Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan BHO.ndc or trojan dowloader.delf [RESOLVED]


  • This topic is locked This topic is locked

#1
sabrin

sabrin

    Member

  • Member
  • PipPip
  • 33 posts
Hello. My computer is infected with a trojan. Ive tried various methods of removing it. Normal scans, (spyware doctor and AVG detect the trojan). Ive tried fixing it with Hijack this, there are two BHO (no name) with dll files from system32 folder (iasacctn.dll and csseqchki.dll). n The first dll is listed as the trojan, the second dll was listed as a suspicious file and I killed it with Spybot. The file is now missing but their is a csseqchki.dll.bak in its place which doesnt show as suspicious but i cant delete it, is being used by a running process. I tried the Spybot kill and killbox on the iasacctn.dll file and also went to regedit to delete the values and keys can't get it :) done. Running process re-writing them. Anyway heres my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:37:03, on 24/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsCtrls.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
c:\archivos de programa\panda software\panda titanium antivirus 2005\firewall\PSHOST.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Archivos de programa\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Spyware Doctor\pctsTray.exe
C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Archivos de programa\Windows Media Player\WMPNSCFG.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\ApvxdWin.exe
C:\WINDOWS\System32\alg.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Archivos de programa\Trend Micro\HijackThis\hijackthis.exe
C:\ARCHIV~1\EVIDEN~1\ee.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...n...px&id=64855
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08EC4FCE-420C-44FB-AFA4-2B53391A6B76} - c:\windows\system32\csseqchki.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Archivos de programa\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {F0CC449D-A030-4659-9A7E-A51496110090} - C:\WINDOWS\system32\iasacctn.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Archivos de programa\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar4.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARCHIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Archivos de programa\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Archivos de programa\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118700649640
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: jdnayltr - csseqchki.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsCtrls.EXE
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\archivos de programa\panda software\panda titanium antivirus 2005\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe

--
End of file - 10999 bytes

and here is the unistall list from HJT

2d3 SteadyMove for Adobe Premiere Pro
Actualización de seguridad para Windows Internet Explorer 7 (KB928090)
Actualización de seguridad para Windows Internet Explorer 7 (KB929969)
Actualización de seguridad para Windows Internet Explorer 7 (KB931768)
Actualización de seguridad para Windows Internet Explorer 7 (KB933566)
Actualización de seguridad para Windows Internet Explorer 7 (KB937143)
Actualización de seguridad para Windows Internet Explorer 7 (KB938127)
Actualización de seguridad para Windows Internet Explorer 7 (KB939653)
Actualización de seguridad para Windows Internet Explorer 7 (KB942615)
Actualización de seguridad para Windows Internet Explorer 7 (KB944533)
Adabas D 13.01.00
Adobe Encore DVD 1.0
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Premiere Pro
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Type Manager 4.0
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
ArcSoft PhotoStudio 5.5
ATI - Utilidad de desinstalación de software
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
Barra Yahoo! con bloqueador de ventanas emergentes
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6.1
Canon Utilities EOS Capture 1.3
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CCleaner (remove only)
CleanUp!
Cómo funcionan las cosas 3.0
Compresor WinRAR
dBpowerAMP Music Converter
Digital Camera Driver
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Shrink 3.2
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Image Clip Palette
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESDX4800_4200 User's Guide
Evidence Eliminator
FaxTools
FloorPlan 3D v8
Food Additives 1.0
FPAdjust
FunTV Installation
Google Earth
Google SketchUp
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Video Player
HijackThis 2.0.2
InCD
Java™ 6 Update 5
Lexibase Collins Español-Inglés - Versión especial para Grijalbo
MAGIX music maker V2000
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0)
MSN
MSN Messenger 7.5
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MySpaceIM
NaturalHealingIntroduction
Nero Digital
Nero Media Player
Nero OEM
NeroVision Express Content
OGA Notifier 1.7.0102.0
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
OpenOffice.org 2.2
Panda Antivirus + Firewall 2007
PCI SoftV92 Modem
Picture Package
PIF DESIGNER
PowerCinema 3.0
PowerDVD
QuickTime
Realtek AC'97 Audio
Reproductor de Windows Media 11
Revisión para Windows Internet Explorer 7 (KB947864)
Roxio PhotoSuite 5
Skype™ 3.5
SLang 2
Songplayer 2.1
SonicStage 3.0
Sony USB Driver
Spybot - Search & Destroy
Spyware Doctor 5.5
SpywareBlaster 4.0
StarOffice 8
StartupMonitor
StudyWorks
Symbols for FloorPlan v8
TextAloud
The American Heritage Talking Dictionary
TurboCAD Designer v9
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Live Safety scanner
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11

and here are two jpg screen shots for AVG and Spyware Doctor (SD)

ok cant get them in here, so Ill write them out.

