Help! Mysterious virus sending thousands of spam e-mails from my PC :(

[DavidR]

I assume that it wasn't anything to do with combofix otherwise that probably wouldn't have run if something was missing.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

I will let Keith look after your combofix log but the unloading of a rootkit driver looks promising.

If you ran HJT and log you posted before combofix then can you run it again and post the contents.

[mauserme]

p.s. is it normal that when i downloaded combofix, my avast antivirus alerted me of a trojan virus and there was an attempt to change the search criteria of my google search bar? i moved the trojan to the avast virus chest.

Some av's will give you an alert but normally not avast!  I just downloaded from both sites with no warnings at all, so I would say you have something else at work in the background.

It looks like msasvc.exe is still loading as a service but is (was) being hidden by the rootkit.  We still have some work to do.

Ditto to everything David posted, especially running HJT after ComboFix and posting both logs again.  Ideally this can be done with no re-boot between the scans, but if ComboFix needs a reboot let that happen.


Please also scan this file at Virus Total[/u][/color] and post the results

C:\Archivos de programa\delete.exe

[DavidR]

It looks like msasvc.exe is still loading as a service but is (was) being hidden by the rootkit.  We still have some work to do.

That is interesting and possibly a clue that a rootkit might be at work if an otherwise malicious file indicated on a google search, etc. shows up in the HJT log as file missing, especially if that is a service entry.
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing).

It also seems that many email spambots that are nor noticed by their email activity are being hidden by rootkits as these are becoming more frequent in the forums.

A good time to stop them getting established (files in system folders and registry entries) via DropMyRights.

@ lad from leigh
Once the dark and sticky stuff is cleaned off the fan - You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP. Check Bob's, setup instructions and importantly the dropmyrights.msi file needed as MS have now cleared the original link.
http://mysharedfiles.no-ip.org/dropmyrights

[mauserme]

[That is interesting and possibly a clue that a rootkit might be at work if an otherwise malicious file indicated on a google search, etc. shows up in the HJT log as file missing, especially if that is a service entry.
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing).

My thoughts as well.

It would be easy enough to stop and delete the service but I'm afraid it is being being restored by a process we haven't found yet (just as the 023 returned in HJT after being fixed (I assume the instructions to fix that line were followed)).


EDIT:  By way of clarification, MsaSvc is still registered as a service with startup type = auto.  But the service was actually stopped when ComboFix was run.

[mbourne]

Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

Does combofix run in a command prompt window? If so, I suspect the stall is caused by a mouse click selecting an area of the screen for copying when QuickEdit mode is enabled for the command prompt. Right-clicking inside the window should remove the selection and allow combofix to continue (this also copies the selected area to clipboard).

[mauserme]

[Does combofix run in a command prompt window?  ...

Yes, it does.  You may be right about the cause of the potential hang - I honestly don't know.  But given the nature of what it does - quarantining malware in addition to generating a text log - it would be best to avoid hanging it.

[mbourne]

But given the nature of what it does - quarantining malware in addition to generating a text log - it would be best to avoid hanging it.

Agreed, I was more suggesting a possible way of un-hanging it if someone were to accidentally click in the window and find that it hung, without needing to kill and re-start the program.

[lad from leigh]

the virus notification that i mentioned is described as follows:

Name: Cfiles.cf
Original location: C/Combofix
Virus: Win32 Dadobra-Ey (Trj)

I´ve passed the delete.exe file through virus total and it gave the ok.

I´ve also been on the internet about an hour now and not once has the avast mail scanner notified me of untoward goings on, which is the first time! I did the HJT fix on the files you told me to.

This is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:35:02, on 08/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\VM_STI.EXE
C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe
C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
C:\Archivos de programa\internet explorer\iexplore.exe
C:\Documents and Settings\DAD\Escritorio\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC210NC Webcam
O4 - HKLM\..\Run: [SsAAD.exe] C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Archivos de programa\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TrayMin210.exe.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\ARCHIV~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 7659 bytes


I´ll get right on to what you´ve said about using my pc as and administrator, it makes a lot of sense. thanks for the tip.
i appreciate all the help.

