It replicated again. I'll need you to copy any key or register information needed for a reinstall and go ahead and uninstall Kaspersky at this point. It is not locating the malware, is not actually stopping any negative issues from occurring and in truth is blocking our progress here.
Once you have done that reboot, then install any and all external devices, from USB drives to phones to music devices - any recently used on this computer. The last error logs indicated an Apple device - if whatever that is has any type of file system you can view in Explorer include it as well.
Then go here and run the Kaspersky online scan, and post back the log it creates.
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do.
When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log.
Then locate that log and copy/paste those contents back here please, along with a new OTViewIt scan log.
First let's also get copies of the ".cpx" executable files behind this checked out.
Locate the following highlighted folder and zip a copy of it (the entire folder):
c:\_OTMoveIt\MovedFiles\09122008_184804
Then go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select that zipped file on your computer.
You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
Then continue with the steps I just posted please.
Yuuuupi, at last I could download Kaspersky online (Panda not yet), but......
surprise, surprise, it found two files which I probably put in quarantine before contacting you. It was after a Kaspersky online scan too, and I
had forgotten it.
Here are the logs
Tuesday, September 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 15, 2008 20:10:26
Records in database: 1237120
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 91524
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 03:16:25
File name Threat name Threats count
C:\Documents and Settings\Propietario\Mis documentos\Quarantine\Bittorrente_Downloader_1808_CL_DW_0299.txt Infected: Trojan-Downloader.Win32.Agent.afyh 1
C:\Documents and Settings\Propietario\Mis documentos\Quarantine\Bittorrent_Downloader_1808_CL_DW_0299.txt Infected: Trojan-Downloader.Win32.Agent.afyh 1
The selected area was scanned.
OTViewIt logfile created on: 16/09/2008 9:48:17 - Run 8
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Propietario\Mis documentos\PGMS
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy
1014,42 Mb Total Physical Memory | 548,52 Mb Available Physical Memory | 54,07% Memory free
2,39 Gb Paging File | 2,04 Gb Available in Paging File | 85,40% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 74,53 Gb Total Space | 39,44 Gb Free Space | 52,92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ORGANIZA-6EEEB6
Current User Name: Propietario
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
========== Processes - Non-Microsoft Only ==========
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
[12/13/2001 01:01 AM | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe
[06/03/2005 02:26 AM | 00,245,760 | ---- | M] (Intel) -- C:\Archivos de programa\Intel\Wireless\Bin\1XConfig.exe
[07/05/2005 10:47 PM | 00,544,768 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
[08/08/2005 11:13 AM | 00,163,840 | ---- | M] () -- C:\Archivos de programa\Power Manager\PM.exe
[03/18/2005 11:52 AM | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
[05/17/2005 06:42 PM | 00,933,888 | ---- | M] (Brother Industries, Ltd.) -- C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
[09/13/2008 04:24 PM | 00,379,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Propietario\Mis documentos\PGMS\OTViewIt.exe
========== Win32 Services - Non-Microsoft Only ==========
[01/23/2007 10:00 PM | 00,077,944 | ---- | M] (Autodesk) -- C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service [Auto | Running])
[03/02/2006 02:00 PM | 00,225,792 | ---- | M] (Microsoft Corp., VERITAS Software) -- C:\WINDOWS\system32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
[11/17/2005 03:18 PM | 01,527,900 | ---- | M] (MAGIX®) -- C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance [On_Demand | Stopped])
========== Driver Services - Non-Microsoft Only ==========
[10/15/2004 01:50 PM | 00,015,295 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Stopped])
File not found -- C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys -- (catchme [On_Demand | Stopped])
[01/14/2005 11:22 AM | 00,005,504 | R--- | M] (EnE Technology Inc.) -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr [On_Demand | Running])
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped])
[09/20/2005 05:27 PM | 00,010,368 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
[06/19/2008 05:24 PM | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
[05/30/2008 06:30 PM | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin [On_Demand | Stopped])
[09/03/2008 02:07 PM | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[09/03/2008 02:07 PM | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[09/03/2008 02:07 PM | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[07/05/2005 10:54 PM | 00,840,100 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial [On_Demand | Running])
[06/03/2005 11:50 PM | 00,162,176 | ---- | M] (Texas Instruments) -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
File not found -- C:\WINDOWS\system32\drivers\klif.sys -- (TSP [On_Demand | Stopped])
[03/02/2002 12:21 AM | 00,004,944 | ---- | M] () -- C:\Archivos de programa\Power Manager\WinIo.sys -- (WINIO [On_Demand | Running])
========== Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr" = ALCMTR.EXE (Realtek Semiconductor Corp.)
"ControlCenter2.0" = C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun (Brother Industries, Ltd.)
"EOUApp" = C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe (Intel Corporation)
"High Definition Audio Property Page Shortcut" = HDAShCut.exe (Windows (R) Server 2003 DDK provider)
"HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"IndexSearch" = C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
"IntelWireless" = C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless (Intel Corporation)
"IntelZeroConfig" = C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
"NeroFilterCheck" = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
"PaperPort PTD" = C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
"Persistence" = C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"PowerDVD" = C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe /autostart (CyberLink Corp.)
"PowerManager" = C:\Archivos de programa\Power Manager\PM.exe ()
"QuickTime Task" = "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RTHDCPL" = RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SetDefPrt" = C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe (Brother Industories, Ltd.)
"SMSERIAL" = sm56hlpr.exe (Motorola Inc.)
"SSBkgdUpdate" = "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"SunJavaUpdateSched" = "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe" (Sun Microsystems, Inc.)
"Telefonica" = "C:\Archivos de programa\Telefonica\bin\sprtcmd.exe" /P Telefonica (SupportSoft, Inc.)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList" = C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe (Pinnacle Systems)
"NBJ" = "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe" (Ahead Software AG)
========== Startup Folders ==========
[03/05/2006 03:43 PM | 00,011,000 | ---- | M] (Autodesk, Inc) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
[09/23/2005 11:05 PM | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[04/23/2005 08:12 PM | 00,802,816 | ---- | M] (Brother Industries, Ltd.) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Monitor de estado.lnk = C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
========== Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL" = http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page" = %SystemRoot%\system32\blank.htm
"Search Bar" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
"Search Page" = http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page" = http://go.microsoft.com/fwlink/?LinkId=69157
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page" = http://www.google.es/
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
========== BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Toolbars ==========
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Shell Execute Hooks ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
========== Winlogon Notify Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll -- C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
IntelWireless: "DllName" = C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll -- C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
========== Safeboot Options ==========
"AlternateShell" = cmd.exe
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTOEXEC.BAT [SET PATH=C:\Archivos de programa\Pinnacle\Shared Files;C:\Archivos de programa\Pinnacle\Shared Files\Filter | ]
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]
Good you got Kaspersky to run at last there. But darned if it did not locate any of the infection expected of it. You can see the download reference in the Kaspersky log that I believe matches an earlier Panda scan name. What is that software they refer to - is it installed there now?
There is an autoload function that is reset each time, and the infection brings back the same files as well. Is there some external device, USB or other, that you are using and plugging in and out of the computer?
I did receive the files, but again their contents were either the language code or a smaller one with encrypted code, so not the actual infection sources.
Go to Start - Run, type cmd (and Enter). At the prompt copy/paste the following, then press Enter.
Hi, is this the reference that you mean?: "Program database last update: Monday, September 15, 2008 20:10:26". If yes, I also tried to run Kaspersky the day before, but I could not. Perhaps it was the guilty one.
There are three things that I plug and unplug, because I've a portable
computer. They are: the printer, the mouse and a pendrive. This is all.
Mmmmm. I forgot it, sometimes my daughter plugs her iPod.
El volumen de la unidad C no tiene etiqueta.
El número de serie del volumen es: F084-9B57
El volumen de la unidad C no tiene etiqueta.
El número de serie del volumen es: F084-9B57
Directorio de c:\Archivos de programa\Java\jre1.5.0_09\lib
12/12/2006 17:48 3.828 flavormap.properties
1 archivos 3.828 bytes
Directorio de c:\Archivos de programa\Panda Security\ActiveScan 2.0
27/11/2007 17:08 144.688 pavoe.dll
1 archivos 144.688 bytes
Directorio de c:\Documents and Settings\Administrador
12/12/2006 11:31 <DIR> Favoritos
0 archivos 0 bytes
Directorio de c:\Documents and Settings\All Users
12/12/2006 11:31 <DIR> Favoritos
0 archivos 0 bytes
Directorio de c:\Documents and Settings\Default User
12/12/2006 11:31 <DIR> Favoritos
0 archivos 0 bytes
Directorio de c:\Documents and Settings\Propietario
09/09/2008 21:28 <DIR> Favoritos
0 archivos 0 bytes
Directorio de c:\Documents and Settings\Propietario\Datos de programa\Sony\ACID Music\5.0
25/11/2007 13:37 2 ExplorerFavorites.txt
1 archivos 2 bytes
Directorio de c:\Documents and Settings\Propietario\Mis documentos\Pirateo\Photoshop Portable\Portable Adobe Photoshop CS2 v9.0 español\Settings
14/08/2006 23:27 260 Favoritos.psp
1 archivos 260 bytes
Directorio de c:\WINDOWS\pchealth\helpctr\System\blurbs
12/12/2006 11:41 1.487 Favorites.htm
1 archivos 1.487 bytes
Directorio de c:\WINDOWS\pchealth\helpctr\System\panels\subpanels
12/12/2006 11:41 8.546 Favorites.htm
1 archivos 8.546 bytes
Directorio de c:\WINDOWS\system32\config\systemprofile
12/12/2006 11:31 <DIR> Favoritos
0 archivos 0 bytes
Total de archivos en la lista:
6 archivos 1.488.094 bytes
5 dirs 42.353.905.664 bytes libres
No named infection files found, though their settings are still being recreated. This suggests the files come from somewhere else.
This infection is an autoloading one, that places its files and functions on any external drive that is attached to this computer while it is infected. If you clean the infection from the computer, but not all infected external drives, then the next time one of them is used on it the infection is completely returned. And these external drives can then infect other computers as well. Any external drive that has a type of file system, including some PDAs and even cell phones, can be infected by this.
Please be sure now to follow these steps as posted, and include ALL (todos) external drives that have been installed on this computer recently. And they must be left in until both the computer, AND the external drives, show in our logs as clean.
First let's get what is called a "baseline", to see if in fact these removed drives are involved.
As usual, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Install all external drives as I have suggested. Leave them installed - your daughter will have to wait until this important work is completed.
Once you have done that, go here and run the Kaspersky online scan, and post back the log it creates.
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do.
When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log.
Then locate that log and copy/paste those contents back here please.
Run a new OTViewIt scan, and post that along with the Kaspersky scan please.
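As an added example (not code from the thread, from OTViewIt or from its author), the following Python triage reads an OTViewIt-style log and flags the indicators the helper is chasing: an autorun.inf on a drive root with hidden/system attributes, the Cdrom AutoRun value still enabled, and service/driver load points whose file is missing. The embedded sample log is constructed from the line layouts in the posted logs; its E:\autorun.inf line is constructed to show what a seeded removable drive would look like and does not appear in the posted log.

```python
"""Triage of an OTViewIt-style log for the removable-drive autorun persistence
described in the thread. Added example, not the forum's or OldTimer's code; it
reads only the line layouts visible in the posted logs."""
import re
from dataclasses import dataclass, field

# Section headers; the forum paste often fused them onto the previous line.
HEADER_RE = re.compile(r"\s*(==========[^=]+==========)\s*")
# "[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]"
AUTORUN_RE = re.compile(
    r"^\[(?P<date>[^|\]]+)\|\s*(?P<attrs>[A-Z-]{1,4})\s*\|\s*M\]\s*--\s*"
    r"(?P<path>.+?)\s*--\s*\[\s*(?P<fs>[A-Z0-9]+)\s*\]$"
)
# "File not found -- C:\...\klif.sys -- (TSP [On_Demand | Stopped])"
MISSING_RE = re.compile(
    r"^File not found -- (?P<path>.+?) -- \((?P<name>.+?) "
    r"\[(?P<start>[^|\]]+?)\s*\|\s*(?P<state>[^\]]+?)\s*\]\)$"
)
SERVICE_SECTIONS = {"Win32 Services - Non-Microsoft Only",
                    "Driver Services - Non-Microsoft Only"}

# Constructed sample in the posted log's layout. The E:\autorun.inf line is
# constructed to show a seeded removable drive; it is not in the posted log.
SAMPLE_LOG = r"""OTViewIt logfile created on: 19/09/2008 0:30:37 - Run 9
Whitelist: On ========== Driver Services - Non-Microsoft Only ==========
File not found -- C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys -- (catchme [On_Demand | Stopped])
[06/19/2008 05:24 PM | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
File not found -- C:\WINDOWS\system32\drivers\klif.sys -- (TSP [On_Demand | Stopped])
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1 ========== Autorun Files on Drives ==========
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]
[09/12/2008 06:42 PM | RHSD | M] -- E:\autorun.inf -- [ FAT ]
"""

@dataclass
class Findings:
    autorun_inf: list = field(default_factory=list)    # (path, attrs, fs, hidden_system)
    cdrom_autorun_enabled: bool = False
    missing_files: list = field(default_factory=list)  # (name, path, state)

def tokenize(text):
    """Yield (section, line) pairs, splitting out section headers that were
    fused onto the end of a data line."""
    section = None
    for raw in text.splitlines():
        for piece in HEADER_RE.split(raw):
            piece = piece.strip()
            if not piece:
                continue
            if piece.startswith("=========="):
                section = piece.strip("= ")
            else:
                yield section, piece

def triage(text):
    """Walk the log once and collect the indicators described in the thread."""
    found = Findings()
    for section, line in tokenize(text):
        if section == "Autorun Files on Drives":
            m = AUTORUN_RE.match(line)
            if m and m.group("path").lower().endswith("autorun.inf"):
                attrs = m.group("attrs")
                # R=read-only H=hidden S=system D=directory; hidden+system on a
                # drive-root autorun.inf is the pattern the helper is chasing.
                hidden_system = "H" in attrs and "S" in attrs
                found.autorun_inf.append(
                    (m.group("path"), attrs, m.group("fs"), hidden_system))
        elif section == "CDRom AutoRun Settings":
            m = re.match(r'^"AutoRun"\s*=\s*(\d+)$', line)
            if m and m.group(1) != "0":
                found.cdrom_autorun_enabled = True
        elif section in SERVICE_SECTIONS:
            m = MISSING_RE.match(line)
            if m:  # load point survives although its file is gone
                found.missing_files.append(
                    (m.group("name"), m.group("path"), m.group("state")))
    return found

def summarize(found):
    """Render the findings as the short list a helper would paste in a reply."""
    lines = []
    for path, attrs, fs, hidden_system in found.autorun_inf:
        flag = "HIDDEN+SYSTEM" if hidden_system else "visible"
        lines.append(f"autorun.inf at {path} ({fs}, attrs {attrs}): {flag}")
    if found.cdrom_autorun_enabled:
        lines.append("Cdrom AutoRun = 1: media autorun still enabled")
    for name, path, state in found.missing_files:
        lines.append(f"load point '{name}' ({state}) points at missing file {path}")
    return lines

if __name__ == "__main__":
    for entry in summarize(triage(SAMPLE_LOG)):
        print(entry)
```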
Friday, September 19, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 18, 2008 15:58:24
Records in database: 1247904
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 93454
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 05:22:16
File name Threat name Threats count
C:\WINDOWS\system32\11.CPX Infected: Trojan.Win32.Agent.aeag 1
OTViewIt logfile created on: 19/09/2008 0:30:37 - Run 9
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Propietario\Mis documentos\PGMS
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy
1014,42 Mb Total Physical Memory | 511,50 Mb Available Physical Memory | 50,42% Memory free
2,39 Gb Paging File | 2,04 Gb Available in Paging File | 85,63% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 74,53 Gb Total Space | 39,45 Gb Free Space | 52,93% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 124,33 Mb Total Space | 32,73 Mb Free Space | 26,33% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ORGANIZA-6EEEB6
Current User Name: Propietario
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
========== Processes - Non-Microsoft Only ==========
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
[12/13/2001 01:01 AM | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe
[06/03/2005 02:26 AM | 00,245,760 | ---- | M] (Intel) -- C:\Archivos de programa\Intel\Wireless\Bin\1XConfig.exe
[07/05/2005 10:47 PM | 00,544,768 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
[08/08/2005 11:13 AM | 00,163,840 | ---- | M] () -- C:\Archivos de programa\Power Manager\PM.exe
[03/18/2005 11:52 AM | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
[09/13/2008 04:24 PM | 00,379,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Propietario\Mis documentos\PGMS\OTViewIt.exe
========== Win32 Services - Non-Microsoft Only ==========
[01/23/2007 10:00 PM | 00,077,944 | ---- | M] (Autodesk) -- C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service [Auto | Running])
[03/02/2006 02:00 PM | 00,225,792 | ---- | M] (Microsoft Corp., VERITAS Software) -- C:\WINDOWS\system32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
[11/17/2005 03:18 PM | 01,527,900 | ---- | M] (MAGIX®) -- C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance [On_Demand | Stopped])
========== Driver Services - Non-Microsoft Only ==========
[10/15/2004 01:50 PM | 00,015,295 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Running])
File not found -- C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys -- (catchme [On_Demand | Stopped])
[01/14/2005 11:22 AM | 00,005,504 | R--- | M] (EnE Technology Inc.) -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr [On_Demand | Running])
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped])
[09/20/2005 05:27 PM | 00,010,368 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
[06/19/2008 05:24 PM | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
[05/30/2008 06:30 PM | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin [On_Demand | Stopped])
[09/03/2008 02:07 PM | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[09/03/2008 02:07 PM | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[09/03/2008 02:07 PM | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[07/05/2005 10:54 PM | 00,840,100 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial [On_Demand | Running])
[06/03/2005 11:50 PM | 00,162,176 | ---- | M] (Texas Instruments) -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
File not found -- C:\WINDOWS\system32\drivers\klif.sys -- (TSP [On_Demand | Stopped])
[03/02/2002 12:21 AM | 00,004,944 | ---- | M] () -- C:\Archivos de programa\Power Manager\WinIo.sys -- (WINIO [On_Demand | Running])
========== Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr" = ALCMTR.EXE (Realtek Semiconductor Corp.)
"ControlCenter2.0" = C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun (Brother Industries, Ltd.)
"EOUApp" = C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe (Intel Corporation)
"High Definition Audio Property Page Shortcut" = HDAShCut.exe (Windows (R) Server 2003 DDK provider)
"HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"IndexSearch" = C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
"IntelWireless" = C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless (Intel Corporation)
"IntelZeroConfig" = C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
"NeroFilterCheck" = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
"PaperPort PTD" = C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
"Persistence" = C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"PowerDVD" = C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe /autostart (CyberLink Corp.)
"PowerManager" = C:\Archivos de programa\Power Manager\PM.exe ()
"QuickTime Task" = "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RTHDCPL" = RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SetDefPrt" = C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe (Brother Industories, Ltd.)
"SMSERIAL" = sm56hlpr.exe (Motorola Inc.)
"SSBkgdUpdate" = "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"SunJavaUpdateSched" = "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe" (Sun Microsystems, Inc.)
"Telefonica" = "C:\Archivos de programa\Telefonica\bin\sprtcmd.exe" /P Telefonica (SupportSoft, Inc.)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList" = C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe (Pinnacle Systems)
"NBJ" = "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe" (Ahead Software AG)
========== Startup Folders ==========
[03/05/2006 03:43 PM | 00,011,000 | ---- | M] (Autodesk, Inc) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
[09/23/2005 11:05 PM | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[04/23/2005 08:12 PM | 00,802,816 | ---- | M] (Brother Industries, Ltd.) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Monitor de estado.lnk = C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
========== Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL" = http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page" = %SystemRoot%\system32\blank.htm
"Search Bar" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
"Search Page" = http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page" = http://go.microsoft.com/fwlink/?LinkId=69157
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page" = http://www.google.es/
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
========== BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Toolbars ==========
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Shell Execute Hooks ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
========== Winlogon Notify Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll -- C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
IntelWireless: "DllName" = C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll -- C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
========== Safeboot Options ==========
"AlternateShell" = cmd.exe
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTOEXEC.BAT [SET PATH=C:\Archivos de programa\Pinnacle\Shared Files;C:\Archivos de programa\Pinnacle\Shared Files\Filter | ]
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]
Sorry frolma, I am actually about 850 Km north of my home, and drive back home tomorrow morning, so I only had little opportunity to log in. I see in the results the infection was not located as I had hoped - this suggests the online scan does not have this infection's information in its database (so not locating it for us).
When I return tomorrow I am going to review this particular infection with some people who are knowledgeable about an earlier variant of it, to get good advice on what the hidden source is there.
31/08/2008 1:21:45 Detected: Heur.Trojan.Generic C:\Documents and Settings\Propietario\Configuración local\Temp\Rar$EX00.625\Bittorrent_Downloader_1808_CL_DW_0299.EXE/WISE0009.BIN
C:\Documents and Settings\Propietario\Mis documentos\Quarantine\Bittorrente_Downloader_1808_CL_DW_0299.txt Infected: Trojan-Downloader.Win32.Agent.afyh 1
That often shows as a startup in other threads, where the user complains about a "mobiswing" popup ad:
Run: [mobiswing] C:\PROGRA~1\BITTOR~1\BitP.exe
To analyze a new infection, I am pretty good at locating files and software on the internet, but I cannot locate this:
BitTorrent Fastest Tool
Or this file:
BitP.exe
I also don't see in any of our logs where the normal log report of installed softwares showed, though maybe I am overlooking that. Post back what you know about that Bit software and where it comes from (and where I can get a copy of it also). In addition, run this tool so it will show the installed software in its info.txt log:
Download RSIT (random's system information tool) from here to your desktop, then click on the RSIT.exe to start the scan.
If necessary allow it to locate or download a copy of HijackThis as needed.
Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\info.txt.
RSIT will also create a second log, log.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored on your desktop).
You can use separate posts here when replying and posting the log files if needed.
Hi, sorry but I can't help you, because I don't know where it comes from, but if you want I can zip the folder which contains Bittorrent fastest tool and send it to you. It contains an install log and an exe file: Multi_Media1808.exe.
I ran Kaspersky online and it found Bitorrente_Downloader_CL_DW_0299.txt. I changed the name and put it in quarantine. Now it doesn't exist any more, I deleted it.
I received the file, thanks. Not sure why it has the Bittorrente naming, but the info and the file show it is from an aborted install of this Conduit Multi Media Toolbar. More or less redirects your searches, and has a mis-worded part of the install that says "Fix 404 errors", which means it will send the user to a Conduit related search website if an incorrect address is entered in the IE address bar. But the log you sent with the install file show the install was aborted, so you can just delete those files now.
I have asked others very knowledgeable in this malware variant for assistance. I will post back once some reviewing is completed.
Those entries are created by infection, but mountpoints2 entries indicate a device was used. For example, when you plug in a USB drive, this creates one if one for it was not already there. That dh66ln.cmd file is not being found on this computer, but by the look of the logs is located somewhere, and may be what is recreating the infection there.
Is someone installing and removing a device there still, especially a device that was not installed when the Kaspersky scan was run? That dh66ln.cmd file is known, so I expect it to be located by Kaspersky if the device that has that file is installed when the scan is run.
Do not run a new search for that file though - I do not want you creating new registry entries using that name right now. Instead do this:
Install ALL devices that have been used on this computer. ALL of them.
Go here and download Agent Ransack to your desktop, then click the downloaded file to install the program. Once installed go to Start - Programs and open Agent Ransack.
Under "Look in:", use the dropdown box to change that to:
All Drives
Under the Advanced tab, type the following, exactly as shown, into the text box next to "Containing text:"
dh66ln
Make no other changes at this time. Then click the "Start search" button (upper right corner) and allow Agent Ransack to search. This will take quite a while to complete, depending on the number of files stored on the system, so please allow the scan to complete and not use the computer while it is running.
When the scan is done go to File - Save Results, and click the "Save" button to save the information to your clipboard. Then open Notepad and click Paste to copy the scan results. Save this as amigo.txt.
Zip a copy of that file, and again send it to Jintan as an attachment please.
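The mechanism described in the post above (per-volume MountPoints2 Shell\AutoRun, Shell\open and Shell\explore commands that name dh66ln.cmd without any path) can be triaged straight from the OTViewIt log. The following is an added example, not OldTimer's code and not a tool used in this thread: it parses the "MountPoints2" and "Autorun Files on Drives" sections in the line format visible in the posted logs and flags the pattern. SAMPLE_LOG is constructed from the thread's own lines plus one invented, benign CD-ROM entry for contrast; the reading of the D attribute on C:\autorun.inf as a directory left by a USB vaccination tool is my inference, not something the thread states.

```python
"""Triage the MountPoints2 and "Autorun Files on Drives" sections of an OTViewIt
log for the removable-drive autorun mechanism the post above describes.
Added example, not OldTimer's code: the parser follows the line format seen in
the posted logs, and SAMPLE_LOG is built from those lines plus one invented,
benign CD-ROM entry for contrast."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".vbs", ".js"}
SECTION = re.compile(r"^========== (.+?) ==========$")
MP2_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\MountPoints2\\(\{[0-9a-f-]+\})"
                     r"\\Shell\\(\w+)\\command\]$", re.IGNORECASE)
MP2_VALUE = re.compile(r'^"" = (.+)$')
# [date | size | attrs | M] (company) -- path -- [ FS ]; directories carry no size/company.
FILE_LINE = re.compile(r"^\[[^|]+\|(?:\s*[\d,]+\s*\|)?\s*(?P<attr>[-RHSDA]{4})\s*\|\s*[MC]\]"
                       r"\s*(?:\(.*?\)\s*)?--\s*(?P<path>.+?)\s*--\s*\[\s*\w+\s*\]$")

# Constructed from the thread's log lines; the {00000000-...} entry is invented and benign.
SAMPLE_LOG = r"""
========== Autorun Files on Drives ==========
AUTOEXEC.BAT [SET PATH=C:\Archivos de programa\Pinnacle\Shared Files | ]
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]
========== MountPoints2 ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\AutoRun\command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\explore\Command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\open\Command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-1111-2222-3333-444444444444}\Shell\AutoRun\command]
"" = D:\setup.exe
========== DNS Name Servers ==========
"""


def parse(log: str) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[str, str]]]:
    """Return ({volume GUID: {verb: command}}, [(attrs, path), ...])."""
    mounts: Dict[str, Dict[str, str]] = defaultdict(dict)
    files: List[Tuple[str, str]] = []
    section, pending = None, None
    for line in log.splitlines():
        head = SECTION.match(line)
        if head:
            section, pending = head.group(1), None
        elif section == "MountPoints2":
            key, value = MP2_KEY.match(line), MP2_VALUE.match(line)
            if key:  # remember GUID and verb; the command follows on the next line
                pending = (key.group(1).lower(), key.group(2).lower())
            elif value and pending:
                mounts[pending[0]][pending[1]] = value.group(1).strip()
                pending = None
        elif section == "Autorun Files on Drives":
            entry = FILE_LINE.match(line)
            if entry:
                files.append((entry.group("attr"), entry.group("path")))
    return dict(mounts), files


def is_bare_script(cmd: str) -> bool:
    """A relative file name with an executable extension, e.g. 'dh66ln.cmd'."""
    ext = ("." + cmd.rsplit(".", 1)[-1].lower()) if "." in cmd else ""
    anchored = re.match(r"[A-Za-z]:\\|\\\\|%", cmd) is not None  # drive, UNC or %var%
    return ext in SCRIPT_EXTS and not anchored


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (severity, subject, reason) findings for the two sections."""
    findings = []
    mounts, files = parse(log)
    for guid, verbs in sorted(mounts.items()):
        bare = {v: c for v, c in verbs.items() if is_bare_script(c)}
        if not bare:
            continue  # an absolute path such as D:\setup.exe is ordinary CD/DVD autorun
        findings.append(("high", guid, f"{sorted(bare)} run {sorted(set(bare.values()))} by bare "
                         "name: Explorer resolves it against the root of whichever volume carries "
                         "this ID, so the file should be looked for on that removable drive"))
        hijacked = [v for v in ("open", "explore") if v in bare]
        if hijacked:
            findings.append(("high", guid, f"{hijacked} also redirected: double-clicking or "
                             "Exploring the drive re-launches it even with AutoRun turned off"))
    for attr, path in files:
        if not path.lower().endswith("\\autorun.inf"):
            continue
        if "D" in attr:  # OTViewIt's D flag marks a directory, as on C:\_OTMoveIt
            findings.append(("info", path, f"directory named autorun.inf ({attr}): Explorer cannot "
                             "parse it, the shape USB vaccination tools leave to block autorun "
                             "(my reading; the thread does not say which tool made it)"))
        elif "H" in attr or "S" in attr:
            findings.append(("medium", path, f"hidden/system autorun.inf file ({attr}): open it in "
                             "Notepad and check the [autorun] open= and shellexecute= lines"))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {subject}: {reason}")
```

The point of the bare-name check is the one the post makes: a value of just dh66ln.cmd has no drive letter, so it is resolved against whichever volume that GUID belongs to, and a scan of C: alone will never find it. Paste a full OTViewIt log into triage() and the same GUID will be flagged each time the device is plugged in.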
I received the file. The bad file we are looking for shows in some locations there, but most are just copies of what we are doing here stored in temp locations. Also an AntiVir log file that indicates it found this same file on an E drive at some point, and then the information shows in a backup of the registry SDFix created. This may show where the current source location is. See if you can send as an attachment a copy of the following file - it is over 6 Mb in size so may be slow to send:
I received all files, thanks. The ntuser.dat file, as the actual source file of the registry and other user settings there, is mostly saved using machine code, so very difficult to work with. I am still reviewing the information from that, as well as have asked others to help review. In some way the information appears to suggest iTunes involvement, though very unclear on that. Has your child been inserting and removing their iTunes player as we work here? And possibly includes Pinnacle software - again just not clear yet. This tidbit of info is something you can check next from the files:
20FriendlyNameiv32ðÿÿÿXß Ø`R
May be uneventful, but use the RegSearch tool again and do a search using the following, then post back that log please:
Hi, about the question: if my daughter has used her iPod, I regret to say that the answer is ....yes. It's difficult for young people to be obedient (she's 17) and patient. What do you need about the iPod? That it was always connected or perhaps that it was always disconnected? (It's easiest for me that it was always disconnected.)
An AntiVir log from a scan done with that, maybe when this system first got infected, showed this dh66ln.cmd file located on an E drive there. As I have been saying it is very important that ALL drives be connected for us to locate the infection. That registry search shows a part of what I expected, but I was not detailed enough on which search tool to use. The one you used, although a fine tool, does not create the details that the other Registry Search tool by Bobbi Flekman does. For our work now rely on this one instead of the .vbs one.
If you truly did not do it yet, install ALL drives, including your daughter's iPod, and run a new Kaspersky online scan. Make sure to select My Computer so it will scan all drives. Save that log and post it back here please.
Also from the ntuser.dat file you sent there are more registry and file locations for us to check. Slowly we are getting near to how this infection is keeping itself alive there.
Again click on the regsearch.exe (Bobbi Flekman's - sharp guy) to run the tool. In the display panel, copy and paste the following into the upper box:
DisableContactEncryption
Then click Okay. Once the scan completes a textbox will open - copy/paste those contents back here please (the RegSearch.txt log can also be found in the same location as the regsearch.exe file you clicked).
Repeat that using the following for the search:
MISVDE
6 6 l n <- note this one has spaces
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt, then press Enter:
dir /s /a "c:\*MISVDE*.*" > c:\find3.txt && notepad c:\find3.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
Once that Notepad textbox opens, also click at the prompt in the still open command console window and type exit to close that.
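The three searches requested above (Agent Ransack "Containing text: dh66ln" over all drives, RegSearch for "6 6 l n" with spaces, and the dir /s sweep for *MISVDE*) are all the same job: find an indicator in file names and file contents, in every encoding it can take. The following is an added example, not a tool used in this thread, that does this in one pass over a directory tree. The spaced form is, in my reading, the UTF-16LE storage of registry and NTUSER.DAT strings: "dh66ln" sits on disk as d\0h\06\06\0l\0n\0, and a byte-level viewer shows the NUL after every character as a gap. The sample files it sweeps are constructed here; nothing is read from the poster's system.

```python
"""Sweep a directory tree for an indicator in file names and in file contents,
in both the ASCII and the UTF-16LE form the indicator can take.
Added example, not a tool used in the thread: one pass does what Agent Ransack
("Containing text"), RegSearch ("6 6 l n") and dir /s (*MISVDE*) are asked to
do above. Registry values and NTUSER.DAT store strings as UTF-16LE, which is
why the spaced search string finds what the plain one misses."""
import fnmatch
import os
import re
import shutil
import tempfile
from typing import List, Optional, Tuple

CHUNK = 1 << 20  # read files in 1 MiB pieces so big logs and hives are not loaded whole


def content_patterns(indicator: str) -> List[Tuple[str, "re.Pattern[bytes]"]]:
    """The indicator as ASCII and as UTF-16LE bytes, matched case-insensitively."""
    return [
        ("ascii", re.compile(re.escape(indicator.encode("ascii")), re.IGNORECASE)),
        ("utf-16le", re.compile(re.escape(indicator.encode("utf-16-le")), re.IGNORECASE)),
    ]


def file_contains(path: str, patterns, overlap: int) -> Optional[str]:
    """Label of the first encoding found in the file, or None."""
    tail = b""
    try:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(CHUNK)
                if not block:
                    return None
                window = tail + block
                for label, pattern in patterns:
                    if pattern.search(window):
                        return label
                tail = window[-overlap:]  # keep a hit that straddles two reads visible
    except OSError:  # locked, unreadable or vanished file: skip it rather than abort the sweep
        return None


def sweep(root: str, indicator: str, name_globs=()) -> List[Tuple[str, str]]:
    """Walk root; return sorted (relative path, reason) for name and content hits."""
    patterns = content_patterns(indicator)
    overlap = len(indicator.encode("utf-16-le"))  # length of the longest encoded form
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for glob in name_globs:
                if fnmatch.fnmatch(name.lower(), glob.lower()):
                    hits.append((rel, f"name matches {glob}"))
                    break
            label = file_contains(full, patterns, overlap)
            if label:
                hits.append((rel, f"contains {indicator!r} as {label}"))
    return sorted(hits)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample tree, sweep it for dh66ln and *MISVDE*, return the hits."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    os.mkdir(os.path.join(root, "Temp"))
    samples = {
        # Constructed: an antivirus-style log line naming the dropper on a removable drive.
        "Temp/antivir.log": b"Found E:\\dh66ln.cmd [dropper] during scan\r\n",
        # Constructed: a hive-like fragment, where the name is stored as UTF-16LE.
        "Temp/ntuser.fragment": b"\x01\x00" + "DH66LN.cmd".encode("utf-16-le") + b"\x00\x00",
        # Constructed: matches the second search by name only.
        "Temp/MISVDE_cache.dat": b"\x00" * 64,
        # Constructed: should not be reported at all.
        "Temp/readme.txt": b"nothing of interest here\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    try:
        return sweep(root, "dh66ln", name_globs=("*MISVDE*",))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run sweep() against the root of every mounted drive, including the iPod and any USB stick, to mirror the "All Drives" setting asked for above. A plain Notepad or Agent Ransack text search only covers the ASCII form; the UTF-16LE pattern is what catches the name inside registry hives, .reg exports and many Unicode logs.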
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 29, 2008 16:58:18
Records in database: 1274227
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 92125
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 03:37:57
File name Threat name Threats count
C:\WINDOWS\system32\11.CPX Infected: Trojan.Win32.Agent.aeag 1
Volume in drive C has no label.
Volume Serial Number is F084-9B57
Directory of c:\Documents and Settings\All Users\Documentos
23/03/2008 23:38 <DIR> Mis vídeos
0 File(s) 0 bytes
Directory of c:\Documents and Settings\Propietario\Mis documentos
07/05/2008 22:07 <DIR> Mis vídeos
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 42.406.797.312 bytes free
All the right locations and names, and no ties to the source of the infection. I am assuming your daughter's iPod was installed when the Kaspersky scan was run, of course. Make sure to delete this file using OTMoveIt - you can just use the following line and copy/paste it into OTMoveIt and click the MoveIt! button as you have been:
C:\WINDOWS\system32\11.CPX
I will review again with others as I have been. Please run and post back a current RSIT log to work with for that.
After quite a bit more review frolma the source of the infection keeps returning to installed software there, including those "null" registry keys used by Pinnacle I mentioned earlier. How long have you had this copy of Pinnacle installed there?
The significant point in much of the review is that results of logs only show part of the information - parts of the results I would expect to see are missing. This suggests null keys, or binary storage of data - but moreso null keys. And most of those related to values that include this:
"__LongTerm__"
Very little available web information on that. All I locate so far suggests this registry value is where certain softwares have hidden registration information, that can be changed to use the software without actually purchasing and registering it. Do you recognize that term?
I would also like to check this file, since it would be in binary code and could hide information. Please upload or email that if you would:
C:\Documents and Settings\Propietario\Escritorio\PELICULES.xls
Ah amigo, that "__LongTerm__" took up a lot of research energy in this repair at my end, and only now I sense it is actually a product created in logs by forum software - it does not actually exist in your computer's data there. Like a detective without a crime. I did check that file, thanks. Yes, an innocent list you use there.
I have been asked by an expert assisting me in reviews elsewhere a few times for some files to check, and I have forgotten to ask for them. These are important in bootup instructions, and may be involved in why changes mysteriously appear here each time.
Make sure you can see hidden files still, then locate the following files, and send copies of them to me please:
It would be best if you sent them unzipped, and also zipped, so I can see the difference between those methods (zipping, or using rar, possibly changes code inside certain files).
This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.
If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.
If you are not the user who started this thread, you must start your own Thread instead
Also, I understand Spanish a little. Very little, actually. Can you tell me what this installed software is for:
Asistente Técnico de Telefónica
And do you recognize this folder:
[03/29/2007 01:00 AM | 00,053,248 | ---- | M] () -- C:\Archivos de programa\Telefonica\AsistCfg71\awcbrwsr.exe:*:Disabled:Aplicación MFC awcbrwsr
If not, what I would like with those other files is a copy of this folder zipped and uploaded to SpyKiller as well:
C:\Archivos de programa\Telefonica\AsistCfg71
Surprise, surprise, it found two files which I probably put in quarantine before contacting you. It was after a Kaspersky online scan too, and I had forgotten it.
Here are the logs
Tuesday, September 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 15, 2008 20:10:26
Records in database: 1237120
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 91524
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 03:16:25
File name Threat name Threats count
C:\Documents and Settings\Propietario\Mis documentos\Quarantine\Bittorrente_Downloader_1808_CL_DW_0299.txt Infected: Trojan-Downloader.Win32.Agent.afyh 1
C:\Documents and Settings\Propietario\Mis documentos\Quarantine\Bittorrent_Downloader_1808_CL_DW_0299.txt Infected: Trojan-Downloader.Win32.Agent.afyh 1
The selected area was scanned.
OTViewIt logfile created on: 16/09/2008 9:48:17 - Run 8
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Propietario\Mis documentos\PGMS
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy
1014,42 Mb Total Physical Memory | 548,52 Mb Available Physical Memory | 54,07% Memory free
2,39 Gb Paging File | 2,04 Gb Available in Paging File | 85,40% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 74,53 Gb Total Space | 39,44 Gb Free Space | 52,92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ORGANIZA-6EEEB6
Current User Name: Propietario
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
========== Processes - Non-Microsoft Only ==========
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
[12/13/2001 01:01 AM | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe
[06/03/2005 02:26 AM | 00,245,760 | ---- | M] (Intel) -- C:\Archivos de programa\Intel\Wireless\Bin\1XConfig.exe
[07/05/2005 10:47 PM | 00,544,768 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
[08/08/2005 11:13 AM | 00,163,840 | ---- | M] () -- C:\Archivos de programa\Power Manager\PM.exe
[03/18/2005 11:52 AM | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
[05/17/2005 06:42 PM | 00,933,888 | ---- | M] (Brother Industries, Ltd.) -- C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe
[09/13/2008 04:24 PM | 00,379,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Propietario\Mis documentos\PGMS\OTViewIt.exe
========== Win32 Services - Non-Microsoft Only ==========
[01/23/2007 10:00 PM | 00,077,944 | ---- | M] (Autodesk) -- C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service [Auto | Running])
[03/02/2006 02:00 PM | 00,225,792 | ---- | M] (Microsoft Corp., VERITAS Software) -- C:\WINDOWS\system32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
[11/17/2005 03:18 PM | 01,527,900 | ---- | M] (MAGIX®) -- C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance [On_Demand | Stopped])
========== Driver Services - Non-Microsoft Only ==========
[10/15/2004 01:50 PM | 00,015,295 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Stopped])
File not found -- C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys -- (catchme [On_Demand | Stopped])
[01/14/2005 11:22 AM | 00,005,504 | R--- | M] (EnE Technology Inc.) -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr [On_Demand | Running])
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped])
[09/20/2005 05:27 PM | 00,010,368 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
[06/19/2008 05:24 PM | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
[05/30/2008 06:30 PM | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin [On_Demand | Stopped])
[09/03/2008 02:07 PM | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[09/03/2008 02:07 PM | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[09/03/2008 02:07 PM | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[07/05/2005 10:54 PM | 00,840,100 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial [On_Demand | Running])
[06/03/2005 11:50 PM | 00,162,176 | ---- | M] (Texas Instruments) -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
File not found -- C:\WINDOWS\system32\drivers\klif.sys -- (TSP [On_Demand | Stopped])
[03/02/2002 12:21 AM | 00,004,944 | ---- | M] () -- C:\Archivos de programa\Power Manager\WinIo.sys -- (WINIO [On_Demand | Running])
========== Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr" = ALCMTR.EXE (Realtek Semiconductor Corp.)
"ControlCenter2.0" = C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun (Brother Industries, Ltd.)
"EOUApp" = C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe (Intel Corporation)
"High Definition Audio Property Page Shortcut" = HDAShCut.exe (Windows (R) Server 2003 DDK provider)
"HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"IndexSearch" = C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
"IntelWireless" = C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless (Intel Corporation)
"IntelZeroConfig" = C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
"NeroFilterCheck" = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
"PaperPort PTD" = C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
"Persistence" = C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"PowerDVD" = C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe /autostart (CyberLink Corp.)
"PowerManager" = C:\Archivos de programa\Power Manager\PM.exe ()
"QuickTime Task" = "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RTHDCPL" = RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SetDefPrt" = C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe (Brother Industories, Ltd.)
"SMSERIAL" = sm56hlpr.exe (Motorola Inc.)
"SSBkgdUpdate" = "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"SunJavaUpdateSched" = "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe" (Sun Microsystems, Inc.)
"Telefonica" = "C:\Archivos de programa\Telefonica\bin\sprtcmd.exe" /P Telefonica (SupportSoft, Inc.)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList" = C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe (Pinnacle Systems)
"NBJ" = "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe" (Ahead Software AG)
========== Startup Folders ==========
[03/05/2006 03:43 PM | 00,011,000 | ---- | M] (Autodesk, Inc) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
[09/23/2005 11:05 PM | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[04/23/2005 08:12 PM | 00,802,816 | ---- | M] (Brother Industries, Ltd.) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Monitor de estado.lnk = C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
========== Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL" = http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page" = %SystemRoot%\system32\blank.htm
"Search Bar" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
"Search Page" = http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page" = http://go.microsoft.com/fwlink/?LinkId=69157
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page" = http://www.google.es/
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
========== BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Toolbars ==========
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Shell Execute Hooks ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
========== Winlogon Notify Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll -- C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
IntelWireless: "DllName" = C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll -- C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
========== Safeboot Options ==========
"AlternateShell" = cmd.exe
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTOEXEC.BAT [SET PATH=C:\Archivos de programa\Pinnacle\Shared Files;C:\Archivos de programa\Pinnacle\Shared Files\Filter | ]
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]
========== MountPoints2 ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\AutoRun\command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\explore\Command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\open\Command]
"" = dh66ln.cmd
========== DNS Name Servers ==========
{472F2256-6B58-4784-9CD8-32BD2E21A4F7} (Servers: | Description: Intel(R) PRO/Wireless 2200BG Network Connection)
{59B3C720-E9B0-45FE-B97C-2BD8CCDC2EB2} (Servers: 80.58.61.254,80.58.61.250 | Description: Broadcom 440x 10/100 Integrated Controller)
{A5175BD6-662B-46EA-A446-EECCE2055DAC} (Servers: 80.58.61.254,80.58.61.250 | Description: Adaptador de red 1394)
========== Hosts File ==========
HOSTS File = (792 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
========== Files/Folders - Created Within 30 days ==========
[08/30/2008 11:11 AM | ---D | C] -- C:\_OTMoveIt
[08/30/2008 11:18 AM | ---D | C] -- C:\SDFix
[09/08/2008 06:27 PM | 00,162,616 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\RegDelNull.exe
[09/12/2008 06:42 PM | RHSD | C] -- C:\autorun.inf
[09/13/2008 04:55 PM | -HSD | C] -- C:\RECYCLER
[08/30/2008 11:37 AM | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[08/30/2008 11:37 AM | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/06/2008 07:42 PM | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[09/12/2008 07:10 PM | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/28/2008 10:21 AM | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[09/14/2008 11:30 PM | 00,000,286 | ---- | C] () -- C:\WINDOWS\System32\112.CPX
[09/14/2008 11:30 PM | 00,000,411 | ---- | C] () -- C:\WINDOWS\System32\121.CPX
[5 C:\WINDOWS\*.tmp files]
[08/30/2008 11:19 AM | ---D | C] -- C:\WINDOWS\ERUNT
[09/06/2008 07:42 PM | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[09/06/2008 07:42 PM | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[09/06/2008 07:42 PM | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[09/13/2008 10:13 PM | 00,000,006 | -H-- | C] () -- C:\WINDOWS\tasks\SA.DAT
[08/20/2008 01:40 PM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
[08/23/2008 03:17 AM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
[08/30/2008 11:37 AM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
[09/14/2008 09:01 PM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\SUPERAntiSpyware.com
[08/30/2008 11:37 AM | ---D | C] -- C:\Documents and Settings\Propietario\Datos de programa\Malwarebytes
[09/14/2008 09:01 PM | ---D | C] -- C:\Documents and Settings\Propietario\Datos de programa\SUPERAntiSpyware.com
[08/30/2008 11:46 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\LOGS
[08/31/2008 10:43 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\Quarantine
[09/07/2008 06:51 PM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\PGMS
[08/30/2008 11:37 AM | 00,000,731 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/14/2008 09:01 PM | 00,000,829 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\SUPERAntiSpyware Free Edition.lnk
[09/05/2008 11:29 AM | ---D | C] -- C:\Documents and Settings\Propietario\Escritorio\ZIPS
[08/20/2008 01:40 PM | ---D | C] -- C:\Archivos de programa\Spybot - Search & Destroy
[08/20/2008 01:49 AM | ---D | C] -- C:\Archivos de programa\Trend Micro
[08/23/2008 06:35 PM | ---D | C] -- C:\Archivos de programa\BitTorrent Fastest Tool
[08/30/2008 11:37 AM | ---D | C] -- C:\Archivos de programa\Malwarebytes' Anti-Malware
[09/02/2008 05:09 PM | ---D | C] -- C:\Archivos de programa\EsetOnlineScanner
[09/12/2008 07:09 PM | ---D | C] -- C:\Archivos de programa\Panda Security
[09/14/2008 09:01 PM | ---D | C] -- C:\Archivos de programa\SUPERAntiSpyware
========== Files - Modified Within 30 days ==========
[09/10/2008 06:25 PM | 00,000,211 | -HS- | M] () -- C:\boot.ini
[09/02/2008 12:16 AM | 00,017,200 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/23/2008 02:40 AM | 00,064,706 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[08/23/2008 02:40 AM | 00,084,476 | ---- | M] () -- C:\WINDOWS\System32\perfc00A.dat
[08/23/2008 02:40 AM | 00,409,566 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[08/23/2008 02:40 AM | 00,473,274 | ---- | M] () -- C:\WINDOWS\System32\perfh00A.dat
[08/23/2008 02:40 AM | 01,043,160 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[09/14/2008 11:30 PM | 00,000,286 | ---- | M] () -- C:\WINDOWS\System32\112.CPX
[09/14/2008 11:30 PM | 00,000,411 | ---- | M] () -- C:\WINDOWS\System32\121.CPX
[09/16/2008 08:33 AM | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[5 C:\WINDOWS\*.tmp files]
[08/18/2008 12:27 PM | 00,000,350 | ---- | M] () -- C:\WINDOWS\BeatBox.INI
[08/18/2008 12:27 PM | 00,000,456 | ---- | M] () -- C:\WINDOWS\musicmaker.INI
[08/29/2008 02:08 PM | 00,000,028 | ---- | M] () -- C:\WINDOWS\Robota.INI
[09/06/2008 07:42 PM | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[09/08/2008 02:25 PM | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[09/10/2008 06:25 PM | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[09/10/2008 06:25 PM | 00,000,799 | ---- | M] () -- C:\WINDOWS\win.ini
[09/13/2008 06:32 PM | 00,000,474 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[09/14/2008 01:32 AM | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[09/15/2008 01:06 AM | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[09/16/2008 08:32 AM | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[09/09/2008 10:25 AM | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[09/16/2008 08:32 AM | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[09/13/2008 11:00 PM | 00,161,280 | ---- | M] () -- C:\Documents and Settings\Propietario\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[09/15/2008 01:06 AM | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documentos\PCLECHAL.INI
[09/14/2008 04:06 PM | 00,000,595 | ---- | M] () -- C:\Documents and Settings\Propietario\Mis documentos\Mis carpetas para compartir.lnk
[08/30/2008 11:37 AM | 00,000,731 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/14/2008 09:01 PM | 00,000,829 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\SUPERAntiSpyware Free Edition.lnk
[09/15/2008 04:37 PM | 00,002,165 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\iTunes.lnk
[08/19/2008 04:53 PM | 00,002,543 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Microsoft Office Excel 2003 (2).lnk
[08/23/2008 07:45 PM | 00,002,271 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Copia de PaperPort.lnk
[09/12/2008 09:29 AM | 00,002,565 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Microsoft Office Word 2003 (2).lnk
[09/13/2008 06:27 PM | 00,065,536 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\PELICULES .xls
< End of report >
About "Asistente técnico de telefónica": it's software provided by a telephone company, which sold me the router.
It basically is an assistant to configure the router correctly.
Yes, I recognize the Telefonica folder.
There is an autoload function that is reset each time, and the infection brings back the same files as well. Is there some external device, usb or other, that you are using and plugging in and out of the computer?
I did receive the files, but again their contents were either the language code or a smaller one with encrypted code, so not the actual infection sources.
Go to Start - Run, type cmd (and Enter). At the prompt copy/paste the following, then press Enter.
(dir /s "c:\*dh66ln*.*" & dir /s "c:\*avo*.*") >c:\find2.txt && notepad c:\find2.txt
A quick scan will run and then notepad will open - copy/paste those contents back here please (these will also be located at c:\find2.txt)
There are three things that I plug and unplug, because I have a portable computer. They are: the printer, the mouse and a pendrive. This is all.
Mmmmm. I forgot, sometimes my daughter plugs in her iPod.
El volumen de la unidad C no tiene etiqueta.
El número de serie del volumen es: F084-9B57
El volumen de la unidad C no tiene etiqueta.
El número de serie del volumen es: F084-9B57
Directorio de c:\Archivos de programa\Java\jre1.5.0_09\lib
12/12/2006 17:48 3.828 flavormap.properties
1 archivos 3.828 bytes
Directorio de c:\Archivos de programa\Panda Security\ActiveScan 2.0
27/11/2007 17:08 144.688 pavoe.dll
1 archivos 144.688 bytes
Directorio de c:\Documents and Settings\Administrador
12/12/2006 11:31 <DIR> Favoritos
0 archivos 0 bytes
Directorio de c:\Documents and Settings\All Users
12/12/2006 11:31 <DIR> Favoritos
0 archivos 0 bytes
Directorio de c:\Documents and Settings\Default User
12/12/2006 11:31 <DIR> Favoritos
0 archivos 0 bytes
Directorio de c:\Documents and Settings\Propietario
09/09/2008 21:28 <DIR> Favoritos
0 archivos 0 bytes
Directorio de c:\Documents and Settings\Propietario\Datos de programa\Sony\ACID Music\5.0
25/11/2007 13:37 2 ExplorerFavorites.txt
1 archivos 2 bytes
Directorio de c:\Documents and Settings\Propietario\Mis documentos\Pirateo\Photoshop Portable\Portable Adobe Photoshop CS2 v9.0 español\Settings
14/08/2006 23:27 260 Favoritos.psp
1 archivos 260 bytes
Directorio de c:\WINDOWS\pchealth\helpctr\System\blurbs
12/12/2006 11:41 1.487 Favorites.htm
1 archivos 1.487 bytes
Directorio de c:\WINDOWS\pchealth\helpctr\System\panels\subpanels
12/12/2006 11:41 8.546 Favorites.htm
1 archivos 8.546 bytes
Directorio de c:\WINDOWS\system32\config\systemprofile
12/12/2006 11:31 <DIR> Favoritos
0 archivos 0 bytes
Total de archivos en la lista:
6 archivos 1.488.094 bytes
5 dirs 42.353.905.664 bytes libres
This infection is an autoloading one, that places its files and functions on any external drive that is attached to this computer while it is infected. If you clean the infection from the computer, but not all infected external drives, then the next time one of them is used on it the infection is completely returned. And these external drives can then infect other computers as well. Any external drive that has a type of file system, including some PDAs and even cell phones, can be infected by this.
Please be sure now to follow these steps as posted, and include ALL (todos) external drives that have been installed on this computer recently. And they must be left in until both the computer, AND the external drives, show in our logs as clean.
First let's get what is called a "baseline", to see if in fact these removed drives are involved.
As usual, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Install all external drives as I have suggested. Leave them installed - your daughter will have to wait until this important work is completed.
Once you have done that, go here and run the Kaspersky online scan, and post back the log it creates.
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do.
When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log.
Then locate that log and copy/paste those contents back here please.
Run a new OTViewIt scan, and post that along with the Kaspersky scan please.
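As an added, defender-side illustration of the autorun mechanism described in this post (not a tool from the thread or from OTViewIt's author), here is a Python script that triages the three OTViewIt log sections involved: MountPoints2 shell verbs pointing at a launcher on the volume, an autorun.inf entry at a drive root, and the CDRom AutoRun value. The sample log text is constructed to match the format of the logs posted in this thread; the volume GUID and file names in it are illustrative.

```python
"""Triage OTViewIt-style log sections for removable-media autorun persistence.

Added example for this thread; not part of OTViewIt or any other tool named here.
"""
import re
from typing import Dict, List

# Constructed sample in the OTViewIt log format (illustrative values).
SAMPLE_LOG = r"""
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTOEXEC.BAT [SET PATH=C:\Archivos de programa\Pinnacle\Shared Files | ]
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]
========== MountPoints2 ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\AutoRun\command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\open\Command]
"" = dh66ln.cmd
========== DNS Name Servers ==========
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
MOUNTPOINT_RE = re.compile(
    r"MountPoints2\\(\{[0-9A-Fa-f-]+\})\\Shell\\(\w+)\\command\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^""\s*=\s*(.+)$')
# OTViewIt entry: [stamp | size? | attrs | C/M] (company) -- path -- [fs]
ATTR_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|(?:\s*(?P<size>[\d,]+)\s*\|)?\s*(?P<attrs>[A-Z-]{4})"
    r"\s*\|\s*[CM]\]\s*--\s*(?P<path>.+?)\s*--")
# Extensions that autorun worms commonly use for the launcher stored on the volume.
LAUNCHER_EXT = (".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".vbs", ".js")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group log lines under their '========== Name ==========' headers."""
    sections: Dict[str, List[str]] = {}
    current = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def find_autorun_indicators(log_text: str) -> List[dict]:
    """Return findings from the three sections that show autorun persistence."""
    findings: List[dict] = []
    sections = split_sections(log_text)

    # 1. Per-volume shell verbs in MountPoints2: Explorer runs the stored command
    #    when that volume is opened, explored or auto-run, so a bare launcher name
    #    here re-executes whatever sits on the drive each time it is plugged in.
    lines = sections.get("MountPoints2", [])
    for i, line in enumerate(lines):
        key = MOUNTPOINT_RE.search(line)
        if not key or i + 1 >= len(lines):
            continue
        val = VALUE_RE.match(lines[i + 1].strip())
        if not val:
            continue
        cmd = val.group(1).strip()
        findings.append({
            "type": "mountpoints2_verb",
            "volume": key.group(1).lower(),
            "verb": key.group(2).lower(),
            "command": cmd,
            "suspicious": cmd.lower().endswith(LAUNCHER_EXT),
        })

    # 2. autorun.inf at a drive root. A hidden+system file is the classic worm
    #    dropper; a directory of that name (D attribute) cannot be parsed as an
    #    autorun file and is worth noting either way.
    for line in sections.get("Autorun Files on Drives", []):
        m = ATTR_RE.match(line.strip())
        if not m or not m.group("path").lower().endswith("\\autorun.inf"):
            continue
        attrs = m.group("attrs")
        findings.append({
            "type": "autorun_inf",
            "path": m.group("path"),
            "attributes": attrs,
            "is_directory": "D" in attrs,
            "hidden_system": "H" in attrs and "S" in attrs,
        })

    # 3. Media autorun switched on globally for the Cdrom service.
    for line in sections.get("CDRom AutoRun Settings", []):
        m = re.match(r'^"AutoRun"\s*=\s*(\d+)$', line.strip())
        if m:
            findings.append({"type": "cdrom_autorun", "enabled": m.group(1) == "1"})
    return findings


if __name__ == "__main__":
    for finding in find_autorun_indicators(SAMPLE_LOG):
        print(finding)
```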
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 18, 2008 15:58:24
Records in database: 1247904
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 93454
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 05:22:16
File name Threat name Threats count
C:\WINDOWS\system32\11.CPX Infected: Trojan.Win32.Agent.aeag 1
C:\_OTMoveIt\MovedFiles\09142008_221251\WINDOWS\system32\11.CPX Infected: Trojan.Win32.Agent.aeag 1
The selected area was scanned.
OTViewIt logfile created on: 19/09/2008 0:30:37 - Run 9
OTViewIt by OldTimer - Version 1.0.3.1 Folder = C:\Documents and Settings\Propietario\Mis documentos\PGMS
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy
1014,42 Mb Total Physical Memory | 511,50 Mb Available Physical Memory | 50,42% Memory free
2,39 Gb Paging File | 2,04 Gb Available in Paging File | 85,63% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 74,53 Gb Total Space | 39,45 Gb Free Space | 52,93% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 124,33 Mb Total Space | 32,73 Mb Free Space | 26,33% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ORGANIZA-6EEEB6
Current User Name: Propietario
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
========== Processes - Non-Microsoft Only ==========
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
[12/13/2001 01:01 AM | 00,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe
[06/03/2005 02:26 AM | 00,245,760 | ---- | M] (Intel) -- C:\Archivos de programa\Intel\Wireless\Bin\1XConfig.exe
[07/05/2005 10:47 PM | 00,544,768 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
[08/08/2005 11:13 AM | 00,163,840 | ---- | M] () -- C:\Archivos de programa\Power Manager\PM.exe
[03/18/2005 11:52 AM | 00,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
[09/13/2008 04:24 PM | 00,379,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Propietario\Mis documentos\PGMS\OTViewIt.exe
========== Win32 Services - Non-Microsoft Only ==========
[01/23/2007 10:00 PM | 00,077,944 | ---- | M] (Autodesk) -- C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service [On_Demand | Stopped])
[04/12/2002 01:00 AM | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service [Auto | Running])
[03/02/2006 02:00 PM | 00,225,792 | ---- | M] (Microsoft Corp., VERITAS Software) -- C:\WINDOWS\system32\dmadmin.exe -- (dmadmin [On_Demand | Stopped])
[11/17/2005 03:18 PM | 01,527,900 | ---- | M] (MAGIX®) -- C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance [On_Demand | Stopped])
========== Driver Services - Non-Microsoft Only ==========
[10/15/2004 01:50 PM | 00,015,295 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Running])
File not found -- C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys -- (catchme [On_Demand | Stopped])
[01/14/2005 11:22 AM | 00,005,504 | R--- | M] (EnE Technology Inc.) -- C:\WINDOWS\system32\drivers\EKBfltr.sys -- (EKBfltr [On_Demand | Running])
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped])
[09/20/2005 05:27 PM | 00,010,368 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
[06/19/2008 05:24 PM | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
[05/30/2008 06:30 PM | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (pcouffin [On_Demand | Stopped])
[09/03/2008 02:07 PM | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[09/03/2008 02:07 PM | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[09/03/2008 02:07 PM | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Archivos de programa\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[07/05/2005 10:54 PM | 00,840,100 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial [On_Demand | Running])
[06/03/2005 11:50 PM | 00,162,176 | ---- | M] (Texas Instruments) -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
File not found -- C:\WINDOWS\system32\drivers\klif.sys -- (TSP [On_Demand | Stopped])
[03/02/2002 12:21 AM | 00,004,944 | ---- | M] () -- C:\Archivos de programa\Power Manager\WinIo.sys -- (WINIO [On_Demand | Running])
========== Run Keys ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr" = ALCMTR.EXE (Realtek Semiconductor Corp.)
"ControlCenter2.0" = C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun (Brother Industries, Ltd.)
"EOUApp" = C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe (Intel Corporation)
"High Definition Audio Property Page Shortcut" = HDAShCut.exe (Windows (R) Server 2003 DDK provider)
"HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
"IndexSearch" = C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
"IntelWireless" = C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless (Intel Corporation)
"IntelZeroConfig" = C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
"NeroFilterCheck" = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
"PaperPort PTD" = C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
"Persistence" = C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"PowerDVD" = C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe /autostart (CyberLink Corp.)
"PowerManager" = C:\Archivos de programa\Power Manager\PM.exe ()
"QuickTime Task" = "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"RTHDCPL" = RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SetDefPrt" = C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe (Brother Industories, Ltd.)
"SMSERIAL" = sm56hlpr.exe (Motorola Inc.)
"SSBkgdUpdate" = "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Scansoft, Inc.)
"SunJavaUpdateSched" = "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe" (Sun Microsystems, Inc.)
"Telefonica" = "C:\Archivos de programa\Telefonica\bin\sprtcmd.exe" /P Telefonica (SupportSoft, Inc.)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchList" = C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe (Pinnacle Systems)
"NBJ" = "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe" (Ahead Software AG)
========== Startup Folders ==========
[03/05/2006 03:43 PM | 00,011,000 | ---- | M] (Autodesk, Inc) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
[09/23/2005 11:05 PM | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[04/23/2005 08:12 PM | 00,802,816 | ---- | M] (Brother Industries, Ltd.) -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Monitor de estado.lnk = C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
========== Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL" = http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page" = %SystemRoot%\system32\blank.htm
"Search Bar" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
"Search Page" = http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page" = http://go.microsoft.com/fwlink/?LinkId=69157
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page" = http://www.google.es/
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
========== BHO's ==========
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Toolbars ==========
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
========== Shell Execute Hooks ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
========== Winlogon Notify Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll -- C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
IntelWireless: "DllName" = C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll -- C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
========== Safeboot Options ==========
"AlternateShell" = cmd.exe
========== CDRom AutoRun Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1
========== Autorun Files on Drives ==========
AUTOEXEC.BAT [SET PATH=C:\Archivos de programa\Pinnacle\Shared Files;C:\Archivos de programa\Pinnacle\Shared Files\Filter | ]
[03/23/2008 11:37 PM | 00,000,109 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]
autorun.inf []
[09/12/2008 06:42 PM | RHSD | M] -- C:\autorun.inf -- [ NTFS ]
========== MountPoints2 ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\AutoRun\command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\explore\Command]
"" = dh66ln.cmd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\open\Command]
"" = dh66ln.cmd
========== DNS Name Servers ==========
{472F2256-6B58-4784-9CD8-32BD2E21A4F7} (Servers: | Description: Intel(R) PRO/Wireless 2200BG Network Connection)
{59B3C720-E9B0-45FE-B97C-2BD8CCDC2EB2} (Servers: 80.58.61.254,80.58.61.250 | Description: Broadcom 440x 10/100 Integrated Controller)
{A5175BD6-662B-46EA-A446-EECCE2055DAC} (Servers: 80.58.61.254,80.58.61.250 | Description: Adaptador de red 1394)
========== Hosts File ==========
HOSTS File = (792 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
========== Files/Folders - Created Within 30 days ==========
[08/30/2008 11:11 AM | ---D | C] -- C:\_OTMoveIt
[08/30/2008 11:18 AM | ---D | C] -- C:\SDFix
[09/08/2008 06:27 PM | 00,162,616 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\RegDelNull.exe
[09/12/2008 06:42 PM | RHSD | C] -- C:\autorun.inf
[09/13/2008 04:55 PM | -HSD | C] -- C:\RECYCLER
[08/30/2008 11:37 AM | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[08/30/2008 11:37 AM | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/06/2008 07:42 PM | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[09/12/2008 07:10 PM | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/28/2008 10:21 AM | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[09/14/2008 11:30 PM | 00,000,286 | ---- | C] () -- C:\WINDOWS\System32\112.CPX
[09/14/2008 11:30 PM | 00,000,411 | ---- | C] () -- C:\WINDOWS\System32\121.CPX
[5 C:\WINDOWS\*.tmp files]
[08/30/2008 11:19 AM | ---D | C] -- C:\WINDOWS\ERUNT
[09/06/2008 07:42 PM | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[09/06/2008 07:42 PM | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[09/06/2008 07:42 PM | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[09/18/2008 12:57 AM | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[09/18/2008 12:57 AM | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[09/13/2008 10:13 PM | 00,000,006 | -H-- | C] () -- C:\WINDOWS\tasks\SA.DAT
[08/20/2008 01:40 PM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
[08/23/2008 03:17 AM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
[08/30/2008 11:37 AM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
[09/14/2008 09:01 PM | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\SUPERAntiSpyware.com
[08/30/2008 11:37 AM | ---D | C] -- C:\Documents and Settings\Propietario\Datos de programa\Malwarebytes
[09/14/2008 09:01 PM | ---D | C] -- C:\Documents and Settings\Propietario\Datos de programa\SUPERAntiSpyware.com
[08/30/2008 11:46 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\LOGS
[08/31/2008 10:43 AM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\Quarantine
[09/07/2008 06:51 PM | ---D | C] -- C:\Documents and Settings\Propietario\Mis documentos\PGMS
[08/30/2008 11:37 AM | 00,000,731 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/14/2008 09:01 PM | 00,000,829 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\SUPERAntiSpyware Free Edition.lnk
[09/05/2008 11:29 AM | ---D | C] -- C:\Documents and Settings\Propietario\Escritorio\ZIPS
[08/20/2008 01:40 PM | ---D | C] -- C:\Archivos de programa\Spybot - Search & Destroy
[08/20/2008 01:49 AM | ---D | C] -- C:\Archivos de programa\Trend Micro
[08/23/2008 06:35 PM | ---D | C] -- C:\Archivos de programa\BitTorrent Fastest Tool
[08/30/2008 11:37 AM | ---D | C] -- C:\Archivos de programa\Malwarebytes' Anti-Malware
[09/02/2008 05:09 PM | ---D | C] -- C:\Archivos de programa\EsetOnlineScanner
[09/12/2008 07:09 PM | ---D | C] -- C:\Archivos de programa\Panda Security
[09/14/2008 09:01 PM | ---D | C] -- C:\Archivos de programa\SUPERAntiSpyware
========== Files - Modified Within 30 days ==========
[09/10/2008 06:25 PM | 00,000,211 | -HS- | M] () -- C:\boot.ini
[09/02/2008 12:16 AM | 00,017,200 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[09/02/2008 12:16 AM | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[09/06/2008 07:42 PM | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/23/2008 02:40 AM | 00,064,706 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[08/23/2008 02:40 AM | 00,084,476 | ---- | M] () -- C:\WINDOWS\System32\perfc00A.dat
[08/23/2008 02:40 AM | 00,409,566 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[08/23/2008 02:40 AM | 00,473,274 | ---- | M] () -- C:\WINDOWS\System32\perfh00A.dat
[08/23/2008 02:40 AM | 01,043,160 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[09/14/2008 11:30 PM | 00,000,286 | ---- | M] () -- C:\WINDOWS\System32\112.CPX
[09/14/2008 11:30 PM | 00,000,411 | ---- | M] () -- C:\WINDOWS\System32\121.CPX
[09/18/2008 06:32 PM | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[5 C:\WINDOWS\*.tmp files]
[08/29/2008 02:08 PM | 00,000,028 | ---- | M] () -- C:\WINDOWS\Robota.INI
[09/06/2008 07:42 PM | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[09/06/2008 07:42 PM | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[09/08/2008 02:25 PM | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[09/10/2008 06:25 PM | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[09/10/2008 06:25 PM | 00,000,799 | ---- | M] () -- C:\WINDOWS\win.ini
[09/14/2008 01:32 AM | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[09/15/2008 01:06 AM | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[09/16/2008 10:53 PM | 00,000,474 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[09/18/2008 06:32 PM | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[09/18/2008 12:57 AM | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[09/18/2008 12:57 AM | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[09/16/2008 10:25 AM | 00,000,298 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[09/18/2008 06:32 PM | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[09/13/2008 11:00 PM | 00,161,280 | ---- | M] () -- C:\Documents and Settings\Propietario\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[09/15/2008 01:06 AM | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documentos\PCLECHAL.INI
[09/17/2008 04:54 PM | 00,000,595 | ---- | M] () -- C:\Documents and Settings\Propietario\Mis documentos\Mis carpetas para compartir.lnk
[08/30/2008 11:37 AM | 00,000,731 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Malwarebytes' Anti-Malware.lnk
[09/02/2008 01:02 AM | 00,001,007 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Nero Online Upgrade.lnk
[09/14/2008 09:01 PM | 00,000,829 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\SUPERAntiSpyware Free Edition.lnk
[09/15/2008 04:37 PM | 00,002,165 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\iTunes.lnk
[08/23/2008 07:45 PM | 00,002,271 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Copia de PaperPort.lnk
[09/13/2008 06:27 PM | 00,065,536 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\PELICULES .xls
[09/17/2008 07:42 PM | 00,002,565 | ---- | M] () -- C:\Documents and Settings\Propietario\Escritorio\Microsoft Office Word 2003 (2).lnk
< End of report >
When I return tomorrow I am going to review this particular infection with some people who are knowledgeable about an earlier variant of it, to get good advice on what the hidden source is there.
[08/23/2008 06:35 PM | ---D | C] -- C:\Archivos de programa\BitTorrent Fastest Tool
31/08/2008 1:21:45 Detected: Heur.Trojan.Generic C:\Documents and Settings\Propietario\Configuración local\Temp\Rar$EX00.625\Bittorrent_Downloader_1808_CL_DW_0299.EXE/WISE0009.BIN
C:\Documents and Settings\Propietario\Mis documentos\Quarantine\Bittorrente_Downloader_1808_CL_DW_0299.txt Infected: Trojan-Downloader.Win32.Agent.afyh 1
That often shows as a startup in other threads, where the user complains about a "mobiswing" popup ad:
Run: [mobiswing] C:\PROGRA~1\BITTOR~1\BitP.exe
To analyze a new infection I am pretty good at locating files and software on the internet, but I cannot locate this:
BitTorrent Fastest Tool
Or this file:
BitP.exe
I also don't see in any of our logs where the normal log report of installed software showed, though maybe I am overlooking that. Post back what you know about that Bit software and where it comes from (and where I can get a copy of it also). In addition, run this tool so it will show the installed software in its info.txt log:
Download RSIT (random's system information tool) from here to your desktop, then click on the RSIT.exe to start the scan.
If necessary allow it to locate or download a copy of HijackThis as needed.
Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\info.txt.
RSIT will also create a second log, log.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored on your desktop).
You can use separate posts here when replying and posting the log files if needed.
info.txt logfile of random's system information tool 1.02 2008-09-21 14:06:53
======Uninstall list======
Sansa Media Converter-->"C:\Archivos de programa\InstallShield Installation Information\{FC053571-8507-44E4-8B6D-AACEAB8CA57C}\setup.exe" --u:{FC053571-8507-44E4-8B6D-AACEAB8CA57C}
-->C:\Archivos de programa\DivX\ConverterUninstall.exe /CONVERTER
-->MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
-->MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Actualización de seguridad para el Reproductor de Windows Media (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Actualización de seguridad para el Reproductor de Windows Media 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Actualización de seguridad para el Reproductor de Windows Media 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Actualización de seguridad para el Reproductor de Windows Media 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Actualización de seguridad para el Reproductor de Windows Media 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Actualización de seguridad para Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Actualización de seguridad para Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Actualización de seguridad para Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Actualización para Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Actualización para Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Actualización para Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Actualización para Windows XP (KB900930)-->"C:\WINDOWS\$NtUninstallKB900930$\spuninst\spuninst.exe"
Actualización para Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Actualización para Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Actualización para Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Actualización para Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Actualización para Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Actualización para Windows XP (KB920342)-->"C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Actualización para Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Actualización para Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Actualización para Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Actualización para Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Actualización para Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Actualización para Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Actualización para Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Actualización para Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Actualización para Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Actualización para Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Actualización para Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Actualización para Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Ad-Aware SE Personal-->C:\ARCHIV~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\ARCHIV~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.8 - Español-->MsiExec.exe /I{AC76BA86-7AD7-1034-7B44-A70800000002}
Apple Mobile Device Support-->MsiExec.exe /I{8FC46258-0843-4D79-B7F0-F2B82FE6173B}
Apple Software Update-->MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Asistente Técnico de Telefónica-->MsiExec.exe /X{689FCC19-5582-4D88-BDC6-490EB7DAFB82}
AutoCAD 2007 - Español-->MsiExec.exe /I{5783F2D7-5001-040A-0002-0060B0CE6BBA}
Autodesk DWF Viewer-->C:\ARCHIV~1\Autodesk\AUTODE~1\Setup.exe /remove /q0
Avanquest update-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0xa
Broadcom 440x 10/100 Integrated Controller-->C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1034
Brother MFL-Pro Suite-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{BB9AC6BF-71B6-42A4-9689-C17D9F44E79A}\Setup.exe" -l0xa Brunin03.dllBrunin03.dll
Canon Camera Access Library-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\G726Decoder\G726DecUnInstall.ini"
CANON iMAGE GATEWAY Task for ZoomBrowser EX-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\ZoomBrowser EX\Program\CRWUnInstall.ini"
Canon Internet Library for ZoomBrowser EX-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\ZoomBrowser EX\Program\CIGUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"C:\Archivos de programa\Archivos comunes\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Archivos de programa\Canon\ZoomBrowser EX\Program\Uninst.ini"
Cliente de Windows Rights Management con Service Pack 2-->MsiExec.exe /X{169A15A0-6131-4274-8A8B-7E50702A1F52}
Compresor WinRAR-->C:\Archivos de programa\WinRAR\uninstall.exe
Cucusoft AVI to DVD/VCD/SVCD/MPEG Converter Pro 4.29-->"C:\Archivos de programa\Cucusoft\avi-dvd-pro\unins000.exe"
DivX Codec-->C:\Archivos de programa\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Archivos de programa\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Archivos de programa\DivX\ConverterUninstall.exe /CONVERTER
DivX Player-->C:\Archivos de programa\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Archivos de programa\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DP-Book 2.1.2.6-->"C:\Archivos de programa\DP-Book\unins000.exe"
ESET Online Scanner-->C:\WINDOWS\system32\OnlineScannerUninstaller.exe
Firebird SQL Server - MAGIX Edition-->C:\Archivos de programa\MAGIX\Common\Database\unwise.exe
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Guitar Pro 5.2-->"C:\Archivos de programa\Guitar Pro 5\unins000.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel(R) PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
iTunes-->MsiExec.exe /I{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Learn to Play Magic Demo-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{14D84464-5919-4BA7-B51F-B2EFAE95DCC8}\setup.exe"
Loquendo TTS: Carmen (Spanish)-->"C:\Archivos de programa\Loquendo\LTTS\unins000.exe"
Los Sims Superstar-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{1A7F8DF6-5A3E-4CDF-BC82-BE26B407E21B}\setup.exe" -l000a
Macromedia Dreamweaver 3 Es-->C:\WINDOWS\IsUn040a.exe -f"c:\archivos de programa\dreamweaver 3.0\Dreamweaver 3\Uninst.isu"
MAGIX music maker 2006 e-version (ES)-->C:\MAGIX\mm2006_e-version\instslct.exe
MAGIX Screenshare 4.3.6.1987 (ES)-->C:\Archivos de programa\MAGIX\PCVisit\unwise.exe
Malwarebytes' Anti-Malware-->"C:\Archivos de programa\Malwarebytes' Anti-Malware\unins000.exe"
Martin ProSceniumDMX-->C:\WINDOWS\ST5UNST.EXE -n "c:\MartinPS\ST5UNST.LOG"
mCore-->MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver-->MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi-->MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU.msi-->MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp-->MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1 Spanish Language Pack-->MsiExec.exe /X{83169D43-4660-4347-BC95-E9D6E6BE65CE}
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110C0A-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA-->MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Motorola Phone Tools-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0xa -removeonly
Motorola SM56 Data Fax Modem-->rundll32.exe sm56co.dll,SM56UnInstaller
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN-->C:\Archivos de programa\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML-->MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig-->MsiExec.exe /I{7CD7A451-7224-49C8-95EF-9A1859C66607}
Nero OEM-->C:\Archivos de programa\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Panda ActiveScan 2.0-->C:\Archivos de programa\Panda Security\ActiveScan 2.0\as2uninst.exe
PaperPort-->MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
Paquete de idioma de Microsoft .NET Framework 2.0 - ESN-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0 Language Pack - ESN\install.exe
Paquete de proveedor base de servicios de cifrado para tarjetas inteligentes de Microsoft-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Pinnacle Instant DVD Recorder-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\setup.exe" -l0xa UNINSTALL
Pla de Renovació d'Electrodomèstics a Catalunya (O)-->"C:\Archivos de programa\ICAEN\Pla de Renovació d'Electrodomèstics a Catalunya (O)\unins000.exe"
Power Manager 1.9.6-->"C:\Archivos de programa\Power Manager\unins000.exe"
PowerDVD-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RCT3 Soaked-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{EA926717-CE5A-4CB4-AB21-9E6E9565A458}\Setup.exe" -l0xa
Realtek High Definition Audio Driver-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0xa -removeonly
Reproductor de Windows Media 11-->"C:\Archivos de programa\Windows Media Player\Setup_wm.exe" /Uninstall
Revisión de Windows XP - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Revisión de Windows XP - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Revisión de Windows XP - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Revisión de Windows XP - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Revisión de Windows XP - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Revisión de Windows XP - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Revisión de Windows XP - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Revisión de Windows XP - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Revisión para el Reproductor de Windows Media 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Revisión para Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Revisión para Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Revisión para Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Revisión para Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
RollerCoaster Tycoon 3-->RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\Setup.exe" -l0xa
Router monopuerto-->C:\Archivos de programa\Telefonica\AsistCfg71\Uninstal.exe
SP2 con compatibilidad hacia atrás con cliente de Windows Rights Management-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Studio 11-->C:\Archivos de programa\InstallShield Installation Information\{110B1ADF-2EAE-4E8F-B501-D2A1E6D8ED9D}\Setup2.exe -runfromtemp -l0x000a UNINSTALL -removeonly
SUPER © Version 2007.bld.23 (July 4, 2007)-->C:\ARCHIV~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Texas Instruments PCIxx21/x515 drivers.-->C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{406A5ABF-CA65-4E11-95C7-52228FE48F58} /l1034
Text-To-Speech-Runtime-->MsiExec.exe /X{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}
The KMPlayer (remove only)-->"C:\Archivos de programa\The KMPlayer\uninstall.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{1692CC0E-8798-493A-9580-23555E21C14B}
Windows Live Sign-in Assistant-->MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Media Format 11 runtime-->"C:\Archivos de programa\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Xvid 1.1.3 final uninstall-->"C:\Archivos de programa\Xvid\unins000.exe"
Yahoo! Desktop Login-->MsiExec.exe /I{F9AEEC34-CF00-4CBD-9E36-DF9DC4002685}
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Archivos de programa\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Archivos de programa\Java\jre1.5.0_09\lib\ext\QTJava.zip
"QTJAVA"=C:\Archivos de programa\Java\jre1.5.0_09\lib\ext\QTJava.zip
EOF
Run by Propietario at 2008-09-21 14:06:48
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 40 GB (53%) free of 76 GB
Total RAM: 1014 MB (54% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:06:51, on 21/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Canon\CAL\CALMAIN.exe
C:\Archivos de programa\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Power Manager\PM.exe
C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe
C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Telefonica\bin\sprtcmd.exe
C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Propietario\Mis documentos\PGMS\RSIT.exe
C:\Archivos de programa\Trend Micro\HijackThis\Propietario.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PowerManager] C:\Archivos de programa\Power Manager\PM.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Telefonica] "C:\Archivos de programa\Telefonica\bin\sprtcmd.exe" /P Telefonica
O4 - HKLM\..\Run: [PowerDVD] C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe /autostart
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LaunchList] C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor de estado.lnk = C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ES-ES/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165920465979
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59B3C720-E9B0-45FE-B97C-2BD8CCDC2EB2}: NameServer = 80.58.61.254,80.58.61.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5175BD6-662B-46EA-A446-EECCE2055DAC}: NameServer = 80.58.61.254,80.58.61.250
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Archivos de programa\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: RegSrvc - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 9752 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 434279]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 324416]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"SMSERIAL"=C:\WINDOWS\sm56hlpr.exe [2005-07-05 544768]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-06-08 14565376]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"PowerManager"=C:\Archivos de programa\Power Manager\PM.exe [2005-08-08 163840]
"IntelZeroConfig"=C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe [2005-05-31 401408]
"IntelWireless"=C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe [2005-06-03 385024]
"EOUApp"=C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe [2005-05-31 356352]
"SunJavaUpdateSched"=C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe [2006-10-12 49263]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"SSBkgdUpdate"=C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]
"PaperPort PTD"=C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe [2005-03-18 57393]
"IndexSearch"=C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe [2005-03-18 40960]
"SetDefPrt"=C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe [2005-01-26 49152]
"ControlCenter2.0"=C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe [2005-05-17 933888]
"QuickTime Task"=C:\Archivos de programa\QuickTime\qttask.exe [2007-04-27 282624]
"Telefonica"=C:\Archivos de programa\Telefonica\bin\sprtcmd.exe [2005-10-06 192512]
"PowerDVD"=C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe [2002-06-13 389120]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-01-13 131072]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-01-13 163840]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-01-13 135168]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2006-03-02 15360]
"MSMSGS"=C:\Archivos de programa\Messenger\msmsgs.exe [2004-10-13 1694208]
"LaunchList"=C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe [2007-03-21 145496]
"NBJ"=C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe [2005-10-11 1961984]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Archivos de programa\iTunes\iTunesHelper.exe [2007-06-28 270648]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^ WinCinema Manager.lnk]
C:\ARCHIV~1\Sandisk\Common\Bin\WINCIN~1.EXE [2006-09-26 303104]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Propietario^Menú Inicio^Programas^Inicio^OpenOffice.org 2.0.lnk]
C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe []
C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Acelerador de inicio de AutoCAD.lnk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
Inicio rápido de Adobe Reader.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Monitor de estado.lnk - C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-01-13 204800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll [2005-05-31 110592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll schannel.dll digest.dll msnsspc.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Archivos de programa\Telefonica\AsistCfg71\awcbrwsr.exe"="C:\Archivos de programa\Telefonica\AsistCfg71\awcbrwsr.exe:*:Disabled:Aplicación MFC awcbrwsr"
"C:\Archivos de programa\Kazaa Lite K++\KazaaLite.kpp"="C:\Archivos de programa\Kazaa Lite K++\KazaaLite.kpp:*:Disabled:KazaaLite"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Disabled:enable"
"C:\Archivos de programa\Internet Explorer\iexplore.exe"="C:\Archivos de programa\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"C:\Archivos de programa\iTunes\iTunes.exe"="C:\Archivos de programa\iTunes\iTunes.exe:*:Disabled:iTunes"
"C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE"="C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE:*:Disabled:OUTLOOK.EXE"
"C:\Archivos de programa\Pinnacle\Studio 11\programs\PMSRegisterFile.exe"="C:\Archivos de programa\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:*:Disabled:PMSRegisterFile"
"C:\Archivos de programa\Pinnacle\Studio 11\programs\RM.exe"="C:\Archivos de programa\Pinnacle\Studio 11\programs\RM.exe:*:Disabled:Render Manager"
"C:\Archivos de programa\Pinnacle\Studio 11\programs\Studio.exe"="C:\Archivos de programa\Pinnacle\Studio 11\programs\Studio.exe:*:Disabled:Studio"
"C:\Archivos de programa\Pinnacle\Studio 11\programs\umi.exe"="C:\Archivos de programa\Pinnacle\Studio 11\programs\umi.exe:*:Disabled:umi"
"C:\Archivos de programa\MSN Messenger\msncall.exe"="C:\Archivos de programa\MSN Messenger\msncall.exe:*:Disabled:Windows Live Messenger 8.0 (Phone)"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\Archivos de programa\Messenger\msmsgs.exe"="C:\Archivos de programa\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Archivos de programa\MSN Messenger\msncall.exe"="C:\Archivos de programa\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}]
shell\AutoRun\command - dh66ln.cmd
shell\explore\command - dh66ln.cmd
shell\open\command - dh66ln.cmd
======File associations======
.scr - open - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"
.scr - install -
.scr - config -
======List of files/folders created in the last 1 months======
2008-09-21 14:06:48 ----D---- C:\rsit
2008-09-14 22:19:27 ----A---- C:\find2.txt
2008-09-14 21:01:54 ----D---- C:\Documents and Settings\All Users\Datos de programa\SUPERAntiSpyware.com
2008-09-14 21:01:38 ----D---- C:\Documents and Settings\Propietario\Datos de programa\SUPERAntiSpyware.com
2008-09-14 21:01:38 ----D---- C:\Archivos de programa\SUPERAntiSpyware
2008-09-14 01:32:31 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-14 01:32:09 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-09-13 16:55:31 ----SHD---- C:\RECYCLER
2008-09-12 19:09:53 ----D---- C:\Archivos de programa\Panda Security
2008-09-12 18:42:08 ----RASHD---- C:\autorun.inf
2008-09-08 18:27:47 ----A---- C:\RegDelNull.exe
2008-09-08 14:13:16 ----A---- C:\InfoSat.txt
2008-09-06 19:42:46 ----A---- C:\WINDOWS\gmer.ini
2008-09-06 19:42:43 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-09-06 19:42:43 ----A---- C:\WINDOWS\gmer.exe
2008-09-06 19:42:43 ----A---- C:\WINDOWS\gmer.dll
2008-09-02 17:09:20 ----D---- C:\Archivos de programa\EsetOnlineScanner
2008-08-30 11:37:48 ----D---- C:\Documents and Settings\Propietario\Datos de programa\Malwarebytes
2008-08-30 11:37:43 ----D---- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
2008-08-30 11:37:43 ----D---- C:\Archivos de programa\Malwarebytes' Anti-Malware
2008-08-30 11:19:09 ----D---- C:\WINDOWS\ERUNT
2008-08-30 11:18:11 ----D---- C:\SDFix
2008-08-30 11:11:50 ----D---- C:\_OTMoveIt
2008-08-28 10:21:26 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-08-23 18:35:13 ----D---- C:\Archivos de programa\BitTorrent Fastest Tool
2008-08-23 03:17:47 ----D---- C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab Setup Files
======List of files/folders modified in the last 1 months======
2008-09-21 14:04:22 ----D---- C:\Archivos de programa\iTunes
2008-09-21 13:47:07 ----D---- C:\WINDOWS\Prefetch
2008-09-21 13:19:12 ----D---- C:\WINDOWS\Temp
2008-09-21 13:18:46 ----D---- C:\WINDOWS\system32\Lang
2008-09-21 13:18:34 ----D---- C:\WINDOWS\system32
2008-09-20 01:57:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-09-18 00:57:51 ----D---- C:\WINDOWS
2008-09-16 22:53:10 ----A---- C:\WINDOWS\BRWMARK.INI
2008-09-16 22:39:05 ----D---- C:\WINDOWS\system32\CatRoot2
2008-09-15 01:06:15 ----A---- C:\WINDOWS\NeroDigital.ini
2008-09-14 22:12:51 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-09-14 21:01:43 ----SHD---- C:\WINDOWS\Installer
2008-09-14 21:01:38 ----AD---- C:\Archivos de programa
2008-09-14 21:01:06 ----D---- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2008-09-14 01:32:33 ----HD---- C:\WINDOWS\inf
2008-09-14 01:32:32 ----D---- C:\WINDOWS\WinSxS
2008-09-14 01:32:23 ----HD---- C:\WINDOWS\$hf_mig$
2008-09-14 01:32:14 ----A---- C:\WINDOWS\imsins.BAK
2008-09-13 22:13:51 ----SD---- C:\WINDOWS\Tasks
2008-09-13 16:12:25 ----D---- C:\WINDOWS\system32\drivers
2008-09-13 12:55:28 ----A---- C:\DTSHDSpOut.txt
2008-09-12 18:54:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-09-10 18:25:19 ----SH---- C:\boot.ini
2008-09-10 18:25:19 ----A---- C:\WINDOWS\win.ini
2008-09-10 18:25:19 ----A---- C:\WINDOWS\system.ini
2008-09-10 13:46:18 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-08 20:11:22 ----D---- C:\WINDOWS\system32\Restore
2008-09-08 18:14:34 ----D---- C:\WINDOWS\Minidump
2008-09-07 02:43:19 ----D---- C:\Documents and Settings
2008-09-02 18:09:05 ----D---- C:\Archivos de programa\DVDFab 5
2008-08-29 14:10:57 ----D---- C:\WINDOWS\system32\MAGIX
2008-08-29 14:08:00 ----A---- C:\WINDOWS\Robota.INI
2008-08-28 19:54:47 ----D---- C:\WINDOWS\pss
2008-08-28 11:05:20 ----D---- C:\WINDOWS\system32\CatRoot
2008-08-28 10:21:25 ----D---- C:\WINDOWS\Debug
2008-08-28 10:11:06 ----D---- C:\WINDOWS\Help
2008-08-26 22:28:12 ----A---- C:\WINDOWS\system32\MRT.exe
2008-08-25 01:26:33 ----HD---- C:\Archivos de programa\Drivers
2008-08-23 03:19:28 ----D---- C:\Archivos de programa\Spybot - Search & Destroy
2008-08-23 03:19:26 ----D---- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
2008-08-23 02:40:48 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-08-22 19:45:41 ----D---- C:\Archivos de programa\AntiVir PersonalEdition Classic
2008-08-22 19:40:51 ----D---- C:\Documents and Settings\All Users\Datos de programa\AntiVir PersonalEdition Classic
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Controlador de procesador Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2006-03-02 40320]
R1 SASDIFSV;SASDIFSV; \??\C:\Archivos de programa\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Archivos de programa\SUPERAntiSpyware\SASKUTIL.sys []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-12-12 17801]
R2 s24trans;Transporte WLAN; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2005-05-03 11354]
R3 Arp1394;Protocolo de cliente ARP 1394; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2006-03-02 60800]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2004-10-11 45056]
R3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2004-10-15 15295]
R3 CmBatt;Controlador de batería de método de control ACPI de Microsoft; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 EKBfltr;ENE Keyboard Controller; C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 5504]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Controlador de clases HID de Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-01-13 5672032]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-06-08 3160576]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2005-09-20 10368]
R3 IWCA;Intel Wireless Connection Agent Miniport for Win XP; C:\WINDOWS\system32\DRIVERS\iwca.sys [2004-08-12 234496]
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2007-01-04 171520]
R3 mouhid;Controlador HID de mouse; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-22 12416]
R3 NIC1394;Controlador de red 1394; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2006-03-02 61824]
R3 pfc;PADUS ASPI SHELL; C:\WINDOWS\system32\drivers\pfc.sys [2002-06-13 14604]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2006-03-02 67584]
R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2005-07-05 840100]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-06-03 162176]
R3 usbccgp;Controlador primario genérico USB de Microsoft; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Controlador minipuerto de la controladora mejorada USB 2.0 de Microsoft; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Concentrador habilitado USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Clase de impresora USB de Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 USBSTOR;Dispositivo de almacenamiento masivo de datos USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Controlador minipuerto de la controladora de host universal USB de Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 w29n51;Controlador de la Conexión de red Intel(R) PRO/Wireless 2200BG para Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2005-04-30 3281408]
R3 WINIO;WINIO; \??\C:\Archivos de programa\Power Manager\winio.sys []
R3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
R3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 catchme;catchme; \??\C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-06 85969]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-05-30 47360]
S3 SASENUM;SASENUM; \??\C:\Archivos de programa\SUPERAntiSpyware\SASENUM.SYS []
S3 TSP;TSP; \??\C:\WINDOWS\system32\drivers\klif.sys []
S3 usbscan;Controlador de escáner USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 usbsermpt;Motorola USB Modem Driver for MPT; C:\WINDOWS\system32\DRIVERS\usbsermpt.sys [2007-01-26 22768]
S4 sr;Controlador de filtro de Restaurar sistema; C:\WINDOWS\system32\DRIVERS\sr.sys [2006-03-02 73600]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-06-28 106496]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-12 57344]
R2 CCALib8;Canon Camera Access Library 8; C:\Archivos de programa\Canon\CAL\CALMAIN.exe [2006-03-30 96341]
R2 EvtEng;EvtEng; C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe [2005-06-03 86016]
R2 OwnershipProtocol;OwnershipProtocol; C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe [2005-05-31 98304]
R2 RegSrvc;RegSrvc; C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe [2005-06-03 139264]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe [2005-06-03 372809]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2006-03-02 14336]
S2 PCLEPCI;PCLEPCI; C:\WINDOWS\system32\drivers\pclepci.sys [2005-02-09 14165]
S3 aspnet_state;Servicio de estado de ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe [2007-01-23 77944]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
S3 iPod Service;Servicio del iPod; C:\Archivos de programa\iPod\bin\iPodService.exe [2007-06-28 501048]
S3 ose;Office Source Engine; C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Servicio Lector del diario USN de Carpetas para compartir de Messenger; C:\Archivos de programa\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WMPNetworkSvc;Servicio de uso compartido de red del Reproductor de Windows Media; C:\Archivos de programa\Windows Media Player\WMPNetwk.exe [2006-11-03 916480]
EOF
C:\Documents and Settings\Propietario\Mis documentos\Quarantine\Bittorrente_Downloader_1808_CL_DW_0299.txt
I am not quite sure what created that "Quarantine" folder it is stored in.
Then either upload them as you have done or send them as attachments to jintan@cfl.rr.com.
It was created by me. I followed your advice: "Steps To Take Before Posting a HijackThis Log!" and "The "How To" Thread".
I ran Kaspersky online and it found Bitorrente_Downloader_CL_DW_0299.txt. I changed the name and put it in quarantine. Now it no longer exists; I deleted it.
I've sent you the zip folder
I have asked others very knowledgeable in this malware variant for assistance. I will post back once some reviewing is completed.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints 2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}\Shell\explore\Command]
"" = dh66ln.cmd
Those entries are created by the infection, but MountPoints2 entries indicate a device was used. For example, when you plug in a USB drive, this creates one if one for it was not already there. That dh66ln.cmd file is not being found on this computer, but by the look of the logs it is located somewhere, and may be what is recreating the infection there.
Is someone installing and removing a device there still, especially a device that was not installed when the Kaspersky scan was run? That dh66ln.cmd file is known, so I expect it to be located by Kaspersky if the device that has that file is installed when the scan is run.
Install ALL devices that have been used on this computer. ALL of them.
Go here and download Agent Ransack to your desktop, then click the downloaded file to install the program. Once installed go to Start - Programs and open Agent Ransack.
Under "Look in:", use the dropdown box to change that to:
All Drives
Under the Advanced tab, type the following, exactly as shown, into the text box next to "Containing text:"
dh66ln
Make no other changes at this time. Then click the "Start search" button (upper right corner) and allow Agent Ransack to search. This will take quite a while to complete, depending on the number of files stored on the system, so please allow the scan to complete and not use the computer while it is running.
When the scan is done go to File - Save Results, and click the "Save" button to save the information to your clipboard. Then open Notepad and click Paste to copy the scan results. Save this as amigo.txt.
Zip a copy of that file, and again send it to Jintan as an attachment please.
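The MountPoints2 reading in the post above, written out as an added example (this is not code from the thread, RSIT or any of the tools mentioned): a small Python parser that takes the "Registry dump" section of an RSIT log, collects every MountPoints2 key together with its shell\<verb>\command lines, and flags keys whose open, explore or AutoRun handler is a bare script or executable name, which is what a file living in the root of the removable device looks like. The sample text is constructed for the example; the first key copies the entry posted in this thread, the second is a made-up clean key for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a slice of an RSIT "Registry dump" section. The first
# MountPoints2 key reproduces the entry posted in this thread; the second is a
# made-up, benign key shown for contrast (a key with no shell\...\command lines,
# which is what RSIT prints for a device whose autorun handlers are untouched).
SAMPLE_DUMP = r"""======Registry dump======
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}]
shell\AutoRun\command - dh66ln.cmd
shell\explore\command - dh66ln.cmd
shell\open\command - dh66ln.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaaaaaa-0000-0000-0000-000000000000}]
======File associations======
.scr - open - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CMD_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
SECTION_RE = re.compile(r"^======.*======$")
# Extensions an autorun worm typically drops next to autorun.inf on removable media.
EXEC_EXT = (".cmd", ".bat", ".exe", ".com", ".pif", ".scr", ".vbs", ".js")


@dataclass
class MountPoint:
    key: str
    commands: dict = field(default_factory=dict)  # verb (lowercase) -> command text

    @property
    def hijacked_verbs(self):
        """Verbs whose handler is a bare script/executable name with no path,
        i.e. something that runs from the root of the device itself."""
        out = []
        for verb, cmd in self.commands.items():
            target = cmd.strip().strip('"').split()[0] if cmd.strip() else ""
            if target.lower().endswith(EXEC_EXT) and "\\" not in target and ":" not in target:
                out.append(verb)
        return out

    @property
    def suspicious(self):
        return bool(self.hijacked_verbs)


def parse_mountpoints(text):
    """Parse the Registry dump section of an RSIT log and return one MountPoint
    per MountPoints2 key, carrying any shell\\<verb>\\command lines under it."""
    entries, current, in_dump = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):          # "======Registry dump======" etc.
            in_dump = "Registry dump" in line
            current = None
            continue
        if not in_dump:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            current = MountPoint(key) if "mountpoints2" in key.lower() else None
            if current is not None:
                entries.append(current)
            continue
        c = CMD_RE.match(line)
        if current is not None and c:
            current.commands[c.group("verb").lower()] = c.group("cmd").strip()
    return entries


def flag(entries):
    """Return only the MountPoints2 entries with hijacked verbs."""
    return [e for e in entries if e.suspicious]


if __name__ == "__main__":
    for e in flag(parse_mountpoints(SAMPLE_DUMP)):
        guid = e.key.rsplit("\\", 1)[-1]
        print(f"{guid}: verbs {', '.join(sorted(e.hijacked_verbs))} -> {sorted(set(e.commands.values()))}")
```

The GUID in the key is the volume identity Windows assigned when the device was first plugged in, so a hit here only tells you which device carried the file, not where the file is now; that is why the post asks for every device to be reconnected before the next scan.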
C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
20FriendlyNameiv32ðÿÿÿXß Ø`R
May be uneventful, but use the RegSearch tool again and do a search using the following, then post back that log please:
iv32
that the answer is... yes. It's difficult for young people to be obedient (she's 17) and patient. What do you need about the iPod? That it was always connected, or perhaps that it was always disconnected? (It's easiest for me that it was always disconnected.)
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "iv32" 28/09/2008 23:08:12
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.iv32"="ir32_32.dll"
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\ActiveMovie\devenum\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\iv32]
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\ActiveMovie\devenum\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\iv32]
"FccHandler"="iv32"
If you truly did not do it yet, install ALL drives, including your daughter's iPod, and run a new Kaspersky online scan. Make sure to select My Computer so it will scan all drives. Save that log and post it back here please.
Also from the ntuser.dat file you sent there are more registry and file locations for us to check. Slowly we are getting near to how this infection is keeping itself alive there.
Again click on the regsearch.exe (Bobbi Flekman's - sharp guy) to run the tool. In the display panel, copy and paste the following into the upper box:
DisableContactEncryption
Then click Okay. Once the scan completes a textbox will open - copy/paste those contents back here please (the RegSearch.txt log can also be found in the same location as the regsearch.exe file you clicked).
Repeat that using the following for the search:
MISVDE
6 6 l n <- note this one has spaces
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt, then press Enter:
dir /s /a "c:\*MISVDE*.*" > c:\find3.txt && notepad c:\find3.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
Once that Notepad textbox opens, also click at the prompt in the still open command console window and type exit to close that.
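An added example covering both the Agent Ransack "Containing text" search from earlier in the thread and the dir /s /a step above (my code, not part of the thread and not how either tool works internally): a Python 3 walk over a directory tree that reports files whose name contains a fragment (as dir /s /a "*MISVDE*.*" does, minus directory names) and scans file contents for a marker in two byte forms, plain ASCII and UTF-16LE. The UTF-16LE form is my assumption about why the "6 6 l n" search term above has spaces: registry hives store strings as UTF-16, so in an ASCII view each letter of dh66ln is followed by a NUL that renders as a space, and a narrow-text search for dh66ln will not match it. The fixture files are constructed here and exist on nobody's machine.

```python
import os
import tempfile
from pathlib import Path


def encodings_for(marker):
    """Byte forms a marker can take on disk. Registry hives and most Windows
    strings are UTF-16LE, so 'dh66ln' is stored as d\\0h\\06\\06\\0l\\0n\\0 and is
    invisible to a plain-text search (assumption, see the lead-in)."""
    return {"ascii": marker.encode("ascii"), "utf-16le": marker.encode("utf-16-le")}


def search_tree(root, name_fragment, marker, max_bytes=64 * 1024 * 1024):
    """Walk root like `dir /s /a` (os.walk does not skip hidden files) and
    return (name_hits, content_hits). Files over max_bytes are skipped for
    content scanning to keep memory bounded."""
    name_hits, content_hits = [], []
    needles = encodings_for(marker)
    frag = name_fragment.lower()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if frag in fn.lower():
                name_hits.append(p)
            try:
                if p.stat().st_size > max_bytes:
                    continue
                data = p.read_bytes()
            except OSError:      # unreadable or vanished file: report nothing, keep going
                continue
            for enc, needle in needles.items():
                if needle in data:
                    content_hits.append((p, enc))
    return name_hits, content_hits


def build_sample_tree(root):
    """Constructed fixture: a name hit, a UTF-16LE content hit, an ASCII
    content hit and a clean file. None of these are real artefacts."""
    root = Path(root)
    (root / "sub").mkdir(parents=True, exist_ok=True)
    (root / "sub" / "MISVDE_cache.dat").write_bytes(b"nothing interesting")
    (root / "hive.bin").write_bytes(b"\x00" * 8 + "dh66ln".encode("utf-16-le") + b"\x00" * 8)
    (root / "launcher.cmd").write_bytes(b"@echo off\r\nstart dh66ln.cmd\r\n")
    (root / "clean.txt").write_bytes(b"hello")
    return root


def demo():
    """Run the search over the fixture and return paths relative to the root,
    with forward slashes so the result is the same on every platform."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        names, contents = search_tree(root, "MISVDE", "dh66ln")
        rel = lambda p: p.relative_to(root).as_posix()
        return [rel(p) for p in names], sorted((rel(p), enc) for p, enc in contents)


if __name__ == "__main__":
    names, contents = demo()
    print("name hits:", names)
    print("content hits:", contents)
```

Two caveats for a live box rather than this fixture: run it from a clean environment (the XP Recovery Console or a boot disc), since a resident dropper can hide or re-create files under a running Windows; and a filename search like *MISVDE*.* also matches 8.3 short names, so the "Mis vídeos" folders listed in the dir output further down the thread would be explained if their short name is MISVDE~1 (my reading, not confirmed anywhere on the page).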
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 29, 2008 16:58:18
Records in database: 1274227
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
D:\
E:\
F:\
Scan statistics
Files scanned: 92125
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:37:57
File name / Threat name / Threats count
C:\WINDOWS\system32\11.CPX - Infected: Trojan.Win32.Agent.aeag - 1
C:\_OTMoveIt\MovedFiles\09142008_221251\WINDOWS\system32\11.CPX - Infected: Trojan.Win32.Agent.aeag - 1
The selected area was scanned.
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "DisableContactEncryption" 30/09/2008 19:32:27
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\1137476314]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\1457479864]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\1689847770]
"DisableContactEncryption"=dword:00000000
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\1813097281]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\1814784178]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\2208902307]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\2707989751]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\2710156302]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\3262091864]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\3419243273]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\4138893379]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\4140820327]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\870950700]
"DisableContactEncryption"=hex:00,00,00,00
[HKEY_USERS\S-1-5-21-343818398-884357618-839522115-1003\Software\Microsoft\Windows Live\Communications Clients\Shared\897330043]
"DisableContactEncryption"=hex:00,00,00,00
El volumen de la unidad C no tiene etiqueta.
El número de serie del volumen es: F084-9B57
Directorio de c:\Documents and Settings\All Users\Documentos
23/03/2008 23:38 <DIR> Mis vídeos
0 archivos 0 bytes
Directorio de c:\Documents and Settings\Propietario\Mis documentos
07/05/2008 22:07 <DIR> Mis vídeos
0 archivos 0 bytes
Total de archivos en la lista:
0 archivos 0 bytes
2 dirs 42.406.797.312 bytes libres
C:\WINDOWS\system32\11.CPX
I will review again with others as I have been. Please run and post back a current RSIT log to work with for that.
Logfile of random's system information tool 1.02 (written by random/random)
Run by Propietario at 2008-10-01 19:36:49
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 40 GB (53%) free of 76 GB
Total RAM: 1014 MB (52% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:36:52, on 01/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Archivos de programa\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\ARCHIV~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Power Manager\PM.exe
C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe
C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe
C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Telefonica\bin\sprtcmd.exe
C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Java\jre1.5.0_09\bin\jucheck.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Propietario\Mis documentos\PGMS\RSIT.exe
C:\Archivos de programa\Trend Micro\HijackThis\Propietario.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PowerManager] C:\Archivos de programa\Power Manager\PM.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Telefonica] "C:\Archivos de programa\Telefonica\bin\sprtcmd.exe" /P Telefonica
O4 - HKLM\..\Run: [PowerDVD] C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe /autostart
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LaunchList] C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor de estado.lnk = C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/ES-ES/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165920465979
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59B3C720-E9B0-45FE-B97C-2BD8CCDC2EB2}: NameServer = 80.58.61.254,80.58.61.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5175BD6-662B-46EA-A446-EECCE2055DAC}: NameServer = 80.58.61.254,80.58.61.250
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Archivos de programa\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: RegSrvc - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 9976 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 434279]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 324416]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"SMSERIAL"=C:\WINDOWS\sm56hlpr.exe [2005-07-05 544768]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-06-08 14565376]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"PowerManager"=C:\Archivos de programa\Power Manager\PM.exe [2005-08-08 163840]
"IntelZeroConfig"=C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe [2005-05-31 401408]
"IntelWireless"=C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe [2005-06-03 385024]
"EOUApp"=C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe [2005-05-31 356352]
"SunJavaUpdateSched"=C:\Archivos de programa\Java\jre1.5.0_09\bin\jusched.exe [2006-10-12 49263]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"SSBkgdUpdate"=C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]
"PaperPort PTD"=C:\Archivos de programa\ScanSoft\PaperPort\pptd40nt.exe [2005-03-18 57393]
"IndexSearch"=C:\Archivos de programa\ScanSoft\PaperPort\IndexSearch.exe [2005-03-18 40960]
"SetDefPrt"=C:\Archivos de programa\Brother\Brmfl05a\BrStDvPt.exe [2005-01-26 49152]
"ControlCenter2.0"=C:\Archivos de programa\Brother\ControlCenter2\brctrcen.exe [2005-05-17 933888]
"QuickTime Task"=C:\Archivos de programa\QuickTime\qttask.exe [2007-04-27 282624]
"Telefonica"=C:\Archivos de programa\Telefonica\bin\sprtcmd.exe [2005-10-06 192512]
"PowerDVD"=C:\Archivos de programa\CyberLink\PowerDVD\PowerDVD.exe [2002-06-13 389120]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-01-13 131072]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-01-13 163840]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-01-13 135168]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2006-03-02 15360]
"MSMSGS"=C:\Archivos de programa\Messenger\msmsgs.exe [2004-10-13 1694208]
"LaunchList"=C:\Archivos de programa\Pinnacle\Studio 11\LaunchList2.exe [2007-03-21 145496]
"NBJ"=C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe [2005-10-11 1961984]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Archivos de programa\iTunes\iTunesHelper.exe [2007-06-28 270648]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^ WinCinema Manager.lnk]
C:\ARCHIV~1\Sandisk\Common\Bin\WINCIN~1.EXE [2006-09-26 303104]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Propietario^Menú Inicio^Programas^Inicio^OpenOffice.org 2.0.lnk]
C:\Archivos de programa\OpenOffice.org 2.0\program\quickstart.exe []
C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Acelerador de inicio de AutoCAD.lnk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
Inicio rápido de Adobe Reader.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Monitor de estado.lnk - C:\Archivos de programa\Brother\Brmfcmon\BrMfcWnd.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-01-13 204800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
C:\Archivos de programa\Intel\Wireless\Bin\LgNotify.dll [2005-05-31 110592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll schannel.dll digest.dll msnsspc.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Archivos de programa\Telefonica\AsistCfg71\awcbrwsr.exe"="C:\Archivos de programa\Telefonica\AsistCfg71\awcbrwsr.exe:*:Disabled:Aplicación MFC awcbrwsr"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Disabled:enable"
"C:\Archivos de programa\Internet Explorer\iexplore.exe"="C:\Archivos de programa\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"C:\Archivos de programa\iTunes\iTunes.exe"="C:\Archivos de programa\iTunes\iTunes.exe:*:Disabled:iTunes"
"C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE"="C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE:*:Disabled:OUTLOOK.EXE"
"C:\Archivos de programa\Pinnacle\Studio 11\programs\PMSRegisterFile.exe"="C:\Archivos de programa\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:*:Disabled:PMSRegisterFile"
"C:\Archivos de programa\Pinnacle\Studio 11\programs\RM.exe"="C:\Archivos de programa\Pinnacle\Studio 11\programs\RM.exe:*:Disabled:Render Manager"
"C:\Archivos de programa\Pinnacle\Studio 11\programs\Studio.exe"="C:\Archivos de programa\Pinnacle\Studio 11\programs\Studio.exe:*:Disabled:Studio"
"C:\Archivos de programa\Pinnacle\Studio 11\programs\umi.exe"="C:\Archivos de programa\Pinnacle\Studio 11\programs\umi.exe:*:Disabled:umi"
"C:\Archivos de programa\MSN Messenger\msncall.exe"="C:\Archivos de programa\MSN Messenger\msncall.exe:*:Disabled:Windows Live Messenger 8.0 (Phone)"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\Archivos de programa\Messenger\msmsgs.exe"="C:\Archivos de programa\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Archivos de programa\MSN Messenger\msncall.exe"="C:\Archivos de programa\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Archivos de programa\MSN Messenger\msnmsgr.exe"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Archivos de programa\MSN Messenger\livecall.exe"="C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b3388ea-eecb-11dc-b2d4-00166f4e7cbd}]
shell\AutoRun\command - dh66ln.cmd
shell\explore\command - dh66ln.cmd
shell\open\command - dh66ln.cmd
======File associations======
.reg - open - regedit.exe "%1" %*
.scr - open - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"
.scr - install -
.scr - config -
======List of files/folders created in the last 1 months======
2008-09-30 21:04:49 ----A---- C:\find3.txt
2008-09-25 19:49:50 ----D---- C:\Archivos de programa\Mythicsoft
2008-09-21 14:06:48 ----D---- C:\rsit
2008-09-14 22:19:27 ----A---- C:\find2.txt
2008-09-14 21:01:54 ----D---- C:\Documents and Settings\All Users\Datos de programa\SUPERAntiSpyware.com
2008-09-14 21:01:38 ----D---- C:\Documents and Settings\Propietario\Datos de programa\SUPERAntiSpyware.com
2008-09-14 21:01:38 ----D---- C:\Archivos de programa\SUPERAntiSpyware
2008-09-14 01:32:31 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-14 01:32:09 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-09-13 16:55:31 ----SHD---- C:\RECYCLER
2008-09-12 19:09:53 ----D---- C:\Archivos de programa\Panda Security
2008-09-12 18:42:08 ----RASHD---- C:\autorun.inf
2008-09-08 18:27:47 ----A---- C:\RegDelNull.exe
2008-09-08 14:13:16 ----A---- C:\InfoSat.txt
2008-09-06 19:42:46 ----A---- C:\WINDOWS\gmer.ini
2008-09-06 19:42:43 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-09-06 19:42:43 ----A---- C:\WINDOWS\gmer.exe
2008-09-06 19:42:43 ----A---- C:\WINDOWS\gmer.dll
2008-09-02 17:09:20 ----D---- C:\Archivos de programa\EsetOnlineScanner
======List of files/folders modified in the last 1 months======
2008-10-01 19:23:05 ----D---- C:\WINDOWS\system32
2008-10-01 18:35:23 ----D---- C:\WINDOWS\Temp
2008-10-01 17:25:41 ----D---- C:\WINDOWS\Prefetch
2008-10-01 16:00:06 ----D---- C:\WINDOWS
2008-10-01 13:56:52 ----D---- C:\WINDOWS\system32\Lang
2008-10-01 00:40:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-09-30 22:35:16 ----D---- C:\WINDOWS\system32\CatRoot2
2008-09-28 20:27:47 ----A---- C:\WINDOWS\NeroDigital.ini
2008-09-25 19:49:50 ----AD---- C:\Archivos de programa
2008-09-23 20:57:42 ----D---- C:\WINDOWS\Minidump
2008-09-21 14:04:22 ----D---- C:\Archivos de programa\iTunes
2008-09-16 22:53:10 ----A---- C:\WINDOWS\BRWMARK.INI
2008-09-14 22:12:51 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-09-14 21:01:43 ----SHD---- C:\WINDOWS\Installer
2008-09-14 21:01:06 ----D---- C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2008-09-14 01:32:33 ----HD---- C:\WINDOWS\inf
2008-09-14 01:32:32 ----D---- C:\WINDOWS\WinSxS
2008-09-14 01:32:23 ----HD---- C:\WINDOWS\$hf_mig$
2008-09-14 01:32:14 ----A---- C:\WINDOWS\imsins.BAK
2008-09-13 22:13:51 ----SD---- C:\WINDOWS\Tasks
2008-09-13 16:12:25 ----D---- C:\WINDOWS\system32\drivers
2008-09-13 12:55:28 ----A---- C:\DTSHDSpOut.txt
2008-09-12 18:54:04 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-09-10 18:25:19 ----SH---- C:\boot.ini
2008-09-10 18:25:19 ----A---- C:\WINDOWS\win.ini
2008-09-10 18:25:19 ----A---- C:\WINDOWS\system.ini
2008-09-10 13:46:18 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-08 20:11:22 ----D---- C:\WINDOWS\system32\Restore
2008-09-07 02:43:19 ----D---- C:\Documents and Settings
2008-09-07 01:50:56 ----D---- C:\Archivos de programa\Malwarebytes' Anti-Malware
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Controlador de procesador Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2006-03-02 40320]
R1 SASDIFSV;SASDIFSV; \??\C:\Archivos de programa\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Archivos de programa\SUPERAntiSpyware\SASKUTIL.sys []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-12-12 17801]
R2 s24trans;Transporte WLAN; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2005-05-03 11354]
R3 Arp1394;Protocolo de cliente ARP 1394; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2006-03-02 60800]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2004-10-11 45056]
R3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2004-10-15 15295]
R3 CmBatt;Controlador de batería de método de control ACPI de Microsoft; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 EKBfltr;ENE Keyboard Controller; C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 5504]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Controlador de clases HID de Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-01-13 5672032]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-06-08 3160576]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2005-09-20 10368]
R3 IWCA;Intel Wireless Connection Agent Miniport for Win XP; C:\WINDOWS\system32\DRIVERS\iwca.sys [2004-08-12 234496]
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2007-01-04 171520]
R3 mouhid;Controlador HID de mouse; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-22 12416]
R3 NIC1394;Controlador de red 1394; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2006-03-02 61824]
R3 pfc;PADUS ASPI SHELL; C:\WINDOWS\system32\drivers\pfc.sys [2002-06-13 14604]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2006-03-02 67584]
R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2005-07-05 840100]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-06-03 162176]
R3 usbccgp;Controlador primario genérico USB de Microsoft; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Controlador minipuerto de la controladora mejorada USB 2.0 de Microsoft; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Concentrador habilitado USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Clase de impresora USB de Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 USBSTOR;Dispositivo de almacenamiento masivo de datos USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Controlador minipuerto de la controladora de host universal USB de Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 w29n51;Controlador de la Conexión de red Intel(R) PRO/Wireless 2200BG para Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2005-04-30 3281408]
R3 WINIO;WINIO; \??\C:\Archivos de programa\Power Manager\winio.sys []
R3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
R3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 catchme;catchme; \??\C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\catchme.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-09-06 85969]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-05-30 47360]
S3 SASENUM;SASENUM; \??\C:\Archivos de programa\SUPERAntiSpyware\SASENUM.SYS []
S3 TSP;TSP; \??\C:\WINDOWS\system32\drivers\klif.sys []
S3 usbscan;Controlador de escáner USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 usbsermpt;Motorola USB Modem Driver for MPT; C:\WINDOWS\system32\DRIVERS\usbsermpt.sys [2007-01-26 22768]
S4 sr;Controlador de filtro de Restaurar sistema; C:\WINDOWS\system32\DRIVERS\sr.sys [2006-03-02 73600]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-06-28 106496]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-12 57344]
R2 CCALib8;Canon Camera Access Library 8; C:\Archivos de programa\Canon\CAL\CALMAIN.exe [2006-03-30 96341]
R2 EvtEng;EvtEng; C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe [2005-06-03 86016]
R2 OwnershipProtocol;OwnershipProtocol; C:\Archivos de programa\Intel\Wireless\Bin\OProtSvc.exe [2005-05-31 98304]
R2 RegSrvc;RegSrvc; C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe [2005-06-03 139264]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe [2005-06-03 372809]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2006-03-02 14336]
R3 iPod Service;Servicio del iPod; C:\Archivos de programa\iPod\bin\iPodService.exe [2007-06-28 501048]
R3 usnjsvc;Servicio Lector del diario USN de Carpetas para compartir de Messenger; C:\Archivos de programa\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S2 PCLEPCI;PCLEPCI; C:\WINDOWS\system32\drivers\pclepci.sys [2005-02-09 14165]
S3 aspnet_state;Servicio de estado de ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe [2007-01-23 77944]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance; C:\Archivos de programa\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
S3 ose;Office Source Engine; C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Servicio de uso compartido de red del Reproductor de Windows Media; C:\Archivos de programa\Windows Media Player\WMPNetwk.exe [2006-11-03 916480]
EOF
The significant point in much of the review is that results of logs only show part of the information - parts of the results I would expect to see are missing. This suggests null keys, or binary storage of data - but more so null keys. And most of those related to values that include this:
"__LongTerm__"
Very little available web information on that. All I locate so far suggests this registry value is where certain software has hidden registration information, that can be changed to use the software without actually purchasing and registering it. Do you recognize that term?
I would also like to check this file, since it would be in binary code and could hide information. Please upload or email that if you would:
C:\Documents and Settings\Propietario\Escritorio\PELICULES.xls
About "__LongTerm__", I don't recognize it.
PELICULES.xls has been sent to Jintan. It's an evaluation film list.
I don't think that it was a problem; I have had it since a long time ago.
I have been asked by an expert assisting me in reviews elsewhere a few times for some files to check, and I have forgotten to ask for them. These are important in bootup instructions, and may be involved in why changes mysteriously appear here each time.
Make sure you can see hidden files still, then locate the following files, and send copies of them to me please:
C:\WINDOWS\system.ini
C:\WINDOWS\win.ini
C:\WINDOWS\bootstat.dat
It would be best if you sent them unzipped, and also zipped, so I can see the difference between those methods (zipping, or using rar, possibly changes code inside certain files).
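A simple way to settle whether sending a file zipped altered anything is to hash it before archiving and again after extraction and compare the digests. The script below is an added example for this thread, not a tool from the original posts or from any of the scanners named in the logs. It writes a few constructed stand-ins for the requested files into a temporary folder (the content is invented, not the real system.ini, win.ini or bootstat.dat), zips them with Python's standard zipfile module, extracts them again and reports per file whether the SHA-256 matched.

```python
"""Hash-before / hash-after check for files sent through a zip archive.

Added example for this thread (not code from the original posts).
The sample files are constructed stand-ins, not copies of real system files.
"""
import hashlib
import os
import tempfile
import zipfile
from typing import Dict, Tuple

# Constructed sample content (assumption: small text and binary files like the
# ones requested in the thread). bootstat.dat stand-in contains every byte
# value, including NUL, so binary handling is exercised too.
SAMPLE_FILES = {
    "system.ini": b"; for 16-bit app support\r\n[drivers]\r\nwave=mmdrv.dll\r\ntimer=timer.drv\r\n",
    "win.ini": b"; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n",
    "bootstat.dat": bytes(range(256)) * 4,
}


def sha256_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in binary mode so no newline translation happens."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """Map each file name directly under root to its SHA-256 digest."""
    return {name: sha256_file(os.path.join(root, name)) for name in sorted(os.listdir(root))}


def zip_roundtrip(src_dir: str, work_dir: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Zip every file in src_dir, extract the archive elsewhere, return (hashes before, hashes after)."""
    archive = os.path.join(work_dir, "bundle.zip")
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(os.listdir(src_dir)):
            zf.write(os.path.join(src_dir, name), arcname=name)
    out_dir = os.path.join(work_dir, "extracted")
    os.makedirs(out_dir)
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(out_dir)
    return hash_tree(src_dir), hash_tree(out_dir)


def compare(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, str]:
    """Per-file verdict: identical, CHANGED, or missing after extraction."""
    report = {}
    for name in sorted(set(before) | set(after)):
        if name not in after:
            report[name] = "missing after extraction"
        elif before[name] != after[name]:
            report[name] = "CHANGED"
        else:
            report[name] = "identical"
    return report


def run_demo() -> Dict[str, str]:
    """Write the constructed samples, zip and extract them, and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(src)
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        before, after = zip_roundtrip(src, tmp)
        return compare(before, after)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

The same before/after comparison works for any transfer method (zip, rar, e-mail attachment): hash on the sending side, hash on the receiving side, and a mismatch tells you the transport changed bytes. The usual culprit in practice is not the archiver but copying a text file through something that rewrites line endings, which is why the hashing above always opens files in binary mode.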
If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.
If you are not the user who started this thread, you must start your own thread instead.