AVG: HKLM\SOFTWARE\MICROSOFT\WINDOWS\Current Version\Explorer\Browser Helper Object\{F0CC449D-A030-4659-9A7E-A51496110090}

AND THE sd SHOWS:

Registry Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object\{F0CC449D-A030-4659-9A7E-A51496110090}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F0CC449D-A030-4659-9A7E-A51496110090}INprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F0CC449D-A030-4659-9A7E-A51496110090}
HKEY_USERS\S-1-5-21-4123246043-2408357389-2317482086-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0CC449D-A030-4659-9A7E-A51496110090}iexplorer
HKEY_USERS\S-1-5-21-4123246043-2408357389-2317482086-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0CC449D-A030-4659-9A7E-A51496110090}
Registry Value:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F0CC449D-A030-4659-9A7E-A51496110090}INprocServer32,(Default)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F0CC449D-A030-4659-9A7E-A51496110090}INprocServer32,ThreadingModel
HKEY_USERS\S-1-5-21-4123246043-2408357389-2317482086-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0CC449D-A030-4659-9A7E-A51496110090}iexplorer,type
HKEY_USERS\S-1-5-21-4123246043-2408357389-2317482086-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0CC449D-A030-4659-9A7E-A51496110090}iexplorer,count
HKEY_USERS\S-1-5-21-4123246043-2408357389-2317482086-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0CC449D-A030-4659-9A7E-A51496110090}iexplorer,time
File:
C:\WINDOWS\system32\iasacctn.dll
The fix on both AVG and SD dont work. I tried deleting the file for the winlogon value with HJT but it didnt work, but did with spybot.
Ok Hope thats enough info for some one out there to help me.
Take care and look forward to reply.
Oh, Im in spain and my windows is in spanish, speak it fluently and dont think that will make a difference. Also, Im surfing with firefox now, and things are much smoother, the SD window blocking access to the dll file by explore.exe has stopped. ok
thanks
sabrin
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hola

Que tal :)



Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

for more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. once you install the Recovery Console, when you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. that is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
sabrin

sabrin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
HI,
Thanks for the quick reply. One problem, i did what you suggested, but didnt work. 1- ive got a OEM XP disk and the restore console isnt accessible. Also the link you gave me to the microsoft guide for bootable disks wont work as I dont have a floppy drive. I downloaded the file from microsoft but when I went to move it over the combofix icon on my desktop nothing happened. Will try agian. But think I need either more information or another option? Thanks and will post shortly my second attempt result.
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Are you saying that ComobFix.exe doesn't work when you try run it ?
  • 0

#5
sabrin

sabrin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
What happens is that I download combofix to my desktop then download the xp boot file for recovery console from the link you provided. When I move it over the combofix icon nothing happens. I can click on the exe file for the xp bootdisk restore file and I get a black DOS window asking me to prepare 6 floppy disks and designate the drive, thing is i dont have a floopy for the disk to go into. I tried putting in the drive letter for the dvd burner and for my hard drive, but the DOS window just disappears. Combofix will exe, but since i dont have the xp recovery console on my computer ( I can enter a recovery mode with the OEM cd) and since the directions stated that i needed to have the recovery console installed BEFORE running combofix, i havent run it yet. Also, when rebooting I dont receive the recovery console /or XP option open the system. Am I making any sense? ¨Was thinking to try the combofix without the prerequisite recovery console but hesitated and wrote this and the above mail. Run the Combo anyway or am I missing something? Muchas gracias
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ah ok I understand

The Recovery Console is just for safety, you can go ahead and run ComboFix.exe

You are in safe hands :)
  • 0

#7
sabrin

sabrin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hi. Thanks. I thought as much. I disabled everything but when I click on the combofix.exe nothing happens. And by nothing I mean nothing. The properties tab says that the combofix is a 1.69mb RAR. Should I unzip it in another location?
tryed running it from he run in START but nothing happens, says it cant find the file and says I should checkthe ubilation or spelling. Im stuck. will try downloading agian. Thanks
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Unzip it to your desktop and run ComboFix.exe, should work

If it fails, do this


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#9
sabrin

sabrin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
ok, Im on it. back with you shortly
  • 0

#10
sabrin

sabrin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Combofix is a no go. heres the DSS

Deckard's System Scanner v20071014.68
Run by Beep on 2008-04-30 19:03:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-04-30 17:03:50 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2008-04-29 15:39:06 UTC - RP8 - Punto de control del sistema
7: 2008-04-28 14:44:48 UTC - RP7 - Punto de control del sistema
6: 2008-04-26 08:48:39 UTC - RP6 - Software Distribution Service 3.0
5: 2008-04-24 17:00:24 UTC - RP5 - secondpoint


-- First Restore Point --
1: 2008-04-24 12:35:35 UTC - RP1 - Punto de control del sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Beep.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:06:49, on 30/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsCtrls.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
c:\archivos de programa\panda software\panda titanium antivirus 2005\firewall\PSHOST.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Archivos de programa\Windows Media Player\WMPNSCFG.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Spyware Doctor\pctsAuxs.exe
C:\Archivos de programa\Spyware Doctor\pctsTray.exe
C:\Archivos de programa\Spyware Doctor\pctsSvc.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Apvxdwin.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Documents and Settings\Beep\Escritorio\dss.exe
C:\ARCHIV~1\TRENDM~1\HIJACK~1\Beep.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\psimreal.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\avciman.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...n...px&id=64855
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08EC4FCE-420C-44FB-AFA4-2B53391A6B76} - c:\windows\system32\csseqchki.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Archivos de programa\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {F0CC449D-A030-4659-9A7E-A51496110090} - C:\WINDOWS\system32\iasacctn.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Archivos de programa\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar4.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\ARCHIV~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Archivos de programa\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Archivos de programa\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.beep.es
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118700649640
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: jdnayltr - csseqchki.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsCtrls.EXE
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\archivos de programa\panda software\panda titanium antivirus 2005\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe

--
End of file - 11173 bytes

-- HijackThis Fixed Entries (C:\ARCHIV~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080424-194020-987 O2 - BHO: (no name) - {08EC4FCE-420C-44FB-AFA4-2B53391A6B76} - c:\windows\system32\csseqchki.dll (file missing)
backup-20080424-194020-767 O20 - Winlogon Notify: jdnayltr - csseqchki.dll (file missing)

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - C:\ARCHIV~1\PANDAS~1\PANDAT~1\PAVSCRIP.EXE "%1" %*
.vbs - VBSFile - shell\open\command - C:\ARCHIV~1\PANDAS~1\PANDAT~1\PAVSCRIP.EXE "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 rslwrwyn - c:\windows\system32\drivers\gozrwmiz.dat
R1 ATMhelpr - c:\windows\system32\drivers\atmhelpr.sys <Not Verified; Adobe Systems Incorporated; Adobe Type Manager Deluxe>
R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 ShldDrv (Panda File Shield Driver) - c:\windows\system32\drivers\shldrv51.sys <Not Verified; Panda Software International; Panda shield>
R2 cpoint (Panda CPoint Driver) - c:\windows\system32\drivers\cpoint.sys <Not Verified; Panda Software; © Panda Software 2005>
R3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
R3 ComFiltr (Panda Anti-Dialer) - c:\windows\system32\drivers\comfiltr.sys (file missing)
R3 PavSRK.sys - c:\windows\system32\pavsrk.sys (file missing)
R3 PavTPK.sys - c:\windows\system32\pavtpk.sys (file missing)
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys (file missing)
S3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 bgsvcgen (B's Recorder GOLD Library General Service) - c:\windows\system32\bgsvcgen.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD8>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-30 18:18:50 344 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-23 18:29:20 252 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-03-24 04:00:02 258 --a------ C:\WINDOWS\Tasks\Liberador de espacio en disco.job
2008-03-16 02:45:02 250 --a------ C:\WINDOWS\Tasks\dfrg.job


-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-24 17:45:12 0 d-------- C:\Archivos de programa\Enigma Software Group
2008-04-24 15:28:49 0 d-------- C:\Archivos de programa\SUPERAntiSpyware
2008-04-24 15:06:49 0 d-------- C:\Archivos de programa\Malwarebytes' Anti-Malware
2008-04-24 12:39:01 0 d-------- C:\!KillBox
2008-04-23 16:10:40 0 d--hs---- C:\FOUND.025
2008-04-23 00:09:46 0 d-------- C:\WINDOWS\pss
2008-04-22 22:22:44 0 d--hs---- C:\FOUND.024
2008-04-21 19:25:51 0 d-------- C:\Archivos de programa\Java
2008-04-21 19:25:28 0 d-------- C:\Archivos de programa\Archivos comunes\Java
2008-04-21 18:56:59 0 d-------- C:\Archivos de programa\SpywareBlaster
2008-04-19 11:17:21 0 d-------- C:\Documents and Settings\All Users\Application Data
2008-04-19 11:17:21 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-19 11:12:55 0 d-------- C:\Archivos de programa\Archivos comunes\PC Tools
2008-04-19 10:26:58 0 d-------- C:\Archivos de programa\Spyware Doctor
2008-04-18 19:23:34 0 d-------- C:\Archivos de programa\Panda Security
2008-04-17 19:50:18 0 d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-17 18:49:59 0 d-------- C:\Archivos de programa\CAPCOM
2008-04-03 21:46:55 6490880 --a------ C:\WINDOWS\system32\raliilhq.dat
2008-04-03 21:46:55 0 d-------- C:\Archivos de programa\Archivos comunes\Mozilla Shared
2008-03-30 20:31:49 0 d-------- C:\pavsigbeta


