Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virtus Monde Comes Back Non Stop [CLOSED]


  • This topic is locked This topic is locked

#1
cassano

cassano

    Member

  • Member
  • PipPip
  • 10 posts
Ok hello all, i come here for ask for your help, i was here long time ago and you guys helped me, but now i have another problem, ok heres the thing:

Virtus.Monde or w/e is called got infected my comp like a month ago, i was just about to post but i better checked your guides about how to fix it, virtusbegone, virtusfix, malwarebytes, etc

so ok virtusbegone and virtusfix didnt found anything, but malwarebytes did, and erased it, but then re-appeared, used malwarebytes and erased it again, then re-appeared used malwarebytes and came again, etc like in a cicle, my comp is kinda slowly and my internet games started to have a delay (may be the ISP or crappy programs, but better to be sure)

so a few mins ago reappeared again the virus, malwarebytes erased it again, so iam wondering if i have an infection so well if you could check my hijackthis log and tell me if its my imagination or theres something wrong, would be nice, btw before doing this post did one last malwarebytes check and theres was nothing, same my antivirus and found nothing, then i used hijackthis, so here is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:55, on 2008-05-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Admin\Escritorio\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Archivos de programa\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Complemento del Asistente para Internet de Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: Asistente para Internet de Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Barra de búsqueda de Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Archivos de programa\WinPcap\rpcapd.exe

--
End of file - 5515 bytes
  • 0

Advertisements


#2
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.
Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)
  • 0

#3
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,

1.
Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
Click Scan.
When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply post the Malwarebytes' Anti-Malware log.

2.
Click HERE and run an online scan with Kaspersky WebScanner
  • Click on Kaspersky Online Scanner
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
  • Scan Options:
    Scan Archives
    Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:Select My Computer
[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
[*]Save the file to your desktop.
[*]Copy and paste that information into your next post.
[/list]
  • 0

#4
cassano

cassano

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
hi there sarahw, thank you for your support, i did what you asked for in the first post, for then do the steps in the second post, here are the logs the attachment file is the log in from kapersky in html, in case you want a better view insteand of my copy paste


=================================================================
Malwarebytes' Anti-Malware 1.12
Database version: 783

Scan type: Full Scan (C:\|)
Objects scanned: 102274
Time elapsed: 30 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
==============================================================




================================================================
Friday, May 23, 2008 7:01:01 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/05/2008
Kaspersky Anti-Virus database records: 799423


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 67037
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 01:07:01

Infected Object Name Virus Name Last Action
C:\Archivos de programa\ESET\cache\CACHE.NDB Object is locked skipped

C:\Archivos de programa\ESET\logs\virlog.dat Object is locked skipped

C:\Archivos de programa\ESET\logs\warnlog.dat Object is locked skipped

C:\Archivos de programa\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Documents and Settings\Admin\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Admin\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Admin\Configuración local\Datos de programa\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Admin\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Admin\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Admin\Configuración local\Historial\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Admin\Configuración local\Historial\History.IE5\MSHist012008052320080524\index.dat Object is locked skipped

C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Admin\NtUser.dat.LOG Object is locked skipped

C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_614.dat Object is locked skipped

Scan process completed.

Attached Files


  • 0

#5
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#6
cassano

cassano

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi, here are the two logs from DSS

==============================================MAIN==============================
===================
Deckard's System Scanner v20071014.68
Run by Admin on 2008-05-24 12:42:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-05-24 19:42:17 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-05-24 19:32:32 UTC - RP2 - Instalado ATI Catalyst Control Center
1: 2008-05-24 07:39:43 UTC - RP1 - Punto de control del sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43, on 2008-05-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Admin\Escritorio\dss.exe
C:\DOCUME~1\Admin\ESCRIT~1\Admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 216.107.242.199 l2authd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Archivos de programa\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Complemento del Asistente para Internet de Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Asistente para Internet de Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Barra de búsqueda de Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe

--
End of file - 5990 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Si3112 - c:\windows\system32\drivers\si3112.sys <Not Verified; Silicon Image, Inc.; SiI 3112 SATALink controller>

S2 npkcrypt - c:\archivos de programa\juegos\lineage ii khaos\system\npkcrypt.sys (file missing)
S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 JavaQuickStarterService (Java Quick Starter) - "c:\archivos de programa\java\jre6\bin\jqs.exe" -service -config "c:\archivos de programa\java\jre6\lib\deploy\jqs\jqs.conf" <Not Verified; Sun Microsystems, Inc.; Java™ Platform SE 6 U10>

