIMAIN.Exe
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Archivos de programa\thomson\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CordlessCombo] C:\Archivos de programa\MultiMedia Keyboard\IIMAIN.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Note: when you told me to fix O17 - HKLM\System\CCS\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 85.255.116.66 85.255.112.80, I had already done it, and in Safe Mode it didn't appear. However, when I restarted the PC in normal mode and scanned with HJT, it appeared again. I deleted it so it won't show in the log; will it keep appearing?
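A small triage helper for the two report formats quoted in this thread, the HijackThis O17 NameServer line and Dr.Web CureIt's semicolon-separated rows; it is an added example, not code from the thread, from HijackThis or from Dr.Web. It flags resolver addresses that are neither on a private network nor in the list the ISP normally assigns (192.0.2.53 below is a placeholder for that list) and separates "Incurable" rows that sit in a System Restore snapshot from those on a live path.

```python
import ipaddress
import re
from dataclasses import dataclass

# HijackThis O17 entry: the per-interface DNS servers stored under the Tcpip
# service key. The control set is CCS (CurrentControlSet) or CS1, CS2, ...
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[^}]+)\}: NameServer = (?P<servers>.+)$"
)

@dataclass
class DnsEntry:
    control_set: str
    guid: str        # network interface GUID
    servers: list    # resolver addresses as written in the log

@dataclass
class DrWebRow:
    name: str
    folder: str
    threat: str
    action: str

def parse_o17(log_text):
    """Return every O17 NameServer entry in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # Windows keeps NameServer as a space- or comma-separated list.
            servers = re.split(r"[,\s]+", m.group("servers").strip())
            entries.append(DnsEntry(m.group("cs"), m.group("guid"), servers))
    return entries

def suspicious_dns(entries, expected):
    """Entries that point at a resolver which is neither in 'expected' (what the
    ISP or DHCP normally hands out) nor on a private network."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    flagged = []
    for entry in entries:
        for server in entry.servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                flagged.append(entry)   # not even an address: worth a look
                break
            if ip not in allowed and not ip.is_private:
                flagged.append(entry)
                break
    return flagged

def parse_drweb(report_text):
    """Parse Dr.Web CureIt report rows: name;folder;threat;action; (trailing ';')."""
    rows = []
    for line in report_text.splitlines():
        fields = line.strip().rstrip(";").split(";")
        if len(fields) == 4:
            rows.append(DrWebRow(*fields))
    return rows

def incurable(rows):
    """Rows Dr.Web could not clean. The action text is localized (Spanish in this
    thread), so only the 'Incurable' prefix is matched."""
    return [r for r in rows if r.action.startswith("Incurable")]

def in_restore_point(row):
    """A detection inside a System Restore snapshot is inactive, but it comes
    back if the user rolls back to that restore point."""
    return "System Volume Information" in row.folder

# Constructed sample input: the O17 line and Dr.Web rows quoted in this thread.
SAMPLE_HJT = (
    "O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe\n"
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{9D075C59-34AC-4506-B84C-"
    "9D3BF4C798E1}: NameServer = 85.255.116.66 85.255.112.80\n"
    "O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "
    "C:\\ARCHIV~1\\MSNMES~1\\MSGRAP~1.DLL\n"
)
SAMPLE_DRWEB = (
    "RegUBP2b-Nacho.reg;C:\\Documents and Settings\\All Users\\Datos de programa"
    "\\Spybot - Search & Destroy\\Snapshots;Trojan.StartPage.1505;Eliminado.;\n"
    "Process.exe;C:\\SDFix\\apps;Tool.Prockill;Incurable.Movido.;\n"
    "A0038763.exe;C:\\System Volume Information\\_restore{83EBD77A-7910-4233-"
    "9EBB-969D2B709103}\\RP88;Trojan.DnsChange;Incurable.Movido.;\n"
)

if __name__ == "__main__":
    # 192.0.2.53 is a placeholder for whatever resolver the ISP really assigns.
    for e in suspicious_dns(parse_o17(SAMPLE_HJT), ["192.0.2.53"]):
        print("unexpected DNS on interface", e.guid, "->", e.servers)
    for r in incurable(parse_drweb(SAMPLE_DRWEB)):
        where = "(restore point)" if in_restore_point(r) else "(live path)"
        print("not cleaned:", r.threat, "in", r.folder, where)
```

An O17 entry that comes back after being fixed, as reported above, means something still running in normal mode is rewriting the NameServer value, so the flagged line is a symptom to keep re-checking rather than the root cause.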

#8 RichieUK (Malware Assassin)
  • Malware Response Team
  • 13,614 posts

Posted 21 April 2007 - 04:47 PM

Download/unzip AVG Anti-Rootkit Free to your desktop:
http://free.grisoft.com/softw/70free/setup...up-1.1.0.42.exe
Launch AVG, click on the 'Search for Rootkits' tab.
Then click on 'Perform in-depth search'.
When the scan has finished click on 'Save result to file'.
Copy and paste those results into your next reply.

***********************

Download Winpfind V2.0.2 and extract the contents to your desktop:
http://download.bleepingcomputer.com/oldtimer/winpfind.exe
Open the WinPFind folder and double click on Winpfind.exe
Leave the configuration settings as they are and click on 'Run Scan'.
The scan will take some time to complete so please be patient.
Once complete close the program.
Open the WinPFind folder, then copy and paste the entire content of winpfind.txt into your next reply.
*NOTE*
It may take more than one reply to post the whole winpfind.txt and the AVG Anti-Rootkit log.

#9 cspro
  • Topic Starter
  • Members
  • 17 posts

Posted 21 April 2007 - 06:17 PM

The AVG anti-rootkit didn't find anything, so there's no report.

Here's the winpfind report:

WinPFind logfile created on: 21/04/2007 20:04:08
WinPFind by OldTimer - v2.0.3 Folder = C:\Documents and Settings\Nacho\Escritorio\WinPFind\

»»»»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»»»»» Memory/Drive Info »»»»»»»»»»»»»»»»»»»»»»»»»»

511,48 Mb Total Physical Memory | 225,14 Mb Available Physical Memory | 44,02% Memory free
1,22 Gb Paging File | 0,93 Gb Available in Paging File | 76,40% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 38,28 Gb Total Space | 23,33 Gb Free Space | 60,95% Space Free
Drive D: | 591,33 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: NACHO-FC29182B1
Current User Name: Nacho
Logged in as Administrator.
Current Boot Mode: Normal

»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»

C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s.)
C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe (Hewlett-Packard Co.)
C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe (Sun Microsystems, Inc.)
C:\Archivos de programa\MultiMedia Keyboard\Iimain.exe ()
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\apvxdwin.exe (Panda Software International)
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Avengine.exe (Panda Software)
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\Pavfires.exe (Panda Software)
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Pavproxy.exe (Panda Software)
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Pavsrv51.exe (Panda Software)
C:\Archivos de programa\thomson\dragdiag.exe (THOMSON Telecom Belgium)
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
C:\Documents and Settings\Nacho\Escritorio\WinPFind\WinPFind.exe (OldTimer Tools)
C:\WINDOWS\system32\HPZipm12.exe (HP)
C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Zone Labs, LLC)

»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»

(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running]
= C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s.)

(dmadmin) Servicio del administrador de discos lógicos [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., VERITAS Software)

(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped]
= C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)

(NetlogonTlntSvr) Inicio de sesión en red NetlogonTlntSvr [Win32_Own | Disabled | Stopped]
= *&€|û (File not found)

(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running]
= C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

(PAVFIRES) Panda Firewall Service [Win32_Own | Auto | Running]
= C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Firewall\Pavfires.exe (Panda Software)

(PAVSRV) Panda anti-virus service [Win32_Shared | Auto | Running]
= C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Pavsrv51.exe (Panda Software)

(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Running]
= C:\WINDOWS\system32\HPZipm12.exe (HP)

(SoundMAX Agent Service (default)) SoundMAX Agent Service [Win32_Own | Auto | Running]
= C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running]
= C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Zone Labs, LLC)

»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
!AVG Anti-Spyware = C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)
APVXDWIN = C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\apvxdwin.exe (Panda Software International)
CordlessCombo = C:\Archivos de programa\MultiMedia Keyboard\Iimain.exe ()
KernelFaultCheck = umprep 0 (File not found)
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
NvCplDaemon = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
NvMediaCenter = C:\WINDOWS\system32\nvmctray.dll (NVIDIA Corporation)
nwiz = C:\WINDOWS\system32\nwiz.exe ()
SCANINICIO = C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\Inicio.exe (Panda Software)
SpeedTouch USB Diagnostics = C:\Archivos de programa\thomson\dragdiag.exe (THOMSON Telecom Belgium)
SunJavaUpdateSched = C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe (Sun Microsystems, Inc.)
Zone Labs Client = C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
ZoneAlarm Client = C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Steam = (File not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio >
C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\desktop.ini ()

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\HP Digital Imaging Monitor.lnk
= C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

< User Startup Folder = C:\Documents and Settings\Nacho\Menú Inicio\Programas\Inicio >
C:\Documents and Settings\Nacho\Menú Inicio\Programas\Inicio\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
SpybotSD TeaTimer = C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

>>>>> Disabled Startup Folder Items <<<<<

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = AVG Anti-Spyware 7.5 ( HKLM = C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.) )


>>>>> Winlogon Keys <<<<<


>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 23 bytes | Modified Date: 21/04/2007 14:31:02)
127.0.0.1 localhost

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName = Mi página de inicio actual
Source = About:Home
SubscribedURL = About:Home

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Local Page = %SystemRoot%\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Local Page = C:\WINDOWS\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Start Page = http://www.google.com.ar/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
- ( HKLM = C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
- SSVHelper Class ( HKLM = C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.) )

>>>>> HKLM Internet Explorer Bars <<<<<

>>>>> HKCU Internet Explorer Bars <<<<<

>>>>> HKLM Internet Explorer ToolBars <<<<<

>>>>> HKCU Internet Explorer ToolBars <<<<<

>>>>> HKCU Internet Explorer CmdMapping <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} = 8192 - Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )
{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8194 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{FB5F1910-F110-11d2-BB9E-00C04F795683} = 8193 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8195

>>>>> HKLM Internet Explorer Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Consola de Sun Java
ClsidExtension = {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - Java Plug-in 1.6.0 ( HKLM C:\Archivos de programa\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.) )
ClsidExtension = {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - Java Plug-in 1.6.0 ( HKCU C:\Archivos de programa\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}]
ButtonText = Referencia

>>>>> HKCU Internet Explorer Menu Extensions <<<<<

>>>>> HKLM Internet Explorer Plugins Extensions <<<<<

>>>>> HKLM Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} = Interfaz de reproducción automática para mostrar presentaciones ( HKLM = Reg Data - Key not found (File not found) )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Barra de tareas y menú Inicio ( HKLM = Reg Data - Key not found (File not found) )
{1CDB2949-8F65-4355-8456-263E7C208A5D} = Desktop Explorer ( HKLM = C:\WINDOWS\system32\nvshell.dll () )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} = Desktop Explorer Menu ( HKLM = C:\WINDOWS\system32\nvshell.dll () )
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} = nView Desktop Context Menu ( HKLM = C:\WINDOWS\system32\nvshell.dll () )
{23170F69-40C1-278A-1000-000100020000} = 7-Zip Shell Extension ( HKLM = C:\Archivos de programa\7-Zip\7-zip.dll () )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Extensión de paneo de pantalla del Panel de control ( HKLM = deskpan.dll (File not found) )
{65756541-C65C-11CD-0000-4B656E696100} = Panda Antivirus ( HKLM = C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavOLE.dll (Panda Software) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Extensiones del shell para compresión de archivos ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = Cuentas de usuario ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Menú de contexto de cifrado ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )
{A70C977A-BF00-412C-90B7-034C51DA2439} = DesktopContext Class ( HKLM = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation) )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR ( HKLM = C:\Archivos de programa\WinRAR\rarext.dll () )
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = ZLAVShExt Class ( HKLM = C:\Archivos de programa\Zone Labs\ZoneAlarm\zlavscan.dll (Zone Labs, LLC) )
{FFB699E0-306A-11d3-8BD1-00104B6F7516} = NVIDIA CPL Extension ( HKLM = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation) )

>>>>> HKCU Approved Shell Extensions <<<<<

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shell\Set to "My Favority 1"\command]
@ = C:\WINDOWS\system32\savekey.exe -1 %1 (C:\WINDOWS\system32\SaveKey.exe ())

[HKEY_LOCAL_MACHINE\Software\Classes\*\shell\Set to "My Favority 2"\command]
@ = C:\WINDOWS\system32\savekey.exe -2 %1 (C:\WINDOWS\system32\SaveKey.exe ())

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip]
@ = {23170F69-40C1-278A-1000-000100020000} ( HKLM = C:\Archivos de programa\7-Zip\7-zip.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\AVG Anti-Spyware]
@ = {8934FCEF-F5B8-468f-951F-78A921CD3920} ( HKLM = C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\Panda Antivirus]
@ = {65756541-C65C-11CD-0000-4B656E696100} ( HKLM = C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavOLE.dll (Panda Software) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Archivos de programa\WinRAR\rarext.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\ZLAVShExt]
@ = {D9872D13-7651-4471-9EEE-F0A00218BEBB} ( HKLM = C:\Archivos de programa\Zone Labs\ZoneAlarm\zlavscan.dll (Zone Labs, LLC) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip]
@ = {23170F69-40C1-278A-1000-000100020000} ( HKLM = C:\Archivos de programa\7-Zip\7-zip.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\AVG Anti-Spyware]
@ = {8934FCEF-F5B8-468f-951F-78A921CD3920} ( HKLM = C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Archivos de programa\WinRAR\rarext.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\00nView]
@ = {1E9B04FB-F9E5-4718-997B-B8DA88302A48} ( HKLM = C:\WINDOWS\system32\nvshell.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\NvCplDesktopContext]
@ = {A70C977A-BF00-412C-90B7-034C51DA2439} ( HKLM = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\Panda Antivirus]
@ = {65756541-C65C-11CD-0000-4B656E696100} ( HKLM = C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\pavOLE.dll (Panda Software) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Archivos de programa\WinRAR\rarext.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\ZLAVShExt]
@ = {D9872D13-7651-4471-9EEE-F0A00218BEBB} ( HKLM = C:\Archivos de programa\Zone Labs\ZoneAlarm\zlavscan.dll (Zone Labs, LLC) )

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 145

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
DisableRegistryTools = 0

>>>>> Security Providers <<<<<

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =
PendingFileRenameOperations = \??\C:\Archivos de programa\Grisoft\AVG Anti-Rootkit Free\21HcMTTFg.exe;


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
ComSpec = %SystemRoot%\system32\cmd.exe ( C:\WINDOWS\system32\cmd.exe (Microsoft Corporation) )
TEMP = %SystemRoot%\TEMP
TMP = %SystemRoot%\TEMP
windir = %SystemRoot%

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path]
%SystemRoot%\system32
%SystemRoot%
%SystemRoot%\System32\Wbem
C:\Archivos de programa\Panda Software\Panda Antivirus Platinum\
"C:\Archivos de programa\Zone Labs\ZoneAlarm\MailFrontier"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT]
.COM
.EXE
.BAT
.CMD
.VBS
.VBE
.JS
.JSE
.WSF
.WSH

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> User Agent Post Platform <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = Reg Data - Key not found
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Archivos de programa\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Archivos de programa\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Archivos de programa\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -> "C:\Archivos de programa\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -> "C:\Archivos de programa\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

https [open] -> "C:\Archivos de programa\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> C:\ARCHIV~1\PANDAS~1\PANDAA~1\PavScrip.exe "%1" %* ()
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> C:\ARCHIV~1\PANDAS~1\PANDAA~1\PavScrip.exe "%1" %* ()
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> C:\ARCHIV~1\PANDAS~1\PANDAA~1\PavScrip.exe "%1" %* ()
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> C:\ARCHIV~1\PANDAS~1\PANDAA~1\PavScrip.exe "%1" %* ()
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> C:\ARCHIV~1\PANDAS~1\PANDAA~1\PavScrip.exe "%1" %* ()
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> C:\ARCHIV~1\PANDAS~1\PANDAA~1\PavScrip.exe "%1" %* ()

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Archivos de programa\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Archivos de programa\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1D83874C-5BF0-46B0-8A46-475A5D19293D}] ( SpeedTouch™ USB ADSL RFC1483 )
DefaultGateway =
DhcpIPAddress = 169.254.156.170
DhcpServer = 255.255.255.255
DhcpSubnetMask = 255.255.0.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 169.254.156.170
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6BFBF469-217D-491B-9B45-F5D6A1C67EB0}] ( Adaptador Fast Ethernet compatible VIA )
DefaultGateway =
DhcpNameServer = 85.255.116.66,85.255.112.80
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Default Protocols [HKLM] <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@ivt - 1 = Intranet local
file - 3 = Internet
ftp - 3 = Internet
http - 3 = Internet
https - 3 = Internet
shell - 0 = Mi PC

>>>>> Protocol Handlers <<<<<

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
CODEBASE = http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
INF = C:\WINDOWS\Downloaded Program Files\swflash.inf

»»»»»»»»»»»»»»»»»»»» Files / Folders Created Within 30 Days »»»»»»»»»»»»»

C:\ARENA [Folder | Created Date = 20/04/2007 15:04:53 | Attr = ]
C:\fixwareout [Folder | Created Date = 21/04/2007 14:27:41 | Attr = ]
C:\hiberfil.sys [Ver = | Size = 536399872 bytes | Created Date = 01/01/1601 3:00:00 | Attr = HS]
C:\SDFix [Folder | Created Date = 21/04/2007 14:13:14 | Attr = ]
C:\Sierra [Folder | Created Date = 20/04/2007 19:43:38 | Attr = ]
C:\Documents and Settings\Nacho\Datos de programa\MailFrontier [Folder | Created Date = 31/03/2007 1:00:36 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\Ahead [Folder | Created Date = 29/03/2007 19:17:47 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\Oblivion [Folder | Created Date = 29/03/2007 19:26:43 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\WMTools Downloaded Files [Folder | Created Date = 12/04/2007 23:45:45 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\{0CA2BA8D-5DD3-4D92-8680-AE1A7C823B9A} [Folder | Created Date = 09/04/2007 22:14:25 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\07acadebaabe.pdf [Ver = | Size = 23539 bytes | Created Date = 11/04/2007 9:05:19 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\07acadebaabe.pdf:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Arena106.exe [Ver = | Size = 9190807 bytes | Created Date = 17/04/2007 22:22:29 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Arena106.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Caballo.rtf [Ver = | Size = 2122 bytes | Created Date = 18/04/2007 9:04:15 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Cta.Cte 1236-6 016-1 Años 2001 y 2002.xls [Ver = | Size = 32768 bytes | Created Date = 30/03/2007 12:03:54 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Cuadroanexo.xls [Ver = | Size = 105472 bytes | Created Date = 30/03/2007 15:09:05 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\DOSBox0.70-win32-installer.exe [Ver = | Size = 1482255 bytes | Created Date = 12/04/2007 16:41:19 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\DOSBox0.70-win32-installer.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Ground_Control_GSI.EXE [Ver = | Size = 490547380 bytes | Created Date = 20/04/2007 19:28:01 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Ground_Control_GSI.EXE:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\gwsetup [Folder | Created Date = 28/03/2007 20:55:50 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\hijackthis_sfx.exe [Ver = | Size = 282601 bytes | Created Date = 21/04/2007 3:37:55 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\hijackthis_sfx.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\img.jpg&v=P [Ver = | Size = 8175 bytes | Created Date = 05/04/2007 9:54:44 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\img[5].jpg&v=P [Ver = | Size = 8175 bytes | Created Date = 05/04/2007 9:52:21 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Linterna 12 Leds 2.jpg [Ver = | Size = 7863 bytes | Created Date = 12/04/2007 12:49:22 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\MercadoLibre Remo Abdominales Gluteos POWER RIDER - $ desde 1_00.htm [Ver = | Size = 91485 bytes | Created Date = 12/04/2007 12:47:42 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\MercadoLibre Remo Abdominales Gluteos POWER RIDER - $ desde 1_00_archivos [Folder | Created Date = 12/04/2007 12:47:44 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\ME_DAGRF [Folder | Created Date = 20/04/2007 16:14:44 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\ME_DAGRF.ZIP [Ver = | Size = 14507 bytes | Created Date = 10/04/2007 23:25:44 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\ME_DAGRF.ZIP:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Mis carpetas para compartir.lnk [Ver = | Size = 589 bytes | Created Date = 20/04/2007 0:09:46 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Mis vídeos [Folder | Created Date = 12/04/2007 23:41:11 | Attr = R ]
C:\Documents and Settings\Nacho\Mis documentos\Modelo Informe .doc [Ver = | Size = 502272 bytes | Created Date = 29/03/2007 12:36:15 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Modelo Informe 2.doc [Ver = | Size = 348160 bytes | Created Date = 29/03/2007 19:19:29 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\My Games [Folder | Created Date = 26/03/2007 19:20:10 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\nball [Folder | Created Date = 15/04/2007 20:14:41 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\nball.zip [Ver = | Size = 4467444 bytes | Created Date = 15/04/2007 17:20:41 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\nball.zip:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Parfaitdeoreo.doc [Ver = | Size = 19968 bytes | Created Date = 19/04/2007 0:41:40 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Parfaitdeoreo.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\PROTESIS FLEXIBLESS DeRemate_com_ar.htm [Ver = | Size = 83634 bytes | Created Date = 20/04/2007 13:10:33 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\PROTESIS FLEXIBLESS DeRemate_com_ar_archivos [Folder | Created Date = 20/04/2007 13:10:34 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Puerto Rico y canal de panamá.doc [Ver = | Size = 27648 bytes | Created Date = 19/04/2007 23:57:24 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\ragdollmasters [Folder | Created Date = 14/04/2007 14:29:22 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\ragdollmasters.zip [Ver = | Size = 5595968 bytes | Created Date = 14/04/2007 14:28:36 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\ragdollmasters.zip:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Rejas, herrería, escaleras, entrepisos, protección DeRemate_com_ar.htm [Ver = | Size = 94995 bytes | Created Date = 19/04/2007 9:00:29 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Rejas, herrería, escaleras, entrepisos, protección DeRemate_com_ar_archivos [Folder | Created Date = 19/04/2007 9:00:30 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\spacejam-ibelieveicanfly.mp3 [Ver = | Size = 5153566 bytes | Created Date = 17/04/2007 15:22:55 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\spacejam-ibelieveicanfly.mp3:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\spacejamtheme.mp3 [Ver = | Size = 3713985 bytes | Created Date = 19/04/2007 0:42:12 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\spacejamtheme.mp3:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\stealball_win [Folder | Created Date = 14/04/2007 21:45:54 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\stealball_win.zip [Ver = | Size = 3223089 bytes | Created Date = 14/04/2007 21:45:43 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\stealball_win.zip:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\sXeInjectedClient3.2Fix2.0 [Folder | Created Date = 17/04/2007 13:12:17 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\sXeInjectedClient3.2Fix2.0.rar [Ver = | Size = 1045907 bytes | Created Date = 17/04/2007 13:02:38 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\sXeInjectedClient3.2Fix2.0.rar:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\TP Nº1 caratula.doc [Ver = | Size = 19968 bytes | Created Date = 17/04/2007 20:57:10 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\TP Nº1 quimica.doc [Ver = | Size = 22016 bytes | Created Date = 17/04/2007 20:39:43 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\TPNº1Fisicoquimica.doc [Ver = | Size = 24064 bytes | Created Date = 18/04/2007 22:45:51 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\TPNº1Fisicoquimica.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\UNDYING_10_NOCD [Folder | Created Date = 31/03/2007 17:58:36 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\UNDYING_10_NOCD.ZIP [Ver = | Size = 752572 bytes | Created Date = 31/03/2007 17:58:04 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\UNDYING_10_NOCD.ZIP:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\winxpdaggerinstall.exe [Ver = | Size = 43073024 bytes | Created Date = 20/04/2007 16:04:07 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\winxpdaggerinstall.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\www.losreyesdelastareas.com.doc [Ver = | Size = 20992 bytes | Created Date = 17/04/2007 12:51:54 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\AVG Anti-Rootkit Free.lnk [Ver = | Size = 863 bytes | Created Date = 21/04/2007 19:50:44 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\AVG Anti-Spyware.lnk [Ver = | Size = 898 bytes | Created Date = 21/04/2007 15:33:50 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\Morrowind.lnk [Ver = | Size = 781 bytes | Created Date = 12/04/2007 22:52:31 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\The Elder Scrolls Construction Set.lnk [Ver = | Size = 1705 bytes | Created Date = 12/04/2007 22:55:15 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\Acceso directo a hlds.lnk [Ver = | Size = 730 bytes | Created Date = 15/04/2007 16:01:46 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\ATF-Cleaner.exe Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Created Date = 26/03/2007 15:34:38 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\ATF-Cleaner.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\avgarkt-setup-1.1.0.42.exe [Ver = | Size = 423736 bytes | Created Date = 21/04/2007 19:49:59 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\avgarkt-setup-1.1.0.42.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\avgas-setup-7.5.0.50.exe [Ver = | Size = 6469352 bytes | Created Date = 21/04/2007 15:33:07 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\avgas-setup-7.5.0.50.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\drweb-cureit.exe [Ver = | Size = 6249040 bytes | Created Date = 21/04/2007 16:47:19 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\drweb-cureit.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\DrWeb.csv [Ver = | Size = 717 bytes | Created Date = 21/04/2007 17:53:50 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\Fixwareout.exe [Ver = 1.0.0.5 | Size = 494822 bytes | Created Date = 21/04/2007 14:25:55 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\Fixwareout.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\SDFix.exe [Ver = | Size = 707904 bytes | Created Date = 21/04/2007 14:09:27 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\SDFix.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\sXe Injected.lnk [Ver = | Size = 1675 bytes | Created Date = 17/04/2007 13:12:29 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\WinPFind [Folder | Created Date = 21/04/2007 20:03:07 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\winpfind.exe [Ver = | Size = 267222 bytes | Created Date = 21/04/2007 19:50:13 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\winpfind.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\zlsSetup_70_337_000_es.exe [Ver = | Size = 41669784 bytes | Created Date = 30/03/2007 1:33:18 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\zlsSetup_70_337_000_es.exe:Zone.Identifier (26 bytes)
C:\WINDOWS\BlendSettings.ini [Ver = | Size = 23 bytes | Created Date = 29/03/2007 19:52:08 | Attr = ]
C:\WINDOWS\d3dx.dat [Ver = | Size = 4096 bytes | Created Date = 20/04/2007 19:50:11 | Attr = ]
C:\WINDOWS\Minidump [Folder | Created Date = 17/04/2007 13:03:44 | Attr = ]
C:\WINDOWS\NeroDigital.ini [Ver = | Size = 116 bytes | Created Date = 12/04/2007 23:41:37 | Attr = ]
C:\WINDOWS\SynCor.exe Analog Devices, Inc. [Ver = 3, 0, 10, 0 | Size = 380928 bytes | Created Date = 03/04/2007 20:23:30 | Attr = ]
C:\WINDOWS\SynthCoreA.Dll Analog Devices, Inc. [Ver = 3, 0, 9, 0 | Size = 978944 bytes | Created Date = 03/04/2007 20:23:30 | Attr = ]
C:\WINDOWS\VirtualEar [Folder | Created Date = 03/04/2007 20:23:26 | Attr = ]
C:\WINDOWS\zllsputility.exe Zone Labs, LLC [Ver = 7.0.337.000 | Size = 75512 bytes | Created Date = 30/03/2007 1:35:25 | Attr = ]
C:\WINDOWS\zllsputility_loc0c0a.dll Zone Labs Inc. [Ver = 5.3.017.000 | Size = 42648 bytes | Created Date = 30/03/2007 1:35:31 | Attr = ]
C:\WINDOWS\System32\adsmsextn.exe3165537807.dat [Ver = | Size = 53 bytes | Created Date = 21/04/2007 1:44:47 | Attr = HS]
C:\WINDOWS\System32\Audio3d.dll Sensaura Ltd [Ver = 4.12.01.2008 | Size = 720896 bytes | Created Date = 03/04/2007 20:23:26 | Attr = ]
C:\WINDOWS\System32\CleanUp.exe adi [Ver = 1, 0, 0, 2 | Size = 45056 bytes | Created Date = 03/04/2007 20:23:23 | Attr = ]
C:\WINDOWS\System32\DRVSTORE [Folder | Created Date = 20/04/2007 0:08:18 | Attr = ]
C:\WINDOWS\System32\DSndUp.exe Analog Devices Inc. [Ver = 1, 0, 0, 10 | Size = 49152 bytes | Created Date = 03/04/2007 20:23:23 | Attr = ]
C:\WINDOWS\System32\imsinstall_loc0c0a.dll [Ver = | Size = 22168 bytes | Created Date = 30/03/2007 1:35:31 | Attr = ]
C:\WINDOWS\System32\imslsp_install_loc0c0a.dll [Ver = | Size = 18072 bytes | Created Date = 30/03/2007 1:35:31 | Attr = ]
C:\WINDOWS\System32\keyconf.cfg [Ver = | Size = 44 bytes | Created Date = 10/04/2007 18:33:14 | Attr = ]
C:\WINDOWS\System32\keyconf.exe [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Created Date = 10/04/2007 18:33:14 | Attr = ]
C:\WINDOWS\System32\objkey.cfg [Ver = | Size = 1932 bytes | Created Date = 10/04/2007 18:33:14 | Attr = ]
C:\WINDOWS\System32\S11thk32.dll SoundMAX [Ver = 1.2.3 | Size = 49152 bytes | Created Date = 03/04/2007 20:23:28 | Attr = ]
C:\WINDOWS\System32\SaveKey.exe [Ver = | Size = 32768 bytes | Created Date = 10/04/2007 18:33:14 | Attr = ]
C:\WINDOWS\System32\SMMedia.dll Analog Devices [Ver = 1, 0, 0, 8 | Size = 1285632 bytes | Created Date = 03/04/2007 20:23:31 | Attr = ]
C:\WINDOWS\System32\Syncor11.dll SoundMAX [Ver = 1.2.3 | Size = 40820 bytes | Created Date = 03/04/2007 20:23:28 | Attr = ]
C:\WINDOWS\System32\SynthCore11Resources.dll Analog Devices, Inc. [Ver = 3, 0, 8, 0 | Size = 45056 bytes | Created Date = 03/04/2007 20:23:28 | Attr = ]
C:\WINDOWS\System32\virtear.dll Sensaura [Ver = 1, 0, 0, 6 | Size = 991232 bytes | Created Date = 03/04/2007 20:23:25 | Attr = ]
C:\WINDOWS\System32\wdmioctl.dll Analog Devices Inc. [Ver = 2, 0, 0, 3 | Size = 30208 bytes | Created Date = 03/04/2007 20:23:32 | Attr = ]
C:\WINDOWS\System32\zpeng24.dll Python Software Foundation [Ver = 2.4.2 | Size = 1087216 bytes | Created Date = 30/03/2007 1:35:11 | Attr = ]
C:\WINDOWS\System32\_r_a_p_.tmp [Ver = | Size = 0 bytes | Created Date = 31/03/2007 17:52:33 | Attr = ]
C:\WINDOWS\System32\drivers\aeaudio.sys Andrea Electronics Corporation [Ver = 1.0.0.2 (STUB) | Size = 4816 bytes | Created Date = 03/04/2007 20:23:32 | Attr = ]
C:\WINDOWS\System32\drivers\AvgArCln.sys GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 21/04/2007 19:50:43 | Attr = ]
C:\WINDOWS\System32\drivers\AvgAsCln.sys GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 21/04/2007 15:33:48 | Attr = ]
C:\WINDOWS\System32\drivers\dump_wmimmc.sys [Ver = | Size = 153925 bytes | Created Date = 28/03/2007 19:52:21 | Attr = ]
C:\WINDOWS\System32\drivers\smsens.sys Analog Devices, Inc. [Ver = 5.12.01.0000 | Size = 3744 bytes | Created Date = 03/04/2007 20:23:32 | Attr = ]
C:\WINDOWS\System32\drivers\smwdm.sys Analog Devices, Inc. [Ver = 5.12.01.3663 | Size = 578368 bytes | Created Date = 03/04/2007 20:23:24 | Attr = ]

»»»»»»»»»»»»»»»»»»»» Files / Folders Modified Within 30 Days »»»»»»»»»»»»»

C:\Archivos de programa [Folder | Modified Date = 21/04/2007 15:33:46 | Attr = R ]
C:\ARENA [Folder | Modified Date = 20/04/2007 16:30:46 | Attr = ]
C:\fixwareout [Folder | Modified Date = 21/04/2007 14:31:10 | Attr = ]
C:\hiberfil.sys [Ver = | Size = 536399872 bytes | Modified Date = 21/04/2007 19:52:30 | Attr = HS]
C:\Program Files [Folder | Modified Date = 21/04/2007 3:38:12 | Attr = ]
C:\SDFix [Folder | Modified Date = 21/04/2007 14:23:16 | Attr = ]
C:\Sierra [Folder | Modified Date = 20/04/2007 19:43:40 | Attr = ]
C:\WINDOWS [Folder | Modified Date = 21/04/2007 14:12:10 | Attr = ]
C:\Documents and Settings\All Users\Datos de programa\Microsoft [Folder | Modified Date = 20/04/2007 0:07:58 | Attr = S]
C:\Documents and Settings\Nacho\Datos de programa\Image Zone Express [Folder | Modified Date = 12/04/2007 20:26:56 | Attr = ]
C:\Documents and Settings\Nacho\Datos de programa\MailFrontier [Folder | Modified Date = 03/04/2007 20:17:24 | Attr = ]
C:\Documents and Settings\Nacho\Datos de programa\Microsoft [Folder | Modified Date = 20/04/2007 0:09:16 | Attr = S]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\Ahead [Folder | Modified Date = 29/03/2007 19:17:48 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\GDIPFONTCACHEV1.DAT [Ver = | Size = 42168 bytes | Modified Date = 01/04/2007 11:32:02 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\IconCache.db [Ver = | Size = 3778396 bytes | Modified Date = 21/04/2007 19:51:06 | Attr = H ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\Microsoft [Folder | Modified Date = 20/04/2007 0:09:34 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\Oblivion [Folder | Modified Date = 29/03/2007 19:38:08 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\Pando [Folder | Modified Date = 09/04/2007 22:38:36 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\WMTools Downloaded Files [Folder | Modified Date = 12/04/2007 23:45:46 | Attr = ]
C:\Documents and Settings\Nacho\Configuración local\Datos de programa\{0CA2BA8D-5DD3-4D92-8680-AE1A7C823B9A} [Folder | Modified Date = 09/04/2007 22:14:26 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\07acadebaabe.pdf [Ver = | Size = 23539 bytes | Modified Date = 11/04/2007 9:05:24 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\07acadebaabe.pdf:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Arena106.exe [Ver = | Size = 9190807 bytes | Modified Date = 17/04/2007 22:22:30 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Arena106.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Caballo.rtf [Ver = | Size = 2122 bytes | Modified Date = 18/04/2007 9:04:16 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Cta.Cte 1236-6 016-1 Años 2001 y 2002.xls [Ver = | Size = 32768 bytes | Modified Date = 02/04/2007 15:45:50 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Cuadroanexo.xls [Ver = | Size = 105472 bytes | Modified Date = 03/04/2007 15:49:00 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\DOSBox0.70-win32-installer.exe [Ver = | Size = 1482255 bytes | Modified Date = 12/04/2007 16:41:20 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\DOSBox0.70-win32-installer.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Ground_Control_GSI.EXE [Ver = | Size = 490547380 bytes | Modified Date = 20/04/2007 19:29:08 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Ground_Control_GSI.EXE:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\gwsetup [Folder | Modified Date = 28/03/2007 20:55:52 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\hijackthis_sfx.exe [Ver = | Size = 282601 bytes | Modified Date = 21/04/2007 3:38:00 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\hijackthis_sfx.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\img.jpg&v=P [Ver = | Size = 8175 bytes | Modified Date = 05/04/2007 9:48:44 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\img[5].jpg&v=P [Ver = | Size = 8175 bytes | Modified Date = 05/04/2007 9:48:44 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\MercadoLibre Remo Abdominales Gluteos POWER RIDER - $ desde 1_00.htm [Ver = | Size = 91485 bytes | Modified Date = 12/04/2007 12:47:48 | Attr = ]

Edited by cspro, 21 April 2007 - 06:22 PM.


#10 cspro

cspro
  • Topic Starter

  • Members
  • 17 posts

Posted 21 April 2007 - 06:22 PM

C:\Documents and Settings\Nacho\Mis documentos\MercadoLibre Remo Abdominales Gluteos POWER RIDER - $ desde 1_00_archivos [Folder | Modified Date = 12/04/2007 12:47:48 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\ME_DAGRF [Folder | Modified Date = 20/04/2007 16:14:46 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\ME_DAGRF.ZIP [Ver = | Size = 14507 bytes | Modified Date = 10/04/2007 23:25:46 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\ME_DAGRF.ZIP:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Mis archivos recibidos [Folder | Modified Date = 19/04/2007 20:15:52 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Mis carpetas para compartir.lnk [Ver = | Size = 589 bytes | Modified Date = 20/04/2007 13:53:26 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Mis escaneos [Folder | Modified Date = 02/04/2007 21:29:30 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Mis imágenes [Folder | Modified Date = 20/04/2007 14:04:40 | Attr = R ]
C:\Documents and Settings\Nacho\Mis documentos\Mis vídeos [Folder | Modified Date = 12/04/2007 23:41:12 | Attr = R ]
C:\Documents and Settings\Nacho\Mis documentos\Modelo Informe .doc [Ver = | Size = 502272 bytes | Modified Date = 04/04/2007 8:38:08 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Modelo Informe 2.doc [Ver = | Size = 348160 bytes | Modified Date = 04/04/2007 9:18:50 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\My Games [Folder | Modified Date = 29/03/2007 19:26:44 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\nball [Folder | Modified Date = 15/04/2007 20:14:48 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\nball.zip [Ver = | Size = 4467444 bytes | Modified Date = 15/04/2007 17:20:44 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\nball.zip:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Parfaitdeoreo.doc [Ver = | Size = 19968 bytes | Modified Date = 19/04/2007 0:41:42 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Parfaitdeoreo.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\PROTESIS FLEXIBLESS DeRemate_com_ar.htm [Ver = | Size = 83634 bytes | Modified Date = 20/04/2007 13:10:40 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\PROTESIS FLEXIBLESS DeRemate_com_ar_archivos [Folder | Modified Date = 20/04/2007 13:10:40 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Puerto Rico y canal de panamá.doc [Ver = | Size = 27648 bytes | Modified Date = 19/04/2007 23:57:26 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\ragdollmasters [Folder | Modified Date = 14/04/2007 14:29:38 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\ragdollmasters.zip [Ver = | Size = 5595968 bytes | Modified Date = 14/04/2007 14:28:38 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\ragdollmasters.zip:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\Rejas, herrería, escaleras, entrepisos, protección DeRemate_com_ar.htm [Ver = | Size = 94995 bytes | Modified Date = 19/04/2007 9:00:34 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\Rejas, herrería, escaleras, entrepisos, protección DeRemate_com_ar_archivos [Folder | Modified Date = 19/04/2007 9:00:34 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\spacejam-ibelieveicanfly.mp3 [Ver = | Size = 5153566 bytes | Modified Date = 17/04/2007 15:23:00 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\spacejam-ibelieveicanfly.mp3:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\spacejamtheme.mp3 [Ver = | Size = 3713985 bytes | Modified Date = 19/04/2007 0:42:14 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\spacejamtheme.mp3:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\stealball_win [Folder | Modified Date = 14/04/2007 21:46:00 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\stealball_win.zip [Ver = | Size = 3223089 bytes | Modified Date = 14/04/2007 21:45:46 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\stealball_win.zip:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\sXeInjectedClient3.2Fix2.0 [Folder | Modified Date = 17/04/2007 13:12:18 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\sXeInjectedClient3.2Fix2.0.rar [Ver = | Size = 1045907 bytes | Modified Date = 17/04/2007 13:02:40 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\sXeInjectedClient3.2Fix2.0.rar:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\TP Nº1 caratula.doc [Ver = | Size = 19968 bytes | Modified Date = 17/04/2007 20:57:12 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\TP Nº1 quimica.doc [Ver = | Size = 22016 bytes | Modified Date = 17/04/2007 20:59:52 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\TPNº1Fisicoquimica.doc [Ver = | Size = 24064 bytes | Modified Date = 18/04/2007 22:45:54 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\TPNº1Fisicoquimica.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\UNDYING_10_NOCD [Folder | Modified Date = 31/03/2007 17:58:38 | Attr = ]
C:\Documents and Settings\Nacho\Mis documentos\UNDYING_10_NOCD.ZIP [Ver = | Size = 752572 bytes | Modified Date = 31/03/2007 17:58:06 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\UNDYING_10_NOCD.ZIP:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\winxpdaggerinstall.exe [Ver = | Size = 43073024 bytes | Modified Date = 20/04/2007 16:04:16 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\winxpdaggerinstall.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Mis documentos\www.losreyesdelastareas.com.doc [Ver = | Size = 20992 bytes | Modified Date = 17/04/2007 12:56:38 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\Ad-Aware SE Personal.lnk [Ver = | Size = 2433 bytes | Modified Date = 21/04/2007 1:59:12 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\AVG Anti-Rootkit Free.lnk [Ver = | Size = 863 bytes | Modified Date = 21/04/2007 19:50:46 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\AVG Anti-Spyware.lnk [Ver = | Size = 898 bytes | Modified Date = 21/04/2007 15:33:52 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\Morrowind.lnk [Ver = | Size = 781 bytes | Modified Date = 12/04/2007 22:52:32 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk [Ver = | Size = 1007 bytes | Modified Date = 12/04/2007 22:28:36 | Attr = ]
C:\Documents and Settings\All Users\Escritorio\The Elder Scrolls Construction Set.lnk [Ver = | Size = 1705 bytes | Modified Date = 12/04/2007 22:55:16 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\Acceso directo a hlds.lnk [Ver = | Size = 730 bytes | Modified Date = 16/04/2007 21:22:14 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\ATF-Cleaner.exe Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Modified Date = 26/03/2007 15:34:40 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\ATF-Cleaner.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\avgarkt-setup-1.1.0.42.exe [Ver = | Size = 423736 bytes | Modified Date = 21/04/2007 19:50:06 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\avgarkt-setup-1.1.0.42.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\avgas-setup-7.5.0.50.exe [Ver = | Size = 6469352 bytes | Modified Date = 21/04/2007 15:33:08 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\avgas-setup-7.5.0.50.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\drweb-cureit.exe [Ver = | Size = 6249040 bytes | Modified Date = 21/04/2007 16:47:20 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\drweb-cureit.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\DrWeb.csv [Ver = | Size = 717 bytes | Modified Date = 21/04/2007 17:53:52 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\Fixwareout.exe [Ver = 1.0.0.5 | Size = 494822 bytes | Modified Date = 21/04/2007 14:26:02 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\Fixwareout.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\SDFix.exe [Ver = | Size = 707904 bytes | Modified Date = 21/04/2007 14:09:36 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\SDFix.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\sXe Injected.lnk [Ver = | Size = 1675 bytes | Modified Date = 17/04/2007 13:12:30 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\WinPFind [Folder | Modified Date = 21/04/2007 20:03:08 | Attr = ]
C:\Documents and Settings\Nacho\Escritorio\winpfind.exe [Ver = | Size = 267222 bytes | Modified Date = 21/04/2007 19:50:18 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\winpfind.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Nacho\Escritorio\zlsSetup_70_337_000_es.exe [Ver = | Size = 41669784 bytes | Modified Date = 30/03/2007 1:33:22 | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\zlsSetup_70_337_000_es.exe:Zone.Identifier (26 bytes)
C:\Archivos de programa\Archivos comunes\InstallShield [Folder | Modified Date = 26/03/2007 18:50:38 | Attr = ]
C:\WINDOWS\Ascd_tmp.ini [Ver = | Size = 3754 bytes | Modified Date = 03/04/2007 20:23:08 | Attr = ]
C:\WINDOWS\BlendSettings.ini [Ver = | Size = 23 bytes | Modified Date = 29/03/2007 20:02:44 | Attr = ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 21/04/2007 19:52:34 | Attr = S]
C:\WINDOWS\d3dx.dat [Ver = | Size = 4096 bytes | Modified Date = 20/04/2007 19:50:12 | Attr = ]
C:\WINDOWS\Downloaded Program Files [Folder | Modified Date = 21/04/2007 15:47:10 | Attr = S]
C:\WINDOWS\inf [Folder | Modified Date = 20/04/2007 7:17:46 | Attr = H ]
C:\WINDOWS\Installer [Folder | Modified Date = 20/04/2007 0:08:24 | Attr = HS]
C:\WINDOWS\Internet Logs [Folder | Modified Date = 21/04/2007 19:45:18 | Attr = ]
C:\WINDOWS\Minidump [Folder | Modified Date = 17/04/2007 13:03:46 | Attr = ]
C:\WINDOWS\NeroDigital.ini [Ver = | Size = 116 bytes | Modified Date = 13/04/2007 0:04:26 | Attr = ]
C:\WINDOWS\Prefetch [Folder | Modified Date = 21/04/2007 20:04:06 | Attr = ]
C:\WINDOWS\system [Folder | Modified Date = 03/04/2007 20:23:28 | Attr = ]
C:\WINDOWS\system32 [Folder | Modified Date = 21/04/2007 16:18:14 | Attr = ]
C:\WINDOWS\Temp [Folder | Modified Date = 21/04/2007 20:01:22 | Attr = ]
C:\WINDOWS\VirtualEar [Folder | Modified Date = 03/04/2007 20:23:28 | Attr = ]
C:\WINDOWS\win.ini [Ver = | Size = 659 bytes | Modified Date = 06/04/2007 16:58:04 | Attr = ]
C:\WINDOWS\WinSxS [Folder | Modified Date = 20/04/2007 0:08:00 | Attr = ]
C:\WINDOWS\System32\adsmsextn.exe3165537807.dat [Ver = | Size = 53 bytes | Modified Date = 21/04/2007 1:44:50 | Attr = HS]
C:\WINDOWS\System32\CatRoot [Folder | Modified Date = 03/04/2007 20:23:36 | Attr = ]
C:\WINDOWS\System32\CatRoot2 [Folder | Modified Date = 21/04/2007 19:52:58 | Attr = ]
C:\WINDOWS\System32\DirectX [Folder | Modified Date = 29/03/2007 19:42:12 | Attr = ]
C:\WINDOWS\System32\dllcache [Folder | Modified Date = 10/04/2007 18:41:54 | Attr = RHS]
C:\WINDOWS\System32\drivers [Folder | Modified Date = 21/04/2007 19:50:44 | Attr = ]
C:\WINDOWS\System32\DRVSTORE [Folder | Modified Date = 20/04/2007 0:08:20 | Attr = ]
C:\WINDOWS\System32\FNTCACHE.DAT [Ver = | Size = 189000 bytes | Modified Date = 28/03/2007 23:24:14 | Attr = ]
C:\WINDOWS\System32\keyconf.cfg [Ver = | Size = 44 bytes | Modified Date = 13/04/2007 20:53:10 | Attr = ]
C:\WINDOWS\System32\msssc.dll [Ver = | Size = 44 bytes | Modified Date = 03/04/2007 20:23:24 | Attr = ]
C:\WINDOWS\System32\nvapps.xml [Ver = | Size = 63804 bytes | Modified Date = 21/04/2007 19:53:06 | Attr = ]
C:\WINDOWS\System32\vsconfig.xml [Ver = | Size = 55080 bytes | Modified Date = 21/04/2007 19:53:08 | Attr = ]
C:\WINDOWS\System32\wpa.dbl [Ver = | Size = 2206 bytes | Modified Date = 14/04/2007 10:15:40 | Attr = ]
C:\WINDOWS\System32\zllictbl.dat [Ver = | Size = 4212 bytes | Modified Date = 30/03/2007 1:36:18 | Attr = H ]
C:\WINDOWS\System32\ZoneLabs [Folder | Modified Date = 30/03/2007 1:38:20 | Attr = ]
C:\WINDOWS\System32\_r_a_p_.tmp [Ver = | Size = 0 bytes | Modified Date = 05/04/2007 21:10:18 | Attr = ]
C:\WINDOWS\System32\drivers\dump_wmimmc.sys [Ver = | Size = 153925 bytes | Modified Date = 28/03/2007 19:52:22 | Attr = ]
C:\WINDOWS\System32\drivers\etc [Folder | Modified Date = 21/04/2007 14:18:28 | Attr = ]

»»»»»»»»»»»»»»»»»»»» File String Scan (Non-Microsoft Only) »»»»»
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\07acadebaabe.pdf:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\7z442.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\93.71_forceware_winxp2k_english_whql.exe:Zone.Identifier (26 bytes)
[WSUD , ]C:\Documents and Settings\Nacho\Mis documentos\93.71_forceware_winxp2k_english_whql.exe (NVIDIA Corporation )
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\ANDERSEN.pps:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Arena106.exe:Zone.Identifier (26 bytes)
[UPX! , UPX0 , ]C:\Documents and Settings\Nacho\Mis documentos\Arena106.exe ()
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\DOSBox0.70-win32-installer.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Elmundoanocheciendo.pps:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Golden Sun.zip:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Ground_Control_GSI.EXE:Zone.Identifier (26 bytes)
File scan skipped for file C:\Documents and Settings\Nacho\Mis documentos\Ground_Control_GSI.EXE. File size too big (490547380 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\gwsetup.zip:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\hijackthis_sfx.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\lula 110[1].jpg:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\ME_DAGRF.ZIP:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\nball.zip:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\Parfaitdeoreo.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\plano_casa[1].doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\ragdollmasters.zip:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\spacejam-ibelieveicanfly.mp3:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\spacejamtheme.mp3:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\stealball_win.zip:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\SteamInstall.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\sXeInjectedClient2.6F1.0xx.rar:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\sXeInjectedClient3.2Fix2.0.rar:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\TPNº1Fisicoquimica.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\UnDeadPatch[1].2.00-SASiO.rar:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\UNDYING_10_NOCD.ZIP:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\VisualBoyAdvance-1.7.2.zip:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Mis documentos\winxpdaggerinstall.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\ATF-Cleaner.exe:Zone.Identifier (26 bytes)
[UPX! , UPX0 , ]C:\Documents and Settings\Nacho\Escritorio\ATF-Cleaner.exe (Atribune.org)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\avgarkt-setup-1.1.0.42.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\avgas-setup-7.5.0.50.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\drweb-cureit.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\Fixwareout.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\SDFix.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\winpfind.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Nacho\Escritorio\zlsSetup_70_337_000_es.exe:Zone.Identifier (26 bytes)
[UPX0 , ]C:\Documents and Settings\Nacho\Escritorio\zlsSetup_70_337_000_es.exe ()
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
[winsync , ]C:\WINDOWS\System32\wbdbase.deu ()
[UPX0 , WSUD , ]C:\WINDOWS\System32\dllcache\hwxjpn.dll ()

< End of report >



O17 - HKLM\System\CCS\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 85.255.116.66 85.255.112.80 keeps appearing on the HJT scan every time I restart the machine.

Edited by cspro, 21 April 2007 - 06:28 PM.


#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 21 April 2007 - 06:47 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\adsmsextn.exe
C:\WINDOWS\system32\adsmsextn.exe3165537807.dat

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

****************************

Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and Paste those details into a Word/Text document, then save it to your desktop.
Copy and paste those results into your next reply.

#12 cspro

cspro
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 21 April 2007 - 07:58 PM

After I rebooted the PC a dialog box appeared. It said: "Avenger.txt file does not exist. Would you like to create a new one?" or something like that. So I clicked yes and Notepad opened up with the name avenger, but there was nothing in it. Neither in C:\avenger nor in the avenger folder on my desktop.

CounterSpy report:



Scan History Details
Start Date: 22/04/2007 0:22:40
End Date: 22/04/2007 0:43:14
Total Time: 20 Min 34 Sec
Detected security risks

Cookie: Com.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\nacho\cookies\nacho@com[1].txt


Another problem that appeared recently (and I think it's related to that DNSchange trojan) was that when I try to go to any webpage it won't let me do it, and at the bottom I can see in a quick glance some lines containing something about DNS error. The only way to fix this is to disconnect and then connect again.

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 22 April 2007 - 03:17 AM

Go to Start > Control Panel, and choose 'Network Connections'.
Then right click on your default connection, usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up, then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice, restart your computer, let me know what's happening now.

#14 cspro

cspro
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 22 April 2007 - 02:00 PM

Many, many thanks Richie!!! :flowers: It seems that my PC is running fine now, as well as IE. :thumbsup:

But I have some questions though. What should I do with all the backups that have been made and the quarantined items? And what is NetlogonTlntSvr that you told me to disable at startup? Is it important?



Now when I scan with HJT there is O17 - HKLM\System\CCS\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 200.51.211.7 200.51.212.7 What's this?

Edited by cspro, 22 April 2007 - 02:05 PM.


#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 22 April 2007 - 03:42 PM

and what is NetlogonTlntSvr that you told me to disable at startup? Is it important?

NetlogonTlntSvr service is added by either a trojan or virus.

Now when I scan with HJT there is O17 - HKLM\System\CCS\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 200.51.211.7 200.51.212.7 What's this?

That should be your Internet Service Provider. If it's not and you definitely do not recognise it, fix it with HijackThis.

*******************

Your log is clean :thumbsup:
If all's ok,please do the following:

Re-enable Spybot Search and Destroy's protection.

Find and delete:
C:\SDFix
C:\QooBox
C:\DrWeb-CureIt
C:\Winpfind V2.0.2
C:\Fixwareout


Uninstall/remove Counterspy V2 and AVG Anti-Rootkit Free via Control Panel/Add or Remove Programs, then restart your pc.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
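The O17 entries in posts #10 and #14 are the thread's key indicator: a NameServer value that points the machine at resolvers the owner never chose, and that comes back after every reboot. The small script below, added here as an example and not code from HijackThis, BleepingComputer or any tool named in the thread, parses O17 lines from an HJT log and flags every DNS server that is not on a list of resolvers you expect. The sample log lines are constructed; the two NameServer pairs are the ones quoted in this thread, and the third line is a constructed edge case (comma separator, malformed address). The allowlist of ISP resolvers is an assumption taken from RichieUK's reply that the 200.51.x pair "should be your Internet Service Provider"; replace it with the resolvers your own ISP or network administrator gives you.

```python
"""Flag HijackThis O17 NameServer entries that point at unexpected DNS servers.

Added example for this thread; not part of HijackThis or any tool mentioned here.
"""
import ipaddress
import re

# Constructed sample HJT log lines. Lines 1 and 2 carry the NameServer values
# quoted in posts #10 and #14 of this thread; line 3 is constructed to show a
# comma-separated list with a malformed entry; line 4 is a non-O17 line that
# the parser must ignore.
SAMPLE_HJT_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 85.255.116.66 85.255.112.80",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 200.51.211.7 200.51.212.7",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{9D075C59-34AC-4506-B84C-9D3BF4C798E1}: NameServer = 200.51.211.7,not-an-ip",
    r"O4 - HKLM\..\Run: [SomeApp] C:\Program Files\SomeApp\app.exe",
]

# ASSUMPTION: the ISP's resolvers. RichieUK says in post #15 that the 200.51.x
# pair "should be your Internet Service Provider"; confirm with your own ISP.
EXPECTED_DNS = frozenset({"200.51.211.7", "200.51.212.7"})

# HJT writes: "O17 - <registry key>: NameServer = <server list>"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(line):
    """Return (registry_key, [server strings]) for an O17 line, or None for anything else."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # HJT separates multiple servers with spaces; registry values may use commas.
    servers = [s for s in re.split(r"[\s,;]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def classify(server, expected=EXPECTED_DNS):
    """'expected' if allowlisted, 'invalid' if not an IP address, otherwise 'unexpected'."""
    try:
        ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    return "expected" if server in expected else "unexpected"


def audit_o17(lines, expected=EXPECTED_DNS):
    """Return one finding dict per nameserver found across all O17 lines."""
    findings = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for server in servers:
            findings.append({"key": key, "server": server, "status": classify(server, expected)})
    return findings


def unexpected_servers(lines, expected=EXPECTED_DNS):
    """Sorted list of servers that need a closer look; re-run after every reboot,
    since the entry in this thread reappeared each time the machine restarted."""
    return sorted({f["server"] for f in audit_o17(lines, expected) if f["status"] != "expected"})


if __name__ == "__main__":
    for f in audit_o17(SAMPLE_HJT_LINES):
        print(f"{f['status']:10} {f['server']:16} {f['key']}")
    print("needs review:", unexpected_servers(SAMPLE_HJT_LINES))
```

A server showing up as "unexpected" is not proof of infection on its own; a changed ISP or a manually set resolver will trip it too. What makes the thread's case suspicious is the combination the posts describe: resolvers nobody configured, an entry that returns after each reboot, and pages being redirected. The check is a prompt to verify the value against the ISP and, as RichieUK advises, to set the connection back to 'Obtain DNS servers Automatically' if it is not recognised.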