-- Find3M Report ---------------------------------------------------------------

2008-04-28 19:12:50 3021 --a------ C:\WINDOWS\mozver.dat
2008-04-24 19:20:54 88064 --a------ C:\WINDOWS\system32\iasacctn.dll
2008-04-24 15:07:04 0 d-------- C:\Documents and Settings\Beep\Datos de programa\Malwarebytes
2008-04-24 12:52:44 0 d-------- C:\Documents and Settings\Beep\Datos de programa\Grisoft
2008-04-23 16:26:32 190720 --a------ C:\WINDOWS\system32\pfuhzspw.dat
2008-04-22 13:12:18 43264 --a------ C:\WINDOWS\system32\jiodyepz.dat
2008-04-19 10:29:06 439680 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-04-19 10:29:06 68696 --a------ C:\WINDOWS\system32\perfc00A.dat
2008-04-19 10:27:00 0 d-------- C:\Documents and Settings\Beep\Datos de programa\PC Tools
2008-04-17 19:51:10 0 d-------- C:\Documents and Settings\Beep\Datos de programa\Codemasters
2008-04-17 19:50:42 0 d-------- C:\Documents and Settings\Beep\Datos de programa\InstallShield
2008-04-12 16:23:30 36608 --a------ C:\WINDOWS\system32\pvtbwhiu.dat
2008-04-12 16:23:30 35584 --a------ C:\WINDOWS\system32\kiiirmux.dat
2008-04-02 11:36:12 4448238 --a------ C:\9b7ba937e4e75d055390aafc08a91ddfKRN_DATA
2008-04-01 17:41:06 638208 --a------ C:\WINDOWS\system32\olzlnmen.dat
2008-03-23 20:28:58 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-23 20:28:58 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-21 15:28:00 0 d-------- C:\Documents and Settings\Beep\Datos de programa\DivX
2008-03-14 13:40:26 0 d-------- C:\Documents and Settings\Beep\Datos de programa\OpenOffice.org2
2008-02-21 03:05:44 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 03:04:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-21 03:04:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 03:04:04 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-02-21 03:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 03:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 03:04:04 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 03:03:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08EC4FCE-420C-44FB-AFA4-2B53391A6B76}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0CC449D-A030-4659-9A7E-A51496110090}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe" [25/08/2004 12:52]
"Windows Defender"="C:\Archivos de programa\Windows Defender\MSASCui.exe" [03/11/2006 18:20]
"Run StartupMonitor"="StartupMonitor.exe" [20/05/2000 17:23 C:\WINDOWS\StartupMonitor.exe]
"SoundMan"="SOUNDMAN.EXE" [26/02/2004 08:53 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [02/02/2005 06:00]
"!AVG Anti-Spyware"="C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 11:25]
"ISTray"="C:\Archivos de programa\Spyware Doctor\pctsTray.exe" [01/02/2008 11:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 21/09/2007 11:33 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jdnayltr]
csseqchki.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xptedhih

*Newly Created Service* - COMFILTR



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8300 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-30 19:10:17 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Spanish