S3 Apple Mobile Device - "c:\archivos de programa\archivos comunes\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 AresChatServer (Ares Chatroom server) - c:\archivos de programa\ares\chatserver.exe
S4 NBService - c:\archivos de programa\nero\nero 7\nero backitup\nbservice.exe
S4 NMIndexingService - "c:\archivos de programa\archivos comunes\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>
S4 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\archivos de programa\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
S4 UPHClean (User Profile Hive Cleanup) - c:\archivos de programa\uphclean\uphclean.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-21 20:12:47 298 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-23 17:37:59 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-22 13:02:04 0 d-------- C:\WINDOWS\CSC
2008-05-22 12:55:32 0 d-------- C:\Archivos de programa\Sun
2008-05-22 12:52:08 0 d-------- C:\Archivos de programa\Archivos comunes\Java
2008-05-22 12:40:00 0 d-------- C:\Archivos de programa\Java
2008-05-08 17:53:54 0 d-------- C:\WINDOWS\system32\es
2008-05-08 17:53:54 0 d-------- C:\WINDOWS\system32\bits
2008-05-08 17:53:54 0 d-------- C:\WINDOWS\l2schemas
2008-05-08 17:51:37 0 d-------- C:\WINDOWS\ServicePackFiles


-- Find3M Report ---------------------------------------------------------------

2008-05-24 12:32:58 0 d-------- C:\Archivos de programa\ATI Technologies
2008-05-23 22:41:36 0 d-------- C:\Archivos de programa\Juegos
2008-05-22 14:15:54 0 d-------- C:\Archivos de programa\mIRC
2008-05-22 14:15:53 0 --a------ C:\Archivos
2008-05-22 12:52:08 0 d-------- C:\Archivos de programa\Archivos comunes
2008-05-22 12:39:54 0 d-------- C:\Documents and Settings\Admin\Datos de programa\Sun
2008-05-22 12:33:09 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2008-05-19 21:38:03 0 d-------- C:\Archivos de programa\Malwarebytes' Anti-Malware
2008-05-19 12:59:48 0 d-------- C:\Archivos de programa\Microsoft Silverlight
2008-05-18 07:43:34 0 d-------- C:\Documents and Settings\Admin\Datos de programa\Leadertech
2008-05-14 21:29:01 61084 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-12 10:49:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-11 08:13:36 0 d-------- C:\Documents and Settings\Admin\Datos de programa\Ahead
2008-05-09 19:13:22 0 d-------- C:\Documents and Settings\Admin\Datos de programa\Ventrilo
2008-05-08 19:50:45 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2008-05-08 18:00:47 509172 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-05-08 18:00:47 92324 --a------ C:\WINDOWS\system32\perfc00A.dat
2008-05-08 17:54:10 0 d-------- C:\Archivos de programa\Messenger
2008-05-08 17:53:53 0 d-------- C:\Archivos de programa\Movie Maker
2008-05-08 17:51:16 0 d-------- C:\Archivos de programa\Windows NT
2008-05-06 07:14:11 0 d-------- C:\Archivos de programa\Archivos comunes\Blizzard Entertainment
2008-04-21 19:22:42 0 d-------- C:\Documents and Settings\Admin\Datos de programa\Malwarebytes
2008-04-21 16:55:08 1188 --a------ C:\WINDOWS\mozver.dat
2008-04-21 16:51:41 0 d-------- C:\Documents and Settings\Admin\Datos de programa\Talkback
2008-04-21 16:51:14 0 d-------- C:\Documents and Settings\Admin\Datos de programa\Mozilla
2008-04-20 20:04:36 0 d-------- C:\Documents and Settings\Admin\Datos de programa\mIRC
2008-04-10 20:36:27 0 d-------- C:\Archivos de programa\MSN Messenger
2008-04-10 20:36:27 0 d-------- C:\Archivos de programa\Messenger Plus! Live
2008-04-10 16:30:38 0 d--hs--c- C:\Archivos de programa\Archivos comunes\WindowsLiveInstaller
2008-04-10 16:30:33 0 d-------- C:\Archivos de programa\Windows Live
2008-04-07 15:36:16 0 d-------- C:\Archivos de programa\iTunes
2008-04-07 15:36:07 0 d-------- C:\Archivos de programa\iPod
2008-04-07 15:34:49 0 d-------- C:\Archivos de programa\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2008-05-22 12:40 34816 --a------ C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2008-05-22 12:40 73728 --a------ C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Archivos de programa\Eset\nod32kui.exe" [2007-06-29 20:21]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-24 11:01]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-24 11:01]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-24 11:00]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 01:58 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre6\bin\jusched.exe" [2008-05-22 12:40]
"StartCCC"="C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 07:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Archivos de programa\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Archivos de programa\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Archivos de programa\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04807c7c-b189-11dc-a3d0-00196638fd63}]
Auto\command- H:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1befb127-c574-11dc-a40f-00196638fd63}]
1\Command- F:\.\RECYCLER\RECYCLER\autorun.exe
2\Command- F:\.\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe




-- Hosts -----------------------------------------------------------------------

216.107.242.199 l2authd.lineage2.com


-- End of Deckard's System Scanner: finished at 2008-05-24 12:45:56 ------------

================================================================================
==================










==============================================extra=============================
===================
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: Spanish

CPU 0: Procesador Intel Pentium II
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 1023.23 MiB / 670.18 MiB
Pagefile Memory (total/avail): 2462.77 MiB / 2159.1 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1914.62 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 20.38 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380815AS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Sistema de archivos instalables - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Admin\Datos de programa
CLASSPATH=.;C:\Archivos de programa\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Archivos de programa\Archivos comunes
COMPUTERNAME=lalala
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Admin
LOGONSERVER=\\lalala
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static;C:\Archivos de programa\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 22 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1601
ProgramFiles=C:\Archivos de programa
PROMPT=$P$G
QTJAVA=C:\Archivos de programa\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Admin\CONFIG~1\Temp
TMP=C:\DOCUME~1\Admin\CONFIG~1\Temp
USERDOMAIN=lalala
USERNAME=Admin
USERPROFILE=C:\Documents and Settings\Admin
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Admin (admin)
Administrador (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

-->
-->
--> C:\Archivos de programa\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0C0A-0000-0000000FF1CE} /uninstall {2CC8520D-6A74-4CCA-9539-8E774E2B50D1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0C0A-0000-0000000FF1CE} /uninstall {2CC8520D-6A74-4CCA-9539-8E774E2B50D1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0C0A-0000-0000000FF1CE} /uninstall {2CC8520D-6A74-4CCA-9539-8E774E2B50D1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0C0A-0000-0000000FF1CE} /uninstall {2CC8520D-6A74-4CCA-9539-8E774E2B50D1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0C0A-0000-0000000FF1CE} /uninstall {2CC8520D-6A74-4CCA-9539-8E774E2B50D1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0C0A-0000-0000000FF1CE} /uninstall {2CC8520D-6A74-4CCA-9539-8E774E2B50D1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0403-0000-0000000FF1CE} /uninstall {A5B6B786-2D6F-4B75-940F-42B32D01D146}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0416-0000-0000000FF1CE} /uninstall {669EB263-0AFE-4FCB-A068-DB082CA6273C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0C0A-0000-0000000FF1CE} /uninstall {2CC8520D-6A74-4CCA-9539-8E774E2B50D1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0C0A-0000-0000000FF1CE} /uninstall {35B14BD6-6042-4A55-B326-58309DC8C72A}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0C0A-0000-0000000FF1CE} /uninstall {2CC8520D-6A74-4CCA-9539-8E774E2B50D1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0C0A-0000-0000000FF1CE} /uninstall {2CC8520D-6A74-4CCA-9539-8E774E2B50D1}
Actualización de seguridad para Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Actualización KB909520 para Windows XP --> C:\WINDOWS\system32\sysocmgr.exe
Actualización KB917734 para el Reproductor de Windows Media 9 --> C:\WINDOWS\system32\sysocmgr.exe
Actualización KB931125 para Windows XP --> C:\WINDOWS\system32\sysocmgr.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ares 2.0.9 --> "C:\Archivos de programa\Ares\uninstall.exe"
ATI - Software Uninstall Utility --> C:\Archivos de programa\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BitTorrent DNA --> "C:\Archivos de programa\BitTorrent_DNA\dna.exe" /UNINSTALL
Call of Duty® 4 - Modern Warfare™ --> C:\Archivos de programa\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
eMule --> "C:\Archivos de programa\eMule\Uninstall.exe"
eMule Plus 1.2c --> "C:\Archivos de programa\eMule\unins000.exe"
FIFA 08 --> MsiExec.exe /X{0A2A5039-B37F-489D-B1DC-A5258DF9E697}
