Avast WEBforum

Other => Viruses and worms => Topic started by: bitoclass on August 19, 2007, 01:56:09 PM

Title: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 01:56:09 PM
Hi,

My PC has somehow picked up a virus, which has been sending out tonnes of spam for some time :(

I am so careful, virus-scanning all downloads, keeping Windows up-to-date etc., I'm the first person friends and family turn to when they get their PCs in a mess, and in nearly a decade online I've never previously had so much as a spyware infection, let alone a spambot!

This has really shocked me and I have no idea how it got onto my PC, still less how to track it down and remove it. (I only know it's here because the Avast On-Access Scanner window was showing a new outgoing message every few seconds (under 'Last scanned') with awful Subjects like "Important security information for your bank account" and so forth.)

Since discovering it I have been blocking traffic carefully so I'm no longer spamming, and have tried System Restore to one and two months ago but it didn't work, so then I disabled System Restore in case the virus was hiding in the restore files.

A Thorough Scan with Avast didn't find anything, and nor has Kaspersky's Online Scanner. Windows Defender also failed to find anything, as did Spybot - Search and Destroy.

Finally, through a complicated chain of investigation I have determined the following:

1. The process making the connections to send the spam is svchost.exe.
2. It tries to connect from ports in the 3000 range on my PC to HTTP ports on a range of remote servers such as stormpay.com, leapcash.com and missoula.servershost.net. I guess these are compromised web servers or something.
3. If I disable the "DCOM Server Process Launcher" (path: "C:\WINDOWS\system32\svchost -k DcomLaunch") in the Windows Services list, on the next reboot the connection attempts are no longer made. This is an important system service, though, so I can't just leave this disabled to work around the problem!

Can anyone help me identify what's behind this problem, why Avast (and other scanners) are not picking up on it, and most importantly what I can do to stop this happening and thoroughly clean my computer of this malware?

Thanks in advance everyone!
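The three findings above are the normal starting point for this kind of triage: an outbound connection is tied to a PID, the PID turns out to be a shared service host, and the service group is the smallest unit the Services list lets you switch off. The script below is an added example, not the poster's tooling or anything from the Avast forum. It parses the text formats of Windows XP netstat -ano and tasklist /svc, joins them on PID, and reports which service group the connecting svchost.exe instance carries, so the investigation can be narrowed to the modules loaded in that one process instead of disabling DcomLaunch outright. The two sample outputs are constructed for the example: the addresses are RFC 5737 documentation ranges rather than the hosts named in the post, and the service-group membership shown is part of the sample, not a captured value.

```python
"""Tie outbound connections to the process and svchost service group that owns them.

Added example for the thread above, not the poster's tooling. Parses the text
formats of Windows XP `netstat -ano` and `tasklist /svc`. The sample output is
constructed (RFC 5737 documentation addresses, assumed service groups).
"""
import re
from collections import defaultdict

# Constructed sample in `netstat -ano` format. Three connections from the
# 3000 range to remote port 80 belong to PID 1032; one browser connection to 443
# from PID 2216 is included as a control.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.10:3021      192.0.2.10:80          SYN_SENT        1032
  TCP    192.168.1.10:3022      198.51.100.7:80        ESTABLISHED     1032
  TCP    192.168.1.10:3023      192.0.2.44:80          SYN_SENT        1032
  TCP    192.168.1.10:1078      192.0.2.99:443         ESTABLISHED     2216
  UDP    0.0.0.0:500            *:*                                    704
"""

# Constructed sample in `tasklist /svc` format, including a wrapped row: the
# tool continues long service lists on indented lines.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   700 Eventlog, PlugPlay
lsass.exe                      704 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                   1032 DcomLaunch, TermService
svchost.exe                   1100 RpcSs
svchost.exe                   1212 AudioSrv, BITS, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver,
                                   Netman, Schedule, SENS, wuauserv
iexplore.exe                  2216 N/A
"""

ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def split_endpoint(endpoint):
    """'192.168.1.10:3021' -> ('192.168.1.10', 3021); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        _, local_port = split_endpoint(parts[1])
        remote_host, remote_port = split_endpoint(parts[2])
        state = parts[3] if len(parts) == 5 else ""  # UDP rows carry no state column
        conns.append({"proto": parts[0], "local_port": local_port, "remote": remote_host,
                      "remote_port": remote_port, "state": state, "pid": int(parts[-1])})
    return conns


def _service_names(text):
    return [s.strip() for s in text.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}, folding wrapped rows back onto their PID."""
    rows, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.startswith("Image Name"):
            continue
        if line[0].isspace() and current is not None:  # continuation of the previous row
            rows[current][1].extend(_service_names(line))
            continue
        m = ROW_RE.match(line)
        if m:
            current = int(m.group("pid"))
            rows[current] = (m.group("image"), _service_names(m.group("services")))
    return rows


def flag_outbound(conns, procs, local_ports=range(3000, 4000), remote_ports=(80, 443)):
    """Group active TCP connections matching the port pattern by owning PID and
    attach the image name and hosted services of that PID."""
    grouped = defaultdict(list)
    for c in conns:
        if c["proto"] != "TCP" or c["state"] == "LISTENING":
            continue
        if c["local_port"] in local_ports and c["remote_port"] in remote_ports:
            grouped[c["pid"]].append(c)
    findings = []
    for pid, cs in sorted(grouped.items()):
        image, services = procs.get(pid, ("<unknown>", []))
        findings.append({"pid": pid, "image": image, "services": services,
                         "connections": len(cs),
                         "remotes": sorted({f"{c['remote']}:{c['remote_port']}" for c in cs})})
    return findings


def report(findings):
    lines = []
    for f in findings:
        svc = ", ".join(f["services"]) or "(no services hosted)"
        lines.append(f"PID {f['pid']} {f['image']} hosts [{svc}] -> "
                     f"{f['connections']} connection(s) to {', '.join(f['remotes'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(flag_outbound(parse_netstat(NETSTAT_SAMPLE), parse_tasklist_svc(TASKLIST_SAMPLE))))
```

On the machine itself the two inputs come from "netstat -ano" and "tasklist /svc" redirected to text files. Once a PID is isolated, "tasklist /m /fi "PID eq 1032"" lists the DLLs loaded into that process, which is the level at which a shared service host's unexpected behaviour can actually be attributed; the service group name alone only says which host process was used.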
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: raman on August 19, 2007, 02:09:02 PM
You should post a ComboFix report. You can find a guide here:
http://forum.avast.com/index.php?topic=29972.msg246988#msg246988
Only ComboFix, not the BFU mentioned there!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: Lisandro on August 19, 2007, 03:00:48 PM
Sometimes it could be good to download, install, update and run AVG Antispyware (http://www.ewido.net/en/). Some users recommend SUPERantispyware (http://www.superantispyware.com), Spyware Terminator (http://www.spywareterminator.com/) and/or a-squared (http://www.emsisoft.com/en/software/free/) (take care about false positives). Other tools that could help are anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).

Maybe making a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here and, especially, scanning with RunScanner (http://www.runscanner.net/) and submitting its log to on-line analysis would help to identify the problem and the solution.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 03:29:39 PM
Quote
Maybe making a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here and, especially, scanning with RunScanner (http://www.runscanner.net/) and submitting its log to on-line analysis would help to identify the problem and the solution.
I tried HijackThis soon after I found the problem and posted the log here:

http://forums.spywareinfo.com/index.php?showtopic=104414&st=0&p=571430

There didn't look to be anything amiss in it, and no-one replied, so I guess it didn't reveal anything, but you're welcome to have a look and see if you can see anything, of course!

I've just tried F-Secure Blacklight and it failed to find anything wrong at all.

I'm running ComboFix, but it has been going for much longer than the '10 minutes' it says it should take, and it doesn't show any progress bar or anything, so it's hard to know when it will finish, if ever! Hopefully it being so slow is a sign that it is finding something!

Do you know where it will save a log of its findings or anything? I saved it to and ran it from my desktop - will the log appear there?

Hmm, does anyone know how long I should leave it running without it saying anything before I decide it's hung or something?  ???  It's been going for a good half-hour or more now.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: Lisandro on August 19, 2007, 03:42:08 PM
Quote
I tried HijackThis soon after I found the problem and posted the log here:
http://forums.spywareinfo.com/index.php?showtopic=104414&st=0&p=571430
There didn't look to be anything amiss in it, and no-one replied, so I guess it didn't reveal anything, but you're welcome to have a look and see if you can see anything, of course!
Are you sure?
What about...
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

Quote
Do you know where it will save a log of its findings or anything? I saved it to and ran it from my desktop - will the log appear there? Hmm, does anyone know how long I should leave it running without it saying anything before I decide it's hung or something?  ???  It's been going for a good half-hour or more now.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 03:58:27 PM
Quote
What about...
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

That file is digitally signed by Microsoft and dated 2004, so unfortunately I don't think it's at fault, but I can't find anything out about it on the internet - the only Google result for rasrad32.dll is my Hijack This forum post!

Quote
Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

OK, I've tried closing ComboFix and starting it again - I assume that's what you were suggesting I should do. It's running at the moment so I'm going to leave it going and come back when it's finished. In the meantime here's my Hijack This log again - I just ran it again to get an up-to-date one.

Quote
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:52, on 2007-08-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\system32\3007WFP\LcdOsd.exe
C:\WINDOWS\system32\3007WFP\LcdOsd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BBC Alerts\BBC_Alerts.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\findstr.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
(I'll continue this in another post - it was too long for the forum to allow in a single post unfortunately.)
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 04:00:12 PM
Hijack This log continued...

Quote
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all (User '?')
O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Oh dear, out of room again - a third post follows!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 04:00:55 PM
Hijack This log, part three:

Quote
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172765515765
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172938035906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D940FA-FF03-4B3B-950A-2B22E03A2A18}: NameServer = 192.168.1.1
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell 3007WFP (Service) - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 12909 bytes
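The rasrad32 exchange above shows the limit of reasoning from a file's own claims: a signer name and a plausible timestamp are things the file presents about itself, whereas a Winlogon Notify package name that appears nowhere else is exactly what a comparison against a known-good baseline would surface. The script below is an added example, not part of the thread and not part of HijackThis. It reads HijackThis-format lines (a constructed sample built from lines copied out of the log above, plus one stock Windows Notify entry added for contrast) and flags three things a reviewer would pull out of a log like this by hand: Winlogon Notify packages absent from an analyst-supplied baseline, services with no recorded owner, and entries whose referenced file is missing. The baseline set of XP SP2 Notify subkeys is the example's own assumption, and anything it flags is a candidate for manual review, not a verdict.

```python
"""Triage a HijackThis log against a known-good baseline.

Added example for the thread above; not the poster's code and not part of
HijackThis. Flags Winlogon Notify packages that are not on a baseline the
analyst supplies, services with no recorded owner, and missing files.
"""
import re

# Constructed sample: O9/O20/O23 lines copied from the log posted in the thread,
# plus a stock Windows Notify entry (Schedule -> wlnotify.dll) added for contrast.
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Dell 3007WFP (Service) - Unknown owner - C:\WINDOWS\system32\Service.exe
"""

# Assumed baseline for the example: Winlogon\Notify subkeys of a stock Windows XP
# SP2 install. Extend it with vendor packages you have verified on a clean machine.
XP_NOTIFY_BASELINE = frozenset(n.lower() for n in (
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon"))

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text, baseline=XP_NOTIFY_BASELINE):
    """Return a list of findings, each {'section', 'reason', 'detail'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # the HijackThis section code, e.g. O20

        # Any entry whose target file HijackThis could not find.
        if line.endswith("(file missing)"):
            findings.append({"section": section,
                             "reason": "referenced file is missing", "detail": line})
            continue

        # Winlogon Notify packages load into winlogon.exe at logon; compare the
        # subkey name against the baseline rather than trusting the DLL's own metadata.
        m = O20_RE.match(line)
        if m:
            name = m.group("name").strip()
            if name.lower() not in baseline:
                findings.append({"section": "O20",
                                 "reason": f"Winlogon Notify package '{name}' is not in the baseline",
                                 "detail": m.group("path")})
            continue

        # Services whose binary carries no company name in its version resource.
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append({"section": "O23",
                             "reason": f"service '{m.group('name')}' has no recorded owner",
                             "detail": m.group("path")})
    return findings


def report(findings):
    return "\n".join(f"[{f['section']}] {f['reason']}: {f['detail']}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the full log from the thread, the same three rules would surface the rasrad32 Notify entry and the services listed as "Unknown owner"; the value of the baseline rule is that it does not care whether the DLL claims to be signed or how old its timestamp is, only whether the package name is one a clean installation is known to carry.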
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: essexboy on August 19, 2007, 04:16:55 PM
Can I hitch onto this thread and try out a new programme? It doesn't make any changes to the system; it is purely analysis only.

Please download http://www.runscanner.net/download.aspx and install it.
When the first page comes up, select Beginner Mode.
On the next page, select Save a binary .Run file (optional).
Then click Start full computer scan at the bottom.
At this time Runscanner.exe may request access to the Internet; please allow it to do so.
It will then run for 2 or 3 minutes.
On completion it will ask for a location to save the file and a name.
It will do this for both the .run file and the log.
Call the file test and save it to your desktop.
You will see the .run file on your desktop. Please zip that file by right-clicking and selecting Send to Zip file.
Then upload that as an attachment to your next post,
along with the log file produced.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 04:27:35 PM
Quote
Then upload that as an attachment to your next post,
along with the log file produced.
I can't actually see any Attachment option on this forum - am I overlooking a button somewhere?
In the meantime, I'll paste the log in here:
Quote
Runscanner logfile http://www.runscanner.net

000 General info
----------------
Computer name : BITOCLASS
Type of scan : Full scan
RunScanner Version : 1.0.1.0
Creation time : 2007-08-19 15:21:27
User rights : Administrator
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
User Language : English (United Kingdom)
IE version : 7.0.5730.11
Windows folder : C:\WINDOWS
Hosts file location : %SystemRoot%\System32\drivers\etc
Hosts <> 127.0.0.1 : 3

001 Running processes
---------------------
* c:\program files\avast4\aswupdsv.exe (ALWIL Software)
* c:\program files\avast4\ashserv.exe (ALWIL Software)
c:\program files\nvidia corporation\ntune\ntuneservice.exe (NVIDIA)
* c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
c:\windows\system32\service.exe
c:\windows\system32\3007wfp\lcdosd.exe
c:\windows\system32\3007wfp\lcdosd.exe
* c:\program files\sunbelt software\personal firewall\kpf4ss.exe (Sunbelt Software)
c:\program files\belkin bulldog plus\upsd.exe (Delta)
c:\program files\ultravnc\winvnc.exe (UltraVNC)
* c:\program files\sunbelt software\personal firewall\kpf4gui.exe (Sunbelt Software)
* c:\program files\avast4\ashmaisv.exe (ALWIL Software)
* c:\program files\avast4\ashwebsv.exe (ALWIL Software)
* c:\program files\sunbelt software\personal firewall\kpf4gui.exe (Sunbelt Software)
* c:\program files\analog devices\core\smax4pnp.exe (Analog Devices, Inc.)
* c:\progra~1\avast4\ashdisp.exe (ALWIL Software)
* c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe (Adobe Systems Inc.)
* c:\program files\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
c:\program files\bbc alerts\bbc_alerts.exe (Skinkers Communications)
* c:\program files\kontiki\kservice.exe
* c:\program files\spybot - search & destroy\teatimer.exe (Safer Networking Limited)
c:\program files\belkin bulldog plus\mups.exe
c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe (Macrovision Europe Ltd.)
* c:\documents and settings\paul\desktop\runscanner.exe (Runscanner.net)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program files\analog devices\core\smax4pnp.exe (Analog Devices, Inc.)
c:\program files\analog devices\soundmax\smax4.exe (Analog Devices, Inc.)
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation)
C:\WINDOWS\system32\nwiz.exe
c:\program files\ultravnc\winvnc.exe (UltraVNC)
* c:\progra~1\avast4\ashdisp.exe (ALWIL Software)
* c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe (Adobe Systems Inc.)
c:\program files\nvidia corporation\ntune\ntunecmd.exe (NVIDIA)
* c:\program files\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
* c:\program files\kontiki\khost.exe (Kontiki Inc.)
* c:\windows\system32\nvmctray.dll (NVIDIA Corporation)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\program files\bbc alerts\bbc_alerts.exe (Skinkers Communications)
* c:\program files\kontiki\khost.exe (Kontiki Inc.)
* c:\program files\spybot - search & destroy\teatimer.exe (Safer Networking Limited)

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe (Adobe Systems Incorporated)
* c:\progra~1\adobe\acroba~1.0\acrobat\adobec~1.exe
c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe (Adobe Systems, Inc.)
c:\progra~1\belkin~1\mups.exe

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
c:\program files\common files\adobe systems shared\service\adobelmsvc.exe (Adobe LM Service)
* c:\program files\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
* c:\program files\avast4\ashserv.exe (avast! Antivirus)
* c:\program files\avast4\ashmaisv.exe (avast! Mail Scanner)
* c:\program files\avast4\ashwebsv.exe (avast! Web Scanner)
c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe (FLEXnet Licensing Service)
c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe (Windows CardSpace)
* c:\program files\kontiki\kservice.exe (KService)
c:\program files\common files\macromedia shared\service\macromedia licensing.exe (Macromedia Licensing Service)
c:\windows\microsoft.net\framework\v3.0\windows communication foundation\smsvchost.exe (Net.Tcp Port Sharing Service)
c:\program files\nvidia corporation\ntune\ntuneservice.exe (nTune Service)
* C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Display Driver Service)
c:\windows\system32\service.exe (Dell 3007WFP)
* c:\program files\sunbelt software\personal firewall\kpf4ss.exe (Sunbelt Personal Firewall 4)
c:\program files\belkin bulldog plus\upsd.exe (UPS - UPSentry Service)
c:\program files\ultravnc\winvnc.exe (VNC Server)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* C:\WINDOWS\system32\drivers\adihdaud.sys (ADI UAA Function Driver for High Definition Audio Service)
* C:\WINDOWS\system32\drivers\aeaudio.sys (AE Audio Service)
C:\WINDOWS\system32\drivers\asio.sys (AsIO)
c:\windows\system32\drivers\entech.sys (ENTECH)
* c:\windows\system32\drivers\fwdrv.sys (Firewall Driver)
C:\WINDOWS\system32\drivers\gmer.sys (Base)
* C:\WINDOWS\system32\drivers\hdaudbus.sys (Microsoft UAA Bus Driver for High Definition Audio)
* c:\windows\system32\drivers\khips.sys (Kerio HIPS Driver)
* C:\WINDOWS\system32\drivers\asacpi.sys (ATK0110 ACPI UTILITY)
* C:\WINDOWS\system32\drivers\nv4_mini.sys (Video)
c:\windows\nvoclock.sys (NVR0Dev)
C:\WINDOWS\system32\drivers\pfc.sys (Padus ASPI Shell)
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
* C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
* C:\WINDOWS\system32\drivers\rtenicxp.sys (Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver)
c:\windows\system32\drivers\sbkupnt.sys (SBKUPNT)
* C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\senfilt.sys (SenFilt Service)
C:\WINDOWS\system32\drivers\sfdrv01.sys (StarForce Protection Environment Driver (version 1.x))
* C:\WINDOWS\system32\drivers\sfdrv01a.sys (StarForce Protection Environment Driver (version 1.x.a))
* C:\WINDOWS\system32\drivers\sfhlp02.sys (StarForce Protection Helper Driver (version 2.x))
* C:\WINDOWS\system32\drivers\sfsync04.sys (StarForce Protection Synchronization Driver (version 4.x))
* C:\WINDOWS\system32\drivers\sfvfs02.sys (StarForce Protection VFS Driver (version 2.x))
C:\WINDOWS\system32\drivers\sonypvs1.sys (Sony Digital Imaging Video2)
* C:\WINDOWS\system32\drivers\ultra.sys (SCSI miniport)

Continued in next post...
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 04:28:12 PM
Runscanner log continued:

Quote
030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\program files\common files\microsoft shared\web folders\pkmcdo.dll (Microsoft Corporation) {CD00020A-8B95-11D1-82DB-00C04FB1625D}

035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
-------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {47833539-D0C5-4125-9FA8-0819E2EAAC93}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {47833539-D0C5-4125-9FA8-0819E2EAAC93}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
c:\program files\orbitdownloader\orbitcth.dll (Orbitdownloader.com) {000123B4-9B42-4900-B3F7-F4B073EFC214}
* c:\program files\java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
* c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {AE7CD045-E861-484f-8273-0445EE161910}
c:\program files\free download manager\iefdmcks.dll {CC59E0F9-7E43-44FA-9FAA-8377850BF205}

061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
----------------------------------------------------------------------------
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {A70C977A-BF00-412C-90B7-034C51DA2439}
c:\windows\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
c:\windows\system32\phototoys.dll (Microsoft Corporation) {1530F7EE-5128-43BD-9977-84A4B0FAD7DF}
* c:\program files\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
* c:\program files\adobe\acrobat 8.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
* c:\program files\serif\pageplus\12.0\program\thumbnailprovider.dll (Serif (Europe) Ltd) {2170E0A4-42F2-4EB5-911F-ABC2717F6563}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {FFB699E0-306A-11d3-8BD1-00104B6F7516}

062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
-------------------------------------------------------
c:\program files\common files\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
C:\WINDOWS\system32\rasrad32.dll (Microsoft Corporation)

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
* c:\windows\system32\adobepdf.dll (Adobe Systems Incorporated.)
* C:\WINDOWS\system32\ebpmon24.dll (SEIKO EPSON CORPORATION)

073 %windir%\Tasks
------------------
AboutTime.job : c:\progra~1\aboutt~1\aboutt~1.exe

100 Internet Explorer settings
------------------------------
Start Page HKCU : about:blank
Start Page HKLM : about:blank
Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
Default_Page_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
------------------------------------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {182EC0BE-5110-49C8-A062-BEB1D02A220B}

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
GUID / CLSID not found {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}
* c:\windows\system32\macromed\director\swdir.dll (Adobe Systems, Inc.) {166B1BCA-3F9C-11CF-8075-444553540000}
c:\windows\downloaded program files\housecall_activex.dll (Trend Micro Inc.) {215B8138-A3CF-44C5-803F-8226143CFC0A}
c:\windows\downloaded program files\accounttracking.dll (eWise Systems Pty Ltd) {4E62C4DE-627D-4604-B157-4B7D6B09F02E}
* c:\windows\downloaded program files\sysreqlab2.dll (Husdawg, LLC) {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}
* c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
* c:\windows\downloaded program files\asinst.dll (Panda Software) {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
* c:\program files\java\jre1.5.0_11\bin\npjpi150_11.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
* c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
* c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
* c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

120 Domain/DNS hijacking
------------------------
NameServer {F0D940FA-FF03-4B3B-950A-2B22E03A2A18} : 192.168.1.1

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
* c:\program files\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
GUID / CLSID not found
* c:\program files\trillian\buddy.dll (Cerulean Studios) {6F1DC701-9891-11d5-B8C6-444553540001}
c:\progra~1\tugzip\tzshell.dll {B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}

ComboFix is still running without seeming to be doing anything again btw - been going for about half an hour again now.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: DavidR on August 19, 2007, 04:30:12 PM
What about...
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

That file is digitally signed by Microsoft and dated 2004 so unfortunately I don't think it's at fault, but I can't find anything out about it on the internet - the only Google result for rasrad32.dll is my Hijack This forum post!

I did a Google search on that file and the only hit that it returns is your topic in spywareinfo, and that's because it is in your HJT log, so if it were an MS signed file I would have thought there would be some hits on Google. What does it say in the file properties about what it is/does?

It may be worthwhile scanning it:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html) I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/) if any other scanners here detect them it is less likely to be a false positive.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 04:38:54 PM
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html) I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/) if any other scanners here detect them it is less likely to be a false positive.

Wow, those sites are brilliant - I will use those whenever I have any suspicions in future, what a great idea they are - thanks!

I'm afraid that both those sites found nothing wrong with rasrad32.dll so it looks like it's probably OK.

In my Googling I found rasrad.dll came up a bit so maybe this is just a 32-bit update which no-one uses any more or something. Not that I even understood exactly what it was anyway!

45 minutes and counting with ComboFix now, and still no sign of it using any CPU or seeming to do anything :(
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 04:43:45 PM
You will see the .run file on your desktop Please zip that file by right clicking and selecting send to Zip file
Then upload that as an attachment to your next post.
Along with the Log file produced

I've just put the run file through the advanced mode and got it up online for you to look at instead:
http://www.runscanner.net/report.aspx?report=54bd4472-80c9-4e01-8b1e-15df2874ee91

Nothing shows up as definitely bad and I think I can account for the blue things so I'm not sure if this is going to help :( But if you can see anything for me to look at further please let me know!

Thanks!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: essexboy on August 19, 2007, 04:58:30 PM
Looks good to me; the run file would also have given me the running processes.

O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

I can find no info on this at all including the Microsoft dll list which in itself is suspicious.  If combofix is not running then you could try winpfind

This is a deep analysis tool.

Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 05:11:42 PM
Looks good to me; the run file would also have given me the running processes.

Ah OK - you're probably not missing much there then because I haven't yet re-enabled that Service so the virus isn't actually doing anything at the moment, so I don't think its process is running.

I have to go out for a few hours now but I am going to leave this WinPFind3U running while I'm out (with everything else shut), since ComboFix still hadn't done anything over an hour after I started it.

I'll post my log when I get home later. Thanks very much for your help!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 19, 2007, 11:22:04 PM
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

The file is 101,252 bytes, which would mean it would take 11 posts to put it up here. Instead I have put it online here:

http://www.digitalhome.plus.com/WinPFind3.txt

Hope it is revealing!

Thanks for your help,

Paul

(P.S. As you will see, in this text file I have censored three of the items in my Hosts file, as they reveal personal information I'd rather keep out of a forum - there's nothing suspicious about them, I promise!)
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 20, 2007, 09:12:53 AM
Last night I shut down just about every little running thing (including system tray stuff) on my PC and tried running ComboFix again. I didn't so much as hover over the window once it was running, let alone clicking it. This morning it has once again not finished running and does not appear to be doing anything.

There is a folder in my C drive that it has created called ComboFix. It contains 90 objects, of which 18 have modified dates/times of last night when I started running it, and one has a modified time of two minutes later. That last file is called WowErr.cf and contains the following text:

Quote
Completed Stage_7

Can anyone tell me why this ComboFix process never finishes, or what Stage 7 is that could make it stall, or anything else helpful? Would it be useful for me to post the contents of any of these other files that were modified when I started running it?

d-delA.cf
DirRoot
attribed.cf
svclist.cf
v-files.cf
suspect_ntfy.cf
ComboFix.txt
errdbg.cf
borlander_folder.cf
borlander_file.cf
Cfolders.cf
Cfiles.cf
whitedir.cf
dll_whitelist.cf
dnd.cf
appdatafolders.cf
setpath.bat

(The 18th item with that same modified date/time is a folder called 'test', which is empty.)

Could my virus/rootkit/whatever be actually blocking ComboFix from working in some way?

Any help with this, or with analysing the WinPFind3 log I posted last night, would be much appreciated!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: MeDIeVaL on August 20, 2007, 09:42:52 AM
Try this...

1) Go to Start, then click Run.
2) Type msconfig.
3) When the System Configuration Utility window appears, click on the Services tab.
4) Check the "Hide All Microsoft Services" box.
5) Kill all non-Microsoft service processes, then run ComboFix or Runscanner.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 20, 2007, 10:01:45 AM
Are you sure you've run the ComboFix scan? Seems like you don't. Double click on ComboFix then press 1 and finally enter...
I'm a bit confused - when I run ComboFix.exe I get a Command Prompt window called AutoScan, which has a blue background. It says "Please wait" for a few seconds, then the following:

Quote
Scanning for infected files . . .

This typically doesn't take more than 10 minutes

Scan times for badly infected machines may easily double

ComboFix has changed your clock settings.

Do not change it back. It shall be restored later

Then nothing else happens.

At what point should I be typing 1? I'm not prompted to type 1. Am I running the wrong thing? Should I be running something out of the ComboFix folder rather than the ComboFix.exe file that I downloaded?

Sorry if I appear stupid but I'm a bit confused by this software as it never gets past the above text!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: raman on August 20, 2007, 10:06:32 AM
Please redownload Combofix and start it again. It seems that it has some trouble finishing the scan. Maybe due to Malware.

If it still hangs on a "Stage", please start the Task Manager and kill any of these tasks: Findstr.exe/sed.exe/swreg.exe

After that ComboFix may continue scanning.

Also please start catchme.exe in your Windows folder. Press scan and let it do its work. After the scan finishes you will find a file called catchme.log on your desktop; please post the content of that file.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: MeDIeVaL on August 20, 2007, 10:11:33 AM
I was prompted to press 1 to scan or 2 to cancel. But it was a month ago. Dunno if they have added later fixes...
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 20, 2007, 10:13:13 AM
Please redownload Combofix and start it again. It seems that it has some trouble finishing the scan. Maybe due to Malware.
If it still hangs on a "Stage", please start the Task Manager and kill any of these tasks: Findstr.exe/sed.exe/swreg.exe
After that ComboFix may continue scanning.
Also please start catchme.exe in your Windows folder. Press scan and let it do its work. After the scan finishes you will find a file called catchme.log on your desktop; please post the content of that file.

Thanks - I will try this later - unfortunately I have to go to work now :(  Really appreciate all this help though!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: MeDIeVaL on August 20, 2007, 10:17:16 AM
Quote
If you want to know precisely which sub-process and linked Windows services are connected with the program, start the freeware "Process Explorer" offered by Microsoft for download. The tool displays all running processes. Select the "svchost.exe" process. In the details window you can then find all files, indexes and registry entries that are connected with it. With one click on the "Properties" you can find out more details. This also includes the IP address and the port with which the program connects.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 20, 2007, 10:49:47 AM
Quote
If you want to know precisely which sub-process and linked Windows services are connected with the program, start the freeware "Process Explorer" offered by Microsoft for download.

Thanks, but that's actually one of the programs I used early on to isolate the source of the rogue connection attempts. It showed which instance of svchost was the one doing the connecting, and which services were hosted by that svchost, namely Terminal Services and that DCOM one I mentioned before. When I then disabled the DCOM service, the connection attempts ceased.

What I *couldn't* tell from it was anything else using the lists of DLLs and handlers. The vast, vast majority of DLLs were Microsoft ones and the others looked unsuspicious to my relatively untrained eye, while the handlers list just didn't mean a lot to me for the most part (but looked OK in the bits that I could follow). Any advice on what to look for? I wonder if any of it is exportable for pasting onto this forum...?
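The mapping bitoclass did by hand in Process Explorer (which svchost.exe instance hosts which services, and which of those instances has outbound connections) can also be pulled out as text for pasting into a forum post. The following PowerShell is an added example, not code from this thread, from Process Explorer or from any tool named here; it assumes PowerShell 2.0 or later with WMI access and the standard column layout of `netstat -ano` (Proto, Local, Foreign, State, PID). It only reads; nothing on the system is changed.

```powershell
# Added example (not from the thread): for each svchost.exe instance, list the
# services it hosts and the non-listening TCP connections it currently owns.
# Assumes PowerShell 2.0+ and the standard "netstat -ano" output format.

function Get-SvchostServiceMap {
    # Win32_Service carries the process id of the host for every running service;
    # stopped services report ProcessId 0 and are skipped.
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -match 'svchost' -and $_.ProcessId -ne 0 } |
        Group-Object ProcessId
}

function Get-TcpConnectionsByPid {
    # A netstat -ano row looks like:
    #   TCP    192.168.1.5:3017    203.0.113.7:80    SYN_SENT    1044
    # Listening sockets are dropped; only conversations with a remote end matter here.
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[3] -ne 'LISTENING') {
            New-Object PSObject -Property @{
                ProcId = [int]$f[4]
                Local  = $f[1]
                Remote = $f[2]
                State  = $f[3]
            }
        }
    }
}

$conns = Get-TcpConnectionsByPid

foreach ($group in Get-SvchostServiceMap) {
    $hostPid  = [int]$group.Name
    $services = ($group.Group | ForEach-Object { $_.Name } | Sort-Object) -join ', '
    "svchost.exe PID $hostPid hosts: $services"

    # The thread's symptom was an svchost instance opening connections to remote
    # web ports, so those rows get a tag; every row is still printed for review.
    foreach ($c in ($conns | Where-Object { $_.ProcId -eq $hostPid })) {
        $tag = if ($c.Remote -match ':(80|8080|443)$') { '   <-- remote web port' } else { '' }
        "    $($c.Local) -> $($c.Remote) [$($c.State)]$tag"
    }
}
```

Run it a couple of times a minute apart: a short-lived connection attempt (SYN_SENT, as with the thread's spam sender) may not be present at the moment of a single snapshot. The service list for an instance is only a shortlist of suspects; a service name that looks legitimate says nothing about the DLLs loaded into that process, which is the gap the thread goes on to discuss.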
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 20, 2007, 06:52:35 PM
Please redownload Combofix and start it again. It seems that it has some trouble finishing the scan. Maybe due to Malware.
If it still hangs on a "Stage", please start the Task Manager and kill any of these tasks: Findstr.exe/sed.exe/swreg.exe
After that ComboFix may continue scanning.

Excellent - you were spot on with this - when I killed Findstr.exe after it seemed to have hung, ComboFix then carried on to the end.

Quote
Also please start catchme.exe in your Windows folder. Press scan and let it do its work. After the scan finishes you will find a file called catchme.log on your desktop; please post the content of that file.

Right, here are the two logfiles, combofix and catchme:

http://www.digitalhome.plus.com/ComboFix.txt

http://www.digitalhome.plus.com/catchme.log

There is also a file alongside the ComboFix one called ComboFix-quarantined-files.txt. That says the following:

Quote
2005-11-02 09:31      45056    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\Service.exe.vir


Folder PATH listing for volume Windows XP
Volume serial number is 00090188 C0F8:FD76
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       \---system32
    |               Service.exe.vir
    |               
    \---Registry_backups


ComboFix.txt mentions C:\WINDOWS\system32\service.exe, and this quarantined files log shows it being got rid of, but I'm pretty sure it's just part of my Dell 3007WFP monitor software - Process Explorer shows it with LCDOSD.exe hanging off it, and now it's been killed I don't get an LCD on-screen display when I change the monitor's brightness. I uploaded service.exe to those online multi-engine virus-checkers earlier and none of them found anything wrong with it.

I notice it also mentions this:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rasrad32]
rasrad32.dll 2004-11-23 02:44 8192 C:\WINDOWS\system32\rasrad32.dll

If this *was* at fault, what could I do to disable it to test if the problem then goes away?

This line looks the most suspicious in the file but I don't really understand what this part of the file is listing so it might be nothing:

*Newly Created Service* - UVKMWMXMIIQI

Surely no legitimate service would have such a ridiculous name, would it? What can I do about that? Can I remove it?

So, over to you geniuses to tell me what to do now! Thanks again!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: essexboy on August 20, 2007, 08:23:12 PM
Nothing untoward on WinPFind, and service.exe is part of Dell.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 21, 2007, 01:11:09 AM
Hm, so does anyone else have any advice or is this destined to become the world's most mysterious virus? And, more to the point, am I just going to have to wipe my PC out and start from scratch - perhaps with the more secure Windows Vista rather than XP? Oh dear :(
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: MeDIeVaL on August 21, 2007, 02:57:02 AM
Hmm... have you tried Windows OneCare? Maybe the virus lies inside your registry, so sometimes registry cleaning will help...
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on August 23, 2007, 05:10:08 AM
When you have a chance please post a fresh HJT log.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 23, 2007, 08:56:47 AM
When you have a chance please post a fresh HJT log.
OK, just ran it and got a new log:

http://www.digitalhome.plus.com/hijackthis3.log

By the way, I think the stuff I said before about disabling the DCOM service stopping the virus might not be entirely true - the virus still tries several connection attempts when the computer first gets into Windows, for the first five minutes or so, but after that it stops trying until the next reboot.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on August 23, 2007, 02:25:43 PM
Your first HJT log from 18 August shows a single instance of C:\WINDOWS\system32\cmd.exe in the running processes, and the log from 19 August shows 2 instances running.  The most recent log shows none.

Do you recall having command windows open when you ran the first 2 scans? Was there email activity the first 2 times but none this time?

What version of WINVnc do you have?
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 23, 2007, 02:41:07 PM
Your first HJT log from 18 August shows a single instance of C:\WINDOWS\system32\cmd.exe in the running processes, and the log from 19 August shows 2 instances running.  The most recent log shows none.
Do you recall having command windows open when you ran the first 2 scans? Was there email activity the first 2 times but none this time?

Hi, yes, that's a red herring I'm afraid: I did indeed have some command windows open on those first scans and none this time. (Also, it's definitely svchost.exe which is trying to make the connections rather than cmd.exe.) And there was no e-mail activity when I was doing any of those scans because I had blocked it with a firewall the first time and tried with partial success to disable the relevant service (as well as keeping the firewall in place) the second and third times.

Quote
What version of WINVnc do you have?

It's UltraVNC, whatever the latest stable release is (not the new beta that supports Vista).

Thanks.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on August 24, 2007, 02:13:02 PM
This brings me to

O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

also. 

Tech, DavidR, Essexboy mentioned it and I see it as very suspicious too.

You could try renaming the file rasrad32.dll to rasrad32.old followed by a reboot.  Do the symptoms subside?

Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 24, 2007, 02:28:55 PM
This brings me to

O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

also. 

Tech, DavidR, Essexboy mentioned it and I see it as very suspicious too.

You could try renaming the file rasrad32.dll to rasrad32.old followed by a reboot.  Do the symptoms subside?

OK, will do, thanks - you're the first person to tell me it's suspicious *and* what to do about it. I was a bit worried that renaming/deleting it might make the PC not boot or something if the registry was looking for it, because I don't really understand what Winlogon Notify means/how integral it is to the startup process.

So tonight when I get home I will indeed try renaming this and seeing what happens and I'll let you know - thanks again!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 24, 2007, 04:58:03 PM
I don't speak much French, but babelfish.altavista.com does, and I think I may finally have found the one other person in the entire world who has this same malware!

http://forum.malekal.com/ftopic4508.php

That's the French original page as there doesn't seem to be a way to link to the translation.

In summary, it looks rather like this person has a suspect item in their Winlogon Notify, and that it is a DLL file which ends with 32.dll! Sound familiar?

It looks like the French person fixed it by pasting the line from their HJT log into the HJT 'fix' box, so you can guess what I'm going to try when I get home! Something tells me this is going to be a good evening at last!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: DavidR on August 24, 2007, 05:15:07 PM
Well you can try this link, http://babelfish......forum.malekal.com%2Fftopic4508.php (http://babelfish.altavista.com/babelfish/trurl_pagecontent?lp=fr_en&url=http%3A%2F%2Fforum.malekal.com%2Fftopic4508.php)

I have a firefox extension, Translator 1.0.4.3, this allows you to open the original page and then using translator select the from and to languages and it opens a new page with the translation and I just copied the path to this translation.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on August 26, 2007, 05:22:01 AM
It looks like the French person fixed it by pasting the line from their HJT log into the HJT 'fix' box, so you can guess what I'm going to try when I get home! Something tells me this is going to be a good evening at last!
That's fine if you would like to do that.

I was suggesting a slightly more conservative approach to testing this but the action you suggest will remove the registry entry from your startups but should leave the file intact.  If this alleviates the problem please upload a sample of the file to avast! before deleting it.


EDIT: Well, translated or not, that French thread is about something different from what you have (probably Vundo plus something else over there). Your O20 is suspicious but there really isn't any direct correlation to what you saw there.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 27, 2007, 10:46:01 PM
Well, translated or not, that French thread is about something different from what you have (probably Vundo plus something else over there). Your O20 is suspicious but there really isn't any direct correlation to what you saw there.

What makes you say that? What's different about the French person's problem from mine? It sounds identical to me. No anti-virus products would pick mine up, nor that one; it was a DLL in system32, set up in Winlogon Notify, which had the same name as a valid system DLL but with '32' appended; and the symptoms - connecting to a range of remote sites including leapcash.com and hostlife.net - were also identical. I can't understand why you're sure it's different. (Not saying you don't have your reasons, but I'd like to hear them as that French case just seems so similar to mine!)

Anyway, the upshot is that the fix on that forum did indeed work. Sorry if it seemed like a criticism of your suggested fix - no criticism intended but since that fix was for what I'm still sure is my problem and had been seen to work by someone else with it I thought I might as well try that first - of course I'd still have tried your fix if that hadn't worked, and I still very much appreciated your suggestion!

Strangely this site was no longer working in Internet Explorer (wouldn't keep me logged in long enough to post - I checked cookie settings etc. but to no avail) but now I'm virus-free I've gone back to Opera so I'm able to post here again - that's why I've been silent on the matter since it was fixed, sorry for keeping people in suspense!

Now, about uploading the infected file to Avast - where can I do this? I'm very disturbed that still no online virus scanners, nor Avast, are picking this file up as problematic: there could be thousands of people out there infected with this and they wouldn't know about it! I can't see anything on the Avast site about uploading virus samples for Avast's records - can anyone point me in the right direction?

Thanks very much to everyone for your help with this. I'm so glad I got to the bottom of it in the end! Now I just want to help anti-virus vendors get this virus tracked and make sure no-one else has to go through all this!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on August 28, 2007, 12:26:12 AM
I'm not saying there are no similarities, because there certainly are. Here's how I see it:

Indications Common to Many Types of Malware
AntiVirus products will not pick them up (or will not control them).

They run as a DLL in c:\windows\system32.

They run from the winlogon notify reg key.

The file name tries to mimic a valid system file.


Because these are so common they cannot be used to unquestionably correlate one infection to another.


Similarities Between Your Logs and His
Connections to some of the same web sites.

A suspicious file that has a similar name structure loading from the same folder.



Differences Between the Logs
The file names are not the same.

He had yaywxus.dll loading from the winlogon_notify key in addition to ddeml32.dll, while you loaded a single file.

yaywxus.dll looks like Vundo to me, while I see no indication of Vundo in your logs (this appears to have been cleaned prior to his starting the thread but may have contributed, or may have been a result of another infection).

You mention outgoing email while he mentions only "Connections (whereas nothing is launched) worms of the equivocal sites:" without mentioning any outgoing email.

Your only ComboFix deletion, service.exe, is probably a false positive.  His only ComboFix deletion, c:\autorun.inf, is absent in your logs and might indicate removable media as the infection vector.



From my point of view, trying to help someone I've never met fix his computer, I cannot make assumptions that might break things.  There are enough differences in important areas that I will call it different even though the same fix (deleting the registry loading point and then deleting the file) is the same for a great many forms of malware.


Now, about uploading the infected file to Avast - where can I do this?
Where is the file?  Still in system32, in the chest, or deleted?
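The indicators listed above (a DLL in c:\windows\system32, loaded from the Winlogon Notify key, with a name that mimics a system file) can be checked in one pass rather than by reading an HJT O20 line and a Properties dialog. The PowerShell below is an added example, not code from this thread, from HijackThis or from ComboFix; it assumes PowerShell 2.0 or later, the registry path that the ComboFix log in this thread shows, and treats a `<name>32.dll` sitting beside an existing `<name>.dll` in the same folder as the mimic pattern both threads describe. It only reads, apart from writing a .reg backup of the key (constructed file name, in the user's profile folder) so that the loading point can be restored if a later removal turns out to be a mistake.

```powershell
# Added example (not from the thread): triage the Winlogon Notify loading
# points reported as O20 lines by HijackThis. Read-only except for a .reg
# backup of the key. Assumes PowerShell 2.0+ running with admin rights.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$sys32     = Join-Path $env:WINDIR 'system32'

function Get-NotifyEntries {
    # Each subkey names a notification package; DllName is the module Winlogon loads.
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if (-not $dll) { return }
        # Entries are usually bare file names, which Winlogon resolves from system32.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $sys32 $dll }
        New-Object PSObject -Property @{
            Entry = $_.PSChildName
            Dll   = $dll
            Path  = [Environment]::ExpandEnvironmentVariables($path)
        }
    }
}

function Test-MimicName($path) {
    # The pattern in the thread: "<name>32.dll" placed next to a genuine "<name>.dll".
    $base = [IO.Path]::GetFileNameWithoutExtension($path)
    if ($base -notmatch '32$') { return $false }
    $twin = Join-Path (Split-Path $path) (($base -replace '32$', '') + '.dll')
    Test-Path $twin
}

foreach ($e in Get-NotifyEntries) {
    $flags = @()
    if (-not (Test-Path $e.Path)) {
        $flags += 'file missing (dangling loading point)'
    } else {
        $sig = Get-AuthenticodeSignature $e.Path
        if ($sig.Status -ne 'Valid') {
            $flags += "signature status: $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $flags += "signed by: $($sig.SignerCertificate.Subject)"
        }
        if (Test-MimicName $e.Path) { $flags += 'name is <system dll>32.dll' }
        if ((Split-Path $e.Path) -ne $sys32) { $flags += 'not in system32' }
    }
    $verdict = if ($flags) { 'REVIEW: ' + ($flags -join '; ') } else { 'ok' }
    '{0,-12} {1,-48} {2}' -f $e.Entry, $e.Path, $verdict
}

# Keep a restorable copy of the key before anyone acts on the findings.
$backup = Join-Path $env:USERPROFILE 'winlogon_notify_backup.reg'   # constructed name
reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' $backup
```

The output is a triage list, not a verdict. A status other than Valid means only that the file carries no verifiable embedded signature: depending on the Windows version, Microsoft DLLs that are signed solely through a security catalog can also come back NotSigned, which is why the thread's advice to submit the file to a multi-engine scanner and to the vendor still applies before anything is removed. The entry name and file name are what to post alongside the HJT log; the .reg export is what restores the loading point if the file turns out to be legitimate.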
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 28, 2007, 08:31:27 AM
Hi again,

I see your point, but the list of sites his was connecting to was basically identical to the list that mine was, which is why I was so convinced it was the same problem. I just assumed he had more than one problem on his PC, since his symptoms were a superset of mine. It sounds like parts of his problems which didn't match mine were already known about enough to have been given a name (Vundo), whereas the main part of his problem and the entire part of mine were not known/named.

Now, about uploading the infected file to Avast - where can I do this?
Where is the file?  Still in system32, in the chest, or deleted?

I took a copy of it into a folder, along with an export of the relevant part of the registry (Winlogon Notify), so I could supply the two items to any anti-virus vendors who were interested.

Thanks!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: oldman on August 29, 2007, 07:18:43 AM
To send a sample to avast, simply send a password protected zipped attachment to virus at avast.com

In the body of the email, include the password, the vps and program version of avast, a description of the files/symptoms and a link to this thread.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 29, 2007, 08:35:08 AM
To send a sample to avast, simply send a password protected zipped attachment to virus at avast.com

In the body of the email, include the password, the vps and program version of avast, a description of the files/symptoms and a link to this thread.
Great, thanks, will do!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on August 31, 2007, 10:16:34 PM

Hi.
I have been reading all the process you have undergone as I have the same problem and have had for some time; it is really getting me down. I have tried to make sense of the solution but I'm afraid my knowledge and experience are very poor (and my French even poorer)! Is there any chance you could tell me in layman's terms how I can fix the problem? This is the only place I have found where someone has managed to solve the problem and is therefore my only hope. Sorry for sounding a bit desperate, but I'm desperate!
Thanks.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: bitoclass on August 31, 2007, 11:45:36 PM
I have been reading all the process you have undergone as I have the same problem and have had for some time; it is really getting me down. I have tried to make sense of the solution but I'm afraid my knowledge and experience are very poor (and my French even poorer)! Is there any chance you could tell me in layman's terms how I can fix the problem? This is the only place I have found where someone has managed to solve the problem and is therefore my only hope. Sorry for sounding a bit desperate, but I'm desperate!

Sure. Download Hijack This (http://www.spywareinfo.com/~merijn/programs.php) and run it. In the resultant list, look for an item about "Winlogon Notify", referencing a DLL in System32. Tick this in the list and click Fix selected. (I am doing this from memory so excuse me if the names of buttons etc. are not quite exactly right!) Reboot, then delete the DLL that was referenced from the System32 folder (in C:\Windows or C:\Winnt). That should be it, sorted, but you might want to reinstall your PC anyway to be on the safe side - that's my plan but then I am extra-cautious!

Best of luck!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on August 31, 2007, 11:58:37 PM
Whether an appinit_dll or winlogon_notify key, not all O20 entries in HJT are bad. Some caution is needed here about what we say should be deleted.

It would be better to post the HJT log so we can see exactly what you have going on.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: DavidR on September 01, 2007, 01:00:31 AM
I absolutely agree: don't take any action without first posting the contents of the hijackthis.log file and getting advice on the action to take. Messing with O20 entries could seriously ruin your day.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: Lisandro on September 01, 2007, 03:36:35 AM
If you're still detecting strange behaviors, you can scan and submit the RunScanner (http://www.runscanner.net/) log to on-line analysis; that would help to identify the problem and the solution.

That should be it, sorted, but you might want to reinstall your PC anyway to be on the safe side - that's my plan but then I am extra-cautious!
Like Bob, this is what I think about reformatting...
http://forum.avast.com/index.php?topic=30172.msg249246#msg249246
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 01, 2007, 11:14:55 PM
This is the result of the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:05:48, on 01/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\VM_STI.EXE
C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\DAD\Escritorio\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC210NC Webcam
O4 - HKLM\..\Run: [SsAAD.exe] C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Archivos de programa\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TrayMin210.exe.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 7648 bytes

thanks to all for the help!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: DavidR on September 01, 2007, 11:37:41 PM
You don't appear to be using a firewall, or you are using XP's firewall (you really need to look at one that protects against unauthorised outbound connections), or it is disabled?

This can be fixed.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

This one, although the file doesn't appear to be there (you should check):
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

See http://fileinfo.prevx.com/adware/qqc6f641158518-MSAS22915957/MSASVC.EXE.html (http://fileinfo.prevx.com/adware/qqc6f641158518-MSAS22915957/MSASVC.EXE.html)
and http://www.castlecops.com/o23list-2222.html (http://www.castlecops.com/o23list-2222.html)

The msasvc.exe file, if found, should be uploaded for checking at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/); if any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

If detected by multiple scanners but not avast, send it to avast and fix the entry in HJT.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right click, Email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
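As an added example (not code from this thread, from HijackThis or from avast), here is a small Python triage script for the HJT entry types discussed above: it applies DavidR's distinction between the orphaned O2 BHO (safe to fix) and the O23 service with a missing file (check on disk first), and mauserme's caution that O20 Winlogon Notify entries need advice before fixing. The sample log lines are constructed from entries posted in this thread; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of the HijackThis logs posted in this thread:
# the two entries DavidR singled out, an O20 line of the kind mauserme warned
# about, and benign entries for contrast. Not a complete log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

# Every HJT entry line starts with a section code (R0, O2, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str
    action: str  # "fix": safe to tick in HJT; "review": check on disk / post the log first


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, full line) for each HJT entry, skipping headers and the process list."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), line))
    return entries


def in_system32(line: str) -> bool:
    """True if the entry references a file under the Windows System32 directory."""
    return bool(re.search(r"\\(windows|winnt)\\system32\\", line, re.IGNORECASE))


def triage(log_text: str) -> List[Finding]:
    """Flag only the entry types discussed in the thread; everything else is left alone."""
    findings: List[Finding] = []
    for section, line in parse_entries(log_text):
        lower = line.lower()
        if section in ("O2", "O3") and lower.endswith("(no file)"):
            # CLSID still registered but the DLL is gone: an orphan entry.
            findings.append(Finding(section, line,
                "CLSID still registered but its DLL is gone; orphan entry", "fix"))
        elif section == "O23" and lower.endswith("(file missing)"):
            # HJT can report 'file missing' wrongly, so the file must be looked for on disk.
            findings.append(Finding(section, line,
                "service points at a missing binary; HJT can be wrong about this, "
                "look for the file with hidden/system files shown and upload it if found",
                "review"))
        elif section == "O20":
            # Winlogon Notify / AppInit hooks are used by legitimate security tools too.
            where = "in System32" if in_system32(line) else "outside System32"
            findings.append(Finding(section, line,
                f"Winlogon Notify/AppInit hook ({where}); legitimate security tools use "
                "these too, so post the log and get advice before fixing", "review"))
    return findings


def safe_to_fix(findings: List[Finding]) -> List[str]:
    """Only the entries a user could tick in HJT without further checking."""
    return [f.line for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.action:6}] {f.section}: {f.reason}\n         {f.line}")
```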
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 02, 2007, 11:36:19 PM
I followed the path to try and find the file for uploading (O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)) but it isn't there! I deselected the hidden system files option to see if it came out, but still no luck. I will be sorting a firewall out this week. You were right, I only had the XP one running; I was a bit innocent in thinking I wouldn't need much more for what I do on the internet. Any recommendations?!
What about this file, is there any reason I can't see it?
Thanks again.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: DavidR on September 03, 2007, 12:18:55 AM
Sometimes, though HJT reports the file missing, that may not be the case, so it is always important to check.

Check the other links I gave about this file and see if any of the associated files or registry entries exist on your system and report your findings.

Run HJT again and check the fix box to the left of the two entries I mentioned and click the Fix button.

- There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.
See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php (http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php) for a later set of results.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 04, 2007, 01:08:20 AM
Here are the results of the RunScanner log. Will have to post it in 2 pages.
Thanks.

Runscanner logfile http://www.runscanner.net

* = authenticode signed file
- = file not found

000 General info
----------------
Computer name : LEE
Creation time : 04/09/2007 1:01:08
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.0.3.0
Type of scan : Full scan
User Language : Español (alfabetización internacional)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
c:\archivos de programa\musicmatch\musicmatch jukebox\mmtask.exe (Musicmatch Inc.)
* c:\archivos de programa\alwil software\avast4\ashserv.exe (ALWIL Software)
* c:\archivos de programa\alwil software\avast4\aswupdsv.exe (ALWIL Software)
* c:\archivos de programa\alwil software\avast4\ashmaisv.exe (ALWIL Software)
* c:\archiv~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
* c:\archivos de programa\alwil software\avast4\ashwebsv.exe (ALWIL Software)
* c:\windows\vm_sti.exe (BIGDOG)
* c:\archivos de programa\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)
c:\archivos de programa\archivos comunes\installshield\updateservice\issch.exe (InstallShield Software Corporation)
* c:\windows\sm56hlpr.exe (Motorola Inc.)
* c:\windows\soundman.exe (Realtek Semiconductor Corp.)
* c:\docume~1\dad\config~1\temp\rar$ex00.796\runscanner.exe (Runscanner.net)
c:\archiv~1\sony\sonics~1\ssaad.exe
c:\archivos de programa\archivos comunes\sony shared\avlib\ssscsisv.exe (Sony Corporation)
c:\archivos de programa\philips\philips spc210nc webcam\traymin210.exe
c:\archivos de programa\winamp\winampa.exe
c:\archivos de programa\winrar\winrar.exe

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\archiv~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
* c:\windows\vm_sti.exe (BIGDOG)
c:\archiv~1\archiv~1\instal~1\update~1\isuspm.exe (InstallShield Software Corporation)
c:\archivos de programa\archivos comunes\installshield\updateservice\issch.exe (InstallShield Software Corporation)
c:\archivos de programa\musicmatch\musicmatch jukebox\mmtask.exe (Musicmatch Inc.)
c:\windows\system32\nerocheck.exe (Ahead Software Gmbh)
* C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
* C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
c:\archiv~1\sony\sonics~1\ssaad.exe
- c:\archivos de programa\archivos comunes\real\update_ob\realsched.exe
c:\archivos de programa\winamp\winampa.exe

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\archivos de programa\real\realplayer\realplay.exe (RealNetworks, Inc.)
* c:\archivos de programa\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)

005 C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
--------------------------------------------------------------------
c:\archiv~1\adobe\acroba~1.0\reader\reader~1.exe (Adobe Systems Incorporated)
c:\archiv~1\philips\philip~1\traymi~1.exe

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
C:\WINDOWS\microsoft.net\framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
* c:\archivos de programa\alwil software\avast4\ashserv.exe (avast! Antivirus)
* c:\archivos de programa\alwil software\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
* c:\archivos de programa\alwil software\avast4\ashmaisv.exe (avast! Mail Scanner)
* c:\archivos de programa\alwil software\avast4\ashwebsv.exe (avast! Web Scanner)
* c:\archivos de programa\google\common\google updater\googleupdaterservice.exe (Google Updater Service)
- c:\windows\system32\msasvc.exe (Microsoft authenticate service)
c:\archivos de programa\archivos comunes\sony shared\avlib\mscsptisrv.exe (MSCSPTISRV)
c:\archivos de programa\archivos comunes\sony shared\avlib\pacsptisvr.exe (PACSPTISVR)
c:\archivos de programa\archivos comunes\sony shared\avlib\ssscsisv.exe (SonicStage SCSI Service)
c:\archivos de programa\archivos comunes\sony shared\avlib\sptisrv.exe (Sony SPTI Service)

Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 04, 2007, 01:09:06 AM
..........

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* C:\WINDOWS\system32\drivers\admjoy.sys (Aureal Game Port Enumerator)
* C:\WINDOWS\system32\drivers\ptilink.sys (Controlador de vínculo paralelo directo)
* C:\WINDOWS\system32\drivers\rtl8139.sys (Controlador de Windows NT del adaptador Fast Ethernet PCI basado en Realtek  RTL8139(A/B/C))
* C:\WINDOWS\system32\drivers\smserial.sys (Motorola SM56 Modem WDM Driver)
* C:\WINDOWS\system32\drivers\usbvm31b.sys (Philips SPC210NC Webcam)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
* C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\alcxwdm.sys (Service for Realtek AC97 Audio (WDM))

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
* c:\archiv~1\archiv~1\skype\skype4~1.dll (Skype Technologies) {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
* c:\archivos de programa\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11d4-9B18-009027A5CD4F}

044 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
------------------------------------------------------------------
* c:\archivos de programa\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11D4-9B18-009027A5CD4F}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
* c:\archivos de programa\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11D4-9B18-009027A5CD4F}

047 Trusted zones
-----------------
Zone: musicmatch.com : *.musicmatch.com
Zone: musicmatch.com : *.musicmatch.com

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
GUID / CLSID not found {7E853D72-626A-48EC-A868-BA8D5E23E045}
* c:\archivos de programa\adobe\acrobat 7.0\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
* c:\archiv~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F}
* c:\archivos de programa\google\googletoolbar3.dll (Google Inc.) {AA58ED58-01DD-4d91-8333-CF10577473F7}
* c:\archivos de programa\google\googletoolbarnotifier\2.0.301.7164\swg.dll (Google Inc.) {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
* c:\archiv~1\skype\phone\ieplugin\skypei~1.dll (Skype Technologies S.A.) {22BF413B-C6D2-4d91-82A9-A0F997BA588C}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
* c:\archivos de programa\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
c:\archivos de programa\jetaudio\jetflext.dll (JetAudio, Inc.) {8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}
c:\archivos de programa\real\realplayer\rpshell.dll (RealNetworks, Inc.) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
c:\archivos de programa\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\archivos de programa\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
C:\WINDOWS\system32\mdimon.dll (Microsoft Corporation)

100 Internet Explorer settings
------------------------------
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Page_URL HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL HKLM : http://www.google.com/ie
Search Page HKCU : http://www.google.com
Search Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchAssistant HKCU : http://www.google.com/ie
SearchAssistant HKLM : http://www.google.com/ie
SearchUrl HKCU : http://www.google.com/search?q=%s
Start Page HKCU : http://www.google.com/
Start Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
* c:\windows\system32\macromed\flash\flash9c.ocx (Adobe Systems, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
E&xportar a Microsoft Excel : res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
* c:\archivos de programa\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
- c:\archivos de programa\mp3 player utilities 3.57\amvtools\srccount.dll {548773BA-874E-4C02-9DC7-B7A096772C7D}
c:\archivos de programa\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}


P.S. Still can't find msasvc in system32, nor can an I.T. friend of mine.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on September 06, 2007, 04:55:45 AM
Your runscanner log also indicates that msasvc.exe is missing.

What is the current status of the outgoing email problem?  Besides the email, are there other symptoms of infection?
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 07, 2007, 05:07:02 PM
None whatsoever, which seems strange to me. I would have thought that, due to the amount of supposedly sent e-mails, both my PC and connection would be noticeably affected in response time, which is not the case.
Also, the activity seems to have receded slightly, in so much as the message that avast generated in the past about the amount of suspicious mail being sent in a short period of time no longer appears; however, the mail scanner of avast is up and running, as indicated by the icon on the lower status bar of the screen. When I move the mouse cursor over the icon it indicates to me the addresses of the emails being sent. Periodically there are periods when it stops, then starts again. The decrease in activity also coincided with me activating the XP firewall and updates that were pending.
What I am also going to see is if it only starts when I have Internet Explorer open, or if merely having the PC switched on (and the cable connection open) it starts to do the same. A friend of mine and I have been monitoring the memory usage and activated programmes when it starts up and there doesn't seem to be anything untoward going on, which is very strange, but then again I suppose the virus makers have this in mind!!!
Any ideas?
Thanks.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on September 08, 2007, 05:51:50 AM
If you haven't already fixed the lines DavidR mentioned please do so now.

Open HJT and click to Do a System Scan Only. When complete, place a check next to these lines:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Close all other windows, including your browser, and click Fix Checked.


Now run ComboFix and post the log it produces, followed by a fresh HJT log.  Please note that if you have an older version of ComboFix on your computer you must delete it and download the latest version.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 08, 2007, 01:27:13 PM
Right. I've done as you instructed and here are the results (I only know how to copy them and paste them here, though it takes up a lot of page).

HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:12:01, on 08/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\VM_STI.EXE
C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe
C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\DAD\Escritorio\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC210NC Webcam
O4 - HKLM\..\Run: [SsAAD.exe] C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Archivos de programa\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TrayMin210.exe.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 7636 bytes

........
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 08, 2007, 01:27:56 PM
....
Combofix log:

ComboFix 07-09-08.7 - "DAD" 2007-09-08 13:18:45.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.3082.18.181 [GMT 2:00]
 * Created a new restore point
.
Rootkit driver pe386 is present. ... attempting disinfection
 pe386 ...... driver unloaded successfully.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\DAD\DATOSD~1\install.dat
C:\DOCUME~1\DAD\ESCRIT~1\internet.lnk


(((((((((((((((((((((((((   Files Created from 2007-08-08 to 2007-09-08  )))))))))))))))))))))))))))))))
.

2007-09-08 13:14   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-09-04 01:13   <DIR>   d--------   C:\DOCUME~1\DAD\DATOSD~1\SUPERAntiSpyware.com
2007-09-04 01:13   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATOSD~1\SUPERAntiSpyware.com
2007-09-04 01:13   <DIR>   d--------   C:\Archivos de programa\SUPERAntiSpyware
2007-09-04 01:13   <DIR>   d--------   C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2007-09-01 10:07   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-01 10:13   ---------   d--------   C:\Archivos de programa\eMule
2007-07-30 19:19   92504   --a------   C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19   549720   --a------   C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19   53080   --a------   C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19   43352   --a------   C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19   325976   --a------   C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19   203096   --a------   C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19   1712984   --a------   C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18   33624   --a------   C:\WINDOWS\system32\wups.dll
2007-07-28 00:07   783224   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-28 00:02   94416   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 00:02   92848   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 00:00   23152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 23:59   42912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 23:58   26624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 23:57   95608   --a------   C:\WINDOWS\system32\AVASTSS.scr
2007-07-23 19:36   ---------   d--------   C:\DOCUME~1\DAD\DATOSD~1\Skype
2007-06-26 08:09   1104896   --a------   C:\WINDOWS\system32\msxml3.dll
2007-06-20 22:10   151552   ---------   C:\WINDOWS\system32\pxwma.dll
2007-06-20 22:10   108544   ---------   C:\WINDOWS\system32\pxcpyi64.exe
2007-06-20 22:10   104960   ---------   C:\WINDOWS\system32\pxinsi64.exe
2007-06-19 15:30   282112   --a------   C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:22   1035776   --a------   C:\WINDOWS\explorer.exe
2004-11-30 15:23   40960   -r-------   C:\Archivos de programa\delete.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 08:01 C:\WINDOWS\sm56hlpr.exe]
"mmtask"="C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-12-01 14:49]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 12:48 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" []
"ISUSPM Startup"="C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 11:41]
"ISUSScheduler"="C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" [2004-04-13 05:07]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"WinampAgent"="C:\Archivos de programa\Winamp\winampa.exe" [2005-10-27 01:01]
"avast!"="C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-06-09 15:37]
"SsAAD.exe"="C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:42]
"RealPlayer"="C:\Archivos de programa\Real\RealPlayer\realplay.exe" [2006-06-02 18:20]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 18:35]
"SUPERAntiSpyware"="C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\MENINI~1\PROGRA~1\Inicio\
Inicio r pido de Adobe Reader.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
TrayMin210.exe.lnk - C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe [2007-04-20 21:52:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

S2 MsaSvc;Microsoft authenticate service;C:\WINDOWS\system32\msasvc.exe
S3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 13:20:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-08 13:21:46
C:\ComboFix-quarantined-files.txt ... 2007-09-08 13:21
.
   --- E O F ---


many thanks once again!
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 08, 2007, 02:05:05 PM
p.s. is it normal that when I downloaded combofix, my avast antivirus alerted me of a trojan virus and there was an attempt to change the search criteria of my google search bar? I moved the trojan to the avast virus chest.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: DavidR on September 08, 2007, 02:32:38 PM
I assume that it wasn't anything to do with combofix otherwise that probably wouldn't have run if something was missing.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

I will let Keith look after your combofix log but the unloading of a rootkit driver looks promising.

If you ran HJT and log you posted before combofix then can you run it again and post the contents.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on September 08, 2007, 04:58:58 PM
p.s. is it normal that when I downloaded combofix, my avast antivirus alerted me of a trojan virus and there was an attempt to change the search criteria of my google search bar? I moved the trojan to the avast virus chest.
Some av's will give you an alert but normally not avast!  I just downloaded from both sites with no warnings at all, so I would say you have something else at work in the background.

It looks like msasvc.exe is still loading as a service but is (was) being hidden by the rootkit.  We still have some work to do.

Ditto to everything David posted, especially running HJT after ComboFix and posting both logs again.  Ideally this can be done with no re-boot between the scans, but if ComboFix needs a reboot let that happen.


Please also scan this file at Virus Total (http://www.virustotal.com/) and post the results

C:\Archivos de programa\delete.exe
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: DavidR on September 08, 2007, 05:17:17 PM
It looks like msasvc.exe is still loading as a service but is (was) being hidden by the rootkit.  We still have some work to do.

That is interesting and possibly a clue that a rootkit might be at work if an otherwise malicious file indicated on a google search, etc. shows up in the HJT log as file missing, especially if that is a service entry.
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing).

It also seems that many email spambots that are not noticed by their email activity are being hidden by rootkits as these are becoming more frequent in the forums.

A good time to stop them getting established (files in system folders and registry entries) via DropMyRights.

@ lad from leigh
Once the dark and sticky stuff is cleaned off the fan - You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP. Check Bob's, setup instructions and importantly the dropmyrights.msi file needed as MS have now cleared the original link.
http://mysharedfiles.no-ip.org/dropmyrights (http://mysharedfiles.no-ip.org/dropmyrights)
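The clue discussed above (a service still registered, possibly set to start automatically or even running, while HijackThis reports its binary as "file missing") can be checked for systematically. The script below is an added example and not something from this thread or from HijackThis/ComboFix; it assumes a Windows host with PowerShell 3 or later and an elevated prompt, walks the service keys under HKLM\SYSTEM\CurrentControlSet\Services, and lists Win32 services whose ImagePath does not resolve to a visible file, together with their start type and current state.

```powershell
# Added example (not from the thread): list services whose registered binary
# cannot be seen on disk, the condition HijackThis shows as "(file missing)".
# An entry that is Auto-start or Running while its file is invisible is either
# a stale leftover or a file the file-system API is being prevented from
# showing, which is the rootkit pattern the thread discusses.

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    # Expand %SystemRoot% and friends, strip quoting and trailing arguments
    # such as "-k DcomLaunch", and handle the \??\ and \SystemRoot\ prefixes.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    } elseif ($p -match '^(.*?\.exe)') {
        $p = $Matches[1]
    } else {
        $p = $p.Split(' ')[0]
    }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    # Bare file names are looked up in System32, as the service controller does
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot "System32\$p"
    }
    return $p
}

function Get-SuspiciousServiceEntries {
    [CmdletBinding()]
    param()

    # Registry "Start" values for a service key
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

    # Current state as reported by the service control manager (may differ
    # from what the registry says; the thread saw MsaSvc Auto but stopped)
    $state = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object { $state[$_.Name] = $_.State }

    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { continue }
        # Type 0x10 = own process, 0x20 = shared process; anything else is a driver
        if (-not ([int]$props.Type -band 0x30)) { continue }

        $exe = Resolve-ServiceImagePath -ImagePath $props.ImagePath
        if (Test-Path -LiteralPath $exe) { continue }

        $name = $key.PSChildName
        [PSCustomObject]@{
            Name      = $name
            Display   = $props.DisplayName
            ImagePath = $props.ImagePath
            Resolved  = $exe
            Start     = $startNames[[int]$props.Start]
            State     = if ($state.ContainsKey($name)) { $state[$name] } else { 'NotLoaded' }
        }
    }
}

# Anything listed here deserves the same treatment the thread gives MsaSvc:
# an Auto or Running entry with no visible file is the interesting case.
Get-SuspiciousServiceEntries | Sort-Object Start, Name | Format-Table -AutoSize
```

A service that shows up as Running here while its file fails Test-Path is stronger evidence than a stale Disabled entry, since something is executing a binary the file system will not show you.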
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on September 08, 2007, 05:26:57 PM
That is interesting and possibly a clue that a rootkit might be at work if an otherwise malicious file indicated on a google search, etc. shows up in the HJT log as file missing, especially if that is a service entry.
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing).
My thoughts as well.

It would be easy enough to stop and delete the service but I'm afraid it is being restored by a process we haven't found yet (just as the O23 returned in HJT after being fixed (I assume the instructions to fix that line were followed)).


EDIT:  By way of clarification, MsaSvc is still registered as a service with startup type = auto.  But the service was actually stopped when ComboFix was run.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mbourne on September 08, 2007, 07:10:34 PM
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Does combofix run in a command prompt window? If so, I suspect the stall is caused by a mouse click selecting an area of the screen for copying when QuickEdit mode is enabled for the command prompt. Right-clicking inside the window should remove the selection and allow combofix to continue (this also copies the selected area to clipboard).
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on September 08, 2007, 08:11:59 PM
Does combofix run in a command prompt window? ...
Yes, it does.  You may be right about the cause of the potential hang - I honestly don't know.  But given the nature of what it does - quarantining malware in addition to generating a text log - it would be best to avoid hanging it.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mbourne on September 08, 2007, 08:40:58 PM
But given the nature of what it does - quarantining malware in addition to generating a text log - it would be best to avoid hanging it.
Agreed, I was more suggesting a possible way of un-hanging it if someone were to accidentally click in the window and find that it hung, without needing to kill and re-start the program.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 08, 2007, 11:36:59 PM
The virus notification that I mentioned is described as follows:

Name: Cfiles.cf
Original location: C/Combofix
Virus: Win32 Dadobra-Ey (Trj)

I've passed the delete.exe file through Virus Total and it gave the OK.

I've also been on the internet about an hour now and not once has the avast mail scanner notified me of untoward goings on, which is the first time! I did the HJT fix on the files you told me to.

This is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:35:02, on 08/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\VM_STI.EXE
C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe
C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
C:\Archivos de programa\internet explorer\iexplore.exe
C:\Documents and Settings\DAD\Escritorio\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC210NC Webcam
O4 - HKLM\..\Run: [SsAAD.exe] C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Archivos de programa\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TrayMin210.exe.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 7659 bytes


I'll get right on to what you've said about using my PC as an administrator, it makes a lot of sense. Thanks for the tip.
I appreciate all the help.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on September 09, 2007, 07:09:00 AM
Well, if you're reluctant to run ComboFix again can you post the contents of C:\ComboFix-quarantined-files.txt
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 09, 2007, 08:56:17 PM
Here's the new combofix log, although in executing the programme, the same virus message came up as before!! So I moved it to the virus chest.

ComboFix 07-09-08.7 - "DAD" 2007-09-09 20:50:58.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.3082.18.168 [GMT 2:00]
.

(((((((((((((((((((((((((   Files Created from 2007-08-09 to 2007-09-09  )))))))))))))))))))))))))))))))
.

2007-09-08 13:14   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-09-04 01:13   <DIR>   d--------   C:\DOCUME~1\DAD\DATOSD~1\SUPERAntiSpyware.com
2007-09-04 01:13   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATOSD~1\SUPERAntiSpyware.com
2007-09-04 01:13   <DIR>   d--------   C:\Archivos de programa\SUPERAntiSpyware
2007-09-04 01:13   <DIR>   d--------   C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2007-09-01 10:07   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 11:18   ---------   d--------   C:\DOCUME~1\DAD\DATOSD~1\Skype
2007-09-01 10:13   ---------   d--------   C:\Archivos de programa\eMule
2007-07-30 19:19   92504   --a------   C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19   549720   --a------   C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19   53080   --a------   C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19   43352   --a------   C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19   325976   --a------   C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19   203096   --a------   C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19   1712984   --a------   C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18   33624   --a------   C:\WINDOWS\system32\wups.dll
2007-07-28 00:07   783224   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-28 00:02   94416   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 00:02   92848   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 00:00   23152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 23:59   42912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 23:58   26624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 23:57   95608   --a------   C:\WINDOWS\system32\AVASTSS.scr
2007-06-26 08:09   1104896   --a------   C:\WINDOWS\system32\msxml3.dll
2007-06-20 22:10   151552   ---------   C:\WINDOWS\system32\pxwma.dll
2007-06-20 22:10   108544   ---------   C:\WINDOWS\system32\pxcpyi64.exe
2007-06-20 22:10   104960   ---------   C:\WINDOWS\system32\pxinsi64.exe
2007-06-19 15:30   282112   --a------   C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:22   1035776   --a------   C:\WINDOWS\explorer.exe
2004-11-30 15:23   40960   -r-------   C:\Archivos de programa\delete.exe
.

(((((((((((((((((((((((((((((   snapshot_2007-09-08_132115.62   )))))))))))))))))))))))))))))))))))))))))
.
----atw            16,384 2007-09-09 18:32:58  C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat
----atw            16,384 2007-09-09 08:17:08  C:\WINDOWS\Temp\Perflib_Perfdata_498.dat
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 08:01 C:\WINDOWS\sm56hlpr.exe]
"mmtask"="C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-12-01 14:49]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 12:48 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" []
"ISUSPM Startup"="C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 11:41]
"ISUSScheduler"="C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" [2004-04-13 05:07]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"WinampAgent"="C:\Archivos de programa\Winamp\winampa.exe" [2005-10-27 01:01]
"avast!"="C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-06-09 15:37]
"SsAAD.exe"="C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:42]
"RealPlayer"="C:\Archivos de programa\Real\RealPlayer\realplay.exe" [2006-06-02 18:20]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 18:35]
"SUPERAntiSpyware"="C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\MENINI~1\PROGRA~1\Inicio\
Inicio r pido de Adobe Reader.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
TrayMin210.exe.lnk - C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe [2007-04-20 21:52:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

S2 MsaSvc;Microsoft authenticate service;C:\WINDOWS\system32\msasvc.exe
S3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 20:52:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-09 20:53:03
C:\ComboFix-quarantined-files.txt ... 2007-09-09 20:52
C:\ComboFix2.txt ... 2007-09-08 13:21
.
   --- E O F ---
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 09, 2007, 08:58:31 PM
p.s. the quarantined files.

2006-06-13 23:06      104    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\DAD\ESCRIT~1\Internet.lnk.vir
2006-12-27 18:15      1442985    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\DAD\DATOSD~1\Install.dat.vir
2007-07-08 21:23      15399    --a------    C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir


Listado de rutas de carpetas
El n£mero de serie del volumen es 6413-090A
C:\QOOBOX\QUARANTINE
+---C
|   +---ComboFix
|   |       FProps.vbs.vir
|   |       
|   \---DOCUME~1
|       \---DAD
|           +---DATOSD~1
|           |       Install.dat.vir
|           |       
|           \---ESCRIT~1
|                   Internet.lnk.vir
|                   
\---Registry_backups


thanks.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on September 10, 2007, 04:22:03 AM
It's good that the outgoing email has subsided but unless I can see logically why something is fixed I'm never satisfied that it is fixed.  Unfortunately I don't see the logic yet - not enough, at least.

I know you're ready to be done with this but please post a WinPFind3U log so I can have a closer look at things.  This log will be long - typically requiring several posts to fit everything.

Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.


Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 13, 2007, 01:46:05 AM
ok
WinPFind3 logfile created on: 13/09/2007 1:30:54
WinPFind3U by OldTimer - Version 1.0.42   Folder = C:\Documents and Settings\DAD\Escritorio\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)
 
447,48 Mb Total Physical Memory | 193,83 Mb Available Physical Memory | 43,32% Memory free
1,03 Gb Paging File | 0,83 Gb Available in Paging File | 80,81% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 152,66 Gb Total Space | 102,07 Gb Free Space | 66,87% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: LEE
Current User Name: DAD
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 75128 bytes | Modified Date = 28/07/2007 0:03:34 | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 243064 bytes | Modified Date = 28/07/2007 0:03:08 | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 132472 bytes | Modified Date = 28/07/2007 0:03:28 | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 345464 bytes | Modified Date = 28/07/2007 0:02:20 | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 16248 bytes | Modified Date = 27/07/2007 23:52:46 | Attr =    ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 10/08/2007 18:35:12 | Attr =    ]
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 3, 00, 100, 1161 | Size = 69632 bytes | Modified Date = 13/04/2004 5:07:18 | Attr =    ]
mmtask.exe -> %ProgramFiles%\Musicmatch\Musicmatch Jukebox\mmtask.exe -> Musicmatch Inc. [Ver = 9.0.0.1 | Size = 53248 bytes | Modified Date = 01/12/2004 14:49:10 | Attr =    ]
sm56hlpr.exe -> %SystemRoot%\sm56hlpr.exe -> Motorola Inc. [Ver = 6.09.07 | Size = 544768 bytes | Modified Date = 29/12/2004 8:01:56 | Attr = R  ]
soundman.exe -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5.1.0.39 | Size = 77824 bytes | Modified Date = 17/05/2005 12:48:32 | Attr = R  ]
ssaad.exe -> %ProgramFiles%\Sony\SonicStage\SSAAD.exe ->  [Ver = 3.0.00.13241 | Size = 81920 bytes | Modified Date = 24/01/2005 19:58:02 | Attr =    ]
ssscsisv.exe -> %CommonProgramFiles%\Sony Shared\AVLib\SSScsiSV.exe -> Sony Corporation [Ver = 3.0.00.13241 | Size = 69632 bytes | Modified Date = 24/01/2005 18:36:52 | Attr =    ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 14:06:28 | Attr =    ]
traymin210.exe -> %ProgramFiles%\Philips\Philips SPC210NC Webcam\TrayMin210.exe ->  [Ver = 1, 0, 0, 4 | Size = 278528 bytes | Modified Date = 10/05/2006 13:24:34 | Attr =    ]
vm_sti.exe -> %SystemRoot%\VM_STI.EXE -> BIGDOG [Ver = 4, 2, 610, 4 | Size = 40960 bytes | Modified Date = 09/06/2004 15:37:02 | Attr =    ]
winampa.exe -> %ProgramFiles%\Winamp\winampa.exe ->  [Ver =  | Size = 33792 bytes | Modified Date = 27/10/2005 1:01:14 | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 04/09/2007 10:47:26 | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 16248 bytes | Modified Date = 27/07/2007 23:52:46 | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 132472 bytes | Modified Date = 28/07/2007 0:03:28 | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 243064 bytes | Modified Date = 28/07/2007 0:03:08 | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 345464 bytes | Modified Date = 28/07/2007 0:02:20 | Attr =    ]
(dmadmin) Servicio del administrador de discos lógicos [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., VERITAS Software [Ver = 2600.2180.503.0 | Size = 225792 bytes | Modified Date = 19/08/2004 15:42:44 | Attr =    ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 27/01/2007 10:12:26 | Attr =    ]
(MsaSvc) Microsoft authenticate service [Win32_Own | Auto | Stopped] -> %System32%\msasvc.exe -> File not found
(MSCSPTISRV) MSCSPTISRV [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\MSCSPTISRV.exe -> Sony Corporation [Ver = 4.1.00.13261 | Size = 53337 bytes | Modified Date = 26/01/2005 15:30:04 | Attr =    ]
(PACSPTISVR) PACSPTISVR [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\PACSPTISVR.exe -> Sony Corporation [Ver = 4.1.00.13261 | Size = 53337 bytes | Modified Date = 26/01/2005 15:25:34 | Attr =    ]
(SPTISRV) Sony SPTI Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\SPTISRV.exe -> Sony Corporation [Ver = 4.1.00.13261 | Size = 69718 bytes | Modified Date = 26/01/2005 15:20:14 | Attr =    ]
(SSScsiSV) SonicStage SCSI Service [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Sony Shared\AVLib\SSScsiSV.exe -> Sony Corporation [Ver = 3.0.00.13241 | Size = 69632 bytes | Modified Date = 24/01/2005 18:36:52 | Attr =    ]

[Driver Services - Non-Microsoft Only]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 26624 bytes | Modified Date = 27/07/2007 23:58:36 | Attr =    ]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->  -> File not found
(admjoy) Aureal Game Port Enumerator [Kernel | On_Demand | Stopped] -> %System32%\drivers\admjoy.sys -> Aureal, Inc. [Ver = 5.12.01.1500 | Size = 10880 bytes | Modified Date = 03/08/2004 22:32:24 | Attr =    ]
(adpu160m) adpu160m [Kernel | Disabled | Stopped] ->  -> File not found
(Aha154x) Aha154x [Kernel | Disabled | Stopped] ->  -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->  -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] ->  -> File not found
(ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\ALCXWDM.SYS -> Realtek Semiconductor Corp. [Ver = 5.10.5850 built by: WinDDK | Size = 2319680 bytes | Modified Date = 18/05/2005 11:50:30 | Attr = R  ]
(AliIde) AliIde [Kernel | Disabled | Stopped] ->  -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] ->  -> File not found
(asc) asc [Kernel | Disabled | Stopped] ->  -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] ->  -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] ->  -> File not found
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 94416 bytes | Modified Date = 28/07/2007 0:02:34 | Attr =    ]
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 23152 bytes | Modified Date = 28/07/2007 0:00:40 | Attr =    ]
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 42912 bytes | Modified Date = 27/07/2007 23:59:58 | Attr =    ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] ->  -> File not found
(AvFlt) Antivirus Filter Driver [File_System | On_Demand | Stopped] -> %System32%\drivers\av5flt.sys -> File not found
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\DAD\CONFIG~1\Temp\catchme.sys -> File not found
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->  -> File not found
(Changer) Changer [Kernel | System | Stopped] ->  -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] ->  -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->  -> File not found
(dac960nt) dac960nt [Kernel | Disabled | Stopped] ->  -> File not found
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 13, 2007, 01:48:12 AM
....
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 800256 bytes | Modified Date = 19/08/2004 15:28:34 | Attr =    ]
(dmio) Controlador del administrador de discos lógicos [Kernel | Boot | Running] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 154240 bytes | Modified Date = 19/08/2004 15:28:40 | Attr =    ]
(dmload) dmload [Kernel | Boot | Running] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 24/08/2001 12:00:00 | Attr =    ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] ->  -> File not found
(hpn) hpn [Kernel | Disabled | Stopped] ->  -> File not found
(i2omgmt) i2omgmt [Kernel | System | Stopped] ->  -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] ->  -> File not found
(ini910u) ini910u [Kernel | Disabled | Stopped] ->  -> File not found
(IntelIde) IntelIde [Kernel | Disabled | Stopped] ->  -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->  -> File not found
(mraid35x) mraid35x [Kernel | Disabled | Stopped] ->  -> File not found
(MxlW2k) MxlW2k [Kernel | On_Demand | Running] -> %System32%\drivers\MxlW2k.sys -> MusicMatch, Inc. [Ver = 1.1.0.121 | Size = 28352 bytes | Modified Date = 24/04/2006 1:03:10 | Attr =    ]
(PCIDump) PCIDump [Kernel | System | Stopped] ->  -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] ->  -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] ->  -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] ->  -> File not found
(Ptilink) Controlador de vínculo paralelo directo [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 24/08/2001 12:00:00 | Attr =    ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\PxHelp20.sys -> Sonic Solutions [Ver = 2.03.18a | Size = 20576 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] ->  -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->  -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] ->  -> File not found
(rtl8139) Controlador de Windows NT del adaptador Fast Ethernet PCI basado en Realtek  RTL8139(A/B/C) [Kernel | On_Demand | Running] -> %System32%\drivers\RTL8139.sys -> Realtek Semiconductor Corporation [Ver = 5.398.613.2003 built by: WinDDK | Size = 20992 bytes | Modified Date = 03/08/2004 23:31:34 | Attr =    ]
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys ->  [Ver = 1, 0, 0, 1006 | Size = 5632 bytes | Modified Date = 10/10/2006 13:53:48 | Attr =    ]
(SASENUM) SASENUM [Kernel | On_Demand | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> SuperAdBlocker, Inc. [Ver = 1, 0, 0, 1002 | Size = 4096 bytes | Modified Date = 16/02/2006 17:51:08 | Attr = R  ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS ->  [Ver = 1, 0, 0, 1036 | Size = 32256 bytes | Modified Date = 27/02/2007 12:39:26 | Attr =    ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys ->  [Ver =  | Size = 27440 bytes | Modified Date = 17/07/2004 11:36:38 | Attr =    ]
(Simbad) Simbad [Kernel | Disabled | Stopped] ->  -> File not found
(smserial) smserial [Kernel | On_Demand | Running] -> %System32%\drivers\smserial.sys -> Motorola Inc. [Ver = SM56 Rel. 6.09 Build 07 | Size = 923826 bytes | Modified Date = 11/01/2005 9:25:10 | Attr = R  ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] ->  -> File not found
(symc810) symc810 [Kernel | Disabled | Stopped] ->  -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] ->  -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] ->  -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] ->  -> File not found
(TosIde) TosIde [Kernel | Disabled | Stopped] ->  -> File not found
(ultra) ultra [Kernel | Disabled | Stopped] ->  -> File not found
(WDICA) WDICA [Kernel | On_Demand | Stopped] ->  -> File not found
(ZSMC301b) Philips SPC210NC Webcam [Kernel | On_Demand | Stopped] -> %System32%\drivers\usbVM31b.sys -> VM [Ver = 4.2.1010.41 | Size = 91527 bytes | Modified Date = 26/02/2005 16:25:52 | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 75128 bytes | Modified Date = 28/07/2007 0:03:34 | Attr =    ]
BigDogPath -> %SystemRoot%\VM_STI.EXE -> BIGDOG [Ver = 4, 2, 610, 4 | Size = 40960 bytes | Modified Date = 09/06/2004 15:37:02 | Attr =    ]
ISUSPM Startup -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> InstallShield Software Corporation [Ver = 3, 00, 100, 1131 | Size = 196608 bytes | Modified Date = 17/04/2004 11:41:30 | Attr =    ]
ISUSScheduler -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 3, 00, 100, 1161 | Size = 69632 bytes | Modified Date = 13/04/2004 5:07:18 | Attr =    ]
mmtask -> %ProgramFiles%\Musicmatch\Musicmatch Jukebox\mmtask.exe -> Musicmatch Inc. [Ver = 9.0.0.1 | Size = 53248 bytes | Modified Date = 01/12/2004 14:49:10 | Attr =    ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09/07/2001 11:50:42 | Attr =    ]
SMSERIAL -> %SystemRoot%\sm56hlpr.exe -> Motorola Inc. [Ver = 6.09.07 | Size = 544768 bytes | Modified Date = 29/12/2004 8:01:56 | Attr = R  ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5.1.0.39 | Size = 77824 bytes | Modified Date = 17/05/2005 12:48:32 | Attr = R  ]
SsAAD.exe -> %ProgramFiles%\Sony\SonicStage\SSAAD.exe ->  [Ver = 3.0.00.13241 | Size = 81920 bytes | Modified Date = 24/01/2005 19:58:02 | Attr =    ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> File not found
WinampAgent -> %ProgramFiles%\Winamp\winampa.exe ->  [Ver =  | Size = 33792 bytes | Modified Date = 27/10/2005 1:01:14 | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
RealPlayer -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.12.857 | Size = 1003520 bytes | Modified Date = 02/06/2006 18:20:56 | Attr =    ]
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 14:06:28 | Attr =    ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 10/08/2007 18:35:12 | Attr =    ]
< Common Startup > -> C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio ->
%AllUsersStartup%\Inicio rápido de Adobe Reader.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 29696 bytes | Modified Date = 14/12/2004 4:44:06 | Attr =    ]
%AllUsersStartup%\TrayMin210.exe.lnk -> %ProgramFiles%\Philips\Philips SPC210NC Webcam\TrayMin210.exe ->  [Ver = 1, 0, 0, 4 | Size = 278528 bytes | Modified Date = 10/05/2006 13:24:34 | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 20/12/2006 13:55:48 | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 19/04/2007 13:41:36 | Attr =    ]
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 13, 2007, 01:50:18 AM
.....
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< HOSTS File > (792 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.google.com/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
musicmatch.com
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
musicmatch.com
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.0.0.2004121400 | Size = 63136 bytes | Modified Date = 14/12/2004 1:56:50 | Attr =    ]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} [HKLM] -> %ProgramFiles%\Skype\Phone\IEPlugin\SkypeIEPlugin.dll [Skype add-on (mastermind)] -> Skype Technologies S.A. [Ver = 2, 2, 0, 78 | Size = 722472 bytes | Modified Date = 30/03/2007 13:31:02 | Attr =    ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 1:04:00 | Attr =    ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 20/01/2007 0:55:32 | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 10/08/2007 18:35:10 | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 20/01/2007 0:55:32 | Attr = R  ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 20/01/2007 0:55:32 | Attr = R  ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 20/01/2007 0:55:32 | Attr = R  ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{77BF5300-1474-4EC7-9980-D32B190E9B07} -> Reg Data - Value does not exist [ButtonText: Skype] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Referencia] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xportar a Microsoft Excel ->  -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 ->  ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{32EC8C8C-AAA8-4ECC-9C85-E14495A46D73} ->    (NIC Fast Ethernet PCI Familia RTL8139 de Realtek ) ->
{A5EEF4CB-1DC6-48BB-89F7-227C3FE9FD52} ->    () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
skype4com -> %CommonProgramFiles%\Skype\Skype4COM.dll -> Skype Technologies [Ver = 1, 0, 27, 0 | Size = 1828440 bytes | Modified Date = 12/01/2007 12:50:48 | Attr = R  ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->

Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 13, 2007, 01:51:05 AM
[Files/Folders - Created Within 90 days]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Created Date = 08/09/2007 12:14:37 | Attr =    ]
sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 20/06/2007 9:15:50 | Attr =  H ]
sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 20/06/2007 21:15:47 | Attr =  H ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 04/07/2007 23:41:15 | Attr =  H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 05/07/2007 11:34:20 | Attr =  H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 09/07/2007 9:10:54 | Attr =  H ]
sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 09/07/2007 17:53:10 | Attr =  H ]
sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 09/07/2007 21:23:37 | Attr =  H ]
sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 25/07/2007 10:37:31 | Attr =  H ]
sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 10/08/2007 17:37:56 | Attr =  H ]
sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 13/08/2007 22:55:11 | Attr =  H ]
sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 13/08/2007 23:23:24 | Attr =  H ]
sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 14/08/2007 7:48:27 | Attr =  H ]
sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 14/08/2007 10:01:40 | Attr =  H ]
sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 14/08/2007 10:47:56 | Attr =  H ]
sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 14/08/2007 13:20:35 | Attr =  H ]
sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 20/06/2007 9:15:50 | Attr =  H ]
sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 20/06/2007 21:15:47 | Attr =  H ]
sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 04/07/2007 23:41:15 | Attr =  H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 05/07/2007 11:34:20 | Attr =  H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 09/07/2007 9:10:54 | Attr =  H ]
sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 09/07/2007 17:53:10 | Attr =  H ]
sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 09/07/2007 21:23:37 | Attr =  H ]
sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 25/07/2007 10:37:31 | Attr =  H ]
sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 10/08/2007 17:37:55 | Attr =  H ]
sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 13/08/2007 22:55:11 | Attr =  H ]
sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 13/08/2007 23:23:23 | Attr =  H ]
sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 14/08/2007 7:48:27 | Attr =  H ]
sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 14/08/2007 10:01:40 | Attr =  H ]
sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 14/08/2007 10:47:56 | Attr =  H ]
sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 14/08/2007 13:20:35 | Attr =  H ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Created Date = 01/09/2007 9:07:15 | Attr =  H ]
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 13, 2007, 01:52:35 AM
$MSI31Uninstall_KB893803v2$ -> %SystemRoot%\$MSI31Uninstall_KB893803v2$ ->  [Folder | Created Date = 01/09/2007 9:07:50 | Attr =  H ]
$NtUninstallKB873339$ -> %SystemRoot%\$NtUninstallKB873339$ ->  [Folder | Created Date = 01/09/2007 11:17:08 | Attr =  H ]
$NtUninstallKB885835$ -> %SystemRoot%\$NtUninstallKB885835$ ->  [Folder | Created Date = 01/09/2007 11:21:02 | Attr =  H ]
$NtUninstallKB885836$ -> %SystemRoot%\$NtUninstallKB885836$ ->  [Folder | Created Date = 01/09/2007 11:20:52 | Attr =  H ]
$NtUninstallKB886185$ -> %SystemRoot%\$NtUninstallKB886185$ ->  [Folder | Created Date = 01/09/2007 11:10:30 | Attr =  H ]
$NtUninstallKB887472$ -> %SystemRoot%\$NtUninstallKB887472$ ->  [Folder | Created Date = 01/09/2007 11:16:29 | Attr =  H ]
$NtUninstallKB888302$ -> %SystemRoot%\$NtUninstallKB888302$ ->  [Folder | Created Date = 01/09/2007 11:11:27 | Attr =  H ]
$NtUninstallKB890046$ -> %SystemRoot%\$NtUninstallKB890046$ ->  [Folder | Created Date = 01/09/2007 11:13:54 | Attr =  H ]
$NtUninstallKB890859$ -> %SystemRoot%\$NtUninstallKB890859$ ->  [Folder | Created Date = 01/09/2007 11:07:47 | Attr =  H ]
$NtUninstallKB891781$ -> %SystemRoot%\$NtUninstallKB891781$ ->  [Folder | Created Date = 01/09/2007 11:14:37 | Attr =  H ]
$NtUninstallKB893756$ -> %SystemRoot%\$NtUninstallKB893756$ ->  [Folder | Created Date = 01/09/2007 11:19:07 | Attr =  H ]
$NtUninstallKB894391$ -> %SystemRoot%\$NtUninstallKB894391$ ->  [Folder | Created Date = 01/09/2007 11:08:29 | Attr =  H ]
$NtUninstallKB896358$ -> %SystemRoot%\$NtUninstallKB896358$ ->  [Folder | Created Date = 01/09/2007 11:16:06 | Attr =  H ]
$NtUninstallKB896423$ -> %SystemRoot%\$NtUninstallKB896423$ ->  [Folder | Created Date = 01/09/2007 11:18:09 | Attr =  H ]
$NtUninstallKB896428$ -> %SystemRoot%\$NtUninstallKB896428$ ->  [Folder | Created Date = 01/09/2007 11:08:44 | Attr =  H ]
$NtUninstallKB898461$ -> %SystemRoot%\$NtUninstallKB898461$ ->  [Folder | Created Date = 01/09/2007 9:07:15 | Attr =  H ]
$NtUninstallKB899587$ -> %SystemRoot%\$NtUninstallKB899587$ ->  [Folder | Created Date = 01/09/2007 11:21:39 | Attr =  H ]
$NtUninstallKB899591$ -> %SystemRoot%\$NtUninstallKB899591$ ->  [Folder | Created Date = 01/09/2007 11:19:30 | Attr =  H ]
$NtUninstallKB900485$ -> %SystemRoot%\$NtUninstallKB900485$ ->  [Folder | Created Date = 01/09/2007 11:18:01 | Attr =  H ]
$NtUninstallKB900725$ -> %SystemRoot%\$NtUninstallKB900725$ ->  [Folder | Created Date = 01/09/2007 11:11:18 | Attr =  H ]
$NtUninstallKB901017$ -> %SystemRoot%\$NtUninstallKB901017$ ->  [Folder | Created Date = 01/09/2007 11:19:40 | Attr =  H ]
$NtUninstallKB901190$ -> %SystemRoot%\$NtUninstallKB901190$ ->  [Folder | Created Date = 01/09/2007 11:10:05 | Attr =  H ]
$NtUninstallKB901214$ -> %SystemRoot%\$NtUninstallKB901214$ ->  [Folder | Created Date = 01/09/2007 11:12:17 | Attr =  H ]
$NtUninstallKB902400$ -> %SystemRoot%\$NtUninstallKB902400$ ->  [Folder | Created Date = 01/09/2007 11:14:06 | Attr =  H ]
$NtUninstallKB904706$ -> %SystemRoot%\$NtUninstallKB904706$ ->  [Folder | Created Date = 01/09/2007 11:10:11 | Attr =  H ]
$NtUninstallKB905414$ -> %SystemRoot%\$NtUninstallKB905414$ ->  [Folder | Created Date = 01/09/2007 11:12:43 | Attr =  H ]
$NtUninstallKB905749$ -> %SystemRoot%\$NtUninstallKB905749$ ->  [Folder | Created Date = 01/09/2007 11:09:47 | Attr =  H ]
$NtUninstallKB908519$ -> %SystemRoot%\$NtUninstallKB908519$ ->  [Folder | Created Date = 01/09/2007 11:08:22 | Attr =  H ]
$NtUninstallKB908531$ -> %SystemRoot%\$NtUninstallKB908531$ ->  [Folder | Created Date = 01/09/2007 11:09:55 | Attr =  H ]
$NtUninstallKB910437$ -> %SystemRoot%\$NtUninstallKB910437$ ->  [Folder | Created Date = 01/09/2007 11:15:39 | Attr =  H ]
$NtUninstallKB911280$ -> %SystemRoot%\$NtUninstallKB911280$ ->  [Folder | Created Date = 01/09/2007 11:18:50 | Attr =  H ]
$NtUninstallKB911562$ -> %SystemRoot%\$NtUninstallKB911562$ ->  [Folder | Created Date = 01/09/2007 11:18:33 | Attr =  H ]
$NtUninstallKB911564$ -> %SystemRoot%\$NtUninstallKB911564$ ->  [Folder | Created Date = 01/09/2007 11:15:31 | Attr =  H ]
$NtUninstallKB911927$ -> %SystemRoot%\$NtUninstallKB911927$ ->  [Folder | Created Date = 01/09/2007 11:19:51 | Attr =  H ]
$NtUninstallKB913580$ -> %SystemRoot%\$NtUninstallKB913580$ ->  [Folder | Created Date = 01/09/2007 11:09:15 | Attr =  H ]
$NtUninstallKB914388$ -> %SystemRoot%\$NtUninstallKB914388$ ->  [Folder | Created Date = 01/09/2007 11:13:00 | Attr =  H ]
$NtUninstallKB914389$ -> %SystemRoot%\$NtUninstallKB914389$ ->  [Folder | Created Date = 01/09/2007 11:08:06 | Attr =  H ]
$NtUninstallKB916595$ -> %SystemRoot%\$NtUninstallKB916595$ ->  [Folder | Created Date = 01/09/2007 11:10:24 | Attr =  H ]
$NtUninstallKB917344$ -> %SystemRoot%\$NtUninstallKB917344$ ->  [Folder | Created Date = 01/09/2007 11:12:51 | Attr =  H ]
$NtUninstallKB917953$ -> %SystemRoot%\$NtUninstallKB917953$ ->  [Folder | Created Date = 01/09/2007 11:12:35 | Attr =  H ]
$NtUninstallKB918118$ -> %SystemRoot%\$NtUninstallKB918118$ ->  [Folder | Created Date = 01/09/2007 11:11:46 | Attr =  H ]
$NtUninstallKB918439$ -> %SystemRoot%\$NtUninstallKB918439$ ->  [Folder | Created Date = 01/09/2007 11:14:29 | Attr =  H ]
$NtUninstallKB919007$ -> %SystemRoot%\$NtUninstallKB919007$ ->  [Folder | Created Date = 01/09/2007 11:13:07 | Attr =  H ]
$NtUninstallKB920213$ -> %SystemRoot%\$NtUninstallKB920213$ ->  [Folder | Created Date = 01/09/2007 11:10:56 | Attr =  H ]
$NtUninstallKB920670$ -> %SystemRoot%\$NtUninstallKB920670$ ->  [Folder | Created Date = 01/09/2007 11:14:45 | Attr =  H ]
$NtUninstallKB920683$ -> %SystemRoot%\$NtUninstallKB920683$ ->  [Folder | Created Date = 01/09/2007 11:08:15 | Attr =  H ]
$NtUninstallKB920685$ -> %SystemRoot%\$NtUninstallKB920685$ ->  [Folder | Created Date = 01/09/2007 11:19:16 | Attr =  H ]
$NtUninstallKB920872$ -> %SystemRoot%\$NtUninstallKB920872$ ->  [Folder | Created Date = 01/09/2007 11:13:37 | Attr =  H ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ ->  [Folder | Created Date = 01/09/2007 11:16:39 | Attr =  H ]
$NtUninstallKB922582$ -> %SystemRoot%\$NtUninstallKB922582$ ->  [Folder | Created Date = 01/09/2007 11:11:59 | Attr =  H ]
$NtUninstallKB922819$ -> %SystemRoot%\$NtUninstallKB922819$ ->  [Folder | Created Date = 01/09/2007 11:21:12 | Attr =  H ]
$NtUninstallKB923191$ -> %SystemRoot%\$NtUninstallKB923191$ ->  [Folder | Created Date = 01/09/2007 11:12:07 | Attr =  H ]
$NtUninstallKB923414$ -> %SystemRoot%\$NtUninstallKB923414$ ->  [Folder | Created Date = 01/09/2007 11:20:43 | Attr =  H ]
$NtUninstallKB923689$ -> %SystemRoot%\$NtUninstallKB923689$ ->  [Folder | Created Date = 01/09/2007 11:09:40 | Attr =  H ]
$NtUninstallKB923980$ -> %SystemRoot%\$NtUninstallKB923980$ ->  [Folder | Created Date = 01/09/2007 11:18:58 | Attr =  H ]
$NtUninstallKB924270$ -> %SystemRoot%\$NtUninstallKB924270$ ->  [Folder | Created Date = 01/09/2007 11:17:49 | Attr =  H ]
$NtUninstallKB924496$ -> %SystemRoot%\$NtUninstallKB924496$ ->  [Folder | Created Date = 01/09/2007 11:16:59 | Attr =  H ]
$NtUninstallKB924667$ -> %SystemRoot%\$NtUninstallKB924667$ ->  [Folder | Created Date = 01/09/2007 11:18:17 | Attr =  H ]
$NtUninstallKB925398_WMP64$ -> %SystemRoot%\$NtUninstallKB925398_WMP64$ ->  [Folder | Created Date = 01/09/2007 11:15:59 | Attr =  H ]
$NtUninstallKB925902$ -> %SystemRoot%\$NtUninstallKB925902$ ->  [Folder | Created Date = 01/09/2007 11:15:07 | Attr =  H ]
$NtUninstallKB926255$ -> %SystemRoot%\$NtUninstallKB926255$ ->  [Folder | Created Date = 01/09/2007 11:11:37 | Attr =  H ]
$NtUninstallKB926436$ -> %SystemRoot%\$NtUninstallKB926436$ ->  [Folder | Created Date = 01/09/2007 11:13:46 | Attr =  H ]
$NtUninstallKB927779$ -> %SystemRoot%\$NtUninstallKB927779$ ->  [Folder | Created Date = 01/09/2007 11:21:29 | Attr =  H ]
$NtUninstallKB927802$ -> %SystemRoot%\$NtUninstallKB927802$ ->  [Folder | Created Date = 01/09/2007 11:21:21 | Attr =  H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ ->  [Folder | Created Date = 02/09/2007 19:01:29 | Attr =  H ]
$NtUninstallKB928255$ -> %SystemRoot%\$NtUninstallKB928255$ ->  [Folder | Created Date = 01/09/2007 11:20:28 | Attr =  H ]
$NtUninstallKB928843$ -> %SystemRoot%\$NtUninstallKB928843$ ->  [Folder | Created Date = 01/09/2007 11:07:32 | Attr =  H ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Created Date = 01/09/2007 11:14:55 | Attr =  H ]
$NtUninstallKB930178$ -> %SystemRoot%\$NtUninstallKB930178$ ->  [Folder | Created Date = 01/09/2007 11:13:17 | Attr =  H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ ->  [Folder | Created Date = 01/09/2007 11:10:18 | Attr =  H ]
$NtUninstallKB931261$ -> %SystemRoot%\$NtUninstallKB931261$ ->  [Folder | Created Date = 01/09/2007 11:17:38 | Attr =  H ]
$NtUninstallKB931784$ -> %SystemRoot%\$NtUninstallKB931784$ ->  [Folder | Created Date = 01/09/2007 11:20:05 | Attr =  H ]
$NtUninstallKB932168$ -> %SystemRoot%\$NtUninstallKB932168$ ->  [Folder | Created Date = 01/09/2007 11:12:27 | Attr =  H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ ->  [Folder | Created Date = 01/09/2007 11:10:44 | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Created Date = 01/09/2007 11:08:37 | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Created Date = 01/09/2007 11:10:36 | Attr =  H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ ->  [Folder | Created Date = 01/09/2007 11:18:41 | Attr =  H ]
$NtUninstallKB936357$ -> %SystemRoot%\$NtUninstallKB936357$ ->  [Folder | Created Date = 01/09/2007 11:16:49 | Attr =  H ]
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 13, 2007, 01:55:06 AM
$NtUninstallKB936782_WMP9$ -> %SystemRoot%\$NtUninstallKB936782_WMP9$ ->  [Folder | Created Date = 01/09/2007 11:17:27 | Attr =  H ]
$NtUninstallKB937143$ -> %SystemRoot%\$NtUninstallKB937143$ ->  [Folder | Created Date = 01/09/2007 11:08:53 | Attr =  H ]
$NtUninstallKB938127$ -> %SystemRoot%\$NtUninstallKB938127$ ->  [Folder | Created Date = 01/09/2007 11:11:06 | Attr =  H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ ->  [Folder | Created Date = 01/09/2007 11:18:26 | Attr =  H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ ->  [Folder | Created Date = 01/09/2007 11:16:20 | Attr =  H ]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 109056 bytes | Created Date = 08/09/2007 12:14:21 | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 08/09/2007 12:16:23 | Attr =    ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 08/09/2007 12:14:21 | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 31/08/2007 21:38:33 | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 31/08/2007 21:38:33 | Attr =  H ]
snymsico.dll -> %SystemRoot%\snymsico.dll -> Sony Corporation [Ver = 1, 0, 0, 09120 | Size = 90112 bytes | Created Date = 20/06/2007 21:11:15 | Attr =    ]
CDDBControl.dll -> %System32%\CDDBControl.dll -> Gracenote (formerly CDDB, Inc.) [Ver = 2, 0, 0, 13 | Size = 630784 bytes | Created Date = 20/06/2007 21:10:30 | Attr =    ]
CddbLangES.dll -> %System32%\CddbLangES.dll -> Gracenote [Ver = 2, 0, 0, 1 | Size = 110592 bytes | Created Date = 20/06/2007 21:10:30 | Attr =    ]
CDDBUI.dll -> %System32%\CDDBUI.dll -> Gracenote [Ver = 2, 0, 0, 13 | Size = 757760 bytes | Created Date = 20/06/2007 21:10:31 | Attr =    ]
moveex.exe -> %System32%\moveex.exe ->  [Ver =  | Size = 38400 bytes | Created Date = 08/09/2007 12:14:21 | Attr =    ]
PreInstall -> %System32%\PreInstall ->  [Folder | Created Date = 01/09/2007 9:07:17 | Attr =    ]
px.dll -> %System32%\px.dll -> Sonic Solutions [Ver = 2.0.60.500 | Size = 360448 bytes | Created Date = 20/06/2007 21:10:29 | Attr =    ]
pxcpya64.exe -> %System32%\pxcpya64.exe -> Sonic Solutions [Ver = 1.00.28a | Size = 56832 bytes | Created Date = 20/06/2007 21:10:30 | Attr =    ]
pxcpyi64.exe -> %System32%\pxcpyi64.exe -> Sonic Solutions [Ver = 1.00.28a | Size = 108544 bytes | Created Date = 20/06/2007 21:10:30 | Attr =    ]
pxdrv.dll -> %System32%\pxdrv.dll -> Sonic Solutions [Ver = 1.01.23a | Size = 397312 bytes | Created Date = 20/06/2007 21:10:29 | Attr =    ]
pxhpinst.exe -> %System32%\pxhpinst.exe -> Sonic Solutions [Ver = 2.03.18a | Size = 57344 bytes | Created Date = 20/06/2007 21:10:29 | Attr =    ]
pxinsa64.exe -> %System32%\pxinsa64.exe -> Sonic Solutions [Ver = 2.03.18a | Size = 54272 bytes | Created Date = 20/06/2007 21:10:29 | Attr =    ]
pxinsi64.exe -> %System32%\pxinsi64.exe -> Sonic Solutions [Ver = 2.03.18a | Size = 104960 bytes | Created Date = 20/06/2007 21:10:30 | Attr =    ]
pxmas.dll -> %System32%\pxmas.dll -> Sonic Solutions [Ver = 2.0.60.500 | Size = 155648 bytes | Created Date = 20/06/2007 21:10:29 | Attr =    ]
pxwave.dll -> %System32%\pxwave.dll -> Sonic Solutions [Ver = 2.0.60.500 | Size = 339968 bytes | Created Date = 20/06/2007 21:10:29 | Attr =    ]
pxwma.dll -> %System32%\pxwma.dll -> Sonic Solutions [Ver = 1, 0, 0, 3 | Size = 151552 bytes | Created Date = 20/06/2007 21:10:29 | Attr =    ]
SoftwareDistribution -> %System32%\SoftwareDistribution ->  [Folder | Created Date = 31/08/2007 21:20:15 | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 08/09/2007 12:14:21 | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 08/09/2007 12:14:20 | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 08/09/2007 12:14:20 | Attr =    ]
VFind.exe -> %System32%\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 08/09/2007 12:14:21 | Attr =    ]
vxblock.dll -> %System32%\vxblock.dll -> Sonic Solutions [Ver = 1.00.61a | Size = 28672 bytes | Created Date = 20/06/2007 21:10:29 | Attr =    ]
NETMD031.sys -> %System32%\drivers\NETMD031.sys -> Sony Corporation [Ver = 1.3.11.04010 | Size = 35319 bytes | Created Date = 20/06/2007 21:11:15 | Attr =    ]
NETMD033.sys -> %System32%\drivers\NETMD033.sys -> Sony Corporation [Ver = 1.3.30.11110 | Size = 36232 bytes | Created Date = 20/06/2007 21:11:15 | Attr =    ]
NETMDUSB.sys -> %System32%\drivers\NETMDUSB.sys -> Sony Corporation [Ver = 1.2.10.08080 | Size = 38951 bytes | Created Date = 20/06/2007 21:11:15 | Attr =    ]
NWWMUSB.sys -> %System32%\drivers\NWWMUSB.sys -> Sony Corporation [Ver = 1.3.00.07090 | Size = 27255 bytes | Created Date = 20/06/2007 21:11:39 | Attr =    ]
PxHelp20.sys -> %System32%\drivers\PxHelp20.sys -> Sonic Solutions [Ver = 2.03.18a | Size = 20576 bytes | Created Date = 20/06/2007 21:10:30 | Attr =    ]
VMCUSB.sys -> %System32%\drivers\VMCUSB.sys -> Sony Corporation [Ver = 1.3.04.09110 | Size = 11510 bytes | Created Date = 20/06/2007 21:11:29 | Attr =    ]

[Files/Folders - Modified Within 90 days]
Archivos de programa -> %ProgramFiles% ->  [Folder | Modified Date = 04/09/2007 1:13:50 | Attr = R  ]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Modified Date = 08/09/2007 13:21:18 | Attr =    ]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 20/08/2007 22:50:34 | Attr =  H ]
sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 20/08/2007 23:28:40 | Attr =  H ]
sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 21/08/2007 11:32:02 | Attr =  H ]
sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 21/08/2007 18:18:10 | Attr =  H ]
sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 21/08/2007 22:09:26 | Attr =  H ]
sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 22/08/2007 20:50:38 | Attr =  H ]
sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 20/06/2007 22:15:48 | Attr =  H ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 05/07/2007 0:41:16 | Attr =  H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 05/07/2007 12:34:22 | Attr =  H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 09/07/2007 10:10:56 | Attr =  H ]
sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 09/07/2007 18:53:12 | Attr =  H ]
sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 09/07/2007 22:23:38 | Attr =  H ]
sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 25/07/2007 11:37:32 | Attr =  H ]
sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 10/08/2007 18:37:58 | Attr =  H ]
sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 13/08/2007 23:55:12 | Attr =  H ]
sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 14/08/2007 0:23:26 | Attr =  H ]
sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 14/08/2007 8:48:28 | Attr =  H ]
sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 14/08/2007 11:01:42 | Attr =  H ]
sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 14/08/2007 11:47:58 | Attr =  H ]
sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 14/08/2007 14:20:36 | Attr =  H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 20/08/2007 22:50:34 | Attr =  H ]
sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 20/08/2007 23:28:40 | Attr =  H ]
sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 21/08/2007 11:32:02 | Attr =  H ]
sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 21/08/2007 18:18:10 | Attr =  H ]
sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 21/08/2007 22:09:26 | Attr =  H ]
sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 22/08/2007 20:50:38 | Attr =  H ]
sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 20/06/2007 22:15:48 | Attr =  H ]
sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 05/07/2007 0:41:16 | Attr =  H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 05/07/2007 12:34:22 | Attr =  H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 09/07/2007 10:10:56 | Attr =  H ]
sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 09/07/2007 18:53:12 | Attr =  H ]
sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 09/07/2007 22:23:38 | Attr =  H ]
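A small triage script for listings in this shape, added here as an example; it is not part of the thread, and not a tool from any scanner vendor. It parses each `name -> path -> vendor [fields]` line, groups entries whose Created/Modified timestamps fall within a few minutes of each other (files that land together usually share an origin: one installer, one patch run, or one dropper), and pulls out executables that carry neither a vendor nor a version string, which is the first set worth hashing. The six sample lines are copied from the listing above; the five-minute window and the executable extension list are my own assumptions.

```python
"""Parse OTScanIt-style file listing lines and cluster them by timestamp.

Added example for triaging the listing posted in this thread; not part of
the original thread or of any scanner's own tooling.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: six lines copied from the posted listing, in the same
# shape as the rest of it. Everything below operates on this text only.
SAMPLE = r"""
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 109056 bytes | Created Date = 08/09/2007 12:14:21 | Attr =    ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 08/09/2007 12:14:21 | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 08/09/2007 12:16:23 | Attr =    ]
px.dll -> %System32%\px.dll -> Sonic Solutions [Ver = 2.0.60.500 | Size = 360448 bytes | Created Date = 20/06/2007 21:10:29 | Attr =    ]
$NtUninstallKB873339$ -> %SystemRoot%\$NtUninstallKB873339$ ->  [Folder | Created Date = 01/09/2007 11:17:08 | Attr =  H ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 31/08/2007 21:38:33 | Attr =  H ]
"""

# name -> path -> vendor [field | field | ...]; vendor may be empty.
LINE_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<vendor>[^\[]*)\[(?P<fields>[^\]]*)\]\s*$"
)
# Assumed set of "executable-type" extensions worth a closer look.
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


def parse_entry(line):
    """Return a dict for one listing line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {
        "name": m.group("name"),
        "path": m.group("path"),
        "vendor": m.group("vendor").strip(),
        "is_folder": False,
        "version": "",
        "size": None,
        "timestamp": None,
        "attr": "",
    }
    for field in m.group("fields").split("|"):
        field = field.strip()
        if field == "Folder":
            entry["is_folder"] = True
        elif "=" in field:
            key, _, value = field.partition("=")
            key, value = key.strip(), value.strip()
            if key == "Ver":
                entry["version"] = value
            elif key == "Size":
                entry["size"] = int(value.split()[0])      # "109056 bytes"
            elif key.endswith("Date"):                      # Created or Modified
                entry["timestamp"] = datetime.strptime(value, "%d/%m/%Y %H:%M:%S")
            elif key == "Attr":
                entry["attr"] = value
    return entry


def parse_listing(text):
    """Parse every recognisable line in a pasted listing, skipping the rest."""
    entries = (parse_entry(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def cluster_by_time(entries, window_seconds=300):
    """Sort by timestamp and group entries that arrived within the window of
    the previous entry. Each cluster is one burst of file-system activity."""
    dated = sorted((e for e in entries if e["timestamp"]), key=lambda e: e["timestamp"])
    window = timedelta(seconds=window_seconds)
    clusters = []
    for e in dated:
        if clusters and e["timestamp"] - clusters[-1][-1]["timestamp"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def executables_without_version_info(entries):
    """Executable-type files with neither vendor nor version string. Genuine
    system and driver binaries almost always carry both, so a bare PE under
    %SystemRoot% or %System32% is the first thing to hash and look up."""
    return [
        e for e in entries
        if not e["is_folder"]
        and e["name"].lower().endswith(EXEC_EXTS)
        and not e["vendor"] and not e["version"]
    ]


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for cluster in cluster_by_time(entries):
        first = cluster[0]["timestamp"].strftime("%d/%m/%Y %H:%M:%S")
        print(f"{first}  {len(cluster)} item(s): " + ", ".join(e["name"] for e in cluster))
    for e in executables_without_version_info(entries):
        print("no version info:", e["path"])
```

Paste the whole "[Files/Folders - Created Within 90 days]" and "Modified Within 90 days" sections into SAMPLE (or read them from a file) and the clusters line up with what you already know about the machine: the patch run on 01/09/2007, the Sony/Sonic install on 20/06/2007, and the 08/09/2007 12:14 burst. Anything created on its own, outside a burst you can account for, is what to send for a second opinion.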
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 13, 2007, 01:56:19 AM
sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 10/08/2007 18:37:56 | Attr =  H ]
sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 13/08/2007 23:55:12 | Attr =  H ]
sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 14/08/2007 0:23:24 | Attr =  H ]
sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 14/08/2007 8:48:28 | Attr =  H ]
sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 14/08/2007 11:01:42 | Attr =  H ]
sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 14/08/2007 11:47:58 | Attr =  H ]
sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 14/08/2007 14:20:36 | Attr =  H ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 08/09/2007 13:16:24 | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 02/09/2007 20:01:14 | Attr =  H ]
$MSI31Uninstall_KB893803v2$ -> %SystemRoot%\$MSI31Uninstall_KB893803v2$ ->  [Folder | Modified Date = 01/09/2007 10:07:52 | Attr =  H ]
$NtUninstallKB873339$ -> %SystemRoot%\$NtUninstallKB873339$ ->  [Folder | Modified Date = 01/09/2007 12:17:10 | Attr =  H ]
$NtUninstallKB885835$ -> %SystemRoot%\$NtUninstallKB885835$ ->  [Folder | Modified Date = 01/09/2007 12:21:04 | Attr =  H ]
$NtUninstallKB885836$ -> %SystemRoot%\$NtUninstallKB885836$ ->  [Folder | Modified Date = 01/09/2007 12:20:54 | Attr =  H ]
$NtUninstallKB886185$ -> %SystemRoot%\$NtUninstallKB886185$ ->  [Folder | Modified Date = 01/09/2007 12:10:32 | Attr =  H ]
$NtUninstallKB887472$ -> %SystemRoot%\$NtUninstallKB887472$ ->  [Folder | Modified Date = 01/09/2007 12:16:30 | Attr =  H ]
$NtUninstallKB888302$ -> %SystemRoot%\$NtUninstallKB888302$ ->  [Folder | Modified Date = 01/09/2007 12:11:28 | Attr =  H ]
$NtUninstallKB890046$ -> %SystemRoot%\$NtUninstallKB890046$ ->  [Folder | Modified Date = 01/09/2007 12:13:56 | Attr =  H ]
$NtUninstallKB890859$ -> %SystemRoot%\$NtUninstallKB890859$ ->  [Folder | Modified Date = 01/09/2007 12:07:52 | Attr =  H ]
$NtUninstallKB891781$ -> %SystemRoot%\$NtUninstallKB891781$ ->  [Folder | Modified Date = 01/09/2007 12:14:40 | Attr =  H ]
$NtUninstallKB893756$ -> %SystemRoot%\$NtUninstallKB893756$ ->  [Folder | Modified Date = 01/09/2007 12:19:10 | Attr =  H ]
$NtUninstallKB894391$ -> %SystemRoot%\$NtUninstallKB894391$ ->  [Folder | Modified Date = 01/09/2007 12:08:32 | Attr =  H ]
$NtUninstallKB896358$ -> %SystemRoot%\$NtUninstallKB896358$ ->  [Folder | Modified Date = 01/09/2007 12:16:10 | Attr =  H ]
$NtUninstallKB896423$ -> %SystemRoot%\$NtUninstallKB896423$ ->  [Folder | Modified Date = 01/09/2007 12:18:12 | Attr =  H ]
$NtUninstallKB896428$ -> %SystemRoot%\$NtUninstallKB896428$ ->  [Folder | Modified Date = 01/09/2007 12:08:46 | Attr =  H ]
$NtUninstallKB898461$ -> %SystemRoot%\$NtUninstallKB898461$ ->  [Folder | Modified Date = 01/09/2007 10:07:16 | Attr =  H ]
$NtUninstallKB899587$ -> %SystemRoot%\$NtUninstallKB899587$ ->  [Folder | Modified Date = 01/09/2007 12:21:40 | Attr =  H ]
$NtUninstallKB899591$ -> %SystemRoot%\$NtUninstallKB899591$ ->  [Folder | Modified Date = 01/09/2007 12:19:32 | Attr =  H ]
$NtUninstallKB900485$ -> %SystemRoot%\$NtUninstallKB900485$ ->  [Folder | Modified Date = 01/09/2007 12:18:04 | Attr =  H ]
$NtUninstallKB900725$ -> %SystemRoot%\$NtUninstallKB900725$ ->  [Folder | Modified Date = 01/09/2007 12:11:20 | Attr =  H ]
$NtUninstallKB901017$ -> %SystemRoot%\$NtUninstallKB901017$ ->  [Folder | Modified Date = 01/09/2007 12:19:44 | Attr =  H ]
$NtUninstallKB901190$ -> %SystemRoot%\$NtUninstallKB901190$ ->  [Folder | Modified Date = 01/09/2007 12:10:08 | Attr =  H ]
$NtUninstallKB901214$ -> %SystemRoot%\$NtUninstallKB901214$ ->  [Folder | Modified Date = 01/09/2007 12:12:20 | Attr =  H ]
$NtUninstallKB902400$ -> %SystemRoot%\$NtUninstallKB902400$ ->  [Folder | Modified Date = 01/09/2007 12:14:10 | Attr =  H ]
$NtUninstallKB904706$ -> %SystemRoot%\$NtUninstallKB904706$ ->  [Folder | Modified Date = 01/09/2007 12:10:14 | Attr =  H ]
$NtUninstallKB905414$ -> %SystemRoot%\$NtUninstallKB905414$ ->  [Folder | Modified Date = 01/09/2007 12:12:46 | Attr =  H ]
$NtUninstallKB905749$ -> %SystemRoot%\$NtUninstallKB905749$ ->  [Folder | Modified Date = 01/09/2007 12:09:50 | Attr =  H ]
$NtUninstallKB908519$ -> %SystemRoot%\$NtUninstallKB908519$ ->  [Folder | Modified Date = 01/09/2007 12:08:24 | Attr =  H ]
$NtUninstallKB908531$ -> %SystemRoot%\$NtUninstallKB908531$ ->  [Folder | Modified Date = 01/09/2007 12:09:58 | Attr =  H ]
$NtUninstallKB910437$ -> %SystemRoot%\$NtUninstallKB910437$ ->  [Folder | Modified Date = 01/09/2007 12:15:42 | Attr =  H ]
$NtUninstallKB911280$ -> %SystemRoot%\$NtUninstallKB911280$ ->  [Folder | Modified Date = 01/09/2007 12:18:52 | Attr =  H ]
$NtUninstallKB911562$ -> %SystemRoot%\$NtUninstallKB911562$ ->  [Folder | Modified Date = 01/09/2007 12:18:36 | Attr =  H ]
$NtUninstallKB911564$ -> %SystemRoot%\$NtUninstallKB911564$ ->  [Folder | Modified Date = 01/09/2007 12:15:34 | Attr =  H ]
$NtUninstallKB911927$ -> %SystemRoot%\$NtUninstallKB911927$ ->  [Folder | Modified Date = 01/09/2007 12:19:54 | Attr =  H ]
$NtUninstallKB913580$ -> %SystemRoot%\$NtUninstallKB913580$ ->  [Folder | Modified Date = 01/09/2007 12:09:18 | Attr =  H ]
$NtUninstallKB914388$ -> %SystemRoot%\$NtUninstallKB914388$ ->  [Folder | Modified Date = 01/09/2007 12:13:02 | Attr =  H ]
$NtUninstallKB914389$ -> %SystemRoot%\$NtUninstallKB914389$ ->  [Folder | Modified Date = 01/09/2007 12:08:08 | Attr =  H ]
$NtUninstallKB916595$ -> %SystemRoot%\$NtUninstallKB916595$ ->  [Folder | Modified Date = 01/09/2007 12:10:26 | Attr =  H ]
$NtUninstallKB917344$ -> %SystemRoot%\$NtUninstallKB917344$ ->  [Folder | Modified Date = 01/09/2007 12:12:54 | Attr =  H ]
$NtUninstallKB917953$ -> %SystemRoot%\$NtUninstallKB917953$ ->  [Folder | Modified Date = 01/09/2007 12:12:38 | Attr =  H ]
$NtUninstallKB918118$ -> %SystemRoot%\$NtUninstallKB918118$ ->  [Folder | Modified Date = 01/09/2007 12:11:50 | Attr =  H ]
$NtUninstallKB918439$ -> %SystemRoot%\$NtUninstallKB918439$ ->  [Folder | Modified Date = 01/09/2007 12:14:32 | Attr =  H ]
$NtUninstallKB919007$ -> %SystemRoot%\$NtUninstallKB919007$ ->  [Folder | Modified Date = 01/09/2007 12:13:10 | Attr =  H ]
$NtUninstallKB920213$ -> %SystemRoot%\$NtUninstallKB920213$ ->  [Folder | Modified Date = 01/09/2007 12:10:58 | Attr =  H ]
$NtUninstallKB920670$ -> %SystemRoot%\$NtUninstallKB920670$ ->  [Folder | Modified Date = 01/09/2007 12:14:48 | Attr =  H ]
$NtUninstallKB920683$ -> %SystemRoot%\$NtUninstallKB920683$ ->  [Folder | Modified Date = 01/09/2007 12:08:18 | Attr =  H ]
$NtUninstallKB920685$ -> %SystemRoot%\$NtUninstallKB920685$ ->  [Folder | Modified Date = 01/09/2007 12:19:18 | Attr =  H ]
$NtUninstallKB920872$ -> %SystemRoot%\$NtUninstallKB920872$ ->  [Folder | Modified Date = 01/09/2007 12:13:40 | Attr =  H ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ ->  [Folder | Modified Date = 01/09/2007 12:16:42 | Attr =  H ]
$NtUninstallKB922582$ -> %SystemRoot%\$NtUninstallKB922582$ ->  [Folder | Modified Date = 01/09/2007 12:12:02 | Attr =  H ]
$NtUninstallKB922819$ -> %SystemRoot%\$NtUninstallKB922819$ ->  [Folder | Modified Date = 01/09/2007 12:21:14 | Attr =  H ]
$NtUninstallKB923191$ -> %SystemRoot%\$NtUninstallKB923191$ ->  [Folder | Modified Date = 01/09/2007 12:12:10 | Attr =  H ]
$NtUninstallKB923414$ -> %SystemRoot%\$NtUninstallKB923414$ ->  [Folder | Modified Date = 01/09/2007 12:20:44 | Attr =  H ]
$NtUninstallKB923689$ -> %SystemRoot%\$NtUninstallKB923689$ ->  [Folder | Modified Date = 01/09/2007 12:09:44 | Attr =  H ]
$NtUninstallKB923980$ -> %SystemRoot%\$NtUninstallKB923980$ ->  [Folder | Modified Date = 01/09/2007 12:19:00 | Attr =  H ]
$NtUninstallKB924270$ -> %SystemRoot%\$NtUninstallKB924270$ ->  [Folder | Modified Date = 01/09/2007 12:17:52 | Attr =  H ]
$NtUninstallKB924496$ -> %SystemRoot%\$NtUninstallKB924496$ ->  [Folder | Modified Date = 01/09/2007 12:17:04 | Attr =  H ]
$NtUninstallKB924667$ -> %SystemRoot%\$NtUninstallKB924667$ ->  [Folder | Modified Date = 01/09/2007 12:18:18 | Attr =  H ]
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 13, 2007, 01:57:35 AM
$NtUninstallKB925398_WMP64$ -> %SystemRoot%\$NtUninstallKB925398_WMP64$ ->  [Folder | Modified Date = 01/09/2007 12:16:02 | Attr =  H ]
$NtUninstallKB925902$ -> %SystemRoot%\$NtUninstallKB925902$ ->  [Folder | Modified Date = 01/09/2007 12:15:10 | Attr =  H ]
$NtUninstallKB926255$ -> %SystemRoot%\$NtUninstallKB926255$ ->  [Folder | Modified Date = 01/09/2007 12:11:40 | Attr =  H ]
$NtUninstallKB926436$ -> %SystemRoot%\$NtUninstallKB926436$ ->  [Folder | Modified Date = 01/09/2007 12:13:48 | Attr =  H ]
$NtUninstallKB927779$ -> %SystemRoot%\$NtUninstallKB927779$ ->  [Folder | Modified Date = 01/09/2007 12:21:32 | Attr =  H ]
$NtUninstallKB927802$ -> %SystemRoot%\$NtUninstallKB927802$ ->  [Folder | Modified Date = 01/09/2007 12:21:22 | Attr =  H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ ->  [Folder | Modified Date = 02/09/2007 20:01:30 | Attr =  H ]
$NtUninstallKB928255$ -> %SystemRoot%\$NtUninstallKB928255$ ->  [Folder | Modified Date = 01/09/2007 12:20:32 | Attr =  H ]
$NtUninstallKB928843$ -> %SystemRoot%\$NtUninstallKB928843$ ->  [Folder | Modified Date = 01/09/2007 12:07:34 | Attr =  H ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Modified Date = 01/09/2007 12:14:58 | Attr =  H ]
$NtUninstallKB930178$ -> %SystemRoot%\$NtUninstallKB930178$ ->  [Folder | Modified Date = 01/09/2007 12:13:20 | Attr =  H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ ->  [Folder | Modified Date = 01/09/2007 12:10:20 | Attr =  H ]
$NtUninstallKB931261$ -> %SystemRoot%\$NtUninstallKB931261$ ->  [Folder | Modified Date = 01/09/2007 12:17:40 | Attr =  H ]
$NtUninstallKB931784$ -> %SystemRoot%\$NtUninstallKB931784$ ->  [Folder | Modified Date = 01/09/2007 12:20:08 | Attr =  H ]
$NtUninstallKB932168$ -> %SystemRoot%\$NtUninstallKB932168$ ->  [Folder | Modified Date = 01/09/2007 12:12:30 | Attr =  H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ ->  [Folder | Modified Date = 01/09/2007 12:10:46 | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Modified Date = 01/09/2007 12:08:40 | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Modified Date = 01/09/2007 12:10:40 | Attr =  H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ ->  [Folder | Modified Date = 01/09/2007 12:18:44 | Attr =  H ]
$NtUninstallKB936357$ -> %SystemRoot%\$NtUninstallKB936357$ ->  [Folder | Modified Date = 01/09/2007 12:16:52 | Attr =  H ]
$NtUninstallKB936782_WMP9$ -> %SystemRoot%\$NtUninstallKB936782_WMP9$ ->  [Folder | Modified Date = 01/09/2007 12:17:30 | Attr =  H ]
$NtUninstallKB937143$ -> %SystemRoot%\$NtUninstallKB937143$ ->  [Folder | Modified Date = 01/09/2007 12:09:00 | Attr =  H ]
$NtUninstallKB938127$ -> %SystemRoot%\$NtUninstallKB938127$ ->  [Folder | Modified Date = 01/09/2007 12:11:08 | Attr =  H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ ->  [Folder | Modified Date = 01/09/2007 12:18:28 | Attr =  H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ ->  [Folder | Modified Date = 01/09/2007 12:16:24 | Attr =  H ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 13/09/2007 1:21:44 | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 109056 bytes | Modified Date = 20/07/2007 0:47:24 | Attr =    ]
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 03/09/2007 17:41:46 | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 08/09/2007 13:16:24 | Attr =    ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 31/08/2007 22:20:26 | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1355 bytes | Modified Date = 02/09/2007 20:01:44 | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 02/09/2007 20:01:44 | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 04/09/2007 1:13:56 | Attr =  HS]
msagent -> %SystemRoot%\msagent ->  [Folder | Modified Date = 01/09/2007 15:12:22 | Attr =    ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 163 bytes | Modified Date = 09/09/2007 22:49:46 | Attr =    ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Modified Date = 17/06/2007 0:11:58 | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 13/09/2007 1:30:24 | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 31/08/2007 22:38:34 | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 31/08/2007 22:38:34 | Attr =  H ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 31/08/2007 22:20:26 | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 08/09/2007 13:14:22 | Attr =    ]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 13/09/2007 1:22:22 | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 01/09/2007 12:18:22 | Attr =    ]
WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx ->  [Ver =  | Size = 316640 bytes | Modified Date = 20/06/2007 22:08:08 | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 13/09/2007 1:21:52 | Attr =  H ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 783224 bytes | Modified Date = 28/07/2007 0:07:22 | Attr =    ]
AVASTSS.scr -> %System32%\AVASTSS.scr -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 95608 bytes | Modified Date = 27/07/2007 23:57:50 | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 03/09/2007 23:42:10 | Attr =    ]
Com -> %System32%\Com ->  [Folder | Modified Date = 01/09/2007 12:14:18 | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2958 bytes | Modified Date = 20/08/2007 22:48:22 | Attr =    ]
d3d9caps.dat -> %System32%\d3d9caps.dat ->  [Ver =  | Size = 664 bytes | Modified Date = 16/07/2007 0:03:46 | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 02/09/2007 20:01:34 | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 09/09/2007 20:51:02 | Attr =    ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 190592 bytes | Modified Date = 01/09/2007 15:12:24 | Attr =    ]
inetsrv -> %System32%\inetsrv ->  [Folder | Modified Date = 03/09/2007 23:42:16 | Attr =    ]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 53608 bytes | Modified Date = 03/09/2007 23:42:26 | Attr =    ]
perfc00A.dat -> %System32%\perfc00A.dat ->  [Ver =  | Size = 69864 bytes | Modified Date = 03/09/2007 23:42:26 | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 383254 bytes | Modified Date = 03/09/2007 23:42:26 | Attr =    ]
perfh00A.dat -> %System32%\perfh00A.dat ->  [Ver =  | Size = 443278 bytes | Modified Date = 03/09/2007 23:42:26 | Attr =    ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 958184 bytes | Modified Date = 03/09/2007 23:42:26 | Attr =    ]
PreInstall -> %System32%\PreInstall ->  [Folder | Modified Date = 01/09/2007 10:07:18 | Attr =    ]
px.dll -> %System32%\px.dll -> Sonic Solutions [Ver = 2.0.60.500 | Size = 360448 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
pxcpya64.exe -> %System32%\pxcpya64.exe -> Sonic Solutions [Ver = 1.00.28a | Size = 56832 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
pxcpyi64.exe -> %System32%\pxcpyi64.exe -> Sonic Solutions [Ver = 1.00.28a | Size = 108544 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
pxdrv.dll -> %System32%\pxdrv.dll -> Sonic Solutions [Ver = 1.01.23a | Size = 397312 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
pxhpinst.exe -> %System32%\pxhpinst.exe -> Sonic Solutions [Ver = 2.03.18a | Size = 57344 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
pxinsa64.exe -> %System32%\pxinsa64.exe -> Sonic Solutions [Ver = 2.03.18a | Size = 54272 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
pxinsi64.exe -> %System32%\pxinsi64.exe -> Sonic Solutions [Ver = 2.03.18a | Size = 104960 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
pxmas.dll -> %System32%\pxmas.dll -> Sonic Solutions [Ver = 2.0.60.500 | Size = 155648 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
pxwave.dll -> %System32%\pxwave.dll -> Sonic Solutions [Ver = 2.0.60.500 | Size = 339968 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
pxwma.dll -> %System32%\pxwma.dll -> Sonic Solutions [Ver = 1, 0, 0, 3 | Size = 151552 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
SoftwareDistribution -> %System32%\SoftwareDistribution ->  [Folder | Modified Date = 31/08/2007 22:20:18 | Attr =    ]
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 13, 2007, 01:59:32 AM
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 22/07/2007 18:39:28 | Attr =    ]
vxblock.dll -> %System32%\vxblock.dll -> Sonic Solutions [Ver = 1.00.61a | Size = 28672 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 12/09/2007 10:45:50 | Attr =    ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 26624 bytes | Modified Date = 27/07/2007 23:58:36 | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 92848 bytes | Modified Date = 28/07/2007 0:02:50 | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 94416 bytes | Modified Date = 28/07/2007 0:02:34 | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 23152 bytes | Modified Date = 28/07/2007 0:00:40 | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 42912 bytes | Modified Date = 27/07/2007 23:59:58 | Attr =    ]
PxHelp20.sys -> %System32%\drivers\PxHelp20.sys -> Sonic Solutions [Ver = 2.03.18a | Size = 20576 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]

[File String Scan - Non-Microsoft Only]
WSUD ,  -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.2.0.44 | Size = 18726912 bytes | Modified Date = 18/05/2005 9:17:54 | Attr = R  ]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 783224 bytes | Modified Date = 28/07/2007 0:07:22 | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41129 bytes | Modified Date = 24/08/2001 12:00:00 | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 22/07/2007 18:39:28 | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 24/08/2001 12:00:00 | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 24/08/2001 12:00:00 | Attr =    ]
PTech ,  -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 03/08/2004 22:41:38 | Attr =    ]

< End of report >


Seems a hell of a lot of info. Thanks for all your help.
Yet again I have no untoward activity on this connection.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on September 14, 2007, 04:26:01 AM
seems a hell of a lot of info.
That's because it is a hell of a lot of info  ;D

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Files/Folders - Created Within 90 days]
NY -> sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm
NY -> sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm
NY -> sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm
NY -> sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm
NY -> sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm
NY -> sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm
NY -> sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm
NY -> sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm
NY -> sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm
NY -> sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm
NY -> sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm
NY -> sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm
NY -> sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm
NY -> sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm
NY -> sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm
NY -> sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm
NY -> sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm
NY -> sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm
NY -> sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm
NY -> sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm
NY -> sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm
NY -> sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm
NY -> sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm
NY -> sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm
NY -> sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm
NY -> sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm
NY -> sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm
NY -> sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm
NY -> sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm
NY -> sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm
[Files/Folders - Modified Within 90 days]
NY -> sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm
NY -> sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm
NY -> sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm
NY -> sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm
NY -> sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm
NY -> sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm
NY -> sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm
NY -> sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm
NY -> sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm
NY -> sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm
NY -> sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm
NY -> sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm
NY -> sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm
NY -> sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm
NY -> sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm
NY -> sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm
NY -> sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm
NY -> sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm
NY -> sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm
NY -> sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm
NY -> sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm
NY -> sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm
NY -> sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm
NY -> sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm
NY -> sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm
NY -> sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm
NY -> sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm
NY -> sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm
NY -> sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm
NY -> sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm
NY -> sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm
NY -> sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm
NY -> sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm
NY -> sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm
NY -> sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm
NY -> sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm
NY -> sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm
NY -> sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm
NY -> sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm
NY -> WMSysPr9.prx -> %SystemRoot%\WMSysPr9.prx
NY -> d3d9caps.dat -> %System32%\d3d9caps.dat

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here. (Many of the files I've listed are duplicates, so you will see a lot of "file not found". That's OK - just post the entire log.)

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.

After posting the WinPFind3u results please delete the copy of ComboFix you have and get a fresh copy Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).  Then post new ComboFix and HJT logs, running the programs in that order.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: lad from leigh on September 30, 2007, 02:24:10 PM
Sorry for the delay. Been on holiday.

Listen, I really appreciate all the help. But I was already in unknown waters as regards understanding exactly what's going on, so in the end I decided to re-install from scratch. The only things I had saved were photos and the odd bit of music and films, most of which were backed up on CD. I've got no indication of the original problem since re-installing either so, fingers crossed, it's all OK. I've learnt a lot from the experience and it's good to see there are good people willing to help others without any self interest. Thanks again.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: Lisandro on September 30, 2007, 05:01:46 PM
I've got no indication of the original problem since re-installing either so, fingers crossed, it's all OK.
You've chosen the deepest way to get rid of an infection... anyway, glad you're clean now.
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: mauserme on October 01, 2007, 04:33:58 AM
Ah - we were so close ...

But if you're more comfortable this way it's for the best  :)
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: skruger on October 10, 2007, 06:13:17 AM
I Have exactly the same problem...have you found a solution?
Title: Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
Post by: oldman on October 10, 2007, 06:23:28 AM
Hi, welcome to the forum.

As mauserme said, they were close to cleaning that computer.

Bear in mind that the fixes in this thread may not apply to your situation. Even though your problem may seem the same, it may be a completely different trojan/virus.

To get the best help possible, please start your own thread, for two reasons: 1) you may not get noticed here, and 2) like I said, your problem may be slightly different, so the fix will be different and there won't be any confusing of the logs.