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 55%
Physical Memory (total/avail): 1023.48 MiB / 454.55 MiB
Pagefile Memory (total/avail): 2462.66 MiB / 1576.49 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.63 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 149.01 GiB total, 54.68 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160021A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 149.05 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Panda Antivirus 2007 Personal Firewall v6.01.00 (Panda Software) Disabled
AV: Panda Antivirus + Firewall 2007 v6.01.00 (Panda Software) Disabled
AV: Spyware Doctor with AntiVirus v4.4.5 (PC Tools) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Archivos de programa\\Messenger\\msmsgs.exe"="C:\\Archivos de programa\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe"="C:\\Archivos de programa\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Archivos de programa\\MySpace\\IM\\MySpaceIM.exe"="C:\\Archivos de programa\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Beep\Datos de programa
CLASSPATH=C:\Program Files\PhotoDeluxe HE 3.1\AdobeConnectables;
CLIENTNAME=Console
CommonProgramFiles=C:\Archivos de programa\Archivos comunes
COMPUTERNAME=NOMBRE-F86A4812
ComSpec=C:\WINDOWS\system32\cmd.exe
DBCONFIG=C:\adabas\sql
DBROOT=C:\adabas\
DBWORK=C:\adabas\sql
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Beep
LOGONSERVER=\\NOMBRE-F86A4812
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\ARCHIVOS DE PROGRAMA\ATI TECHNOLOGIES\ATI CONTROL PANEL;C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005;C:\Archivos de programa\Archivos comunes\Roxio Shared\DLLShared;C:\Archivos de programa\Archivos comunes\Ulead Systems\MPEG;C:\Archivos de programa\QuickTime\QTSystem\;C:\adabas\bin;C:\adabas\pgm;C:\Archivos de programa\IMSI\FloorPlan 3D v8\Program
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Archivos de programa
PROMPT=$P$G
PS5ROOT=C:\Archivos de programa\Roxio\PhotoSuite\
QTJAVA=C:\Archivos de programa\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Beep\CONFIG~1\Temp
TMP=C:\DOCUME~1\Beep\CONFIG~1\Temp
USERDOMAIN=NOMBRE-F86A4812
USERNAME=Beep
USERPROFILE=C:\Documents and Settings\Beep
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Beep (admin)
Administrador (admin)
Invitado (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Archivos de programa\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\PhotoDeluxe HE 3.1\DeIsL1.isu"
--> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
2d3 SteadyMove for Adobe Premiere Pro --> MsiExec.exe /I{94118D5F-2D5D-4BF5-9F84-11FB8A97B566}
Adabas D 13.01.00 --> MsiExec.exe /X{5C52CED3-D45C-4DA9-932F-B91BD44BB461}
Adobe Encore DVD 1.0 --> RunDll32 "C:\Archivos de programa\Archivos comunes\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{F2CF483C-7EEE-4B64-A730-14F83CD5AFFE}\setup.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUN040A.EXE -f"C:\Archivos de programa\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Archivos de programa\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Premiere Pro --> RunDll32 "C:\Archivos de programa\Archivos comunes\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{084709F7-38C5-4609-B55F-2417939315EB}\setup.exe"
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Type Manager 4.0 --> C:\WINDOWS\uninst.exe -f"C:\Archivos de programa\Adobe Type Manager\DeIsL1.isu" -c"C:\Archivos de programa\Adobe Type Manager\UNINST.DLL"
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Adobe® Photoshop® Album Starter Edition 3.0.1 --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{C9618743-1A5C-461E-91C4-E013A3D70F3C}\Setup.exe" -l0x9
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{4A81B632-07AB-4CAC-BB04-DF20DFFBFFA0}\setup.exe" -l0x9
ATI - Utilidad de desinstalación de software --> C:\Archivos de programa\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Barra Yahoo! con bloqueador de ventanas emergentes --> C:\ARCHIV~1\YAHOO!\COMMON\unyt.exe
Cómo funcionan las cosas 3.0 --> C:\WINDOWS\UNIN040A.EXE -r"Zeta Multimedia\Cómo funcionan las cosas 3.0\03.01.0004" -n"Cómo funcionan las cosas 3.0" -fC:\ARCHIV~1\ZETAMU~1\COMOFU~1.0\DeIsL1.isu -cC:\ARCHIV~1\ZETAMU~1\COMOFU~1.0\uninst.dll -oNT
Canon Camera Support Core Library --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{5662C158-CA24-4228-BF6C-596FADA08682} /l1033
Canon Camera Window DS for ZoomBrowser EX --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7B847C9D-6758-45E6-B598-3BD8F43EAE9E}
Canon Camera Window DVC for ZoomBrowser EX --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A70D14C6-FF2C-4B8E-A643-7E74EC607614}
Canon Camera Window for ZoomBrowser EX --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E73534D5-CC93-4C63-9072-5A9734255C74}
Canon EOS Kiss_N REBEL_XT 350D WIA Driver --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{33CF7CDF-9805-4500-9CC7-D19D52AD63C4}
Canon Internet Library for ZoomBrowser EX --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F81FBFC-9A37-431F-9050-14B55485DF5A}
Canon PhotoRecord --> MsiExec.exe /X{862983D7-FA08-493E-A9ED-6B7859E069D3}
Canon RAW Image Task for ZoomBrowser EX --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A0F34E4E-25F0-4B68-AE8F-EF0C15CB1FED}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities Digital Photo Professional 1.6.1 --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{789CF5F1-3326-4B7B-9D01-31047E0F5651}
Canon Utilities EOS Capture 1.3 --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{16480125-0428-4097-9A2A-74464004D169}
Canon Utilities PhotoStitch 3.1 --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner (remove only) --> "C:\Archivos de programa\CCleaner\uninst.exe"
CleanUp! --> C:\Archivos de programa\CleanUp!\uninstall.exe
Compresor WinRAR --> C:\Archivos de programa\WinRAR\uninstall.exe
dBpowerAMP Music Converter --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
Digital Camera Driver --> C:\ARCHIV~1\ACTEBIS\UNWISE.EXE C:\ARCHIV~1\ACTEBIS\INSTALL.LOG
