
Thread: can't get rid of hldrrr.exe, srosa.sys, wintems.exe

  1. #31
    Retired Security Volunteer (Join Date: Sep 2007, Location: Ireland, Posts: 1,620)

    Don't worry, Guillermo, we will get rid of the infections.

    Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

    [Kill Explorer]
    [Unregister Dlls]
    [Processes - Non-Microsoft Only]
    YY -> wintems.exe -> %System32%\wintems.exe
    [Win32 Services - Non-Microsoft Only]
    YN -> (aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\aswUpdSv.exe
    YN -> (avast! Antivirus) avast! Antivirus [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\ashServ.exe
    YN -> (avast! Mail Scanner) avast! Mail Scanner [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\ashMaiSv.exe
    YN -> (avast! Web Scanner) avast! Web Scanner [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\ashWebSv.exe
    YN -> (AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    YN -> (Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Disabled | Stopped] -> %SystemDrive%\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    YN -> (Avg7UpdSvc) AVG7 Update Service [Win32_Own | Disabled | Stopped] -> %SystemDrive%\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    YN -> (AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Stopped] -> %SystemDrive%\ARCHIV~1\Grisoft\AVG7\avgemc.exe
    YN -> (sdAuxService) PC Tools Auxiliary Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Spyware Doctor\svcntaux.exe
    YN -> (sdCoreService) PC Tools Security Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Spyware Doctor\swdsvc.exe
    [Registry - Non-Microsoft Only]
    < Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    YN -> {92780B25-18CC-41C8-B9BE-3C9C571A8263}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Referencia]
    < Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
    YN -> CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] -> [Referencia]
    NY -> CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Antivirus\Spybot\SDHelper.dll [Spybot - Search & Destroy Configuration]
    < Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
    YN -> Convertir a PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm
    YN -> Convertir a PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm
    YN -> Convertir destino de vínculo a PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm
    YN -> Convertir destino de vínculo en archivo PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm
    YN -> Convertir selección a archivo PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm
    YN -> Convertir selección a PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm
    YN -> Convertir vínculos seleccionados a PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm
    YN -> Convertir vínculos seleccionados a PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm
    YN -> E&xportar a Microsoft Excel ->
    [Files/Folders - Created Within 90 days]
    YY -> 112062.exe -> %System32%\drivers\down\112062.exe
    YY -> 126609.exe -> %System32%\drivers\down\126609.exe
    YY -> 128218.exe -> %System32%\drivers\down\128218.exe
    YY -> 136468.exe -> %System32%\drivers\down\136468.exe
    YY -> 148046.exe -> %System32%\drivers\down\148046.exe
    YY -> 148625.exe -> %System32%\drivers\down\148625.exe
    YY -> 157625.exe -> %System32%\drivers\down\157625.exe
    YY -> 172015.exe -> %System32%\drivers\down\172015.exe
    YY -> 172968.exe -> %System32%\drivers\down\172968.exe
    YY -> 201078.exe -> %System32%\drivers\down\201078.exe
    YY -> 205234.exe -> %System32%\drivers\down\205234.exe
    YY -> 206437.exe -> %System32%\drivers\down\206437.exe
    YY -> 210843.exe -> %System32%\drivers\down\210843.exe
    YY -> 212625.exe -> %System32%\drivers\down\212625.exe
    YY -> 216515.exe -> %System32%\drivers\down\216515.exe
    YY -> 236765.exe -> %System32%\drivers\down\236765.exe
    YY -> 257734.exe -> %System32%\drivers\down\257734.exe
    YY -> 261281.exe -> %System32%\drivers\down\261281.exe
    YY -> 262093.exe -> %System32%\drivers\down\262093.exe
    YY -> 263078.exe -> %System32%\drivers\down\263078.exe
    YY -> 264218.exe -> %System32%\drivers\down\264218.exe
    YY -> 269906.exe -> %System32%\drivers\down\269906.exe
    YY -> 281609.exe -> %System32%\drivers\down\281609.exe
    YY -> 36015.exe -> %System32%\drivers\down\36015.exe
    YY -> 39234.exe -> %System32%\drivers\down\39234.exe
    YY -> 425750.exe -> %System32%\drivers\down\425750.exe
    YY -> 437484.exe -> %System32%\drivers\down\437484.exe
    YY -> 446437.exe -> %System32%\drivers\down\446437.exe
    YY -> 449625.exe -> %System32%\drivers\down\449625.exe
    YY -> 452875.exe -> %System32%\drivers\down\452875.exe
    YY -> 455140.exe -> %System32%\drivers\down\455140.exe
    YY -> 459015.exe -> %System32%\drivers\down\459015.exe
    YY -> 460140.exe -> %System32%\drivers\down\460140.exe
    YY -> 468109.exe -> %System32%\drivers\down\468109.exe
    YY -> 571625.exe -> %System32%\drivers\down\571625.exe
    YY -> 572437.exe -> %System32%\drivers\down\572437.exe
    YY -> 580406.exe -> %System32%\drivers\down\580406.exe
    YY -> 594140.exe -> %System32%\drivers\down\594140.exe
    YY -> 595421.exe -> %System32%\drivers\down\595421.exe
    YY -> 614015.exe -> %System32%\drivers\down\614015.exe
    YY -> 626718.exe -> %System32%\drivers\down\626718.exe
    YY -> 635109.exe -> %System32%\drivers\down\635109.exe
    YY -> 637984.exe -> %System32%\drivers\down\637984.exe
    YY -> 647031.exe -> %System32%\drivers\down\647031.exe
    YY -> 77218.exe -> %System32%\drivers\down\77218.exe
    YY -> wget.exe -> %SystemRoot%\wget.exe
    [Files/Folders - Modified Within 90 days]
    YY -> 112062.exe -> %System32%\drivers\down\112062.exe
    YY -> 126609.exe -> %System32%\drivers\down\126609.exe
    YY -> 128218.exe -> %System32%\drivers\down\128218.exe
    YY -> 136468.exe -> %System32%\drivers\down\136468.exe
    YY -> 148046.exe -> %System32%\drivers\down\148046.exe
    YY -> 148625.exe -> %System32%\drivers\down\148625.exe
    YY -> 157625.exe -> %System32%\drivers\down\157625.exe
    YY -> 172015.exe -> %System32%\drivers\down\172015.exe
    YY -> 172968.exe -> %System32%\drivers\down\172968.exe
    YY -> 201078.exe -> %System32%\drivers\down\201078.exe
    YY -> 205234.exe -> %System32%\drivers\down\205234.exe
    YY -> 206437.exe -> %System32%\drivers\down\206437.exe
    YY -> 210843.exe -> %System32%\drivers\down\210843.exe
    YY -> 212625.exe -> %System32%\drivers\down\212625.exe
    YY -> 216515.exe -> %System32%\drivers\down\216515.exe
    YY -> 236765.exe -> %System32%\drivers\down\236765.exe
    YY -> 257734.exe -> %System32%\drivers\down\257734.exe
    YY -> 261281.exe -> %System32%\drivers\down\261281.exe
    YY -> 262093.exe -> %System32%\drivers\down\262093.exe
    YY -> 263078.exe -> %System32%\drivers\down\263078.exe
    YY -> 264218.exe -> %System32%\drivers\down\264218.exe
    YY -> 269906.exe -> %System32%\drivers\down\269906.exe
    YY -> 281609.exe -> %System32%\drivers\down\281609.exe
    YY -> 36015.exe -> %System32%\drivers\down\36015.exe
    YY -> 39234.exe -> %System32%\drivers\down\39234.exe
    YY -> 425750.exe -> %System32%\drivers\down\425750.exe
    YY -> 437484.exe -> %System32%\drivers\down\437484.exe
    YY -> 446437.exe -> %System32%\drivers\down\446437.exe
    YY -> 449625.exe -> %System32%\drivers\down\449625.exe
    YY -> 452875.exe -> %System32%\drivers\down\452875.exe
    YY -> 455140.exe -> %System32%\drivers\down\455140.exe
    YY -> 459015.exe -> %System32%\drivers\down\459015.exe
    YY -> 460140.exe -> %System32%\drivers\down\460140.exe
    YY -> 468109.exe -> %System32%\drivers\down\468109.exe
    YY -> 571625.exe -> %System32%\drivers\down\571625.exe
    YY -> 572437.exe -> %System32%\drivers\down\572437.exe
    YY -> 580406.exe -> %System32%\drivers\down\580406.exe
    YY -> 594140.exe -> %System32%\drivers\down\594140.exe
    YY -> 595421.exe -> %System32%\drivers\down\595421.exe
    YY -> 614015.exe -> %System32%\drivers\down\614015.exe
    YY -> 626718.exe -> %System32%\drivers\down\626718.exe
    YY -> 635109.exe -> %System32%\drivers\down\635109.exe
    YY -> 637984.exe -> %System32%\drivers\down\637984.exe
    YY -> 647031.exe -> %System32%\drivers\down\647031.exe
    YY -> 77218.exe -> %System32%\drivers\down\77218.exe
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    YN -> "drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" ->
    YN -> "german.exe"="C:\WINDOWS\system32\wintems.exe" ->
    YN -> C:\WINDOWS\system32\wintems.exe 471556 bytes executable ->
    YN -> C:\WINDOWS\system32\drivers\srosa.sys 108928 bytes executable ->
    YN -> C:\WINDOWS\system32\drivers\hldrrr.exe 533734 bytes executable ->
    [Empty Temp Folders]
    [Start Explorer]
    [ZipFiles]
    The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

    I will review the information when it comes back in.

    Then run ComboFix.exe again straight after and post that log here. Also do the IceSword steps again; however, the files/processes may not be there. Also post a new IceSword log.

    You should find a zip file after you run WinPFind35. I need you to do the following with it.

    CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

    Please go here:
    The Spy Killer Forum
    • Click on "New Topic"
    • Put your name, e-mail address, and this as the title: "%System32%\drivers\down\210843.exe and more"
    • Put a link to this topic in the description box.
    • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
      • %System32%\drivers\down\210843.exe and more
    • Click Open.
    • Click Post.

    Thank you!

    Then reboot and see how your PC is running and let me know how it all went.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
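A defender-side triage of the autostart entries and file paths that the fix script above removes, written as an added example (not code from the post, from WinPFind or from HijackThis); it assumes a default C:\WINDOWS install and constructs its sample lines from the indicators in the thread:

```python
"""Triage of autostart entries and file paths against the persistence
pattern removed by the WinPFind fix in the post above.

Added example; not code from the thread, from WinPFind or from HijackThis.
Rules come from the fix script and the thread title: executables started
from system32\\drivers, payloads in drivers\\down with numeric names,
wget.exe dropped in the Windows folder, and the three named files
hldrrr.exe, wintems.exe and srosa.sys.
"""
import re

# File names from the thread title; the only name-based indicators used here.
KNOWN_BAD_NAMES = {"hldrrr.exe", "wintems.exe", "srosa.sys"}

# WinPFind placeholders expanded to XP defaults. Assumption: a C:\WINDOWS
# install, which matches the paths in the HijackThis log in the thread.
PLACEHOLDERS = {
    "%system32%": r"c:\windows\system32",
    "%systemroot%": r"c:\windows",
    "%systemdrive%": "c:",
}

# HijackThis O4 line, e.g.  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def normalize(path: str) -> str:
    """Lower-case the path, expand WinPFind placeholders and unify separators."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    for tag, real in PLACEHOLDERS.items():
        p = p.replace(tag, real)
    return p


def image_from_command(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line: a quoted
    path ends at the closing quote, an unquoted one at the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]


def classify(path: str) -> list:
    """Return the name of every rule the path matches (empty list = clean)."""
    p = normalize(path)
    base = p.rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    hits = []
    if base in KNOWN_BAD_NAMES:
        hits.append("known-bagle-name")
    if "\\system32\\drivers\\" in p and ext == "exe":
        hits.append("exe-in-drivers-dir")      # drivers\ should hold .sys files, not .exe
    if "\\system32\\drivers\\down\\" in p:
        hits.append("drivers-down-dropper-dir")
    if stem.isdigit():
        hits.append("numeric-filename")       # 112062.exe, 210843.exe, ...
    if p.endswith("\\windows\\wget.exe"):
        hits.append("wget-in-windows-dir")    # downloader dropped next to the OS
    return hits


def triage(lines: list) -> list:
    """Run HijackThis O4 lines and bare file paths through the rules.
    Returns (label, image path, rule hits) for every entry that hits."""
    report = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            label = m["hive"] + "\\Run\\" + m["name"]
            image = image_from_command(m["cmd"])
        else:
            label, image = "file", line
        hits = classify(image)
        if hits:
            report.append((label, image, hits))
    return report


# Constructed sample: the two Run values from the fix script rewritten in
# HijackThis O4 form, three benign O4 lines from the log posted later in
# the thread, and paths from the fix script's file list.
SAMPLE = [
    r"O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe",
    r"O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" -hide',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"%System32%\drivers\down\210843.exe",
    r"%SystemRoot%\wget.exe",
    r"C:\WINDOWS\system32\drivers\srosa.sys",
]

if __name__ == "__main__":
    for label, image, hits in triage(SAMPLE):
        print(f"{label}: {image} -> {', '.join(hits)}")
```

The benign NvCplDaemon, Windows Defender and ctfmon.exe lines produce no hits, so the report contains only the five entries the fix script targets.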

  2. #32
    Junior Member (Join Date: Jan 2008, Posts: 29)

    Hi, Rorschach112. Thanks for your post. I was just writing when it arrived. Before I proceed, let me tell you what happened yesterday, after my last post reporting the re-infection.

    I re-applied the two steps that you suggested, which were able to remove the infection even after a reboot. These were:

    1. Prepare a CFScript.txt with instructions for file removal and registry repair. In the file removal, I added all the bad files downloaded by the virus in system32\drivers\down, besides hldrrr.exe.

    2. Drop this script on top of ComboFix.

    3. Run avz4 to repair SafeBoot (fortunately I had been able to update before, since network connection was again broken after ComboFix).

    4. Reboot.

    After this, the computer was clean. IceSword reported no hidden processes or bad SSDT. AVG AntiRootkit reported all clean. The bad files were gone. I waited a few minutes and all continued to be OK. So I decided to:

    5. Reinstall Spybot. The installer ran (good!). A full scan found a couple of bad items (one of them seemed related to the Bagle, which seems to be the infection I had). I removed all.

    6. Reinstall AVG. The installer ran (excellent!). I started a complete scan and went to bed. Today the results showed 16 infections found, all removed (several were in the vaults of the tools run at your suggestion). After this I reinstalled Avast and ran a new full scan, which found nothing.

    One interesting note: Immediately after AVG completed installation, it reported that WinPFind35U, on my Desktop, was infected. It was moved to the vault, and it's now there. WinPFind35U was the last tool I ran, after which the infection reappeared. What do you think? Is it possible that the downloaded file was infected, or that the virus took refuge on an otherwise clean tool? Isn't it strange?

    So, the system seems clean now. I would rather run some scans if you suggest so, to verify the results of Spybot, AVG and Avast. I do not believe that further cleaning is necessary. Let me know your opinion.

    Guillermo

  3. #33
    Retired Security Volunteer (Join Date: Sep 2007, Location: Ireland, Posts: 1,620)

    Hello Guillermo, sounds like you did a pretty good job!

    The reason why your infection came back was due to all those .exe files. They weren't showing up in any of your logs, which is strange.

    "Immediately after AVG completed installation, it reported that WinPFind35U, on my Desktop, was infected."
    Unfortunately this is a false positive. A lot of our tools get detected as malware even though they are not; it is something we have to live with. Do not worry about it though.

    Let's just do another scan to be 100% sure you are clean. There are probably a few remains left.

    Do this again:

    Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
    • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
    • Under Rootkit Search on the left, change it to Yes.
    • Under Additional Scans check the box beside Reg - Disabled MS Config Items.
    • Now click the Run Scan button on the toolbar.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

    Make sure you attach the report in your reply.

    Also post a new HijackThis log.

    Can you also run IceSword and take a screenshot of the following areas: Processes, Win32 Services, SSDT, making sure to have the red entries in the screenshot if present; if there are none, take a screenshot anyway for me.

  4. #34
    Junior Member (Join Date: Jan 2008, Posts: 29)

    Hi. Unfortunately, AVG does not allow me to run WinPFind35U. Even if I tell it to "Ignore" the threat, Windows then gives me a "can't access" error when I try to run the tool.

    Guillermo

  5. #35
    Retired Security Volunteer (Join Date: Sep 2007, Location: Ireland, Posts: 1,620)

    Can you make sure AVG is fully closed, then re-download WinPFind35 again and run it.

    If not, then do this:

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

    Then do the other steps in my previous post.

  6. #36
    Junior Member (Join Date: Jan 2008, Posts: 29)

    Here's a HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:16:02 PM, on 1/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\Antivirus\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
    C:\Archivos de programa\Antivirus\Avast\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
    C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
    C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
    C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
    C:\Archivos de programa\Net\Opera\Opera.exe
    C:\Archivos de programa\Util\Total Commander 7\TOTALCMD.EXE
    C:\Archivos de programa\Util\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;*.local;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191420182250
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

    --
    End of file - 10472 bytes

  7. #37
    Junior Member (Join Date: Jan 2008, Posts: 29)

    Here's an IceSword Processes log:

    Process:

    System Idle Process
    System
    C:\WINDOWS\RTHDCPL.exe
    C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
    C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
    C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
    C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Archivos de programa\Antivirus\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Archivos de programa\Util\IceSword\IceSword.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
    C:\Archivos de programa\Util\Total Commander 7\TOTALCMD.EXE
    C:\Archivos de programa\Antivirus\Avast\ashServ.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
    C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
    C:\WINDOWS\system32\alg.exe
    C:\Archivos de programa\Net\Opera\Opera.exe

  8. #38
    Junior Member (Join Date: Jan 2008, Posts: 29)

    Here's an IceSword Win32Services log:

    Started Service:

    Service Name:ALG Display Name:Servicio de puerta de enlace de capa de aplicación
    Service Name:aswUpdSv Display Name:avast! iAVS4 Control Service
    Service Name:AudioSrv Display Name:Audio de Windows
    Service Name:avast! Antivirus Display Name:avast! Antivirus
    Service Name:avast! Mail Scanner Display Name:avast! Mail Scanner
    Service Name:avast! Web Scanner Display Name:avast! Web Scanner
    Service Name:Avg7Alrt Display Name:AVG7 Alert Manager Server
    Service Name:Avg7UpdSvc Display Name:AVG7 Update Service
    Service Name:AVGEMS Display Name:AVG E-mail Scanner
    Service Name:BITS Display Name:Servicio de transferencia inteligente en segundo plano
    Service Name:Browser Display Name:Examinador de equipos
    Service Name:CryptSvc Display Name:Servicios de cifrado
    Service Name:DcomLaunch Display Name:Iniciador de procesos de servidor DCOM
    Service Name:Dhcp Display Name:Cliente DHCP
    Service Name:dmserver Display Name:Administrador de discos lógicos
    Service Name:Dnscache Display Name:Cliente DNS
    Service Name:ERSvc Display Name:Error Reporting Service
    Service Name:Eventlog Display Name:Registro de sucesos
    Service Name:EventSystem Display Name:Sistema de sucesos COM+
    Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidad de cambio rápido de usuario
    Service Name:FileZilla Server Display Name:FileZilla Server FTP server
    Service Name:gusvc Display Name:Google Updater Service
    Service Name:helpsvc Display Name:Ayuda y soporte técnico
    Service Name:lanmanserver Display Name:Servidor
    Service Name:lanmanworkstation Display Name:Estación de trabajo
    Service Name:LmHosts Display Name:Ayuda de NetBIOS sobre TCP/IP
    Service Name:Netman Display Name:Conexiones de red
    Service Name:Nla Display Name:NLA (Network Location Awareness)
    Service Name:NVSvc Display Name:NVIDIA Display Driver Service
    Service Name:PlugPlay Display Name:Plug and Play
    Service Name:Pml Driver HPZ12 Display Name:Pml Driver HPZ12
    Service Name:PolicyAgent Display Name:Servicios IPSEC
    Service Name:ProtectedStorage Display Name:Almacenamiento protegido
    Service Name:RasMan Display Name:Administrador de conexión de acceso remoto
    Service Name:RemoteRegistry Display Name:Registro remoto
    Service Name:RpcSs Display Name:Llamada a procedimiento remoto (RPC)
    Service Name:SamSs Display Name:Administrador de cuentas de seguridad
    Service Name:Schedule Display Name:Programador de tareas
    Service Name:seclogon Display Name:Inicio de sesión secundario
    Service Name:SENS Display Name:Notificación de sucesos del sistema
    Service Name:SharedAccess Display Name:Firewall de Windows/Conexión compartida a Internet (ICS)
    Service Name:ShellHWDetection Display Name:Detección de hardware shell
    Service Name:Spooler Display Name:Cola de impresión
    Service Name:srservice Display Name:Servicio de restauración de sistema
    Service Name:SSDPSRV Display Name:Servicio de descubrimientos SSDP
    Service Name:stisvc Display Name:Adquisición de imágenes de Windows (WIA)
    Service Name:TapiSrv Display Name:Telefonía
    Service Name:TermService Display Name:Servicios de Terminal Server
    Service Name:Themes Display Name:Temas
    Service Name:TrkWks Display Name:Cliente de seguimiento de vinculos distribuidos
    Service Name:W32Time Display Name:Horario de Windows
    Service Name:WebClient Display Name:Cliente Web
    Service Name:WinDefend Display Name:Windows Defender
    Service Name:winmgmt Display Name:Instrumental de administración de Windows
    Service Name:wscsvc Display Name:Centro de seguridad
    Service Name:wuauserv Display Name:Actualizaciones automáticas

  9. #39
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

  10. #40
    Junior Member
    Join Date
    Jan 2008
    Posts
    29

    Default

    Quote Originally Posted by Rorschach112
    Can you make sure AVG is fully closed, then re-download WinPFind35 again and run it
    I don't find any AVG option that allows shutting down the antivirus. I could kill its processes, but there are probably several, even hidden (I say, to protect itself).

    Here's the DSS Main log. No Extra was produced (?).

    Deckard's System Scanner v20071014.68
    Run by Abramson on 2008-01-10 12:27:03
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Abramson.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:27:05 PM, on 1/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\Antivirus\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
    C:\Archivos de programa\Antivirus\Avast\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
    C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
    C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
    C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
    C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
    C:\Documents and Settings\Abramson\Escritorio\dss.exe
    C:\ARCHIV~1\Util\HIJACK~1\Abramson.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;*.local;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191420182250
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

    --
    End of file - 10405 bytes

    -- Files created between 2007-12-10 and 2008-01-10 -----------------------------

    2008-01-09 20:19:16 0 dr-h----- C:\$VAULT$.AVG
    2008-01-09 20:03:53 0 d-------- C:\WINDOWS\system32\drivers\down
    2008-01-08 15:15:06 0 d-------- C:\WINDOWS\ERUNT
    2008-01-08 11:34:05 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
    2008-01-08 11:34:04 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
    2007-12-27 15:23:37 0 d-------- C:\Archivos de programa\Nero
    2007-12-18 17:16:05 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
    2007-12-18 11:53:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy
    2007-12-14 16:10:27 0 d--h----- C:\WINDOWS\PIF
    2007-12-14 15:51:37 0 d-------- C:\Archivos de programa\Archivos comunes\Nero
    2007-12-14 15:50:16 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
    2007-12-14 15:50:15 0 d-------- C:\Archivos de programa\Ahead
    2007-12-14 13:50:29 0 d-------- C:\Archivos de programa\Bonjour
    2007-12-14 13:37:45 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
    2007-12-12 18:09:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


    -- Find3M Report ---------------------------------------------------------------

    2008-01-10 12:22:20 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\XnView
    2008-01-10 12:16:57 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\WinEdt
    2008-01-10 11:08:24 0 d-------- C:\Archivos de programa\Util
    2008-01-10 11:08:24 0 d-------- C:\Archivos de programa\Archivos comunes
    2008-01-10 10:58:32 0 d-------- C:\Archivos de programa\Antivirus
    2008-01-10 09:43:45 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AVG7
    2008-01-09 14:04:35 0 d-------- C:\Archivos de programa\Spyware Doctor
    2008-01-09 12:10:35 0 d-------- C:\Archivos de programa\Astro
    2008-01-09 09:33:23 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\File-Ex
    2008-01-08 11:03:04 0 d-------- C:\Archivos de programa\Image
    2008-01-07 14:15:40 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Adobe
    2008-01-03 10:40:13 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
    2008-01-02 09:35:17 498418 --a------ C:\WINDOWS\system32\perfh00A.dat
    2008-01-02 09:35:17 89006 --a------ C:\WINDOWS\system32\perfc00A.dat
    2007-12-28 16:03:14 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
    2007-12-28 16:02:39 0 d-------- C:\Archivos de programa\Net
    2007-12-27 10:45:50 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
    2007-12-26 16:28:20 0 d-------- C:\Archivos de programa\video
    2007-12-18 18:32:16 0 d-------- C:\Archivos de programa\Sci
    2007-12-18 17:17:12 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
    2007-12-14 16:03:55 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
    2007-12-14 14:50:33 0 d-------- C:\Archivos de programa\Texts
    2007-12-14 13:50:25 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
    2007-12-12 18:19:35 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Real
    2007-12-07 17:24:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Google
    2007-11-28 10:14:29 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\ActiveState
    2007-11-23 10:51:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Avanquest
    2007-11-22 11:34:15 0 d-------- C:\Archivos de programa\Microsoft SQL Server Compact Edition
    2007-11-21 17:34:16 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
    2007-11-21 17:29:46 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
    2007-11-16 14:57:16 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
    2007-11-16 14:57:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
    2007-11-15 18:25:58 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Macromedia
    2007-11-15 18:12:59 0 d-------- C:\Archivos de programa\Britannica
    2007-11-13 11:06:00 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\InstallShield
    2007-11-12 16:05:30 0 d-------- C:\Archivos de programa\MSECache
    2007-11-12 12:44:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\COWON
    2007-10-15 14:23:34 2199552 --a------ C:\WINDOWS\system32\PdfDll32.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS(r) DLL for Windows>
    2007-10-15 14:23:34 65536 --a------ C:\WINDOWS\system32\ltserial.dll


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 02:07 AM]
    "nwiz"="nwiz.exe" [09/17/2007 02:07 AM C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [06/15/2007 02:03 AM C:\WINDOWS\RTHDCPL.exe]
    "Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [11/02/2007 11:55 AM]
    "SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
    "NvMediaCenter"="NvMCTray.dll" [09/17/2007 02:07 AM C:\WINDOWS\system32\nvmctray.dll]
    "zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
    "FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [02/27/2007 12:55 PM]
    "NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]
    "AVG7_CC"="C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe" [01/09/2008 08:16 PM]
    "avast!"="C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe" [12/04/2007 11:00 AM]
    "Windows Defender"="C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/02/2006 10:00 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12




    -- End of Deckard's System Scanner: finished at 2008-01-10 12:27:22 ------------