[mauserme]

Well, if you're reluctant to run ComboFix again can you post the contents of C:\ComboFix-quarantined-files.txt

[lad from leigh]

heres the new combofix log, although in executing the programme, the same virus message came up as before!! so i moved it to the virus chest.

ComboFix 07-09-08.7 - "DAD" 2007-09-09 20:50:58.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.3082.18.168 [GMT 2:00]
.

(((((((((((((((((((((((((   Files Created from 2007-08-09 to 2007-09-09  )))))))))))))))))))))))))))))))
.

2007-09-08 13:14   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-09-04 01:13   <DIR>   d--------   C:\DOCUME~1\DAD\DATOSD~1\SUPERAntiSpyware.com
2007-09-04 01:13   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DATOSD~1\SUPERAntiSpyware.com
2007-09-04 01:13   <DIR>   d--------   C:\Archivos de programa\SUPERAntiSpyware
2007-09-04 01:13   <DIR>   d--------   C:\Archivos de programa\Archivos comunes\Wise Installation Wizard
2007-09-01 10:07   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 11:18   ---------   d--------   C:\DOCUME~1\DAD\DATOSD~1\Skype
2007-09-01 10:13   ---------   d--------   C:\Archivos de programa\eMule
2007-07-30 19:19   92504   --a------   C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19   549720   --a------   C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19   53080   --a------   C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19   43352   --a------   C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19   325976   --a------   C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19   203096   --a------   C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19   1712984   --a------   C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18   33624   --a------   C:\WINDOWS\system32\wups.dll
2007-07-28 00:07   783224   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-28 00:02   94416   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 00:02   92848   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 00:00   23152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 23:59   42912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 23:58   26624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 23:57   95608   --a------   C:\WINDOWS\system32\AVASTSS.scr
2007-06-26 08:09   1104896   --a------   C:\WINDOWS\system32\msxml3.dll
2007-06-20 22:10   151552   ---------   C:\WINDOWS\system32\pxwma.dll
2007-06-20 22:10   108544   ---------   C:\WINDOWS\system32\pxcpyi64.exe
2007-06-20 22:10   104960   ---------   C:\WINDOWS\system32\pxinsi64.exe
2007-06-19 15:30   282112   --a------   C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:22   1035776   --a------   C:\WINDOWS\explorer.exe
2004-11-30 15:23   40960   -r-------   C:\Archivos de programa\delete.exe
.

(((((((((((((((((((((((((((((   snapshot_2007-09-08_132115.62   )))))))))))))))))))))))))))))))))))))))))
.
----atw            16,384 2007-09-09 18:32:58  C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat
----atw            16,384 2007-09-09 08:17:08  C:\WINDOWS\Temp\Perflib_Perfdata_498.dat
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 08:01 C:\WINDOWS\sm56hlpr.exe]
"mmtask"="C:\Archivos de programa\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-12-01 14:49]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 12:48 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" []
"ISUSPM Startup"="C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 11:41]
"ISUSScheduler"="C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" [2004-04-13 05:07]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"WinampAgent"="C:\Archivos de programa\Winamp\winampa.exe" [2005-10-27 01:01]
"avast!"="C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-06-09 15:37]
"SsAAD.exe"="C:\ARCHIV~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:42]
"RealPlayer"="C:\Archivos de programa\Real\RealPlayer\realplay.exe" [2006-06-02 18:20]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 18:35]
"SUPERAntiSpyware"="C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\MENINI~1\PROGRA~1\Inicio\
Inicio r pido de Adobe Reader.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
TrayMin210.exe.lnk - C:\Archivos de programa\Philips\Philips SPC210NC Webcam\TrayMin210.exe [2007-04-20 21:52:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Archivos de programa\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll

S2 MsaSvc;Microsoft authenticate service;C:\WINDOWS\system32\msasvc.exe
S3 admjoy;Aureal Game Port Enumerator;C:\WINDOWS\system32\DRIVERS\admjoy.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 20:52:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-09 20:53:03
C:\ComboFix-quarantined-files.txt ... 2007-09-09 20:52
C:\ComboFix2.txt ... 2007-09-08 13:21
.
   --- E O F ---

[lad from leigh]

p.s. the quarantined files.

