problems with win32.agent.at and smitfraud-C.toolbar888

cbehrends

New member
Hi!

I have problems with win32.agent.at and smitfraud-C.toolbar888.

I followed these steps:

1) Scan with updated Spybot: Every time I scan, the problem seems fixed with the exception of just one point of the win32.agent. However, after a new scan all problems reappear. Here is the log:

--------------------------------------------------------------------------

--- Report generated: 2007-03-26 21:36 ---

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-813497703-682003330-1003\Software\Microsoft\aldd

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Araf15

Win32.Agent.At: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\PsapiAnalyzer.PsapiAnalyzer

Win32.Agent.At: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\PsapiAnalyzer.PsapiAnalyzer.1

Win32.Agent.At: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0A07916B-B841-4184-AAD5-06FE2F75788C}

Win32.Agent.At: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A07916B-B841-4184-AAD5-06FE2F75788C}

Win32.Agent.At: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-813497703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{871A54C1-1EB3-48BD-A879-5DBA4EF16BE6}

Win32.Agent.At: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

Win32.Agent.At: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

BFast: Tracking cookie (Internet Explorer: Andy) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-03-11 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-03-21 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-03-21 Includes\DialerC.sbi (*)
2007-03-21 Includes\Hijackers.sbi (*)
2007-03-21 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-03-21 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-03-21 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-03-21 Includes\PUPSC.sbi (*)
2007-03-21 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-03-21 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-03-21 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-03-21 Includes\Trojans.sbi (*)
2007-03-21 Includes\TrojansC.sbi (*)

--------------------------------------------------------------------------

2) Run an on-line Anti-Virus scan.
I ran Panda on-line. Here is the log:
--------------------------------------------------------------------------

Incident Status Location

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\blkhlwwg.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\bpevxhuh.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\cknkpevn.dll
Adware:Adware/WebSearch Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\dbxcxubj.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\gaswwrsv.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\hnnkbfoe.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\jlpvxxng.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\lrhtbykh.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\nreiayxk.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\oexorxyx.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\uklfjbpy.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\xhpkfefk.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Andy\Configuración local\Temp\yhxvgemp.dll
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Andy\Cookies\andy@bfast[1].txt
Potentially unwanted tool:Application/Reboot.A Not disinfected C:\WINDOWS\pss\Reboot.exeCommon Startup
--------------------------------------------------------------------------


3) Run Spybot in Safe Mode:
I ran Spybot several times, but the result is similar to that in normal mode.

4) HijackThis log
I ran HijackThis. Here is the log file:

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 09:46:01 p.m., on 26/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\qkkvkupe.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--------------------------------------------------------------------------

I very much appreciate your support!

Carlos
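The post above shows what a helper looks for in a HijackThis log: an O20 AppInit_DLLs entry, an O4 Run entry that starts rundll32 with a random-looking DLL name, and the way those names change from one "fresh log" to the next. The script below is an added example for this thread, not a tool from the thread or from the HijackThis project: it parses the entry lines of two logs, flags the entry types discussed here with a stated reason, and diffs the two logs so that entries that appeared or disappeared after a reboot stand out. The sample lines are a subset copied from the logs posted in this thread; the eight-lowercase-letter DLL-name heuristic and the severity labels are assumptions of this example, not rules from the thread.

```python
import re

# Constructed subset of the first HijackThis log in this thread (entry lines copied verbatim).
FIRST_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\qkkvkupe.dll",setvm
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
"""

# Constructed subset of a later log from the same thread, posted after the removal attempts.
LATER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\kmvfrtgl.dll",setvm
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
"""

# Heuristic (an assumption of this example): the DLLs in this thread all have eight random
# lowercase letters as their name (qkkvkupe, gnqybxsf, ldmyocjo, ...). Lowercase only, so a
# legitimate mixed-case name such as SDHelper.dll does not match.
RANDOM_DLL = re.compile(r"\\([a-z]{8})\.dll\b")
# A HijackThis entry line: section code, " - ", the rest of the entry.
ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")


def entries(log_text):
    """Yield (section, rest) for every entry line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage_entry(section, rest):
    """Return (severity, reason) for one entry, or None when nothing stands out."""
    if section == "O20" and rest.startswith("AppInit_DLLs:"):
        if rest.split(":", 1)[1].strip():
            return "high", "AppInit_DLLs loads this DLL into every process that links user32"
    if section == "O20" and rest.startswith("Winlogon Notify:"):
        if "\\system32\\" not in rest.lower():
            return "high", "Winlogon Notify package outside system32 runs inside winlogon at logon"
    if section == "O2" and "(file missing)" in rest:
        return "medium", "BHO registration whose DLL is gone (file deleted, registry entry left)"
    if section == "O4" and "rundll32.exe" in rest.lower() and RANDOM_DLL.search(rest):
        return "high", "Run entry starting rundll32 with a random-looking DLL name"
    if RANDOM_DLL.search(rest):
        return "low", "random-looking eight-letter DLL name"
    return None


def triage(log_text):
    """Return [(severity, reason, entry_line), ...] for the entries worth a second look."""
    findings = []
    for section, rest in entries(log_text):
        hit = triage_entry(section, rest)
        if hit:
            findings.append((hit[0], hit[1], f"{section} - {rest}"))
    return findings


def diff_logs(old_text, new_text):
    """Entries that appeared and disappeared between two logs, as (added, removed)."""
    old = {f"{s} - {r}" for s, r in entries(old_text)}
    new = {f"{s} - {r}" for s, r in entries(new_text)}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for severity, reason, line in triage(LATER_LOG):
        print(f"[{severity}] {reason}\n    {line}")
    added, removed = diff_logs(FIRST_LOG, LATER_LOG)
    print("added since first log:", *added, sep="\n  ")
    print("removed since first log:", *removed, sep="\n  ")
```

Run it as a script to see the flagged entries of the later log and the diff; the diff shows the SoundService entry being re-created under a new DLL name, which is exactly why the helper keeps asking for a fresh log after each step rather than trusting one scan.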
 
Hi cbehrends

Rename HijackThis.exe to HJT.exe and post a fresh HijackThis log, please :)
 
Hi shaba,

You asked me to rename the HiJackThis.exe file to HJT.exe and to generate a fresh log.

Here it goes:
Logfile of HijackThis v1.99.1
Scan saved at 09:22:24 p.m., on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PsapiAnalyzer Object - {0A07916B-B841-4184-AAD5-06FE2F75788C} - c:\windows\taskwave.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O20 - Winlogon Notify: taskwave - c:\windows\taskwave.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


Sorry for delaying the answer, I was on a trip!

Regards,

Carlos
 
Hi

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
Hi Shaba,

I downloaded Vundo, I ran it, and this is the log:

--------------------------------------------------------------------------
VundoFix V6.3.18

Checking Java version...

Sun Java not detected
Scan started at 11:50:46 a.m. 01/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\ldmyocjo.dll
C:\WINDOWS\system32\xajcvcrd.dll
c:\windows\taskwave.dll

Beginning removal...

Attempting to delete c:\windows\taskwave.dll
c:\windows\taskwave.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete c:\windows\taskwave.dll
c:\windows\taskwave.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Sun Java not detected
Scan started at 12:17:56 p.m. 01/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\ldmyocjo.dll

Beginning removal...

Performing Repairs to the registry.
Done!

--------------------------------------------------------------------------

Then I ran HJT.exe, resulting in this log file:

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:38:38 p.m., on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

-------------------------------------------------------------------------

It seems there is still a problem, as Vundo shows a file that appeared after rebooting.

Regards,

Carlos
 
Hi

Upload these files to VirusTotal and post back results here:

C:\WINDOWS\Driver Cache\i386\cabsvr.dll
C:\WINDOWS\system32\gnqybxsf.dll
 
Hi Shaba,

Thanks for the quick answer!

Here is the result for C:\WINDOWS\Driver Cache\i386\cabsvr.dll

--------------------------------------------------------------------------
Antivirus Version Update Result
AhnLab-V3 2007.3.31.0 04.01.2007 no virus found
AntiVir 7.3.1.47 04.01.2007 TR/Vundo.Gen
Authentium 4.93.8 03.31.2007 no virus found
Avast 4.7.936.0 03.31.2007 no virus found
AVG 7.5.0.447 04.01.2007 no virus found
BitDefender 7.2 04.02.2007 no virus found
CAT-QuickHeal 9.00 03.31.2007 no virus found
ClamAV devel-20070312 04.01.2007 no virus found
DrWeb 4.33 04.01.2007 Trojan.Virtumod
eSafe 7.0.15.0 04.01.2007 no virus found
eTrust-Vet 30.6.3527 03.31.2007 no virus found
Ewido 4.0 04.01.2007 no virus found
FileAdvisor 1 04.02.2007 no virus found
Fortinet 2.85.0.0 04.01.2007 suspicious
F-Prot 4.3.1.45 03.30.2007 no virus found
F-Secure 6.70.13030.0 04.01.2007 no virus found
Ikarus T3.1.1.3 04.01.2007 no virus found
Kaspersky 4.0.2.24 04.01.2007 no virus found
McAfee 4997 03.31.2007 no virus found
Microsoft 1.2306 04.01.2007 no virus found
NOD32v2 2161 04.01.2007 no virus found
Norman 5.80.02 03.31.2007 no virus found
Panda 9.0.0.4 04.01.2007 Suspicious file
Prevx1 V2 04.02.2007 no virus found
Sophos 4.16.0 03.30.2007 no virus found
Sunbelt 2.2.907.0 03.31.2007 no virus found
Symantec 10 04.02.2007 no virus found
TheHacker 6.1.6.083 03.30.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.3 04.01.2007 no virus found
VirusBuster 4.3.7:9 04.01.2007 no virus found
Webwasher-Gateway 6.0.1 04.01.2007 Trojan.Vundo.Gen


Aditional Information
File size: 253746 bytes
MD5: f6d8711eeaee5953fcf5ee61d11832d1
SHA1: ee0eeefd9bf668c34a65fe6b1c48fad428f75f89


------------------------------------------------------------------------

And now for C:\WINDOWS\system32\gnqybxsf.dll

-------------------------------------------------------------------------

Antivirus Version Update Result
AhnLab-V3 2007.3.31.0 04.01.2007 no virus found
AntiVir 7.3.1.47 04.01.2007 TR/Crypt.ULPM.Gen
Authentium 4.93.8 03.31.2007 no virus found
Avast 4.7.936.0 03.31.2007 no virus found
AVG 7.5.0.447 04.01.2007 no virus found
BitDefender 7.2 04.02.2007 Trojan.Virtumod.GM
CAT-QuickHeal 9.00 03.31.2007 no virus found
ClamAV devel-20070312 04.01.2007 no virus found
DrWeb 4.33 04.01.2007 Trojan.Virtumod
eSafe 7.0.15.0 04.01.2007 no virus found
eTrust-Vet 30.6.3527 03.31.2007 no virus found
Ewido 4.0 04.01.2007 no virus found
FileAdvisor 1 04.02.2007 no virus found
Fortinet 2.85.0.0 04.01.2007 suspicious
F-Prot 4.3.1.45 03.30.2007 no virus found
F-Secure 6.70.13030.0 04.01.2007 no virus found
Ikarus T3.1.1.3 04.01.2007 no virus found
Kaspersky 4.0.2.24 04.01.2007 no virus found
McAfee 4997 03.31.2007 no virus found
Microsoft 1.2306 04.01.2007 no virus found
NOD32v2 2161 04.01.2007 no virus found
Norman 5.80.02 03.31.2007 no virus found
Panda 9.0.0.4 04.01.2007 Suspicious file
Prevx1 V2 04.02.2007 no virus found
Sophos 4.16.0 03.30.2007 no virus found
Sunbelt 2.2.907.0 03.31.2007 no virus found
Symantec 10 04.02.2007 Trojan Horse
TheHacker 6.1.6.083 03.30.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.3 04.01.2007 no virus found
VirusBuster 4.3.7:9 04.01.2007 no virus found
Webwasher-Gateway 6.0.1 04.01.2007 Trojan.Crypt.ULPM.Gen


Aditional Information
File size: 43796 bytes
MD5: b6d40074bd6a9216c40f1ea3ef847a00
SHA1: 5237985c40dab3744f5551f026e22bd82b84f061

-------------------------------------------------------------------------

Thanks!

Carlos
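The two VirusTotal reports above are what the helper reads to say "both are Vundo": most engines report nothing, a few say "suspicious", and a handful name the family under vendor-specific labels (TR/Vundo.Gen, Trojan.Virtumod, Trojan.Virtumod.GM). The script below is an added example for this thread, not part of the thread or of VirusTotal: it parses report lines in the format posted here, counts clean, suspicious and detected verdicts, normalises the vendor names to a family, and reports which family both samples agree on. The engine lines are a constructed subset copied from the reports above; the alias table (Virtumod is another name for Vundo) and the verdict classes are assumptions of this example.

```python
import re

# Constructed subset of the VirusTotal report posted for cabsvr.dll (lines copied verbatim).
CABSVR_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.3.31.0 04.01.2007 no virus found
AntiVir 7.3.1.47 04.01.2007 TR/Vundo.Gen
DrWeb 4.33 04.01.2007 Trojan.Virtumod
Fortinet 2.85.0.0 04.01.2007 suspicious
Kaspersky 4.0.2.24 04.01.2007 no virus found
NOD32v2 2161 04.01.2007 no virus found
Panda 9.0.0.4 04.01.2007 Suspicious file
Webwasher-Gateway 6.0.1 04.01.2007 Trojan.Vundo.Gen
MD5: f6d8711eeaee5953fcf5ee61d11832d1
"""

# Constructed subset of the report posted for gnqybxsf.dll (lines copied verbatim).
GNQYBXSF_REPORT = """\
Antivirus Version Update Result
AntiVir 7.3.1.47 04.01.2007 TR/Crypt.ULPM.Gen
BitDefender 7.2 04.02.2007 Trojan.Virtumod.GM
DrWeb 4.33 04.01.2007 Trojan.Virtumod
Fortinet 2.85.0.0 04.01.2007 suspicious
NOD32v2 2161 04.01.2007 no virus found
Panda 9.0.0.4 04.01.2007 Suspicious file
Symantec 10 04.02.2007 Trojan Horse
Webwasher-Gateway 6.0.1 04.01.2007 Trojan.Crypt.ULPM.Gen
MD5: b6d40074bd6a9216c40f1ea3ef847a00
"""

# One engine line: engine, version, update date (mm.dd.yyyy), then the result, which may
# contain spaces ("no virus found", "Suspicious file", "Trojan Horse").
ENGINE_LINE = re.compile(r"^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$")

# Assumed alias table: vendor naming differs, Virtumod and Vundo are the same family.
FAMILY_ALIASES = {"vundo": "Vundo", "virtumod": "Vundo", "crypt": "Crypt"}


def parse_report(text):
    """Return (verdicts, md5): verdicts maps engine name to its raw result string."""
    verdicts, md5 = {}, None
    for line in text.splitlines():
        m = ENGINE_LINE.match(line.strip())
        if m:
            verdicts[m.group(1)] = m.group(4)
        elif line.startswith("MD5:"):
            md5 = line.split(":", 1)[1].strip()
    return verdicts, md5


def classify(result):
    """Map a raw result to one of: clean, suspicious, detected."""
    r = result.lower()
    if r == "no virus found":
        return "clean"
    if "suspicious" in r:
        return "suspicious"
    return "detected"


def summarize(text):
    """Count verdict classes and collect the normalised family names for one report."""
    verdicts, md5 = parse_report(text)
    counts = {"clean": 0, "suspicious": 0, "detected": 0}
    families = set()
    for result in verdicts.values():
        kind = classify(result)
        counts[kind] += 1
        if kind == "detected":
            for key, name in FAMILY_ALIASES.items():
                if key in result.lower():
                    families.add(name)
    return {"md5": md5, "engines": len(verdicts), **counts, "families": sorted(families)}


def shared_families(*texts):
    """Family names that every given report agrees on (empty if there is no consensus)."""
    sets = [set(summarize(t)["families"]) for t in texts]
    return sorted(set.intersection(*sets))


if __name__ == "__main__":
    for name, report in (("cabsvr.dll", CABSVR_REPORT), ("gnqybxsf.dll", GNQYBXSF_REPORT)):
        s = summarize(report)
        print(f"{name}: {s['detected']}/{s['engines']} detected, "
              f"{s['suspicious']} suspicious, families {s['families']}, md5 {s['md5']}")
    print("family both samples agree on:", shared_families(CABSVR_REPORT, GNQYBXSF_REPORT))
```

The point of the family normalisation is the one the helper applies by eye: a low raw detection count is not reassuring when the engines that do fire independently name the same family, and the MD5 is kept with the summary so the verdict stays tied to the exact file that was uploaded.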
 
Hi

Both are vundo as expected

Please download the Killbox.
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Driver Cache\i386\cabsvr.dll
C:\WINDOWS\system32\gnqybxsf.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Post a fresh HijackThis log.
 
Hi Shaba,

I ran the KillBox Tool. It was a little confusing as it was unclear if both files were registered to delete, so I did it twice. It was not necessary to run missingfilesetup.exe.

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 07:15:17 p.m., on 02/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\kmvfrtgl.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clarin.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--------------------------------------------------------------------------

Is it OK?

thanks,

Carlos
 
Hi

More research is needed

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Copy and paste the StartupList from the notepad into your next post

Download F-Secure Blacklight and save it to your desktop -> https://europe.f-secure.com/blacklight/try.shtml

Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next

You'll see a list of what has been found. A log will appear on your desktop; it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (xxxx = random numbers; the Blacklight log from your desktop)

Post:

- startuplist
- blacklight log
 
Hi Shaba,

Mmm... it seems it is a difficult case. Here is the startup list from HJT:

------------------------------------------------------------------------

StartupList report, 03/04/2007, 07:15:33 p.m.
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Andy\Menú Inicio\Programas\Inicio]
HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio]
Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nod32kui = "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
iTunesHelper = "C:\Archivos de programa\iTunes\iTunesHelper.exe"
mHotKey = C:\ARCHIV~1\GENIUS~2\mHotkey.exe
SoundService = rundll32.exe "C:\WINDOWS\system32\hmcwqpws.dll",setvm

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
MSMSGS = "C:\Archivos de programa\Messenger\msmsgs.exe" /background
Skype = "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\gnqybxsf.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\ldmyocjo.dll (file missing) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
HP DArC Task #Hewlett-Packard#7200#CN3641B36QE0.job
HP Usg Daily.job

--------------------------------------------------

Enumerating Download Program Files:

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ManagerActiveXBKB Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveXBKB.dll
CODEBASE = https://www.bankboston.com.br/download/ActiveXBKBCab.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6.627 bytes
Report generated in 0,234 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


------------------------------------------------------------------------

The fsbl log sounds cryptic to me:

-------------------------------------------------------------------------

04/03/07 19:18:48 [Info]: BlackLight Engine 1.0.61 initialized
04/03/07 19:18:48 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/03/07 19:18:48 [Note]: 7019 4
04/03/07 19:18:48 [Note]: 7005 0
04/03/07 19:19:14 [Note]: 7006 0
04/03/07 19:19:14 [Note]: 7011 1384
04/03/07 19:19:15 [Note]: 7026 0
04/03/07 19:19:15 [Note]: 7026 0
04/03/07 19:19:18 [Note]: FSRAW library version 1.7.1021
04/03/07 19:19:18 [Note]: 2000 1012
04/03/07 19:22:33 [Note]: 2000 1012
04/03/07 19:25:41 [Note]: 7007 0

-------------------------------------------------------------------------

That is for now, thanks!

Carlos
 
Hi

Did you check those two boxes next to the box that says "Generate StartupList log"? I ask because the StartupList is incomplete.
 
Hi Shaba,

I thought that I had answered this yesterday, but it seems I did something wrong, because I do not see my post with the reply. So here it goes:

Startup list

-------------------------------------------------------------------
StartupList report, 03/04/2007, 07:15:33 p.m.
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Andy\Menú Inicio\Programas\Inicio]
HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio]
Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nod32kui = "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
iTunesHelper = "C:\Archivos de programa\iTunes\iTunesHelper.exe"
mHotKey = C:\ARCHIV~1\GENIUS~2\mHotkey.exe
SoundService = rundll32.exe "C:\WINDOWS\system32\hmcwqpws.dll",setvm

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
MSMSGS = "C:\Archivos de programa\Messenger\msmsgs.exe" /background
Skype = "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\gnqybxsf.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\ldmyocjo.dll (file missing) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
HP DArC Task #Hewlett-Packard#7200#CN3641B36QE0.job
HP Usg Daily.job

--------------------------------------------------

Enumerating Download Program Files:

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ManagerActiveXBKB Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveXBKB.dll
CODEBASE = https://www.bankboston.com.br/download/ActiveXBKBCab.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6.627 bytes
Report generated in 0,234 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
--------------------------------------------------------------------------



F-Secure Blacklight

--------------------------------------------------------------------


04/03/07 19:18:48 [Info]: BlackLight Engine 1.0.61 initialized
04/03/07 19:18:48 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/03/07 19:18:48 [Note]: 7019 4
04/03/07 19:18:48 [Note]: 7005 0
04/03/07 19:19:14 [Note]: 7006 0
04/03/07 19:19:14 [Note]: 7011 1384
04/03/07 19:19:15 [Note]: 7026 0
04/03/07 19:19:15 [Note]: 7026 0
04/03/07 19:19:18 [Note]: FSRAW library version 1.7.1021
04/03/07 19:19:18 [Note]: 2000 1012
04/03/07 19:22:33 [Note]: 2000 1012
04/03/07 19:25:41 [Note]: 7007 0


-------------------------------------------------------------------------


Thanks!

Carlos
 
Hi

Still incomplete; we'll try another tool:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
 
Hi Shaba,

My fault, sorry! You asked me to generate a startup list. I posted the answer but had not noticed that it was on a second page of the thread! So I had not seen your comment on page 2, and I posted EXACTLY the same log. Sorry!

So now:
1) I re-ran HJT; please find the log below.
2) I ran DSS; please find the log below.

Log of the HJT
------------------------------------------------------------------------------------------------------

StartupList report, 05/04/2007, 06:13:01 p.m.
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Andy\Menú Inicio\Programas\Inicio]
HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio]
Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nod32kui = "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
iTunesHelper = "C:\Archivos de programa\iTunes\iTunesHelper.exe"
mHotKey = C:\ARCHIV~1\GENIUS~2\mHotkey.exe
SoundService = rundll32.exe "C:\WINDOWS\system32\nkpxeqpc.dll",setvm

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
MSMSGS = "C:\Archivos de programa\Messenger\msmsgs.exe" /background
Skype = "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\gnqybxsf.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\system32\ldmyocjo.dll (file missing) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
HP DArC Task #Hewlett-Packard#7200#CN3641B36QE0.job
HP Usg Daily.job

--------------------------------------------------

Enumerating Download Program Files:

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ManagerActiveXBKB Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveXBKB.dll
CODEBASE = https://www.bankboston.com.br/download/ActiveXBKBCab.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6.844 bytes
Report generated in 0,500 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

------------------------------------------------------------------------------------------------------------

Log of the DSS *********************************************************************************************

MAIN
------------------------------------------------------------------------------------------------------------

Deckard's System Scanner v20070328.36
Run by Andy on 2007-04-05 at 18:19:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
59: 2007-04-05 21:19:15 UTC - RP111 - Deckard's System Scanner Restore Point
58: 2007-04-05 14:22:15 UTC - RP110 - Punto de control del sistema
57: 2007-04-04 14:21:09 UTC - RP109 - Punto de control del sistema
56: 2007-04-02 22:54:09 UTC - RP108 - Punto de control del sistema
55: 2007-04-01 01:21:38 UTC - RP107 - Punto de control del sistema


-- First Restore Point --
1: 2007-01-15 22:46:35 UTC - RP53 - Punto de control del sistema


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Andy.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 06:20:17 p.m., on 05/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Andy\Escritorio\dss.exe
C:\DOCUME~1\Andy\ESCRIT~1\HIJACK~1\Andy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\nkpxeqpc.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clarin.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\gnqybxsf.dll
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys
R1 nod32drv - c:\windows\system32\drivers\nod32drv.sys
R2 AMON - c:\windows\system32\drivers\amon.sys
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys
R3 genmcmn (Genius Wireless Mouse Driver) - c:\windows\system32\drivers\gmfiltr.sys
R3 SiS315 - c:\windows\system32\drivers\sisgrp.sys
R3 SISNIC (Controlador de adaptador Fast Ethernet SiS PCI) - c:\windows\system32\drivers\sisnic.sys
R3 smwdm - c:\windows\system32\drivers\smwdm.sys

S3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 StarWindService (StarWind iSCSI Service) - c:\archivos de programa\alcohol soft\alcohol 120\starwind\starwindservice.exe
R3 usnsvc (Servicio Messenger Sharing USN Journal Reader) - c:\windows\system32\svchost.exe -k usnsvc


-- Scheduled Tasks -------------------------------------------------------------

2007-04-05 17:28:02 354 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job<HPUSGD~1.JOB>
2007-03-23 11:41:04 298 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2006-11-05 01:28:57 332 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN3641B36QE0.job<HPDARC~1.JOB>

LOG FOLLOWS IN NEXT POST (TOO LONG FOR ONE POST)
 
CONTINUED FROM PREVIOUS POST (LOG TOO LONG FOR ONE PAGE)



-- Files created between 2007-03-05 and 2007-04-05 -----------------------------

2007-04-04 23:32:51 125716 --a------ C:\WINDOWS\system32\nkpxeqpc.dll
2007-04-03 20:14:34 1693696 --a------ C:\WINDOWS\system32\ltclr13n.dll
2007-04-03 20:14:34 155648 --a------ C:\WINDOWS\system32\lftif13n.dll
2007-04-03 20:14:34 98304 --a------ C:\WINDOWS\system32\lffax13n.dll
2007-04-03 20:13:17 69632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-04-03 20:13:16 462848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-04-03 20:13:16 450560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-04-03 20:13:16 163840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-04-03 20:13:16 206336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-04-03 20:13:16 299008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-04-03 20:13:16 401408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-04-03 20:13:16 57344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-04-02 19:00:17 0 d-------- C:\!KillBox
2007-04-01 19:03:59 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-01 12:55:52 0 d-------- C:\Archivos de programa\SpywareBlaster<SPYWAR~1>
2007-04-01 11:50:46 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-03-31 20:54:13 125716 --a------ C:\WINDOWS\system32\csxckwwx.dll
2007-03-28 18:34:08 125716 --a------ C:\WINDOWS\system32\yasphwio.dll
2007-03-26 16:13:39 4208 ---hs---- C:\WINDOWS\ntp2.ini2<NTP2~1.INI>
2007-03-25 18:35:34 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-11 17:39:51 0 d-------- C:\Archivos de programa\Enigma Software Group<ENIGMA~1>


-- Find3M Report ---------------------------------------------------------------

2007-04-05 18:20:33 0 d-------- C:\Documents and Settings\Andy\Datos de programa\Skype
2007-04-05 10:47:39 5075 --ahs---- C:\Documents and Settings\Andy\Datos de programa\57781143122241A5B2841A48E1EC0100.sta<577811~1.STA>
2007-04-05 10:47:39 18679 --ahs---- C:\Documents and Settings\Andy\Datos de programa\57781143122241A5B2841A48E1EC0100.rul<577811~1.RUL>
2007-04-04 09:44:57 0 d-------- C:\Archivos de programa\QUICKEN
2007-03-26 20:07:21 0 d-------- C:\Archivos de programa\Palm
2007-03-26 20:04:50 0 d-------- C:\Archivos de programa\Messenger<MESSEN~1>
2007-03-26 20:04:39 0 d-------- C:\Archivos de programa\iTunes
2007-03-26 19:56:27 0 d-------- C:\Archivos de programa\Archivos comunes\System
2007-03-25 21:47:12 0 d-------- C:\Archivos de programa\Genius TwinTouch Wireless<GENIUS~2>
2007-03-25 18:51:05 0 d-------- C:\Archivos de programa\MSN Messenger<MSNMES~1>
2007-03-25 17:56:21 0 d-------- C:\Archivos de programa\Cordless USB Phone<CORDLE~1>
2007-03-05 15:41:18 16 --a------ C:\WINDOWS\popcinfo.dat
2007-02-26 19:27:28 0 d-------- C:\Archivos de programa\Bejeweled 2 Deluxe<BEJEWE~1>
2007-02-21 16:11:03 0 d-------- C:\Archivos de programa\GenoPro
2007-02-21 14:52:09 0 d-------- C:\Archivos de programa\ReflexiveArcade<REFLEX~1>
2007-02-17 14:43:14 298104 --a------ C:\WINDOWS\system32\imon.dll
2007-02-12 19:17:00 0 d-------- C:\Documents and Settings\Andy\Datos de programa\AdobeUM


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Archivos de programa\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
"MSMSGS"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"
"Skype"="\"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nod32kui"="\"C:\\Archivos de programa\\Eset\\nod32kui.exe\" /WAITSERVICE"
"iTunesHelper"="\"C:\\Archivos de programa\\iTunes\\iTunesHelper.exe\""
"mHotKey"="C:\\ARCHIV~1\\GENIUS~2\\mHotkey.exe"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\nkpxeqpc.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Google Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Google Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Google\\GOOGLE~2\\GOOGLE~1.EXE -systray -startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Reboot.exe]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Reboot.exe"
"backup"="C:\\WINDOWS\\pss\\Reboot.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Reboot.exe"
"item"="Reboot"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbuaqnix"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\kbuaqnix.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb09"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphmon05"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hphmon05.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphupd05"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mouseElf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mouseElf"
"hkey"="HKLM"
"command"="C:\\ARCHIV~1\\GENIUS~2\\mouseElf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Archivos de programa\\Google\\GoogleToolbarNotifier\\1.2.1128.2480\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\WINDOWS\system32\gnqybxsf.dll"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cabsvr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-05 at 18:21:10 ---------


---------------------------------------------------------------------------------------

EXTRA

----------------------------------------------------------------------------------------


Deckard's System Scanner v20070328.36
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Spanish

CPU 0: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 255.53 MiB / 65 MiB
Pagefile Memory (total/avail): 617.54 MiB / 396.08 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1997.45 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 40 GiB total, 11.84 GiB free.
D: is Fixed (NTFS) - 34.55 GiB total, 29.57 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Andy\Datos de programa
CLASSPATH=.;C:\Archivos de programa\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Archivos de programa\Archivos comunes
COMPUTERNAME=ANDREA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Andy
LOGONSERVER=\\ANDREA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Archivos de programa\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Archivos de programa
PROMPT=$P$G
QTJAVA=C:\Archivos de programa\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Andy\CONFIG~1\Temp
TMP=C:\DOCUME~1\Andy\CONFIG~1\Temp
USERDOMAIN=ANDREA
USERNAME=Andy
USERPROFILE=C:\Documents and Settings\Andy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Andy (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Actualización para Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Ad-Aware SE Personal --> C:\ARCHIV~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\ARCHIV~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Download Manager 2.0 (solo quitar) --> "C:\Archivos de programa\Archivos comunes\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 7.0.8 - Español --> MsiExec.exe /I{AC76BA86-7AD7-1034-7B44-A70800000002}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
Bejeweled 2 Deluxe --> "C:\Archivos de programa\Bejeweled 2 Deluxe\ReflexiveArcade\unins000.exe"
Disco de recuerdos de HP --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
EvidenceEraser add-in --> rundll32.exe C:\WINDOWS\Driver Cache\i386\cabsvr.dll,Uninstall
Genius TwinTouch Wireless --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{B5D58380-99A9-11D6-8606-00C0DF22A91A}\setup.exe"
GenoPro 2.0.0.2 --> C:\Archivos de programa\GenoPro\Uninstall.exe
Google Earth --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0xa -removeonly
Google Updater --> "C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 1.99.1 --> C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HijackThis.exe /uninstall
HP Software Update --> MsiExec.exe /X{6FA269F8-38CB-4DF7-AA0D-36E3CE789485}
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010416-78E1-11D2-B60F-006097C998E7}
Mozilla Firefox (2.0.0.2) --> C:\ARCHIV~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.3) --> C:\Archivos de programa\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Archivos de programa\MSN\MsnInstaller\msninst.exe /Action:ARP
NOD32 antivirus system --> C:\Archivos de programa\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX --> "C:\Archivos de programa\Eset\unins000.exe"
Palm Desktop --> MsiExec.exe /X{72765AF7-BEA5-4C62-9EC9-A9E386305D04}
Palm VersaMail(tm) --> C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{73945E25-F26E-462F-8018-915DDBCF9DE3}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Archivos de programa\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Pocket Quicken --> C:\WINDOWS\IsUninst.exe -f"C:\Archivos de programa\Pocket Quicken\Uninst.isu"
PocketMirror 3.1.3 (Edición estándar) --> C:\WINDOWS\IsUn040a.exe -f"C:\Archivos de programa\Palm\Chapura\PocketMirror\DeIsL1.isu" -cC:\ARCHIV~1\Palm\Chapura\POCKET~1\UninstEx.dll
Quicken 2003 Premier --> C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{359BF8A1-CB4C-4212-A174-BD63F052EE33} anything
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
SierraAddressBook 3.0 --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{7CE979C6-E5FF-41C5-B6CC-4EE18071563B}\setup.exe"
SierraHome Print Artist 15.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Sierra\Print Artist 15.0\HiUninst.isu" -c"C:\Sierra\Print Artist 15.0\Uninstpa.DLL"
Skype 2.5 --> "C:\Archivos de programa\Skype\Phone\unins000.exe"
SpamBayes 1.1a1 --> "C:\Archivos de programa\SpamBayes\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Archivos de programa\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Archivos de programa\SpywareBlaster\unins000.exe"
VNC Enterprise Edition 4.1.9 --> "C:\Archivos de programa\RealVNC4\unins000.exe"
Windows Live Messenger --> MsiExec.exe /I{FD3FEE11-A03E-47DC-971B-60F73D7128A4}


-- End of Deckard's System Scanner: finished at 2007-04-05 at 18:21:10 ---------

------------------------------------------------------------------------------------------------

Again, sorry for the mistake of posting the same HJT startup log twice, one on April 3 and the other on April 4.


Happy Easter!

Carlos
 
Hi

Let's try this next:

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundService"=-

It should look like this -> [screenshot: reg.gif]


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\csxckwwx.dll
C:\WINDOWS\system32\yasphwio.dll
C:\WINDOWS\system32\nkpxeqpc.dll
C:\WINDOWS\Driver Cache\i386\cabsvr.dll
C:\WINDOWS\system32\gnqybxsf.dll

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
 
Hi Shaba,

Here is the Avenger.txt

*********************************************************

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pgsrpxiv

*******************

Script file located at: \??\C:\WINDOWS\system32\frvuanwq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\csxckwwx.dll deleted successfully.
File C:\WINDOWS\system32\yasphwio.dll deleted successfully.
File C:\WINDOWS\system32\nkpxeqpc.dll deleted successfully.
File C:\WINDOWS\Driver Cache\i386\cabsvr.dll deleted successfully.


File C:\WINDOWS\system32\gnqybxsf.dll not found!
Deletion of file C:\WINDOWS\system32\gnqybxsf.dll failed!

Could not process line:
C:\WINDOWS\system32\gnqybxsf.dll
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

*********************************************************

And now the HJT log

*********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 09:17:25 a.m., on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clarin.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

*******************************************************

That's it! Bye!

Carlos
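Before the leftover entries are fixed in the next reply, a helper normally checks the Avenger log against the script that was submitted. The Python below is an added example, not part of this thread and not code from The Avenger or HijackThis: it parses the two log formats shown in the post above (the sample text is copied from that post), decodes the 0xc0000034 status as STATUS_OBJECT_NAME_NOT_FOUND (the file was already gone, so there was nothing left to delete, which is why the "failure" is harmless), and lists the HijackThis entries still marked "(file missing)", i.e. registry references with no file behind them. The small NTSTATUS table and the "no_result" label are my own additions.

```python
"""Reconcile an Avenger script with the log it produced (added example)."""
import re

# A few NTSTATUS codes Avenger may print; 0xc0000034 is the one seen in this thread.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

def parse_script_files(script):
    """Return the paths listed under 'Files to delete:' in an Avenger script."""
    files, in_section = [], False
    for line in script.splitlines():
        line = line.strip()
        if not line:                      # a blank line ends the section
            in_section = False
            continue
        if line.lower() == "files to delete:":
            in_section = True
            continue
        if in_section:
            files.append(line)
    return files

def parse_avenger_log(log):
    """Map each file path in the log to 'deleted', 'not_found' or 'failed:<status name>'."""
    deleted_re = re.compile(r"^File (.+?) deleted successfully\.$")
    failed_re = re.compile(r"^Deletion of file (.+?) failed!$")
    result, pending = {}, None        # pending: file whose 'Status:' line is still to come
    for line in log.splitlines():
        line = line.strip()
        m = deleted_re.match(line)
        if m:
            result[m.group(1)] = "deleted"
            continue
        m = failed_re.match(line)
        if m:
            pending = m.group(1)
            result[pending] = "failed"
            continue
        if pending and line.startswith("Status:"):
            code = int(line.split(":", 1)[1].strip(), 16)
            name = NTSTATUS_NAMES.get(code, "0x%08x" % code)
            result[pending] = "not_found" if code == 0xC0000034 else "failed:" + name
            pending = None
    return result

def registry_values_replaced(log):
    """Registry values the log reports as replaced with a dummy value."""
    return re.findall(r"^Registry value (.+?) replaced with dummy successfully\.$", log, re.M)

def reconcile(script, log):
    """Outcome per requested file; 'no_result' means the log never mentioned it."""
    outcomes = parse_avenger_log(log)
    return {f: outcomes.get(f, "no_result") for f in parse_script_files(script)}

def hjt_entries_with_missing_file(hjt_log):
    """HijackThis flags registry entries whose target file is gone with '(file missing)'."""
    return [l.strip() for l in hjt_log.splitlines() if "(file missing)" in l]

# Sample input copied from this thread (script and log as posted above).
SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\csxckwwx.dll
C:\WINDOWS\system32\yasphwio.dll
C:\WINDOWS\system32\nkpxeqpc.dll
C:\WINDOWS\Driver Cache\i386\cabsvr.dll
C:\WINDOWS\system32\gnqybxsf.dll

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
"""

AVENGER_LOG = r"""
Beginning to process script file:

File C:\WINDOWS\system32\csxckwwx.dll deleted successfully.
File C:\WINDOWS\system32\yasphwio.dll deleted successfully.
File C:\WINDOWS\system32\nkpxeqpc.dll deleted successfully.
File C:\WINDOWS\Driver Cache\i386\cabsvr.dll deleted successfully.

File C:\WINDOWS\system32\gnqybxsf.dll not found!
Deletion of file C:\WINDOWS\system32\gnqybxsf.dll failed!

Could not process line:
C:\WINDOWS\system32\gnqybxsf.dll
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.
"""

HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll (file missing)
"""

if __name__ == "__main__":
    for path, outcome in reconcile(SCRIPT, AVENGER_LOG).items():
        print("%-10s %s" % (outcome, path))
    for value in registry_values_replaced(AVENGER_LOG):
        print("replaced:  ", value)
    for entry in hjt_entries_with_missing_file(HJT_SAMPLE):
        print("still referenced:", entry)
```

A "not_found" outcome is the case to recognise here: the DLL named in AppInit_DLLs had already disappeared (the file was deleted by an earlier scan, or never existed under that name any more), so only the registry reference needed cleaning, and the "(file missing)" HijackThis lines are exactly the references that remain.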
 
Hi

Looks like a success :)

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll (file missing)


Close all windows including browser and press fix checked.

Reboot

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report
 
Hi,

It seems like good news, but Kaspersky is not that positive:

Here follows the log:

******************************************************

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 06, 2007 10:07:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/04/2007
Kaspersky Anti-Virus database records: 292207
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 76966
Number of viruses found: 4
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:44:26

Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-04-06.20-05-05.log Object is locked skipped
C:\Archivos de programa\Eset\cache\CACHE.NDB Object is locked skipped
C:\Archivos de programa\Eset\infected\3AFYXTBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Archivos de programa\Eset\infected\43ZO4YAA.NQF Infected: Trojan-Downloader.Win32.Agent.bac skipped
C:\Archivos de programa\Eset\infected\BCQJ3XBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Archivos de programa\Eset\infected\EWQ2TXBA.NQF Infected: Trojan.Win32.BHO.g skipped
C:\Archivos de programa\Eset\infected\SPDQGGCA.NQF Infected: Trojan.Win32.BHO.g skipped
C:\Archivos de programa\Eset\infected\ZSWEGTCA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Archivos de programa\Eset\logs\virlog.dat Object is locked skipped
C:\Archivos de programa\Eset\logs\warnlog.dat Object is locked skipped
C:\Archivos de programa\RealVNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Andy\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Andy\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\call256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chat512.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\index2.dat Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\profile256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user1024.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user16384.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user256.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\user4096.dbb Object is locked skipped
C:\Documents and Settings\Andy\Datos de programa\Skype\andr34\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Andy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Andy\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP111\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd9133.sys Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007321.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007322.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007323.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

Scan process completed.


********************************************************

And here a fresh HJT

********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:13:10 p.m., on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\ARCHIV~1\GENIUS~2\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Palm\HOTSYNC.EXE
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andy\Escritorio\hIJACKtHIS\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clarin.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mHotKey] C:\ARCHIV~1\GENIUS~2\mHotkey.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Archivos de programa\QUICKEN\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clarin.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD941590-6424-11D2-A82F-00104B7AF15C} (ManagerActiveXBKB Class) - https://www.bankboston.com.br/download/ActiveXBKBCab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

********************************************************

What do you think?

Carlos
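Reading the Kaspersky report together with the before/after HijackThis logs, as an added example that is not part of this thread and not Kaspersky's or HijackThis's own code. The classification rules are the ones a helper applies by hand: a hit inside another scanner's quarantine folder (ESET's `infected\*.NQF` files) or inside a System Restore point is not a running infection, and a `not-a-virus:` verdict is riskware such as the user's own RealVNC install; everything else is worth a closer look. The folder names are taken from the report above, the HijackThis excerpts are copied from the two logs in this thread, and the bucket names are my own.

```python
"""Triage a Kaspersky Online Scanner report and diff two HijackThis logs (added example)."""
import re

# "<path> Infected: <verdict> skipped"; "Object is locked skipped" lines do not match.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
HJT_ENTRY_RE = re.compile(r"^[ORF]\d+ - ")

def classify(path, verdict):
    """Bucket a detection by where it sits; path checks come before the verdict check."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "system_restore"   # old restore point, not loaded by anything
    if "\\eset\\infected\\" in low or low.endswith(".nqf"):
        return "av_quarantine"    # already neutralised by the resident antivirus
    if verdict.startswith("not-a-virus:"):
        return "riskware"         # legitimate tool flagged by policy, e.g. RemoteAdmin
    return "live"                 # anything else needs attention

def triage(report):
    buckets = {"live": [], "av_quarantine": [], "system_restore": [], "riskware": []}
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            buckets[classify(m.group("path"), m.group("verdict"))].append(
                (m.group("path"), m.group("verdict")))
    return buckets

def hjt_entries(log):
    """Set of R/O/F entries in a HijackThis log (process list and header ignored)."""
    return {l.strip() for l in log.splitlines() if HJT_ENTRY_RE.match(l.strip())}

def hjt_diff(before, after):
    """Entries that disappeared and appeared between two logs of the same machine."""
    b, a = hjt_entries(before), hjt_entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}

# Sample input: excerpts copied from the report and the two HijackThis logs in this thread.
KASPERSKY_REPORT = r"""
C:\Archivos de programa\Eset\cache\CACHE.NDB Object is locked skipped
C:\Archivos de programa\Eset\infected\3AFYXTBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Archivos de programa\Eset\infected\43ZO4YAA.NQF Infected: Trojan-Downloader.Win32.Agent.bac skipped
C:\Archivos de programa\Eset\infected\BCQJ3XBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Archivos de programa\Eset\infected\EWQ2TXBA.NQF Infected: Trojan.Win32.BHO.g skipped
C:\Archivos de programa\Eset\infected\SPDQGGCA.NQF Infected: Trojan.Win32.BHO.g skipped
C:\Archivos de programa\Eset\infected\ZSWEGTCA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Archivos de programa\RealVNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007321.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007322.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\System Volume Information\_restore{A59DD7FA-69B8-4EE9-A534-A72EA339B030}\RP56\A0007323.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
"""

HJT_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\ldmyocjo.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: cabsvr - C:\WINDOWS\Driver Cache\i386\cabsvr.dll (file missing)
"""

HJT_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
"""

if __name__ == "__main__":
    for bucket, hits in triage(KASPERSKY_REPORT).items():
        print("%-15s %d" % (bucket, len(hits)))
        for path, verdict in hits:
            print("    ", verdict, path)
    for kind, entries in hjt_diff(HJT_BEFORE, HJT_AFTER).items():
        for e in entries:
            print(kind + ":", e)
```

Run on the report above, every one of the ten "infected objects" lands in the quarantine, restore-point or riskware bucket and the "live" bucket stays empty, while the HijackThis diff shows only the two "(file missing)" entries gone and the Kaspersky scanner's own ActiveX control added; that is the reading that makes a report like this one less alarming than its headline count suggests.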
 