DivX Codec --> C:\Archivos de programa\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Archivos de programa\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Archivos de programa\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Archivos de programa\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Archivos de programa\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Shrink 3.2 --> "C:\Archivos de programa\DVD Shrink\unins000.exe"
EPSON Attach To Email --> C:\Archivos de programa\Archivos comunes\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3 --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0xa -UnInstall
EPSON Easy Photo Print --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{5DA7BC15-18D3-41A0-9F59-838DA3EAEF17}\SETUP.EXE" -l0xa UNINST
EPSON File Manager --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Image Clip Palette --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{314F6D08-A8B7-11D8-8446-0050BA1D384D}\Setup.exe" -l0xa -u
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Archivos de programa\epson\escndv\setup\setup.exe /r
EPSON Scan Assistant --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0xa -u
EPSON Web-To-Page --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x9 -anything
ESDX4800_4200 User's Guide --> C:\Archivos de programa\EPSON\TPMANUAL\ESDX4800_4200\USE_G\DOCUNINS.EXE
Evidence Eliminator --> C:\ARCHIV~1\EVIDEN~1\UNWISE.EXE C:\ARCHIV~1\EVIDEN~1\INSTALL.LOG
FaxTools --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
FloorPlan 3D v8 --> MsiExec.exe /I{53F6009E-756A-4D3D-A0D3-B6D4CBEDA819}
Food Additives 1.0 --> C:\Archivos de programa\Food Additives\uninst.exe
FPAdjust --> C:\WINDOWS\IsUninst.exe -f"C:\Archivos de programa\Flat Panel Adjust\Uninst.isu"
FunTV Installation --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{B4637769-343B-42C3-8064-ECEA9D3F4B20}\setup.exe" -l0x9 -removeonly
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google SketchUp --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{E1423608-F529-40A1-93CA-C7F396F30DF0}\setup.exe" -l0x9
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\archivos de programa\google\googletoolbar4.dll"
Google Video Player --> "C:\Archivos de programa\Google\Google Video Player\Uninstall.exe"
HijackThis 2.0.2 --> "C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe" /uninstall
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Lexibase Collins Español-Inglés - Versión especial para Grijalbo --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{5124C146-1B05-47C6-A584-2ECCF2A37014}\setup.exe" -l0xa
MAGIX music maker V2000 --> C:\MAGIX\MAGIXM~1\UNWISE.EXE C:\MAGIX\MAGIXM~1\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Archivos de programa\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50) --> MsiExec.exe /X{2E5A5B57-57FC-4C79-A239-9DB280ADEC2A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0) --> C:\Archivos de programa\Mozilla Firefox\uninstall\uninst.exe
MSN --> C:\Archivos de programa\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Messenger 7.5 --> MsiExec.exe /I{5CCEE3CA-03EC-11DA-BFBD-00065BBDC0B5}
MySpaceIM --> C:\Archivos de programa\MySpace\IM\Uninstall.exe
NaturalHealingIntroduction --> C:\WINDOWS\uninst.exe -f"C:\Archivos de programa\NaturalHealing\Introduction\DeIsL1.isu" -c"C:\Archivos de programa\NaturalHealing\Introduction\_ISREG32.DLL"
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Nero Media Player --> C:\WINDOWS\UNNMP.exe /UNINSTALL
Nero OEM --> C:\Archivos de programa\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express Content --> C:\WINDOWS\UNNVEContent.exe /UNINSTALL
OGA Notifier 1.7.0102.0 --> MsiExec.exe /I{049F2E8F-D5EC-4133-87FA-8E94837D8D0C}
OpenMG Limited Patch 4.1-05-13-31-01 --> C:\Archivos de programa\Archivos comunes\Sony Shared\OpenMG\HotFixes\HotFix4.1-05-13-31-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.1.00 --> C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2F151B50-B434-4838-B51D-70442EBA093E} UNINSTALL
OpenOffice.org 2.2 --> MsiExec.exe /I{A1C8D94A-4303-4489-B585-4B6E6CD408CB}
Panda Antivirus + Firewall 2007 --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{98032D6F-3EE6-4646-B68C-40BF012AC89B}\SETUP.exe" -l0x9 -removeonly
PCI SoftV92 Modem --> C:\Archivos de programa\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1\HXFSetup.exe -U -IPSCRCTR5K.inf
Picture Package --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
PIF DESIGNER --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{B90450DF-E781-46FD-B1F1-0C86DA40E443}\SETUP.EXE" -l0x9 anything
PowerCinema 3.0 --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\ARCHIV~1\ARCHIV~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
Realtek AC'97 Audio --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Roxio PhotoSuite 5 --> MsiExec.exe /I{607CE53B-0999-4F3B-8FF1-DB1AA47548A8}
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SLang 2 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\SLang 2\DeIsL1.isu" -c"C:\Program Files\SLang 2\_ISREG32.DLL"
Songplayer 2.1 --> C:\ARCHIV~1\SONGPL~1\UNWISE.EXE C:\ARCHIV~1\SONGPL~1\INSTALL.LOG
SonicStage 3.0 --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0xa UNINSTALL -removeonly
Sony USB Driver --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spybot - Search & Destroy --> "C:\Archivos de programa\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Archivos de programa\Spyware Doctor\unins000.exe /LOG
SpywareBlaster 4.0 --> "C:\Archivos de programa\SpywareBlaster\unins000.exe"
StarOffice 8 --> MsiExec.exe /I{4BC1CB2B-FDCE-4DB4-A557-BA8127569B0D}
StartupMonitor --> MsiExec.exe /I{76EFAC4F-1712-401F-B2AE-590B170C9BCE}
StudyWorks --> C:\WINDOWS\uninst.exe -fc:\StudyWks\DeIsL1.isu
Symbols for FloorPlan v8 --> MsiExec.exe /I{7135DAB0-ACA8-4EFB-B700-FAF66363491A}
TextAloud --> "C:\Archivos de programa\TextAloud\unins000.exe"
The American Heritage Talking Dictionary --> C:\AHEDW\unsetup.exe
TurboCAD Designer v9 --> MsiExec.exe /I{CEB37677-3019-4EBE-9BDD-A110A4F70439}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live Safety scanner --> RunDll32.exe "C:\Archivos de programa\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type186 / Warning
Event Submitted/Written: 04/30/2008 05:37:22 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows no puede descargar su archivo del Registro de clases - todavía está en uso por otras aplicaciones o servicios. El archivo se descargará cuando no esté en uso.