Code: [Select]

2006-06-13 23:06      104    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\DAD\ESCRIT~1\Internet.lnk.vir
2006-12-27 18:15      1442985    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\DAD\DATOSD~1\Install.dat.vir
2007-07-08 21:23      15399    --a------    C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir


Listado de rutas de carpetas
El n£mero de serie del volumen es 6413-090A
C:\QOOBOX\QUARANTINE
+---C
|   +---ComboFix
|   |       FProps.vbs.vir
|   |       
|   \---DOCUME~1
|       \---DAD
|           +---DATOSD~1
|           |       Install.dat.vir
|           |       
|           \---ESCRIT~1
|                   Internet.lnk.vir
|                   
\---Registry_backups


thanks.

[mauserme]

Its good that the outgoing email has subsided but unless I can see logically why something is fixed I'm never satisfied that it is fixed.  Unfortunatey I don't see the logic yet - not enough, at least.

I know you're ready to be done with this but please post a WinPFind3U log so I can have a closer look at things.  This log will be long - typically requiring several posts to fit everything.

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

• Close ALL OTHER PROGRAMS.
  
• Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
  Non-Microsoft Only
  
• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

[lad from leigh]

ok
WinPFind3 logfile created on: 13/09/2007 1:30:54
WinPFind3U by OldTimer - Version 1.0.42   Folder = C:\Documents and Settings\DAD\Escritorio\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)
 
447,48 Mb Total Physical Memory | 193,83 Mb Available Physical Memory | 43,32% Memory free
1,03 Gb Paging File | 0,83 Gb Available in Paging File | 80,81% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 152,66 Gb Total Space | 102,07 Gb Free Space | 66,87% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: LEE
Current User Name: DAD
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 75128 bytes | Modified Date = 28/07/2007 0:03:34 | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 243064 bytes | Modified Date = 28/07/2007 0:03:08 | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 132472 bytes | Modified Date = 28/07/2007 0:03:28 | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 345464 bytes | Modified Date = 28/07/2007 0:02:20 | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 16248 bytes | Modified Date = 27/07/2007 23:52:46 | Attr =    ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 10/08/2007 18:35:12 | Attr =    ]
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 3, 00, 100, 1161 | Size = 69632 bytes | Modified Date = 13/04/2004 5:07:18 | Attr =    ]
mmtask.exe -> %ProgramFiles%\Musicmatch\Musicmatch Jukebox\mmtask.exe -> Musicmatch Inc. [Ver = 9.0.0.1 | Size = 53248 bytes | Modified Date = 01/12/2004 14:49:10 | Attr =    ]
sm56hlpr.exe -> %SystemRoot%\sm56hlpr.exe -> Motorola Inc. [Ver = 6.09.07 | Size = 544768 bytes | Modified Date = 29/12/2004 8:01:56 | Attr = R  ]
soundman.exe -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5.1.0.39 | Size = 77824 bytes | Modified Date = 17/05/2005 12:48:32 | Attr = R  ]
ssaad.exe -> %ProgramFiles%\Sony\SonicStage\SSAAD.exe ->  [Ver = 3.0.00.13241 | Size = 81920 bytes | Modified Date = 24/01/2005 19:58:02 | Attr =    ]
ssscsisv.exe -> %CommonProgramFiles%\Sony Shared\AVLib\SSScsiSV.exe -> Sony Corporation [Ver = 3.0.00.13241 | Size = 69632 bytes | Modified Date = 24/01/2005 18:36:52 | Attr =    ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 14:06:28 | Attr =    ]
traymin210.exe -> %ProgramFiles%\Philips\Philips SPC210NC Webcam\TrayMin210.exe ->  [Ver = 1, 0, 0, 4 | Size = 278528 bytes | Modified Date = 10/05/2006 13:24:34 | Attr =    ]
vm_sti.exe -> %SystemRoot%\VM_STI.EXE -> BIGDOG [Ver = 4, 2, 610, 4 | Size = 40960 bytes | Modified Date = 09/06/2004 15:37:02 | Attr =    ]
winampa.exe -> %ProgramFiles%\Winamp\winampa.exe ->  [Ver =  | Size = 33792 bytes | Modified Date = 27/10/2005 1:01:14 | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 04/09/2007 10:47:26 | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 16248 bytes | Modified Date = 27/07/2007 23:52:46 | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 132472 bytes | Modified Date = 28/07/2007 0:03:28 | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 243064 bytes | Modified Date = 28/07/2007 0:03:08 | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 345464 bytes | Modified Date = 28/07/2007 0:02:20 | Attr =    ]
(dmadmin) Servicio del administrador de discos lógicos [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., VERITAS Software [Ver = 2600.2180.503.0 | Size = 225792 bytes | Modified Date = 19/08/2004 15:42:44 | Attr =    ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 27/01/2007 10:12:26 | Attr =    ]
(MsaSvc) Microsoft authenticate service [Win32_Own | Auto | Stopped] -> %System32%\msasvc.exe -> File not found
(MSCSPTISRV) MSCSPTISRV [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\MSCSPTISRV.exe -> Sony Corporation [Ver = 4.1.00.13261 | Size = 53337 bytes | Modified Date = 26/01/2005 15:30:04 | Attr =    ]
(PACSPTISVR) PACSPTISVR [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\PACSPTISVR.exe -> Sony Corporation [Ver = 4.1.00.13261 | Size = 53337 bytes | Modified Date = 26/01/2005 15:25:34 | Attr =    ]
(SPTISRV) Sony SPTI Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Sony Shared\AVLib\SPTISRV.exe -> Sony Corporation [Ver = 4.1.00.13261 | Size = 69718 bytes | Modified Date = 26/01/2005 15:20:14 | Attr =    ]
(SSScsiSV) SonicStage SCSI Service [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Sony Shared\AVLib\SSScsiSV.exe -> Sony Corporation [Ver = 3.0.00.13241 | Size = 69632 bytes | Modified Date = 24/01/2005 18:36:52 | Attr =    ]

