System malfunction [RESOLVED]


#1 zuluguen (Member, 13 posts)
Dear Sirs,
Please examine the HijackThis log file below and let me know what to do in order to restore my system.
Many thanks in advance, best regards,
Zuluguen

Logfile of HijackThis v1.99.1
Scan saved at 16:07:58, on 05/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\oodag.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\crnz32.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\WinZip\Wzqkpick.exe
C:\Archivos de programa\Telefonica\KitAIM\AimMon.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kuervo\Mis documentos\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nfljj.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfljj.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nfljj.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nfljj.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nfljj.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfljj.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nfljj.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por Telefónica Net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 8
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Explorer.EXE] C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [crnz32.exe] C:\WINDOWS\crnz32.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Archivos de programa\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Archivos de programa\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [spywatch] C:\Archivos de programa\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...01e78/enter.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D8FBFC1-4DBC-4077-8ADD-FC122A81FBE5}: NameServer = 80.58.0.33,80.58.32.97
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\p46s0ej7eho.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syssf.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Shell32 - Unknown owner - C:\WINDOWS\system32\com\oboe32\shell32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Winlogon - Unknown owner - C:\WINDOWS\system32\com\oboe32\rundmc.exe (file missing)
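A small triage pass over a log in this format, added here as an example (it is not part of the thread and not a feature of HijackThis or L2MFix): it runs defender-side rules over a constructed sample built from entries in the log above and flags the ones a helper would look at first (R0/R1 settings pointing at a res:// page inside a DLL, the missing URLSearchHook, autoruns from the Windows folder itself, O16 ActiveX downloads, Winlogon Notify DLLs Windows does not ship, and services with no publisher or a missing binary). The set of Windows-supplied Notify DLLs is an assumption taken from the Notify subkeys shown in the L2MFix log further down the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (added for this example, not a complete log): entries copied
# from the HijackThis v1.99.1 log posted in this thread, one or two per section.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nfljj.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [crnz32.exe] C:\WINDOWS\crnz32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...01e78/enter.cab
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\p46s0ej7eho.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syssf.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Winlogon - Unknown owner - C:\WINDOWS\system32\com\oboe32\rundmc.exe (file missing)
"""

# One HijackThis entry: section code, " - ", the rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in .exe or .dll inside an entry body.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)

# Winlogon Notify DLLs that Windows XP registers itself. Assumption for this
# example, taken from the Notify subkeys in the L2MFix log in this thread
# (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn,
# termsrv, wlballoon). Anything else is worth a look.
STANDARD_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                        "wlnotify.dll", "sclgntfy.dll"}


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "R1", "O20"
    reason: str    # why the entry deserves attention
    line: str      # the log line as it appeared


def file_path(body: str) -> str:
    """Return the first .exe/.dll path in an entry body, or '' if none."""
    m = PATH_RE.search(body)
    return m.group(1) if m else ""


def triage(log_text: str) -> list:
    """Run the rules over every entry line and return the flagged ones in order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue   # header, process list, blank line
        sec, body = m.group("section"), m.group("body")
        path = file_path(body).lower()
        folder, _, name = path.rpartition("\\")
        low = body.lower()
        reason = None
        if sec in ("R0", "R1") and "res://" in low:
            reason = "IE start/search setting points at a res:// page inside a local DLL (search hijack)"
        elif sec == "R3" and "is missing" in low:
            reason = "default URLSearchHook has been removed, a usual side effect of search hijackers"
        elif sec == "O4" and folder == "c:\\windows":
            reason = "autorun launches a file dropped directly into the Windows folder"
        elif sec == "O16":
            reason = "ActiveX control installed from a web download; confirm the publisher before keeping it"
        elif sec == "O20" and name not in STANDARD_NOTIFY_DLLS:
            reason = "Winlogon Notify DLL that Windows does not ship; it loads into winlogon.exe at every logon"
        elif sec == "O23" and ("unknown owner" in low or "(file missing)" in low):
            reason = "service with no identified publisher or with its binary missing"
        if reason:
            findings.append(Finding(sec, reason, raw.strip()))
    return findings


def summarize(findings) -> dict:
    """Number of flagged entries per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Entries the rules leave alone still need a human read; the rules only order the work.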


#2 tampabelle (Retired Staff, 6,363 posts)
Hi zuluguen,

You have a bunch of infections. Let us start with the most serious one.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#3 zuluguen (Topic Starter, Member, 13 posts)
Dear Tampabelle,
First of all, thanks for your quick reply.
Below you'll find the log created by the L2MFIX program.
I'll keep waiting for your answer.
Thanks & regards,
Zuluguen

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MSSYCLM]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h44m0eh1eh4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C8A3B7ED-157C-FB14-A59C-25AC1415E921}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Hoja de propiedades de archivos multimedia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Administración de escáner ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Página de seguridad NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Página de propiedades del archivo de documentos OLE"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensiones de interfaz para uso compartido"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Extensión CPL del adaptador de pantalla"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Extensión CPL del monitor de pantalla"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Extensión de paneo de pantalla del Panel de control"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Página de seguridad DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Página de compatibilidad"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Extensión de copia de discos"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensiones del shell para objetos de la red de Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="Administración de monitor ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="Administración de impresora ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensiones del shell para compresión de archivos"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Extensión del shell de impresora en Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menú de contexto de cifrado"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Maletín"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Extensión de icono de HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fuentes"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Perfil de ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Página de seguridad de impresoras"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensiones de interfaz para uso compartido"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Extensión PKO cifrada"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Extensión de firma cifrada"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Conexiones de red"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Conexiones de red"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Cámaras y escáneres"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Cámaras y escáneres"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Cámaras y escáneres"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Cámaras y escáneres"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Cámaras y escáneres"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensiones del shell para Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Vínculos a datos de Microsoft"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tareas programadas"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barra de tareas y menú Inicio"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Buscar"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Ayuda y soporte técnico"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Ayuda y soporte técnico"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ejecutar..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Correo electrónico"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fuentes"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Herramientas administrativas"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barra de herramientas de Microsoft Internet"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Estado de la descarga"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Carpeta Shell aumentada"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Carpeta 2 Shell aumentada"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Banda del explorador de Microsoft"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Banda de búsqueda"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Banda multimedia"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Búsqueda en panel"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Búsqueda Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilidad de opciones del árbol de Registro"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Dirección"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Cuadro de la dirección"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Autocompletar de Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista autocompleta MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Lista autocompleta MRU personalizada"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barra de progreso emergente"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Analizador de Barra de direcciones"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista autocompleta de la historia de Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista autocompleta de la carpeta Shell de Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Contenedor de la Lista múltiple de Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menú de sitio de bandas Shell"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Barra de escritorio Shell"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Asistencia al usuario"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Configuración de carpeta global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Servicio de Historial de las direcciones URL de Microsoft"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historial"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Archivos temporales de Internet"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Archivos temporales de Internet"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Hook de búsqueda de direcciones URL de Microsoft"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Pantalla de bienvenida de IE4 Suite"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Banda de Explorador"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Carpeta del caché de ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Carpeta de suscripciones"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Administrador de aplicaciones de Shell"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerador de aplicaciones instaladas"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extractor de vistas en miniatura de archivos GDI+"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Controlador de la información de resumen para vistas en miniatura (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Extractor de vistas en miniatura HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Asistente para la publicación en Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Pedido de impresiones vía web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objeto de Asistente de publicación de shell"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Asistente para obtener pasaporte"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Cuentas de usuario"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Archivo de canal"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Acceso directo al canal"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Objeto de control de canal"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Carpeta de archivos sin conexión"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Personas..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}"="Nero Shell Extension Property Sheet"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menú de carpeta Shell"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Seguimiento de menú Shell"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Sitio del menú"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menú Barra de escritorio"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Vínculos"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Imágenes en miniatura"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Vista de la carpeta de automatización de Shell"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Menú Inicio"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="Página de los tipos de archivo"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="Hook de los tipos de archivo MIME"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Vistas en miniatura"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Propiedades del extractor de imágenes predeterminado"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{5E7D9611-0A92-11D6-BCC6-C117EB0C4E52}"="RStudio Menu Handler"
"{3C7BE262-0E51-11D6-BCC6-A29C3C5B2152}"="R-Undelete"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Property Sheet Shell Extension"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{35C0AC3F-4CCE-415F-BF54-A825FC25ECF6}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{35C0AC3F-4CCE-415F-BF54-A825FC25ECF6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{35C0AC3F-4CCE-415F-BF54-A825FC25ECF6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{35C0AC3F-4CCE-415F-BF54-A825FC25ECF6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{35C0AC3F-4CCE-415F-BF54-A825FC25ECF6}\InprocServer32]
@="C:\\WINDOWS\\system32\\srell32.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
kulbu.dll Sat 11 Jun 2005 0:20:36 A.... 0 0,00 K
irsecsnp.dll Thu 30 Jun 2005 18:44:52 ..S.R 236.146 230,61 K
wininet.dll Mon 2 May 2005 22:56:48 A.... 660.480 645,00 K
nfljj.dll Wed 8 Jun 2005 16:55:54 A.... 66.560 65,00 K
cdfview.dll Mon 2 May 2005 22:56:44 A.... 151.552 148,00 K
browseui.dll Mon 2 May 2005 22:56:44 A.... 1.020.416 996,50 K
ndrshe.dll Tue 21 Jun 2005 21:26:04 ..S.R 234.784 229,28 K
mshtmled.dll Mon 2 May 2005 22:56:46 A.... 448.512 438,00 K
cdm.dll Thu 26 May 2005 4:16:24 A.... 75.544 73,77 K
msrating.dll Mon 2 May 2005 22:56:46 A.... 146.432 143,00 K
iepeers.dll Mon 2 May 2005 22:56:44 A.... 250.880 245,00 K
xpsp3res.dll Tue 17 May 2005 2:42:14 ..... 16.896 16,50 K
netku.dll Wed 8 Jun 2005 0:29:30 A.... 125.126 122,19 K
msi.dll Wed 4 May 2005 14:45:32 A.... 2.890.240 2,75 M
ntfn32.dll Wed 8 Jun 2005 11:17:32 ..... 124.416 121,50 K
iuengine.dll Thu 26 May 2005 4:16:24 A.... 198.424 193,77 K
wuapi.dll Thu 26 May 2005 4:16:30 A.... 466.200 455,27 K
kt82l7~1.dll Tue 21 Jun 2005 21:24:04 ..S.R 236.652 231,11 K
s32evnt1.dll Fri 13 May 2005 19:50:10 A.... 91.856 89,70 K
hhsetup.dll Fri 27 May 2005 4:08:06 A.... 41.472 40,50 K
itircl.dll Fri 27 May 2005 4:08:06 A.... 155.136 151,50 K
itss.dll Fri 27 May 2005 4:08:06 A.... 137.216 134,00 K
urlmon.dll Mon 2 May 2005 22:56:46 A.... 604.672 590,50 K
mshtml.dll Mon 2 May 2005 22:56:46 A.... 3.011.072 2,87 M
shlwapi.dll Mon 2 May 2005 22:56:46 A.... 474.112 463,00 K
shdocvw.dll Mon 2 May 2005 22:56:46 A.... 1.484.288 1,41 M
pngfilt.dll Mon 2 May 2005 22:56:46 A.... 39.424 38,50 K
inseng.dll Mon 2 May 2005 22:56:44 A.... 96.768 94,50 K
wuaueng.dll Thu 26 May 2005 4:16:30 A.... 1.343.768 1,28 M
wuaueng1.dll Thu 26 May 2005 4:16:30 A.... 195.352 190,77 K
wucltui.dll Thu 26 May 2005 4:16:30 A.... 128.280 125,27 K
wups2.dll Thu 26 May 2005 4:16:30 A.... 18.200 17,77 K
wuweb.dll Thu 26 May 2005 4:16:30 A.... 173.536 169,47 K
omeacc.dll Fri 24 Jun 2005 21:33:36 ..S.R 234.272 228,78 K
mrrating.dll Fri 24 Jun 2005 21:33:48 ..S.R 234.272 228,78 K
kadmlt47.dll Fri 24 Jun 2005 22:36:20 ..S.R 234.272 228,78 K
maang.dll Fri 24 Jun 2005 23:57:24 ..S.R 234.272 228,78 K
mkfutil.dll Fri 24 Jun 2005 23:57:28 ..S.R 234.272 228,78 K
wjnnls.dll Sat 25 Jun 2005 1:12:28 ..S.R 234.272 228,78 K
wthip6.dll Sat 25 Jun 2005 1:12:34 ..S.R 234.272 228,78 K
jhvaprxy.dll Fri 24 Jun 2005 22:36:24 ..S.R 234.272 228,78 K
myxml2.dll Sat 25 Jun 2005 2:40:36 ..S.R 234.272 228,78 K
mfxml2.dll Sat 25 Jun 2005 2:40:40 ..S.R 234.272 228,78 K
mwxbse35.dll Sat 25 Jun 2005 4:03:46 ..S.R 234.272 228,78 K
ormidi32.dll Sat 25 Jun 2005 4:03:40 ..S.R 234.272 228,78 K
nfrshe.dll Sat 25 Jun 2005 5:32:44 ..S.R 234.272 228,78 K
nnrshe.dll Sat 25 Jun 2005 5:32:48 ..S.R 234.272 228,78 K
j20s0c~1.dll Fri 17 Jun 2005 3:16:16 ..S.R 234.999 229,49 K
vkr.dll Thu 30 Jun 2005 18:26:26 ..S.R 233.596 228,12 K
fkwpp.dll Sat 25 Jun 2005 6:59:52 ..S.R 234.272 228,78 K
mv04l9~1.dll Sun 26 Jun 2005 10:51:58 ..S.R 234.272 228,78 K
m2ju0c~1.dll Tue 21 Jun 2005 21:04:42 ..S.R 234.784 229,28 K
kt42l7~1.dll Fri 1 Jul 2005 11:35:12 ..S.R 236.199 230,66 K
g0220a~1.dll Thu 30 Jun 2005 19:22:28 ..S.R 236.146 230,61 K
jt0m07~1.dll Sat 2 Jul 2005 11:59:08 ..S.R 236.306 230,77 K
wups.dll Thu 26 May 2005 4:16:30 A.... 41.240 40,27 K
i8jq0i~1.dll Tue 5 Jul 2005 16:14:28 ..S.R 233.118 227,65 K
h44m0e~1.dll Tue 5 Jul 2005 5:57:04 ..S.R 236.199 230,66 K
winsusrm.dll Tue 5 Jul 2005 15:46:50 A.... 264 0,26 K
srell32.dll Tue 5 Jul 2005 20:40:36 ..S.R 236.199 230,66 K
appqx.dll Wed 29 Jun 2005 9:29:48 A.... 125.126 122,19 K

61 items found: 61 files (28 H/S), 0 directories.
Total of file sizes: 21.376.940 bytes 20,38 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 1356-18E1

Directory of C:\WINDOWS\System32

05/07/2005 20:40 236.199 srell32.dll
05/07/2005 16:14 233.118 i8jq0i15e8.dll
05/07/2005 05:57 236.199 h44m0eh1eh4.dll
02/07/2005 11:59 236.306 jt0m07d1e.dll
01/07/2005 11:35 236.199 kt42l7ho1.dll
30/06/2005 19:22 236.146 g0220afoed2c0.dll
30/06/2005 18:44 236.146 irsecsnp.dll
30/06/2005 18:26 233.596 vkr.dll
26/06/2005 10:51 234.272 mv04l9dq1.dll
25/06/2005 06:59 234.272 FKWPP.DLL
25/06/2005 05:32 234.272 nnrshe.dll
25/06/2005 05:32 234.272 nfrshe.dll
25/06/2005 04:03 234.272 mwxbse35.dll
25/06/2005 04:03 234.272 OrMidi32.dll
25/06/2005 02:40 234.272 mfxml2.dll
25/06/2005 02:40 234.272 myxml2.dll
25/06/2005 01:12 234.272 wthip6.dll
25/06/2005 01:12 234.272 wjnnls.dll
24/06/2005 23:57 234.272 mkfutil.dll
24/06/2005 23:57 234.272 maang.dll
24/06/2005 22:36 234.272 jHvaprxy.dll
24/06/2005 22:36 234.272 kadmlt47.dll
24/06/2005 21:33 234.272 mrrating.dll
24/06/2005 21:33 234.272 omeacc.dll
21/06/2005 21:26 234.784 ndrshe.dll
21/06/2005 21:24 236.652 kt82l7lo1.dll
21/06/2005 21:04 234.784 m2ju0c19ef.dll
17/06/2005 03:16 234.999 j20s0cd7ef0.dll
02/01/2005 14:59 8 F87AAFEF35.sys
02/01/2005 14:59 848 KGyGaAvL.sys
04/11/2004 22:21 <DIR> Microsoft
04/11/2004 21:41 <DIR> dllcache
08/04/2002 17:34 6.144 access.ctl
31 File(s) 6.580.480 bytes
2 Dir(s) 15.710.715.904 bytes free
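The listing above is the raw material a helper works from: a cluster of DLLs with random names, all carrying the System and Read-only attributes, all within a few kilobytes of each other and all written in the last three weeks, sitting next to legitimately patched system DLLs. As an added example (not part of L2MFix, HijackThis or anything posted in this thread), the Python below parses that listing format and applies those three observations as rules. The size band, the 30-day window and the attribute test are assumptions fitted to the posted data, not defaults of any tool; the sample lines are copied from the listing above.

```python
"""Flag Look2Me-style DLL drops in a directory listing (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# One file per line, in the format of the listing above:
#   name  Dow dd Mon yyyy H:MM:SS  attrs  bytes(dot-grouped)  size K|M
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"[A-Za-z]{3} (?P<stamp>\d{1,2} [A-Za-z]{3} \d{4} \d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d.]+)\s+"
    r"[\d,]+ [KM]$"
)

# Sample input: lines copied from the listing posted above (nothing invented).
SAMPLE_LISTING = """
irsecsnp.dll Thu 30 Jun 2005 18:44:52 ..S.R 236.146 230,61 K
wininet.dll Mon 2 May 2005 22:56:48 A.... 660.480 645,00 K
nfljj.dll Wed 8 Jun 2005 16:55:54 A.... 66.560 65,00 K
ndrshe.dll Tue 21 Jun 2005 21:26:04 ..S.R 234.784 229,28 K
xpsp3res.dll Tue 17 May 2005 2:42:14 ..... 16.896 16,50 K
omeacc.dll Fri 24 Jun 2005 21:33:36 ..S.R 234.272 228,78 K
mrrating.dll Fri 24 Jun 2005 21:33:48 ..S.R 234.272 228,78 K
vkr.dll Thu 30 Jun 2005 18:26:26 ..S.R 233.596 228,12 K
wups.dll Thu 26 May 2005 4:16:30 A.... 41.240 40,27 K
i8jq0i~1.dll Tue 5 Jul 2005 16:14:28 ..S.R 233.118 227,65 K
winsusrm.dll Tue 5 Jul 2005 15:46:50 A.... 264 0,26 K
srell32.dll Tue 5 Jul 2005 20:40:36 ..S.R 236.199 230,66 K
"""

# The second HijackThis log in this thread is dated 06/07/2005; use that as "now".
SCAN_TIME = datetime(2005, 7, 6)


def parse_listing(text: str) -> list[dict]:
    """Turn listing rows into dicts; header, total and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "name": m["name"],
            "mtime": datetime.strptime(m["stamp"], "%d %b %Y %H:%M:%S"),
            "attrs": m["attrs"],
            # the listing uses a dot as thousands separator (Spanish locale)
            "size": int(m["size"].replace(".", "")),
        })
    return entries


def flag_look2me(entries, now, window_days=30, size_band=(230_000, 240_000)):
    """Names of DLLs that are System+Read-only, inside the size band and recent.

    Thresholds are assumptions fitted to the posted listing, not tool defaults.
    """
    lo, hi = size_band
    cutoff = now - timedelta(days=window_days)
    return [
        e["name"] for e in entries
        if "S" in e["attrs"] and "R" in e["attrs"]
        and lo <= e["size"] <= hi
        and e["mtime"] >= cutoff
    ]


def size_clusters(entries, min_members=2):
    """Group files by exact byte size; many names sharing one size is the other tell."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e["name"])
    return {size: names for size, names in by_size.items() if len(names) >= min_members}


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for name in flag_look2me(rows, SCAN_TIME):
        print("suspect:", name)
    for size, names in size_clusters(rows).items():
        print(f"{len(names)} files of exactly {size} bytes:", ", ".join(names))
```

Run against the full listing above, the attribute rule alone is enough to pull out the cluster; the size band and the time window are there to keep the rule from firing on a legitimately hidden system file such as a driver cache. Any hit should still be confirmed by the registry side (Winlogon\Notify, shell extensions) before deleting, since a name match on disk says nothing about what loads it.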

#4 tampabelle (Member 5k, Retired Staff, 6,363 posts)

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

#5 zuluguen (Topic Starter, Member, 13 posts)

Dear Tampabelle,
Find below both logs.
Again, many thanks for your time and fast replies.
Rgds,
Zuluguen



L2Mfix 1.03

Running From:
C:\Documents and Settings\Kuervo\Escritorio\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Read BUILTIN\Usuarios avanzados
(ID-IO) ALLOW Read BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administradores
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Read BUILTIN\Usuarios avanzados
(ID-IO) ALLOW Read BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Kuervo\Escritorio\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Kuervo\Escritorio\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1328 'explorer.exe'
Killing PID 1328 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1412 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\irsecsnp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ndrshe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt82l7lo1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\omeacc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mrrating.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kadmlt47.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\maang.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mkfutil.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wjnnls.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wthip6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jHvaprxy.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\myxml2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mfxml2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mwxbse35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\OrMidi32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nfrshe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nnrshe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j20s0cd7ef0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vkr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\FKWPP.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv04l9dq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m2ju0c19ef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt42l7ho1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g0220afoed2c0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jt0m07d1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i8jq0i15e8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ktr8l79u1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vubsub.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\srell32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pugfilt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\irsecsnp.dll
Successfully Deleted: C:\WINDOWS\system32\irsecsnp.dll
deleting: C:\WINDOWS\system32\ndrshe.dll
Successfully Deleted: C:\WINDOWS\system32\ndrshe.dll
deleting: C:\WINDOWS\system32\kt82l7lo1.dll
Successfully Deleted: C:\WINDOWS\system32\kt82l7lo1.dll
deleting: C:\WINDOWS\system32\omeacc.dll
Successfully Deleted: C:\WINDOWS\system32\omeacc.dll
deleting: C:\WINDOWS\system32\mrrating.dll
Successfully Deleted: C:\WINDOWS\system32\mrrating.dll
deleting: C:\WINDOWS\system32\kadmlt47.dll
Successfully Deleted: C:\WINDOWS\system32\kadmlt47.dll
deleting: C:\WINDOWS\system32\maang.dll
Successfully Deleted: C:\WINDOWS\system32\maang.dll
deleting: C:\WINDOWS\system32\mkfutil.dll
Successfully Deleted: C:\WINDOWS\system32\mkfutil.dll
deleting: C:\WINDOWS\system32\wjnnls.dll
Successfully Deleted: C:\WINDOWS\system32\wjnnls.dll
deleting: C:\WINDOWS\system32\wthip6.dll
Successfully Deleted: C:\WINDOWS\system32\wthip6.dll
deleting: C:\WINDOWS\system32\jHvaprxy.dll
Successfully Deleted: C:\WINDOWS\system32\jHvaprxy.dll
deleting: C:\WINDOWS\system32\myxml2.dll
Successfully Deleted: C:\WINDOWS\system32\myxml2.dll
deleting: C:\WINDOWS\system32\mfxml2.dll
Successfully Deleted: C:\WINDOWS\system32\mfxml2.dll
deleting: C:\WINDOWS\system32\mwxbse35.dll
Successfully Deleted: C:\WINDOWS\system32\mwxbse35.dll
deleting: C:\WINDOWS\system32\OrMidi32.dll
Successfully Deleted: C:\WINDOWS\system32\OrMidi32.dll
deleting: C:\WINDOWS\system32\nfrshe.dll
Successfully Deleted: C:\WINDOWS\system32\nfrshe.dll
deleting: C:\WINDOWS\system32\nnrshe.dll
Successfully Deleted: C:\WINDOWS\system32\nnrshe.dll
deleting: C:\WINDOWS\system32\j20s0cd7ef0.dll
Successfully Deleted: C:\WINDOWS\system32\j20s0cd7ef0.dll
deleting: C:\WINDOWS\system32\vkr.dll
Successfully Deleted: C:\WINDOWS\system32\vkr.dll
deleting: C:\WINDOWS\system32\FKWPP.DLL
Successfully Deleted: C:\WINDOWS\system32\FKWPP.DLL
deleting: C:\WINDOWS\system32\mv04l9dq1.dll
Successfully Deleted: C:\WINDOWS\system32\mv04l9dq1.dll
deleting: C:\WINDOWS\system32\m2ju0c19ef.dll
Successfully Deleted: C:\WINDOWS\system32\m2ju0c19ef.dll
deleting: C:\WINDOWS\system32\kt42l7ho1.dll
Successfully Deleted: C:\WINDOWS\system32\kt42l7ho1.dll
deleting: C:\WINDOWS\system32\g0220afoed2c0.dll
Successfully Deleted: C:\WINDOWS\system32\g0220afoed2c0.dll
deleting: C:\WINDOWS\system32\jt0m07d1e.dll
Successfully Deleted: C:\WINDOWS\system32\jt0m07d1e.dll
deleting: C:\WINDOWS\system32\i8jq0i15e8.dll
Successfully Deleted: C:\WINDOWS\system32\i8jq0i15e8.dll
deleting: C:\WINDOWS\system32\ktr8l79u1.dll
Successfully Deleted: C:\WINDOWS\system32\ktr8l79u1.dll
deleting: C:\WINDOWS\system32\vubsub.dll
Successfully Deleted: C:\WINDOWS\system32\vubsub.dll
deleting: C:\WINDOWS\system32\srell32.dll
Successfully Deleted: C:\WINDOWS\system32\srell32.dll
deleting: C:\WINDOWS\system32\pugfilt.dll
Successfully Deleted: C:\WINDOWS\system32\pugfilt.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: irsecsnp.dll (deflated 5%)
adding: ndrshe.dll (deflated 4%)
adding: kt82l7lo1.dll (deflated 5%)
adding: omeacc.dll (deflated 4%)
adding: mrrating.dll (deflated 4%)
adding: kadmlt47.dll (deflated 4%)
adding: maang.dll (deflated 4%)
adding: mkfutil.dll (deflated 4%)
adding: wjnnls.dll (deflated 4%)
adding: wthip6.dll (deflated 4%)
adding: jHvaprxy.dll (deflated 4%)
adding: myxml2.dll (deflated 4%)
adding: mfxml2.dll (deflated 4%)
adding: mwxbse35.dll (deflated 4%)
adding: OrMidi32.dll (deflated 4%)
adding: nfrshe.dll (deflated 4%)
adding: nnrshe.dll (deflated 4%)
adding: j20s0cd7ef0.dll (deflated 4%)
adding: vkr.dll (deflated 4%)
adding: FKWPP.DLL (deflated 4%)
adding: mv04l9dq1.dll (deflated 4%)
adding: m2ju0c19ef.dll (deflated 4%)
adding: kt42l7ho1.dll (deflated 5%)
adding: g0220afoed2c0.dll (deflated 5%)
adding: jt0m07d1e.dll (deflated 5%)
adding: i8jq0i15e8.dll (deflated 4%)
adding: ktr8l79u1.dll (deflated 4%)
adding: vubsub.dll (deflated 5%)
adding: srell32.dll (deflated 5%)
adding: pugfilt.dll (deflated 5%)
adding: guard.tmp (deflated 5%)
adding: echo.reg (deflated 9%)
adding: clear.reg (deflated 37%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 66%)
adding: lo2.txt (deflated 84%)
adding: test2.txt (deflated 16%)
adding: test3.txt (deflated 16%)
adding: test5.txt (deflated 16%)
adding: test.txt (deflated 81%)
adding: xfind.txt (deflated 75%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/35C0AC3F-4CCE-415F-BF54-A825FC25ECF6.reg (deflated 70%)
adding: backregs/4DFB2E34-40E1-4B78-896F-AD662CC1D2A7.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Read BUILTIN\Usuarios avanzados
(ID-IO) ALLOW Read BUILTIN\Usuarios avanzados
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

deleting local copy: irsecsnp.dll
deleting local copy: ndrshe.dll
deleting local copy: kt82l7lo1.dll
deleting local copy: omeacc.dll
deleting local copy: mrrating.dll
deleting local copy: kadmlt47.dll
deleting local copy: maang.dll
deleting local copy: mkfutil.dll
deleting local copy: wjnnls.dll
deleting local copy: wthip6.dll
deleting local copy: jHvaprxy.dll
deleting local copy: myxml2.dll
deleting local copy: mfxml2.dll
deleting local copy: mwxbse35.dll
deleting local copy: OrMidi32.dll
deleting local copy: nfrshe.dll
deleting local copy: nnrshe.dll
deleting local copy: j20s0cd7ef0.dll
deleting local copy: vkr.dll
deleting local copy: FKWPP.DLL
deleting local copy: mv04l9dq1.dll
deleting local copy: m2ju0c19ef.dll
deleting local copy: kt42l7ho1.dll
deleting local copy: g0220afoed2c0.dll
deleting local copy: jt0m07d1e.dll
deleting local copy: i8jq0i15e8.dll
deleting local copy: ktr8l79u1.dll
deleting local copy: vubsub.dll
deleting local copy: srell32.dll
deleting local copy: pugfilt.dll
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\irsecsnp.dll
C:\WINDOWS\system32\ndrshe.dll
C:\WINDOWS\system32\kt82l7lo1.dll
C:\WINDOWS\system32\omeacc.dll
C:\WINDOWS\system32\mrrating.dll
C:\WINDOWS\system32\kadmlt47.dll
C:\WINDOWS\system32\maang.dll
C:\WINDOWS\system32\mkfutil.dll
C:\WINDOWS\system32\wjnnls.dll
C:\WINDOWS\system32\wthip6.dll
C:\WINDOWS\system32\jHvaprxy.dll
C:\WINDOWS\system32\myxml2.dll
C:\WINDOWS\system32\mfxml2.dll
C:\WINDOWS\system32\mwxbse35.dll
C:\WINDOWS\system32\OrMidi32.dll
C:\WINDOWS\system32\nfrshe.dll
C:\WINDOWS\system32\nnrshe.dll
C:\WINDOWS\system32\j20s0cd7ef0.dll
C:\WINDOWS\system32\vkr.dll
C:\WINDOWS\system32\FKWPP.DLL
C:\WINDOWS\system32\mv04l9dq1.dll
C:\WINDOWS\system32\m2ju0c19ef.dll
C:\WINDOWS\system32\kt42l7ho1.dll
C:\WINDOWS\system32\g0220afoed2c0.dll
C:\WINDOWS\system32\jt0m07d1e.dll
C:\WINDOWS\system32\i8jq0i15e8.dll
C:\WINDOWS\system32\ktr8l79u1.dll
C:\WINDOWS\system32\vubsub.dll
C:\WINDOWS\system32\srell32.dll
C:\WINDOWS\system32\pugfilt.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{35C0AC3F-4CCE-415F-BF54-A825FC25ECF6}"=-
"{4DFB2E34-40E1-4B78-896F-AD662CC1D2A7}"=-
[-HKEY_CLASSES_ROOT\CLSID\{35C0AC3F-4CCE-415F-BF54-A825FC25ECF6}]
[-HKEY_CLASSES_ROOT\CLSID\{4DFB2E34-40E1-4B78-896F-AD662CC1D2A7}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 2:51:40, on 06/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\WINDOWS\crnz32.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\Archivos de programa\WinZip\Wzqkpick.exe
C:\WINDOWS\system32\oodag.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Kuervo\Mis documentos\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por Telefónica Net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D54F6CB9-5429-9A95-7B59-D291228E70B8} - C:\WINDOWS\apiyk.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 8
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Explorer.EXE] C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [crnz32.exe] C:\WINDOWS\crnz32.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Archivos de programa\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Archivos de programa\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [ntsd.exe] C:\WINDOWS\system32\ntsd.exe
O4 - HKLM\..\RunOnce: [syssf.exe] C:\WINDOWS\system32\syssf.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [spywatch] C:\Archivos de programa\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...01e78/enter.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D8FBFC1-4DBC-4077-8ADD-FC122A81FBE5}: NameServer = 80.58.0.33,80.58.32.97
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syssf.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Shell32 - Unknown owner - C:\WINDOWS\system32\com\oboe32\shell32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Winlogon - Unknown owner - C:\WINDOWS\system32\com\oboe32\rundmc.exe (file missing)
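The RegDACL output in the log above shows what L2MFix does around the reboot: it adds a DENY entry for the Administrators group on the right RegDACL reports as C (create subkey) under HKLM\...\Winlogon\Notify, so nothing can re-register a Notify handler while the DLLs are being removed, then exports what is left of the key. The export it prints is the stock XP SP2 set (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon), with the DllName values stored as hex(2), which is REG_EXPAND_SZ encoded as NUL-terminated UTF-16LE bytes. Comparing such an export against that baseline is worth being able to do by hand. As an added example (not part of L2MFix or HijackThis), the Python below parses a .reg export of the key, decodes the hex(2) values and reports any subkey outside the baseline. The sample export is constructed: its first two subkeys are copied from the export above; the third, subkey irsecsnp pointing at one of the DLLs the fix removed, is invented for the demonstration, since the thread never shows the infection's own Notify entry.

```python
"""Baseline check for a .reg export of Winlogon\\Notify (added example)."""
from __future__ import annotations

import re

# Stock Windows XP SP2 Notify subkeys and the DLL each one names, taken from
# the export L2MFix printed above (keys lower-cased for lookup).
KNOWN_GOOD = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

NOTIFY_MARK = "\\winlogon\\notify\\"
SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
HEX2_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(2\):(?P<data>[0-9a-fA-F,]*)$')
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>[^"]*)"$')

# Constructed sample: first two subkeys copied from the export above; the
# "irsecsnp" subkey is invented for this demo (hypothetical entry).
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\irsecsnp]
"DllName"=hex(2):69,00,72,00,73,00,65,00,63,00,73,00,6e,00,70,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logon"="WinLogon"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
"""


def _join_continuations(text: str) -> list[str]:
    """Re-join values that regedit wrapped onto several lines with a trailing backslash."""
    lines, pending = [], ""
    for raw in text.splitlines():
        pending += raw.strip()
        if pending.endswith("\\"):
            pending = pending[:-1]
            continue
        lines.append(pending)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def _decode_hex2(data: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string."""
    raw = bytes(int(h, 16) for h in data.split(",") if h)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text: str) -> dict[str, dict[str, str]]:
    """Map each Notify subkey to its string values (value names lower-cased)."""
    entries: dict[str, dict[str, str]] = {}
    current = None
    for line in _join_continuations(text):
        sec = SECTION_RE.match(line)
        if sec:
            key = sec["key"]
            pos = key.lower().find(NOTIFY_MARK)
            current = key[pos + len(NOTIFY_MARK):] if pos >= 0 else None
            if current is not None:
                entries[current] = {}
            continue
        if current is None:
            continue
        m = HEX2_RE.match(line)
        if m:
            entries[current][m["name"].lower()] = _decode_hex2(m["data"])
            continue
        m = STR_RE.match(line)
        if m:
            entries[current][m["name"].lower()] = m["val"]
    return entries


def audit_notify(entries, known_good=KNOWN_GOOD):
    """(subkey, DllName, reason) for every subkey outside the baseline."""
    findings = []
    for subkey, values in entries.items():
        dll = values.get("dllname", "")
        expected = known_good.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "subkey not in the stock Notify set"))
        elif dll.lower() != expected:
            findings.append((subkey, dll, f"DllName differs from baseline {expected}"))
    return findings


if __name__ == "__main__":
    for subkey, dll, why in audit_notify(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{subkey}: DllName={dll!r} ({why})")
```

The baseline is per Windows version, so a Notify subkey missing from KNOWN_GOOD on another build is a prompt to check, not a verdict. The point of the permission trick in the log is timing: the Notify DLL runs inside winlogon.exe, which is why the fix kills explorer and rundll32, reboots, and removes the files before anything can re-create the key.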

#6 tampabelle (Member 5k, Retired Staff, 6,363 posts)

Hi zuluguen,

Please visit this site - http://www.spywarewa...nti-spyware.htm - and read more about SpyFighter and BulletProof, two programs that you have installed on your PC. These are best removed.

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D54F6CB9-5429-9A95-7B59-D291228E70B8} - C:\WINDOWS\apiyk.dll
O4 - HKLM\..\Run: [crnz32.exe] C:\WINDOWS\crnz32.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Archivos de programa\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Archivos de programa\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\RunOnce: [ntsd.exe] C:\WINDOWS\system32\ntsd.exe
O4 - HKLM\..\RunOnce: [syssf.exe] C:\WINDOWS\system32\syssf.exe
O4 - HKCU\..\Run: [spywatch] C:\Archivos de programa\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...01e78/enter.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

3. Remove Infections

Click on Start ---> Run. Type Services.msc and hit enter. In the right hand pane locate the item - Network Security Service. Right click on it and then click on properties. In the Startup Type choose the option Disable.

Repeat the process with - Shell32 and Winlogon.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

4. Delete Rogue files

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

BulletProof
SpyFighter


Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\Archivos de programa\SpyFighter
C:\Archivos de programa\BulletProofSoft.com

C:\WINDOWS\phbgz.dll
C:\WINDOWS\apiyk.dll
C:\WINDOWS\crnz32.exe
C:\WINDOWS\system32\ntsd.exe
C:\WINDOWS\system32\syssf.exe
C:\WINDOWS\system32\com\oboe32\shell32.exe
C:\WINDOWS\system32\com\oboe32\rundmc.exe


Run CleanUp and delete all temp files including temporary internet files.

Run Ewido and do a full scan. Save the scan report.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box and delete all the files in that folder. Don't delete the folder, only the files in it!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.

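The fix list above is a set of pattern matches an analyst made by eye: IE start/search values that point at a res:// resource inside a DLL, a missing default URLSearchHook, and Run/BHO entries loading binaries dropped straight into C:\WINDOWS. As an added example (not code from this thread, from HijackThis or from any tool the helper names), the Python script below parses HijackThis-style lines into section/body pairs and applies those three checks, plus a match against an analyst-supplied list of rogue paths. The sample lines are copied from the fix list and from the later clean log; the IOC set, the rule names and the "C:\WINDOWS root" heuristic are my own assumptions, and about:blank-style entries are deliberately not flagged.

```python
"""Structured triage of HijackThis-style log lines.

Added example for this thread; not part of HijackThis or any tool named
here. Rules: R-section values served from a res:// DLL resource, a missing
default URLSearchHook, O2/O4 entries whose target is on an analyst IOC list,
and O2/O4 entries whose target sits directly in C:\\WINDOWS (heuristic).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: entries from the helper's fix list plus two known-good
# entries (Google toolbar, Symantec ccApp) taken from the later clean log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\phbgz.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D54F6CB9-5429-9A95-7B59-D291228E70B8} - C:\WINDOWS\apiyk.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [crnz32.exe] C:\WINDOWS\crnz32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [syssf.exe] C:\WINDOWS\system32\syssf.exe
"""

# Analyst-supplied indicators: paths the helper told the user to delete.
# crnz32.exe is left out on purpose so the C:\WINDOWS-root rule fires for it.
IOC_PATHS = {
    r"C:\WINDOWS\phbgz.dll",
    r"C:\WINDOWS\apiyk.dll",
    r"C:\WINDOWS\system32\syssf.exe",
}

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
# First Windows path ending in .dll/.exe; lazy so "phbgz.dll/sp.html" stops at .dll
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)", re.IGNORECASE)
WINDIR_ROOT_RE = re.compile(r"c:\\windows\\[^\\]+")


@dataclass
class Finding:
    section: str
    rule: str
    detail: str


def parse(log: str) -> list[tuple[str, str]]:
    """Split a log into (section code, body) pairs, skipping non-entry lines."""
    out = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def first_path(body: str) -> str:
    """Lower-cased first .dll/.exe path in the entry body, or '' if none."""
    m = PATH_RE.search(body)
    return m.group(0).lower() if m else ""


def triage(log: str, ioc_paths: set[str]) -> list[Finding]:
    ioc = {p.lower() for p in ioc_paths}
    findings = []
    for sec, body in parse(log):
        if sec.startswith("R"):
            # R0/R1/R3 are IE start/search settings; a res:// value means the
            # page is served out of a local DLL instead of a real web address.
            if "res://" in body.lower():
                findings.append(Finding(sec, "res_hijack", first_path(body)))
            elif "is missing" in body:
                findings.append(Finding(sec, "hook_missing", body))
            continue
        path = first_path(body)
        if path in ioc:
            findings.append(Finding(sec, "ioc_path", path))
        elif sec in ("O2", "O4") and WINDIR_ROOT_RE.fullmatch(path):
            # Legitimate software installs under Program Files or system32;
            # a loader or BHO sitting directly in C:\WINDOWS is a strong hint.
            findings.append(Finding(sec, "windir_root", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, IOC_PATHS):
        print(f"{f.section:3} {f.rule:12} {f.detail}")
```

Run against the sample it reports five entries: the res:// search bar, the missing hook, the apiyk.dll BHO and syssf.exe (both on the IOC list) and crnz32.exe (loaded from the C:\WINDOWS root). Feed it a fresh log after the fix and an empty result is the quick check that the autostart and search-page entries really went away; the file-system side of the clean-up still has to be checked separately.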
#7 zuluguen (Topic Starter, Member, 13 posts)
Hi Tampabelle,
Following your indications, below you'll find the requested log files.
Apart from that, I couldn't find:
O4 - HKLM\..\RunOnce: [ntsd.exe] C:\WINDOWS\system32\ntsd.exe

Also couldn't uninstall BulletProof and SpyFighter, because they didn't appear within the Add or Remove Programs window.

Finally also:
Couldn't find: C:\Archivos de programa\BulletProofSoft.com
Couldn't find: C:\WINDOWS\system32\com\oboe32\rundmc.exe

Looking forward to your reply, rgds,
Zuluguen

P.S: 'Limpio' means clean

---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 11:18:41, 06/07/2005
+ Report-Checksum: 30729F43

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{031788DE-6282-F9CD-262A-AA22CDA2B068} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{07D80144-9372-FEAC-AEDD-21AE8732F067} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{0AD1A770-F33D-516E-A6BD-A3AEB8568EAC} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{16C710FD-4C93-9C02-15FC-681DF7937350} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{1D3E7FA6-E393-C514-F461-E0B59435D825} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{30C5202D-2CDD-8C6D-6CD3-86CBAC73988B} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{5B9A8BE3-69A5-661B-3BB5-FA99E29D5453} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{8A50C2FE-C00E-0C19-DC1A-BCABABE155C3} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{DF7066E9-8EE8-8682-F43E-2BF8E7E7D760} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{E365460D-7563-2763-5E38-85F172854EAC} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{F3267BA7-14CC-4368-6BFC-E59341D01507} -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Classes\CLSID\{FC955BB2-DAA2-E394-1DD3-E8A207B823A6} -> Spyware.BetterInternet : Limpio con backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Limpio con backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Limpio con backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winds_24 -> Spyware.CoolWebSearch : Limpio con backup
C:\WINDOWS\SYSTEM32\mfcgf.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\nfljj.dll -> Spyware.SearchPage : Limpio con backup
C:\WINDOWS\SYSTEM32\sdkps.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\mszt32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\netku.dll -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\SYSTEM32\ntfn32.dll -> TrojanDownloader.Agent.bc : Limpio con backup
C:\WINDOWS\SYSTEM32\adddv32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\netja.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\Com\oboe32\systray.exe -> Backdoor.Iroffer.1213.a : Limpio con backup
C:\WINDOWS\SYSTEM32\d3fk.exe -> Trojan.Agent.em : Limpio con backup
C:\WINDOWS\SYSTEM32\iepa.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\addoy32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\ntwa32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\msic32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\appqx.dll -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\SYSTEM32\winpo.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\mfchf.exe -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\SYSTEM32\apieh.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\ipaa.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\apiwp.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\SYSTEM32\egyym.dll -> Spyware.SearchPage : Limpio con backup
C:\WINDOWS\SYSTEM32\netbg.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\d3ze.dll -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\rzkudx.txt -> TrojanDownloader.Agent.ap : Limpio con backup
C:\WINDOWS\n_qxyywt.txt -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\n_jnaqno.txt -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\n_cmccmu.txt -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\iconu.exe -> Spyware.Zestyfind : Limpio con backup
C:\WINDOWS\winmd.dll -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\n_ypqcgb.txt -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\n_bwwshh.txt -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\systl.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\wingr32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\msvh32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\crff.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\ntzf.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\ntpo32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\applo.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\sysqe32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\apicd32.dll -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\wnazrs.txt -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\appjv.dll -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\leepyo.txt -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\eewday.txt -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\ecuas.dll -> Spyware.SearchPage : Limpio con backup
C:\WINDOWS\crtc.exe -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\jmmsbe.txt -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\msls.exe -> TrojanDownloader.Agent.bq : Limpio con backup
C:\WINDOWS\apimc32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\mfcij32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\addbl32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\javaqm.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\appox32.exe -> Trojan.Agent.bi : Limpio con backup
C:\WINDOWS\sdkiq32.exe -> Trojan.Agent.bi : Limpio con backup
C:\Archivos de programa\Hewlett-Packard\Memories Disc\hpodlog.exe -> Heuristic.Win32.Hijacker1 : Limpio con backup
C:\WinXp2\thanks7.exe -> Spyware.Hijacker.Generic : Limpio con backup
C:\Documents and Settings\Kuervo\Configuración local\Archivos temporales de Internet\Content.IE5\4LQBST6J\AppWrap[1].exe -> Spyware.Zestyfind : Limpio con backup
C:\Documents and Settings\Kuervo\Mis documentos\Downloads\backups\backup-20050706-101446-473.dll -> TrojanDownloader.Agent.bq : Limpio con backup


::Fin Report

Logfile of HijackThis v1.99.1
Scan saved at 11:26:36, on 06/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\oodag.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Ahead\InCD\InCD.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\WinZip\Wzqkpick.exe
C:\Documents and Settings\Kuervo\Mis documentos\Downloads\HijackThis.exe
C:\Archivos de programa\Telefonica\KitAIM\AimMon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por Telefónica Net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 8
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Explorer.EXE] C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\archivos de programa\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D8FBFC1-4DBC-4077-8ADD-FC122A81FBE5}: NameServer = 80.58.0.33,80.58.32.97
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe

#8 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Hi zuluguen,

Copy the following in a text file in notepad and save it as peek.bat (make sure the Save as Type is set to All Files) -

regedit /e C:\peek1.txt "HKLM\SOFTWARE\Classes\CLSID\{031788DE-6282-F9CD-262A-AA22CDA2B068}"
regedit /e C:\peek2.txt "HKLM\SOFTWARE\Classes\CLSID\{07D80144-9372-FEAC-AEDD-21AE8732F067}"
regedit /e C:\peek3.txt "HKLM\SOFTWARE\Classes\CLSID\{0AD1A770-F33D-516E-A6BD-A3AEB8568EAC}"
regedit /e C:\peek4.txt "HKLM\SOFTWARE\Classes\CLSID\{16C710FD-4C93-9C02-15FC-681DF7937350}"
regedit /e C:\peek5.txt "HKLM\SOFTWARE\Classes\CLSID\{1D3E7FA6-E393-C514-F461-E0B59435D825}"
regedit /e C:\peek6.txt "HKLM\SOFTWARE\Classes\CLSID\{30C5202D-2CDD-8C6D-6CD3-86CBAC73988B}"
regedit /e C:\peek7.txt "HKLM\SOFTWARE\Classes\CLSID\{5B9A8BE3-69A5-661B-3BB5-FA99E29D5453}"
regedit /e C:\peek8.txt "HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}"
regedit /e C:\peek9.txt "HKLM\SOFTWARE\Classes\CLSID\{8A50C2FE-C00E-0C19-DC1A-BCABABE155C3}"
regedit /e C:\peek10.txt "HKLM\SOFTWARE\Classes\CLSID\{DF7066E9-8EE8-8682-F43E-2BF8E7E7D760}"
regedit /e C:\peek11.txt "HKLM\SOFTWARE\Classes\CLSID\{E365460D-7563-2763-5E38-85F172854EAC}"
regedit /e C:\peek12.txt "HKLM\SOFTWARE\Classes\CLSID\{F3267BA7-14CC-4368-6BFC-E59341D01507}"
regedit /e C:\peek13.txt "HKLM\SOFTWARE\Classes\CLSID\{FC955BB2-DAA2-E394-1DD3-E8A207B823A6}"
regedit /e C:\peek14.txt "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins"
regedit /e C:\peek15.txt "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE"
regedit /e C:\peek16.txt "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW"
regedit /e C:\peek17.txt "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winds_24"

rem Start from an empty look.txt; 2>nul hides the error if it does not exist yet
del C:\look.txt 2>nul

rem regedit wrote the exports to C:\, so read them from there. A bare
rem "type peek1.txt" looks in the current directory and appends nothing
rem when the batch file is run from the desktop.
type C:\peek1.txt>>C:\look.txt
type C:\peek2.txt>>C:\look.txt
type C:\peek3.txt>>C:\look.txt
type C:\peek4.txt>>C:\look.txt
type C:\peek5.txt>>C:\look.txt
type C:\peek6.txt>>C:\look.txt
type C:\peek7.txt>>C:\look.txt
type C:\peek8.txt>>C:\look.txt
type C:\peek9.txt>>C:\look.txt
type C:\peek10.txt>>C:\look.txt
type C:\peek11.txt>>C:\look.txt
type C:\peek12.txt>>C:\look.txt
type C:\peek13.txt>>C:\look.txt
type C:\peek14.txt>>C:\look.txt
type C:\peek15.txt>>C:\look.txt
type C:\peek16.txt>>C:\look.txt
type C:\peek17.txt>>C:\look.txt

rem Remove the per-key exports; only the combined look.txt is needed
del C:\peek*.txt


Run peek.bat. It will create a text file called look.txt in C:\ folder.


Reboot the PC in Safe Mode.


To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.
Locate and delete the following files -

C:\WINDOWS\SYSTEM32\mfcgf.exe
C:\WINDOWS\SYSTEM32\nfljj.dll
C:\WINDOWS\SYSTEM32\sdkps.exe
C:\WINDOWS\SYSTEM32\mszt32.exe
C:\WINDOWS\SYSTEM32\netku.dll
C:\WINDOWS\SYSTEM32\ntfn32.dll
C:\WINDOWS\SYSTEM32\adddv32.exe
C:\WINDOWS\SYSTEM32\netja.exe
C:\WINDOWS\SYSTEM32\Com\oboe32\systray.exe
C:\WINDOWS\SYSTEM32\d3fk.exe
C:\WINDOWS\SYSTEM32\iepa.exe
C:\WINDOWS\SYSTEM32\addoy32.exe
C:\WINDOWS\SYSTEM32\ntwa32.exe
C:\WINDOWS\SYSTEM32\msic32.exe
C:\WINDOWS\SYSTEM32\appqx.dll
C:\WINDOWS\SYSTEM32\winpo.exe
C:\WINDOWS\SYSTEM32\mfchf.exe
C:\WINDOWS\SYSTEM32\apieh.exe
C:\WINDOWS\SYSTEM32\ipaa.exe
C:\WINDOWS\SYSTEM32\apiwp.exe
C:\WINDOWS\SYSTEM32\egyym.dll
C:\WINDOWS\SYSTEM32\netbg.exe
C:\WINDOWS\d3ze.dll
C:\WINDOWS\rzkudx.txt
C:\WINDOWS\n_qxyywt.txt
C:\WINDOWS\n_jnaqno.txt
C:\WINDOWS\n_cmccmu.txt
C:\WINDOWS\iconu.exe
C:\WINDOWS\winmd.dll
C:\WINDOWS\n_ypqcgb.txt
C:\WINDOWS\n_bwwshh.txt
C:\WINDOWS\systl.exe
C:\WINDOWS\wingr32.exe
C:\WINDOWS\msvh32.exe
C:\WINDOWS\crff.exe
C:\WINDOWS\ntzf.exe
C:\WINDOWS\ntpo32.exe
C:\WINDOWS\applo.exe
C:\WINDOWS\sysqe32.exe
C:\WINDOWS\apicd32.dll
C:\WINDOWS\wnazrs.txt
C:\WINDOWS\appjv.dll
C:\WINDOWS\leepyo.txt
C:\WINDOWS\eewday.txt
C:\WINDOWS\ecuas.dll
C:\WINDOWS\crtc.exe
C:\WINDOWS\jmmsbe.txt
C:\WINDOWS\msls.exe
C:\WINDOWS\apimc32.exe
C:\WINDOWS\mfcij32.exe
C:\WINDOWS\addbl32.exe
C:\WINDOWS\javaqm.exe
C:\WINDOWS\appox32.exe
C:\WINDOWS\sdkiq32.exe
C:\Archivos de programa\Hewlett-Packard\Memories Disc\hpodlog.exe
C:\WinXp2\thanks7.exe
C:\Documents and Settings\Kuervo\Configuración local\Archivos temporales de Internet\Content.IE5\4LQBST6J\AppWrap[1].exe
C:\Documents and Settings\Kuervo\Mis documentos\Downloads\backups\backup-20050706-101446-473.dll


Reboot the PC in Normal mode and post the look.txt file here

#9 zuluguen (Topic Starter, Member, 13 posts)
Dear Sir,
I must have done something wrongly when following your instructions.
I couldn't find any of the files to be deleted listed in your last reply. Furthermore, the file generated by peek.bat, that is look.txt, is zero length. It hasn't got a single character; that's why I'm not enclosing it.
Sorry for any inconvenience this may cause to you, regards,
Zuluguen

#10 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Your HJT log is clean.

Please reboot the PC in Safe Mode.

Run Ewido full scan and save the scan report.

Reboot the PC in normal mode and post the Ewido scan report here

Edited by tampabelle, 07 July 2005 - 10:10 AM.


#11 zuluguen (Topic Starter, Member, 13 posts)
Hi Tampabelle,
Below, the Ewido report says there are no infections at all, but the computer still works slowly.
I forgot to mention in my previous communication that there are many zero length .EXE files in C:\WINDOWS and C:\WINDOWS\SYSTEM32, and the names of many of them are very similar to those listed in your previous reply.
Keep waiting for your answer, tks + rgds,
Zuluguen


---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 17:26:08, 08/07/2005
+ Report-Checksum: 1B86E506

+ Scan result:

No se han encontrado archivos infectados!


::Fin Report

#12 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Hi Zuluguen,


Can you do the following -

Click on Start ---> Run. Type in cmd and hit enter.

Type cd c:\Windows and hit enter.

type dir *.exe >>C:\look1.txt and hit enter

type cd system32 and hit enter

type dir *.exe >>C:\look2.txt and hit enter


Attach the look1.txt and look2.txt files with your next reply

#13 zuluguen (Topic Starter, Member, 13 posts)
Hi,
There they are.
Rgds,
Zuluguen

Attached Files



#14 tampabelle (Retired Staff, Member 5k, 6,363 posts)
Hi Zuluguen,

You have presented me with a nice issue.

We need to verify that there is no hidden infection.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

rkfiles.zip
About:Buster
CWShredder

Unzip rkfiles.zip. Run rkfiles.bat. Wait for the log file to open in Notepad. Save the log file.

Update About:Buster
* Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
* Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
* Click "OK" at the prompt with instructions.
* Click "Update" and then "Check For Update" to begin the update process.
* If any updates exist please download them by clicking "Download Update" then click the X to close that window.
* Now close About:Buster
Update CWShredder
* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
* Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
* Click Yes to allow it to shutdown explorer.exe.
* It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
* When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
* Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp!

Reboot your computer into normal windows.

Post the logs from rkfiles and About:Buster here

#15 zuluguen (Topic Starter, Member, 13 posts)
Hello again,
Attached you will find the logs requested.
There are still many zero length files in both C:\WINDOWS and C:\WINDOWS\SYSTEM32 of different types (.EXE, .INI, .TXT, .LOG, and so on), all of them within June and July 2005, when everything seemed to begin. Does it make any sense to you?
Tks + rgds,
Zulugen

Attached Files



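Post #12 asks for a plain `dir *.exe` listing of C:\WINDOWS and system32, and post #15 describes what that listing showed: many zero-length files with random-looking names, all dated June and July 2005. As an added example (not code from this thread or from any tool named in it), the Python script below does that triage programmatically: it walks a directory tree and reports files that are zero-length or match the name shape of the files listed earlier in the thread, restricted to a date window, oldest first. The mock C:\WINDOWS tree, its file names, sizes and timestamps are constructed for the demo; the prefix list in the name regex is derived from the names in this thread and is a heuristic, not a signature.

```python
"""Triage a directory tree for the symptom described in this thread:
zero-length files with random-looking names, all dated within a narrow window.

Added example; not part of the thread or of any tool named in it. It builds a
constructed mock of C:\\WINDOWS in a temporary directory so it runs anywhere.
"""
from __future__ import annotations

import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Name shapes taken from the files listed earlier in this thread (apiyk.dll,
# crnz32.exe, syssf.exe, ...): a short system-sounding prefix, a few random
# letters, optionally "32". Heuristic only; tune the prefixes to your case.
RANDOM_NAME_RE = re.compile(
    r"^(?:api|app|add|crn|d3|ie|ip|mfc|ms|net|nt|sdk|sys|win)[a-z]{1,4}(?:32)?\.(?:exe|dll|txt)$",
    re.IGNORECASE,
)


def utc(s: str) -> datetime:
    """Parse an ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def triage_tree(root: str | Path, start: datetime, end: datetime) -> list[dict]:
    """Files under root that are zero-length or random-named and whose
    modification time lies inside [start, end], oldest first."""
    hits = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
        reasons = []
        if st.st_size == 0:
            reasons.append("zero-length")
        if RANDOM_NAME_RE.match(path.name):
            reasons.append("random-style name")
        if reasons and start <= mtime <= end:
            hits.append({
                "path": str(path.relative_to(root)),
                "size": st.st_size,
                "mtime": mtime.isoformat(),
                "reasons": reasons,
            })
    hits.sort(key=lambda h: h["mtime"])
    return hits


def build_sample_windir() -> str:
    """Constructed mock of C:\\WINDOWS: three dropper stubs inside the
    June/July 2005 window plus benign files that must not be reported."""
    root = Path(tempfile.mkdtemp(prefix="windir_sample_"))
    (root / "system32").mkdir()
    plant = [
        ("crnz32.exe", b"", "2005-06-20T10:00:00"),
        ("apicd32.dll", b"", "2005-07-02T08:15:00"),
        ("system32/syssf.exe", b"", "2005-07-03T09:00:00"),
        ("notepad.exe", b"MZ-fake", "2004-08-04T12:00:00"),          # old, non-empty
        ("setuplog.txt", b"", "2004-08-04T12:00:00"),                # empty but old
        ("system32/ctfmon.exe", b"MZ-fake", "2005-06-25T11:00:00"),  # in window, benign
    ]
    for rel, data, when in plant:
        p = root / rel
        p.write_bytes(data)
        ts = utc(when).timestamp()
        os.utime(p, (ts, ts))  # stamp the constructed mtime
    return str(root)


def run_demo() -> list[dict]:
    root = build_sample_windir()
    return triage_tree(root, utc("2005-06-01T00:00:00"), utc("2005-07-31T23:59:59"))


if __name__ == "__main__":
    for h in run_demo():
        print(f"{h['mtime']}  {h['size']:>6}  {h['path']}  ({', '.join(h['reasons'])})")
```

On the mock tree it reports crnz32.exe, apicd32.dll and system32/syssf.exe, in that order, and stays quiet about the old empty log and the non-empty files. Modification times are attacker-settable, so the date window is a way to group what appeared together, not proof of when it appeared; the zero-length stubs themselves are what a clean-up tool should remove, since a loader can recreate the full file from them on the next run only if a dropper is still resident, which is exactly what a follow-up scan has to rule out.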