
problems with win32.agent.at and smitfraud-C.toolbar888



cbehrends
2007-03-27, 14:08
Hi!

I have problems with win32.agent.at and smitfraud-C.toolbar888.

I followed these steps:

1) Scan with updated Spybot: Every time I scan, the problem seems fixed with the exception of just one item of the win32.agent. However, after a new scan all problems reappear. Here is the log:

--------------------------------------------------------------------------

--- Report generated: 2007-03-26 21:36 ---

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-813497703-682003330-1003\Software\Microsoft\aldd

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Araf15

Win32.Agent.At: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\PsapiAnalyzer.PsapiAnalyzer

Win32.Agent.At: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\PsapiAnalyzer.PsapiAnalyzer.1

Win32.Agent.At: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0A07916B-B841-4184-AAD5-06FE2F75788C}

Win32.Agent.At: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A07916B-B841-4184-AAD5-06FE2F75788C}

Win32.Agent.At: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-813497703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{871A54C1-1EB3-48BD-A879-5DBA4EF16BE6}

Win32.Agent.At: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

Win32.Agent.At: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

BFast: Tracking cookie (Internet Explorer: Andy) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-03-11 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-03-21 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-03-21 Includes\DialerC.sbi (*)
2007-03-21 Includes\Hijackers.sbi (*)
2007-03-21 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-03-21 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-03-21 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-03-21 Includes\PUPSC.sbi (*)
2007-03-21 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-03-21 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-03-21 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-03-21 Includes\Trojans.sbi (*)
2007-03-21 Includes\TrojansC.sbi (*)

--------------------------------------------------------------------------

2) Run an on-line Anti Virus scan.
I ran Panda on-line. Here is the log:
--------------------------------------------------------------------------

Incident Status Location

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\blkhlwwg.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\bpevxhuh.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\cknkpevn.dll
Adware:Adware/WebSearch Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\dbxcxubj.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\gaswwrsv.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\hnnkbfoe.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\jlpvxxng.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\lrhtbykh.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\nreiayxk.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\oexorxyx.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\uklfjbpy.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\xhpkfefk.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\yhxvgemp.dll
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Andy\Cookies\andy@bfast[1].txt
Potentially unwanted tool:Application/Reboot.A Not disinfected C:\WINDOWS\pss\Reboot.exeCommon Startup
--------------------------------------------------------------------------


3) Run Spybot in Safe Mode:
I ran SpyBot several times, but the result is similar to that in normal mode.

4) HiJackThis log
I ran HijackThis. Here is the log file:

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 09:46:01 p.m., on 26/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\qkkvkupe.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--------------------------------------------------------------------------

I appreciate very much your support!

Carlos
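The HijackThis log above carries the entries that the rest of this thread turns on: a rundll32 autorun loading a DLL with a random-looking name out of system32, and an AppInit_DLLs value (later logs add BHOs in the Windows directory, a Winlogon Notify DLL and a Trusted Zone entry). The script below is an added example and not part of the original post or of HijackThis itself: it triages a HJT 1.99 log for exactly those entry types. The sample lines are copied from the logs in this thread; the rules (which sections to flag, and the "8 lowercase letters" random-name test) are this example's own heuristics, so treat its output as a review list, not a verdict.

```python
"""Triage a HijackThis 1.99 log for the persistence entries seen in this thread.

Added example, not part of the original post. The sample lines are copied from
the logs posted here; the rules below (which sections to flag, the 8-letter
'random name' test) are this example's own heuristics, not HijackThis logic.
"""
import os
import re

# Constructed sample: O2/O4/O15/O20/O23 lines taken from the posted logs.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PsapiAnalyzer Object - {0A07916B-B841-4184-AAD5-06FE2F75788C} - c:\windows\taskwave.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\qkkvkupe.dll",setvm
O15 - Trusted Zone: http://www.clarin.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
"""

LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
MISSING = " (file missing)"


def parse(log):
    """Yield (section, rest) for every HJT entry line, skipping headers and blanks."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def is_random_name(path):
    """Heuristic: an 8-letter, all-lowercase, digit-free DLL basename, the pattern
    of the rotating names in the posted logs (qkkvkupe, kmvfrtgl, gnqybxsf).
    Legitimate DLLs can match too, so treat this as a hint, not a verdict."""
    stem, ext = os.path.splitext(os.path.basename(path.replace("\\", "/")).lower())
    return ext == ".dll" and len(stem) == 8 and stem.isalpha()


def triage(log):
    """Return (section, reason, target) for each entry worth a closer look."""
    findings = []
    for section, rest in parse(log):
        text = rest.replace(MISSING, "")
        if section == "O2":
            dll = text.rsplit(" - ", 1)[-1]
            if rest.endswith(MISSING):
                findings.append((section, "orphaned BHO: CLSID still registered, DLL gone", dll))
            elif dll.lower().startswith("c:\\windows"):
                # Commercial BHOs live under Program Files; these drop into %WINDIR%.
                findings.append((section, "BHO loaded from the Windows directory", dll))
        elif section == "O4" and "rundll32" in text.lower():
            m = re.search(r'"([^"]+\.dll)"', text, re.IGNORECASE)
            dll = m.group(1) if m else text
            reason = "rundll32 autorun loading a DLL"
            if is_random_name(dll):
                reason += " with a random-looking name"
            findings.append((section, reason, dll))
        elif section == "O15":
            findings.append((section, "site added to the IE Trusted Zone", text))
        elif section == "O20":
            # AppInit_DLLs is loaded into every process that loads user32.dll;
            # Winlogon Notify DLLs run inside winlogon.exe at every logon.
            kind, _, target = text.partition(": ")
            findings.append((section, kind + " injection point", target.split(" - ")[-1]))
    return findings


if __name__ == "__main__":
    for section, reason, target in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:50} {target}")
```

Run it against a full log and you get the six entries a helper would ask about first; everything in Program Files, the O9/O16/O18 lines and the signed services are left alone. The random-name test is deliberately loose: it is there to rank, and a hit still needs the file checked (VirusTotal, publisher, timestamp) before anything is deleted.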

Shaba
2007-03-28, 19:13
Hi cbehrends

Rename HijackThis.exe to HJT.exe and post a fresh HijackThis log, please :)

cbehrends
2007-04-01, 02:25
Hi shaba,

You asked me to rename the HiJackThis.exe file to HJT.exe and to generate a fresh log.

Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 09:22:24 p.m., on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PsapiAnalyzer Object - {0A07916B-B841-4184-AAD5-06FE2F75788C} - c:\windows\taskwave.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O20 - Winlogon Notify: taskwave - c:\windows\taskwave.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


Sorry for the delayed answer, I was on a trip!

Regards,

Carlos

Shaba
2007-04-01, 10:57
Hi

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

cbehrends
2007-04-01, 17:42
Hi Shaba,

I downloaded Vundo, ran it, and this is the log:

--------------------------------------------------------------------------
VundoFix V6.3.18

Checking Java version...

Sun Java not detected
Scan started at 11:50:46 a.m. 01/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\ldmyocjo.dll
C:\WINDOWS\system32\xajcvcrd.dll
c:\windows\taskwave.dll

Beginning removal...

Attempting to delete c:\windows\taskwave.dll
c:\windows\taskwave.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\taskwave.dll
c:\windows\taskwave.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Sun Java not detected
Scan started at 12:17:56 p.m. 01/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\ldmyocjo.dll

Beginning removal...

Performing Repairs to the registry.
Done!

--------------------------------------------------------------------------

Then I ran HJT.exe, resulting in this log file:

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:38:38 p.m., on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

-------------------------------------------------------------------------

It seems there is still a problem, as Vundo shows a file that appeared after rebooting.

Regards,

Carlos

Shaba
2007-04-01, 18:30
Hi

Upload these files to VirusTotal (http://www.virustotal.com/en/indexf.html) and post back results here:

C:\WINDOWS\Driver Cache\i386\cabsvr.dll
C:\WINDOWS\system32\gnqybxsf.dll

cbehrends
2007-04-02, 00:40
Hi Shaba,

Thanks for the quick answer!

Here is the result for C:\WINDOWS\Driver Cache\i386\cabsvr.dll

--------------------------------------------------------------------------
Antivirus Version Update Result
AhnLab-V3 2007.3.31.0 04.01.2007 no virus found
AntiVir 7.3.1.47 04.01.2007 TR/Vundo.Gen
Authentium 4.93.8 03.31.2007 no virus found
Avast 4.7.936.0 03.31.2007 no virus found
AVG 7.5.0.447 04.01.2007 no virus found
BitDefender 7.2 04.02.2007 no virus found
CAT-QuickHeal 9.00 03.31.2007 no virus found
ClamAV devel-20070312 04.01.2007 no virus found
DrWeb 4.33 04.01.2007 Trojan.Virtumod
eSafe 7.0.15.0 04.01.2007 no virus found
eTrust-Vet 30.6.3527 03.31.2007 no virus found
Ewido 4.0 04.01.2007 no virus found
FileAdvisor 1 04.02.2007 no virus found
Fortinet 2.85.0.0 04.01.2007 suspicious
F-Prot 4.3.1.45 03.30.2007 no virus found
F-Secure 6.70.13030.0 04.01.2007 no virus found
Ikarus T3.1.1.3 04.01.2007 no virus found
Kaspersky 4.0.2.24 04.01.2007 no virus found
McAfee 4997 03.31.2007 no virus found
Microsoft 1.2306 04.01.2007 no virus found
NOD32v2 2161 04.01.2007 no virus found
Norman 5.80.02 03.31.2007 no virus found
Panda 9.0.0.4 04.01.2007 Suspicious file
Prevx1 V2 04.02.2007 no virus found
Sophos 4.16.0 03.30.2007 no virus found
Sunbelt 2.2.907.0 03.31.2007 no virus found
Symantec 10 04.02.2007 no virus found
TheHacker 6.1.6.083 03.30.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.3 04.01.2007 no virus found
VirusBuster 4.3.7:9 04.01.2007 no virus found
Webwasher-Gateway 6.0.1 04.01.2007 Trojan.Vundo.Gen


Aditional Information
File size: 253746 bytes
MD5: f6d8711eeaee5953fcf5ee61d11832d1
SHA1: ee0eeefd9bf668c34a65fe6b1c48fad428f75f89


------------------------------------------------------------------------

And now for C:\WINDOWS\system32\gnqybxsf.dll

-------------------------------------------------------------------------

Antivirus Version Update Result
AhnLab-V3 2007.3.31.0 04.01.2007 no virus found
AntiVir 7.3.1.47 04.01.2007 TR/Crypt.ULPM.Gen
Authentium 4.93.8 03.31.2007 no virus found
Avast 4.7.936.0 03.31.2007 no virus found
AVG 7.5.0.447 04.01.2007 no virus found
BitDefender 7.2 04.02.2007 Trojan.Virtumod.GM
CAT-QuickHeal 9.00 03.31.2007 no virus found
ClamAV devel-20070312 04.01.2007 no virus found
DrWeb 4.33 04.01.2007 Trojan.Virtumod
eSafe 7.0.15.0 04.01.2007 no virus found
eTrust-Vet 30.6.3527 03.31.2007 no virus found
Ewido 4.0 04.01.2007 no virus found
FileAdvisor 1 04.02.2007 no virus found
Fortinet 2.85.0.0 04.01.2007 suspicious
F-Prot 4.3.1.45 03.30.2007 no virus found
F-Secure 6.70.13030.0 04.01.2007 no virus found
Ikarus T3.1.1.3 04.01.2007 no virus found
Kaspersky 4.0.2.24 04.01.2007 no virus found
McAfee 4997 03.31.2007 no virus found
Microsoft 1.2306 04.01.2007 no virus found
NOD32v2 2161 04.01.2007 no virus found
Norman 5.80.02 03.31.2007 no virus found
Panda 9.0.0.4 04.01.2007 Suspicious file
Prevx1 V2 04.02.2007 no virus found
Sophos 4.16.0 03.30.2007 no virus found
Sunbelt 2.2.907.0 03.31.2007 no virus found
Symantec 10 04.02.2007 Trojan Horse
TheHacker 6.1.6.083 03.30.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.3 04.01.2007 no virus found
VirusBuster 4.3.7:9 04.01.2007 no virus found
Webwasher-Gateway 6.0.1 04.01.2007 Trojan.Crypt.ULPM.Gen


Aditional Information
File size: 43796 bytes
MD5: b6d40074bd6a9216c40f1ea3ef847a00
SHA1: 5237985c40dab3744f5551f026e22bd82b84f061

-------------------------------------------------------------------------

Thanks!

Carlos
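Two things are worth checking in a pasted VirusTotal result before a file is deleted on the strength of it: how many engines actually flagged it (and whether the verdicts are named families or just "suspicious"), and that the MD5/SHA1 in the report match the file that is still on disk, since the logs in this thread show DLL names changing between reboots. The script below is an added example, not part of the original post or of VirusTotal: it parses the report format as posted above and compares the listed digests with locally computed ones. The report text is a constructed subset of the rows posted for cabsvr.dll; counting every verdict other than "no virus found" (including "suspicious") as a detection is this example's choice.

```python
"""Parse a pasted VirusTotal result table and verify a file's digests against it.

Added example, not part of the original post. The report text is a constructed
subset of the rows posted in this thread; counting every result other than
'no virus found' (including 'suspicious') as a detection is this example's choice.
"""
import hashlib
import re

SAMPLE_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.3.31.0 04.01.2007 no virus found
AntiVir 7.3.1.47 04.01.2007 TR/Vundo.Gen
DrWeb 4.33 04.01.2007 Trojan.Virtumod
Fortinet 2.85.0.0 04.01.2007 suspicious
NOD32v2 2161 04.01.2007 no virus found
Panda 9.0.0.4 04.01.2007 Suspicious file
Webwasher-Gateway 6.0.1 04.01.2007 Trojan.Vundo.Gen

Aditional Information
File size: 253746 bytes
MD5: f6d8711eeaee5953fcf5ee61d11832d1
SHA1: ee0eeefd9bf668c34a65fe6b1c48fad428f75f89
"""

# vendor, engine version, update date (MM.DD.YYYY), verdict (may contain spaces)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d\d\.\d\d\.\d{4})\s+(.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1):\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s*bytes")


def parse_report(text):
    """Return {'scanned': n, 'detections': {vendor: verdict}, 'hashes': {...}, 'size': n}."""
    scanned, detections, hashes, size = 0, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            vendor, verdict = m.group(1), m.group(4).strip()
            scanned += 1
            if verdict.lower() != "no virus found":
                detections[vendor] = verdict
            continue
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1)] = m.group(2).lower()
            continue
        m = SIZE_RE.match(line)
        if m:
            size = int(m.group(1))
    return {"scanned": scanned, "detections": detections, "hashes": hashes, "size": size}


def digests_of_chunks(chunks):
    """MD5 and SHA1 over an iterable of byte chunks, streamed so large files fit."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}


def file_digests(path):
    """Digest a file on disk without reading it into memory at once."""
    with open(path, "rb") as f:
        return digests_of_chunks(iter(lambda: f.read(1 << 16), b""))


def matches_report(local, report):
    """True only if every digest the report lists equals the local one.
    Check this before deleting: the file on disk must be the one VT analysed."""
    return bool(report["hashes"]) and all(
        local.get(algo) == digest for algo, digest in report["hashes"].items())


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(f"{len(r['detections'])}/{r['scanned']} engines flagged the file:")
    for vendor, verdict in r["detections"].items():
        print(f"  {vendor}: {verdict}")
```

Against the full table posted for cabsvr.dll this gives 5 of 32 engines, two of them only "suspicious"; for gnqybxsf.dll it is 7 of 32, with the named Virtumod/Vundo verdicts carrying the weight. Pair `file_digests(path)` with `matches_report` on the machine itself: a mismatch means the DLL has been replaced since the upload and the report no longer describes what is there.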

Shaba
2007-04-02, 08:11
Hi

Both are Vundo, as expected.

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Driver Cache\i386\cabsvr.dll
C:\WINDOWS\system32\gnqybxsf.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Post a fresh HijackThis log.

cbehrends
2007-04-03, 00:23
Hi Shaba,

I ran the KillBox Tool. It was a little confusing as it was unclear if both files were registered to delete, so I did it twice. It was not necessary to run missingfilesetup.exe.

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 07:15:17 p.m., on 02/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\kmvfrtgl.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clarin.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--------------------------------------------------------------------------

Is it OK?

Thanks,

Carlos
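Comparing this log with the one in the first post shows what the tools have and have not achieved: the [SoundService] rundll32 entry is back with a new DLL name (qkkvkupe.dll has become kmvfrtgl.dll), the AppInit_DLLs entry is unchanged, and the orphaned BHO, the Winlogon Notify DLL and an O15 Trusted Zone entry have appeared. A plain line diff misses the first of these because the name changed. The script below is an added example, not part of the original post or of HijackThis: it diffs two HJT logs after collapsing random-looking DLL names to a placeholder, so a rotated name is reported as the same entry rather than as one removal and one addition. The two logs are constructed subsets of the 27/03 and 02/04 logs in this thread; the "8 lowercase letters" normalisation is this example's own heuristic.

```python
"""Diff two HijackThis logs, treating random-named DLLs as the same entry.

Added example, not part of the original post. The two logs are constructed
subsets of the 27/03 and 02/04 logs posted in this thread; collapsing any
8-letter lowercase DLL name to a placeholder is this example's own heuristic.
"""
import re

FIRST_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\qkkvkupe.dll",setvm
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
"""

LATEST_LOG = r"""
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\kmvfrtgl.dll",setvm
O15 - Trusted Zone: http://www.clarin.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
"""

# A path separator followed by exactly eight lowercase letters and ".dll".
RAND8 = re.compile(r"\\([a-z]{8})\.dll\b")


def normalise(line):
    """Replace a random-looking DLL name with a placeholder so that two
    generations of the same entry compare equal. Heuristic (assumption)."""
    return RAND8.sub(r"\\<rand8>.dll", line)


def entries(log):
    """Map normalised entry -> raw line, keeping the log's order. Two raw lines
    that normalise identically would collapse into one; acceptable for triage."""
    return {normalise(l.strip()): l.strip() for l in log.splitlines() if l.strip()}


def diff_logs(old, new):
    """Classify entries as added, removed, or rotated (same entry, new DLL name).
    Entries identical in both logs are not reported."""
    before, after = entries(old), entries(new)
    result = {"added": [], "removed": [], "rotated": []}
    for key, line in after.items():
        if key not in before:
            result["added"].append(line)
        elif before[key] != line:
            result["rotated"].append((before[key], line))
    result["removed"] = [line for key, line in before.items() if key not in after]
    return result


if __name__ == "__main__":
    for kind, items in diff_logs(FIRST_LOG, LATEST_LOG).items():
        print(kind.upper())
        for item in items:
            print("  ", item)
```

For the two logs above the result is one rotated entry (SoundService), three added entries and nothing removed, which is the picture a helper reads from the raw logs by eye: the loader that re-creates the DLL is still running, so deleting individual files by name keeps chasing a moving target. Keep each HJT log you post so the series can be diffed the same way.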

Shaba
2007-04-03, 08:45
Hi

More research is needed.

Create a Startup List
Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Copy and paste the StartupList from the notepad into your next post

Download F-Secure Blacklight and save it to your desktop -> https://europe.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe, accept the agreement, click Scan, then click Next

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (xxxx = random numbers, the Blacklight log from your desktop)

Post:

- startuplist
- blacklight log

cbehrends
2007-04-04, 00:26
Hi Shaba,

Mmm... it seems it is a difficult case. Here is the HJT startup list:

------------------------------------------------------------------------

StartupList report, 03/04/2007, 07:15:33 p.m.
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Andy\Menú Inicio\Programas\Inicio]
HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio]
Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nod32kui = "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
iTunesHelper = "C:\Archivos de programa\iTunes\iTunesHelper.exe"
mHotKey = C:\ARCHIV~1\GENIUS~2\mHotkey.exe
SoundService = rundll32.exe "C:\WINDOWS\system32\hmcwqpws.dll",setvm

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
MSMSGS = "C:\Archivos de programa\Messenger\msmsgs.exe" /background
Skype = "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\gnqybxsf.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\ldmyocjo.dll (file missing) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
HP DArC Task #Hewlett-Packard#7200#CN3641B36QE0.job
HP Usg Daily.job

--------------------------------------------------

Enumerating Download Program Files:

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ManagerActiveXBKB Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveXBKB.dll
CODEBASE = https://www.bankboston.com.br/download/ActiveXBKBCab.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6.627 bytes
Report generated in 0,234 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


------------------------------------------------------------------------

The fsbl log sounds cryptic to me:

-------------------------------------------------------------------------

04/03/07 19:18:48 [Info]: BlackLight Engine 1.0.61 initialized
04/03/07 19:18:48 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/03/07 19:18:48 [Note]: 7019 4
04/03/07 19:18:48 [Note]: 7005 0
04/03/07 19:19:14 [Note]: 7006 0
04/03/07 19:19:14 [Note]: 7011 1384
04/03/07 19:19:15 [Note]: 7026 0
04/03/07 19:19:15 [Note]: 7026 0
04/03/07 19:19:18 [Note]: FSRAW library version 1.7.1021
04/03/07 19:19:18 [Note]: 2000 1012
04/03/07 19:22:33 [Note]: 2000 1012
04/03/07 19:25:41 [Note]: 7007 0

-------------------------------------------------------------------------

That is for now, thanks!

Carlos

Shaba
2007-04-04, 08:10
Hi

Did you check those two boxes next to the box that says "Generate StartupList log"? I ask because the StartupList is incomplete.

cbehrends
2007-04-05, 04:41
Hi Shaba,

I thought that I had answered this yesterday, but it seems I did something wrong, because I do not see my post with the reply. So here it goes:

Startup list

-------------------------------------------------------------------
StartupList report, 03/04/2007, 07:15:33 p.m.
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Andy\Menú Inicio\Programas\Inicio]
HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio]
Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nod32kui = "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
iTunesHelper = "C:\Archivos de programa\iTunes\iTunesHelper.exe"
mHotKey = C:\ARCHIV~1\GENIUS~2\mHotkey.exe
SoundService = rundll32.exe "C:\WINDOWS\system32\hmcwqpws.dll",setvm

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
MSMSGS = "C:\Archivos de programa\Messenger\msmsgs.exe" /background
Skype = "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\gnqybxsf.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\ldmyocjo.dll (file missing) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
HP DArC Task #Hewlett-Packard#7200#CN3641B36QE0.job
HP Usg Daily.job

--------------------------------------------------

Enumerating Download Program Files:

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ManagerActiveXBKB Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveXBKB.dll
CODEBASE = https://www.bankboston.com.br/download/ActiveXBKBCab.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6.627 bytes
Report generated in 0,234 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
--------------------------------------------------------------------------



F-Secure Blacklight

--------------------------------------------------------------------


04/03/07 19:18:48 [Info]: BlackLight Engine 1.0.61 initialized
04/03/07 19:18:48 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/03/07 19:18:48 [Note]: 7019 4
04/03/07 19:18:48 [Note]: 7005 0
04/03/07 19:19:14 [Note]: 7006 0
04/03/07 19:19:14 [Note]: 7011 1384
04/03/07 19:19:15 [Note]: 7026 0
04/03/07 19:19:15 [Note]: 7026 0
04/03/07 19:19:18 [Note]: FSRAW library version 1.7.1021
04/03/07 19:19:18 [Note]: 2000 1012
04/03/07 19:22:33 [Note]: 2000 1012
04/03/07 19:25:41 [Note]: 7007 0


-------------------------------------------------------------------------


Thanks!

Carlos

Shaba
2007-04-05, 10:31
Hi

Still incomplete, we'll try another tool:

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.

cbehrends
2007-04-05, 23:34
Hi Shaba,

My fault, sorry! You asked me to generate a startup list. I posted the answer but had not noticed that it was on a second page of the post! So I had not seen your comment on page 2, and I posted EXACTLY the same log. Sorry!

So now:
1) I rechecked the HJT, please find below the log.
2) I ran DSS, find below the log.

Log of the HJT
------------------------------------------------------------------------------------------------------

StartupList report, 05/04/2007, 06:13:01 p.m.
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Andy\Menú Inicio\Programas\Inicio]
HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio]
Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nod32kui = "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
iTunesHelper = "C:\Archivos de programa\iTunes\iTunesHelper.exe"
mHotKey = C:\ARCHIV~1\GENIUS~2\mHotkey.exe
SoundService = rundll32.exe "C:\WINDOWS\system32\nkpxeqpc.dll",setvm

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
MSMSGS = "C:\Archivos de programa\Messenger\msmsgs.exe" /background
Skype = "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\gnqybxsf.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\ldmyocjo.dll (file missing) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
HP DArC Task #Hewlett-Packard#7200#CN3641B36QE0.job
HP Usg Daily.job

--------------------------------------------------

Enumerating Download Program Files:

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ManagerActiveXBKB Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveXBKB.dll
CODEBASE = https://www.bankboston.com.br/download/ActiveXBKBCab.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6.844 bytes
Report generated in 0,500 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

------------------------------------------------------------------------------------------------------------

Log of the DSS *********************************************************************************************

MAIN
------------------------------------------------------------------------------------------------------------

Deckard's System Scanner v20070328.36
Run by Andy on 2007-04-05 at 18:19:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
59: 2007-04-05 21:19:15 UTC - RP111 - Deckard's System Scanner Restore Point
58: 2007-04-05 14:22:15 UTC - RP110 - Punto de control del sistema
57: 2007-04-04 14:21:09 UTC - RP109 - Punto de control del sistema
56: 2007-04-02 22:54:09 UTC - RP108 - Punto de control del sistema
55: 2007-04-01 01:21:38 UTC - RP107 - Punto de control del sistema


-- First Restore Point --
1: 2007-01-15 22:46:35 UTC - RP53 - Punto de control del sistema


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Andy.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 06:20:17 p.m., on 05/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Andy\Escritorio\dss.exe
C:\DOCUME~1\Andy\ESCRIT~1\HIJACK~1\Andy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\nkpxeqpc.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clarin.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys
R1 nod32drv - c:\windows\system32\drivers\nod32drv.sys
R2 AMON - c:\windows\system32\drivers\amon.sys
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys
R3 genmcmn (Genius Wireless Mouse Driver) - c:\windows\system32\drivers\gmfiltr.sys
R3 SiS315 - c:\windows\system32\drivers\sisgrp.sys
R3 SISNIC (Controlador de adaptador Fast Ethernet SiS PCI) - c:\windows\system32\drivers\sisnic.sys
R3 smwdm - c:\windows\system32\drivers\smwdm.sys

S3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 StarWindService (StarWind iSCSI Service) - c:\archivos de programa\alcohol soft\alcohol 120\starwind\starwindservice.exe
R3 usnsvc (Servicio Messenger Sharing USN Journal Reader) - c:\windows\system32\svchost.exe -k usnsvc


-- Scheduled Tasks -------------------------------------------------------------

2007-04-05 17:28:02 354 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job<HPUSGD~1.JOB>
2007-03-23 11:41:04 298 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2006-11-05 01:28:57 332 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN3641B36QE0.job<HPDARC~1.JOB>

LOG FOLLOWS IN NEXT POST (TOO LONG FOR ONE POST)

cbehrends
2007-04-05, 23:36
CONTINUED FROM PREVIOUS POST (LOG TOO LONG FOR ONE PAGE)



-- Files created between 2007-03-05 and 2007-04-05 -----------------------------

2007-04-04 23:32:51 125716 --a------ C:\WINDOWS\system32\nkpxeqpc.dll
2007-04-03 20:14:34 1693696 --a------ C:\WINDOWS\system32\ltclr13n.dll
2007-04-03 20:14:34 155648 --a------ C:\WINDOWS\system32\lftif13n.dll
2007-04-03 20:14:34 98304 --a------ C:\WINDOWS\system32\lffax13n.dll
2007-04-03 20:13:17 69632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-04-03 20:13:16 462848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-04-03 20:13:16 450560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-04-03 20:13:16 163840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-04-03 20:13:16 206336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-04-03 20:13:16 299008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-04-03 20:13:16 401408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-04-03 20:13:16 57344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-04-02 19:00:17 0 d-------- C:\!KillBox
2007-04-01 19:03:59 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-01 12:55:52 0 d-------- C:\Archivos de programa\SpywareBlaster<SPYWAR~1>
2007-04-01 11:50:46 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-03-31 20:54:13 125716 --a------ C:\WINDOWS\system32\csxckwwx.dll
2007-03-28 18:34:08 125716 --a------ C:\WINDOWS\system32\yasphwio.dll
2007-03-26 16:13:39 4208 ---hs---- C:\WINDOWS\ntp2.ini2<NTP2~1.INI>
2007-03-25 18:35:34 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-11 17:39:51 0 d-------- C:\Archivos de programa\Enigma Software Group<ENIGMA~1>


-- Find3M Report ---------------------------------------------------------------

2007-04-05 18:20:33 0 d-------- C:\Documents and Settings\Andy\Datos de programa\Skype
2007-04-05 10:47:39 5075 --ahs---- C:\Documents and Settings\Andy\Datos de programa\57781143122241A5B2841A48E1EC0100.sta<577811~1.STA>
2007-04-05 10:47:39 18679 --ahs---- C:\Documents and Settings\Andy\Datos de programa\57781143122241A5B2841A48E1EC0100.rul<577811~1.RUL>
2007-04-04 09:44:57 0 d-------- C:\Archivos de programa\QUICKEN
2007-03-26 20:07:21 0 d-------- C:\Archivos de programa\Palm
2007-03-26 20:04:50 0 d-------- C:\Archivos de programa\Messenger<MESSEN~1>
2007-03-26 20:04:39 0 d-------- C:\Archivos de programa\iTunes
2007-03-26 19:56:27 0 d-------- C:\Archivos de programa\Archivos comunes\System
2007-03-25 21:47:12 0 d-------- C:\Archivos de programa\Genius TwinTouch Wireless<GENIUS~2>
2007-03-25 18:51:05 0 d-------- C:\Archivos de programa\MSN Messenger<MSNMES~1>
2007-03-25 17:56:21 0 d-------- C:\Archivos de programa\Cordless USB Phone<CORDLE~1>
2007-03-05 15:41:18 16 --a------ C:\WINDOWS\popcinfo.dat
2007-02-26 19:27:28 0 d-------- C:\Archivos de programa\Bejeweled 2 Deluxe<BEJEWE~1>
2007-02-21 16:11:03 0 d-------- C:\Archivos de programa\GenoPro
2007-02-21 14:52:09 0 d-------- C:\Archivos de programa\ReflexiveArcade<REFLEX~1>
2007-02-17 14:43:14 298104 --a------ C:\WINDOWS\system32\imon.dll
2007-02-12 19:17:00 0 d-------- C:\Documents and Settings\Andy\Datos de programa\AdobeUM


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Archivos de programa\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"MSMSGS"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"
"Skype"="\"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Archivos de programa\\Eset\\nod32kui.exe\" /WAITSERVICE"
"iTunesHelper"="\"C:\\Archivos de programa\\iTunes\\iTunesHelper.exe\""
"mHotKey"="C:\\ARCHIV~1\\GENIUS~2\\mHotkey.exe"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\nkpxeqpc.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Google Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Google\\GOOGLE~2\\GOOGLE~1.EXE -systray -startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Reboot.exe]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Reboot.exe"
"backup"="C:\\WINDOWS\\pss\\Reboot.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Reboot.exe"
"item"="Reboot"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbuaqnix"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\kbuaqnix.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb09"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon05"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon05.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphupd05"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mouseElf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mouseElf"
"hkey"="HKLM"
"command"="C:\\ARCHIV~1\\GENIUS~2\\mouseElf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Archivos de programa\\Google\\GoogleToolbarNotifier\\1.2.1128.2480\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\WINDOWS\system32\gnqybxsf.dll"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cabsvr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-05 at 18:21:10 ---------


---------------------------------------------------------------------------------------

EXTRA

----------------------------------------------------------------------------------------


Deckard's System Scanner v20070328.36
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Spanish

CPU 0: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 255.53 MiB / 65 MiB
Pagefile Memory (total/avail): 617.54 MiB / 396.08 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1997.45 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 40 GiB total, 11.84 GiB free.
D: is Fixed (NTFS) - 34.55 GiB total, 29.57 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Andy\Datos de programa
CLASSPATH=.;C:\Archivos de programa\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Archivos de programa\Archivos comunes
COMPUTERNAME=ANDREA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Andy
LOGONSERVER=\\ANDREA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Archivos de programa\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Archivos de programa
PROMPT=$P$G
QTJAVA=C:\Archivos de programa\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Andy\CONFIG~1\Temp
TMP=C:\DOCUME~1\Andy\CONFIG~1\Temp
USERDOMAIN=ANDREA
USERNAME=Andy
USERPROFILE=C:\Documents and Settings\Andy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Andy (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Actualización para Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Ad-Aware SE Personal --> C:\ARCHIV~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\ARCHIV~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Download Manager 2.0 (solo quitar) --> "C:\Archivos de programa\Archivos comunes\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 7.0.8 - Español --> MsiExec.exe /I{AC76BA86-7AD7-1034-7B44-A70800000002}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
Bejeweled 2 Deluxe --> "C:\Archivos de programa\Bejeweled 2 Deluxe\ReflexiveArcade\unins000.exe"
Disco de recuerdos de HP --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
EvidenceEraser add-in --> rundll32.exe C:\WINDOWS\Driver Cache\i386\cabsvr.dll,Uninstall
Genius TwinTouch Wireless --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{B5D58380-99A9-11D6-8606-00C0DF22A91A}\setup.exe"
GenoPro 2.0.0.2 --> C:\Archivos de programa\GenoPro\Uninstall.exe
Google Earth --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0xa -removeonly
Google Updater --> "C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 1.99.1 --> C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HijackThis.exe /uninstall
HP Software Update --> MsiExec.exe /X{6FA269F8-38CB-4DF7-AA0D-36E3CE789485}
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010416-78E1-11D2-B60F-006097C998E7}
Mozilla Firefox (2.0.0.2) --> C:\ARCHIV~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.3) --> C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Archivos de programa\MSN\MsnInstaller\msninst.exe /Action:ARP
NOD32 antivirus system --> C:\Archivos de programa\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX --> "C:\Archivos de programa\Eset\unins000.exe"
Palm Desktop --> MsiExec.exe /X{72765AF7-BEA5-4C62-9EC9-A9E386305D04}
Palm VersaMail(tm) --> C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{73945E25-F26E-462F-8018-915DDBCF9DE3}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Archivos de programa\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Pocket Quicken --> C:\WINDOWS\IsUninst.exe -f"C:\Archivos de programa\Pocket Quicken\Uninst.isu"
PocketMirror 3.1.3 (Edición estándar) --> C:\WINDOWS\IsUn040a.exe -f"C:\Archivos de programa\Palm\Chapura\PocketMirror\DeIsL1.isu" -cC:\ARCHIV~1\Palm\Chapura\POCKET~1\UninstEx.dll
Quicken 2003 Premier --> C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{359BF8A1-CB4C-4212-A174-BD63F052EE33} anything
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
SierraAddressBook 3.0 --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{7CE979C6-E5FF-41C5-B6CC-4EE18071563B}\setup.exe"
SierraHome Print Artist 15.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Sierra\Print Artist 15.0\HiUninst.isu" -c"C:\Sierra\Print Artist 15.0\Uninstpa.DLL"
Skype 2.5 --> "C:\Archivos de programa\Skype\Phone\unins000.exe"
SpamBayes 1.1a1 --> "C:\Archivos de programa\SpamBayes\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Archivos de programa\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Archivos de programa\SpywareBlaster\unins000.exe"
VNC Enterprise Edition 4.1.9 --> "C:\Archivos de programa\RealVNC4\unins000.exe"
Windows Live Messenger --> MsiExec.exe /I{FD3FEE11-A03E-47DC-971B-60F73D7128A4}


-- End of Deckard's System Scanner: finished at 2007-04-05 at 18:21:10 ---------

------------------------------------------------------------------------------------------------

Again, sorry for the mistake of posting the same HJT startup log twice, once on April 3 and again on April 4.


Happy Easter!

Carlos

Shaba
2007-04-06, 10:20
Hi

Let's try this next:

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (set the file type to All Files (*.*)) on your Desktop:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundService"=-

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Double-click fix.reg, press Yes and then OK.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file, then extract avenger.exe to your Desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\csxckwwx.dll
C:\WINDOWS\system32\yasphwio.dll
C:\WINDOWS\system32\nkpxeqpc.dll
C:\WINDOWS\Driver Cache\i386\cabsvr.dll
C:\WINDOWS\system32\gnqybxsf.dll

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
Paste the text copied to the clipboard into this window by pressing (Ctrl+V).
Click Done.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

cbehrends
2007-04-06, 14:20
Hi Shaba,

Here is the Avenger.txt:

*********************************************************

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pgsrpxiv

*******************

Script file located at: \??\C:\WINDOWS\system32\frvuanwq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\csxckwwx.dll deleted successfully.
File C:\WINDOWS\system32\yasphwio.dll deleted successfully.
File C:\WINDOWS\system32\nkpxeqpc.dll deleted successfully.
File C:\WINDOWS\Driver Cache\i386\cabsvr.dll deleted successfully.


File C:\WINDOWS\system32\gnqybxsf.dll not found!
Deletion of file C:\WINDOWS\system32\gnqybxsf.dll failed!

Could not process line:
C:\WINDOWS\system32\gnqybxsf.dll
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

*********************************************************

And now the HJT log

*********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 09:17:25 a.m., on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clarin.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

*******************************************************

That's it! Bye!

Carlos
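
The fix above works on three autostart locations at once: a Run value ("SoundService") loading a DLL through rundll32, an AppInit_DLLs value, a Winlogon Notify package and a BHO, all pointing at eight-letter random-name DLLs in system32, plus the two "(file missing)" leftovers in the HJT log that HijackThis can fix on its own. The script below is an added example, not code from HijackThis, Spybot, The Avenger or this forum: it parses a constructed HJT-style log built from the entries in this thread, flags entries by the patterns seen here, and emits the same two artifacts the helper wrote by hand, a `"Name"=-` .reg deletion and an Avenger "Files to delete" script. The eight-letter-name rule is an assumption drawn from the file names on this page, not a signature; the `O20 - AppInit_DLLs:` sample line is constructed from the Deckard entry, since the posted HJT log was taken after that value had already been replaced.

```python
"""Triage HijackThis-style autostart lines and generate the remediation
artifacts used in this thread. Constructed example, not code from
HijackThis, Spybot, The Avenger or the forum."""
import re
from dataclasses import dataclass, field

# Constructed sample log modelled on this thread's findings (HJT 1.99.1 line format).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\nkpxeqpc.dll",setvm
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
"""

@dataclass
class Entry:
    section: str   # "O2", "O4" or "O20"
    name: str      # BHO name, Run value name, Notify subkey, or "AppInit_DLLs"
    hive: str      # "HKLM"/"HKCU" for O4 lines, "" otherwise
    path: str      # first drive-letter path to a .dll/.exe on the line, "" if none
    raw: str

@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)

PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe)\b', re.IGNORECASE)
LINE_PATTERNS = {
    "O2": re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<rest>.*)$'),
    "O4": re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$'),
    "O20": re.compile(r'^O20 - (?P<kind>Winlogon Notify|AppInit_DLLs): (?P<rest>.*)$'),
}
# Eight-letter name + .dll in system32: the naming of every malicious DLL in this
# thread (csxckwwx, yasphwio, nkpxeqpc, gnqybxsf, kbuaqnix, ldmyocjo). A heuristic
# (assumption), not a signature: confirm with a scanner before deleting anything.
RANDOM_DLL_RE = re.compile(r'\\system32\\[a-z]{8}\.dll$', re.IGNORECASE)

def parse_hjt(text):
    """Parse O2/O4/O20 lines; other HJT sections are ignored by this example."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, pat in LINE_PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            g = m.groupdict()
            if section == "O20":
                name = "AppInit_DLLs" if g["kind"] == "AppInit_DLLs" else g["rest"].split(" - ")[0]
            else:
                name = g["name"]
            pm = PATH_RE.search(g["rest"])
            entries.append(Entry(section, name, g.get("hive", ""), pm.group(0) if pm else "", line))
            break
    return entries

def triage(entries):
    findings = []
    for e in entries:
        reasons = []
        if "(file missing)" in e.raw:
            reasons.append("orphaned registration: the file is already gone")
        if RANDOM_DLL_RE.search(e.path):
            reasons.append("eight-letter random-name DLL in system32")
        if e.name == "AppInit_DLLs":
            reasons.append("AppInit_DLLs set: loaded into every process that maps user32.dll")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

def reg_removal(findings):
    """.reg text deleting flagged Run values in the '"Name"=-' form used above.
    Export the key first (regedit, File -> Export), as the thread advises."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        e = f.entry
        if e.section == "O4" and e.hive in HIVES:
            out += [f"[{HIVES[e.hive]}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
                    f'"{e.name}"=-', ""]
    return "\n".join(out)

def avenger_script(findings):
    """Avenger-syntax script: delete DLLs that still exist, neutralise AppInit_DLLs."""
    files = sorted({f.entry.path for f in findings
                    if f.entry.path and "(file missing)" not in f.entry.raw})
    out = ["Files to delete:"] + files
    if any(f.entry.name == "AppInit_DLLs" for f in findings):
        out += ["", "Registry values to replace with dummy:",
                r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs"]
    return "\n".join(out)

def hjt_fix_lines(findings):
    """Orphaned entries (file missing) are left for HijackThis 'Fix checked'."""
    return [f.entry.raw for f in findings if "(file missing)" in f.entry.raw]

if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_HJT_LOG))
    for f in found:
        print(f"{f.entry.section:<4} {f.entry.name:<13} {'; '.join(f.reasons)}")
    print(reg_removal(found), avenger_script(found), "\n".join(hjt_fix_lines(found)), sep="\n\n")
```

Run it as a script and it prints four findings (the orphaned BHO, SoundService, the orphaned cabsvr Notify package and AppInit_DLLs), a .reg file containing only `"SoundService"=-`, an Avenger script listing the two DLLs that still exist, and the two "(file missing)" lines to checkmark in HijackThis. The split matters in practice: Avenger on a file that is already gone just reports `not found` (status 0xc0000034), exactly as happened with gnqybxsf.dll above, so orphaned registrations go to HJT instead.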

Shaba
2007-04-06, 14:25
Hi

Looks like a success :)

Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll (file missing)

Close all windows, including your browser, and press Fix checked.

Reboot

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report

cbehrends
2007-04-07, 03:13
Hi,

It seems like good news, but Kaspersky is not that positive:

Here follows the log:

******************************************************

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 06, 2007 10:07:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/04/2007
Kaspersky Anti-Virus database records: 292207
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 76966
Number of viruses found: 4
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:44:26

Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-04-06.20-05-05.log Object is locked skipped
C:\Archivos de programa\Eset\cache\CACHE.NDB Object is locked skipped
C:\Archivos de programa\Eset\infected\3AFYXTBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Archivos de programa\Eset\infected\43ZO4YAA.NQF Infected: Trojan-Downloader.Win32.Agent.bac skipped
C:\Archivos de programa\Eset\infected\BCQJ3XBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Archivos de programa\Eset\infected\EWQ2TXBA.NQF Infected: Trojan.Win32.BHO.g skipped
C:\Archivos de programa\Eset\infected\SPDQGGCA.NQF Infected: Trojan.Win32.BHO.g skipped
C:\Archivos de programa\Eset\infected\ZSWEGTCA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Archivos de programa\Eset\logs\virlog.dat Object is locked skipped
C:\Archivos de programa\Eset\logs\warnlog.dat Object is locked skipped
C:\Archivos de programa\RealVNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Andy\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\call256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chat512.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\index2.dat Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\profile256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user1024.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user16384.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user4096.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Andy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Andy\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP111\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd9133.sys Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007321.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007322.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007323.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

Scan process completed.


********************************************************

And here is a fresh HJT log:

********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:13:10 p.m., on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clarin.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

********************************************************

What do you think?

Carlos

Shaba
2007-04-07, 10:28
Hi

Well, it doesn't look bad either :)

All viruses are in either NOD32 quarantine or system restore.

Empty this folder:

C:\Archivos de programa\Eset\infected\

Empty Recycle Bin

Re-scan with Kaspersky

Post:

- a fresh HijackThis log
- Kaspersky report

cbehrends
2007-04-08, 03:04
Hi!

Here goes the Kaspersky report:

**********************************************************

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 07, 2007 10:00:49 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/04/2007
Kaspersky Anti-Virus database records: 292309
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 76853
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:42:44

Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-04-07.08-13-41.log Object is locked skipped
C:\Archivos de programa\Eset\cache\CACHE.NDB Object is locked skipped
C:\Archivos de programa\Eset\logs\virlog.dat Object is locked skipped
C:\Archivos de programa\Eset\logs\warnlog.dat Object is locked skipped
C:\Archivos de programa\RealVNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Andy\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Historial\History.IE5\MSHist012007040720070408\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\call256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chat512.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\index2.dat Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\profile256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user1024.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user16384.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user4096.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Andy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Andy\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP111\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd9133.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP111\change.log Object is locked skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007321.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007322.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007323.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

Scan process completed.

********************************************************

And here is the HJT log:

********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:03:22 p.m., on 07/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clarin.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

********************************************************
This is it for the time being! I hope the rabbit also brought you some eggs (I guess this custom is known in Finland too!)

Carlos
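
Shaba's reading of the scans, that everything flagged sits either in the NOD32 quarantine or in a System Restore point rather than on the live file system, is a triage step worth doing systematically on a Kaspersky Online Scanner report like the one above. The script below is an added example written for this page, not code from the thread, from Kaspersky or from Safer Networking. It assumes the line format of the report as posted (one path per line, ending in "Object is locked skipped" or "Infected: <name> <action>"), assumes that NOD32's quarantine is the Eset "infected" folder Shaba asked to have emptied, and runs on a constructed sample with the same layout; the "Constructed.Example.Detection" entry and its quarantine path are made up to exercise that branch.

```python
"""Triage a Kaspersky Online Scanner report (added example, not from the thread).

Separates real detections from 'Object is locked' noise and says where each
detection lives: on the live file system, in the antivirus quarantine, or in
a System Restore point. Assumption: NOD32 quarantines into the Eset 'infected'
folder; adjust QUARANTINE_MARKERS for another product.
"""
import re
from dataclasses import dataclass

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
DECLARED_RE = re.compile(r"^Number of infected objects:\s*(\d+)\s*$", re.M)
# Restore-point copies live under <drive>:\System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9a-f-]+\}\\RP\d+\\", re.I)
QUARANTINE_MARKERS = ("\\eset\\infected\\",)  # assumption: NOD32 quarantine folder

# Constructed sample in the report's line format (a subset of the posted report
# plus one made-up quarantine entry; 'Archivos de programa' is 'Program Files').
SAMPLE_REPORT = r"""
Number of infected objects: 4

Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Eset\cache\CACHE.NDB Object is locked skipped
C:\Archivos de programa\RealVNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007321.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007323.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Archivos de programa\Eset\infected\quarantined-sample.bin Infected: Constructed.Example.Detection skipped

Scan process completed.
"""


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    action: str

    @property
    def riskware(self) -> bool:
        # Kaspersky prefixes legitimate-but-abusable tools (remote admin etc.)
        return self.name.startswith("not-a-virus:")

    @property
    def location(self) -> str:
        if RESTORE_RE.search(self.path):
            return "system_restore"
        if any(marker in self.path.lower() for marker in QUARANTINE_MARKERS):
            return "av_quarantine"
        return "live"


def parse_report(text):
    """Return (detections, locked_paths); every other line is ignored."""
    detections, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := INFECTED_RE.match(line)):
            detections.append(Detection(m["path"], m["name"], m["action"]))
        elif (m := LOCKED_RE.match(line)):
            locked.append(m["path"])
    return detections, locked


def declared_infected_count(text):
    """The scanner's own 'Number of infected objects' figure, or None if absent."""
    m = DECLARED_RE.search(text)
    return int(m.group(1)) if m else None


def triage(text):
    """Group detections by location and cross-check the scanner's declared count."""
    detections, locked = parse_report(text)
    groups = {"live": [], "av_quarantine": [], "system_restore": []}
    for d in detections:
        groups[d.location].append(d)
    declared = declared_infected_count(text)
    return {
        "locked": locked,
        "groups": groups,
        "count_matches": declared is None or declared == len(detections),
    }


def advice(text):
    """One human-readable line per finding, following the thread's own logic."""
    t = triage(text)
    lines = [f"{len(t['locked'])} locked objects skipped (open hives, logs, index.dat): noise, not detections"]
    for d in t["groups"]["live"]:
        tag = "riskware: confirm it was installed on purpose" if d.riskware else "ACTIVE: investigate"
        lines.append(f"live  {d.path}: {d.name} [{tag}]")
    for d in t["groups"]["av_quarantine"]:
        lines.append(f"quar  {d.path}: {d.name} [empty the quarantine folder]")
    for d in t["groups"]["system_restore"]:
        lines.append(f"rp    {d.path}: {d.name} [purge restore points once the system is clean]")
    if not t["count_matches"]:
        lines.append("WARNING: parsed detections differ from the scanner's declared count")
    return lines


if __name__ == "__main__":
    print("\n".join(advice(SAMPLE_REPORT)))
```

Run it directly and it prints one line per finding. The "Object is locked" rows are registry hives, event logs and index.dat files the scanner could not open and are not detections. A not-a-virus: hit on a live path (here the RealVNC hook DLL, which corresponds to the VNC Enterprise Edition entry in the uninstall list posted later in this thread) only needs confirming that the tool was installed deliberately, while the same name under _restore{...}\RPnn is a restore-point copy that can only come back through System Restore and is cleared by purging restore points once the machine is clean. The count cross-check catches a report that was truncated when pasted.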

Shaba
2007-04-08, 10:51
Hi

Yes, it's known also in Finland :)

Logs look good.

Do you have any problems left?

cbehrends
2007-04-08, 22:22
Hi Shaba,

Something is still not good :sad:. Look at the Spybot report, split into many posts as it is toooooo long:


--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-813497703-682003330-1003\Software\Microsoft\aldd

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Araf15

Win32.Agent.At: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-813497703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{871A54C1-1EB3-48BD-A879-5DBA4EF16BE6}

BFast: Tracking cookie (Internet Explorer: Andy) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-03-11 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-04-04 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-04-04 Includes\DialerC.sbi (*)
2007-04-04 Includes\Hijackers.sbi (*)
2007-04-04 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-04-04 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-04-04 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-04-04 Includes\PUPSC.sbi (*)
2007-04-04 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-04-04 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-04-04 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-04-04 Includes\Trojans.sbi (*)
2007-04-04 Includes\TrojansC.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Actualización para Windows XP (KB898461)


--- Startup entries list ---
Located: HK_LM:Run, iTunesHelper
command: "C:\Archivos de programa\iTunes\iTunesHelper.exe"
file: C:\Archivos de programa\iTunes\iTunesHelper.exe
size: 256576
MD5: d2ed7af383aab672cb7e135040967954

Located: HK_LM:Run, mHotKey
command: C:\ARCHIV~1\GENIUS~2\mHotkey.exe
file: C:\ARCHIV~1\GENIUS~2\mHotkey.exe
size: 471552
MD5: 252057751c4d039cc17e25c46be3fe10

Located: HK_LM:Run, nod32kui
command: "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
file: C:\Archivos de programa\Eset\nod32kui.exe
size: 949376
MD5: 66bc5f3ad50fe6225d3fd1964a749d38

Located: HK_CU:Run, CTFMON.EXE
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 25ecfa69af1563fde8dfd31f9954497a

Located: HK_CU:Run, MSMSGS
command: "C:\Archivos de programa\Messenger\msmsgs.exe" /background
file: C:\Archivos de programa\Messenger\msmsgs.exe
size: 1667584
MD5: 8a6df5f9eb43d48d647d65377181f2ab

Located: HK_CU:Run, Skype
command: "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
file: C:\Archivos de programa\Skype\Phone\Skype.exe
size: 20058152
MD5: 32cc2915fcc207086d9b43ccece298f7

Located: HK_CU:Run, updateMgr
command: "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
file: C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
size: 313472
MD5: 43f3f6d33c793089a7c32b45da16094b

Located: Startup (common), Quicken Startup.lnk
command: C:\Archivos de programa\QUICKEN\QWDLLS.EXE
file: C:\Archivos de programa\QUICKEN\QWDLLS.EXE
size: 36864
MD5: a487993675ca6d98eb1a66904c0eafc4

Located: Startup (user), HotSync Manager.lnk
command: C:\Archivos de programa\Palm\HOTSYNC.EXE
file: C:\Archivos de programa\Palm\HOTSYNC.EXE
size: 299008
MD5: 7fb566c5816d8959c9f3ab918c00cd1f

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---


--- ActiveX list ---
{CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class)
DPF name:
CLSID name: ManagerActiveXBKB Class
Installer:
Codebase: https://www.bankboston.com.br/download/ActiveXBKBCab.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ActiveXBKB.dll



--- Process list ---
PID: 0 ( 0) [System]
PID: 500 ( 4) \SystemRoot\System32\smss.exe
PID: 564 ( 500) \??\C:\WINDOWS\system32\csrss.exe
PID: 588 ( 500) \??\C:\WINDOWS\system32\winlogon.exe
PID: 636 ( 588) C:\WINDOWS\system32\services.exe
size: 108544
MD5: F9852F505E0699BB83D5C6321917040B
PID: 648 ( 588) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 2B0B88652C9F6714FD4886839B3B0442
PID: 800 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: FA03E1FC17F38FBDBA81470D08B3E416
PID: 876 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: FA03E1FC17F38FBDBA81470D08B3E416
PID: 952 ( 636) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: FA03E1FC17F38FBDBA81470D08B3E416
PID: 996 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: FA03E1FC17F38FBDBA81470D08B3E416
PID: 1052 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: FA03E1FC17F38FBDBA81470D08B3E416
PID: 1376 (1336) C:\WINDOWS\Explorer.EXE
size: 1034752
MD5: 89C8DD146CEAF482D82822766437D93F
PID: 1384 ( 636) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: 1CF5AF263287CF6FEBF31539833EAF4A
PID: 1512 (1376) C:\Archivos de programa\Eset\nod32kui.exe
size: 949376
MD5: 66BC5F3AD50FE6225D3FD1964A749D38
PID: 1520 (1376) C:\Archivos de programa\iTunes\iTunesHelper.exe
size: 256576
MD5: D2ED7AF383AAB672CB7E135040967954
PID: 1532 (1376) C:\ARCHIV~1\GENIUS~2\mHotkey.exe
size: 471552
MD5: 252057751C4D039CC17E25C46BE3FE10
PID: 1540 (1376) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 25ECFA69AF1563FDE8DFD31F9954497A
PID: 1556 (1376) C:\Archivos de programa\Messenger\msmsgs.exe
size: 1667584
MD5: 8A6DF5F9EB43D48D647D65377181F2AB
PID: 1564 (1376) C:\Archivos de programa\Skype\Phone\Skype.exe
size: 20058152
MD5: 32CC2915FCC207086D9B43CCECE298F7
PID: 1632 (1376) C:\Archivos de programa\Palm\HOTSYNC.EXE
size: 299008
MD5: 7FB566C5816D8959C9F3AB918C00CD1F
PID: 200 ( 636) C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
size: 138168
MD5: A6608E72FD1F6EBA0AAA11D7C76C2DB5
PID: 268 ( 636) C:\Archivos de programa\Eset\nod32krn.exe
size: 552064
MD5: 5300E3715347A5DA5B94AEC3177F5F31
PID: 456 ( 636) C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
size: 217600
MD5: AB2B9349ADA4AC5EC74B622B8303FE23
PID: 1884 ( 636) C:\Archivos de programa\iPod\bin\iPodService.exe
size: 492608
MD5: 688B773BA6074D5E9695EF1886FDCD3E
PID: 2136 ( 636) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 906D6932D533F1591CAA84E846B9BA06
PID: 2632 ( 636) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: FA03E1FC17F38FBDBA81470D08B3E416
PID: 2844 ( 952) C:\WINDOWS\system32\wuauclt.exe
size: 125208
MD5: C6A0849CE73B5CFEBA3AAE6DD52AAC94
PID: 1724 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: FA03E1FC17F38FBDBA81470D08B3E416
PID: 3688 (1376) C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
size: 93184
MD5: 2E47EC1812526240B1F9E00FB9E5036D
PID: 1600 (1376) C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System

cbehrends
2007-04-08, 22:23
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 08/04/2007 05:21:26 p.m.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.clarin.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: NOD32 protected [MSAFD Tcpip [TCP/IP]]
GUID: {BECBCD49-AB58-4A40-9914-0DB9D1446D5D}
Filename: imon.dll

Protocol 1: NOD32 protected [MSAFD Tcpip [UDP/IP]]
GUID: {E26C3A44-9A95-483B-AA31-B4EDCEA633B8}
Filename: imon.dll

Protocol 2: NOD32 protected [MSAFD Tcpip [RAW/IP]]
GUID: {9F55F6D4-6EBF-4B8F-AC38-88171F420F99}
Filename: imon.dll

Protocol 3: NOD32 protected [RSVP UDP Service Provider]
GUID: {ACEC2E2C-4799-4323-ABAC-C68301A11E38}
Filename: imon.dll

Protocol 4: NOD32 protected [RSVP TCP Service Provider]
GUID: {EF1B65CF-0D02-402E-930B-ACE0024636E8}
Filename: imon.dll

Protocol 16: NOD32
GUID: {28A4D8DA-E908-4C6F-A926-A66CC7AD3224}
Filename: imon.dll



--- Uninstall list ---
Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\ARCHIV~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\ARCHIV~1\Lavasoft\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com

(AddressBook)

Adobe Download Manager 2.0 (solo quitar) 2.0 (AdobeESD)
uninstall cmd: "C:\Archivos de programa\Archivos comunes\Adobe\ESD\uninst.exe"

Bejeweled 2 Deluxe (Bejeweled 2 Deluxe_is1)
install location: C:\Archivos de programa\Bejeweled 2 Deluxe\
uninstall cmd: "C:\Archivos de programa\Bejeweled 2 Deluxe\ReflexiveArcade\unins000.exe"

(Branding)

(Connection Manager)

(DirectAnimation)

(DirectDrawEx)

(DXM_Runtime)

EvidenceEraser add-in (EvidenceEraser add-in)
uninstall cmd: rundll32.exe C:\WINDOWS\Driver Cache\i386\cabsvr.dll,Uninstall

(Fontcore)

GenoPro 2.0.0.2 (GenoPro)
uninstall cmd: C:\Archivos de programa\GenoPro\Uninstall.exe
publisher: GenoPro Inc.
help link: http://support.genopro.com/

Google Updater 2.0.739.41483 (Google Updater)
uninstall cmd: "C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe" -uninstall
publisher: Google Inc.
help link: http://pack.google.com:80/pack-support?hl=es&gl=es

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

(ICW)

(IE40)

(IE4Data)

(IE5BAKEX)

(IEData)

(InstallShield Uninstall Information)

Quicken 2003 Premier 12.00.0000 (InstallShield_{359BF8A1-CB4C-4212-A174-BD63F052EE33})
version: 201326592
version (major): 12
estimated size: 76048
install date: 20061105
install source: C:\DOCUME~1\Andy\CONFIG~1\Temp\pft17F.tmp\DISK1\
uninstall cmd: C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{359BF8A1-CB4C-4212-A174-BD63F052EE33} anything
publisher: Intuit
comments: All URL's valid as of October 2001
contact: Customer Support Department
help link: http://www.intuit.com/support/quicken
help telephone: 1-900-555-4932
readme: Readme.txt

Palm VersaMail(tm) 2.5.1100 (InstallShield_{73945E25-F26E-462F-8018-915DDBCF9DE3})
version: 33883212
version (major): 2
version (minor): 5
estimated size: 3922
install date: 20061124
install source: C:\WINDOWS\Downloaded Installations\{551BA63A-A4D1-4272-ABD0-FE6F70EB82BC}\
uninstall cmd: C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{73945E25-F26E-462F-8018-915DDBCF9DE3}
publisher: Palm, Inc.
comments: Palm VersaMail(tm) Setup
contact: Departamento de atención al cliente
help link: http://www.palm.com/support
help telephone:
readme:

Kaspersky Online Scanner 5.0 (Kaspersky Online Scanner)
install location: C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner
uninstall cmd: C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
publisher: Kaspersky Lab
contact: Customer Support Department
help link: http://support.kaspersky.com/helpdesk.html?LANG=en

(KB884016)

(KB893803)

Windows Installer 3.1 (KB893803) 3.1 (KB893803v2)
uninstall cmd: "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://go.microsoft.com/fwlink/?LinkId=42467

Actualización para Windows XP (KB898461) 1 (KB898461)
uninstall cmd: "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=898461

Microsoft .NET Framework 2.0 (Microsoft .NET Framework 2.0)
install location: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\
uninstall cmd: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
publisher: Microsoft Corporation
help link: http://go.microsoft.com/fwlink/?LinkId=45396

(MobileOptionPack)

Mozilla Firefox (2.0.0.2) 2.0.0.2 (es-AR) (Mozilla Firefox (2.0.0.2))
install location: C:\ARCHIV~1\Mozilla Firefox
uninstall cmd: C:\ARCHIV~1\Mozilla Firefox\uninstall\helper.exe
publisher: Mozilla
comments: Mozilla Firefox

Mozilla Firefox (2.0.0.3) 2.0.0.3 (es-AR) (Mozilla Firefox (2.0.0.3))
install location: C:\Archivos de programa\Mozilla Firefox
uninstall cmd: C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe
publisher: Mozilla
comments: Mozilla Firefox

(MPlayer2)

(MSI30-Beta1)

(MSI30-Beta2)

(MSI30-KB884016)

(MSI30-RC1)

(MSI30-RC2)

(MSI30a-KB884016)

(MSI31-Beta)

(MSI31-RC1)

(MsJavaVM)

MSN (MSNINST)
uninstall cmd: C:\Archivos de programa\MSN\MsnInstaller\msninst.exe /Action:ARP

(NetMeeting)

NOD32 antivirus system (NOD32)
uninstall cmd: C:\Archivos de programa\Eset\Setup\setup.exe /UNINSTALL

(OutlookExpress)

Panda ActiveScan (Panda ActiveScan)
uninstall cmd: C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
publisher: Panda Software S.L.

(PCHealth)
uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Pocket Quicken (Pocket Quicken)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Archivos de programa\Pocket Quicken\Uninst.isu"

SierraHome Print Artist 15.0 (Print Artist 15.0)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Sierra\Print Artist 15.0\HiUninst.isu" -c"C:\Sierra\Print Artist 15.0\Uninstpa.DLL"

VNC Enterprise Edition 4.1.9 E4.1.9 (RealVNC_is1)
install location: C:\Archivos de programa\RealVNC4\
uninstall cmd: "C:\Archivos de programa\RealVNC4\unins000.exe"
publisher: RealVNC Ltd.
help link: http://www.realvnc.com/products/enterprise

(SchedulingAgent)

Adobe Flash Player 9 ActiveX 9 (ShockwaveFlash)
uninstall cmd: C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
publisher: Adobe Systems
help link: http://www.adobe.com/go/flashplayer_support/

Skype 2.5 2.5 (Skype_is1)
install location: C:\Archivos de programa\Skype\Phone\
uninstall cmd: "C:\Archivos de programa\Skype\Phone\unins000.exe"
publisher: Skype Technologies S.A.
help link: http://ui.skype.com/ui/0/2.5.0.151/en/help

SpamBayes 1.1a1 1.1a1 (SpamBayes_is1)
install location: C:\Archivos de programa\SpamBayes\
uninstall cmd: "C:\Archivos de programa\SpamBayes\unins000.exe"

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Archivos de programa\Spybot - Search & Destroy\
uninstall cmd: "C:\Archivos de programa\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

SpywareBlaster v3.5.1 3.5.1 (SpywareBlaster_is1)
install location: C:\Archivos de programa\SpywareBlaster\
uninstall cmd: "C:\Archivos de programa\SpywareBlaster\unins000.exe"
publisher: Javacool Software LLC

Microsoft Office 2000 Professional 9.00.2720 ({00010416-78E1-11D2-B60F-006097C998E7})
version: 150997664
version (major): 9
estimated size: 290656
install date: 20061105
install source: D:\CD de reintalación\Office Portugues\CD1\
uninstall cmd: MsiExec.exe /I{00010416-78E1-11D2-B60F-006097C998E7}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Archivos de programa\Microsoft Office\Office\ofread9.txt

WebFldrs XP 9.50.7523 ({350C9C0A-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154279267
version (major): 9
version (minor): 50
estimated size: 2604
install date: 20061104
install source: C:\WINDOWS\system32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

Quicken 2003 Premier 12.00.0000 ({359BF8A1-CB4C-4212-A174-BD63F052EE33})
version: 201326592
version (major): 12
estimated size: 76048
install date: 20061105
install source: C:\DOCUME~1\Andy\CONFIG~1\Temp\pft17F.tmp\DISK1\
publisher: Intuit
comments: All URL's valid as of October 2001
contact: Customer Support Department
help link: http://www.intuit.com/support/quicken
help telephone: 1-900-555-4932
readme: Readme.txt

Google Earth 4.0.2722 ({3DE5E7D4-7B88-403C-A3FD-2017A8240C5B})
version: 67111586
install date: 20070121
install location: C:\Archivos de programa\Google\Google Earth
install source: C:\Documents and Settings\All Users\Datos de programa\Google Updater\cache\installers_ci_earth_es_4.0.2722.0_setup_2007.01.10_20.11.19.exe
uninstall cmd: RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0xa -removeonly
publisher: Google

iTunes 7.0.2.16 ({446DBFFA-4088-48E3-8932-74316BA4CAE4})
version: 117440514
version (major): 7
estimated size: 48883
install date: 20061105
install location: C:\Archivos de programa\iTunes\
install source: C:\DOCUME~1\Andy\CONFIG~1\Temp\IXP566.TMP\
uninstall cmd: MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
publisher: Apple Computer, Inc.
contact: Soporte AppleCare
help link: http://www.apple.com/es/support/
help telephone: (34) 902 151 992

Photosmart 140,240,7200,7600,7700,7900 Series 2.0 ({45B6180B-DCAB-4093-8EE8-6164457517F0})
uninstall cmd: C:\Archivos de programa\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
publisher: Hewlett-Packard
help link: http://www.hp.com/cposupport/eschome.html

QuickTime 7.1.3.170 ({50D8FFDD-90CD-4859-841F-AA1961C7767A})
version: 117506051
version (major): 7
version (minor): 1
estimated size: 71803
install date: 20061105
install location: C:\Archivos de programa\QuickTime\
install source: C:\DOCUME~1\Andy\CONFIG~1\Temp\IXP566.TMP\
uninstall cmd: MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
publisher: Apple Computer, Inc.
contact: Soporte AppleCare
help link: http://www.apple.com/es/support/
help telephone: (34) 902 151 992

DigitImg 2.00.0000 ({517B8FB2-26EE-43B0-AE1B-07408860AA69})
version: 33554432
version (major): 2
estimated size: 53714
install date: 20061105
install source: E:\DigitImg\
publisher: Nombre de su organización
comments: 0
contact: 0
help link: 0
help telephone: 0
readme: 0

PSShortcuts 1.00.0000 ({60758250-C8CF-47EB-8CB6-E0C3B84D8207})
version: 16777216
version (major): 1
estimated size: 3046
install date: 20061105
install source: E:\PSShortcuts\
publisher: Nombre de su organización

HP Software Update 1.0.3.1 ({6FA269F8-38CB-4DF7-AA0D-36E3CE789485})
version: 16777219
version (major): 1
estimated size: 1021
install date: 20061105
install source: E:\WEBU\
uninstall cmd: MsiExec.exe /X{6FA269F8-38CB-4DF7-AA0D-36E3CE789485}
publisher: Hewlett-Packard

Microsoft .NET Framework 2.0 2.0.50727 ({7131646D-CD3C-40F4-97B9-CD9E4E6262EF})
version: 33605159
version (major): 2
estimated size: 213932
install date: 20061121
install source: C:\DOCUME~1\Andy\CONFIG~1\Temp\IXP000.TMP\
publisher: Microsoft Corporation

Palm Desktop 4.1 ({72765AF7-BEA5-4C62-9EC9-A9E386305D04})
version: 67174400
version (major): 4
version (minor): 1
estimated size: 37220
install date: 20070131
install source: E:\Palm Desktop\
uninstall cmd: MsiExec.exe /X{72765AF7-BEA5-4C62-9EC9-A9E386305D04}
publisher: Palm, Inc.
comments: Sus comentarios
contact: Departamento de atención al cliente
help link: http://www.palm.com/support/globalsupport
help telephone: 1-555-555-4505
readme: Leame.txt

Palm VersaMail(tm) 2.5.1100 ({73945E25-F26E-462F-8018-915DDBCF9DE3})
version: 33883212
version (major): 2
version (minor): 5
estimated size: 3922
install date: 20061124
install source: C:\WINDOWS\Downloaded Installations\{551BA63A-A4D1-4272-ABD0-FE6F70EB82BC}\
publisher: Palm, Inc.
comments: Palm VersaMail(tm) Setup
contact: Departamento de atención al cliente
help link: http://www.palm.com/support
help telephone:
readme:

SierraAddressBook 3.0 ({7CE979C6-E5FF-41C5-B6CC-4EE18071563B})
uninstall cmd: RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{7CE979C6-E5FF-41C5-B6CC-4EE18071563B}\setup.exe"

Apple Software Update 1.0.2.1 ({A50C25D7-62E9-4511-AD70-8E2DA5E79B7D})
version: 16777218
version (major): 1
estimated size: 2460
install date: 20061105
install location: C:\Archivos de programa\Apple Software Update\
install source: C:\DOCUME~1\Andy\CONFIG~1\Temp\IXP566.TMP\
uninstall cmd: MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
publisher: Apple Computer, Inc.
contact: Soporte AppleCare
help link: http://www.apple.com/es/support/
help telephone: 900 150 503

Adobe Reader 7.0.8 - Español 7.0.8 ({AC76BA86-7AD7-1034-7B44-A70800000002})
version: 117440520
version (major): 7
estimated size: 77839
install date: 20061108
install location: C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\
install source: C:\Archivos de programa\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ESP\
uninstall cmd: MsiExec.exe /I{AC76BA86-7AD7-1034-7B44-A70800000002}
publisher: Adobe Systems Incorporated
comments:
contact:
help link: http://www.adobe.es/products/acrobat/main.html
help telephone:
readme: C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\Readme.htm

Disco de recuerdos de HP 1.0.4.805 ({B376402D-58EA-45EA-BD50-DD924EB67A70})
version: 16777220
version (major): 1
estimated size: 23248
install date: 20061105
install source: E:\HPMD\
uninstall cmd: MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
publisher: Hewlett-Packard Company
comments: software de creación de discos de recuerdos de HP
help link: http://www.hp.com
help telephone: (208) 323-2551

Genius TwinTouch Wireless ({B5D58380-99A9-11D6-8606-00C0DF22A91A})
uninstall cmd: RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{B5D58380-99A9-11D6-8606-00C0DF22A91A}\setup.exe"

NOD32 FiX 2.2 ({DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1)
install date: 20070217
install location: C:\Archivos de programa\Eset\
uninstall cmd: "C:\Archivos de programa\Eset\unins000.exe"
publisher: nsane productions
help link: http://nsaneproductions.com/forums/?showforum=20

PSUsage 1.20.0000 ({DE4997B5-55AD-4878-97A7-C9FA84FE23C7})
version: 18087936
version (major): 1
version (minor): 20
estimated size: 6286
install date: 20061105
install source: E:\PExpress\
publisher: Nombre de su organización
comments: 0
contact: 0
help link: 0
help telephone: 0
readme: 0

1.9.5.3105 ({E9F81423-211E-46B6-9AE0-38568BC5CF6F})
version: 17367045
version (major): 1
version (minor): 9
estimated size: 5113
install date: 20061104
install source: D:\Backup\Alcohol\
uninstall cmd: MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
help link: support_team@alcohol-soft.com

PS7200 1.00.0000 ({F8282D32-0924-47CB-B6E8-001B3C5716A0})
version: 16777216
version (major): 1
estimated size: 1240
install date: 20061105
install source: C:\Archivos de programa\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\PS7200\
publisher: Nombre de su organización
comments: 0
contact: 0
help link: 0
help telephone: 0
readme: 0

Windows Live Messenger 8.0.0812.00 ({FD3FEE11-A03E-47DC-971B-60F73D7128A4})
version: 134218540
version (major): 8
estimated size: 28285
install date: 20061104
install source: C:\DOCUME~1\Andy\CONFIG~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /I{FD3FEE11-A03E-47DC-971B-60F73D7128A4}
publisher: Microsoft Corporation

cbehrends
2007-04-08, 22:25
--- System Services ---
Service (registry key): .NET CLR Data
Start: 0
Type: 0
Error Control: 0

Service (registry key): .NET CLR Networking
Start: 0
Type: 0
Error Control: 0

Service (registry key): .NET Data Provider for Oracle
Start: 0
Type: 0
Error Control: 0

Service (registry key): .NET Data Provider for SqlServer
Start: 0
Type: 0
Error Control: 0

Service (registry key): .NETFramework
Start: 0
Type: 0
Error Control: 0

Service (registry key): Abiosdsk
Start: 4
Type: 1
Error Control: 0

Service (registry key): abp480n5
Start: 4
Type: 1
Error Control: 1

Service (registry key): ACPI
Display name: Controlador Microsoft ACPI
Image path: system32\DRIVERS\ACPI.sys
Image size: 189056
Image MD5: 33D1373EE875CE8B063777F7E77815B7
Start: 0
Type: 1
Error Control: 1

Service (registry key): ACPIEC
Start: 4
Type: 1
Error Control: 1

Service (registry key): adpu160m
Start: 4
Type: 1
Error Control: 1

Service (registry key): aeaudio
Image path: system32\drivers\aeaudio.sys
Image size: 4816
Image MD5: 11C04B17ED2ABBB4833694BCD644AC90
Start: 3
Type: 1
Error Control: 1

Service (registry key): aec
Display name: Eliminador de eco acústico de núcleo de Microsoft
Image path: system32\drivers\aec.sys
Image size: 142464
Image MD5: 841F385C6CFAF66B58FBD898722BB4F0
Start: 3
Type: 1
Error Control: 1

Service (registry key): AFD
Display name: AFD
Description: Entorno de compatibilidad de funciones de red AFD
Image path: \SystemRoot\System32\drivers\afd.sys
Start: 1
Type: 1
Error Control: 1

Service (registry key): AFS2K
Display name: AFS2k
Start: 1
Type: 1
Error Control: 1

Service (registry key): Aha154x
Start: 4
Type: 1
Error Control: 1

Service (registry key): aic78u2
Start: 4
Type: 1
Error Control: 1

Service (registry key): aic78xx
Start: 4
Type: 1
Error Control: 1

Service (registry key): Alerter
Display name: Servicio de alerta
Description: Notifica a usuarios y equipos seleccionados de alertas administrativas. Si se detiene el servicio, los programas que utilizan alertas administrativas no las recibirán. Si el servicio se deshabilita, no se podrá iniciar ninguno de los servicios que dependen explícitamente dependen de él.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 4
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation

Service (registry key): ALG
Display name: Servicio de puerta de enlace de capa de aplicación
Description: Proporciona compatibilidad para complementos de protocolo de terceros para Conexión compartida a Internet y para Firewall de Windows.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\alg.exe
Image size: 44544
Image MD5: 906D6932D533F1591CAA84E846B9BA06
Start: 3
Type: 16
Error Control: 1

Service (registry key): AliIde
Start: 4
Type: 1
Error Control: 1

Service (registry key): AMON
Display name: AMON
Image path: \SystemRoot\system32\drivers\amon.sys
Start: 2
Type: 1
Error Control: 1

Service (registry key): amsint
Start: 4
Type: 1
Error Control: 1

Service (registry key): AppMgmt
Display name: Administración de aplicaciones
Description: Ofrece servicios de instalación de software como Asignar, Publicar y Quitar.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1

Service (registry key): asc
Start: 4
Type: 1
Error Control: 1

Service (registry key): asc3350p
Start: 4
Type: 1
Error Control: 1

Service (registry key): asc3550
Start: 4
Type: 1
Error Control: 1

Service (registry key): ASP.NET
Start: 0
Type: 0
Error Control: 0

Service (registry key): ASP.NET_2.0.50727
Start: 0
Type: 0
Error Control: 0

Service (registry key): Aspi32
Start: 0
Type: 0
Error Control: 0

Service (registry key): aspnet_state
Display name: ASP.NET State Service
Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\NetworkService
Image path: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
Image size: 29896
Image MD5: D33C507942299753868204CC7642FA27
Start: 3
Type: 16
Error Control: 1

Service (registry key): AsyncMac
Display name: Controlador de medios asíncronos de RAS
Description: Controlador de medios asíncronos de RAS
Image path: system32\DRIVERS\asyncmac.sys
Image size: 14336
Image MD5: 02000ABF34AF4C218C35D257024807D6
Start: 3
Type: 1
Error Control: 1

Service (registry key): atapi
Display name: Controladora estándar IDE/ESDI de disco duro
Image path: system32\DRIVERS\atapi.sys
Image size: 95360
Image MD5: CDFE4411A69C224BD1D11B2DA92DAC51
Start: 0
Type: 1
Error Control: 1

Service (registry key): Atdisk
Start: 4
Type: 1
Error Control: 0

Service (registry key): Atmarpc
Display name: Protocolo cliente ATM ARP
Description: Protocolo cliente ATM ARP
Image path: system32\DRIVERS\atmarpc.sys
Image size: 59904
Image MD5: EC88DA854AB7D7752EC8BE11A741BB7F
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): AudioSrv
Display name: Audio de Windows
Description: Administra dispositivos de audio para programas basados en Windows. Si se detiene este servicio, los dispositivos de audio y efectos no funcionarán correctamente. Si se deshabilita este servicio, cualquier servicio que dependa explícitamente de él tendrá un error al iniciar.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: PlugPlay,RpcSs

Service (registry key): audstub
Display name: Controlador auxiliar de audio
Image path: system32\DRIVERS\audstub.sys
Image size: 3072
Image MD5: D9F724AA26C010A217C97606B160ED68
Start: 3
Type: 1
Error Control: 1

Service (registry key): BattC
Start: 0
Type: 0
Error Control: 0

Service (registry key): Beep
Start: 1
Type: 1
Error Control: 1

Service (registry key): BITS
Display name: Servicio de transferencia inteligente en segundo plano
Description: Transfiere datos entre clientes y servidores en segundo plano. Si está deshabilitado BITS, hay características como Windows Update que no funcionarán correctamente.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): Browser
Display name: Examinador de equipos
Description: Mantiene una lista actualizada de equipos en la red y proporciona esta lista a los equipos designados como exploradores. Si se detiene este servicio, esta lista no se actualizará o mantendrá. Si se deshabilita el servicio, no se podrá iniciar ninguno de los servicios que dependan explícitamente de él.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation,LanmanServer

Service (registry key): cbidf2k
Start: 4
Type: 1
Error Control: 1

Service (registry key): cd20xrnt
Start: 4
Type: 1
Error Control: 1

Service (registry key): Cdaudio
Start: 1
Type: 1
Error Control: 0

Service (registry key): Cdfs
Start: 4
Type: 2
Error Control: 1
Depends On group: "SCSI CDROM Class"

Service (registry key): Cdrom
Display name: Controlador de CD-ROM
Image path: system32\DRIVERS\cdrom.sys
Image size: 49536
Image MD5: AF9C19B3100FE010496B1A27181FBF72
Start: 1
Type: 1
Error Control: 1
Depends On group: "SCSI miniport"

Service (registry key): Changer
Start: 1
Type: 1
Error Control: 0

Service (registry key): CiSvc
Display name: Servicio de Index Server
Description: Indiza el contenido y las propiedades de archivos en equipos locales y remotos; ofrece acceso inmediato a archivos a través de un lenguaje de consulta flexible.
Object name: LocalSystem
Image path: %SystemRoot%\system32\cisvc.exe
Image size: 5632
Image MD5: C2991BBEF6836C9B3ABCE7F87B19B0E8
Start: 3
Type: 288
Error Control: 1
Depends On services: RPCSS

Service (registry key): ClipSrv
Display name: Portafolios
Description: Habilita el Visor del Portafolios para almacenar información y compartirla con equipos remotos. Si se detiene el servicio, el Visor del Portafolios no podrá compartir información con los equipos remotos. Si se deshabilita este servicio, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: LocalSystem
Image path: %SystemRoot%\system32\clipsrv.exe
Image size: 33280
Image MD5: 7931F88DB9B42B3F7B5D9978BBACB22A
Start: 4
Type: 16
Error Control: 1
Depends On services: NetDDE

Service (registry key): clr_optimization_v2.0.50727_32
Display name: .NET Runtime Optimization Service v2.0.50727_X86
Description: Microsoft .NET Framework NGEN
Object name: LocalSystem
Image path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Image size: 66240
Image MD5: 3C4D595E7F9B747325AEF28B4ADCAAE5
Start: 3
Type: 16
Error Control: 0

Service (registry key): CmdIde
Start: 4
Type: 1
Error Control: 1

Service (registry key): COMSysApp
Display name: Aplicación del sistema COM+
Description: Administra la configuración y el seguimiento de los componentes del Modelo de objetos componentes (COM+). Si se detiene el servicio, la mayoría de los componentes COM+ no funcionarán correctamente. Si se deshabilita este servicio, no se podrá iniciar ningún servicio que dependa específicamente de él.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Image size: 5120
Image MD5: E7B97B5564D8362F95C4227A196DA4E1
Start: 3
Type: 16
Error Control: 1
Depends On services: rpcss

Service (registry key): ContentFilter
Start: 0
Type: 0
Error Control: 0

Service (registry key): ContentIndex
Start: 0
Type: 0
Error Control: 0

Service (registry key): Cpqarray
Start: 4
Type: 1
Error Control: 1

Service (registry key): CryptSvc
Display name: Servicios de cifrado
Description: Proporciona tres servicios de administración: Servicio de catálogo de base de datos, que confirma las firmas de archivos de Windows; Servicio de raíz protegida, que agrega y quita certificados de entidades emisoras de raíz de confianza de este equipo; y el Servicio de claves, que ayuda a inscribir este equipo a certificados. Si se detiene este servicio, sus servicios de administración mencionados no funcionarán correctamente. Si se deshabilita este servicio, no se podrán iniciar ninguno de los servicios que dependen explícitamente de él.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): dac2w2k
Start: 4
Type: 1
Error Control: 0

Service (registry key): dac960nt
Start: 4
Type: 1
Error Control: 1

Service (registry key): DcomLaunch
Display name: Iniciador de procesos de servidor DCOM
Description: Ofrece el inicio de funcionalidad para los servicios DCOM.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost -k DcomLaunch
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1

Service (registry key): Dhcp
Display name: Cliente DHCP
Description: Administra la configuración de la red registrando y actualizando direcciones IP y nombres DNS.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: Tcpip,Afd,NetBT

Service (registry key): Disk
Display name: Controlador de disco
Image path: system32\DRIVERS\disk.sys
Image size: 36352
Image MD5: 00CA44E4534865F8A3B64F7C0984BFF0
Start: 0
Type: 1
Error Control: 1
Depends On group: "SCSI miniport"

Service (registry key): dmadmin
Display name: Servicio del administrador de discos lógicos
Description: Configura las unidades de disco duro y volúmenes. El servicio sólo se ejecuta para procesos de configuración y a continuación se detiene.
Object name: LocalSystem
Image path: %SystemRoot%\System32\dmadmin.exe /com
Image size: 225792
Image MD5: 3A34E50142E8917D33DD8531C75884F9
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs,PlugPlay,DmServer

Service (registry key): dmboot
Image path: System32\drivers\dmboot.sys
Image size: 800256
Image MD5: 9FB634A0ED429AA64DE57C53DD10CCF9
Start: 4
Type: 1
Error Control: 1

Service (registry key): dmio
Display name: Controlador del administrador de discos lógicos
Image path: System32\drivers\dmio.sys
Image size: 154240
Image MD5: 67DECFAF3B6CDB34B3FA77D965281BB5
Start: 0
Type: 1
Error Control: 1

Service (registry key): dmload
Image path: System32\drivers\dmload.sys
Image size: 5888
Image MD5: E9317282A63CA4D188C0DF5E09C6AC5F
Start: 0
Type: 1
Error Control: 1

Service (registry key): dmserver
Display name: Administrador de discos lógicos
Description: Detecta y supervisa unidades de disco duro nuevas y envía información del volumen de disco al Servicio de administración de discos lógicos para su configuración. Si se detiene este servicio, la información de estado y configuración de discos dinámicos puede quedar desactualizada. Si se deshabilita este servicio, no se podrá iniciar ninguno de los servicios que dependan explícitamente de él.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs,PlugPlay

Service (registry key): DMusic
Display name: Sintetizador DLS Kernel de Microsoft
Image path: system32\drivers\DMusic.sys
Image size: 52864
Image MD5: A6F881284AC1150E37D9AE47FF601267
Start: 3
Type: 1
Error Control: 1

Service (registry key): Dnscache
Display name: Cliente DNS
Description: Resuelve y almacena en caché los nombres del sistema de nombres de dominio (DNS) para este equipo. Si se detiene este servicio, este equipo no podrá resolver nombres DNS ni ubicar controladores de dominio en Active Directory. Si se deshabilita este servicio, no se podrá iniciar ninguno de los servicios que dependen explícitamente de él.
Object name: NT AUTHORITY\NetworkService
Image path: %SystemRoot%\system32\svchost.exe -k NetworkService
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: Tcpip

Service (registry key): dpti2o
Start: 4
Type: 1
Error Control: 1

Service (registry key): drmkaud
Display name: Descodificador de audio DRM del núcleo de Microsoft
Image path: system32\drivers\drmkaud.sys
Image size: 2944
Image MD5: 1ED4DBBAE9F5D558DBBA4CC450E3EB2E
Start: 3
Type: 1
Error Control: 1

Service (registry key): ERSvc
Display name: Servicio de informe de errores
Description: Permite informar de errores para servicios y aplicaciones que se ejecutan en entornos no estándar.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 0
Depends On services: RpcSs

Service (registry key): Eventlog
Display name: Registro de sucesos
Description: Habilita mensajes de registro de sucesos emitidos por programas basados en Windows y componentes para que se vean en Visor de sucesos. Este servicio no se puede detener.
Object name: LocalSystem
Image path: %SystemRoot%\system32\services.exe
Image size: 108544
Image MD5: F9852F505E0699BB83D5C6321917040B
Start: 2
Type: 32
Error Control: 1

cbehrends
2007-04-08, 22:26
Service (registry key): EventSystem
Display name: Sistema de sucesos COM+
Description: Admite el Servicio de notificación de eventos del sistema (SENS), que proporciona la distribución automática de eventos a los componentes del Modelo de objetos componentes (COM). Si se detiene este servicio, SENS se cerrará y no podrá ofrecer notificaciones de inicio ni de cierre de sesión. Si se deshabilita el servicio, no se podrá iniciar ningún servicio que dependa específicamente de él.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): Fastfat
Start: 4
Type: 2
Error Control: 1

Service (registry key): FastUserSwitchingCompatibility
Display name: Compatibilidad de cambio rápido de usuario
Description: Proporciona administración para aplicaciones que necesitan asistencia en un entorno de usuarios múltiples.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: TermService

Service (registry key): Fdc
Display name: Controlador de la unidad de disquete
Image path: system32\DRIVERS\fdc.sys
Image size: 27392
Image MD5: CED2E8396A8838E59D8FD529C680E02C
Start: 3
Type: 1
Error Control: 1

Service (registry key): Fips
Start: 1
Type: 1
Error Control: 1

Service (registry key): Flpydisk
Display name: Controlador de disquete
Image path: system32\DRIVERS\flpydisk.sys
Image size: 20480
Image MD5: 0DD1DE43115B93F4D85E889D7A86F548
Start: 3
Type: 1
Error Control: 1

Service (registry key): FltMgr
Display name: FltMgr
Description: Controlador del administrador de filtros del sistema de archivos
Image path: system32\DRIVERS\fltMgr.sys
Image size: 124800
Image MD5: 157754F0DF355A9E0A6F54721914F9C6
Start: 0
Type: 2
Error Control: 1

Service (registry key): Fs_Rec
Start: 1
Type: 8
Error Control: 0

Service (registry key): Ftdisk
Display name: Controlador del administrador de volumen
Image path: system32\DRIVERS\ftdisk.sys
Image size: 125952
Image MD5: CC5F3AF5711A1C7C8FA1D43BB16B401A
Start: 0
Type: 1
Error Control: 1

Service (registry key): gameenum
Display name: Enumerador de puerto para juegos
Image path: system32\DRIVERS\gameenum.sys
Image size: 10624
Image MD5: 5F92FD09E5610A5995DA7D775EADCD12
Start: 3
Type: 1
Error Control: 0

Service (registry key): GEARAspiWDM
Display name: GEARAspiWDM
Image path: System32\Drivers\GEARAspiWDM.sys
Image size: 15664
Image MD5: 4AC51459805264AFFD5F6FDFB9D9235F
Start: 3
Type: 1
Error Control: 1

Service (registry key): genmcmn
Display name: Genius Wireless Mouse Driver
Image path: system32\DRIVERS\gmfiltr.sys
Image size: 6206
Image MD5: 60292CA78C7BF16A527CB5E3C1E2C279
Start: 3
Type: 1
Error Control: 0

Service (registry key): Gpc
Display name: Clasificador de paquetes genéricos
Description: Clasificador de paquetes genéricos
Image path: system32\DRIVERS\msgpc.sys
Image size: 35072
Image MD5: C0F1D4A21DE5A415DF8170616703DEBF
Start: 3
Type: 1
Error Control: 1

Service (registry key): gusvc
Display name: Google Updater Service
Object name: LocalSystem
Image path: "C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe"
Image size: 138168
Image MD5: A6608E72FD1F6EBA0AAA11D7C76C2DB5
Start: 2
Type: 16
Error Control: 0
Depends On services: RPCSS

Service (registry key): helpsvc
Display name: Ayuda y soporte técnico
Description: Habilita la ejecución del Centro de ayuda y soporte técnico en este equipo. Si se detiene este servicio, el Centro de ayuda y soporte técnico no estará disponible. Si se deshabilita este servicio, no se podrá iniciar ninguno de los servicios que dependan explícitamente de él.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): HidServ
Display name: Acceso a dispositivo de interfaz humana
Description: Habilita el acceso de entrada genérico a los Dispositivos de interfaz humana (HID), que activa y mantiene el uso de botones de acceso directo predefinidos en los teclados, controles remotos y otros dispositivos multimedia. Si este servicio se detiene, los botones de acceso directo controlados por este servicio dejarán de funcionar. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 4
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): hidusb
Display name: Controlador de clases HID de Microsoft
Image path: system32\DRIVERS\hidusb.sys
Image size: 9600
Image MD5: 1DE6783B918F540149AA69943BDFEBA8
Start: 3
Type: 1
Error Control: 0

Service (registry key): hpn
Start: 4
Type: 1
Error Control: 1

Service (registry key): HPZid412
Display name: IEEE-1284.4 Driver HPZid412
Image path: system32\DRIVERS\HPZid412.sys
Image size: 51056
Image MD5: 287A63BD8509BD78E7978823B38AFA81
Start: 3
Type: 1
Error Control: 1

Service (registry key): HPZipr12
Display name: Print Class Driver for IEEE-1284.4 HPZipr12
Image path: system32\DRIVERS\HPZipr12.sys
Image size: 16496
Image MD5: 0B4FDA2657C3E0315EAA57F9C6D4FD1F
Start: 3
Type: 1
Error Control: 1

Service (registry key): HPZius12
Display name: USB to IEEE-1284.4 Translation Driver HPZius12
Image path: system32\DRIVERS\HPZius12.sys
Image size: 21488
Image MD5: 29559DB25258B60510A60C4E470FCE32
Start: 3
Type: 1
Error Control: 1

Service (registry key): HTTP
Display name: HTTP
Description: Este servicio implementa el protocolo de transferencia de hipertexto (HTTP). Si se deshabilita este servicio, no se podrá iniciar ningún servicio que dependa explícitamente de él.
Image path: System32\Drivers\HTTP.sys
Image size: 263040
Image MD5: C19B522A9AE0BBC3293397F3055E80A1
Start: 3
Type: 1
Error Control: 1

Service (registry key): HTTPFilter
Display name: HTTP SSL
Description: Este servicio implementa el protocolo de transferencia de hipertexto seguro (HTTPS), usando la Capa de sockets seguros (SSL). Si se deshabilita este servicio, no se podrá iniciar ningún servicio que dependa explícitamente de él.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k HTTPFilter
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: HTTP

Service (registry key): i2omgmt
Start: 1
Type: 1
Error Control: 1

Service (registry key): i2omp
Start: 4
Type: 1
Error Control: 1

Service (registry key): i8042prt
Display name: Teclado i8042 y controlador de puerto de mouse PS/2
Image path: system32\DRIVERS\i8042prt.sys
Image size: 53760
Image MD5: 0CAB3EE361CFEAB260B3906C8B6FB2BE
Start: 1
Type: 1
Error Control: 1

Service (registry key): Imapi
Display name: Controlador de filtro de grabación de CD
Image path: system32\DRIVERS\imapi.sys
Image size: 41856
Image MD5: F8AA320C6A0409C0380E5D8A99D76EC6
Start: 1
Type: 1
Error Control: 1

Service (registry key): ImapiService
Display name: Servicio COM de grabación de CD de IMAPI
Description: Administra la grabación de CD usando la interfaz de programación de aplicaciones de grabación de imágenes (IMAPI). Si se detiene este servicio, el equipo no podrá grabar los CD. Si está deshabilitado, los servicios que dependan de éste no se iniciarán.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\imapi.exe
Image size: 150016
Image MD5: CEE36882EA2298D0AD7E5C1BA750D49C
Start: 3
Type: 16
Error Control: 1

Service (registry key): inetaccs
Start: 0
Type: 0
Error Control: 0

Service (registry key): ini910u
Start: 4
Type: 1
Error Control: 1

Service (registry key): Inport
Start: 0
Type: 0
Error Control: 0

Service (registry key): IntelIde
Start: 4
Type: 1
Error Control: 1

Service (registry key): intelppm
Display name: Controlador de procesador Intel
Image path: system32\DRIVERS\intelppm.sys
Image size: 40320
Image MD5: 98BBC0E8EFA90FFF1EC9456EE7B0B1F1
Start: 1
Type: 1
Error Control: 1

Service (registry key): Ip6Fw
Display name: Controlador de Firewall de Windows IPv6
Description: Proporciona un servicio de prevención de intrusiones para una red doméstica o de oficina pequeña.
Image path: system32\DRIVERS\Ip6Fw.sys
Image size: 29056
Image MD5: 4448006B6BC60E6C027932CFC38D6855
Start: 3
Type: 1
Error Control: 1

Service (registry key): IpFilterDriver
Display name: Controlador de filtro de tráfico IP
Description: Controlador de filtro de tráfico IP
Image path: system32\DRIVERS\ipfltdrv.sys
Image size: 32896
Image MD5: 731F22BA402EE4B62748ADAF6363C182
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): IpInIp
Display name: Controlador de túnel IP en IP
Description: Controlador de túnel IP en IP
Image path: system32\DRIVERS\ipinip.sys
Image size: 20992
Image MD5: E1EC7F5DA720B640CD8FB8424F1B14BB
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): IpNat
Display name: Traductor de direcciones de red IP
Description: Traductor de direcciones de red IP
Image path: system32\DRIVERS\ipnat.sys
Image size: 134912
Image MD5: B5A8E215AC29D24D60B4D1250EF05ACE
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): iPod Service
Display name: iPod Service
Description: iPod hardware management services
Object name: LocalSystem
Image path: "C:\Archivos de programa\iPod\bin\iPodService.exe"
Image size: 492608
Image MD5: 688B773BA6074D5E9695EF1886FDCD3E
Start: 3
Type: 16
Error Control: 1
Depends On services: RPCSS

Service (registry key): IPSec
Display name: Controlador IPSEC
Description: Controlador IPSEC
Image path: system32\DRIVERS\ipsec.sys
Image size: 74752
Image MD5: 64537AA5C003A6AFEEE1DF819062D0D1
Start: 1
Type: 1
Error Control: 1

Service (registry key): IRENUM
Display name: Servicio enumerador IR
Image path: system32\DRIVERS\irenum.sys
Image size: 11264
Image MD5: 50708DAA1B1CBB7D6AC1CF8F56A24410
Start: 3
Type: 1
Error Control: 1

Service (registry key): ISAPISearch
Start: 0
Type: 0
Error Control: 0

Service (registry key): isapnp
Display name: Controlador de bus PnP ISA/EISA
Image path: system32\DRIVERS\isapnp.sys
Image size: 36352
Image MD5: 90BC6118193B4E8A76F0FC0D4A3572DE
Start: 0
Type: 1
Error Control: 3

Service (registry key): Kbdclass
Display name: Controlador de clase de teclado
Image path: system32\DRIVERS\kbdclass.sys
Image size: 25088
Image MD5: 71BFDDA7B3006B45B18D8BAC92BC9993
Start: 1
Type: 1
Error Control: 1

Service (registry key): kmixer
Display name: Mezclador de audio de onda Microsoft Kernel
Image path: system32\drivers\kmixer.sys
Image size: 171776
Image MD5: D93CAD07C5683DB066B0B2D2D3790EAD
Start: 3
Type: 1
Error Control: 1

Service (registry key): KSecDD
Start: 0
Type: 1
Error Control: 1

Service (registry key): lanmanserver
Display name: Servidor
Description: Ofrece compatibilidad con uso compartido de archivos, impresoras y canalizaciones con nombres en la red para este equipo. Si se detiene el servicio, estas funciones no estarán disponibles. Si se deshabilita el servicio, no se podrá iniciar ninguno de los servicios que dependan explícitamente de él.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1

Service (registry key): lanmanworkstation
Display name: Estación de trabajo
Description: Crea y mantiene conexiones de cliente de red a servidores remotos. Si se detiene el servicio, estas conexiones no estarán disponibles. Si se deshabilita el servicio, no se podrá iniciar ninguno de los servicios que dependan explícitamente de él.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1

Service (registry key): lbrtfdc
Start: 1
Type: 1
Error Control: 0

Service (registry key): ldap
Start: 0
Type: 0
Error Control: 0

Service (registry key): LicenseService
Start: 0
Type: 0
Error Control: 0

Service (registry key): LmHosts
Display name: Ayuda de NetBIOS sobre TCP/IP
Description: Habilita la compatibilidad con NetBIOS a través del servicio TCP/IP (NetBT) y la resolución de nombres NetBIOS.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: NetBT,Afd

Service (registry key): Messenger
Display name: Mensajero
Description: Transmite mensajes del servicio de alertas y el comando net send entre clientes y servidores. Este servicio no está relacionado con Windows Messenger. Si se detiene el servicio, no se transmitirán los mensajes de alerta. Si se deshabilita el servicio, no se podrá iniciar ninguno de los servicios que dependan explícitamente de él.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 4
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation,NetBIOS,PlugPlay,RpcSS

Service (registry key): mnmdd
Start: 1
Type: 1
Error Control: 0

Service (registry key): mnmsrvc
Display name: Escritorio remoto compartido de NetMeeting
Description: Permite a los usuarios autorizados acceder remotamente a su escritorio Windows usando NetMeeting.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\mnmsrvc.exe
Image size: 32768
Image MD5: A0751C0AF862E271FBB135B4B7D56C4D
Start: 3
Type: 272
Error Control: 1

Service (registry key): Modem
Start: 3
Type: 1
Error Control: 0

Service (registry key): Mouclass
Display name: Controlador de clase de mouse
Image path: system32\DRIVERS\mouclass.sys
Image size: 23552
Image MD5: 05E9C75C6797145A4983E9D0A4778BC3
Start: 1
Type: 1
Error Control: 1

Service (registry key): mouhid
Display name: Controlador HID de mouse
Image path: system32\DRIVERS\mouhid.sys
Image size: 12416
Image MD5: 8EE532E516B2D23D686CFC1CC0A15C25
Start: 3
Type: 1
Error Control: 0

Service (registry key): MountMgr
Start: 0
Type: 1
Error Control: 1

Service (registry key): mraid35x
Start: 4
Type: 1
Error Control: 1

Service (registry key): MRxDAV
Display name: Redirector de cliente WebDav
Description: Redirector de cliente WebDav
Image path: system32\DRIVERS\mrxdav.sys
Image size: 181248
Image MD5: 46EDCC8F2DB2F322C24F48785CB46366
Start: 3
Type: 2
Error Control: 1

Service (registry key): MRxSmb
Display name: MRXSMB
Description: MRXSMB
Image path: system32\DRIVERS\mrxsmb.sys
Image size: 451456
Image MD5: 1FD607FC67F7F7C633C3DA65BFC53D18
Start: 1
Type: 2
Error Control: 1

Service (registry key): MSDTC
Display name: Coordinador de transacciones distribuidas de Microsoft
Description: Coordina las transacciones que se extienden a varios administradores de recursos, como bases de datos, colas de mensajes y sistemas de archivos. Si se detiene este servicio, estas transacciones no se producirán. Si se deshabilita el servicio, no se podrá iniciar ningún servicio que dependa específicamente de él.
Object name: NT AUTHORITY\NetworkService
Image path: C:\WINDOWS\system32\msdtc.exe
Image size: 6144
Image MD5: 64CF2B82B89B5DDDF04B1C5CFED39518
Start: 3
Type: 16
Error Control: 1
Depends On services: RPCSS,SamSS

Service (registry key): Msfs
Start: 1
Type: 2
Error Control: 1

Service (registry key): MSIServer
Display name: Instalador de Windows
Description: Agrega, modifica y quita aplicaciones proporcionadas como paquetes de Windows Installer (*.msi). Si se deshabilita este servicio, no se podrá iniciar ninguno de los servicios que dependan explícitamente de él.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\msiexec.exe /V
Image size: 78848
Image MD5: F5F0146580E7023ADB963879840777F8
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): MSKSSRV
Display name: Proxy de servicio de transferencia de Microsoft
Image path: system32\drivers\MSKSSRV.sys
Image size: 7552
Image MD5: AE431A8DD3C1D0D0610CDBAC16057AD0
Start: 3
Type: 1
Error Control: 1

cbehrends
2007-04-08, 22:27
Service (registry key): MSPCLOCK
Display name: Proxy del reloj de transferencia de Microsoft
Image path: system32\drivers\MSPCLOCK.sys
Image size: 5376
Image MD5: 13E75FEF9DFEB08EEDED9D0246E1F448
Start: 3
Type: 1
Error Control: 1

Service (registry key): MSPQM
Display name: Proxy del administrador de calidad de transferencia de Microsoft
Image path: system32\drivers\MSPQM.sys
Image size: 4992
Image MD5: 1988A33FF19242576C3D0EF9CE785DA7
Start: 3
Type: 1
Error Control: 1

Service (registry key): mssmbios
Display name: Controlador BIOS de Microsoft System Management
Image path: system32\DRIVERS\mssmbios.sys
Image size: 15488
Image MD5: 469541F8BFD2B32659D5D463A6714BCE
Start: 3
Type: 1
Error Control: 1

Service (registry key): Mup
Display name: Mup
Start: 0
Type: 2
Error Control: 1

Service (registry key): NDIS
Display name: Controlador de sistema NDIS
Start: 0
Type: 1
Error Control: 1

Service (registry key): NdisTapi
Display name: Controlador TAPI NDIS de acceso remoto
Description: Controlador TAPI NDIS de acceso remoto
Image path: system32\DRIVERS\ndistapi.sys
Image size: 9600
Image MD5: 08D43BBDACDF23F34D79E44ED35C1B4C
Start: 3
Type: 1
Error Control: 1

Service (registry key): Ndisuio
Display name: Protocolo E/S en modo de usuario NDIS
Description: Protocolo E/S en modo de usuario NDIS
Image path: system32\DRIVERS\ndisuio.sys
Image size: 12928
Image MD5: 34D6CD56409DA9A7ED573E1C90A308BF
Start: 3
Type: 1
Error Control: 1

Service (registry key): NdisWan
Display name: Controlador WAN NDIS de acceso remoto
Description: Controlador WAN NDIS de acceso remoto
Image path: system32\DRIVERS\ndiswan.sys
Image size: 91776
Image MD5: 0B90E255A9490166AB368CD55A529893
Start: 3
Type: 1
Error Control: 1

Service (registry key): NDProxy
Start: 3
Type: 1
Error Control: 1

Service (registry key): NetBIOS
Display name: Interfaz de NetBIOS
Description: Interfaz de NetBIOS
Image path: system32\DRIVERS\netbios.sys
Image size: 34560
Image MD5: 3A2ACA8FC1D7786902CA434998D7CEB4
Start: 1
Type: 2
Error Control: 1

Service (registry key): NetBT
Display name: NetBios a través de Tcpip
Description: NetBios a través de Tcpip
Image path: system32\DRIVERS\netbt.sys
Image size: 162816
Image MD5: 0C80E410CD2F47134407EE7DD19CC86B
Start: 1
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): NetDDE
Display name: DDE de red
Description: Ofrece transporte y seguridad en la red para el Intercambio dinámico de datos (DDE) para los programas que se ejecutan en el mismo equipo o en diferentes equipos. Si este servicio se detiene, se deshabilitarán el transporte y la seguridad DDE. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: LocalSystem
Image path: %SystemRoot%\system32\netdde.exe
Image size: 115200
Image MD5: BCFA51E14E310586A3D199BB8EC0AA4E
Start: 4
Type: 32
Error Control: 1
Depends On services: NetDDEDSDM

Service (registry key): NetDDEdsdm
Display name: DSDM de DDE de red
Description: Administra los recursos de red Intercambio dinámico de datos (DDE). Si este servicio se detiene, se deshabilitarán los recursos compartidos de red DDE. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: LocalSystem
Image path: %SystemRoot%\system32\netdde.exe
Image size: 115200
Image MD5: BCFA51E14E310586A3D199BB8EC0AA4E
Start: 4
Type: 32
Error Control: 1

Service (registry key): Netlogon
Display name: Inicio de sesión en red
Description: Admite la autenticación de paso de sucesos de inicio de sesión de cuenta para los equipos en un dominio.
Object name: LocalSystem
Image path: %SystemRoot%\system32\lsass.exe
Image size: 13312
Image MD5: 2B0B88652C9F6714FD4886839B3B0442
Start: 3
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation

Service (registry key): Netman
Display name: Conexiones de red
Description: Administra objetos en la carpeta Conexiones de red y acceso telefónico, donde se pueden ver conexiones de red de área local y remotas.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 288
Error Control: 1
Depends On services: RpcSs

Service (registry key): Nla
Display name: NLA (Network Location Awareness)
Description: Recopila y almacena información de configuración y ubicación de redes, e informa a las aplicaciones cuando esta información cambia.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: Tcpip,Afd

Service (registry key): nod32drv
Display name: nod32drv
Image path: \SystemRoot\system32\drivers\nod32drv.sys
Start: 1
Type: 1
Error Control: 1

Service (registry key): NOD32krn
Display name: NOD32 Kernel Service
Object name: LocalSystem
Image path: "C:\Archivos de programa\Eset\nod32krn.exe"
Image size: 552064
Image MD5: 5300E3715347A5DA5B94AEC3177F5F31
Start: 2
Type: 272
Error Control: 1

Service (registry key): Npfs
Start: 1
Type: 2
Error Control: 1

Service (registry key): Ntfs
Start: 4
Type: 2
Error Control: 1

Service (registry key): NtLmSsp
Display name: Proveedor de compatibilidad con seguridad LM de Windows NT
Description: Ofrece seguridad a programas de llamada a procedimiento remoto (RPC) que utilizan transportes diferentes de conductos con nombres.
Object name: LocalSystem
Image path: %SystemRoot%\system32\lsass.exe
Image size: 13312
Image MD5: 2B0B88652C9F6714FD4886839B3B0442
Start: 3
Type: 32
Error Control: 1

Service (registry key): NtmsSvc
Display name: Medios de almacenamiento extraíbles
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): Null
Start: 1
Type: 1
Error Control: 1

Service (registry key): NwlnkFlt
Display name: Controlador de filtro de tráfico IPX
Description: Controlador de filtro de tráfico IPX
Image path: system32\DRIVERS\nwlnkflt.sys
Image size: 12416
Image MD5: B305F3FAD35083837EF46A0BBCE2FC57
Start: 3
Type: 1
Error Control: 1
Depends On services: NwlnkFwd

Service (registry key): NwlnkFwd
Display name: Controlador retransmisor de tráfico IPX
Description: Controlador retransmisor de tráfico IPX
Image path: system32\DRIVERS\nwlnkfwd.sys
Image size: 32512
Image MD5: C99B3415198D1AAB7227F2C88FD664B9
Start: 3
Type: 1
Error Control: 1

Service (registry key): PalmUSBD
Image path: system32\drivers\PalmUSBD.sys
Image size: 16509
Image MD5: 803CF09C795290825607505D37819135
Start: 3
Type: 1
Error Control: 1

Service (registry key): Parport
Display name: Controlador de puerto paralelo
Image path: system32\DRIVERS\parport.sys
Image size: 80256
Image MD5: 0DF0B83C90473CCFDC3DC882CBB6E4A9
Start: 3
Type: 1
Error Control: 1

Service (registry key): PartMgr
Start: 0
Type: 1
Error Control: 1

Service (registry key): ParVdm
Start: 2
Type: 1
Error Control: 0
Depends On services: Parport
Depends On group: "Parallel arbitrator"

Service (registry key): PCI
Display name: Controlador de bus PCI
Image path: system32\DRIVERS\pci.sys
Image size: 68992
Image MD5: A566B8DA5E70B3237274D418853A87E0
Start: 0
Type: 1
Error Control: 3

Service (registry key): PCIDump
Start: 1
Type: 1
Error Control: 0

Service (registry key): PCIIde
Image path: system32\DRIVERS\pciide.sys
Image size: 3456
Image MD5: 33D63F0A9021ACB4D75D83B646B93A30
Start: 0
Type: 1
Error Control: 1

Service (registry key): Pcmcia
Start: 4
Type: 1
Error Control: 1

Service (registry key): PDCOMP
Start: 3
Type: 1
Error Control: 0

Service (registry key): PDFRAME
Start: 3
Type: 1
Error Control: 0

Service (registry key): PDRELI
Start: 3
Type: 1
Error Control: 0

Service (registry key): PDRFRAME
Start: 3
Type: 1
Error Control: 0

Service (registry key): perc2
Start: 4
Type: 1
Error Control: 1

Service (registry key): perc2hib
Start: 4
Type: 1
Error Control: 1

Service (registry key): PerfDisk
Start: 0
Type: 0
Error Control: 0

Service (registry key): PerfNet
Start: 0
Type: 0
Error Control: 0

Service (registry key): PerfOS
Start: 0
Type: 0
Error Control: 0

Service (registry key): PerfProc
Start: 0
Type: 0
Error Control: 0

Service (registry key): PlugPlay
Display name: Plug and Play
Description: Habilita un equipo para que reconozca y adapte los cambios de hardware con el menor esfuerzo por parte del usuario. Si se detiene o deshabilita este servicio, el sistema se volverá inestable.
Object name: LocalSystem
Image path: %SystemRoot%\system32\services.exe
Image size: 108544
Image MD5: F9852F505E0699BB83D5C6321917040B
Start: 2
Type: 32
Error Control: 1

Service (registry key): Pml Driver HPZ12
Display name: Pml Driver HPZ12
Object name: LocalSystem
Image path: C:\WINDOWS\system32\HPZipm12.exe
Image size: 65795
Image MD5: 5C1CADD1CB67C0B9D8A84EC6E4D6B5CC
Start: 3
Type: 16
Error Control: 1

Service (registry key): PolicyAgent
Display name: Servicios IPSEC
Description: Administra la directiva de seguridad IP e inicia el controlador ISAKMP/Oakley (IKE) y de seguridad IP.
Object name: LocalSystem
Image path: %SystemRoot%\system32\lsass.exe
Image size: 13312
Image MD5: 2B0B88652C9F6714FD4886839B3B0442
Start: 2
Type: 32
Error Control: 1
Depends On services: RPCSS,Tcpip,IPSec

Service (registry key): PptpMiniport
Display name: Minipuerto WAN (PPTP)
Description: Minipuerto WAN (PPTP)
Image path: system32\DRIVERS\raspptp.sys
Image size: 48384
Image MD5: 1C5CC65AAC0783C344F16353E60B72AC
Start: 3
Type: 1
Error Control: 1

Service (registry key): ProtectedStorage
Display name: Almacenamiento protegido
Description: Ofrece almacenamiento protegido para datos importantes, como claves privadas, para impedir el acceso de servicios, procesos o usuarios no autorizados.
Object name: LocalSystem
Image path: %SystemRoot%\system32\lsass.exe
Image size: 13312
Image MD5: 2B0B88652C9F6714FD4886839B3B0442
Start: 2
Type: 288
Error Control: 1
Depends On services: RpcSs

Service (registry key): PSched
Display name: Programador de paquetes QoS
Description: Programador de paquetes QoS
Image path: system32\DRIVERS\psched.sys
Image size: 69120
Image MD5: 48671F327553DCF1D27F6197F622A668
Start: 3
Type: 1
Error Control: 1
Depends On services: Gpc

Service (registry key): Ptilink
Display name: Controlador de vínculo paralelo directo
Description: Controlador de vínculo paralelo directo
Image path: system32\DRIVERS\ptilink.sys
Image size: 17792
Image MD5: 80D317BD1C3DBC5D4FE7B1678C60CADD
Start: 3
Type: 1
Error Control: 1

cbehrends
2007-04-08, 22:28
Service (registry key): ql1080
Start: 4
Type: 1
Error Control: 1

Service (registry key): Ql10wnt
Start: 4
Type: 1
Error Control: 1

Service (registry key): ql12160
Start: 4
Type: 1
Error Control: 1

Service (registry key): ql1240
Start: 4
Type: 1
Error Control: 1

Service (registry key): ql1280
Start: 4
Type: 1
Error Control: 1

Service (registry key): RasAcd
Display name: Controlador de conexión automática de acceso remoto
Description: Controlador de conexión automática de acceso remoto
Image path: system32\DRIVERS\rasacd.sys
Image size: 8832
Image MD5: FE0D99D6F31E4FAD8159F690D68DED9C
Start: 1
Type: 1
Error Control: 1

Service (registry key): RasAuto
Display name: Administrador de conexión automática de acceso remoto
Description: Crea una conexión a una red remota siempre que un programa hace referencia a un nombre o dirección DNS o NetBios remoto.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: RasMan,Tapisrv

Service (registry key): Rasl2tp
Display name: Minipuerto WAN (L2TP)
Description: Minipuerto WAN (L2TP)
Image path: system32\DRIVERS\rasl2tp.sys
Image size: 51328
Image MD5: 98FAEB4A4DCF812BA1C6FCA4AA3E115C
Start: 3
Type: 1
Error Control: 1

Service (registry key): RasMan
Display name: Administrador de conexión de acceso remoto
Description: Crea una conexión de red.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: Tapisrv

Service (registry key): RasPppoe
Display name: Controlador de acceso remoto PPPOE
Description: Controlador de acceso remoto PPPOE
Image path: system32\DRIVERS\raspppoe.sys
Image size: 41472
Image MD5: 7306EEED8895454CBED4669BE9F79FAA
Start: 3
Type: 1
Error Control: 1

Service (registry key): Raspti
Display name: Paralelo directo
Description: Paralelo directo
Image path: system32\DRIVERS\raspti.sys
Image size: 16512
Image MD5: FDBB1D60066FCFBB7452FD8F9829B242
Start: 3
Type: 1
Error Control: 1

Service (registry key): Rdbss
Display name: Rdbss
Description: Rdbss
Image path: system32\DRIVERS\rdbss.sys
Image size: 176512
Image MD5: 29D66245ADBA878FFF574CD66ABD2884
Start: 1
Type: 2
Error Control: 1

Service (registry key): RDPCDD
Image path: System32\DRIVERS\RDPCDD.sys
Image size: 4224
Image MD5: 4912D5B403614CE99C28420F75353332
Start: 1
Type: 1
Error Control: 0

Service (registry key): RDPDD
Start: 0
Type: 0
Error Control: 0

Service (registry key): rdpdr
Display name: Controlador de redireccionamiento de dispositivos de Terminal Server
Image path: system32\DRIVERS\rdpdr.sys
Image size: 196864
Image MD5: A2CAE2C60BC37E0751EF9DDA7CEAF4AD
Start: 3
Type: 1
Error Control: 1

Service (registry key): RDPNP
Start: 0
Type: 0
Error Control: 0

Service (registry key): RDPWD
Start: 3
Type: 1
Error Control: 0

Service (registry key): RDSessMgr
Display name: Administrador de sesión de Ayuda de escritorio remoto
Description: Administra y controla la Asistencia remota. Si se detiene este servicio, Asistencia remota no estará disponible. Antes de detener el servicio, vea la ficha Dependencias en el cuadro de diálogo Propiedades.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\sessmgr.exe
Image size: 142848
Image MD5: 8C88612F0E863B4F8069FC59C74259D4
Start: 3
Type: 16
Error Control: 1
Depends On services: RPCSS

Service (registry key): redbook
Display name: Controlador de filtro de reproducción de CD de sonido digital
Image path: system32\DRIVERS\redbook.sys
Image size: 58624
Image MD5: 28531A950381DA67FC6412DFEBCC8C5C
Start: 1
Type: 1
Error Control: 1

Service (registry key): RemoteAccess
Display name: Enrutamiento y acceso remoto
Description: Ofrece servicios de enrutamiento a empresas en entornos de red de área local y extensa.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 4
Type: 32
Error Control: 1
Depends On services: RpcSS
Depends On group: NetBIOSGroup

Service (registry key): RemoteRegistry
Display name: Registro remoto
Description: Habilita usuarios remotos para que modifiquen la configuración del Registro en este equipo. Si se detiene este servicio, cualquier usuario en este equipo puede modificar el Registro. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): RpcLocator
Display name: Localizador de llamadas a procedimiento remoto (RPC)
Description: Administra la base de datos de servicios de nombres RPC.
Object name: NT AUTHORITY\NetworkService
Image path: %SystemRoot%\system32\locator.exe
Image size: 75264
Image MD5: 08377EBB699418269613903C5340311F
Start: 3
Type: 16
Error Control: 1
Depends On services: LanmanWorkstation

Service (registry key): RpcSs
Display name: Llamada a procedimiento remoto (RPC)
Description: Ofrece el asignador de punto final y otros servicios RPC diversos.
Object name: NT AUTHORITY\NetworkService
Image path: %SystemRoot%\system32\svchost -k rpcss
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1

Service (registry key): RSVP
Display name: QoS RSVP
Description: Ofrece funcionalidad de señalización de red y control del tráfico local para programas y subprogramas de control compatibles con QoS.
Object name: LocalSystem
Image path: %SystemRoot%\system32\rsvp.exe
Image size: 132608
Image MD5: 5E38212C2C00DC342E2281D2F6BFB746
Start: 3
Type: 16
Error Control: 1
Depends On services: TcpIp,Afd,RpcSs

Service (registry key): SamSs
Display name: Administrador de cuentas de seguridad
Description: Almacena información de seguridad de cuentas de usuario locales.
Object name: LocalSystem
Image path: %SystemRoot%\system32\lsass.exe
Image size: 13312
Image MD5: 2B0B88652C9F6714FD4886839B3B0442
Start: 2
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): SCardSvr
Display name: Tarjeta inteligente
Description: Administra el acceso a una tarjeta inteligente de la el equipo hace lectura. Si este servicio se detiene, el equipo no podrá leer las tarjetas inteligentes. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\SCardSvr.exe
Image size: 99840
Image MD5: 71CAB99AD55F1DAAE201E990AA0EBDBF
Start: 3
Type: 32
Error Control: 0
Depends On services: PlugPlay

Service (registry key): Schedule
Display name: Programador de tareas
Description: Habilita un usuario para que configure y programe tareas automáticas en este equipo. Si se detiene este equipo, estas tareas no se ejecutarán en sus horas programadas. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): Secdrv
Display name: Secdrv
Description: SafeDisc driver
Image path: system32\DRIVERS\secdrv.sys
Image size: 27440
Image MD5: D26E26EA516450AF9D072635C60387F4
Start: 3
Type: 1
Error Control: 1

Service (registry key): seclogon
Display name: Inicio de sesión secundario
Description: Habilita los procesos de inicio en credenciales alternas. Si se detiene este servicio, se deshabilitará este tipo de acceso de inicio de sesión. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 288
Error Control: 0

Service (registry key): SENS
Display name: Notificación de sucesos del sistema
Description: Registra sucesos del sistema como los de inicio de sesión en Windows, red y energía, y los notifica a los suscriptores de sucesos del sistema COM+.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: EventSystem

Service (registry key): serenum
Display name: Controlador de filtro Serenum
Image path: system32\DRIVERS\serenum.sys
Image size: 15488
Image MD5: A2D868AEEFF612E70E213C451A70CAFB
Start: 3
Type: 1
Error Control: 1

Service (registry key): Serial
Display name: Controlador de puerto serie
Image path: system32\DRIVERS\serial.sys
Image size: 66176
Image MD5: FA9C4C4AC544301FA13C5C00A270399F
Start: 1
Type: 1
Error Control: 0

Service (registry key): Sfloppy
Start: 1
Type: 1
Error Control: 0
Depends On group: "SCSI miniport"

Service (registry key): SharedAccess
Display name: Firewall de Windows/Conexión compartida a Internet (ICS)
Description: Ofrece servicios de traducción de direcciones, direccionamiento, resolución de nombres y/o servicios de prevención de intrusión para una red doméstica o de pequeña empresa.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: Netman,WinMgmt

Service (registry key): ShellHWDetection
Display name: Detección de hardware shell
Description: Proporciona notificaciones sobre eventos de hardware AutoPlay.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 0
Depends On services: RpcSs

Service (registry key): Simbad
Start: 4
Type: 1
Error Control: 1

Service (registry key): SiS315
Image path: system32\DRIVERS\sisgrp.sys
Image size: 104064
Image MD5: C10865AB0A1FD9F4EC7DB70A1B8425D1
Start: 3
Type: 1
Error Control: 0

Service (registry key): SISNIC
Display name: Controlador de adaptador Fast Ethernet SiS PCI
Image path: system32\DRIVERS\sisnic.sys
Image size: 32768
Image MD5: 3FBB6EF8B5A71A2FA11F5F461BB73219
Start: 3
Type: 1
Error Control: 1

Service (registry key): smwdm
Image path: system32\drivers\smwdm.sys
Image size: 578304
Image MD5: BF208C85119770E6A9B6577019A3D810
Start: 3
Type: 1
Error Control: 1

Service (registry key): Sparrow
Start: 4
Type: 1
Error Control: 1

Service (registry key): splitter
Display name: Divisor de audio del núcleo de Microsoft
Image path: system32\drivers\splitter.sys
Image size: 6400
Image MD5: 8E186B8F23295D1E42C573B82B80D548
Start: 3
Type: 1
Error Control: 1

Service (registry key): Spooler
Display name: Cola de impresión
Description: Carga archivos en la memoria para imprimirlos después.
Object name: LocalSystem
Image path: %SystemRoot%\system32\spoolsv.exe
Image size: 57856
Image MD5: 1CF5AF263287CF6FEBF31539833EAF4A
Start: 2
Type: 272
Error Control: 1
Depends On services: RPCSS

Service (registry key): sptd
Image path: System32\Drivers\sptd.sys
Start: 0
Type: 1
Error Control: 1

Service (registry key): sr
Display name: Controlador de filtro de Restaurar sistema
Image path: system32\DRIVERS\sr.sys
Image size: 73600
Image MD5: 3C151D50CF3AE1683C6E3EC201B2AD3D
Start: 0
Type: 2
Error Control: 1

Service (registry key): srservice
Display name: Servicio de restauración de sistema
Description: Realiza funciones de restauración del sistema. Para detener el servicio, desactive Restaurar sistema en la ficha de Restaurar sistema en propiedades de Mi PC
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): Srv
Display name: Srv
Description: Srv
Image path: system32\DRIVERS\srv.sys
Image size: 336256
Image MD5: 20B7E396720353E4117D64D9DCB926CA
Start: 3
Type: 2
Error Control: 1

Service (registry key): SSDPSRV
Display name: Servicio de descubrimientos SSDP
Description: Habilita el descubrimiento de dispositivos UPnP en su red doméstica.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: HTTP

Service (registry key): StarWindService
Display name: StarWind iSCSI Service
Description: Enables network access to local devices via iSCSI protocol.
Object name: LocalSystem
Image path: C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Image size: 217600
Image MD5: AB2B9349ADA4AC5EC74B622B8303FE23
Start: 2
Type: 16
Error Control: 1

Service (registry key): stisvc
Display name: Adquisición de imágenes de Windows (WIA)
Description: Proporciona servicios de digitalización de imágenes para escáneres y cámaras.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k imgsvc
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): swenum
Display name: Controlador del bus de software
Image path: system32\DRIVERS\swenum.sys
Image size: 4352
Image MD5: 03C1BAE4766E2450219D20B993D6E046
Start: 3
Type: 1
Error Control: 1

cbehrends
2007-04-08, 22:29
Service (registry key): swmidi
Display name: Sintetizador de tabla de onda Microsoft Kernel GS
Image path: system32\drivers\swmidi.sys
Image size: 54272
Image MD5: 94ABC808FC4B6D7D2BBF42B85E25BB4D
Start: 3
Type: 1
Error Control: 1

Service (registry key): SwPrv
Display name: MS Software Shadow Copy Provider
Description: Administra instantáneas de volumen basadas en software y tomadas por el Servicio de instantáneas de volumen. Si se detiene el servicio, no se podrán administrar las instantáneas de volumen basadas en software. Si se deshabilita el servicio, no se podrá iniciar ninguno de los servicios que dependen explícitamente de él.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\dllhost.exe /Processid:{81BC7B28-6538-4B59-90C1-54E70E71AA85}
Image size: 5120
Image MD5: E7B97B5564D8362F95C4227A196DA4E1
Start: 3
Type: 16
Error Control: 0
Depends On services: rpcss

Service (registry key): symc810
Start: 4
Type: 1
Error Control: 1

Service (registry key): symc8xx
Start: 4
Type: 1
Error Control: 1

Service (registry key): sym_hi
Start: 4
Type: 1
Error Control: 1

Service (registry key): sym_u3
Start: 4
Type: 1
Error Control: 1

Service (registry key): sysaudio
Display name: Dispositivo de sonido del sistema Kernel de Microsoft
Image path: system32\drivers\sysaudio.sys
Image size: 60800
Image MD5: 650AD082D46BAC0E64C9C0E0928492FD
Start: 3
Type: 1
Error Control: 1

Service (registry key): SysmonLog
Display name: Registros y alertas de rendimiento
Description: Recopila información de rendimiento de equipos locales o remotos de acuerdo a parámetros de programación configurados previamente, luego guarda la información en un registro o emite una alerta. Si se detiene el servicio, no se recopilará la información de rendimiento. Si se deshabilita el servicio, no se podrá iniciar ninguno de los servicios que dependan explícitamente de él.
Object name: NT Authority\NetworkService
Image path: %SystemRoot%\system32\smlogsvc.exe
Image size: 92160
Image MD5: 69C20E092A03E619108ACCDB62FEDD18
Start: 3
Type: 16
Error Control: 1

Service (registry key): TapiSrv
Display name: Telefonía
Description: Ofrece compatibilidad con la API de telefonía (TAPI) para programas que controlan dispositivos de telefonía y conexiones de voz basadas en IP en el equipo local y, a través de la LAN, en servidores que utilizan también el servicio.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: PlugPlay,RpcSs

Service (registry key): Tcpip
Display name: Controlador de protocolo TCP/IP
Description: Controlador de protocolo TCP/IP
Image path: system32\DRIVERS\tcpip.sys
Image size: 359040
Image MD5: 9F4B36614A0FC234525BA224957DE55C
Start: 1
Type: 1
Error Control: 1
Depends On services: IPSec

Service (registry key): TDPIPE
Start: 3
Type: 1
Error Control: 0

Service (registry key): TDTCP
Start: 3
Type: 1
Error Control: 0

Service (registry key): TermDD
Display name: Controlador de dispositivo de terminal
Image path: system32\DRIVERS\termdd.sys
Image size: 40840
Image MD5: A540A99C281D933F3D69D55E48727F47
Start: 1
Type: 1
Error Control: 1

Service (registry key): TermService
Display name: Servicios de Terminal Server
Description: Permite que varios usuarios se conecten de forma interactiva a un equipo y que se muestren los escritorios y aplicaciones de equipos remotos. El acoplamiento de Escritorio remoto (incluido Escritorio remoto para administradores), Cambio rápido de usuarios, Asistencia remota y Terminal Server.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost -k DComLaunch
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): Themes
Display name: Temas
Description: Proporciona administración de temas de experiencia de usuario.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1

Service (registry key): TlntSvr
Display name: Telnet
Description: Permite que un usuario remoto inicie sesión en el equipo y ejecute programas , y sea compatible con varios clientes de Telnet TCP/IP, incluyendo los equipos basados en UNIX y Windows. Si este servicio se detiene, es posible que el acceso al usuario remoto no esté disponible. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\tlntsvr.exe
Image size: 74240
Image MD5: 2B7F532A887E4B942415FCD8AD40AF5F
Start: 4
Type: 16
Error Control: 1
Depends On services: RPCSS,TCPIP,NTLMSSP

Service (registry key): TosIde
Start: 4
Type: 1
Error Control: 1

Service (registry key): TrkWks
Display name: Cliente de seguimiento de vinculos distribuidos
Description: Mantiene vínculos entre archivos NTFS dentro de un equipo o entre equipos en un dominio de red.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): TSDDD
Start: 0
Type: 0
Error Control: 0

Service (registry key): uagp35
Display name: Filtro AGPv3.5 de Microsoft
Image path: system32\DRIVERS\uagp35.sys
Image size: 44672
Image MD5: 49C805D42D75EDDC9B6A7130999C9054
Start: 0
Type: 1
Error Control: 1

Service (registry key): Udfs
Start: 4
Type: 2
Error Control: 1

Service (registry key): ultra
Start: 4
Type: 1
Error Control: 1

Service (registry key): Update
Display name: Dispositivo de actualización Microcode
Image path: system32\DRIVERS\update.sys
Image size: 209408
Image MD5: AFF2E5045961BBC0A602BB6F95EB1345
Start: 3
Type: 1
Error Control: 1

Service (registry key): upnphost
Display name: Host de dispositivo Plug and Play universal
Description: Proporciona compatibilidad para albergar dispositivos Plug and Play universales.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: SSDPSRV,HTTP

Service (registry key): UPS
Display name: Sistema de alimentación ininterrumpida
Description: Administra un sistema de alimentación ininterrumpida (UPS) conectado al equipo.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\ups.exe
Image size: 18432
Image MD5: FCD517BF3DB339F5D18EDE1A95D72F71
Start: 3
Type: 16
Error Control: 1

Service (registry key): usbaudio
Display name: Controlador de audio USB (WDM)
Image path: system32\drivers\usbaudio.sys
Image size: 59264
Image MD5: 45A0D14B26C35497AD93BCE7E15C9941
Start: 3
Type: 1
Error Control: 1

Service (registry key): usbccgp
Display name: Controlador primario genérico USB de Microsoft
Image path: system32\DRIVERS\usbccgp.sys
Image size: 31616
Image MD5: BFFD9F120CC63BCBAA3D840F3EEF9F79
Start: 3
Type: 1
Error Control: 1

Service (registry key): usbehci
Display name: Controlador minipuerto de la controladora mejorada USB 2.0 de Microsoft
Image path: system32\DRIVERS\usbehci.sys
Image size: 26624
Image MD5: 15E993BA2F6946B2BFBBFCD30398621E
Start: 3
Type: 1
Error Control: 1

Service (registry key): usbhub
Display name: Controlador de concentrador estándar USB de Microsoft
Image path: system32\DRIVERS\usbhub.sys
Image size: 57600
Image MD5: C72F40947F92CEA56A8FB532EDF025F1
Start: 3
Type: 1
Error Control: 1

Service (registry key): usbohci
Display name: Controlador minipuerto de la controladora de host abierto USB de Microsoft
Image path: system32\DRIVERS\usbohci.sys
Image size: 17024
Image MD5: BDFE799A8531BAD8A5A985821FE78760
Start: 3
Type: 1
Error Control: 1

Service (registry key): usbprint
Display name: Clase de impresora USB de Microsoft
Image path: system32\DRIVERS\usbprint.sys
Image size: 25856
Image MD5: A42369B7CD8886CD7C70F33DA6FCBCF5
Start: 3
Type: 1
Error Control: 1

Service (registry key): usbstor
Display name: Dispositivo de almacenamiento masivo de datos USB
Image path: system32\DRIVERS\USBSTOR.SYS
Image size: 26496
Image MD5: 6CD7B22193718F1D17A47A1CD6D37E75
Start: 3
Type: 1
Error Control: 1

Service (registry key): usnsvc
Display name: Servicio Messenger Sharing USN Journal Reader
Description: Servicio instalado por Messenger para habilitar escenarios para compartir
Object name: LocalSystem
Image path: C:\WINDOWS\system32\svchost.exe -k usnsvc
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 16
Error Control: 1
Depends On services: rpcss,eventlog

Service (registry key): Vax347b
Image path: system32\DRIVERS\Vax347b.sys
Image size: 159616
Image MD5: CB3400D696BEE266C38CAE330C2B4337
Start: 0
Type: 1
Error Control: 1

Service (registry key): Vax347s
Image path: System32\Drivers\Vax347s.sys
Image size: 5248
Image MD5: 113E4B318BBAA7483CA4E582A4D63F49
Start: 0
Type: 1
Error Control: 0

Service (registry key): vaxscsi
Image path: \SystemRoot\System32\Drivers\vaxscsi.sys
Start: 3
Type: 1
Error Control: 1

Service (registry key): VgaSave
Image path: \SystemRoot\System32\drivers\vga.sys
Start: 1
Type: 1
Error Control: 0

Service (registry key): ViaIde
Start: 4
Type: 1
Error Control: 1

Service (registry key): VolSnap
Start: 0
Type: 1
Error Control: 1

Service (registry key): VSS
Display name: Instantáneas de volumen
Description: Administra e implementa Instantáneas de volumen usadas para copias de seguridad y otros propósitos. Si este servicio se detiene, las instantáneas se deshabilitarán para la copia de seguridad y ésta dará un error. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: LocalSystem
Image path: %SystemRoot%\System32\vssvc.exe
Image size: 293888
Image MD5: E8649EC7621B5AE45A29164CAE41A6DF
Start: 3
Type: 16
Error Control: 1
Depends On services: RPCSS

Service (registry key): VXD
Start: 0
Type: 0
Error Control: 0

Service (registry key): W32Time
Display name: Horario de Windows
Description: Mantiene la sincronización de fecha y hora en todos los clientes y servidores de la red. Si se detiene este servicio, no estará disponible la sincronización de fecha y hora. Si se deshabilita este servicio, no se podrá iniciar ninguno de los servicios que dependen explícitamente de él.

Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1

Service (registry key): W3SVC
Start: 0
Type: 0
Error Control: 0

Service (registry key): Wanarp
Display name: Controlador ARP IP de acceso remoto
Description: Controlador ARP IP de acceso remoto
Image path: system32\DRIVERS\wanarp.sys
Image size: 34560
Image MD5: 984EF0B9788ABF89974CFED4BFBAACBC
Start: 3
Type: 1
Error Control: 1

Service (registry key): WDICA
Start: 3
Type: 1
Error Control: 0

Service (registry key): wdmaud
Display name: Controlador de compatibilidad de audio Microsoft WINMM WDM
Image path: system32\drivers\wdmaud.sys
Image size: 82944
Image MD5: 2797F33EBF50466020C430EE4F037933
Start: 3
Type: 1
Error Control: 1

Service (registry key): WebClient
Display name: Cliente Web
Description: Habilita los programas basados en Windows para que creen, tengan acceso y modifiquen archivos basados en Internet. Si este servicio se detiene, estas funciones no estarán disponibles. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: MRxDAV

Service (registry key): winmgmt
Display name: Instrumental de administración de Windows
Description: Proporciona una interfaz común y un modelo de objeto para tener acceso a la información de administración acerca de un sistema operativo, dispositivos, aplicaciones y servicios. Si se detiene este servicio, la mayoría del software basado en Windows no funcionará correctamente. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse.
Object name: LocalSystem
Image path: %systemroot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 0
Depends On services: RPCSS

Service (registry key): Winsock
Start: 3
Type: 4
Error Control: 1

Service (registry key): WinSock2
Start: 0
Type: 0
Error Control: 0

Service (registry key): WinTrust
Start: 0
Type: 0
Error Control: 0

Service (registry key): WmdmPmSN
Display name: Servicio del número de serie de medio portátil
Description: Recupera el número de serie de cualquier reproductor de medio portátil conectado al equipo. Si este servicio se interrumpe, puede que los contenidos protegidos no se descarguen en el dispositivo.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1

Service (registry key): Wmi
Display name: Extensiones de controlador de Instrumental de administración de Windows
Description: Proporciona información de administración de sistemas a y desde controladores.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1

Service (registry key): WmiApRpl
Start: 0
Type: 0
Error Control: 0

Service (registry key): WmiApSrv
Display name: Adaptador de rendimiento de WMI
Description: Proporciona información de la biblioteca de rendimiento desde los proveedores HiPerf de WMI.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\wbem\wmiapsrv.exe
Image size: 126464
Image MD5: 2710BF9B02BC92D352CFCABAC64918FA
Start: 3
Type: 16
Error Control: 1
Depends On services: RPCSS

Service (registry key): WS2IFSL
Display name: Entorno de compatibilidad con proveedores de servicios no IFS de Windows Socket 2.0
Image path: \SystemRoot\System32\drivers\ws2ifsl.sys
Start: 1
Type: 1
Error Control: 1

Service (registry key): wscsvc
Display name: Centro de seguridad
Description: Supervisa las configuraciones de seguridad del sistema.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs,winmgmt

Service (registry key): wuauserv
Display name: Actualizaciones automáticas
Description: Habilita la descarga e instalación de actualizaciones de Windows. Si este servicio se deshabilita, el equipo no podrá usar la característica Actualizaciones automáticas ni el sitio Web de Windows Update.
Object name: LocalSystem
Image path: %systemroot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1

Service (registry key): WZCSVC
Display name: Configuración inalámbrica rápida
Description: Proporciona configuración automática para los adaptadores 802.11
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs,Ndisuio

Service (registry key): xmlprov
Display name: Servicio de aprovisionamiento de red
Description: Administra los archivos de configuración XML en cada dominio para el aprovisionamiento de red automático.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): {2EB466C1-FC90-45AB-A5B6-D1AAE74BB422}
Start: 0
Type: 0
Error Control: 0


Basically, according to spybot the computer is still infected. What do you think?

Carlos

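As an added example (not part of the thread and not Spybot's own code), here is a small Python triage script that parses the "Service (registry key)" blocks of a listing like the one posted above and flags a few things a responder would want to double-check: service keys named by a bare GUID, auto-start services whose image lives outside the Windows directory, and svchost.exe entries whose reported MD5 disagrees with the rest. The sample input is constructed from entries copied out of the listing plus one made-up svchost entry (`ExampleSvc`, with an all-zero hash) so the hash-consistency check has something to report; the heuristics are mine, not Spybot's, and a flag means "verify this", not "this is malicious".

```python
"""Triage helper for Spybot S&D 'Service (registry key)' listings (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: real entries copied from the thread's listing, plus
# 'ExampleSvc', which is invented here to exercise the svchost hash check.
SAMPLE_LISTING = r"""
Service (registry key): SSDPSRV
Display name: Servicio de descubrimientos SSDP
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 3
Type: 32
Error Control: 1
Depends On services: HTTP

Service (registry key): StarWindService
Display name: StarWind iSCSI Service
Object name: LocalSystem
Image path: C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Image size: 217600
Image MD5: AB2B9349ADA4AC5EC74B622B8303FE23
Start: 2
Type: 16
Error Control: 1

Service (registry key): symc810
Start: 4
Type: 1
Error Control: 1

Service (registry key): Themes
Display name: Temas
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: FA03E1FC17F38FBDBA81470D08B3E416
Start: 2
Type: 32
Error Control: 1

Service (registry key): ExampleSvc
Display name: Constructed entry (not from the thread)
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 00000000000000000000000000000000
Start: 2
Type: 32
Error Control: 1

Service (registry key): {2EB466C1-FC90-45AB-A5B6-D1AAE74BB422}
Start: 0
Type: 0
Error Control: 0
"""

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Prefixes Spybot uses for images under the Windows directory (assumption: XP-era layout).
SYSTEM_PREFIXES = ("%systemroot%", "\\systemroot", "system32\\", "c:\\windows\\")


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Split the listing into one dict per service; the first colon ends a field name."""
    services: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = FIELD_RE.match(line) if line else None
        if not match:
            continue
        key, value = match.group(1).strip(), match.group(2).strip()
        if key == "Service (registry key)":
            current = {"name": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services


def image_file(entry: Dict[str, str]) -> str:
    """Image path without svchost '-k group' or '/Processid' arguments."""
    path = entry.get("Image path", "")
    return path.split(" -k ")[0].split(" /")[0].strip()


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def flag_entries(services: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs for entries that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    svchost_md5: Dict[str, List[str]] = {}
    for svc in services:
        name = svc["name"]
        start = int(svc.get("Start", "-1"))
        path = image_file(svc)
        if GUID_RE.match(name):
            findings.append((name, "service key named by a bare GUID; verify what created it"))
        # Start 0/1/2 = boot, system, automatic: runs without user action.
        if path and start in (0, 1, 2) and not is_system_path(path):
            findings.append((name, f"auto-start image outside the Windows directory: {path}"))
        if path.lower().endswith(("svchost.exe", "svchost")):
            svchost_md5.setdefault(svc.get("Image MD5", "?"), []).append(name)
    # Every svchost entry is the same file, so every reported MD5 should agree.
    if len(svchost_md5) > 1:
        expected = max(svchost_md5, key=lambda h: len(svchost_md5[h]))
        for md5, names in svchost_md5.items():
            if md5 != expected:
                for name in names:
                    findings.append((name, f"svchost MD5 {md5} differs from the majority {expected}"))
    return findings


if __name__ == "__main__":
    for name, reason in flag_entries(parse_listing(SAMPLE_LISTING)):
        print(f"{name}: {reason}")
```

Run it against a full listing by pasting the whole "Service (registry key)" section into `SAMPLE_LISTING` or reading it from a file; a legitimate product like the StarWind service will trip the "outside the Windows directory" check too, which is the point of treating each flag as a question rather than a verdict.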
Shaba
2007-04-09, 11:53
Hi

Those are just registry entries.

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Delete these (right-click -> delete):

HKEY_USERS\S-1-5-21-602162358-813497703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{871A54C1-1EB3-48BD-A879-5DBA4EF16BE6}
HKEY_LOCAL_MACHINE\SOFTWARE\Araf15
HKEY_USERS\S-1-5-21-602162358-813497703-682003330-1003\Software\Microsoft\aldd

Run another scan with spybot and tell me if it still finds them?

cbehrends
2007-04-13, 01:46
Hi Shaba,

Sorry for the delay! I was on a trip.

It was a little bit strange. I ran Spybot, and first I got a problem:

BFast: Tracking cookie (Internet Explorer: Andy) (Cookie, fixed)

I fixed it with Spybot, and a second run was clean.

What is strange for me is that after all these steps still a cookie appeared, and Spybot was able to clean it easily.

But I guess everything is normal now. I assume the case is closed, Thanks!

Carlos

Shaba
2007-04-13, 17:54
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)
2) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Comodo (http://www.personalfirewall.comodo.com/)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google Toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

Shaba
2007-04-15, 11:24
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.