[Driver Services - Non-Microsoft Only]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 26624 bytes | Modified Date = 27/07/2007 23:58:36 | Attr =    ]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->  -> File not found
(admjoy) Aureal Game Port Enumerator [Kernel | On_Demand | Stopped] -> %System32%\drivers\admjoy.sys -> Aureal, Inc. [Ver = 5.12.01.1500 | Size = 10880 bytes | Modified Date = 03/08/2004 22:32:24 | Attr =    ]
(adpu160m) adpu160m [Kernel | Disabled | Stopped] ->  -> File not found
(Aha154x) Aha154x [Kernel | Disabled | Stopped] ->  -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->  -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] ->  -> File not found
(ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\ALCXWDM.SYS -> Realtek Semiconductor Corp. [Ver = 5.10.5850 built by: WinDDK | Size = 2319680 bytes | Modified Date = 18/05/2005 11:50:30 | Attr = R  ]
(AliIde) AliIde [Kernel | Disabled | Stopped] ->  -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] ->  -> File not found
(asc) asc [Kernel | Disabled | Stopped] ->  -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] ->  -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] ->  -> File not found
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 94416 bytes | Modified Date = 28/07/2007 0:02:34 | Attr =    ]
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 23152 bytes | Modified Date = 28/07/2007 0:00:40 | Attr =    ]
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1029.0 | Size = 42912 bytes | Modified Date = 27/07/2007 23:59:58 | Attr =    ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] ->  -> File not found
(AvFlt) Antivirus Filter Driver [File_System | On_Demand | Stopped] -> %System32%\drivers\av5flt.sys -> File not found
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\DAD\CONFIG~1\Temp\catchme.sys -> File not found
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->  -> File not found
(Changer) Changer [Kernel | System | Stopped] ->  -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] ->  -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->  -> File not found
(dac960nt) dac960nt [Kernel | Disabled | Stopped] ->  -> File not found

[lad from leigh]

....
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 800256 bytes | Modified Date = 19/08/2004 15:28:34 | Attr =    ]
(dmio) Controlador del administrador de discos lógicos [Kernel | Boot | Running] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 154240 bytes | Modified Date = 19/08/2004 15:28:40 | Attr =    ]
(dmload) dmload [Kernel | Boot | Running] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 24/08/2001 12:00:00 | Attr =    ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] ->  -> File not found
(hpn) hpn [Kernel | Disabled | Stopped] ->  -> File not found
(i2omgmt) i2omgmt [Kernel | System | Stopped] ->  -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] ->  -> File not found
(ini910u) ini910u [Kernel | Disabled | Stopped] ->  -> File not found
(IntelIde) IntelIde [Kernel | Disabled | Stopped] ->  -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->  -> File not found
(mraid35x) mraid35x [Kernel | Disabled | Stopped] ->  -> File not found
(MxlW2k) MxlW2k [Kernel | On_Demand | Running] -> %System32%\drivers\MxlW2k.sys -> MusicMatch, Inc. [Ver = 1.1.0.121 | Size = 28352 bytes | Modified Date = 24/04/2006 1:03:10 | Attr =    ]
(PCIDump) PCIDump [Kernel | System | Stopped] ->  -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] ->  -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] ->  -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] ->  -> File not found
(Ptilink) Controlador de vínculo paralelo directo [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 24/08/2001 12:00:00 | Attr =    ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\PxHelp20.sys -> Sonic Solutions [Ver = 2.03.18a | Size = 20576 bytes | Modified Date = 20/06/2007 22:10:30 | Attr =    ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] ->  -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->  -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] ->  -> File not found
(rtl8139) Controlador de Windows NT del adaptador Fast Ethernet PCI basado en Realtek  RTL8139(A/B/C) [Kernel | On_Demand | Running] -> %System32%\drivers\RTL8139.sys -> Realtek Semiconductor Corporation [Ver = 5.398.613.2003 built by: WinDDK | Size = 20992 bytes | Modified Date = 03/08/2004 23:31:34 | Attr =    ]
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys ->  [Ver = 1, 0, 0, 1006 | Size = 5632 bytes | Modified Date = 10/10/2006 13:53:48 | Attr =    ]
(SASENUM) SASENUM [Kernel | On_Demand | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> SuperAdBlocker, Inc. [Ver = 1, 0, 0, 1002 | Size = 4096 bytes | Modified Date = 16/02/2006 17:51:08 | Attr = R  ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS ->  [Ver = 1, 0, 0, 1036 | Size = 32256 bytes | Modified Date = 27/02/2007 12:39:26 | Attr =    ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys ->  [Ver =  | Size = 27440 bytes | Modified Date = 17/07/2004 11:36:38 | Attr =    ]
(Simbad) Simbad [Kernel | Disabled | Stopped] ->  -> File not found
(smserial) smserial [Kernel | On_Demand | Running] -> %System32%\drivers\smserial.sys -> Motorola Inc. [Ver = SM56 Rel. 6.09 Build 07 | Size = 923826 bytes | Modified Date = 11/01/2005 9:25:10 | Attr = R  ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] ->  -> File not found
(symc810) symc810 [Kernel | Disabled | Stopped] ->  -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] ->  -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] ->  -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] ->  -> File not found
(TosIde) TosIde [Kernel | Disabled | Stopped] ->  -> File not found
(ultra) ultra [Kernel | Disabled | Stopped] ->  -> File not found
(WDICA) WDICA [Kernel | On_Demand | Stopped] ->  -> File not found
(ZSMC301b) Philips SPC210NC Webcam [Kernel | On_Demand | Stopped] -> %System32%\drivers\usbVM31b.sys -> VM [Ver = 4.2.1010.41 | Size = 91527 bytes | Modified Date = 26/02/2005 16:25:52 | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1029, 0 | Size = 75128 bytes | Modified Date = 28/07/2007 0:03:34 | Attr =    ]
BigDogPath -> %SystemRoot%\VM_STI.EXE -> BIGDOG [Ver = 4, 2, 610, 4 | Size = 40960 bytes | Modified Date = 09/06/2004 15:37:02 | Attr =    ]
ISUSPM Startup -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> InstallShield Software Corporation [Ver = 3, 00, 100, 1131 | Size = 196608 bytes | Modified Date = 17/04/2004 11:41:30 | Attr =    ]
ISUSScheduler -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 3, 00, 100, 1161 | Size = 69632 bytes | Modified Date = 13/04/2004 5:07:18 | Attr =    ]
mmtask -> %ProgramFiles%\Musicmatch\Musicmatch Jukebox\mmtask.exe -> Musicmatch Inc. [Ver = 9.0.0.1 | Size = 53248 bytes | Modified Date = 01/12/2004 14:49:10 | Attr =    ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09/07/2001 11:50:42 | Attr =    ]
SMSERIAL -> %SystemRoot%\sm56hlpr.exe -> Motorola Inc. [Ver = 6.09.07 | Size = 544768 bytes | Modified Date = 29/12/2004 8:01:56 | Attr = R  ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5.1.0.39 | Size = 77824 bytes | Modified Date = 17/05/2005 12:48:32 | Attr = R  ]
SsAAD.exe -> %ProgramFiles%\Sony\SonicStage\SSAAD.exe ->  [Ver = 3.0.00.13241 | Size = 81920 bytes | Modified Date = 24/01/2005 19:58:02 | Attr =    ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> File not found
WinampAgent -> %ProgramFiles%\Winamp\winampa.exe ->  [Ver =  | Size = 33792 bytes | Modified Date = 27/10/2005 1:01:14 | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
RealPlayer -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.12.857 | Size = 1003520 bytes | Modified Date = 02/06/2006 18:20:56 | Attr =    ]
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 14:06:28 | Attr =    ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 10/08/2007 18:35:12 | Attr =    ]
< Common Startup > -> C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio ->
%AllUsersStartup%\Inicio rápido de Adobe Reader.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 29696 bytes | Modified Date = 14/12/2004 4:44:06 | Attr =    ]
%AllUsersStartup%\TrayMin210.exe.lnk -> %ProgramFiles%\Philips\Philips SPC210NC Webcam\TrayMin210.exe ->  [Ver = 1, 0, 0, 4 | Size = 278528 bytes | Modified Date = 10/05/2006 13:24:34 | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 20/12/2006 13:55:48 | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 19/04/2007 13:41:36 | Attr =    ]

[lad from leigh]

.....
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< HOSTS File > (792 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.google.com/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
musicmatch.com

• ->  ->

< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
musicmatch.com

• ->  ->

< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.0.0.2004121400 | Size = 63136 bytes | Modified Date = 14/12/2004 1:56:50 | Attr =    ]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} [HKLM] -> %ProgramFiles%\Skype\Phone\IEPlugin\SkypeIEPlugin.dll [Skype add-on (mastermind)] -> Skype Technologies S.A. [Ver = 2, 2, 0, 78 | Size = 722472 bytes | Modified Date = 30/03/2007 13:31:02 | Attr =    ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 1:04:00 | Attr =    ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 20/01/2007 0:55:32 | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 10/08/2007 18:35:10 | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 20/01/2007 0:55:32 | Attr = R  ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 20/01/2007 0:55:32 | Attr = R  ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 20/01/2007 0:55:32 | Attr = R  ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{77BF5300-1474-4EC7-9980-D32B190E9B07} -> Reg Data - Value does not exist [ButtonText: Skype] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Referencia] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xportar a Microsoft Excel ->  -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 ->  ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{32EC8C8C-AAA8-4ECC-9C85-E14495A46D73} ->    (NIC Fast Ethernet PCI Familia RTL8139 de Realtek ) ->
{A5EEF4CB-1DC6-48BB-89F7-227C3FE9FD52} ->    () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
skype4com -> %CommonProgramFiles%\Skype\Skype4COM.dll -> Skype Technologies [Ver = 1, 0, 27, 0 | Size = 1828440 bytes | Modified Date = 12/01/2007 12:50:48 | Attr = R  ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->