HijackThis 2.0.2 --> "C:\Documents and Settings\Admin\Escritorio\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 10 --> MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Development Kit 6 Update 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160060}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LineAge Utils --> "C:\Archivos de programa\Juegos\LineAge Utils\unins000.exe"
Malwarebytes' Anti-Malware --> "C:\Archivos de programa\Malwarebytes' Anti-Malware\unins000.exe"
Messenger Plus! Live --> "C:\Archivos de programa\Messenger Plus! Live\Uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta 2007 Biblioteca Premium --> MsiExec.exe /I{07140081-E9B4-4DF6-A845-CAAFD093E477}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-0015-0C0A-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-0016-0C0A-0000-0000000FF1CE}
Microsoft Office Groove MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-00BA-0C0A-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-0044-0C0A-0000-0000000FF1CE}
Microsoft Office OneNote MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-00A1-0C0A-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-001A-0C0A-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-0018-0C0A-0000-0000000FF1CE}
Microsoft Office Proof (Basque) 2007 --> MsiExec.exe /X{90120000-001F-042D-0000-0000000FF1CE}
Microsoft Office Proof (Catalan) 2007 --> MsiExec.exe /X{90120000-001F-0403-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Galician) 2007 --> MsiExec.exe /X{90120000-001F-0456-0000-0000000FF1CE}
Microsoft Office Proof (Portuguese (Brazil)) 2007 --> MsiExec.exe /X{90120000-001F-0416-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (Spanish) 2007 --> MsiExec.exe /X{90120000-002C-0C0A-0000-0000000FF1CE}
Microsoft Office Publisher MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-0019-0C0A-0000-0000000FF1CE}
Microsoft Office Shared MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-006E-0C0A-0000-0000000FF1CE}
Microsoft Office Word MUI (Spanish) 2007 --> MsiExec.exe /X{90120000-001B-0C0A-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mIRC --> C:\Archivos de programa\mIRC\uninstall.exe _?=C:\Archivos de programa\mIRC
MSN --> C:\Archivos de programa\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Ultra Edition --> MsiExec.exe /I{9A3D392C-B0BB-400A-A761-4B1497911034}
NOD32 antivirus system --> C:\Archivos de programa\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1 --> "C:\Archivos de programa\Eset\unins000.exe"
Omega script 0.9.3 --> C:\Archivos de programa\mIRC\uninst.exe
PowerDVD --> RunDll32 C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Archivos de programa\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Service Pack 2 para Windows XP --> C:\WINDOWS\system32\sysocmgr.exe
SupremeL2 Lineage II --> MsiExec.exe /I{C9CEB3CF-B929-4081-9AA9-16BCE2CD9338}
Tema de escritorio Blax XE --> "C:\WINDOWS\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
User Profile Hive Cleanup Service --> MsiExec.exe /X{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
VideoLAN VLC media player 0.8.6c --> C:\Archivos de programa\VideoLAN\VLC\uninstall.exe
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Winamp --> "C:\Archivos de programa\Winamp\UninstWA.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Asistente para el inicio de sesión --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live installer --> MsiExec.exe /X{9E1DDBE7-BF44-4AC8-87CA-3D25FC63C6E1}
Windows Live Messenger --> MsiExec.exe /X{FC411B47-30BF-428C-9C1E-F6C54A94EA7E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Presentation Foundation Language Pack (ESN) --> MsiExec.exe /X{5668914A-431C-4910-94E7-F6673615B538}
Windows Workflow Foundation ES Language Pack --> MsiExec.exe /I{AB588DC0-FC95-42D2-908F-BCAD99596282}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPcap 4.0.2 --> C:\Archivos de programa\WinPcap\uninstall.exe
WinRAR archiver --> C:\Archivos de programa\WinRAR\uninstall.exe
XML Paper Specification Shared Components Language Pack 1.0 --> "C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type5277 / Error
Event Submitted/Written: 05/24/2008 00:37:05 PM
Event ID/Source: 4099 / WmiAdapter
Event Description:
Error al abrir el servicio.