Event Record #/Type184 / Error
Event Submitted/Written: 04/30/2008 05:28:12 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Aplicación que no responde: explorer.exe, versión 6.0.2900.3156, módulo que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.

Event Record #/Type179 / Warning
Event Submitted/Written: 04/30/2008 03:53:13 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows no puede descargar su archivo del Registro de clases - todavía está en uso por otras aplicaciones o servicios. El archivo se descargará cuando no esté en uso.

Event Record #/Type174 / Warning
Event Submitted/Written: 04/29/2008 08:57:33 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows no puede descargar su archivo del Registro de clases - todavía está en uso por otras aplicaciones o servicios. El archivo se descargará cuando no esté en uso.

Event Record #/Type173 / Error
Event Submitted/Written: 04/29/2008 08:55:08 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Aplicación que no responde: Ee.exe, versión 5.0.0.58, módulo que no responde hungapp, versión 0.0.0.0, dirección que no responde 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1943 / Error
Event Submitted/Written: 04/30/2008 07:02:16 PM
Event ID/Source: 10010 / DCOM
Event Description:
El servidor {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} no se registró con DCOM dentro del tiempo de espera requerido.

Event Record #/Type1942 / Error
Event Submitted/Written: 04/30/2008 07:01:45 PM
Event ID/Source: 10010 / DCOM
Event Description:
El servidor {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} no se registró con DCOM dentro del tiempo de espera requerido.

Event Record #/Type1941 / Error
Event Submitted/Written: 04/30/2008 07:01:14 PM
Event ID/Source: 10010 / DCOM
Event Description:
El servidor {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} no se registró con DCOM dentro del tiempo de espera requerido.

Event Record #/Type1939 / Error
Event Submitted/Written: 04/30/2008 06:59:20 PM
Event ID/Source: 10010 / DCOM
Event Description:
El servidor {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} no se registró con DCOM dentro del tiempo de espera requerido.

Event Record #/Type1938 / Error
Event Submitted/Written: 04/30/2008 06:58:49 PM
Event ID/Source: 10010 / DCOM
Event Description:
El servidor {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} no se registró con DCOM dentro del tiempo de espera requerido.



-- End of Deckard's System Scanner: finished at 2008-04-30 19:10:17 ------------
  • 0

Advertisements


#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {08EC4FCE-420C-44FB-AFA4-2B53391A6B76} - c:\windows\system32\csseqchki.dll (file missing)
O2 - BHO: (no name) - {F0CC449D-A030-4659-9A7E-A51496110090} - C:\WINDOWS\system32\iasacctn.dll
O20 - Winlogon Notify: jdnayltr - csseqchki.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\iasacctn.dll
C:\WINDOWS\system32\pfuhzspw.dat
C:\WINDOWS\system32\jiodyepz.dat
C:\WINDOWS\system32\pvtbwhiu.dat
C:\WINDOWS\system32\kiiirmux.dat
C:\WINDOWS\system32\olzlnmen.dat
c:\windows\system32\drivers\gozrwmiz.dat

Folders to delete:
C:\FOUND.025
C:\FOUND.024

Drivers to delete:
rslwrwyn


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply by using Add/Reply



Also do this

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt
  • 0

#12
sabrin

sabrin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
do I need to disable anything like spybot teatimer, or firewall or spyware doctor onguard before doing the hijackthis fix?
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No need to do that just yet
  • 0

#14
sabrin

sabrin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Ok Rorschach,

Heres what happened. 1- Avenger went well, log below. 2- pasted the line into the run window but go a error message saying that windows couldnt find the config file, changed desktop to escritorio because my windows in in spanish, this is the correct address, I checked, but no go. So I opened and ran dss. Got an error message saying that HJT couldnt write to the host file (blocked by Panda). So here we have the avenger text and the main.txt from dss. I also recieved the following error when the computer restarted and the avenger.txt came up.
Exception Processing message c0000013 parameters 75b1bf9c 4 75b1bf9c 75 b1bf9c. Dont know what it means??
Also, the csseqchki.dll file missing is gone but there is a csseqchki.dll.bak file in its place. Kill it with killbox?

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\iasacctn.dll" deleted successfully.
File "C:\WINDOWS\system32\pfuhzspw.dat" deleted successfully.
File "C:\WINDOWS\system32\jiodyepz.dat" deleted successfully.
File "C:\WINDOWS\system32\pvtbwhiu.dat" deleted successfully.
File "C:\WINDOWS\system32\kiiirmux.dat" deleted successfully.
File "C:\WINDOWS\system32\olzlnmen.dat" deleted successfully.
File "c:\windows\system32\drivers\gozrwmiz.dat" deleted successfully.
Folder "C:\FOUND.025" deleted successfully.
Folder "C:\FOUND.024" deleted successfully.
Driver "rslwrwyn" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Deckard's System Scanner v20071014.68
Run by Beep on 2008-05-01 16:00:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Beep.exe) ------------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-01 16:01:10
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PAVSRV51.EXE
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsCtrlS.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\PavPrSrv.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PSHost.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\Archivos de programa\Spyware Doctor\pctsAuxs.exe
C:\Archivos de programa\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Archivos de programa\Windows Media Player\wmpnetwk.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIADE.EXE
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Archivos de programa\Windows Media Player\wmpnscfg.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\ApVxdWin.exe
C:\WINDOWS\system32\alg.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\psimreal.exe
C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Avciman.exe
C:\Documents and Settings\Beep\Escritorio\dss.exe
C:\Archivos de programa\Trend Micro\HijackThis\Beep.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...n...px&id=64855
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08EC4FCE-420C-44FB-AFA4-2B53391A6B76} - c:\windows\system32\csseqchki.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Archivos de programa\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Archivos de programa\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Archivos de programa\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Archivos de programa\Google\GoogleToolbar4.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\Archivos de programa\TextAloud\TAForIE.dll
O3 - Toolbar: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Archivos de programa\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Archivos de programa\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} () - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ntent/opuc3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118700649640
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Archivos de programa\Archivos comunes\Skype\Skype4COM.dll
O20 - Winlogon Notify: jdnayltr - C:\WINDOWS\system32\csseqchki.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsCtrlS.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\PavPrSrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PAVSRV51.EXE
O23 - Service: Panda Host Service (PSHost) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\Firewall\PSHost.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Archivos de programa\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Archivos de programa\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe


--
End of file - 13051 bytes

-- Files created between 2008-04-01 and 2008-05-01 -----------------------------

2008-04-24 17:45:12 0 d-------- C:\Archivos de programa\Enigma Software Group
2008-04-24 15:28:49 0 d-------- C:\Archivos de programa\SUPERAntiSpyware
2008-04-24 15:06:49 0 d-------- C:\Archivos de programa\Malwarebytes' Anti-Malware
2008-04-24 12:39:01 0 d-------- C:\!KillBox
2008-04-23 00:09:46 0 d-------- C:\WINDOWS\pss
2008-04-21 19:25:51 0 d-------- C:\Archivos de programa\Java
2008-04-21 19:25:28 0 d-------- C:\Archivos de programa\Archivos comunes\Java
2008-04-21 18:56:59 0 d-------- C:\Archivos de programa\SpywareBlaster
2008-04-19 11:17:21 0 d-------- C:\Documents and Settings\All Users\Application Data
2008-04-19 11:17:21 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-19 11:12:55 0 d-------- C:\Archivos de programa\Archivos comunes\PC Tools
2008-04-19 10:26:58 0 d-------- C:\Archivos de programa\Spyware Doctor
2008-04-18 19:23:34 0 d-------- C:\Archivos de programa\Panda Security
2008-04-17 19:50:18 0 d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-17 18:49:59 0 d-------- C:\Archivos de programa\CAPCOM
2008-04-03 21:46:55 6490880 --a------ C:\WINDOWS\system32\raliilhq.dat
2008-04-03 21:46:55 0 d-------- C:\Archivos de programa\Archivos comunes\Mozilla Shared


-- Find3M Report ---------------------------------------------------------------

2008-04-28 19:12:50 3021 --a------ C:\WINDOWS\mozver.dat
2008-04-24 15:07:04 0 d-------- C:\Documents and Settings\Beep\Datos de programa\Malwarebytes
2008-04-24 12:52:44 0 d-------- C:\Documents and Settings\Beep\Datos de programa\Grisoft
2008-04-19 10:29:06 439680 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-04-19 10:29:06 68696 --a------ C:\WINDOWS\system32\perfc00A.dat
2008-04-19 10:27:00 0 d-------- C:\Documents and Settings\Beep\Datos de programa\PC Tools
2008-04-17 19:51:10 0 d-------- C:\Documents and Settings\Beep\Datos de programa\Codemasters
2008-04-17 19:50:42 0 d-------- C:\Documents and Settings\Beep\Datos de programa\InstallShield
2008-04-02 11:36:12 4448238 --a------ C:\9b7ba937e4e75d055390aafc08a91ddfKRN_DATA
2008-03-23 20:28:58 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-23 20:28:58 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-21 15:28:00 0 d-------- C:\Documents and Settings\Beep\Datos de programa\DivX
2008-03-14 13:40:26 0 d-------- C:\Documents and Settings\Beep\Datos de programa\OpenOffice.org2
2008-02-21 03:05:44 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 03:04:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-21 03:04:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 03:04:04 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-02-21 03:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 03:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 03:04:04 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 03:03:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08EC4FCE-420C-44FB-AFA4-2B53391A6B76}]
c:\windows\system32\csseqchki.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe" [25/08/2004 12:52]
"Windows Defender"="C:\Archivos de programa\Windows Defender\MSASCui.exe" [03/11/2006 18:20]
"Run StartupMonitor"="StartupMonitor.exe" [20/05/2000 17:23 C:\WINDOWS\StartupMonitor.exe]
"SoundMan"="SOUNDMAN.EXE" [26/02/2004 08:53 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [02/02/2005 06:00]
"!AVG Anti-Spyware"="C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 11:25]
"ISTray"="C:\Archivos de programa\Spyware Doctor\pctsTray.exe" [01/02/2008 11:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Archivos de programa\Windows Media Player\WMPNSCFG.exe" [03/11/2006 10:02]
"SpybotSD TeaTimer"="C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"C:\Archivos de programa\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xptedhih




-- End of Deckard's System Scanner: finished at 2008-05-01 16:04:08 ------------
  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You should be able to delete that file manually, so go ahead and do that


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\raliilhq.dat

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {08EC4FCE-420C-44FB-AFA4-2B53391A6B76} - c:\windows\system32\csseqchki.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: jdnayltr - C:\WINDOWS\system32\csseqchki.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP