Trojan-spy.HTML.smitfraud.c


This topic is locked

#1 ignacio (New Member, 8 posts)
My system is infected with a trojan that shows a warning symbol in the taskbar (it seems I have solved this with KillBox, following instructions in other posts), changes my default home page, shows a security warning message on my desktop, etc. Below is my Ad-Aware log:

Ad-Aware SE Build 1.05
Logfile Created on:Lunes, 09 de Mayo de 2005 10:29:32 a.m.
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R43 06.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CommonName(TAC index:7):3 total references
Tracking Cookie(TAC index:3):1 total references
Windows(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R43 06.05.2005
Internal build : 50
File location : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 467649 Bytes
Total size : 1414672 Bytes
Signature data size : 1383852 Bytes
Reference data size : 30308 Bytes
Signatures total : 39494
Fingerprints total : 847
Fingerprints size : 28739 Bytes
Target categories : 15
Target families : 663

09-05-2005 10:11:56 a.m. Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R43 06.05.2005
Internal build : 51
File location : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 467649 Bytes
Total size : 1414672 Bytes
Signature data size : 1383852 Bytes
Reference data size : 30308 Bytes
Signatures total : 39494
Fingerprints total : 847
Fingerprints size : 28739 Bytes
Target categories : 15
Target families : 663


09-05-2005 10:12:38 a.m. Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:8 %
Total physical memory:245232 kb
Available physical memory:17448 kb
Total page file size:599732 kb
Available on page file:333784 kb
Total virtual memory:2097024 kb
Available virtual memory:2029196 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


09-05-2005 10:29:32 a.m. - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 544
ThreadCreationTime : 09-05-2005 01:05:12 p.m.
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 592
ThreadCreationTime : 09-05-2005 01:05:15 p.m.
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 616
ThreadCreationTime : 09-05-2005 01:05:17 p.m.
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 660
ThreadCreationTime : 09-05-2005 01:05:19 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Aplicación de servicios y controlador
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 672
ThreadCreationTime : 09-05-2005 01:05:19 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 832
ThreadCreationTime : 09-05-2005 01:05:22 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 916
ThreadCreationTime : 09-05-2005 01:05:24 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k netsvcs
ProcessID : 1124
ThreadCreationTime : 09-05-2005 01:05:25 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 1184
ThreadCreationTime : 09-05-2005 01:05:26 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1312
ThreadCreationTime : 09-05-2005 01:05:27 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1496
ThreadCreationTime : 09-05-2005 01:05:29 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [avgamsvr.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
Command Line : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
ProcessID : 1756
ThreadCreationTime : 09-05-2005 01:05:39 p.m.
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:13 [avgupsvc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
Command Line : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
ProcessID : 1796
ThreadCreationTime : 09-05-2005 01:05:39 p.m.
BasePriority : Normal
FileVersion : 7,1,0,285
ProductVersion : 7.1.0.285
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:14 [mdm.exe]
ModuleName : C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
Command Line : "C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE"
ProcessID : 1836
ThreadCreationTime : 09-05-2005 01:05:39 p.m.
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:15 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k imgsvc
ProcessID : 1876
ThreadCreationTime : 09-05-2005 01:05:40 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 1892
ThreadCreationTime : 09-05-2005 01:05:40 p.m.
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:17 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 568
ThreadCreationTime : 09-05-2005 01:05:47 p.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorador de Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : EXPLORER.EXE

#:18 [shnlog.exe]
ModuleName : C:\WINDOWS\system32\shnlog.exe
Command Line : "C:\WINDOWS\system32\shnlog.exe"
ProcessID : 1228
ThreadCreationTime : 09-05-2005 01:05:52 p.m.
BasePriority : Normal

ProductVersion : 1.7

#:19 [khooker.exe]
ModuleName : C:\WINDOWS\system32\khooker.exe
Command Line : "C:\WINDOWS\system32\khooker.exe"
ProcessID : 1256
ThreadCreationTime : 09-05-2005 01:05:54 p.m.
BasePriority : Normal
FileVersion : 0, 0, 0, 2030
ProductVersion : 0, 0, 0, 2030
ProductName : SIS ® Compatible Super VGA keyboard daemon for Windows 2000/XP
CompanyName : Silicon Integrated Systems Corporation
FileDescription : SiS Compatible Super VGA Keyboard Daemon
InternalName : KHOOKER 2.03.50
LegalCopyright : Copyright © Silicon Integrated Systems Corp. 1998-2002
OriginalFilename : KHOOKER.EXE
Comments : SiS Compatible Super VGA Keyboard Daemon

#:20 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 1264
ThreadCreationTime : 09-05-2005 01:05:55 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:21 [pctspk.exe]
ModuleName : C:\WINDOWS\system32\pctspk.exe
Command Line : "C:\WINDOWS\system32\pctspk.exe"
ProcessID : 1272
ThreadCreationTime : 09-05-2005 01:05:55 p.m.
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : pctvoice Application
FileDescription : pctvoice MFC Application
InternalName : pctvoice
LegalCopyright : Copyright © 2001
OriginalFilename : pctvoice.EXE

#:22 [avgcc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
Command Line : "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
ProcessID : 1484
ThreadCreationTime : 09-05-2005 01:05:57 p.m.
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:23 [intmon.exe]
ModuleName : C:\WINDOWS\system32\intmon.exe
Command Line : intmon.exe
ProcessID : 1288
ThreadCreationTime : 09-05-2005 01:05:58 p.m.
BasePriority : Normal


#:24 [avgemc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
Command Line : "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe"
ProcessID : 1572
ThreadCreationTime : 09-05-2005 01:05:59 p.m.
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:25 [duesystraycd.exe]
ModuleName : C:\Archivos de programa\DUE\DUESystrayCD.exe
Command Line : "C:\Archivos de programa\DUE\DUESystrayCD.exe"
ProcessID : 1588
ThreadCreationTime : 09-05-2005 01:05:59 p.m.
BasePriority : Normal
FileVersion : 1.00.0283
ProductVersion : 1.00.0283
ProductName : DUESysTray
CompanyName : SIGNUM
InternalName : DUESysTrayCD
LegalCopyright : Desarrollado por Marco Mendoza para SIGNUM Cía. Ltda.
OriginalFilename : DUESysTrayCD.exe

#:26 [qoeloader.exe]
ModuleName : C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe
Command Line : "C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe"
ProcessID : 1620
ThreadCreationTime : 09-05-2005 01:06:01 p.m.
BasePriority : Normal
FileVersion : 2.1.213.4
ProductVersion : 2.1.213.4
ProductName : QOELoader Application
CompanyName : Qurb, Inc.
FileDescription : QOELoader Application
InternalName : QOELoader
LegalCopyright : Copyright © 2002, 2003 Qurb, Inc. All rights reserved.
OriginalFilename : QOELoader.exe

#:27 [acrotray.exe]
ModuleName : C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
Command Line : "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
ProcessID : 1936
ThreadCreationTime : 09-05-2005 01:06:02 p.m.
BasePriority : Normal
FileVersion : 6.0.1.2004121400
ProductVersion : 6.0.1.2004121400
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2004 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe

#:28 [kemailkb.exe]
ModuleName : C:\ARCHIV~1\KEMailKb\KEMailKb.EXE
Command Line : "C:\ARCHIV~1\KEMailKb\KEMailKb.EXE"
ProcessID : 192
ThreadCreationTime : 09-05-2005 01:06:04 p.m.
BasePriority : Normal
FileVersion : 1,2,0,1
ProductVersion : 4, 15, 0, 2002
ProductName : Dritek System Inc. MMKeybd 04.15.2002 ( VC60 )
CompanyName : Dritek System Inc.
FileDescription : MultiMedia Keyboard
InternalName : MMKeybd
LegalCopyright : Copyright © 2001-2002 Dritek System Inc.
OriginalFilename : MMKeybd.exe

#:29 [skype.exe]
ModuleName : C:\Archivos de programa\Skype\Phone\Skype.exe
Command Line : "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
ProcessID : 964
ThreadCreationTime : 09-05-2005 01:06:07 p.m.
BasePriority : Normal


#:30 [hpohmr08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe"
ProcessID : 2132
ThreadCreationTime : 09-05-2005 01:06:15 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOHMR08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOHMR08.EXE
Comments : HP OfficeJet <Homer> Series COM Device Objects

#:31 [hpotdd01.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
ProcessID : 2144
ThreadCreationTime : 09-05-2005 01:06:15 p.m.
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:32 [hpoevm08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe" -Embedding
ProcessID : 2216
ThreadCreationTime : 09-05-2005 01:06:21 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:33 [msimn.exe]
ModuleName : C:\Archivos de programa\Outlook Express\msimn.exe
Command Line : "C:\Archivos de programa\Outlook Express\msimn.exe"
ProcessID : 2224
ThreadCreationTime : 09-05-2005 01:06:21 p.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Outlook Express
InternalName : MSIMN
LegalCopyright : © 2004 Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : MSIMN.EXE

#:34 [hposts08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe" /CtxID "#Hewlett-Packard#hp psc 1200 series#1111599258" /Startup
ProcessID : 2356
ThreadCreationTime : 09-05-2005 01:06:25 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status

#:35 [excel.exe]
ModuleName : C:\Archivos de programa\Microsoft Office\OFFICE11\EXCEL.EXE
Command Line : "C:\Archivos de programa\Microsoft Office\OFFICE11\EXCEL.EXE" /e
ProcessID : 2600
ThreadCreationTime : 09-05-2005 01:06:31 p.m.
BasePriority : Normal


#:36 [iexplore.exe]
ModuleName : C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
Command Line : "C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE"
ProcessID : 2808
ThreadCreationTime : 09-05-2005 01:07:27 p.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : IEXPLORE.EXE

#:37 [ad-aware.exe]
ModuleName : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 3060
ThreadCreationTime : 09-05-2005 01:09:36 p.m.
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:38 [winword.exe]
ModuleName : C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
Command Line : "C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde
ProcessID : 3104
ThreadCreationTime : 09-05-2005 01:10:42 p.m.
BasePriority : Normal


#:39 [tw4win.exe]
ModuleName : C:\Archivos de programa\TRADOS\T65_LSP\TT\TW4Win.exe
Command Line : "C:\Archivos de programa\TRADOS\T65_LSP\TT\TW4Win.exe" "E:\2005\Translations.com\National Analysts\TM\National Analysts.tmw"
ProcessID : 3336
ThreadCreationTime : 09-05-2005 01:15:08 p.m.
BasePriority : Normal
FileVersion : TRADOS 6 6.5.5, Build 439
ProductVersion : TRADOS 6 6.5.5, Build 439
ProductName : TRADOS 6
CompanyName : TRADOS GmbH, Stuttgart
FileDescription : TRADOS Translator's Workbench
InternalName : TW4Win
LegalCopyright : Copyright © 1992-2004 TRADOS GmbH, TRADOS Ireland Ltd.
OriginalFilename : Tw4Win.exe
Comments : http://www.trados.com

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CommonName Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}

CommonName Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}
Value :

CommonName Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}

Windows Object Recognized!
Type : RegData
Data : explorer.exe, msmsgs.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe, msmsgs.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 05-05-2015 04:54:04 p.m.
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 5



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
42 entries scanned.
New critical objects:0
Objects found so far: 5




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

10:53:05 a.m. Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:23:32.411
Objects scanned:154913
Objects identified:5
Objects ignored:0
New critical objects:5
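The one finding in this log that is not a cookie or a stale CLSID is the "Shell Possibly Compromised" entry: the Winlogon Shell value reads "explorer.exe, msmsgs.exe" where Windows XP expects "explorer.exe" alone, so Winlogon is starting a second program at every logon. As an added example (not code from the original post, from Lavasoft, or from Geeks to Go), here is a small Python parser for the Ad-Aware SE log format above that pulls out the "... Object Recognized!" blocks and checks that Shell value against the expected default. The embedded log excerpt is constructed from the findings posted above, and the function and class names are mine.

```python
"""Parse an Ad-Aware SE log and flag a modified Winlogon Shell value.

Added example for this thread, not Lavasoft's code. It reads the
"<Family> Object Recognized!" blocks and checks the "Shell Possibly
Compromised" finding: on Windows XP the Winlogon Shell value should be
exactly "explorer.exe", so every extra entry in that comma-separated
list is a program Winlogon launches alongside Explorer at logon and
deserves a look.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the format of the log posted above (not a full log).
SAMPLE_LOG = """\
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CommonName Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\\{1e1b2878-88ff-11d2-8d96-d7acac95951f}

Windows Object Recognized!
Type : RegData
Data : explorer.exe, msmsgs.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\\microsoft\\windows nt\\currentversion\\winlogon
Value : Shell
Data : explorer.exe, msmsgs.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
"""


@dataclass
class Finding:
    family: str                       # e.g. "CommonName", "Windows", "Tracking Cookie"
    fields: dict = field(default_factory=dict)


HEADER = re.compile(r"^(?P<family>.+?) Object Recognized!$")
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s?(?P<val>.*)$")


def parse_findings(text):
    """Return one Finding per '... Object Recognized!' block in the log."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = Finding(m.group("family"))
            findings.append(current)
            continue
        if not line:                  # a blank line ends the block
            current = None
            continue
        if current is not None:
            m = FIELD.match(line)
            if m:
                key, val = m.group("key"), m.group("val").strip()
                # Ad-Aware prints "Data" twice for RegData entries; keep the non-empty one.
                if key not in current.fields or val:
                    current.fields[key] = val
    return findings


EXPECTED_SHELL = {"explorer.exe"}     # XP default: Winlogon\Shell = "explorer.exe"


def shell_anomalies(findings):
    """Entries in the Winlogon Shell value other than explorer.exe (lower-cased)."""
    extra = []
    for f in findings:
        obj = f.fields.get("Object", "").lower()
        if f.fields.get("Value") == "Shell" and obj.endswith("\\winlogon"):
            entries = [e.strip().lower()
                       for e in f.fields.get("Data", "").split(",") if e.strip()]
            extra.extend(e for e in entries if e not in EXPECTED_SHELL)
    return extra


def summarize(text):
    """Count findings per family and list any extra Shell entries."""
    findings = parse_findings(text)
    by_family = {}
    for f in findings:
        by_family[f.family] = by_family.get(f.family, 0) + 1
    return {"families": by_family, "shell_extra": shell_anomalies(findings)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the log above the parser reports two findings (one CommonName, one Windows) and returns ["msmsgs.exe"] as the extra Shell entry. Whether that extra entry is the real Windows Messenger binary or something named to look like it cannot be decided from the log alone; the location and hash of the file that name resolves to is what the next step of any cleanup should establish.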


#2 [email protected];<'S (Member, 135 posts)
ignacio,
Please can you try at least two, if not more, of these on-line scans:
Panda
Symantec
McAfee
TrendMicro
Bit Defender
RAV
Kaspersky
CommandonDemand
Computer Associates
CyberTechHelp
PC Pitstop
Stinger

a2
or download and try
TrojanHunter (Note: Trojan scanner, 30-day trial)
After you have done the on-line scans, please clear out your cache folder, i.e. the Temporary Internet Files folder. There are some free programs that you can use that will do that for you if needed, like ;)
CCleaner. Also,
please can you make sure that you still have ticks by these:
"Unload recognized processes during scanning",
"Let Windows remove files in use after reboot."
To do this, open Ad-Aware SE,
click "Settings" (the gear),
then click "Tweaks",
then click "Scanning Engine",
tick "Unload recognized processes during scanning",
then click "Cleaning Engine"
and tick
"Let Windows remove files in use after reboot.",
then click "Proceed".
Now use the WebUpdate
(to make sure you are up to date). If you want to clean your PC, then scan by doing a "Full Scan", and once the scan has finished
mark and remove the items, then reboot (i.e. re-start your PC).
Then re-scan doing a "Full Scan" and then post your logfile here by using the Add Reply feature.

Please NOTE, from the AAW SE help file, if you set "Read current settings from system:" under "default settings" in Ad-Aware SE:

Default IE Pages
Default homepage: Ad-Aware SE uses the defined homepage when recovering from a browser hijack

Default Search Engine: Ad-Aware SE uses the defined search engine when recovering from a browser hijack

[email protected];<'S :tazz:

#3 ignacio (Topic Starter, New Member, 8 posts)
Thanks for your help. I followed your instructions and here's the new log:


Ad-Aware SE Build 1.05
Logfile Created on:Lunes, 09 de Mayo de 2005 05:18:30 p.m.
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R43 06.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CommonName(TAC index:7):3 total references
Tracking Cookie(TAC index:3):2 total references
Windows(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R43 06.05.2005
Internal build : 50
File location : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 467649 Bytes
Total size : 1414672 Bytes
Signature data size : 1383852 Bytes
Reference data size : 30308 Bytes
Signatures total : 39494
Fingerprints total : 847
Fingerprints size : 28739 Bytes
Target categories : 15
Target families : 663

09-05-2005 10:11:56 a.m. Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R43 06.05.2005
Internal build : 51
File location : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 467649 Bytes
Total size : 1414672 Bytes
Signature data size : 1383852 Bytes
Reference data size : 30308 Bytes
Signatures total : 39494
Fingerprints total : 847
Fingerprints size : 28739 Bytes
Target categories : 15
Target families : 663


09-05-2005 10:12:38 a.m. Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:21 %
Total physical memory:245232 kb
Available physical memory:49520 kb
Total page file size:599732 kb
Available on page file:153132 kb
Total virtual memory:2097024 kb
Available virtual memory:2009832 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


09/05/2005 05:18:30 p.m. - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 544
ThreadCreationTime : 09/05/2005 01:05:12 p.m.
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 592
ThreadCreationTime : 09/05/2005 01:05:15 p.m.
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 616
ThreadCreationTime : 09/05/2005 01:05:17 p.m.
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 660
ThreadCreationTime : 09/05/2005 01:05:19 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Aplicación de servicios y controlador
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 672
ThreadCreationTime : 09/05/2005 01:05:19 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 832
ThreadCreationTime : 09/05/2005 01:05:22 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 916
ThreadCreationTime : 09/05/2005 01:05:24 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k netsvcs
ProcessID : 1124
ThreadCreationTime : 09/05/2005 01:05:25 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 1184
ThreadCreationTime : 09/05/2005 01:05:26 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1312
ThreadCreationTime : 09/05/2005 01:05:27 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1496
ThreadCreationTime : 09/05/2005 01:05:29 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [avgamsvr.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
Command Line : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
ProcessID : 1756
ThreadCreationTime : 09/05/2005 01:05:39 p.m.
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:13 [avgupsvc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
Command Line : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
ProcessID : 1796
ThreadCreationTime : 09/05/2005 01:05:39 p.m.
BasePriority : Normal
FileVersion : 7,1,0,285
ProductVersion : 7.1.0.285
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:14 [mdm.exe]
ModuleName : C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
Command Line : "C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE"
ProcessID : 1836
ThreadCreationTime : 09/05/2005 01:05:39 p.m.
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:15 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k imgsvc
ProcessID : 1876
ThreadCreationTime : 09/05/2005 01:05:40 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 1892
ThreadCreationTime : 09/05/2005 01:05:40 p.m.
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:17 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 568
ThreadCreationTime : 09/05/2005 01:05:47 p.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorador de Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : EXPLORER.EXE

#:18 [shnlog.exe]
ModuleName : C:\WINDOWS\system32\shnlog.exe
Command Line : "C:\WINDOWS\system32\shnlog.exe"
ProcessID : 1228
ThreadCreationTime : 09/05/2005 01:05:52 p.m.
BasePriority : Normal

ProductVersion : 1.7

#:19 [khooker.exe]
ModuleName : C:\WINDOWS\system32\khooker.exe
Command Line : "C:\WINDOWS\system32\khooker.exe"
ProcessID : 1256
ThreadCreationTime : 09/05/2005 01:05:54 p.m.
BasePriority : Normal
FileVersion : 0, 0, 0, 2030
ProductVersion : 0, 0, 0, 2030
ProductName : SIS ® Compatible Super VGA keyboard daemon for Windows 2000/XP
CompanyName : Silicon Integrated Systems Corporation
FileDescription : SiS Compatible Super VGA Keyboard Daemon
InternalName : KHOOKER 2.03.50
LegalCopyright : Copyright © Silicon Integrated Systems Corp. 1998-2002
OriginalFilename : KHOOKER.EXE
Comments : SiS Compatible Super VGA Keyboard Daemon

#:20 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 1264
ThreadCreationTime : 09/05/2005 01:05:55 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:21 [pctspk.exe]
ModuleName : C:\WINDOWS\system32\pctspk.exe
Command Line : "C:\WINDOWS\system32\pctspk.exe"
ProcessID : 1272
ThreadCreationTime : 09/05/2005 01:05:55 p.m.
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : pctvoice Application
FileDescription : pctvoice MFC Application
InternalName : pctvoice
LegalCopyright : Copyright © 2001
OriginalFilename : pctvoice.EXE

#:22 [avgcc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
Command Line : "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
ProcessID : 1484
ThreadCreationTime : 09/05/2005 01:05:57 p.m.
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:23 [intmon.exe]
ModuleName : C:\WINDOWS\system32\intmon.exe
Command Line : intmon.exe
ProcessID : 1288
ThreadCreationTime : 09/05/2005 01:05:58 p.m.
BasePriority : Normal


#:24 [avgemc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
Command Line : "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe"
ProcessID : 1572
ThreadCreationTime : 09/05/2005 01:05:59 p.m.
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:25 [duesystraycd.exe]
ModuleName : C:\Archivos de programa\DUE\DUESystrayCD.exe
Command Line : "C:\Archivos de programa\DUE\DUESystrayCD.exe"
ProcessID : 1588
ThreadCreationTime : 09/05/2005 01:05:59 p.m.
BasePriority : Normal
FileVersion : 1.00.0283
ProductVersion : 1.00.0283
ProductName : DUESysTray
CompanyName : SIGNUM
InternalName : DUESysTrayCD
LegalCopyright : Desarrollado por Marco Mendoza para SIGNUM Cía. Ltda.
OriginalFilename : DUESysTrayCD.exe

#:26 [qoeloader.exe]
ModuleName : C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe
Command Line : "C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe"
ProcessID : 1620
ThreadCreationTime : 09/05/2005 01:06:01 p.m.
BasePriority : Normal
FileVersion : 2.1.213.4
ProductVersion : 2.1.213.4
ProductName : QOELoader Application
CompanyName : Qurb, Inc.
FileDescription : QOELoader Application
InternalName : QOELoader
LegalCopyright : Copyright © 2002, 2003 Qurb, Inc. All rights reserved.
OriginalFilename : QOELoader.exe

#:27 [acrotray.exe]
ModuleName : C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
Command Line : "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
ProcessID : 1936
ThreadCreationTime : 09/05/2005 01:06:02 p.m.
BasePriority : Normal
FileVersion : 6.0.1.2004121400
ProductVersion : 6.0.1.2004121400
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2004 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe

#:28 [skype.exe]
ModuleName : C:\Archivos de programa\Skype\Phone\Skype.exe
Command Line : "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
ProcessID : 964
ThreadCreationTime : 09/05/2005 01:06:07 p.m.
BasePriority : Normal


#:29 [hpohmr08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe"
ProcessID : 2132
ThreadCreationTime : 09/05/2005 01:06:15 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOHMR08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOHMR08.EXE
Comments : HP OfficeJet <Homer> Series COM Device Objects

#:30 [hpotdd01.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
ProcessID : 2144
ThreadCreationTime : 09/05/2005 01:06:15 p.m.
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:31 [hpoevm08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe" -Embedding
ProcessID : 2216
ThreadCreationTime : 09/05/2005 01:06:21 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:32 [msimn.exe]
ModuleName : C:\Archivos de programa\Outlook Express\msimn.exe
Command Line : "C:\Archivos de programa\Outlook Express\msimn.exe"
ProcessID : 2224
ThreadCreationTime : 09/05/2005 01:06:21 p.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Outlook Express
InternalName : MSIMN
LegalCopyright : © 2004 Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : MSIMN.EXE

#:33 [hposts08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe" /CtxID "#Hewlett-Packard#hp psc 1200 series#1111599258" /Startup
ProcessID : 2356
ThreadCreationTime : 09/05/2005 01:06:25 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status

#:34 [excel.exe]
ModuleName : C:\Archivos de programa\Microsoft Office\OFFICE11\EXCEL.EXE
Command Line : "C:\Archivos de programa\Microsoft Office\OFFICE11\EXCEL.EXE" /e
ProcessID : 2600
ThreadCreationTime : 09/05/2005 01:06:31 p.m.
BasePriority : Normal


#:35 [iexplore.exe]
ModuleName : C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
Command Line : "C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE"
ProcessID : 2808
ThreadCreationTime : 09/05/2005 01:07:27 p.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : IEXPLORE.EXE

#:36 [ad-aware.exe]
ModuleName : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 3060
ThreadCreationTime : 09/05/2005 01:09:36 p.m.
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:37 [winword.exe]
ModuleName : C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
Command Line : "C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde
ProcessID : 3104
ThreadCreationTime : 09/05/2005 01:10:42 p.m.
BasePriority : Normal


#:38 [osd.exe]
ModuleName : C:\Archivos de programa\OSD\osd.exe
Command Line : "C:\Archivos de programa\OSD\osd.exe"
ProcessID : 3948
ThreadCreationTime : 09/05/2005 03:30:40 p.m.
BasePriority : Normal
FileVersion : 1, 1, 0, 1
ProductVersion : 1, 1, 0, 1
ProductName : OSD
CompanyName : Oxford University Press
FileDescription : Oxford Spanish Dictionary
InternalName : OSD
LegalCopyright : © OUP 2003
OriginalFilename : OSD.EXE
Comments : Software designed by Tony Smith ([email protected])

#:39 [tdtpro.exe]
ModuleName : C:\Archivos de programa\Word Magic Software\Translation Dictionary & Tools Professional\tdtpro.exe
Command Line : "C:\Archivos de programa\Word Magic Software\Translation Dictionary & Tools Professional\tdtpro.exe"
ProcessID : 308
ThreadCreationTime : 09/05/2005 07:09:26 p.m.
BasePriority : Normal
FileVersion : 3.0.14.102
ProductName : Word Magic Tools Professional
CompanyName : Word Magic Software Inc.
FileDescription : Word Magic Tools Professional Executable File
InternalName : tdtpro
LegalCopyright : Copyright 1993-2001 Word Magic Software Inc.
LegalTrademarks : Word Magic Software, Word Magic Tools
OriginalFilename : wmtpro.exe
Comments : Word Magic Tools Professional from Word Magic Software Inc.

#:40 [tw4win.exe]
ModuleName : C:\Archivos de programa\TRADOS\T65_LSP\TT\TW4Win.exe
Command Line : "C:\Archivos de programa\TRADOS\T65_LSP\TT\TW4Win.exe" "E:\2005\Translations.com\National Analysts\TM\National Analysts.tmw"
ProcessID : 2488
ThreadCreationTime : 09/05/2005 07:57:04 p.m.
BasePriority : Normal
FileVersion : TRADOS 6 6.5.5, Build 439
ProductVersion : TRADOS 6 6.5.5, Build 439
ProductName : TRADOS 6
CompanyName : TRADOS GmbH, Stuttgart
FileDescription : TRADOS Translator's Workbench
InternalName : TW4Win
LegalCopyright : Copyright © 1992-2004 TRADOS GmbH, TRADOS Ireland Ltd.
OriginalFilename : Tw4Win.exe
Comments : http://www.trados.com

#:41 [ose.exe]
ModuleName : C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE
Command Line : "C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE"
ProcessID : 2312
ThreadCreationTime : 09/05/2005 08:13:59 p.m.
BasePriority : Normal


Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CommonName Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}

CommonName Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}
Value :

CommonName Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}

Windows Object Recognized!
Type : RegData
Data : explorer.exe, msmsgs.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe, msmsgs.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 08/05/2008 03:49:38 p.m.
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
Category : Data Miner
Comment : Hits:9
Value : Cookie:[email protected]/
Expires : 07/05/2015 03:57:06 p.m.
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 6



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
42 entries scanned.
New critical objects:0
Objects found so far: 6




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

05:39:10 p.m. Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:20:40.53
Objects scanned:143482
Objects identified:6
Objects ignored:0
New critical objects:6

#4
Guest_Andy_veal_*
  • Guest
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the following processes:

List any files going to be deleted that are running

Exit Task Manager.

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it for use while in Safe Mode.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop but do NOT run it yet.

* Please reboot into Safe Mode by restarting your computer and tapping F8 continuously as your computer is booting up until a menu appears. Use your up arrow key to highlight "Safe Mode", then hit Enter.

* Once in Safe Mode, please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting them and pressing CTRL + C:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Yes, we need you to go back into Safe Mode!

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way):

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

1.) Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new Ad-Aware SE log.
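The "Shell Possibly Compromised" finding in the log above (Winlogon Shell = "explorer.exe, msmsgs.exe") is the registry side of the msmsgs.exe file the helper lists for Killbox: on Windows XP that value is normally just "explorer.exe", and every extra comma-separated entry is launched by Winlogon at logon, so an extra entry is a persistence point worth checking on any machine showing these symptoms. The script below is an added example, not code from this thread, Lavasoft or Killbox. It parses the "Object Recognized!" blocks of an Ad-Aware SE log into records and reports any non-default entries in the Winlogon Shell value. The sample log excerpt is copied from the scan posted above; the function names are the example's own.

```python
"""Flag Winlogon Shell tampering in an Ad-Aware SE log.

Added example for this thread (not part of the forum post, Ad-Aware or
Killbox). On Windows XP the Winlogon "Shell" value is normally just
"explorer.exe"; every extra comma-separated entry is started at logon,
which is why Ad-Aware reports "explorer.exe, msmsgs.exe" as
"Shell Possibly Compromised".
"""
import re

# Excerpt of the scan log posted in the thread (registry and cookie findings).
SAMPLE_LOG = """\
CommonName Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\\{1e1b2878-88ff-11d2-8d96-d7acac95951f}

Windows Object Recognized!
Type : RegData
Data : explorer.exe, msmsgs.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\\microsoft\\windows nt\\currentversion\\winlogon
Value : Shell
Data : explorer.exe, msmsgs.exe

Tracking Cookie Object Recognized!
Type : IECache Entry
Category : Data Miner
Comment : Hits:2
Expires : 08/05/2008 03:49:38 p.m.
Hits : 2
"""

HEADER = re.compile(r"^(?P<family>.+?) Object Recognized!$")
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
DEFAULT_SHELL = "explorer.exe"


def parse_findings(log_text):
    """Split the log into one dict per "Object Recognized!" block.

    Each "Key : value" line becomes a dict entry; a blank line ends the
    block. Only the first ':' splits, so values such as "Hits:2" or
    "Cookie:..." survive intact.
    """
    findings, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        m = HEADER.match(line)
        if m:
            current = {"Family": m.group("family")}
            findings.append(current)
            continue
        if current is not None:
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return findings


def shell_extras(shell_value):
    """Entries in a Winlogon Shell value other than the default explorer.exe."""
    entries = [e.strip() for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_SHELL]


def suspicious_shell_entries(findings):
    """Extra Shell entries reported for HKLM\\...\\Winlogon, in log order."""
    extras = []
    for f in findings:
        if (f.get("Rootkey") == "HKEY_LOCAL_MACHINE"
                and f.get("Object", "").lower() == WINLOGON_KEY
                and f.get("Value", "").lower() == "shell"):
            extras.extend(shell_extras(f.get("Data", "")))
    return extras


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    print(f"{len(found)} findings parsed")
    for extra in suspicious_shell_entries(found):
        print(f"Winlogon Shell also launches: {extra}")
```

To run it over a real log, read the saved Ad-Aware log file into a string and pass it to parse_findings instead of SAMPLE_LOG; anything returned by suspicious_shell_entries should be cross-checked against the file list in the removal instructions before the value is repaired.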

#5
ignacio
  • New Member
  • Topic Starter
  • 8 posts
Thanks a lot for your help. I did as instructed, except for the ActiveScan step. When I hit the "Scan your PC" button, the spyware triggers and it takes me to http://www.quicknavigate.com. This is also my new homepage. What's strange about this, though, is that if I go to Tools > Internet Options > General, the URL for my homepage is about:blank, but if I press the Home button, it takes me to quicknavigate.

The good news is that though the disease is still there, some stuff improved. My display properties now show all the appropriate tabs, and not only 2. My desktop background is back to normal (it showed some system warning message).

Here's the new Ad-Aware log. I'm also attaching screenshots for a "warning" message triggered by the virus, and the page that shows when I press "Scan your PC".

Thanks!!!


Ad-Aware SE Build 1.05
Logfile Created on:Lunes, 09 de Mayo de 2005 09:04:31 p.m.
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R43 06.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CommonName(TAC index:7):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R43 06.05.2005
Internal build : 51
File location : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 467649 Bytes
Total size : 1414672 Bytes
Signature data size : 1383852 Bytes
Reference data size : 30308 Bytes
Signatures total : 39494
Fingerprints total : 847
Fingerprints size : 28739 Bytes
Target categories : 15
Target families : 663


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:15 %
Total physical memory:245232 kb
Available physical memory:36140 kb
Total page file size:599732 kb
Available on page file:391292 kb
Total virtual memory:2097024 kb
Available virtual memory:2047588 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


09-05-2005 09:04:31 p.m. - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 608
ThreadCreationTime : 09-05-2005 11:53:36 p.m.
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 732
ThreadCreationTime : 09-05-2005 11:53:41 p.m.
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 756
ThreadCreationTime : 09-05-2005 11:53:42 p.m.
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 800
ThreadCreationTime : 09-05-2005 11:53:44 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Aplicación de servicios y controlador
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 812
ThreadCreationTime : 09-05-2005 11:53:45 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 972
ThreadCreationTime : 09-05-2005 11:53:48 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 1060
ThreadCreationTime : 09-05-2005 11:53:49 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k netsvcs
ProcessID : 1300
ThreadCreationTime : 09-05-2005 11:53:51 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 1328
ThreadCreationTime : 09-05-2005 11:53:51 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1456
ThreadCreationTime : 09-05-2005 11:53:52 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1608
ThreadCreationTime : 09-05-2005 11:53:54 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [avgamsvr.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
Command Line : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
ProcessID : 1900
ThreadCreationTime : 09-05-2005 11:54:04 p.m.
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:13 [avgupsvc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
Command Line : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
ProcessID : 1940
ThreadCreationTime : 09-05-2005 11:54:04 p.m.
BasePriority : Normal
FileVersion : 7,1,0,285
ProductVersion : 7.1.0.285
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:14 [mdm.exe]
ModuleName : C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
Command Line : "C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE"
ProcessID : 1980
ThreadCreationTime : 09-05-2005 11:54:05 p.m.
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:15 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k imgsvc
ProcessID : 2020
ThreadCreationTime : 09-05-2005 11:54:05 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 2040
ThreadCreationTime : 09-05-2005 11:54:06 p.m.
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:17 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 520
ThreadCreationTime : 09-05-2005 11:54:12 p.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorador de Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : EXPLORER.EXE

#:18 [shnlog.exe]
ModuleName : C:\WINDOWS\system32\shnlog.exe
Command Line : "C:\WINDOWS\system32\shnlog.exe"
ProcessID : 1264
ThreadCreationTime : 09-05-2005 11:54:18 p.m.
BasePriority : Normal

ProductVersion : 1.7

#:19 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 1316
ThreadCreationTime : 09-05-2005 11:54:19 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:20 [intmon.exe]
ModuleName : C:\WINDOWS\system32\intmon.exe
Command Line : intmon.exe
ProcessID : 1500
ThreadCreationTime : 09-05-2005 11:54:21 p.m.
BasePriority : Normal


#:21 [khooker.exe]
ModuleName : C:\WINDOWS\system32\khooker.exe
Command Line : "C:\WINDOWS\system32\khooker.exe"
ProcessID : 1660
ThreadCreationTime : 09-05-2005 11:54:24 p.m.
BasePriority : Normal
FileVersion : 0, 0, 0, 2030
ProductVersion : 0, 0, 0, 2030
ProductName : SIS ® Compatible Super VGA keyboard daemon for Windows 2000/XP
CompanyName : Silicon Integrated Systems Corporation
FileDescription : SiS Compatible Super VGA Keyboard Daemon
InternalName : KHOOKER 2.03.50
LegalCopyright : Copyright © Silicon Integrated Systems Corp. 1998-2002
OriginalFilename : KHOOKER.EXE
Comments : SiS Compatible Super VGA Keyboard Daemon

#:22 [pctspk.exe]
ModuleName : C:\WINDOWS\system32\pctspk.exe
Command Line : "C:\WINDOWS\system32\pctspk.exe"
ProcessID : 1760
ThreadCreationTime : 09-05-2005 11:54:24 p.m.
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : pctvoice Application
FileDescription : pctvoice MFC Application
InternalName : pctvoice
LegalCopyright : Copyright © 2001
OriginalFilename : pctvoice.EXE

#:23 [avgcc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
Command Line : "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
ProcessID : 1800
ThreadCreationTime : 09-05-2005 11:54:25 p.m.
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:24 [avgemc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
Command Line : "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe"
ProcessID : 476
ThreadCreationTime : 09-05-2005 11:54:26 p.m.
BasePriority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:25 [duesystraycd.exe]
ModuleName : C:\Archivos de programa\DUE\DUESystrayCD.exe
Command Line : "C:\Archivos de programa\DUE\DUESystrayCD.exe"
ProcessID : 1260
ThreadCreationTime : 09-05-2005 11:54:26 p.m.
BasePriority : Normal
FileVersion : 1.00.0283
ProductVersion : 1.00.0283
ProductName : DUESysTray
CompanyName : SIGNUM
InternalName : DUESysTrayCD
LegalCopyright : Desarrollado por Marco Mendoza para SIGNUM Cía. Ltda.
OriginalFilename : DUESysTrayCD.exe

#:26 [qoeloader.exe]
ModuleName : C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe
Command Line : "C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe"
ProcessID : 1832
ThreadCreationTime : 09-05-2005 11:54:26 p.m.
BasePriority : Normal
FileVersion : 2.1.213.4
ProductVersion : 2.1.213.4
ProductName : QOELoader Application
CompanyName : Qurb, Inc.
FileDescription : QOELoader Application
InternalName : QOELoader
LegalCopyright : Copyright © 2002, 2003 Qurb, Inc. All rights reserved.
OriginalFilename : QOELoader.exe

#:27 [acrotray.exe]
ModuleName : C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
Command Line : "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
ProcessID : 276
ThreadCreationTime : 09-05-2005 11:54:27 p.m.
BasePriority : Normal
FileVersion : 6.0.1.2004121400
ProductVersion : 6.0.1.2004121400
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2004 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe

#:28 [kemailkb.exe]
ModuleName : C:\ARCHIV~1\KEMailKb\KEMailKb.EXE
Command Line : "C:\ARCHIV~1\KEMailKb\KEMailKb.EXE"
ProcessID : 1968
ThreadCreationTime : 09-05-2005 11:54:29 p.m.
BasePriority : Normal
FileVersion : 1,2,0,1
ProductVersion : 4, 15, 0, 2002
ProductName : Dritek System Inc. MMKeybd 04.15.2002 ( VC60 )
CompanyName : Dritek System Inc.
FileDescription : MultiMedia Keyboard
InternalName : MMKeybd
LegalCopyright : Copyright © 2001-2002 Dritek System Inc.
OriginalFilename : MMKeybd.exe

#:29 [skype.exe]
ModuleName : C:\Archivos de programa\Skype\Phone\Skype.exe
Command Line : "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
ProcessID : 1548
ThreadCreationTime : 09-05-2005 11:54:31 p.m.
BasePriority : Normal


#:30 [hpohmr08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe"
ProcessID : 2056
ThreadCreationTime : 09-05-2005 11:54:39 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOHMR08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOHMR08.EXE
Comments : HP OfficeJet <Homer> Series COM Device Objects

#:31 [hpotdd01.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
ProcessID : 2092
ThreadCreationTime : 09-05-2005 11:54:39 p.m.
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:32 [hpoevm08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe" -Embedding
ProcessID : 2164
ThreadCreationTime : 09-05-2005 11:54:45 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:33 [hpzipm12.exe]
ModuleName : C:\WINDOWS\system32\HPZipm12.exe
Command Line : C:\WINDOWS\system32\HPZipm12.exe
ProcessID : 2236
ThreadCreationTime : 09-05-2005 11:54:48 p.m.
BasePriority : Normal
FileVersion : 6, 0, 0, 0
ProductVersion : 6, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:34 [hposts08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe" /CtxID "#Hewlett-Packard#hp psc 1200 series#1111599258" /Startup
ProcessID : 2464
ThreadCreationTime : 09-05-2005 11:55:43 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status

#:35 [notepad.exe]
ModuleName : C:\WINDOWS\system32\NOTEPAD.EXE
Command Line : "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Documents and Settings\Ignacio\Escritorio\Instrucciones Spyware.txt
ProcessID : 2776
ThreadCreationTime : 10-05-2005 12:01:19 a.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Bloc de notas
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : NOTEPAD.EXE

#:36 [iexplore.exe]
ModuleName : C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
Command Line : "C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE"
ProcessID : 2792
ThreadCreationTime : 10-05-2005 12:01:25 a.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : IEXPLORE.EXE

#:37 [msimn.exe]
ModuleName : C:\Archivos de programa\Outlook Express\msimn.exe
Command Line : "C:\Archivos de programa\Outlook Express\msimn.exe"
ProcessID : 2964
ThreadCreationTime : 10-05-2005 12:02:51 a.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Outlook Express
InternalName : MSIMN
LegalCopyright : © 2004 Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : MSIMN.EXE

#:38 [ad-aware.exe]
ModuleName : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 3068
ThreadCreationTime : 10-05-2005 12:04:12 a.m.
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CommonName Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}

CommonName Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}
Value :

CommonName Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 3


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 3




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

09:31:44 p.m. Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:27:12.207
Objects scanned:176821
Objects identified:3
Objects ignored:0
New critical objects:3

Attached Thumbnails

  • My_new_home_page.JPG
  • Warning_message.JPG

#6
Guest_Andy_veal_*
  • Guest
Hello and Welcome

Ad-aware has found objects on your computer

If you choose to clean your computer of what Ad-Aware found, please follow the instructions below.

Please make sure that you are using the * SE1R43 06.05.2005 * definition file.


Please launch Ad-Aware SE and click on the gear to access the Configuration Menu. Please make sure that this setting is applied.

Click on Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Please then boot into Safe Mode

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Please run CCleaner to assist in this process.
Download CCleaner (Setup: go to Options > Settings > uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Please run Ad-Aware SE from the command lines shown in the instructions shown below.

Click "Start" > select "Run" > type the text shown below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click OK.

Please note that the path above is the default installation location for Ad-Aware SE; if yours is different, please adjust it to the location where you have installed it.

When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to each "target family" you wish to remove. Click Next, then click OK.

If problems are caused by deleting a family, please leave it.

Please shutdown/restart your computer after removal, run a new full scan and post the results as a reply. Do not launch any programs or connect to the internet at this time.

Please then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes take 2-3 posts to get it all posted; once the "Summary of this scan" information is shown, you have posted all of your logfile.

Please remember when posting another logfile to keep "Search for negligible risk entries" deselected, as negligible risk entries (MRUs) are not considered to be a threat. This option can be changed when choosing your scan type.

Please post back here

Good luck

Andy
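The cleanup list and the Ad-Aware command lines in the post above, as an added example in Python (this is not part of Andy's post and not Lavasoft's software): it empties each profile's Temp and Temporary Internet Files folders without deleting the folders themselves, reports anything it could not delete (files held open by a running process, which is why the post asks for Safe Mode), and builds the edition-specific Ad-Aware SE command line from the three Run-box lines quoted above. The XP layout under Documents and Settings, the default install root, and the demo tree in the `__main__` block are assumptions; the `min_age_hours` parameter is this example's stand-in for the CCleaner "older than 48 hours" setting the post says to uncheck (the default `None` deletes everything, as the post intends).

```python
"""Added example: empty per-profile temp folders and build the Ad-Aware SE
command line. Not part of the original post; the Documents and Settings
layout is the XP default (assumed) and the demo tree is constructed."""
import shutil
import time
from pathlib import Path

# Sub-folders the post lists under each profile (XP layout, assumed default).
PROFILE_TEMP_SUBDIRS = (
    Path("Local Settings") / "Temp",
    Path("Local Settings") / "Temporary Internet Files",
)

# Editions and switches exactly as quoted in the post; install folder names
# are the defaults the post gives. Adjust if Ad-Aware lives elsewhere.
ADAWARE_EDITIONS = {
    "professional": ("Ad-Aware SE Professional", ["/full", "+procnuke"]),
    "plus":         ("Ad-Aware SE Plus",         ["/full", "+procnuke"]),
    "personal":     ("Ad-Aware SE Personal",     ["+procnuke"]),
}


def temp_dirs_for_profiles(docs_and_settings):
    """Yield every Temp / Temporary Internet Files folder of every profile."""
    root = Path(docs_and_settings)
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        for sub in PROFILE_TEMP_SUBDIRS:
            candidate = profile / sub
            if candidate.is_dir():
                yield candidate


def clear_dir_contents(directory, min_age_hours=None, now=None):
    """Delete everything inside `directory` but keep the directory itself.

    min_age_hours=None removes every entry; a value such as 48 mimics the
    CCleaner option the post says to uncheck, which would leave freshly
    dropped malware files in place. Returns (removed, skipped); skipped
    holds entries kept by the age filter or that could not be deleted,
    typically files still open in a running process.
    """
    directory = Path(directory)
    now = time.time() if now is None else now
    removed, skipped = [], []
    for entry in directory.iterdir():
        if min_age_hours is not None:
            age_hours = (now - entry.lstat().st_mtime) / 3600
            if age_hours < min_age_hours:
                skipped.append(entry)
                continue
        try:
            if entry.is_dir() and not entry.is_symlink():
                shutil.rmtree(entry)
            else:
                entry.unlink()
            removed.append(entry)
        except OSError:          # file in use, permissions, etc.
            skipped.append(entry)
    return removed, skipped


def adaware_command(edition, program_files=r"C:\Program Files"):
    """argv for the given edition, matching the Run-box lines in the post."""
    folder, switches = ADAWARE_EDITIONS[edition.lower()]
    exe = "\\".join([program_files, "Lavasoft", folder, "Ad-Aware.exe"])
    return [exe] + switches


def clean_profiles(docs_and_settings, windows_temp=None, min_age_hours=None):
    """Run the post's cleanup list; returns {folder: (removed, skipped)}."""
    targets = list(temp_dirs_for_profiles(docs_and_settings))
    if windows_temp is not None and Path(windows_temp).is_dir():
        targets.insert(0, Path(windows_temp))
    summary = {}
    for target in targets:
        removed, skipped = clear_dir_contents(target, min_age_hours)
        summary[str(target)] = (len(removed), len(skipped))
    return summary


if __name__ == "__main__":
    # Demo on a constructed tree. On a real XP box you would pass
    # r"C:\Documents and Settings" and r"C:\Windows\Temp" instead.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        temp = Path(tmp) / "Ignacio" / "Local Settings" / "Temp"
        temp.mkdir(parents=True)
        (temp / "dropper.tmp").write_bytes(b"MZ")   # constructed sample
        print(clean_profiles(tmp))
        print(" ".join(adaware_command("personal")))
```

Run the cleanup from Safe Mode as the post says, then launch the scan with `subprocess.call(adaware_command("personal"))` (or the edition you have); whatever lands in the `skipped` lists is worth a second look, since a temp file that refuses to go away is usually held open by something still running.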

#7
ignacio

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi! Here's the log file, which seems pretty good, though the home page "infection" still remains: although it is set to Google, it takes me to quicknavigate.com.

Thanks for your help!




Ad-Aware SE Build 1.05
Logfile Created on:Lunes, 23 de Mayo de 2005 07:51:09 p.m.
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R46 17.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
None
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R46 17.05.2005
Internal build : 54
File location : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 474775 Bytes
Total size : 1435210 Bytes
Signature data size : 1404100 Bytes
Reference data size : 30598 Bytes
Signatures total : 40060
Fingerprints total : 883
Fingerprints size : 30250 Bytes
Target categories : 15
Target families : 674


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:13 %
Total physical memory:245232 kb
Available physical memory:31508 kb
Total page file size:599732 kb
Available on page file:433648 kb
Total virtual memory:2097024 kb
Available virtual memory:2047612 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


23-05-2005 07:51:09 p.m. - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 560
ThreadCreationTime : 23-05-2005 10:30:05 p.m.
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 608
ThreadCreationTime : 23-05-2005 10:30:09 p.m.
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 632
ThreadCreationTime : 23-05-2005 10:30:10 p.m.
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 676
ThreadCreationTime : 23-05-2005 10:30:12 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Aplicación de servicios y controlador
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 688
ThreadCreationTime : 23-05-2005 10:30:13 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 840
ThreadCreationTime : 23-05-2005 10:30:16 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 924
ThreadCreationTime : 23-05-2005 10:30:17 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k netsvcs
ProcessID : 1052
ThreadCreationTime : 23-05-2005 10:30:19 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 1092
ThreadCreationTime : 23-05-2005 10:30:19 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1168
ThreadCreationTime : 23-05-2005 10:30:20 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1312
ThreadCreationTime : 23-05-2005 10:30:22 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [avgamsvr.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
Command Line : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
ProcessID : 1532
ThreadCreationTime : 23-05-2005 10:30:29 p.m.
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:13 [avgupsvc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
Command Line : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
ProcessID : 1580
ThreadCreationTime : 23-05-2005 10:30:29 p.m.
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:14 [mdm.exe]
ModuleName : C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
Command Line : "C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE"
ProcessID : 1624
ThreadCreationTime : 23-05-2005 10:30:30 p.m.
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:15 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k imgsvc
ProcessID : 1664
ThreadCreationTime : 23-05-2005 10:30:30 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 1724
ThreadCreationTime : 23-05-2005 10:30:31 p.m.
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:17 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1828
ThreadCreationTime : 23-05-2005 10:30:31 p.m.
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorador de Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : EXPLORER.EXE

#:18 [khooker.exe]
ModuleName : C:\WINDOWS\system32\khooker.exe
Command Line : "C:\WINDOWS\system32\khooker.exe"
ProcessID : 404
ThreadCreationTime : 23-05-2005 10:30:40 p.m.
BasePriority : Normal
FileVersion : 0, 0, 0, 2030
ProductVersion : 0, 0, 0, 2030
ProductName : SIS ® Compatible Super VGA keyboard daemon for Windows 2000/XP
CompanyName : Silicon Integrated Systems Corporation
FileDescription : SiS Compatible Super VGA Keyboard Daemon
InternalName : KHOOKER 2.03.50
LegalCopyright : Copyright © Silicon Integrated Systems Corp. 1998-2002
OriginalFilename : KHOOKER.EXE
Comments : SiS Compatible Super VGA Keyboard Daemon

#:19 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 832
ThreadCreationTime : 23-05-2005 10:30:44 p.m.
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:20 [pctspk.exe]
ModuleName : C:\WINDOWS\system32\pctspk.exe
Command Line : "C:\WINDOWS\system32\pctspk.exe"
ProcessID : 1412
ThreadCreationTime : 23-05-2005 10:31:21 p.m.
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : pctvoice Application
FileDescription : pctvoice MFC Application
InternalName : pctvoice
LegalCopyright : Copyright © 2001
OriginalFilename : pctvoice.EXE

#:21 [avgcc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
Command Line : "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
ProcessID : 1856
ThreadCreationTime : 23-05-2005 10:31:23 p.m.
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:22 [avgemc.exe]
ModuleName : C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
Command Line : "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe"
ProcessID : 1944
ThreadCreationTime : 23-05-2005 10:31:23 p.m.
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:23 [duesystraycd.exe]
ModuleName : C:\Archivos de programa\DUE\DUESystrayCD.exe
Command Line : "C:\Archivos de programa\DUE\DUESystrayCD.exe"
ProcessID : 1656
ThreadCreationTime : 23-05-2005 10:31:24 p.m.
BasePriority : Normal
FileVersion : 1.00.0283
ProductVersion : 1.00.0283
ProductName : DUESysTray
CompanyName : SIGNUM
InternalName : DUESysTrayCD
LegalCopyright : Desarrollado por Marco Mendoza para SIGNUM Cía. Ltda.
OriginalFilename : DUESysTrayCD.exe

#:24 [qoeloader.exe]
ModuleName : C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe
Command Line : "C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe"
ProcessID : 128
ThreadCreationTime : 23-05-2005 10:31:24 p.m.
BasePriority : Normal
FileVersion : 2.1.213.4
ProductVersion : 2.1.213.4
ProductName : QOELoader Application
CompanyName : Qurb, Inc.
FileDescription : QOELoader Application
InternalName : QOELoader
LegalCopyright : Copyright © 2002, 2003 Qurb, Inc. All rights reserved.
OriginalFilename : QOELoader.exe

#:25 [acrotray.exe]
ModuleName : C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
Command Line : "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
ProcessID : 168
ThreadCreationTime : 23-05-2005 10:31:25 p.m.
BasePriority : Normal
FileVersion : 6.0.1.2004121400
ProductVersion : 6.0.1.2004121400
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2004 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe

#:26 [kemailkb.exe]
ModuleName : C:\ARCHIV~1\KEMailKb\KEMailKb.EXE
Command Line : "C:\ARCHIV~1\KEMailKb\KEMailKb.EXE"
ProcessID : 164
ThreadCreationTime : 23-05-2005 10:31:26 p.m.
BasePriority : Normal
FileVersion : 1,2,0,1
ProductVersion : 4, 15, 0, 2002
ProductName : Dritek System Inc. MMKeybd 04.15.2002 ( VC60 )
CompanyName : Dritek System Inc.
FileDescription : MultiMedia Keyboard
InternalName : MMKeybd
LegalCopyright : Copyright © 2001-2002 Dritek System Inc.
OriginalFilename : MMKeybd.exe

#:27 [skype.exe]
ModuleName : C:\Archivos de programa\Skype\Phone\Skype.exe
Command Line : "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
ProcessID : 500
ThreadCreationTime : 23-05-2005 10:31:30 p.m.
BasePriority : Normal


#:28 [hpohmr08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe"
ProcessID : 1256
ThreadCreationTime : 23-05-2005 10:31:36 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOHMR08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOHMR08.EXE
Comments : HP OfficeJet <Homer> Series COM Device Objects

#:29 [hpotdd01.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
ProcessID : 1840
ThreadCreationTime : 23-05-2005 10:31:37 p.m.
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:30 [hpoevm08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe" -Embedding
ProcessID : 284
ThreadCreationTime : 23-05-2005 10:31:42 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:31 [hpzipm12.exe]
ModuleName : C:\WINDOWS\system32\HPZipm12.exe
Command Line : C:\WINDOWS\system32\HPZipm12.exe
ProcessID : 1692
ThreadCreationTime : 23-05-2005 10:31:45 p.m.
BasePriority : Normal
FileVersion : 6, 0, 0, 0
ProductVersion : 6, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:32 [hposts08.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe" /CtxID "#Hewlett-Packard#hp psc 1200 series#1111599258" /Startup
ProcessID : 2164
ThreadCreationTime : 23-05-2005 10:34:02 p.m.
BasePriority : Normal
FileVersion : 4.2.0.038
ProductVersion : 2.4.2.038
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status

#:33 [ad-aware.exe]
ModuleName : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 2360
ThreadCreationTime : 23-05-2005 10:51:02 p.m.
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 0


08:21:39 p.m. Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:30:29.300
Objects scanned:203848
Objects identified:0
Objects ignored:0
New critical objects:0
  • 0

#8
don77
    Malware Expert
  • Retired Staff
  • 18,526 posts
Hi ignacio,
Nice job, your Ad-aware log is clean!!!

We will need to take a deeper look here please,


Please go Here and unzip the newest version of HJT into a new dedicated folder.
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), then double-clicking on C:, then right-clicking and selecting New, then Folder, and naming it hjt. Unzip HijackThis into this folder. Launch HijackThis, then press Scan, and press Save Log.
This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.
Most things are harmless and needed, so don't make any changes.
Post a log here, please.
  • 0

#9
ignacio
    New Member
  • Topic Starter
  • Member
  • 8 posts
Thanks for your prompt reply. Here's the hjt log.

Logfile of HijackThis v1.99.1
Scan saved at 10:55:24 p.m., on 23/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\khooker.exe
C:\WINDOWS\system32\pctspk.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\DUE\DUESystrayCD.exe
C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\ARCHIV~1\KEMailKb\KEMailKb.EXE
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Archivos de programa\Outlook Express\msimn.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\ARCHIV~1\DAP\DAP.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.efe.es/esurgente/lenguaes/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpDDA5.tmp
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Archivos de programa\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DUESystray] C:\Archivos de programa\DUE\DUESystrayCD.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Archivos de programa\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [ScanSoft PDF Professional 3.0-reminder] "C:\Archivos de programa\ScanSoft\PDF Professional 3.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Datos de programa\ScanSoft\PDF Professional\3\Ereg\ereg.ini"
O4 - HKLM\..\Run: [KEMailKb] C:\ARCHIV~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [ScanSoft PDF Converter 3.0-reminder] "C:\Archivos de programa\ScanSoft\PDF Converter 3.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Datos de programa\ScanSoft\PDF Converter\3\Ereg\ereg.ini"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Archivos de programa\ScanSoft\PDF Converter 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PDFCreateReminder] "C:\Archivos de programa\ScanSoft\PDF Create! 2\EREG\Ereg.exe" -r "C:\Archivos de programa\ScanSoft\PDF Create! 2\EREG\ereg.ini"
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Abrir PDF en Word (PDF Converter 3.0) - res://C:\Archivos de programa\ScanSoft\PDF Converter 3.0\IEShellExt.dll /600
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {06B92097-DD6A-4872-89FB-CED8216F2995} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {06B92097-DD6A-4872-89FB-CED8216F2995} - (no file) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...484/mcfscan.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  • 0

#10
don77
    Malware Expert
  • Retired Staff
  • 18,526 posts
Hi ignacio and welcome back,
First, some of these steps are repetitive of Andy's earlier post; just the same, they are necessary.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download smitfraud reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way):

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.efe.es/esurgente/lenguaes/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpDDA5.tmp
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe


Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster, press "Restore Original Hosts" and press "OK". Exit the program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
  • 0
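The fix list above is the result of reading the HijackThis log by hand: the R0/R1 lines whose search settings point at a host the user never chose, the O2 BHO with a placeholder CLSID of all F's loading from a .tmp file in system32, and the O4 Run entry for the rogue "Security iGuard". The Python below is an added example (not part of the thread, not HijackThis code) that applies those same three checks to the log lines posted in this thread. The trusted-host allowlist, the hijack-host list and the rogue Run-key names are constructed for the example from what appears in the thread; the sample log is an excerpt of the log the user posted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: hosts a default Windows XP / IE6 search configuration points at.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")

# Hijack hosts taken from the log posted in this thread; the short form also matches
# the URLs the forum software truncated to "quicknavi...earch.php".
HIJACK_HOSTS = ("quicknavigate.com", "quicknavi")

# Run-key names for the programs the helper told the user to remove (constructed from the thread).
ROGUE_RUN_NAMES = {"security iguard", "search maid", "virtual maid"}

URL_RE = re.compile(r"https?://([^/\s]+)")
R_RE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?) = ?(.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


@dataclass
class Finding:
    line: str
    reason: str
    severity: str  # "hijack": matches something this thread identified; "review": ask the user


def host_of(value: str) -> Optional[str]:
    """Return the lower-cased host part of the first URL in an HJT value, or None if there is no URL."""
    m = URL_RE.search(value)
    return m.group(1).lower() if m else None


def assess_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis log line; None means nothing worth raising."""
    line = line.strip()

    m = R_RE.match(line)
    if m:
        _kind, _hive, key, value = m.groups()
        name = key.split(",")[-1]            # e.g. "Default_Search_URL"
        host = host_of(value)
        if host is None:                     # empty value, or a non-URL such as LinksFolderName
            return None
        if any(h in host for h in HIJACK_HOSTS):
            return Finding(line, f"{name} points at hijack host {host}", "hijack")
        if not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
            return Finding(line, f"{name} points at non-default host {host}; confirm the user set it", "review")
        return None

    m = O2_RE.match(line)
    if m:
        _name, clsid, path = m.groups()
        reasons = []
        if set(clsid.replace("-", "").upper()) == {"F"}:
            reasons.append("placeholder CLSID of all F's")
        if path.lower().endswith(".tmp"):
            reasons.append("BHO loaded from a .tmp file")
        return Finding(line, "; ".join(reasons), "hijack") if reasons else None

    m = O4_RE.match(line)
    if m:
        _hive, name, _cmd = m.groups()
        if name.lower() in ROGUE_RUN_NAMES:
            return Finding(line, f"Run entry '{name}' is on the removal list", "hijack")
        return None

    return None


def triage(log_text: str) -> list:
    """Run assess_line over a whole HJT log and keep only the findings."""
    return [f for f in (assess_line(l) for l in log_text.splitlines()) if f is not None]


# Constructed sample: an excerpt of the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.efe.es/esurgente/lenguaes/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpDDA5.tmp
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample this reports eight "hijack" findings (the six quicknavigate search/local-page entries, the BHO and the Security iGuard Run entry) and one "review" finding for the efe.es start page, which is a news site the user may well have chosen; the empty HKLM Start Page line that the helper also listed carries no host to judge, so the code leaves it to the reviewer. Legitimate autoruns such as AVG and the SiS keyboard daemon produce nothing.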

#11
ignacio
    New Member
  • Topic Starter
  • Member
  • 8 posts
Thanks again for your help. Here are the two logs you requested.

ActiveScan:
Incident Status Location

Adware:Adware/Puper No disinfected C:\WINDOWS\system32\hhk.dll
Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\perfcii.ini
Adware:Adware/Aureate-Radiate No disinfected F:\Backup Ignacio\Translation Toolkit\Aureatex\Aureatex.exe[Aureate.exe][MSIPCSV.EXE]
Adware:Adware/Aureate-Radiate No disinfected F:\Backup Ignacio\Translation Toolkit\Aureatex\Aureatex.exe[Aureate.exe][IPCCLIENT.DLL]
Adware:Adware/Aureate-Radiate No disinfected F:\Backup Ignacio\Translation Toolkit\Aureatex\Aureatex.exe[Aureate.exe][HTMDENG.EXE]
Adware:Adware/Aureate-Radiate No disinfected F:\Backup Ignacio\Translation Toolkit\Aureatex\Aureatex.exe[Aureate.exe][AMCIS2.DLL]

###

HJT

Logfile of HijackThis v1.99.1
Scan saved at 09:23:07 a.m., on 24/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\khooker.exe
C:\WINDOWS\system32\pctspk.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\ARCHIV~1\KEMailKb\KEMailKb.EXE
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Archivos de programa\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DUESystray] C:\Archivos de programa\DUE\DUESystrayCD.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Archivos de programa\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [ScanSoft PDF Professional 3.0-reminder] "C:\Archivos de programa\ScanSoft\PDF Professional 3.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Datos de programa\ScanSoft\PDF Professional\3\Ereg\ereg.ini"
O4 - HKLM\..\Run: [KEMailKb] C:\ARCHIV~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [ScanSoft PDF Converter 3.0-reminder] "C:\Archivos de programa\ScanSoft\PDF Converter 3.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Datos de programa\ScanSoft\PDF Converter\3\Ereg\ereg.ini"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Archivos de programa\ScanSoft\PDF Converter 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PDFCreateReminder] "C:\Archivos de programa\ScanSoft\PDF Create! 2\EREG\Ereg.exe" -r "C:\Archivos de programa\ScanSoft\PDF Create! 2\EREG\ereg.ini"
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Abrir PDF en Word (PDF Converter 3.0) - res://C:\Archivos de programa\ScanSoft\PDF Converter 3.0\IEShellExt.dll /600
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {06B92097-DD6A-4872-89FB-CED8216F2995} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {06B92097-DD6A-4872-89FB-CED8216F2995} - (no file) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...484/mcfscan.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  • 0

#12
don77
    Malware Expert
  • Retired Staff
  • 18,526 posts
Nice job, the log is clean.
Let's just get rid of a couple of items found by ActiveScan.


*Please open notepad and save these instructions, Name it something you will remember
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\hhk.dll 
C:\WINDOWS\system32\perfcii.ini  

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Reboot please,


Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#13
ignacio
    New Member
  • Topic Starter
  • Member
  • 8 posts
Awesome, man! This is looking better every minute. Here's the Silent Runners log you requested. Thanks a million!

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiS KHooker" = "C:\WINDOWS\system32\khooker.exe" ["Silicon Integrated Systems Corporation"]
"PCTVOICE" = "pctspk.exe" [empty string]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"AVG7_CC" = "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"DUESystray" = "C:\Archivos de programa\DUE\DUESystrayCD.exe" ["SIGNUM"]
"QOELOADER" = ""C:\Archivos de programa\Qurb\QSP-2.1.213.4\QOELoader.exe"" ["Qurb, Inc."]
"Acrobat Assistant 7.0" = ""C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"Default" = (no data)
"FineReader7NewsReaderPro" = ""C:\Archivos de programa\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"" ["ABBYY (BIT Software)"]
"ScanSoft PDF Professional 3.0-reminder" = ""C:\Archivos de programa\ScanSoft\PDF Professional 3.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Datos de programa\ScanSoft\PDF Professional\3\Ereg\ereg.ini"" [file not found]
"KEMailKb" = "C:\ARCHIV~1\KEMailKb\KEMailKb.EXE" ["Dritek System Inc."]
"ScanSoft PDF Converter 3.0-reminder" = ""C:\Archivos de programa\ScanSoft\PDF Converter 3.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Datos de programa\ScanSoft\PDF Converter\3\Ereg\ereg.ini"" ["ScanSoft, Inc."]
"SSBkgdUpdate" = ""C:\Archivos de programa\Archivos comunes\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"PDF3 Registry Controller" = ""C:\Archivos de programa\ScanSoft\PDF Converter 3.0\\RegistryController.exe"" ["ScanSoft, Inc."]
"MSN Messenger" = "C:\WINDOWS\system32\msmsgs.exe" [file not found]
"Security iGuard" = "C:\Archivos de programa\Security iGuard\Security iGuard.exe" [file not found]
"PDFCreateReminder" = ""C:\Archivos de programa\ScanSoft\PDF Create! 2\EREG\Ereg.exe" -r "C:\Archivos de programa\ScanSoft\PDF Create! 2\EREG\ereg.ini"" ["ScanSoft, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\K-Lite Codec Pack\Real\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
"{EBDF1F20-C829-11D1-8233-0020AF3E97A9}" = "PractiCount (Business) CMExt"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\PCountBuCME.dll" ["Practiline Software"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{5EB5D616-DC17-4f5c-BB4F-73D99A0C7C32}" = "ScanSoft PDF Converter 3.0 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ScanSoft\PDF Converter 3.0\ShellExt30.dll" ["ScanSoft, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\STDS_1.scr" [file not found]


Startup items in "Ignacio" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
"Adobe Acrobat Speed Launcher" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe" [null data]
"hp psc 1000 series" -> shortcut to: "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]
"hpoddt01.exe" -> shortcut to: "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]


Enabled Scheduled Tasks:
------------------------

"FRU Task #Hewlett-Packard#hp psc 1200 series#1111599258" -> launches: "C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1111599258"" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {CLSID}\(Default) = "Adobe PDF"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{62999427-33FC-4BAF-9C9C-BCE6BD127F08}"
-> {CLSID}\(Default) = "DAP Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\DAP\DAPIEBar.dll" [empty string]

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {CLSID}\(Default) = "Adobe PDF"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\
-> {CLSID}\(Default) = "Adobe PDF"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\
(Default) = "&Referencia"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{06B92097-DD6A-4872-89FB-CED8216F2995}\
"ButtonText" = "Microsoft AntiSpyware helper"
"MenuText" = "Microsoft AntiSpyware helper"

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{669695BC-A811-4A9D-8CDF-BA8C795F261C}\
"ButtonText" = "Run DAP"
"Exec" = "C:\ARCHIV~1\DAP\DAP.EXE" ["SpeedBit Ltd."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Referencia"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Machine Debug Manager, MDM, ""C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
  • 0
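One way to triage a Silent Runners log like the one above, as an added example that is not from this thread and not part of the Silent Runners script: it parses the `"Name" = "data" [tag]` lines, pulls out the file each entry launches, and flags the entries an analyst reads first, namely those tagged `[file not found]`, `[empty string]` or `[null data]`, and those whose launch data is a bare file name with no directory. The bracket tags and the sample lines mirror the log format shown on this page; the function names, the `Finding` record and the flagging rules are my own assumptions.

```python
"""Triage helper for Silent Runners-style startup logs (added example).

Parses lines shaped like
    "Name" = "data" [Company]
and returns the entries worth a second look. The bracket tags follow the
Silent Runners output convention seen in the log above:
    ["Company"]       file carries version info naming that company
    [MS]              Microsoft file
    [file not found]  the referenced file does not exist on disk
    [empty string]    version info present but no company name
    [null data]       no version info at all
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Key line such as  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
KEY_RE = re.compile(r'^HK(LM|CU)\\')
# Entry line with a trailing bracket tag; "-> " marks a CLSID follow-up line.
ENTRY_RE = re.compile(r'^(?:-> )?(?P<name>.+?) = (?P<value>.*) \[(?P<tag>[^\]]*)\]\s*$')
# Description-only line such as  "{CLSID}" = "WinRAR shell extension"
NAME_ONLY_RE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<desc>[^"]*)"$')
# First token ending in a loadable-file extension, used when the path is unquoted.
EXE_RE = re.compile(r'^(?P<p>.*?\.(?:exe|dll|scr|cpl|ocx|com|bat))(?=\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    key: Optional[str]   # registry key the entry lives under, if one was seen
    name: str            # value name or CLSID description
    path: str            # file the entry points at
    tag: str             # bracket tag copied from the log
    reason: str          # why the entry was flagged


def extract_path(value: str) -> str:
    """Pull the file path out of a Silent Runners data field.

    The field is wrapped in one pair of quotes; a quoted path with arguments
    inside it shows up as ""C:\\dir\\x.exe" /arg", so strip one pair and then
    honour an inner quote if present.
    """
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = EXE_RE.match(v)
    return m.group('p') if m else v


def triage(log_text: str) -> List[Finding]:
    """Return the flagged entries, in log order."""
    findings: List[Finding] = []
    current_key: Optional[str] = None
    last_desc: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if KEY_RE.match(line):
            current_key = line.replace('{++}', '').strip()
            continue
        nm = NAME_ONLY_RE.match(line)
        if nm:                       # remember the CLSID's description for the "->" line
            last_desc = nm.group('desc')
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name = m.group('name').strip('"')
        if line.startswith('->') and last_desc:
            name = last_desc
        path = extract_path(m.group('value'))
        tag = m.group('tag')
        reasons = []
        if tag == 'file not found':
            reasons.append('orphaned entry: referenced file is missing')
        elif tag in ('empty string', 'null data'):
            reasons.append('file carries no company/version info; verify it by hand')
        if '\\' not in path and ':' not in path:
            reasons.append('bare file name resolved through the PATH search; confirm which copy runs')
        if reasons:
            findings.append(Finding(current_key, name, path, tag, '; '.join(reasons)))
    return findings


# Constructed sample in the log's own format (shapes taken from the lines above).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"PCTVOICE" = "pctspk.exe" [empty string]
"AVG7_CC" = "C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"Default" = (no data)
"MSN Messenger" = "C:\WINDOWS\system32\msmsgs.exe" [file not found]
"Security iGuard" = "C:\Archivos de programa\Security iGuard\Security iGuard.exe" [file not found]

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\STDS_1.scr" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.key}\n  {f.name!r} -> {f.path}  [{f.tag}]\n  {f.reason}')
```

The output is a worklist, not a verdict: a `[file not found]` entry is a dead reference left behind by something already removed, and an unversioned file still has to be identified by its path and hash before it is judged. That is the same reading don77 applies to the log above when calling it clean.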

#14
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Nice job, your log is clean!
How is it running?
Please use the following suggestion to help prevent reinfection.

Download the following program for keeping crap off your system to begin with.
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster
  • 0

#15
ignacio

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thanks, Don. I sent you a small donation to your paypal account.

Best,

Ignacio
  • 0