Event Record #/Type5276 / Error
Event Submitted/Written: 05/24/2008 00:37:04 PM
Event ID/Source: 4099 / WmiAdapter
Event Description:
Error al abrir el servicio.

Event Record #/Type5275 / Error
Event Submitted/Written: 05/24/2008 00:37:04 PM
Event ID/Source: 4099 / WmiAdapter
Event Description:
Error al abrir el servicio.

Event Record #/Type5274 / Error
Event Submitted/Written: 05/24/2008 00:37:03 PM
Event ID/Source: 4099 / WmiAdapter
Event Description:
Error al abrir el servicio.

Event Record #/Type5273 / Error
Event Submitted/Written: 05/24/2008 00:37:02 PM
Event ID/Source: 4099 / WmiAdapter
Event Description:
Error al abrir el servicio.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13633 / Error
Event Submitted/Written: 05/24/2008 00:29:20 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM ha obtenido un error "%%1058" al intentar iniciar el servicio wuauserv con argumentos ""
para ejecutar el servidor:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type13628 / Error
Event Submitted/Written: 05/24/2008 11:42:23 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM ha obtenido un error "%%1058" al intentar iniciar el servicio usnjsvc con argumentos ""
para ejecutar el servidor:
{98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Event Record #/Type13627 / Error
Event Submitted/Written: 05/24/2008 11:42:12 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM ha obtenido un error "%%1058" al intentar iniciar el servicio usnjsvc con argumentos ""
para ejecutar el servidor:
{98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Event Record #/Type13626 / Error
Event Submitted/Written: 05/24/2008 11:42:02 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM ha obtenido un error "%%1058" al intentar iniciar el servicio usnjsvc con argumentos ""
para ejecutar el servidor:
{98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Event Record #/Type13625 / Error
Event Submitted/Written: 05/24/2008 11:41:51 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM ha obtenido un error "%%1058" al intentar iniciar el servicio usnjsvc con argumentos ""
para ejecutar el servidor:
{98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}



-- End of Deckard's System Scanner: finished at 2008-05-24 12:45:56 ------------

================================================================================
==================
  • 0

#7
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
I can't see any signs of Vundo/Virtumonde in your logs. You are probably finding left over items from the infection.
  • Please download VundoFix.exe by Atribune from Atribune and save it to your desktop.
  • Double click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

If you receive this error - "Run-time error '339': Component 'comdlg32.ocx' or one its dependencies not correctly registered: a file is missing or invalid" , please let me know.
  • 0

#8
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
I can't see any signs of Vundo/Virtumonde in your logs. You are probably finding left over items from the infection.
  • Please download VundoFix.exe by Atribune from Atribune and save it to your desktop.
  • Double click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

If you receive this error - "Run-time error '339': Component 'comdlg32.ocx' or one its dependencies not correctly registered: a file is missing or invalid" , please let me know.
  • 0

#9
cassano

cassano

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
hello again, well i did what you asked me to do, vundofix didnt find anything, may be this time malwarebytes atually erased everything, anyway probably my comp is now clean (nice) and if theres something for increase performance in the comp and internet ( example: in ventrilo i have an incredible ping that i cant even talk or heard anymore ) because it started when vundo appeared, may be did somthing on somewhere else who knows T_T, anyway if my comp is trully clean i would like to read it from you, here are the logs

================================================================================
==================

VundoFix V7.0.5

Scan started at 16:04:50 2008-05-24

Listing files found while scanning....

No infected files were found.


================================================================================
==================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:17, on 2008-05-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Archivos de programa\mIRC\mirc.exe
C:\Documents and Settings\Admin\Escritorio\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 216.107.242.199 l2authd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Archivos de programa\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Complemento del Asistente para Internet de Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Asistente para Internet de Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Barra de búsqueda de Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe

--
End of file - 5998 bytes
  • 0

#10
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Try reading this link:
http://users.telenet...owcomputer.html
I will leave this thread open for a while so you can reply if your Anti Virus finds anything. Let me know if it does. Tell me the exact details of what is found if you do.
  • 0

#11
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Please download OTCleanIt from HERE to your desktop.
Double click to run it. It will clean up the assortment of tools used during malware removal. When it has finnished, it will ask you to reboot so it can remove itself.
  • 0

#12
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP