# Win32/NSAnti: how to get rid of it?



## AmberBCN (Jan 12, 2008)

Hi,
I have Win Xp. A few days ago I started receiving Infection warnings from my antivirus -AVG 7.5- that said files from C:\DOCUME~1\AMBAR\CONFIG~1\TEMP had been infected by Win32/NSAnti. I continued moving them everyday to the virus vault but they continued appearing. I'm getting pop ups, I think everything is going much slower and my computer heats up really fast (although it has always tended to, now it's almost burning hot). I tried to eliminate all the files that were in TEMP but there are about three that can't be erased.
I tried to restore my system to an earlier date, but it seems impossible. It has always worked before (I probably erased something important?).
I also have Spydoctor and Norton Security Scan, which do detect problems and erase files but do not manage to solve them.
I would appreciate any help, thanks!
AmberBCN


----------



## AmberBCN (Jan 12, 2008)

A couple of days have passed since I posted the first message. Now I'm getting new infection warnings: Win32/Polycript, Generic FAZ and Trojan horse PSW. The pop ups are now coming up every couple of minutes...
Help please!


----------



## AmberBCN (Jan 12, 2008)

bump


----------



## Cookiegal (Aug 27, 2003)

Pasting the log for easier viewing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:01, on 13/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Spyware Doctor\svcntaux.exe
C:\Archivos de programa\Spyware Doctor\swdsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Archivos de programa\Logitech\Video\LogiTray.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\FlashGet\FlashGet.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Archivos de programa\MSN Messenger\livecall.exe
D:\Documents and Settings\emule.exe
C:\Downloads\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Archivos de programa\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Archivos de programa\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Archivos de programa\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Archivos de programa\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Archivos de programa\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDTray] "C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [SpyBrowser] "C:\Archivos de programa\SpyBro\SpyBro.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA6BC07-D232-429D-BB37-A23950801C4C}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 10169 bytes


----------



## Cookiegal (Aug 27, 2003)

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press *Enter*
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## AmberBCN (Jan 12, 2008)

SDFix: Version 1.127

Run by Ambar on 15/01/2008 at 22:02

Microsoft Windows XP [Versi¢n 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\autorun.inf - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 22:07:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 18

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avginet.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avgcc.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Archivos de programa\\Grisoft\\AVG7\\avgemc.exe"="C:\\Archivos de programa\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Documents and Settings\\Usuari\\Escritorio\\eMule Plus\\eMule\\eMule.exe"="D:\\Documents and Settings\\Usuari\\Escritorio\\eMule Plus\\eMule\\eMule.exe:*:Enabled:eMule Plus"
"C:\\Documents and Settings\\Ambar\\Escritorio\\Dades\\C\\Archivos de programa\\Telefonica\\KitAIM\\AimExDll.exe"="C:\\Documents and Settings\\Ambar\\Escritorio\\Dades\\C\\Archivos de programa\\Telefonica\\KitAIM\\AimExDll.exe:*:Enabled:Aplicaci¢n MFC AimExDLL"
"D:\\Documents and Settings\\eMule Plus\\eMule\\eMule.exe"="D:\\Documents and Settings\\eMule Plus\\eMule\\eMule.exe:*:Enabled:eMule Plus"
"C:\\Archivos de programa\\FlashGet\\FlashGet.exe"="C:\\Archivos de programa\\FlashGet\\FlashGet.exe:*:Enabled:Flashget"
"C:\\Documents and Settings\\Ambar\\Configuraci¢n local\\Temp\\Rar$EX00.398\\emule.exe"="C:\\Documents and Settings\\Ambar\\Configuraci¢n local\\Temp\\Rar$EX00.398\\emule.exe:*:Enabled:eMule"
"C:\\Archivos de programa\\Zattoo\\zattood.exe"="C:\\Archivos de programa\\Zattoo\\zattood.exe:*:Enabled:zattood"
"D:\\Documents and Settings\\emule.exe"="D:\\Documents and Settings\\emule.exe:*:Enabled:eMule"
"C:\\Documents and Settings\\Ambar\\Configuraci¢n local\\Temp\\Rar$EX00.631\\eMule v.0.48a pro ultra 2.bin\\emule.exe"="C:\\Documents and Settings\\Ambar\\Configuraci¢n local\\Temp\\Rar$EX00.631\\eMule v.0.48a pro ultra 2.bin\\emule.exe:*:Enabled:eMule"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 12 Jan 2008 106,183 ..SHR --- "C:\d.com"
Sat 12 Jan 2008 106,183 ..SHR --- "C:\WINDOWS\system32\amvo.exe"
Tue 15 Jan 2008 54,784 ..SHR --- "C:\WINDOWS\system32\amvo0.dll"
Sat 2 Jun 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 2 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!


----------



## AmberBCN (Jan 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:16:35, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Spyware Doctor\svcntaux.exe
C:\Archivos de programa\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Archivos de programa\Logitech\Video\LogiTray.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Archivos comunes\Teleca Shared\CapabilityManager.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Logitech\Video\FxSvr2.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Archivos de programa\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Archivos de programa\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Archivos de programa\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Archivos de programa\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Archivos de programa\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [SpyBrowser] "C:\Archivos de programa\SpyBro\SpyBro.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA6BC07-D232-429D-BB37-A23950801C4C}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9991 bytes
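As an added example (not code from this thread or from the HijackThis, SDFix or ComboFix authors), the script below parses the HijackThis log format used above, flags entries worth a second look, and diffs the first scan against the second; run on the two logs it shows that the `amvo.exe` Run entry and the orphaned `(no file)` BHO survived the SDFix pass. The log excerpts and the small system32 allowlist are constructed for the example, and the flags are review hints, not verdicts.

```python
"""Parse HijackThis v2 logs, flag entries for review, and diff two scans."""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the first log in the thread (before SDFix);
# not the full log, just enough lines to exercise each rule below.
HJT_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:01, on 13/01/2008

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Downloads\HiJackThis.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
"""

# Constructed "after SDFix" excerpt: as in the thread's second log, the avgas.exe
# Run entry is gone but the amvo.exe entry is still there.
HJT_AFTER = "\n".join(l for l in HJT_BEFORE.splitlines() if "avgas.exe" not in l)

ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed allowlist of Windows binaries that legitimately autostart from
# system32 on XP; deliberately short, extend it from your own clean baseline.
KNOWN_SYSTEM32 = {"ctfmon.exe", "dumprep"}


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a log into its running-process list and its R*/O* entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:            # blank line ends the process list
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def image_path(cmd: str) -> str:
    """Extract the program path from an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def flag_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs that deserve a closer look."""
    flags = []
    for entry in entries:
        if entry.startswith("O2 - BHO:") and entry.endswith("- (no file)"):
            flags.append(("orphaned BHO registration (DLL missing)", entry))
            continue
        m = O4_RE.match(entry)
        if not m:
            continue
        directory, base = ntpath.split(image_path(m.group("cmd")))
        if not directory:
            flags.append(("bare filename, resolved via PATH search; verify location", entry))
        elif directory.lower().endswith("\\system32") and base.lower() not in KNOWN_SYSTEM32:
            flags.append(("unlisted program autostarting from system32", entry))
    return flags


def diff_entries(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries removed by, and entries added since, the earlier scan."""
    b = set(parse_hjt(before)["entries"])
    a = set(parse_hjt(after)["entries"])
    return sorted(b - a), sorted(a - b)


def surviving_flags(before: str, after: str) -> List[Tuple[str, str]]:
    """Flagged entries from the first scan that are still present in the second."""
    still_there = set(parse_hjt(after)["entries"])
    return [f for f in flag_entries(parse_hjt(before)["entries"]) if f[1] in still_there]


if __name__ == "__main__":
    removed, added = diff_entries(HJT_BEFORE, HJT_AFTER)
    print("removed by cleanup:", *removed, sep="\n  ")
    print("added since:", *added, sep="\n  ")
    for reason, entry in surviving_flags(HJT_BEFORE, HJT_AFTER):
        print(f"STILL PRESENT [{reason}]: {entry}")
```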


----------



## Cookiegal (Aug 27, 2003)

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

WARNING: *IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts.*
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.

***Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall***


----------



## AmberBCN (Jan 12, 2008)

ComboFix 08-01-15.4 - Ambar 2008-01-15 22:41:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.3082.18.173 [GMT 1:00]
Se ejecuta desde: C:\Documents and Settings\Ambar\Escritorio\ComboFix.exe
* Creado un nuevo punto de restauración

*ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION! *
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Archivos de programa\webmediaplayer
C:\Archivos de programa\webmediaplayer\Conditions générales.url
C:\Archivos de programa\webmediaplayer\Confidentialité.url
C:\Archivos de programa\webmediaplayer\resources\languages_v2.xml
C:\Archivos de programa\webmediaplayer\resources\webmedias
C:\Archivos de programa\webmediaplayer\skins\classic.skn
C:\Archivos de programa\webmediaplayer\sqlite3.dll
C:\Archivos de programa\webmediaplayer\uninst.exe
C:\Archivos de programa\webmediaplayer\WebMediaPlayer.exe
C:\Archivos de programa\webmediaplayer\Website.url
C:\Autorun.inf
C:\Documents and Settings\All Users\Menú Inicio\Programas.\WebMediaPlayer
C:\Documents and Settings\All Users\Menú Inicio\Programas.\WebMediaPlayer\Conditions générales.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas.\WebMediaPlayer\Confidentialité.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas.\WebMediaPlayer\WebMediaPlayer.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas.\WebMediaPlayer\Website.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\Conditions générales.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\Confidentialité.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\WebMediaPlayer.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\Website.lnk
c:\Documents and Settings\Ambar\Configuración local\Datos de programa\enuxaei.dat
C:\Documents and Settings\Ambar\Configuración local\Datos de programa\enuxaei.exe
c:\Documents and Settings\Ambar\Configuración local\Datos de programa\enuxaei_nav.dat
c:\Documents and Settings\Ambar\Configuración local\Datos de programa\enuxaei_navps.dat
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\nvs2.inf
D:\Autorun.inf

.
(((((((((((((((((( Archivos creados desde 2007-12-15 - 2008-01-15 )))))))))))))))))))))))))))))))))
.

2008-01-15 22:39 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-15 22:01 . 2008-01-15 22:01 d--------	C:\WINDOWS\ERUNT
2008-01-14 19:24 . 2008-01-14 19:24	268	--ah-----	C:\sqmdata01.sqm
2008-01-14 19:24 . 2008-01-14 19:24	244	--ah-----	C:\sqmnoopt01.sqm
2008-01-13 20:55 . 2008-01-13 20:55	244	--ah-----	C:\sqmnoopt00.sqm
2008-01-13 20:55 . 2008-01-13 20:55	232	--ah-----	C:\sqmdata00.sqm
2008-01-13 02:36 . 2007-07-06 12:50	401,720	--a------	C:\Archivos de programa\HiJackThis.exe
2008-01-12 22:21 . 2008-01-12 22:21 d--------	C:\Documents and Settings\Ambar\Datos de programa\Grisoft
2008-01-12 22:19 . 2007-05-30 13:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-12 22:14 . 2008-01-12 22:14	14,113,576	--a------	C:\Archivos de programa\avgas-setup-7.5.1.43-3339.exe
2008-01-12 22:14 . 2008-01-12 22:14	92,672	--a------	C:\Archivos de programa\KillBox.exe
2008-01-12 19:08 . 2008-01-12 22:05 d--------	C:\Archivos de programa\SpyBro
2008-01-12 18:38 . 2008-01-12 18:38	103	--a------	C:\ioSpecial.ini
2008-01-10 11:34 . 2008-01-12 08:51	106,183	-r-hs----	C:\d.com
2008-01-09 14:54 . 2008-01-09 14:53	104,392	-r-hs----	C:\tio8x6.cmd
2008-01-09 12:18 . 2008-01-09 12:18	1,044,480	--a------	C:\WINDOWS\system32\libdivx.dll
2008-01-09 12:18 . 2008-01-09 12:18	200,704	--a------	C:\WINDOWS\system32\ssldivx.dll
2008-01-09 12:18 . 2008-01-09 12:18	4,816	--a------	C:\WINDOWS\system32\divxsm.tlb
2008-01-09 12:16 . 2008-01-09 12:16	823,296	--a------	C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 12:16 . 2008-01-09 12:16	823,296	--a------	C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 12:16 . 2008-01-09 12:16	802,816	--a------	C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 12:16 . 2008-01-09 12:16	682,496	--a------	C:\WINDOWS\system32\DivX.dll
2008-01-09 12:16 . 2008-01-09 12:16	196,608	--a------	C:\WINDOWS\system32\dtu100.dll
2008-01-09 12:16 . 2008-01-09 12:16	81,920	--a------	C:\WINDOWS\system32\dpl100.dll
2008-01-09 12:16 . 2008-01-09 12:16	416	--a------	C:\WINDOWS\system32\dtu100.dll.manifest
2008-01-09 12:16 . 2008-01-09 12:16	416	--a------	C:\WINDOWS\system32\dpl100.dll.manifest
2008-01-07 19:02 . 2008-01-07 19:02	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-01-07 19:02 . 2008-01-07 19:02	1,409	--a------	C:\WINDOWS\QTFont.for
2008-01-02 18:50 . 2008-01-02 18:50 d--------	C:\Documents and Settings\Ambar\Datos de programa\FUJIFILM
2008-01-02 18:46 . 2003-09-04 01:45	274,432	--a------	C:\WINDOWS\system32\FFTIFF16.dll
2008-01-02 18:46 . 2004-07-24 12:28	155,648	--a------	C:\WINDOWS\system32\FFRAFLIB.DLL
2008-01-02 18:45 . 2008-01-02 18:46 d--------	C:\Archivos de programa\FinePixViewer
2008-01-02 18:42 . 2008-01-02 18:42 d--------	C:\Archivos de programa\REGSHAVE
2008-01-02 18:42 . 2001-11-25 12:11	81,924	---------	C:\WINDOWS\system32\drivers\VC4CB104.SYS
2008-01-02 18:42 . 2002-02-05 17:33	69,632	---------	C:\WINDOWS\system32\FREGSHEX.DLL
2008-01-02 18:42 . 2002-02-27 12:27	65,536	---------	C:\WINDOWS\system32\FINFCHECK.dll
2008-01-02 18:42 . 2002-06-25 10:06	45,056	---------	C:\WINDOWS\system32\FINFCOPY.dll
2008-01-02 18:42 . 2002-02-13 11:00	45,056	---------	C:\WINDOWS\system32\FCLKBTN.DLL
2007-12-25 17:19 . 2008-01-15 22:32 d-a------	C:\Documents and Settings\All Users\Datos de programa\TEMP
2007-12-25 17:18 . 2007-12-25 17:18 d--------	C:\Documents and Settings\Ambar\Datos de programa\PC Tools
2007-12-25 17:18 . 2008-01-14 23:59 d--------	C:\Archivos de programa\Spyware Doctor
2007-12-25 17:18 . 2005-09-23 07:29	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll
2007-12-25 17:18 . 2007-10-04 17:10	79,688	--a------	C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-25 17:18 . 2007-10-04 17:10	62,280	--a------	C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-25 17:18 . 2007-10-04 17:10	41,288	--a------	C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-25 17:18 . 2007-10-04 17:11	29,000	--a------	C:\WINDOWS\system32\drivers\kcom.sys
2007-12-25 17:02 . 2008-01-13 11:55 d--------	C:\Archivos de programa\Archivos comunes\Symantec Shared
2007-12-25 16:52 . 2008-01-15 21:36 d--------	C:\Archivos de programa\Norton Security Scan
2007-12-25 15:25 . 2008-01-15 09:50 d--------	C:\Documents and Settings\All Users\Datos de programa\Google Updater

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 21:39	---------	d-----w	C:\Archivos de programa\FlashGet
2008-01-15 21:32	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\AVG7
2008-01-15 21:16	9,992	----a-w	C:\Archivos de programa\hijackthis.log
2008-01-12 21:19	---------	d-----w	C:\Documents and Settings\All Users\Datos de programa\Grisoft
2008-01-12 17:44	---------	d-----w	C:\Archivos de programa\MSN Messenger
2008-01-12 17:31	---------	d-----w	C:\Archivos de programa\Java
2008-01-12 15:23	---------	d-----w	C:\Archivos de programa\DivX
2008-01-09 11:18	524,288	----a-w	C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18	3,596,288	----a-w	C:\WINDOWS\system32\qt-dx331.dll
2008-01-02 17:45	---------	d--h--w	C:\Archivos de programa\InstallShield Installation Information
2007-12-25 14:25	---------	d-----w	C:\Archivos de programa\Google
2007-12-11 19:44	593,920	----a-w	C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44	57,344	----a-w	C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44	53,248	----a-w	C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44	344,064	----a-w	C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44	294,912	----a-w	C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44	294,912	----a-w	C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44	156,992	----a-w	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43	12,288	----a-w	C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-07 11:32	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\Nero
2007-12-06 22:40	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\U3
2007-12-04 20:23	---------	d-----w	C:\Archivos de programa\Total Video Converter
2007-12-01 21:16	---------	d-----w	C:\Archivos de programa\DivXLand
2007-11-17 12:15	---------	d-----w	C:\Archivos de programa\Archivos comunes\xing shared
2007-11-17 12:15	---------	d-----w	C:\Archivos de programa\Archivos comunes\Real
2007-11-17 12:14	---------	d-----w	C:\Archivos de programa\Real
2007-11-07 09:28	726,528	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:36	1,293,824	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-09-26 00:04	50,688	----a-w	C:\Archivos de programa\ATF-Cleaner.exe
2007-05-22 08:22	430,993	----a-w	C:\Archivos de programa\jb8100_bios3a12.zip
2007-02-26 12:00	4,604,752	----a-w	C:\Archivos de programa\installSinEspias71.exe
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe" [2005-10-28 15:25 94208]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-11-28 01:00 15360]
"LogitechSoftwareUpdate"="C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44 196608]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-08 12:14 68856]
"SpyBrowser"="C:\Archivos de programa\SpyBro\SpyBro.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-09 01:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"PCTVOICE"="pctspk.exe" [2003-09-26 16:22 180224 C:\WINDOWS\system32\pctspk.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 20:10 335872]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:32 579072]
"Sony Ericsson PC Suite"="C:\Archivos de programa\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17 159744]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [2007-05-07 15:12 155648]
"EPSON Stylus Photo RX420 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.exe" [2004-04-09 04:00 98304]
"Adobe Reader Speed Launcher"="C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32 221184]
"LogitechVideoRepair"="C:\Archivos de programa\Logitech\Video\ISStart.exe" [2005-06-08 14:24 458752]
"LogitechVideoTray"="C:\Archivos de programa\Logitech\Video\LogiTray.exe" [2005-06-08 14:14 217088]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2007-11-17 13:14 185896]
"REGSHAVE"="C:\Archivos de programa\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"SDTray"="C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27 1065288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-11-28 01:00 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [2007-10-26 13:03 219136]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
Google Updater.lnk - C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe [2007-12-25 15:25:28]

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-05-07 14:50]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-05-07 14:50]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-05-07 14:50]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-05-07 14:50]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-05-07 14:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\d.com
\Shell\explore\Command - C:\d.com
\Shell\open\Command - C:\d.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\d.com
\Shell\explore\Command - D:\d.com
\Shell\open\Command - D:\d.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c407321-bab8-11dc-a7d5-000e3567d320}]
\Shell\AutoRun\command - F:\semo2x.exe
\Shell\explore\Command - F:\semo2x.exe
\Shell\open\Command - F:\semo2x.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7bdeaf1-bc60-11dc-a7d8-00039d706381}]
\Shell\AutoRun\command - F:\d.com
\Shell\explore\Command - F:\d.com
\Shell\open\Command - F:\d.com

*Newly Created Service* - PROCEXP90 
.
Contenido de carpeta 'Tareas Programadas'
"2008-01-11 16:03:44 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Archivos de programa\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 22:43:27
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito 
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-01-15 22:44:00
ComboFix-quarantined-files.txt 2008-01-15 21:43:52
.
2008-01-08 22:30:43	--- E O F ---


----------



## AmberBCN (Jan 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:57, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Spyware Doctor\svcntaux.exe
C:\Archivos de programa\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Archivos de programa\Logitech\Video\LogiTray.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\Logitech\Video\FxSvr2.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Archivos de programa\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Archivos de programa\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Archivos de programa\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Archivos de programa\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Archivos de programa\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Archivos de programa\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpyBrowser] "C:\Archivos de programa\SpyBro\SpyBro.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA6BC07-D232-429D-BB37-A23950801C4C}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9690 bytes


----------



## Cookiegal (Aug 27, 2003)

Please insert your flash or external drive (whatever is normally your D and/or F drives).

Download *Flash_Disinfector.exe by sUBs* from *here* and save it to your desktop.
 Double-click *Flash_Disinfector.exe* to run it and follow any prompts that may appear.
 The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
 Wait until it has finished scanning and then exit the program.
*Note*: _Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection._

Open Notepad and copy and paste the text in the quote box below into it:



> File::
> C:\d.com
> C:\tio8x6.cmd
> 
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------
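The ComboFix log above shows the pattern Cookiegal's CFScript and Flash_Disinfector are aimed at: `Autorun.inf` files in the root of C: and D:, and MountPoints2 subkeys whose AutoRun/open/explore verbs launch `d.com` or `semo2x.exe` straight from a drive root. The helpers below, an added example that is not code from the thread, from ComboFix or from Flash_Disinfector, pull those entries out of a log excerpt, parse an `autorun.inf` for the directives that actually launch a program, and classify a drive root the way the post's note describes (a *folder* named `autorun.inf` is the protective placeholder, a file is something to inspect). The MountPoints2 sample is copied from the log; the `autorun.inf` sample is constructed in the same shape, since the deleted files' contents never appear in the thread; all function names are this example's own.

```python
"""Added example (not from the thread, ComboFix or Flash_Disinfector): detection
helpers for the removable-drive autorun pattern seen in the logs above."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

LAUNCH_EXTENSIONS = (".exe", ".com", ".cmd", ".bat", ".pif", ".scr", ".vbs", ".js")
# Constructed sample: the MountPoints2 block as ComboFix printed it in the thread.
SAMPLE_MOUNTPOINTS2 = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\C]
\\Shell\\AutoRun\\command - C:\\d.com
\\Shell\\explore\\Command - C:\\d.com
\\Shell\\open\\Command - C:\\d.com
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{5c407321-bab8-11dc-a7d5-000e3567d320}]
\\Shell\\AutoRun\\command - F:\\semo2x.exe
\\Shell\\explore\\Command - F:\\semo2x.exe
\\Shell\\open\\Command - F:\\semo2x.exe
"""
# Constructed autorun.inf in the same shape; the real C:\ and D:\ files are not in the thread.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=d.com
shell\\open\\command=d.com
shell\\explore\\command=d.com
"""
_SECTION = re.compile(r"^\[.*\\mountpoints2\\([^\]]+)\]$", re.I)
_VERB = re.compile(r"^\\Shell\\[^\\]+\\command\s+-\s+(.+?)\s*$", re.I)
_ROOT_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # X:\name, nothing deeper

def launch_target(value: str) -> str:
    """Program named by a command line: the quoted path, else the first token."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def hijacked_mountpoints(text: str) -> Dict[str, Set[str]]:
    """Subkey (drive letter or volume GUID) -> root-level executables that its
    Explorer verbs launch; legitimate verbs never point at a bare drive root."""
    hits: Dict[str, Set[str]] = {}
    key = None
    for raw in text.splitlines():
        sec = _SECTION.match(raw.strip())
        if sec:
            key = sec.group(1)
            continue
        verb = _VERB.match(raw.strip())
        if verb and key is not None:
            target = launch_target(verb.group(1))
            if _ROOT_FILE.match(target) and target.lower().endswith(LAUNCH_EXTENSIONS):
                hits.setdefault(key, set()).add(target)
    return hits

def parse_autorun_inf(text: str) -> Dict[str, str]:
    """[autorun] directives, keys lower-cased; junk lines are skipped, not
    rejected, since worm-written files often carry them to trip INI parsers."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith((";", "#")):
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def autorun_findings(text: str) -> List[Tuple[str, str]]:
    """(directive, target) pairs that run a program: open/shellexecute fire on
    AutoPlay, shell\\<verb>\\command rewires Explorer verbs like MountPoints2."""
    found = []
    for key, value in parse_autorun_inf(text).items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and launch_target(value).lower().endswith(LAUNCH_EXTENSIONS):
            found.append((key, launch_target(value)))
    return found

def audit_drive_root(root: Path) -> Tuple[str, List[Tuple[str, str]]]:
    """A *folder* named autorun.inf is the placeholder Flash_Disinfector leaves
    (a worm can no longer drop a file of that name); a file gets parsed."""
    marker = root / "autorun.inf"
    if not marker.exists():
        return "absent", []
    if marker.is_dir():
        return "placeholder-folder", []
    return "file", autorun_findings(marker.read_text(errors="replace"))

def self_check_placeholder() -> Tuple[str, str]:
    """Throwaway directory as a drive root: sample file, then protective folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        before, _ = audit_drive_root(root)
        (root / "autorun.inf").unlink()
        (root / "autorun.inf").mkdir()
        after, _ = audit_drive_root(root)
    return before, after
```

`hijacked_mountpoints` only flags commands whose target is an executable sitting directly in a drive root, which is what distinguishes the `C:\d.com` and `F:\semo2x.exe` entries from the benign verbs installers register; `autorun_findings` ignores `icon=` and `label=` so a camera's or installer CD's `autorun.inf` does not raise a false alarm. `self_check_placeholder` reproduces the note in the post: once the marker is a directory, `audit_drive_root` reports `placeholder-folder` and there is no file left to parse.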



## AmberBCN (Jan 12, 2008)

ComboFix 08-01-15.4 - Ambar 2008-01-16 12:00:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.34.3082.18.264 [GMT 1:00]
Se ejecuta desde: C:\Documents and Settings\Ambar\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ambar\Escritorio\CFScript.txt.txt
* Creado un nuevo punto de restauración

*ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION! *

FILE
C:\d.com
C:\tio8x6.cmd
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Archivos de programa\SpyBro
C:\d.com
C:\tio8x6.cmd

.
(((((((((((((((((( Archivos creados desde 2007-12-16 - 2008-01-16 )))))))))))))))))))))))))))))))))
.

2008-01-15 22:39 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-15 22:01 . 2008-01-15 22:01 d--------	C:\WINDOWS\ERUNT
2008-01-14 19:24 . 2008-01-14 19:24	268	--ah-----	C:\sqmdata01.sqm
2008-01-14 19:24 . 2008-01-14 19:24	244	--ah-----	C:\sqmnoopt01.sqm
2008-01-13 20:55 . 2008-01-13 20:55	244	--ah-----	C:\sqmnoopt00.sqm
2008-01-13 20:55 . 2008-01-13 20:55	232	--ah-----	C:\sqmdata00.sqm
2008-01-13 02:36 . 2007-07-06 12:50	401,720	--a------	C:\Archivos de programa\HiJackThis.exe
2008-01-12 22:21 . 2008-01-12 22:21 d--------	C:\Documents and Settings\Ambar\Datos de programa\Grisoft
2008-01-12 22:19 . 2007-05-30 13:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-12 22:14 . 2008-01-12 22:14	14,113,576	--a------	C:\Archivos de programa\avgas-setup-7.5.1.43-3339.exe
2008-01-12 22:14 . 2008-01-12 22:14	92,672	--a------	C:\Archivos de programa\KillBox.exe
2008-01-12 18:38 . 2008-01-12 18:38	103	--a------	C:\ioSpecial.ini
2008-01-09 12:18 . 2008-01-09 12:18	1,044,480	--a------	C:\WINDOWS\system32\libdivx.dll
2008-01-09 12:18 . 2008-01-09 12:18	200,704	--a------	C:\WINDOWS\system32\ssldivx.dll
2008-01-09 12:18 . 2008-01-09 12:18	4,816	--a------	C:\WINDOWS\system32\divxsm.tlb
2008-01-09 12:16 . 2008-01-09 12:16	823,296	--a------	C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 12:16 . 2008-01-09 12:16	823,296	--a------	C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 12:16 . 2008-01-09 12:16	802,816	--a------	C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 12:16 . 2008-01-09 12:16	682,496	--a------	C:\WINDOWS\system32\DivX.dll
2008-01-09 12:16 . 2008-01-09 12:16	196,608	--a------	C:\WINDOWS\system32\dtu100.dll
2008-01-09 12:16 . 2008-01-09 12:16	81,920	--a------	C:\WINDOWS\system32\dpl100.dll
2008-01-09 12:16 . 2008-01-09 12:16	416	--a------	C:\WINDOWS\system32\dtu100.dll.manifest
2008-01-09 12:16 . 2008-01-09 12:16	416	--a------	C:\WINDOWS\system32\dpl100.dll.manifest
2008-01-07 19:02 . 2008-01-07 19:02	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-01-07 19:02 . 2008-01-07 19:02	1,409	--a------	C:\WINDOWS\QTFont.for
2008-01-02 18:50 . 2008-01-02 18:50 d--------	C:\Documents and Settings\Ambar\Datos de programa\FUJIFILM
2008-01-02 18:46 . 2003-09-04 01:45	274,432	--a------	C:\WINDOWS\system32\FFTIFF16.dll
2008-01-02 18:46 . 2004-07-24 12:28	155,648	--a------	C:\WINDOWS\system32\FFRAFLIB.DLL
2008-01-02 18:45 . 2008-01-02 18:46 d--------	C:\Archivos de programa\FinePixViewer
2008-01-02 18:42 . 2008-01-02 18:42 d--------	C:\Archivos de programa\REGSHAVE
2008-01-02 18:42 . 2001-11-25 12:11	81,924	---------	C:\WINDOWS\system32\drivers\VC4CB104.SYS
2008-01-02 18:42 . 2002-02-05 17:33	69,632	---------	C:\WINDOWS\system32\FREGSHEX.DLL
2008-01-02 18:42 . 2002-02-27 12:27	65,536	---------	C:\WINDOWS\system32\FINFCHECK.dll
2008-01-02 18:42 . 2002-06-25 10:06	45,056	---------	C:\WINDOWS\system32\FINFCOPY.dll
2008-01-02 18:42 . 2002-02-13 11:00	45,056	---------	C:\WINDOWS\system32\FCLKBTN.DLL
2007-12-25 17:19 . 2008-01-16 11:26 d-a------	C:\Documents and Settings\All Users\Datos de programa\TEMP
2007-12-25 17:18 . 2007-12-25 17:18 d--------	C:\Documents and Settings\Ambar\Datos de programa\PC Tools
2007-12-25 17:18 . 2008-01-14 23:59 d--------	C:\Archivos de programa\Spyware Doctor
2007-12-25 17:18 . 2005-09-23 07:29	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll
2007-12-25 17:18 . 2007-10-04 17:10	79,688	--a------	C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-25 17:18 . 2007-10-04 17:10	62,280	--a------	C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-25 17:18 . 2007-10-04 17:10	41,288	--a------	C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-25 17:18 . 2007-10-04 17:11	29,000	--a------	C:\WINDOWS\system32\drivers\kcom.sys
2007-12-25 17:02 . 2008-01-15 23:25 d--------	C:\Archivos de programa\Archivos comunes\Symantec Shared
2007-12-25 16:52 . 2008-01-16 06:53 d--------	C:\Archivos de programa\Norton Security Scan
2007-12-25 15:25 . 2008-01-16 10:51 d--------	C:\Documents and Settings\All Users\Datos de programa\Google Updater

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 11:00	---------	d-----w	C:\Archivos de programa\FlashGet
2008-01-16 07:00	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\AVG7
2008-01-15 21:48	9,691	----a-w	C:\Archivos de programa\hijackthis.log
2008-01-12 21:19	---------	d-----w	C:\Documents and Settings\All Users\Datos de programa\Grisoft
2008-01-12 17:44	---------	d-----w	C:\Archivos de programa\MSN Messenger
2008-01-12 17:31	---------	d-----w	C:\Archivos de programa\Java
2008-01-12 15:23	---------	d-----w	C:\Archivos de programa\DivX
2008-01-09 11:18	524,288	----a-w	C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18	3,596,288	----a-w	C:\WINDOWS\system32\qt-dx331.dll
2008-01-02 17:45	---------	d--h--w	C:\Archivos de programa\InstallShield Installation Information
2007-12-25 14:25	---------	d-----w	C:\Archivos de programa\Google
2007-12-11 19:44	593,920	----a-w	C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44	57,344	----a-w	C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44	53,248	----a-w	C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44	344,064	----a-w	C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44	294,912	----a-w	C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44	294,912	----a-w	C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44	156,992	----a-w	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43	12,288	----a-w	C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-07 11:32	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\Nero
2007-12-06 22:40	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\U3
2007-12-04 20:23	---------	d-----w	C:\Archivos de programa\Total Video Converter
2007-12-01 21:16	---------	d-----w	C:\Archivos de programa\DivXLand
2007-11-17 12:15	---------	d-----w	C:\Archivos de programa\Archivos comunes\xing shared
2007-11-17 12:15	---------	d-----w	C:\Archivos de programa\Archivos comunes\Real
2007-11-17 12:14	---------	d-----w	C:\Archivos de programa\Real
2007-11-07 09:28	726,528	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:36	1,293,824	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-09-26 00:04	50,688	----a-w	C:\Archivos de programa\ATF-Cleaner.exe
2007-05-22 08:22	430,993	----a-w	C:\Archivos de programa\jb8100_bios3a12.zip
2007-02-26 12:00	4,604,752	----a-w	C:\Archivos de programa\installSinEspias71.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-15_22.43.34,94 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-15 21:40:37	241,664	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 10:59:39	241,664	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 21:40:37	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 10:59:39	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 21:40:38	241,664	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-16 10:59:39	241,664	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 21:40:38	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 10:59:39	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 21:40:38	5,369,856	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-16 10:59:39	5,369,856	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-15 21:40:38	204,800	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 10:59:39	204,800	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe" [2005-10-28 15:25 94208]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-11-28 01:00 15360]
"LogitechSoftwareUpdate"="C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44 196608]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-08 12:14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-09 01:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"PCTVOICE"="pctspk.exe" [2003-09-26 16:22 180224 C:\WINDOWS\system32\pctspk.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 20:10 335872]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:32 579072]
"Sony Ericsson PC Suite"="C:\Archivos de programa\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17 159744]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [2007-05-07 15:12 155648]
"EPSON Stylus Photo RX420 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.exe" [2004-04-09 04:00 98304]
"Adobe Reader Speed Launcher"="C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32 221184]
"LogitechVideoRepair"="C:\Archivos de programa\Logitech\Video\ISStart.exe" [2005-06-08 14:24 458752]
"LogitechVideoTray"="C:\Archivos de programa\Logitech\Video\LogiTray.exe" [2005-06-08 14:14 217088]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2007-11-17 13:14 185896]
"REGSHAVE"="C:\Archivos de programa\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"SDTray"="C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27 1065288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-11-28 01:00 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [2007-10-26 13:03 219136]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
Google Updater.lnk - C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe [2007-12-25 15:25:28]

R3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-05-07 14:50]
R3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-05-07 14:50]
R3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-05-07 14:50]
R3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-05-07 14:50]
R3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-05-07 14:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 16:03:44 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Archivos de programa\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 12:02:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 12:03:26
ComboFix-quarantined-files.txt 2008-01-16 11:03:17
ComboFix2.txt 2008-01-15 21:44:01
.
2008-01-08 22:30:43	--- E O F ---


----------



## AmberBCN (Jan 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:08 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Spyware Doctor\svcntaux.exe
C:\Archivos de programa\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Archivos de programa\Logitech\Video\LogiTray.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\Logitech\Video\FxSvr2.exe
C:\Archivos de programa\FlashGet\FlashGet.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Archivos de programa\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Archivos de programa\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Archivos de programa\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Archivos de programa\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Archivos de programa\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA6BC07-D232-429D-BB37-A23950801C4C}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9640 bytes
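A check worth running over a log like the one above is to parse the O4 (Run-key autostart) lines and flag the entries that deserve a second look: bare file names resolved through the process search order, unquoted paths that contain spaces, and images that live outside the usual program directories. The script below is an added editorial example, not code from this thread, from HijackThis or from ComboFix; its sample input is copied from the log posted above, except for the line named `TempExample`, which is constructed to exercise the `outside-trusted-dirs` flag. The classification rules are the editor's own heuristics.

```python
"""Triage the O4 (Run-key autostart) entries of a HijackThis log.

Added editorial example; not code from the thread, from HijackThis or from ComboFix.
Sample lines are copied from the log posted in the thread, except the one named
TempExample, which is CONSTRUCTED to show the 'outside-trusted-dirs' flag.
"""
import re

# O4 - <hive>\..\Run: [<name>] <command>   (optionally followed by "(User '<account>')")
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\[]+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"\s*(?:\(User '(?P<user>[^']*)'\))?$"
)

# Either a double-quoted image path, or an unquoted one ending at the first executable
# extension; whatever follows is the argument string.
IMAGE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<unquoted>.+?\.(?:exe|com|bat|cmd|scr|pif|dll)))'
    r"(?:\s+(?P<args>.*))?$",
    re.IGNORECASE,
)

# Directories from which installed software normally autostarts on this (Spanish XP) box.
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows",
    r"c:\archivos de programa",   # Program Files (Spanish)
    r"c:\archiv~1",               # its 8.3 short name
)


def classify(entry):
    """Heuristic flags a reviewer would want to look at first."""
    flags = []
    image = entry["image"]
    if "\\" not in image:
        # Bare file name: Windows resolves it through the process search order,
        # so a same-named file planted earlier in that order would run instead.
        flags.append("bare-filename")
    else:
        if not entry["quoted"] and " " in image:
            # CreateProcess tries each space-delimited prefix (C:\Archivos.exe, ...) first.
            flags.append("unquoted-path-with-spaces")
        if not image.lower().startswith(TRUSTED_PREFIXES):
            flags.append("outside-trusted-dirs")
    return flags


def parse_o4(line):
    """Return a dict for an O4 Run-key line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    img = IMAGE_RE.match(entry["cmd"])
    if img:
        entry["image"] = img.group("quoted") or img.group("unquoted")
        entry["args"] = img.group("args") or ""
        entry["quoted"] = img.group("quoted") is not None
    else:
        entry["image"], entry["args"], entry["quoted"] = entry["cmd"], "", False
    entry["flags"] = classify(entry)
    return entry


def triage_hjt(log_text):
    """Parse every O4 Run-key line in a HijackThis log and return the entries."""
    entries = [parse_o4(line) for line in log_text.splitlines()]
    return [e for e in entries if e is not None]


# Sample input: lines from the posted log, plus the CONSTRUCTED TempExample line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Archivos de programa\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKCU\..\Run: [TempExample] "C:\Documents and Settings\Ambar\Configuración local\Temp\example.exe"
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
"""

if __name__ == "__main__":
    for e in triage_hjt(SAMPLE_LOG):
        print(f"{e['hive']:<16} {e['name']:<24} {e['image']}  {e['flags']}")
```

Against the posted log the only hits are the bare-name entries (SoundMan, PCTVOICE, ATIModeChange) and the unquoted ATIPTA path, all of which belong to legitimate vendor software here; the value of the check is that a Run entry pointing into a temp or profile directory, such as the constructed one, is surfaced immediately instead of being read past among forty lines.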


----------



## Cookiegal (Aug 27, 2003)

Do you know what this zip file is that's in program files?

C:\Archivos de programa\*jb8100_bios3a12.zip*

Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database"* for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the Kaspersky scan*


----------



## AmberBCN (Jan 12, 2008)

Yeah: once my computer wasn't working right (files took a long time to open) and I took it to the place where I bought it. They said it wasn't serious, that they only had to upgrade the "bios", so that is what that is. That would be the Spanish (or Catalan?) term, but it's probably the same in English. It's in the Program Files folder, and inside there's a program called PHLASH 16, a file called PM3A12.WPH and a file called "Archivo por lotes MS-DOS" (translated: file by MS-DOS sets -or lots-).


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine. Thanks for the explanation. Zip files can contain anything, including malicious batches, executables, etc., so I wanted to be sure about it.

Please proceed with the Kaspersky scan.
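The point Cookiegal makes about zip files is one a practitioner usually settles by listing the archive's members and hashing them without ever extracting to disk. The script below is an added editorial example, not code from this thread or from any tool mentioned in it. It builds an in-memory archive standing in for the BIOS bundle AmberBCN described: `PHLASH16.EXE` and `PM3A12.WPH` are the member names the poster gave, while the batch file, its content and the other members are assumed placeholders. Each member gets a SHA-256, a content sniff (an `MZ` header marks a DOS/PE executable regardless of extension) and a few flags: executable extension, PE content hiding under a non-executable name, a suspiciously high compression ratio, and a path-traversal member name.

```python
"""List and triage the members of a zip archive without extracting it to disk.

Added editorial example; not code from the thread or from any tool named in it.
The archive is built in memory to stand in for the BIOS-update bundle described
in the thread: PHLASH16.EXE and PM3A12.WPH are the names the poster gave, the
batch file and the remaining members are assumed placeholders.
"""
import hashlib
import io
import posixpath
import zipfile

# Extensions Windows treats as runnable code when launched from Explorer or a script.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
# Extensions under which PE content is expected; PE content under any other name is suspicious.
PE_EXTS = {".exe", ".com", ".dll", ".scr", ".sys"}
RATIO_LIMIT = 50  # uncompressed/compressed ratio above this is a decompression-bomb smell


def sniff(data):
    """Minimal content sniffer: 'MZ' at offset 0 marks a DOS/PE executable."""
    if data[:2] == b"MZ":
        return "pe-executable"
    return "other"


def triage_zip(zip_bytes):
    """Return one record per file member: name, size, sha256, sniffed type, flags."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # read into memory; nothing is written to disk
            ext = posixpath.splitext(info.filename)[1].lower()
            kind = sniff(data)
            flags = []
            if ext in EXECUTABLE_EXTS:
                flags.append("executable-extension")
            if kind == "pe-executable" and ext not in PE_EXTS:
                flags.append("pe-content-under-non-exe-name")
            if info.compress_size and info.file_size / info.compress_size > RATIO_LIMIT:
                flags.append("high-compression-ratio")
            if ".." in info.filename.split("/") or info.filename.startswith("/"):
                flags.append("path-traversal-name")  # would escape the extraction directory
            records.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(data).hexdigest(),
                "type": kind,
                "flags": flags,
            })
    return records


def build_sample_zip():
    """Constructed sample; member contents are placeholders, not the real BIOS files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PHLASH16.EXE", b"MZ" + b"\x90" * 300)                    # fake PE flasher
        zf.writestr("PM3A12.WPH", bytes(range(256)) * 4)                       # fake firmware image
        zf.writestr("FLASH.BAT", b"@echo off\r\nPHLASH16.EXE PM3A12.WPH\r\n")  # assumed launcher
        zf.writestr("readme.txt", b"Plain text, nothing to run here.\r\n")
        zf.writestr("update.dat", b"MZ" + b"\x00" * 100)                       # PE hiding behind .dat
        zf.writestr("pad.bin", b"\x00" * 200_000)                              # bomb-like padding
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_zip(build_sample_zip()):
        print(f"{rec['name']:<14} {rec['size']:>7}  {rec['type']:<14} {rec['flags']}")
```

The hashes are what you would submit to a multi-engine scanner or compare against the vendor's published checksums; a legitimate BIOS bundle is expected to show exactly the flasher and the batch file under `executable-extension` and nothing under the other three flags.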


----------



## AmberBCN (Jan 12, 2008)

Thursday, January 17, 2008 5:35:41 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/01/2008
Kaspersky Anti-Virus database records: 513295

Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true

Scan Target My Computer 
C:\
D:\
E:\

Scan Statistics 
Total number of scanned objects 55843 
Number of viruses found 11 
Number of infected objects 192 
Number of suspicious objects 0 
Duration of the scan process 01:04:51

Infected Object Name Virus Name Last Action 
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped

C:\Documents and Settings\All Users\Datos de programa\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Datos de programa\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Datos de programa\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Archivos temporales de Internet\Content.IE5\1U6GNW9O\mando[1].htm Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Adobe\Updater5\aumLib.log Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8C20_2E9C_202E_8D70\dfsr.db Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8C20_2E9C_202E_8D70\fsr.log Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8C20_2E9C_202E_8D70\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8C20_2E9C_202E_8D70\tmp.edb Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Historial\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Historial\History.IE5\MSHist012008011720080118\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Temp\~DFA869.tmp Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Temp\~DFA881.tmp Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Temp\~DFCC35.tmp Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Temp\~DFCC68.tmp Object is locked skipped

C:\Documents and Settings\Ambar\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\Escritorio\SDFix.exe/data.rar/SDFix/apps/dummy.exe Infected: Trojan.Win32.Obfuscated.na skipped

C:\Documents and Settings\Ambar\Escritorio\SDFix.exe/data.rar/SDFix/dummy.exe Infected: Trojan.Win32.Obfuscated.na skipped

C:\Documents and Settings\Ambar\Escritorio\SDFix.exe/data.rar/SDFix/apps/MD5File.exe Infected: Trojan.Win32.Obfuscated.na skipped

C:\Documents and Settings\Ambar\Escritorio\SDFix.exe/data.rar Infected: Trojan.Win32.Obfuscated.na skipped

C:\Documents and Settings\Ambar\Escritorio\SDFix.exe RarSFX: infected - 4 skipped

C:\Documents and Settings\Ambar\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Ambar\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\Archivos de programa\WebMediaPlayer\uninst.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped

C:\QooBox\Quarantine\C\Archivos de programa\WebMediaPlayer\uninst.exe.vir/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped

C:\QooBox\Quarantine\C\Archivos de programa\WebMediaPlayer\uninst.exe.vir NSIS: infected - 2 skipped

C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.bua skipped

C:\QooBox\Quarantine\C\d.com.vir Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\QooBox\Quarantine\C\tio8x6.cmd.vir Infected: Worm.Win32.AutoRun.bpn skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\QooBox\Quarantine\D\autorun.inf.vir Infected: Worm.Win32.AutoRun.bua skipped

C:\SDFix\apps\dummy.exe Infected: Trojan.Win32.Obfuscated.na skipped

C:\SDFix\apps\MD5File.exe Infected: Trojan.Win32.Obfuscated.na skipped

C:\SDFix\backups\backups.zip/backups/autorun.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped

C:\SDFix\backups_old1\backups.zip/backups/autorun.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\SDFix\backups_old1\backups.zip ZIP: infected - 1 skipped

C:\SDFix\dummy.exe Infected: Trojan.Win32.Obfuscated.na skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061369.dll Infected: Worm.Win32.AutoRun.bmr skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061377.bat Infected: Worm.Win32.AutoRun.bmz skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061378.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061382.exe Infected: Worm.Win32.AutoRun.bmz skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061383.dll Infected: Worm.Win32.AutoRun.bmz skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP236\A0061386.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP236\A0061387.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061395.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061396.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061430.dll Infected: Worm.Win32.AutoRun.bmz skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061433.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061434.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061439.exe Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061440.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP238\A0061462.bat Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP238\A0061463.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061492.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061495.bat Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061496.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061501.exe Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061502.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061507.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061520.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061524.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061528.exe Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP241\A0061538.com Infected: Worm.Win32.AutoRun.bqi skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP241\A0061539.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP242\A0061549.com Infected: Worm.Win32.AutoRun.bqi skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP242\A0061550.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061568.com Infected: Worm.Win32.AutoRun.bqi skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061569.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061582.dll Infected: Worm.Win32.AutoRun.bqi skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061584.com Infected: Worm.Win32.AutoRun.bqi skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061585.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061591.exe Infected: Worm.Win32.AutoRun.bqi skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061592.dll Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061600.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061601.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061623.bat Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061783.dll Infected: Worm.Win32.AutoRun.bqi skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061787.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061788.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061793.exe Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061794.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP245\A0061809.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP245\A0061810.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061814.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061815.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061833.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061834.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061841.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0062037.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062052.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062053.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062067.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062068.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062075.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062266.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062279.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062280.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062294.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062295.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062302.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062493.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062504.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062505.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062506.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062509.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062510.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062512.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062513.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062514.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062728.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062741.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062742.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062743.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062760.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062761.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062955.cmd Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062967.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062968.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062969.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP251\A0062972.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP251\A0062973.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP252\A0062978.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP252\A0062979.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP253\A0063030.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP253\A0063031.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP254\A0063150.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP254\A0063151.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063238.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063239.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063499.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063501.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063502.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063552.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063574.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063576.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063577.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063585.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063586.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063607.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped


----------



## AmberBCN (Jan 12, 2008)

(CONTINUATION OF SCAN)
C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063643.exe Infected: Trojan-PSW.Win32.OnLineGames.oby skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063644.dll Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063645.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063646.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063653.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063681.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063682.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063690.exe Infected: Trojan.Win32.Obfuscated.na skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063691.exe Infected: Trojan.Win32.Obfuscated.na skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063696.exe Infected: Trojan.Win32.Obfuscated.na skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063744.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063745.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063748.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063753.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063781.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063782.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063793.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063793.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063793.exe NSIS: infected - 2 skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063796.exe Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063797.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063798.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP261\A0063906.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP261\A0063907.cmd Infected: Worm.Win32.AutoRun.bpn skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP261\change.log Object is locked skipped 

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped 

C:\WINDOWS\SchedLgU.Txt Object is locked skipped 

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped 

C:\WINDOWS\Sti_Trace.log Object is locked skipped 

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped 

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped 

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\default Object is locked skipped 

C:\WINDOWS\system32\config\default.LOG Object is locked skipped 

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped 

C:\WINDOWS\system32\config\SAM Object is locked skipped 

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped 

C:\WINDOWS\system32\config\software Object is locked skipped 

C:\WINDOWS\system32\config\software.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\system Object is locked skipped 

C:\WINDOWS\system32\config\system.LOG Object is locked skipped 

C:\WINDOWS\system32\h323log.txt Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped 

C:\WINDOWS\wiadebug.log Object is locked skipped 

C:\WINDOWS\wiaservc.log Object is locked skipped 

C:\WINDOWS\WindowsUpdate.log Object is locked skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061379.bat Infected: Worm.Win32.AutoRun.bmz skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061380.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP236\A0061388.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP236\A0061389.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061397.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061398.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061435.bat Infected: Trojan-PSW.Win32.OnLineGames.ngm skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061436.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP238\A0061464.bat Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP238\A0061465.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061497.bat Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061498.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061509.cmd Infected: Worm.Win32.AutoRun.bpn skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061526.cmd Infected: Worm.Win32.AutoRun.bpn skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP241\A0061540.com Infected: Worm.Win32.AutoRun.bqi skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP241\A0061541.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP242\A0061551.com Infected: Worm.Win32.AutoRun.bqi skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP242\A0061552.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061570.com Infected: Worm.Win32.AutoRun.bqi skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061571.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061586.com Infected: Worm.Win32.AutoRun.bqi skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061587.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061603.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061624.bat Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061790.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP245\A0061811.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP245\A0061812.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061816.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061817.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062507.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062508.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062970.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062971.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP251\A0062974.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP251\A0062975.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP252\A0062980.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP252\A0062981.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP253\A0063032.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP253\A0063033.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP254\A0063152.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP254\A0063153.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063240.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063241.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063503.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063504.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063579.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063580.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063647.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063648.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063683.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063684.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063783.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063784.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063799.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP261\change.log Object is locked skipped 

D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped 

D:\d.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

D:\tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped 

D:\Documents and Settings\Temp\048.part Object is locked skipped 

D:\Documents and Settings\Temp\049.part Object is locked skipped 

D:\Documents and Settings\Temp\026.part Object is locked skipped 

D:\Documents and Settings\Temp\050.part Object is locked skipped 

D:\Documents and Settings\Temp\002.part Object is locked skipped 

D:\Documents and Settings\Temp\003.part Object is locked skipped 

D:\Documents and Settings\Temp\004.part Object is locked skipped 

D:\Documents and Settings\Temp\001.part Object is locked skipped 

D:\Documents and Settings\Temp\009.part Object is locked skipped 

D:\Documents and Settings\Temp\063.part Object is locked skipped 

D:\Documents and Settings\Temp\064.part Object is locked skipped 

D:\Documents and Settings\Temp\008.part Object is locked skipped 

D:\Documents and Settings\Temp\006.part Object is locked skipped 

D:\Documents and Settings\Temp\005.part Object is locked skipped 

D:\Documents and Settings\Temp\012.part Object is locked skipped 

D:\Documents and Settings\Temp\014.part Object is locked skipped 

D:\Documents and Settings\Temp\015.part Object is locked skipped 

D:\Documents and Settings\Temp\031.part Object is locked skipped 

D:\Documents and Settings\Temp\032.part Object is locked skipped 

D:\Documents and Settings\Temp\042.part Object is locked skipped 

D:\Documents and Settings\Temp\051.part Object is locked skipped 

D:\Documents and Settings\Temp\054.part Object is locked skipped 

D:\Documents and Settings\Temp\041.part Object is locked skipped 

D:\Documents and Settings\Temp\043.part Object is locked skipped 

D:\Documents and Settings\Temp\044.part Object is locked skipped 

D:\Documents and Settings\Temp\019.part Object is locked skipped 

D:\Documents and Settings\Temp\045.part Object is locked skipped 

D:\Documents and Settings\Temp\052.part Object is locked skipped 

D:\Documents and Settings\Temp\053.part Object is locked skipped 

D:\Documents and Settings\Temp\055.part Object is locked skipped 

D:\Documents and Settings\Temp\059.part Object is locked skipped 

D:\Documents and Settings\Temp\061.part Object is locked skipped 

D:\Documents and Settings\Temp\089.part Object is locked skipped 

D:\Documents and Settings\Temp\025.part Object is locked skipped 

D:\Documents and Settings\Temp\090.part Object is locked skipped 

D:\Documents and Settings\Temp\091.part Object is locked skipped 

D:\Documents and Settings\Temp\065.part Object is locked skipped 

D:\Documents and Settings\Temp\066.part Object is locked skipped 

D:\Documents and Settings\Temp\094.part Object is locked skipped 

D:\Documents and Settings\Temp\067.part Object is locked skipped 

D:\Documents and Settings\Temp\028.part Object is locked skipped 

D:\Documents and Settings\Temp\068.part Object is locked skipped 

D:\Documents and Settings\Temp\030.part Object is locked skipped 

D:\Documents and Settings\Temp\100.part Object is locked skipped 

D:\Documents and Settings\Temp\102.part Object is locked skipped 

D:\Documents and Settings\Temp\103.part Object is locked skipped 

D:\Documents and Settings\Temp\104.part Object is locked skipped 

D:\Documents and Settings\Temp\106.part Object is locked skipped 

D:\Documents and Settings\Temp\039.part Object is locked skipped 

D:\Documents and Settings\Temp\040.part Object is locked skipped 

Scan process completed.


----------
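A way to boil a Kaspersky Online Scanner log like the one above down to what actually needs action, as an added example that is not part of the original thread or of any Kaspersky tool. Nearly every hit is a System Restore copy under System Volume Information (the RP### folders), which is why cleanup guides have you flush System Restore at the end rather than chase each copy, and the "Object is locked" lines are registry hives, event logs and open downloads the scanner could not read, not detections. What remains are the live files, here the two at the root of D:\. The sample log is a handful of lines excerpted from the log posted above.

```python
import re
from collections import Counter

# One result line of the Kaspersky Online Scanner log, as pasted above:
#   <path> Infected: <verdict> skipped
#   <path> Object is locked skipped
#   <path> NSIS: infected - 2 skipped      (summary for a container whose streams were listed)
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected:\s+(?P<verdict>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\S+: infected - \d+))"
    r"\s+skipped\s*$"
)
# A System Restore copy: <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<n>.<ext>
RESTORE_POINT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)


def parse_result_line(line):
    """Return a record for one result line, or None for headers, blanks and footers."""
    m = RESULT_RE.match(line.strip())
    if m is None:
        return None
    full_path = m.group("path")
    # Kaspersky appends "/stream", "/data0002" ... for objects found inside a container;
    # the thing on disk is the host file before the first forward slash.
    host = full_path.split("/", 1)[0]
    rp = RESTORE_POINT_RE.match(host)
    return {
        "path": host,
        "inside_container": "/" in full_path,
        "verdict": m.group("verdict"),
        "locked": m.group("locked") is not None,
        "container_summary": m.group("container") is not None,
        "restore_point": f"{rp.group('drive').upper()}:{rp.group('rp')}" if rp else None,
    }


def triage(log_text):
    """Split a scanner log into live detections, restore-point copies and locked-object noise."""
    live = {}                      # path -> first verdict seen
    restore_points = Counter()     # "D:RP261" -> number of infected copies in that restore point
    verdicts = Counter()           # detection name -> count (live and archived alike)
    locked = 0
    for line in log_text.splitlines():
        rec = parse_result_line(line)
        if rec is None:
            continue
        if rec["locked"]:
            locked += 1            # hives, event logs, open downloads: unreadable, not detections
            continue
        if rec["container_summary"]:
            continue               # the per-stream lines already carried the verdicts
        verdicts[rec["verdict"]] += 1
        if rec["restore_point"]:
            restore_points[rec["restore_point"]] += 1
        else:
            live.setdefault(rec["path"], rec["verdict"])
    return {
        "live": sorted(live.items()),
        "restore_points": restore_points,
        "verdicts": verdicts,
        "locked": locked,
    }


# Constructed sample: nine result lines excerpted from the log posted above, plus header and footer.
SAMPLE_LOG = r"""Infected Object Name Virus Name Last Action
C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063690.exe Infected: Trojan.Win32.Obfuscated.na skipped
C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063793.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped
C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063793.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP261\A0063907.cmd Infected: Worm.Win32.AutoRun.bpn skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\d.com Infected: Trojan-PSW.Win32.OnLineGames.nst skipped
D:\tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped
D:\Documents and Settings\Temp\048.part Object is locked skipped
Scan process completed.
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Live infected files (act on these):")
    for path, verdict in report["live"]:
        print(f"  {path}  ->  {verdict}")
    print("Restore-point copies per RP:", dict(report["restore_points"]))
    print("Locked objects skipped:", report["locked"])
```

Run against the full log, the "live" list is the short list a helper works from; the per-RP counter shows which restore points would reinfect the machine if anyone rolled back to them.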



## AmberBCN (Jan 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:48 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Spyware Doctor\svcntaux.exe
C:\Archivos de programa\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Archivos de programa\Logitech\Video\LogiTray.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\Logitech\Video\FxSvr2.exe
C:\WINDOWS\explorer.exe
D:\Documents and Settings\emule.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Archivos de programa\Grisoft\AVG7\avgcc.exe
C:\Archivos de programa\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Archivos de programa\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Archivos de programa\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Archivos de programa\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Archivos de programa\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Archivos de programa\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Archivos de programa\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA6BC07-D232-429D-BB37-A23950801C4C}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9935 bytes


----------



## Cookiegal (Aug 27, 2003)

Delete these files from your D drive:

D:\d.com
D:\tio8x6.cmd

How are things now?


----------
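The two files Cookiegal names are the companions of the autorun.inf that launched them, and the Kaspersky log above shows that the root of D:\ already held the folder autorun.inf\lpt3.This folder was created by Flash_Disinfector, the immunisation that keeps a worm from dropping a fresh .inf. That immunisation blocks the .inf, not the companion files, which is why d.com and tio8x6.cmd still have to be removed by hand. The following is an added example, not code from the thread or from Flash_Disinfector: it parses an autorun.inf for every launch directive (open=, shellexecute=, shell\<verb>\command=), names the companion programs, checks which are still present at the root, and checks whether the root is immunised. The .inf contents are constructed, since the thread never shows them; the payload names d.com and tio8x6.cmd are the ones from the Kaspersky log.

```python
import os
import re
import tempfile

# [autorun] keys that make Explorer run something when the drive is inserted or double-clicked.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... rebinds the verbs in the drive's right-click menu (Open, Explore, ...).
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$")
# First program token of a command line: a quoted path, or everything up to the first blank.
PROGRAM_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# Names Win32 reserves for devices. "lpt3.anything" is still parsed as the device LPT3, so a folder
# with such a name cannot be deleted or overwritten through ordinary file APIs; that is the trick
# behind the autorun.inf folder the log above attributes to Flash_Disinfector.
RESERVED_DEVICE_NAMES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)


def parse_autorun_directives(text):
    """Return (key, command) pairs from the [autorun] section that launch a program."""
    directives = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            directives.append((key, value.strip()))
    return directives


def launched_programs(directives):
    """Program names the directives point at, lower-cased, de-duplicated, first-seen order."""
    programs = []
    for _, command in directives:
        m = PROGRAM_TOKEN_RE.match(command)
        if m is None:
            continue
        program = (m.group(1) or m.group(2)).lower()
        if program not in programs:
            programs.append(program)
    return programs


def is_immunised(root):
    """True if autorun.inf at the root is a folder holding a reserved-device-name sub-folder."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isdir(inf):
        return False
    return any(name.split(".")[0].lower() in RESERVED_DEVICE_NAMES for name in os.listdir(inf))


def triage_drive_root(root):
    """Report what an autorun.inf at the drive root would launch and which payloads still exist."""
    inf = os.path.join(root, "autorun.inf")
    directives = []
    if os.path.isfile(inf):
        with open(inf, "r", encoding="utf-8", errors="replace") as fh:
            directives = parse_autorun_directives(fh.read())
    payloads = launched_programs(directives)
    return {
        "immunised": is_immunised(root),
        "directives": directives,
        "payloads": payloads,
        "present": [p for p in payloads if os.path.isfile(os.path.join(root, p))],
    }


# Constructed sample. The .inf text is made up to show the pattern; d.com and tio8x6.cmd are the
# two files Kaspersky flagged at the root of D:\ above, stood in for by empty placeholders here.
SAMPLE_AUTORUN_INF = """[autorun]
open=d.com
shell\\open\\Command=d.com
shell\\explore\\Command=d.com
shellexecute=tio8x6.cmd
"""


def build_sample_root(immunised=False):
    """Create a throwaway directory that stands in for a drive root, infected or immunised."""
    root = tempfile.mkdtemp(prefix="autorun_triage_")
    if immunised:
        # Same layout Kaspersky reported: autorun.inf\lpt3.This folder was created by Flash_Disinfector.
        # On a real Windows host creating this needs the \\?\ path prefix, for the same reason the
        # worm cannot remove it; here it only has to exist so the check runs offline.
        os.makedirs(os.path.join(root, "autorun.inf", "lpt3.This folder was created by Flash_Disinfector"))
    else:
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        for payload in ("d.com", "tio8x6.cmd"):
            open(os.path.join(root, payload), "w").close()
    return root


if __name__ == "__main__":
    for flag in (False, True):
        report = triage_drive_root(build_sample_root(immunised=flag))
        print(f"immunised={report['immunised']}  payloads={report['payloads']}  present={report['present']}")
```

Pointed at a real drive letter, the "present" list is what to delete (or quarantine) at the root, and "immunised" tells you whether a Flash_Disinfector-style folder is already in place before you plug the stick into another machine.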



## AmberBCN (Jan 12, 2008)

I can't find the files you want me to delete. 
Everything is working fine, there are no more pop-ups, but my AVG has just detected two new threats: 
-win32/nsanti in c:\docume~1\ambar\config~1\temp\m.dll
-win32/nsanti in c:\docume~1\ambar\config~1\temp\lb2t87v.dll


----------



## AmberBCN (Jan 12, 2008)

I've found tio8x6.cmd.vir in c:\qoobox\quarantine\c and d.com in c:\qoobox\quarantine\c. Should I eliminate those?


----------



## Cookiegal (Aug 27, 2003)

No, the files in Qoobox are quarantined.

The files I asked you to find were on the D drive, not on C.

I need the full name of this folder. Please navigate to it and tell me the full name as it's been truncated.

c:\documents and settings\ambar\CONFIG~1


----------



## AmberBCN (Jan 12, 2008)

The full name of the folder is C:\documents and settings\ambar\configuracion local. Inside there are two other folders: Application Data and Temp.


----------



## AmberBCN (Jan 12, 2008)

Pop-ups are starting again (not many though) and the internet is going extremely slow.


----------



## Cookiegal (Aug 27, 2003)

OK, thanks for that.

Please run a new Kaspersky scan and post the log.


----------



## AmberBCN (Jan 12, 2008)

Saturday, January 19, 2008 10:44:36 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/01/2008
Kaspersky Anti-Virus database records: 523397

Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true

Scan Target My Computer 
C:\
D:\
E:\

Scan Statistics 
Total number of scanned objects 56126 
Number of viruses found 10 
Number of infected objects 99 
Number of suspicious objects 0 
Duration of the scan process 01:40:25

Infected Object Name Virus Name Last Action 
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped

C:\Documents and Settings\All Users\Datos de programa\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Datos de programa\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Datos de programa\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Archivos temporales de Internet\Content.IE5\1U6GNW9O\mando[1].htm Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Archivos temporales de Internet\Content.IE5\DEZY43PE\back_main[1].jpg Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8C20_2E9C_202E_8D70\dfsr.db Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8C20_2E9C_202E_8D70\fsr.log Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8C20_2E9C_202E_8D70\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8C20_2E9C_202E_8D70\tmp.edb Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Datos de programa\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Historial\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Historial\History.IE5\MSHist012008011920080120\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Temp\$2E3E7AD0.t$m Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Temp\~DF7D5D.tmp Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Temp\~DF7DE1.tmp Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Temp\~DF9CBA.tmp Object is locked skipped

C:\Documents and Settings\Ambar\Configuración local\Temp\~DF9D08.tmp Object is locked skipped

C:\Documents and Settings\Ambar\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Ambar\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Ambar\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\Archivos de programa\WebMediaPlayer\uninst.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped

C:\QooBox\Quarantine\C\Archivos de programa\WebMediaPlayer\uninst.exe.vir/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped

C:\QooBox\Quarantine\C\Archivos de programa\WebMediaPlayer\uninst.exe.vir NSIS: infected - 2 skipped

C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.bua skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\amvo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\QooBox\Quarantine\D\autorun.inf.vir Infected: Worm.Win32.AutoRun.bua skipped

C:\SDFix\backups\backups.zip/backups/autorun.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped

C:\SDFix\backups_old1\backups.zip/backups/autorun.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\SDFix\backups_old1\backups.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061369.dll Infected: Worm.Win32.AutoRun.bmr skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061377.bat Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061378.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061382.exe Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061383.dll Infected: Worm.Win32.AutoRun.bmz skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP236\A0061386.bat Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP236\A0061387.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061395.bat Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061396.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061430.dll Infected: Worm.Win32.AutoRun.bmz skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061433.bat Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061434.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061439.exe Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061440.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP238\A0061462.bat Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP238\A0061463.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061492.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061495.bat Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061496.inf Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061501.exe Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061502.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061507.cmd Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061520.dll Infected: Worm.Win32.AutoRun.bnq skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061524.cmd Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP240\A0061528.exe Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP241\A0061538.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP241\A0061539.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP242\A0061549.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP242\A0061550.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061568.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061569.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061582.dll Infected: Worm.Win32.AutoRun.bqi skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061584.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061585.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061591.exe Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061592.dll Infected: Worm.Win32.AutoRun.bpn skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061600.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061601.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061623.bat Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061783.dll Infected: Worm.Win32.AutoRun.bqi skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061787.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061788.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061793.exe Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061794.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP245\A0061809.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP245\A0061810.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061814.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061815.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061833.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061834.exe Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061841.dll Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0062037.cmd Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062052.inf Infected: Worm.Win32.AutoRun.bua skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062053.com Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062067.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062068.exe Object is locked skipped

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062075.dll Object is locked skipped


----------



## AmberBCN (Jan 12, 2008)

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP247\A0062266.cmd Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062279.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062280.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062294.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062295.exe Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062302.dll Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062493.cmd Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062504.dll Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062505.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062506.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062509.exe Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062510.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062512.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062513.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062514.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP249\A0062728.cmd Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062741.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062742.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062743.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062760.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062761.exe Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062955.cmd Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062967.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062968.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062969.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP251\A0062972.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP251\A0062973.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP252\A0062978.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP252\A0062979.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP253\A0063030.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP253\A0063031.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP254\A0063150.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP254\A0063151.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063238.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063239.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063499.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063501.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063502.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063552.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063574.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063576.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063577.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063585.exe Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063586.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063607.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063643.exe Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063644.dll Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063645.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063646.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063653.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063681.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063682.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063744.exe Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063745.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063748.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063753.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063781.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063782.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063793.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063793.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.ce skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063793.exe NSIS: infected - 2 skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063796.exe Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063797.dll Infected: Trojan-PSW.Win32.OnLineGames.nst skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063798.inf Infected: Worm.Win32.AutoRun.bua skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP261\A0063906.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP261\A0063907.cmd Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP262\A0064014.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP262\A0064021.exe Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP263\A0064045.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP263\A0064046.com Object is locked skipped 

C:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP265\change.log Object is locked skipped 

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped 

C:\WINDOWS\SchedLgU.Txt Object is locked skipped 

C:\WINDOWS\SoftwareDistribution\EventCache\{8EDADEA5-B7FB-4BB7-95A1-16F730BF25F7}.bin Object is locked skipped 

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped 

C:\WINDOWS\Sti_Trace.log Object is locked skipped 

C:\WINDOWS\system32\amvo0.dll Infected: Trojan-PSW.Win32.OnLineGames.oti skipped 

C:\WINDOWS\system32\amvo1.dll Infected: Trojan-PSW.Win32.OnLineGames.oob skipped 

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\default Object is locked skipped 

C:\WINDOWS\system32\config\default.LOG Object is locked skipped 

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped 

C:\WINDOWS\system32\config\SAM Object is locked skipped 

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY Object is locked skipped 

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped 

C:\WINDOWS\system32\config\software Object is locked skipped 

C:\WINDOWS\system32\config\software.LOG Object is locked skipped 

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped 

C:\WINDOWS\system32\config\system Object is locked skipped 

C:\WINDOWS\system32\config\system.LOG Object is locked skipped 

C:\WINDOWS\system32\h323log.txt Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped 

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped 

C:\WINDOWS\wiadebug.log Object is locked skipped 

C:\WINDOWS\wiaservc.log Object is locked skipped 

C:\WINDOWS\WindowsUpdate.log Object is locked skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP235\A0061380.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP236\A0061389.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061398.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP237\A0061436.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP238\A0061465.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP239\A0061498.inf Infected: Worm.Win32.AutoRun.bnq skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP241\A0061541.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP242\A0061552.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061571.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP243\A0061587.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061603.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP244\A0061790.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP245\A0061812.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP246\A0061817.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP248\A0062508.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP250\A0062971.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP251\A0062975.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP252\A0062981.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP253\A0063033.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP254\A0063153.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063241.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP255\A0063504.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP257\A0063580.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063648.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063684.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP258\A0063784.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP259\A0063799.inf Infected: Worm.Win32.AutoRun.bua skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP265\change.log Object is locked skipped 

D:\System Volume Information\_restore{AB0AA948-5AF5-4C9E-95A6-379C609B2696}\RP265\A0064089.cmd Object is locked skipped 

D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped 

Scan process completed.


----------



## AmberBCN (Jan 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:40 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Spyware Doctor\svcntaux.exe
C:\Archivos de programa\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Archivos de programa\MSN Messenger\livecall.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Grisoft\AVG7\avgcc.exe
C:\Archivos de programa\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Archivos de programa\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Archivos de programa\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Archivos de programa\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download All with FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA6BC07-D232-429D-BB37-A23950801C4C}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8194 bytes


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.
*O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present*

Boot to safe mode and delete these files manually:

C:\WINDOWS\system32\*amvo0.dll*
C:\WINDOWS\system32\*amvo1.dll*

How are things now?


----------



## AmberBCN (Jan 12, 2008)

I fixed the file you asked me to with HijackThis, but I wasn't able to find the files that I had to delete; they simply weren't there...
I don't have any more pop ups, but internet is still going pretty slow. Another thing is that my AVG has detected today about 50 files infected with Worm/Autorun.Y in D:/System Volume Information and c:/d.com (one of the files I couldn't find; is there maybe some specific way of finding these files that I don't know about?), as well as some Worm/Generic.FHU and one called Trojan horse PSW.OnlineGames.ABBC
Thanks


----------



## Cookiegal (Aug 27, 2003)

c:/d.com was probably in Qoobox, which is where ComboFix moves infected files as backup.

The ones in system restore are not a threat and we will eliminate them when we're done.

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Download and install *AVG Anti-Spyware v7.5*. Note to AVG Free anti-virus program users only: This is not the same program as the one you already have, this is an anti-spyware program so please proceed with the instructions. 

After download, double click on the file to launch the install process. 
Choose a language, click "*OK*" and then click "*Next*". 
Read the "_License Agreement_" and click "*I Agree*". 
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "*Next*", then click "*Install*". 
After setup completes, click "*Finish*" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray. 
The main "*Status*" menu will appear. Select "_Change state_" to inactivate '*Resident Shield*' and '*Automatic Updates*'. _As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them._ 
Then right click on AVG Anti-Spyware in the system tray and *uncheck* "*Start with Windows*". 
Connect to the Internet, go back to AVG Anti-Spyware, select the "*Update*" button and click "*Start update*". 
Wait until you see the "_Update successful_" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer. 
Exit AVG Anti-Spyware when done - *DO NOT perform a scan yet*.
*Reboot your computer in SAFE MODE* using the *F8* method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". _(Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)_

*Scan with AVG Anti-Spyware as follows*:
Click on the "*Scanner*" button and choose the "*Settings*" tab.

Under "*How to act?*", click on "*Recommended actions*" and choose "*Quarantine*" to set default action for detected malware. 
Under "*How to Scan?*", "*Possibly unwanted software*", and "*What to Scan?*" leave all the default settings. 
Under "*Reports*" select "*Do not automatically generate reports*". 
Click the "*Scan*" tab to return to scanning options. 
Click "*Complete System Scan*" to start. 
When the scan has finished, it should automatically be set to *Quarantine*; if not, click on _Recommended Action_ and set it there. 
You will also be presented with a list of infected objects found. Click "*Apply all actions*" to place the files in Quarantine.
_*IMPORTANT!* Do not save the report before you have clicked the *Apply all actions* button. If you do, the log that is created will indicate "*No action taken*", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button._
Click on "*Save Report*" to view all completed scans. Click on the most recent scan you just performed and select "*Save report as*" - the default file name will be in date/time format as follows: *Report-Scan-20060620-142816.txt*. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ 
Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
_Note: Close all open windows, programs, and *DO NOT USE the computer while AVG Anti-Spyware is scanning*. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection._

_AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period._

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## AmberBCN (Jan 12, 2008)

---------------------------------------------------------
AVG Anti-Spyware - Informe del análisis
---------------------------------------------------------

+ Creado en:	1:19:03 PM 1/22/2008

+ Resultado del análisis:	



No se encontró nada.



::Fin del informe


THIS SAYS THAT IT DIDN'T FIND ANYTHING


----------



## AmberBCN (Jan 12, 2008)

Incident Status Location

Adware:Adware/NaviPromo Not disinfected C:\Archivos de programa\WebMediaPlayer\uninst.exe[²ÜÇ\NSUtils.dll] 
Potentially unwanted tool:Application/Webmediaplayer Not disinfected C:\Archivos de programa\WebMediaPlayer\WebMediaPlayer.exe  
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe 
Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Ambar\Cookies\[email protected][2].txt 
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ambar\Cookies\[email protected][1].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ambar\Cookies\[email protected][2].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ambar\Cookies\[email protected][1].txt 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ambar\Cookies\[email protected][2].txt 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ambar\Escritorio\ComboFix.exe[nircmd.com] 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ambar\Escritorio\ComboFix.exe[nircmd.cfexe] 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ambar\Escritorio\FIX\Flash_Disinfector.exe[nircmd.exe] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ambar\Escritorio\FIX\SDFix.exe[SDFix\apps\Process.exe] 
Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\QooBox\Quarantine\C\Archivos de programa\WebMediaPlayer\uninst.exe.vir  
Potentially unwanted tool:Application/Webmediaplayer Not disinfected C:\QooBox\Quarantine\C\Archivos de programa\WebMediaPlayer\WebMediaPlayer.exe.vir 
Virus:W32/Lineage.HCL.worm Disinfected C:\QooBox\Quarantine\C\autorun.inf.vir 
Virus:W32/Lineage.HCL.worm Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\amvo0.dll.vir 
Virus:W32/Lineage.HCL.worm Disinfected C:\QooBox\Quarantine\D\autorun.inf.vir 
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe 
Virus:W32/Lineage.HCL.worm Disinfected C:\SDFix\backups\backups.zip[backups/autorun.inf] 
Virus:W32/Lineage.HCL.worm Disinfected C:\SDFix\backups_old1\backups.zip[backups/autorun.inf] 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe


----------



## AmberBCN (Jan 12, 2008)

Pop ups are back!


----------



## AmberBCN (Jan 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:26 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\documents and settings\ambar\configuración local\datos de programa\msrsly.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Archivos de programa\MSN Messenger\livecall.exe
C:\Archivos de programa\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Archivos de programa\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Archivos de programa\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msrsly] c:\documents and settings\ambar\configuración local\datos de programa\msrsly.exe msrsly
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA6BC07-D232-429D-BB37-A23950801C4C}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7947 bytes


----------
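The HijackThis log above is where the infection finally shows itself: an `O4` autostart (`[msrsly]`) launched from the user's `Configuración local\Datos de programa` folder, the `O6` IE restrictions entry that Cookiegal had already asked to fix, and an `O23` service with "Unknown owner" (in this case legitimate ATI software, but the kind of line a helper checks). The script below is an added example, not HijackThis/Trend Micro code and not something posted in the thread; it encodes those eyeball checks as a small log triage routine. The sample lines are copied from the log above, while the list of profile "scratch" directories and the severity labels are this example's own assumptions.

```python
"""Triage helper for HijackThis v2 logs (added example; not HijackThis code).

Mechanically applies the checks a helper makes by eye on a log like the one
above:
  * O4 autostart entries whose target lives in a user's profile scratch
    directory (Local Settings\Application Data, Temp, and the Spanish-XP
    equivalents seen in this thread), e.g. the msrsly.exe entry;
  * an O6 "Restrictions present" entry (Internet Explorer policy lockdown);
  * O23 services that report no publisher ("Unknown owner").
The directory list and the severity labels are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Profile locations from which legitimate software rarely autostarts.
# Spanish XP folder names are included because the log above comes from a
# Spanish Windows XP ("Configuración local\Datos de programa").
PROFILE_SCRATCH_DIRS = (
    "\\local settings\\application data\\",
    "\\configuración local\\datos de programa\\",
    "\\local settings\\temp\\",
    "\\configuración local\\temp\\",
    "\\temp\\",
)

O4_RUN = re.compile(r"^O4 - (?P<key>HK.+?\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable-looking path in a command line, quoted or not; arguments
# such as "/background" or "(User 'SYSTEM')" are left behind.
EXE_PATH = re.compile(r'^"?(?P<path>[a-z]:\\[^"]*?\.(?:exe|com|scr|pif|bat|cmd)\b)"?', re.I)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section the line came from, e.g. "O4"
    severity: str  # "high": likely malware; "review": needs a human look
    detail: str


def autostart_path(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command line, or None."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else None


def in_profile_scratch_dir(path: str) -> bool:
    """True if the path sits in a per-user temp/local-app-data directory."""
    p = path.lower()
    return any(d in p for d in PROFILE_SCRATCH_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the lines worth a helper's attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            path = autostart_path(m.group("cmd"))
            if path is None:
                findings.append(Finding("O4", "review", f"unparsed autostart target: {line}"))
            elif in_profile_scratch_dir(path):
                findings.append(Finding("O4", "high",
                                        f"[{m.group('name')}] autostarts from a profile scratch directory: {path}"))
            continue
        if line.startswith("O6 - ") and "Restrictions present" in line:
            findings.append(Finding("O6", "review",
                                    "Internet Explorer policy restrictions are set; verify they were intended"))
            continue
        m = O23_SERVICE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding("O23", "review",
                                    f"service '{m.group('svc')}' has no publisher: {m.group('path')}"))
    return findings


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [msrsly] c:\documents and settings\ambar\configuración local\datos de programa\msrsly.exe msrsly
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.severity:7} {f.detail}")
```

Run against the sample it reports exactly three lines: the `msrsly` autostart as high, and the `O6` and ATI `O23` entries as review items. The "review" label is deliberate: an unknown-owner service is often just an unsigned vendor binary, so the script points a human at it rather than pronouncing on it.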



## Cookiegal (Aug 27, 2003)

Please remove the version of ComboFix you have and redownload it to get the latest version.

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

*WARNING: IF you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.*
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## AmberBCN (Jan 12, 2008)

ComboFix 08-01-23.2 - Ambar 2008-01-24 8:18:00.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.34.3082.18.271 [GMT 1:00]
Se ejecuta desde: C:\Archivos de programa\ComboFix.exe

*ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION! *
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Archivos de programa\webmediaplayer
C:\Archivos de programa\webmediaplayer\Privacy Policy.url
C:\Archivos de programa\webmediaplayer\resources\languages_v2.xml
C:\Archivos de programa\webmediaplayer\resources\webmedias
C:\Archivos de programa\webmediaplayer\skins\classic.skn
C:\Archivos de programa\webmediaplayer\sqlite3.dll
C:\Archivos de programa\webmediaplayer\Terms and conditions.url
C:\Archivos de programa\webmediaplayer\uninst.exe
C:\Archivos de programa\webmediaplayer\WebMediaPlayer.exe
C:\Archivos de programa\webmediaplayer\Website.url
C:\Documents and Settings\All Users\Escritorio\webmediaplayer.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\Privacy Policy.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\Terms and conditions.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\WebMediaPlayer.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\Website.lnk
c:\Documents and Settings\Ambar\Configuración local\Datos de programa\msrsly.dat
c:\documents and settings\ambar\configuración local\datos de programa\msrsly.exe
c:\Documents and Settings\Ambar\Configuración local\Datos de programa\msrsly_nav.dat
c:\Documents and Settings\Ambar\Configuración local\Datos de programa\msrsly_navps.dat
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\nvs2.inf

.
(((((((((((((((((( Archivos creados desde 2007-12-24 - 2008-01-24 )))))))))))))))))))))))))))))))))
.

2008-01-23 06:50 . 2008-01-23 06:50	1,551,017	--a------	C:\Archivos de programa\ComboFix.exe
2008-01-22 13:47 . 2008-01-22 14:21 d--------	C:\WINDOWS\system32\ActiveScan
2008-01-22 13:47 . 2008-01-22 13:57	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-01-22 13:47 . 2008-01-22 13:57	2,550	--a------	C:\WINDOWS\system32\Uninstall.ico
2008-01-22 13:47 . 2008-01-22 13:57	1,406	--a------	C:\WINDOWS\system32\Help.ico
2008-01-20 01:45 . 2008-01-20 01:45 d--------	C:\Archivos de programa\backups
2008-01-18 22:31 . 2008-01-18 22:34 d--------	C:\Archivos de programa\Typing Assistant
2008-01-18 22:16 . 2008-01-18 22:16	164	--a------	C:\install.dat
2008-01-18 22:09 . 2008-01-18 22:09 d--------	C:\Archivos de programa\TVAnts
2008-01-17 00:34 . 2008-01-17 00:34 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-01-15 22:39 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-15 22:01 . 2008-01-15 22:01 d--------	C:\WINDOWS\ERUNT
2008-01-14 19:24 . 2008-01-14 19:24	268	--ah-----	C:\sqmdata01.sqm
2008-01-14 19:24 . 2008-01-14 19:24	244	--ah-----	C:\sqmnoopt01.sqm
2008-01-13 20:55 . 2008-01-13 20:55	244	--ah-----	C:\sqmnoopt00.sqm
2008-01-13 20:55 . 2008-01-13 20:55	232	--ah-----	C:\sqmdata00.sqm
2008-01-13 02:36 . 2007-07-06 12:50	401,720	--a------	C:\Archivos de programa\HiJackThis.exe
2008-01-12 22:19 . 2007-05-30 13:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-12 22:14 . 2008-01-12 22:14	14,113,576	--a------	C:\Archivos de programa\avgas-setup-7.5.1.43-3339.exe
2008-01-12 22:14 . 2008-01-12 22:14	92,672	--a------	C:\Archivos de programa\KillBox.exe
2008-01-12 18:38 . 2008-01-12 18:38	103	--a------	C:\ioSpecial.ini
2008-01-09 12:18 . 2008-01-09 12:18	1,044,480	--a------	C:\WINDOWS\system32\libdivx.dll
2008-01-09 12:18 . 2008-01-09 12:18	200,704	--a------	C:\WINDOWS\system32\ssldivx.dll
2008-01-09 12:18 . 2008-01-09 12:18	4,816	--a------	C:\WINDOWS\system32\divxsm.tlb
2008-01-09 12:16 . 2008-01-09 12:16	823,296	--a------	C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 12:16 . 2008-01-09 12:16	823,296	--a------	C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 12:16 . 2008-01-09 12:16	802,816	--a------	C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 12:16 . 2008-01-09 12:16	682,496	--a------	C:\WINDOWS\system32\DivX.dll
2008-01-09 12:16 . 2008-01-09 12:16	196,608	--a------	C:\WINDOWS\system32\dtu100.dll
2008-01-09 12:16 . 2008-01-09 12:16	81,920	--a------	C:\WINDOWS\system32\dpl100.dll
2008-01-09 12:16 . 2008-01-09 12:16	416	--a------	C:\WINDOWS\system32\dtu100.dll.manifest
2008-01-09 12:16 . 2008-01-09 12:16	416	--a------	C:\WINDOWS\system32\dpl100.dll.manifest
2008-01-07 19:02 . 2008-01-07 19:02	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-01-07 19:02 . 2008-01-07 19:02	1,409	--a------	C:\WINDOWS\QTFont.for
2008-01-02 18:46 . 2003-09-04 01:45	274,432	--a------	C:\WINDOWS\system32\FFTIFF16.dll
2008-01-02 18:46 . 2004-07-24 12:28	155,648	--a------	C:\WINDOWS\system32\FFRAFLIB.DLL
2008-01-02 18:45 . 2008-01-02 18:46 d--------	C:\Archivos de programa\FinePixViewer
2008-01-02 18:42 . 2008-01-02 18:42 d--------	C:\Archivos de programa\REGSHAVE
2008-01-02 18:42 . 2001-11-25 12:11	81,924	---------	C:\WINDOWS\system32\drivers\VC4CB104.SYS
2008-01-02 18:42 . 2002-02-05 17:33	69,632	---------	C:\WINDOWS\system32\FREGSHEX.DLL
2008-01-02 18:42 . 2002-02-27 12:27	65,536	---------	C:\WINDOWS\system32\FINFCHECK.dll
2008-01-02 18:42 . 2002-06-25 10:06	45,056	---------	C:\WINDOWS\system32\FINFCOPY.dll
2008-01-02 18:42 . 2002-02-13 11:00	45,056	---------	C:\WINDOWS\system32\FCLKBTN.DLL
2007-12-25 17:18 . 2008-01-19 00:40 d--------	C:\Archivos de programa\Spyware Doctor
2007-12-25 17:18 . 2005-09-23 07:29	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll
2007-12-25 17:18 . 2007-10-04 17:10	79,688	--a------	C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-25 17:18 . 2007-10-04 17:10	62,280	--a------	C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-25 17:18 . 2007-10-04 17:10	41,288	--a------	C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-25 17:18 . 2007-10-04 17:11	29,000	--a------	C:\WINDOWS\system32\drivers\kcom.sys
2007-12-25 17:02 . 2008-01-21 09:57 d--------	C:\Archivos de programa\Archivos comunes\Symantec Shared
2007-12-25 16:52 . 2008-01-20 13:07 d--------	C:\Archivos de programa\Norton Security Scan

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 19:35	---------	d-----w	C:\Archivos de programa\FlashGet
2008-01-22 19:34	7,948	----a-w	C:\Archivos de programa\hijackthis.log
2008-01-22 13:08	---------	d-----w	C:\Archivos de programa\MSN Messenger
2008-01-22 13:04	---------	d-----w	C:\Archivos de programa\Google
2008-01-18 23:45	---------	d-----w	C:\Archivos de programa\Archivos comunes\Teleca Shared
2008-01-12 17:31	---------	d-----w	C:\Archivos de programa\Java
2008-01-12 15:23	---------	d-----w	C:\Archivos de programa\DivX
2008-01-09 11:18	524,288	----a-w	C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18	3,596,288	----a-w	C:\WINDOWS\system32\qt-dx331.dll
2008-01-02 17:45	---------	d--h--w	C:\Archivos de programa\InstallShield Installation Information
2007-12-11 19:44	593,920	----a-w	C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44	57,344	----a-w	C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44	53,248	----a-w	C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44	344,064	----a-w	C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44	294,912	----a-w	C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44	294,912	----a-w	C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44	156,992	----a-w	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43	12,288	----a-w	C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-04 20:23	---------	d-----w	C:\Archivos de programa\Total Video Converter
2007-12-01 21:16	---------	d-----w	C:\Archivos de programa\DivXLand
2007-11-07 09:28	726,528	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:36	1,293,824	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-09-26 00:04	50,688	----a-w	C:\Archivos de programa\ATF-Cleaner.exe
2007-05-22 08:22	430,993	----a-w	C:\Archivos de programa\jb8100_bios3a12.zip
2007-02-26 12:00	4,604,752	----a-w	C:\Archivos de programa\installSinEspias71.exe
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-08 12:14 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-11-28 01:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:32 579072]
"Adobe Reader Speed Launcher"="C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [2007-05-07 15:12 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-11-28 01:00 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [2007-10-26 13:03 219136]

C:\Documents and Settings\All Users\Men£ Inicio\Programas\Inicio\
Google Updater.lnk - C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe [2007-12-25 15:25:28 124400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-05-07 14:50]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-05-07 14:50]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-05-07 14:50]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-05-07 14:50]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-05-07 14:50]

.
Contenido de carpeta 'Tareas Programadas'
"2008-01-18 19:33:37 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Archivos de programa\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 08:20:07
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito 
archivos ocultos: 0

**************************************************************************
.
--------------------- DLLs cargados bajo los procesos en ejecución ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Archivos de programa\ArcSoft\PhotoImpression 5\share\pihook.dll
.


----------



## AmberBCN (Jan 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:24, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\explorer.exe
D:\Documents and Settings\emule.exe
C:\Archivos de programa\Grisoft\AVG7\avgcc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Archivos de programa\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Archivos de programa\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA6BC07-D232-429D-BB37-A23950801C4C}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7697 bytes


----------



## Cookiegal (Aug 27, 2003)

How are things now?


----------



## AmberBCN (Jan 12, 2008)

Well, today I haven't had any pop ups, the computer temperature isn't hot anymore... but a screeching noise has appeared! It's this indescribable noise... a screech about 2 seconds long, a very high note. I have heard it before when I had a virus a year ago (the store took care of it because it still has its warranty)...


----------



## Cookiegal (Aug 27, 2003)

When does it make this noise? Is it on reboot?


----------



## AmberBCN (Jan 12, 2008)

No, it does it always, every 26 seconds more or less.


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *File String Search* group click *SELECT ALL*.
In the *Additional Scans* section please select *ALL* and make sure Non-Microsoft only is *UNCHECKED*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## AmberBCN (Jan 12, 2008)

Today I haven't heard the noise. I've been using the computer for about 4 hours.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Search* - *All Files and Folders* and under *More advanced search options*. 
Make sure there is a check by *Search System Folders* and *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*c:\windows\episms00.swb*

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


```
[Kill Explorer]
[Files/Folders - Created Within 60 days]
NY -> @Alternate Data Stream - 106 bytes -> %AllUsersAppData%\TEMP:DFC5A2B2
[Files/Folders - Modified Within 30 days]
NY -> @Alternate Data Stream - 106 bytes -> %AllUsersAppData%\TEMP:DFC5A2B2
[File String Scan - All]
NY -> @Alternate Data Stream - 106 bytes -> %AllUsersAppData%\TEMP:DFC5A2B2
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
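A defender-side check added here, not the poster's instructions or WinPFind3U's own code: a PowerShell snippet that lists the alternate data streams on a folder tree like the one the fix above targets, so a stream such as `TEMP:DFC5A2B2` can be reviewed before anything is deleted. The `$Root` path and the list of streams treated as benign are assumptions.

```powershell
# Added example, not part of the thread or of WinPFind3U.
# Lists named alternate data streams (ADS) on a folder and everything under it.
# $Root is an assumed value; on this Spanish XP install %AllUsersAppData%
# resolves to "...\All Users\Datos de programa" (see the ComboFix log).
param(
    [string]$Root = "$env:ALLUSERSPROFILE\Datos de programa\TEMP"
)

# Streams not worth reporting: the unnamed default data stream and the
# Internet-zone marker browsers attach to downloaded files (assumed benign list).
$benign = @(':$DATA', 'Zone.Identifier')

# The folder itself can carry a stream (the log showed TEMP:DFC5A2B2 on the
# folder, not on a file inside it), so include the root as well as its children.
# -Force includes hidden and system objects, where such streams tend to sit.
$items = @(Get-Item -LiteralPath $Root -Force -ErrorAction SilentlyContinue) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

# Get-Item -Stream * enumerates every stream on a file or folder;
# each result carries FileName, Stream and Length.
$items |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $benign -notcontains $_.Stream } |
    Select-Object @{ n = 'Path'; e = { $_.FileName } }, Stream, Length |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell 3.0 or later session; anything it prints is a named stream a helper would want to account for before running a deletion fix.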


----------



## AmberBCN (Jan 12, 2008)

Service load: 0% 100% 

File: episms00.swb 
Status: OK 
MD5: 2fa2723d4d632f63caab757f2922102e 
Packers detected: - 
Bit9 reports: File not found 

Scanner results 
Scan taken on 01 Feb 2008 16:03:30 (GMT) 
A-Squared Found nothing 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
CPsecure Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
Fortinet Found nothing 
Ikarus Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
Panda Antivirus Found nothing 
Rising Antivirus Found nothing 
Sophos Antivirus Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing


----------



## Cookiegal (Aug 27, 2003)

It seems it's part of your Epson printer.

Please download *Navilog1* by IL-MAFIOSO:
http://pagesperso-orange.fr/il.mafioso/Navifix/Navilog1.exe
(*Alternate download location *Here*)

* Save it to your Desktop.
* Double-click on *Navilog1.exe* to install the program.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double-click on the *Navilog1* shortcut on your Desktop to run it.
* Press *E* for *English* from the language Menu.
* Type *1* in the next Menu to select *Search* and press *Enter*.
* Wait for the Scan to finish (It may take a reasonable amount of time).
* Press any key as requested.
* A new document will be produced: *fixnavi.txt.*
* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%*SystemDrive*%\*fixnavi.txt*". (usually C:\fixnavi.txt)


----------



## AmberBCN (Jan 12, 2008)

Explorer killed successfully
[Files/Folders - Created Within 60 days]
ADS C:\Documents and Settings\All Users\Datos de programa\TEMPFC5A2B2 deleted successfully.
[Files/Folders - Modified Within 30 days]
Unable to delete ADS C:\Documents and Settings\All Users\Datos de programa\TEMPFC5A2B2 .
[File String Scan - All]
Unable to delete ADS C:\Documents and Settings\All Users\Datos de programa\TEMPFC5A2B2 .
[Empty Temp Folders]
C:\DOCUME~1\Ambar\CONFIG~1\Temp\ -> emptied.
C:\Documents and Settings\Ambar\Configuración local\Archivos temporales de Internet\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 02-02-2008 12:38:36


----------



## AmberBCN (Jan 12, 2008)

Search Navipromo version 3.4.2 began on 2008-02-02 at 12:48:18.20

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Archivos de programa\navilog1
Updated on 27.01.2008 at 17h00 by IL-MAFIOSO

Microsoft Windows XP [Versi¢n 5.1.2600]
Version Internet Explorer : 7.0.5730.11
Filesystem type : NTFS

Done in normal mode

*** Searching for installed Software ***

*** Search folders in C:\WINDOWS ***

*** Search folders in C:\Archivos de programa ***

*** Search folders in C:\DOCUME~1\ALLUSE~1\DATOSD~1 ***

*** Search folders in "C:\Documents and Settings\Ambar\datos de programa" ***

*** Search folders in "C:\Documents and Settings\Ambar\configuraci¾n local\datos de programa" ***

*** Search folders in "C:\Documents and Settings\Ambar\MENINI~1\PROGRA~1" ***

*** Search folders in C:\DOCUME~1\ALLUSE~1\MENINI~1\PROGRA~1 ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

No file found

*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in "C:\Documents and Settings\Ambar\configuraci¾n local\datos de programa" *

gnc.exe missing, Scan not done in "C:\Documents and Settings\Ambar\configuraci¾n local\datos de programa" !

*** Search files ***

*** Search specific Registry keys ***

*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :

2)Heuristic Search :

* In C:\WINDOWS\system32 :

* In "C:\Documents and Settings\Ambar\configuraci¾n local\datos de programa" :

3)Certificates Search :

Egroup certificate not found !

4)Search known files :

*** Search completed on 2008-02-02 at 12:50:45.52 ***


----------



## AmberBCN (Jan 12, 2008)

While doing the navilog search my avg detected 2 threats (it hadn't detected anything for about a week): a trojan horse in a couple of files from c:/documents and settings/ambar/local configuration/temp


----------



## Cookiegal (Aug 27, 2003)

What were the names of the files? They may have been files belonging to Navilog.


----------



## AmberBCN (Jan 12, 2008)

Trojan horse Generic9.ACFR on c: documents and settings/ambar/configuracion local/temp/smfvgsmx9177487.dll


----------



## AmberBCN (Jan 12, 2008)

Here's what AVG has found lately


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.


----------



## Cookiegal (Aug 27, 2003)

Also, please remove the version of ComboFix that you currently have and download it again.

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

WARNING: *IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts.*
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## AmberBCN (Jan 12, 2008)

ComboFix 08-02-21 - Ambar 2008-02-21 14:51:06.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.34.3082.18.244 [GMT 1:00]
Se ejecuta desde: C:\Archivos de programa\ComboFix.exe
* Creado un nuevo punto de restauración

*ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION! *
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\nsprs.dll
C:\WINDOWS\system32\serauth1.dll
C:\WINDOWS\system32\serauth2.dll
C:\WINDOWS\system32\ssprs.dll
.
---- Previous Run -------
.
C:\Archivos de programa\webmediaplayer
C:\Archivos de programa\webmediaplayer\Privacy Policy.url
C:\Archivos de programa\webmediaplayer\resources\languages_v2.xml
C:\Archivos de programa\webmediaplayer\resources\webmedias
C:\Archivos de programa\webmediaplayer\skins\classic.skn
C:\Archivos de programa\webmediaplayer\sqlite3.dll
C:\Archivos de programa\webmediaplayer\Terms and conditions.url
C:\Archivos de programa\webmediaplayer\uninst.exe
C:\Archivos de programa\webmediaplayer\WebMediaPlayer.exe
C:\Archivos de programa\webmediaplayer\Website.url
C:\Documents and Settings\All Users\Escritorio\webmediaplayer.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\Privacy Policy.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\Terms and conditions.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\WebMediaPlayer.lnk
C:\Documents and Settings\All Users\Menú Inicio\Programas\WebMediaPlayer\Website.lnk
c:\Documents and Settings\Ambar\Configuración local\Datos de programa\msrsly.dat
c:\documents and settings\ambar\configuración local\datos de programa\msrsly.exe
c:\Documents and Settings\Ambar\Configuración local\Datos de programa\msrsly_nav.dat
c:\Documents and Settings\Ambar\Configuración local\Datos de programa\msrsly_navps.dat
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\nvs2.inf

.
(((((((((((((((((( Archivos creados desde 2008-01-21 - 2008-02-21 )))))))))))))))))))))))))))))))))
.

2008-02-20 21:45 . 2008-02-20 21:45	1,598,301	--a------	C:\Archivos de programa\ComboFix.exe
2008-02-07 22:25 . 2008-02-11 10:59	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-02-07 22:25 . 2008-02-07 22:25	1,409	--a------	C:\WINDOWS\QTFont.for
2008-02-02 12:45 . 2008-02-02 12:51 d--------	C:\Archivos de programa\Navilog1
2008-02-01 21:10 . 2008-02-01 21:10	1,025	--a------	C:\WINDOWS\system32\sysprs7.tgz
2008-02-01 21:10 . 2008-02-01 21:10	1,025	--a------	C:\WINDOWS\system32\sysprs7.dll
2008-02-01 21:10 . 2008-02-04 00:45	354	--a------	C:\WINDOWS\system32\lsprst7.tgz
2008-02-01 21:10 . 2008-02-04 00:45	16	---h-----	C:\WINDOWS\system32\servdat.slm
2008-02-01 21:01 . 2008-02-01 21:01	1,024	--a------	C:\WINDOWS\system32\clauth2.dll
2008-02-01 21:01 . 2008-02-01 21:01	1,024	--a------	C:\WINDOWS\system32\clauth1.dll
2008-02-01 21:01 . 2008-02-04 00:35	14	--a------	C:\WINDOWS\system32\ssprs.tgz
2008-02-01 21:01 . 2008-02-01 21:01	0	--a------	C:\WINDOWS\system32\nsprs.tgz
2008-02-01 20:57 . 2008-02-04 00:35 d--------	C:\Archivos de programa\SPSSEval
2008-01-29 01:25 . 2008-01-29 01:25	268	--ah-----	C:\sqmdata02.sqm
2008-01-29 01:25 . 2008-01-29 01:25	244	--ah-----	C:\sqmnoopt02.sqm
2008-01-22 13:47 . 2008-01-22 14:21 d--------	C:\WINDOWS\system32\ActiveScan
2008-01-22 13:47 . 2008-01-22 13:57	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-01-22 13:47 . 2008-01-22 13:57	2,550	--a------	C:\WINDOWS\system32\Uninstall.ico
2008-01-22 13:47 . 2008-01-22 13:57	1,406	--a------	C:\WINDOWS\system32\Help.ico

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 13:50	---------	d-----w	C:\Archivos de programa\FlashGet
2008-02-21 09:42	---------	d-----w	C:\Archivos de programa\Archivos comunes\Adobe
2008-02-21 09:00	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\AVG7
2008-02-20 21:54	---------	d-----w	C:\Documents and Settings\All Users\Datos de programa\Google Updater
2008-02-17 09:49	---------	d-----w	C:\Archivos de programa\Archivos comunes\Symantec Shared
2008-02-15 14:00	---------	d-----w	C:\Archivos de programa\Norton Security Scan
2008-01-22 13:08	---------	d-----w	C:\Archivos de programa\MSN Messenger
2008-01-22 13:04	---------	d-----w	C:\Archivos de programa\Google
2008-01-22 09:04	---------	d---a-w	C:\Documents and Settings\All Users\Datos de programa\TEMP
2008-01-20 00:45	---------	d-----w	C:\Archivos de programa\backups
2008-01-18 23:45	---------	d-----w	C:\Archivos de programa\Archivos comunes\Teleca Shared
2008-01-18 23:40	---------	d-----w	C:\Archivos de programa\Spyware Doctor
2008-01-18 21:34	---------	d-----w	C:\Archivos de programa\Typing Assistant
2008-01-18 21:16	164	----a-w	C:\install.dat
2008-01-18 21:14	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\Webroot
2008-01-18 21:09	---------	d-----w	C:\Archivos de programa\TVAnts
2008-01-18 20:07	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\Smart PC Solutions
2008-01-16 23:35	---------	d-----w	C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab
2008-01-12 21:21	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\Grisoft
2008-01-12 21:19	---------	d-----w	C:\Documents and Settings\All Users\Datos de programa\Grisoft
2008-01-12 17:31	---------	d-----w	C:\Archivos de programa\Java
2008-01-12 15:23	---------	d-----w	C:\Archivos de programa\DivX
2008-01-09 11:18	524,288	----a-w	C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18	3,596,288	----a-w	C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 11:18	200,704	----a-w	C:\WINDOWS\system32\ssldivx.dll
2008-01-09 11:18	1,044,480	----a-w	C:\WINDOWS\system32\libdivx.dll
2008-01-09 11:16	823,296	----a-w	C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 11:16	823,296	----a-w	C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 11:16	81,920	----a-w	C:\WINDOWS\system32\dpl100.dll
2008-01-09 11:16	802,816	----a-w	C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 11:16	682,496	----a-w	C:\WINDOWS\system32\DivX.dll
2008-01-09 11:16	196,608	----a-w	C:\WINDOWS\system32\dtu100.dll
2008-01-02 17:50	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\FUJIFILM
2008-01-02 17:46	---------	d-----w	C:\Archivos de programa\FinePixViewer
2008-01-02 17:45	---------	d--h--w	C:\Archivos de programa\InstallShield Installation Information
2008-01-02 17:42	---------	d-----w	C:\Archivos de programa\REGSHAVE
2007-12-25 16:18	---------	d-----w	C:\Documents and Settings\Ambar\Datos de programa\PC Tools
2007-12-11 19:44	593,920	----a-w	C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44	57,344	----a-w	C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44	53,248	----a-w	C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44	344,064	----a-w	C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44	294,912	----a-w	C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44	294,912	----a-w	C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44	156,992	----a-w	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43	12,288	----a-w	C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-07 02:08	824,832	----a-w	C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41	550,912	----a-w	C:\WINDOWS\system32\oleaut32.dll
2007-07-06 11:50	401,720	----a-w	C:\Archivos de programa\HiJackThis.exe
2007-05-22 08:22	430,993	----a-w	C:\Archivos de programa\jb8100_bios3a12.zip
.

------- Sigcheck -------

"C:\WINDOWS\system32\winlogon.exe"
----a-w 505,344 2006-11-28 00:00:00 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-08 12:14 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-11-28 01:00 15360]
"AdobeUpdater"="C:\Archivos de programa\Archivos comunes\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:32 579072]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [2007-05-07 15:12 155648]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2007-11-17 13:14 185896]
"Adobe Reader Speed Launcher"="C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-11-28 01:00 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [2007-10-26 13:03 219136]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
Google Updater.lnk - C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe [2007-12-25 15:25:28 124400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-05-07 14:50]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-05-07 14:50]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-05-07 14:50]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-05-07 14:50]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-05-07 14:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{faa4afd1-fca2-11db-a678-00039d706381}]
\Shell\AutoRun\command - u.bat
\Shell\explore\Command - u.bat
\Shell\open\Command - u.bat

.
Contenido de carpeta 'Tareas Programadas'
"2008-02-16 05:16:32 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Archivos de programa\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 14:53:41
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito 
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-02-21 14:54:21
ComboFix-quarantined-files.txt 2008-02-21 13:54:07
ComboFix2.txt 2008-01-15 21:44:01
.
2008-02-14 00:00:17	--- E O F ---


----------



## AmberBCN (Jan 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:00 PM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Grisoft\AVG7\avgcc.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Archivos de programa\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Archivos de programa\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Archivos de programa\Archivos comunes\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Archivos de programa\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCA6BC07-D232-429D-BB37-A23950801C4C}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8070 bytes


----------



## AmberBCN (Jan 12, 2008)

Hi,
the AVG still detects worms, and the computer does weird things: the desktop icons blink, when I open an internet page there are a few "click" sounds instead of only one, etc. No more pop-ups, no more screeching noises, but I do receive some spam mail. Also, error messages sometimes appear when I open DivX and it closes the program. I attached the error message. 
Thanx!


----------



## Cookiegal (Aug 27, 2003)

What can you tell me about this program? Do you recognize it?

C:\Archivos de programa\*SPSSEval*


----------



## AmberBCN (Jan 12, 2008)

Yes, SPSS is a statistics program that I downloaded; it's a free trial that has expired.


----------



## Cookiegal (Aug 27, 2003)

If it's expired then I imagine you have no objection to uninstalling it?

Open HijackThis and click on "Config" and then on the "Misc Tools" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## AmberBCN (Jan 12, 2008)

Ok, I uninstalled!

450 Grammaire Avancé
Actualización de seguridad para el Reproductor de Windows Media (KB911564)
Actualización de seguridad para el Reproductor de Windows Media 11 (KB936782)
Actualización de seguridad para el Reproductor de Windows Media 6.4 (KB925398)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB917734)
Actualización de seguridad para Windows Internet Explorer 7 (KB928090)
Actualización de seguridad para Windows Internet Explorer 7 (KB931768)
Actualización de seguridad para Windows Internet Explorer 7 (KB933566)
Actualización de seguridad para Windows Internet Explorer 7 (KB937143)
Actualización de seguridad para Windows Internet Explorer 7 (KB938127)
Actualización de seguridad para Windows Internet Explorer 7 (KB939653)
Actualización de seguridad para Windows Internet Explorer 7 (KB942615)
Actualización de seguridad para Windows Internet Explorer 7 (KB944533)
Actualización de seguridad para Windows XP (KB911562)
Actualización de seguridad para Windows XP (KB913580)
Actualización de seguridad para Windows XP (KB914388)
Actualización de seguridad para Windows XP (KB914389)
Actualización de seguridad para Windows XP (KB917344)
Actualización de seguridad para Windows XP (KB917422)
Actualización de seguridad para Windows XP (KB917953)
Actualización de seguridad para Windows XP (KB918118)
Actualización de seguridad para Windows XP (KB918439)
Actualización de seguridad para Windows XP (KB919007)
Actualización de seguridad para Windows XP (KB920213)
Actualización de seguridad para Windows XP (KB920670)
Actualización de seguridad para Windows XP (KB920683)
Actualización de seguridad para Windows XP (KB920685)
Actualización de seguridad para Windows XP (KB921503)
Actualización de seguridad para Windows XP (KB922819)
Actualización de seguridad para Windows XP (KB923191)
Actualización de seguridad para Windows XP (KB923414)
Actualización de seguridad para Windows XP (KB923689)
Actualización de seguridad para Windows XP (KB923694)
Actualización de seguridad para Windows XP (KB923789)
Actualización de seguridad para Windows XP (KB923980)
Actualización de seguridad para Windows XP (KB924191)
Actualización de seguridad para Windows XP (KB924270)
Actualización de seguridad para Windows XP (KB924496)
Actualización de seguridad para Windows XP (KB924667)
Actualización de seguridad para Windows XP (KB925902)
Actualización de seguridad para Windows XP (KB926255)
Actualización de seguridad para Windows XP (KB926436)
Actualización de seguridad para Windows XP (KB927779)
Actualización de seguridad para Windows XP (KB927802)
Actualización de seguridad para Windows XP (KB928090)
Actualización de seguridad para Windows XP (KB928255)
Actualización de seguridad para Windows XP (KB928843)
Actualización de seguridad para Windows XP (KB929123)
Actualización de seguridad para Windows XP (KB930178)
Actualización de seguridad para Windows XP (KB931261)
Actualización de seguridad para Windows XP (KB931784)
Actualización de seguridad para Windows XP (KB932168)
Actualización de seguridad para Windows XP (KB933729)
Actualización de seguridad para Windows XP (KB935839)
Actualización de seguridad para Windows XP (KB935840)
Actualización de seguridad para Windows XP (KB936021)
Actualización de seguridad para Windows XP (KB938829)
Actualización de seguridad para Windows XP (KB941202)
Actualización de seguridad para Windows XP (KB941568)
Actualización de seguridad para Windows XP (KB941569)
Actualización de seguridad para Windows XP (KB941644)
Actualización de seguridad para Windows XP (KB943055)
Actualización de seguridad para Windows XP (KB943460)
Actualización de seguridad para Windows XP (KB943485)
Actualización de seguridad para Windows XP (KB944653)
Actualización de seguridad para Windows XP (KB946026)
Actualización para Windows XP (KB900485)
Actualización para Windows XP (KB904942)
Actualización para Windows XP (KB908531)
Actualización para Windows XP (KB911280)
Actualización para Windows XP (KB916595)
Actualización para Windows XP (KB920872)
Actualización para Windows XP (KB922582)
Actualización para Windows XP (KB927891)
Actualización para Windows XP (KB930916)
Actualización para Windows XP (KB931836)
Actualización para Windows XP (KB933360)
Actualización para Windows XP (KB936357)
Actualización para Windows XP (KB938828)
Actualización para Windows XP (KB942763)
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.2 - Español
ATI - Utilidad de desinstalación de software
ATI Control Panel
ATI Display Driver
AVG 7.5
AVG Anti-Spyware 7.5
Compressor WinRAR
Controlador de Logitech® Camera
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DivXLand Media Subtitler
EPSON CardMonitor
EPSON Copy Utility 3
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Scan
EPSON Smart Panel
ESPRX420 Manual de Ref.
Favorit
FinePixViewer Ver.4.3
FlashGet 1.9.6.1073
FUJIFILM USB Driver
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HSP56 Modem Drivers
Java(TM) 6 Update 3
Kaspersky Online Scanner
Maxtor Manager
Maxtor Manager
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.9)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Navilog1 3.4.2
Nero 7 Demo
Norton Security Scan
OpenMG Limited Patch 4.2-05-07-27-01
OpenMG Secure Module 4.2.00
Panda ActiveScan
Paquete de compatibilidad para 2007 Office system
PhotoImpression 5
PIF DESIGNER2.1
QuickTime
RealPlayer
Realtek AC'97 Audio
rellotge_catala_conf_v3 Screen Saver
Reproductor de Windows Media 11
Revisión para el Reproductor de Windows Media 11 (KB939683)
Revisión para Windows XP (KB914440)
ScanToWeb
Software de impresora EPSON
Software Logitech QuickCam
Sony Ericsson PC Suite 1.20.173
Spyware Doctor 5.1
Total Video Converter 3.02
TVAnts 1.0
Winamp (remove only)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11


----------



## Cookiegal (Aug 27, 2003)

Please run another scan with ComboFix now that you have uninstalled that program, and post the log.


----------

