11-07-2008, 04:34 PM   #3
maikelekiam
Registered User
 
Join Date: Sep 2006
Posts: 14
OS: xp


Re: Browser Hijacked !! Auto closes browser and/or opens unsolicited pages. Virtumondo

Hi, thanks for your help. I have translated ComboFix's log from Spanish to English:




ComboFix 08-11-07.01 - Administrator 2008-11-08 0:12:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.237 [1:00 GMT]
It runs from: c:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Resident AV is activated


WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!
.

((((((((((((((((((((((((( Other eliminations )))))))))))))))))))))))))
.

c: \ windows \ system32 \ ckpkavtp.dll
c: \ windows \ system32 \ djntzp.dll
c: \ windows \ system32 \ egbxonrr.dll
c: \ windows \ system32 \ exgswwwn.dll
c: \ windows \ system32 \ fevlkf.dll
c: \ windows \ system32 \ fmxvfa.dll
c: \ windows \ system32 \ fwgvxswc.dll
c: \ windows \ system32 \ gkguew.dll
c: \ windows \ system32 \ gulpmvsl.ini
c: \ windows \ system32 \ ikjbpkhh.ini
c: \ windows \ system32 \ inmcvccj.ini
c: \ windows \ system32 \ islhurjm.dll
c: \ windows \ system32 \ jgqaho.dll
c: \ windows \ system32 \ jkkLDuTm.dll
c: \ windows \ system32 \ jwouqwfw.ini
c: \ windows \ system32 \ lmjedsbq.dll
c: \ windows \ system32 \ ltmikd.dll
c: \ windows \ system32 \ mccckmdv.dll
c: \ windows \ system32 \ mTuDLkkj.ini
c: \ windows \ system32 \ mTuDLkkj.ini2
c: \ windows \ system32 \ nkosawwn.dll
c: \ windows \ system32 \ ohranuer.dll
c: \ windows \ system32 \ ooctev.dll
c: \ windows \ system32 \ oqlyxf.dll
c: \ windows \ system32 \ pzxonv.dll
c: \ windows \ system32 \ qhxvti.dll
c: \ windows \ system32 \ qlxkemdw.dll
c: \ windows \ system32 \ qwpyunwq.dll
c: \ windows \ system32 \ rfhmqshg.dll
c: \ windows \ system32 \ rlxgaikj.ini
c: \ windows \ system32 \ rsbhqlhl.ini
c: \ windows \ system32 \ rypdtjjr.ini
c: \ windows \ system32 \ sgnxfoif.dll
c: \ windows \ system32 \ sootwuuc.ini
c: \ windows \ system32 \ tspjkyny.dll
c: \ windows \ system32 \ vscvswrh.dll
c: \ windows \ system32 \ wdffpv.dll
c: \ windows \ system32 \ wfwquowj.dll
c: \ windows \ system32 \ wfyribsd.ini
c: \ windows \ system32 \ wqqfcwob.ini
c: \ windows \ system32 \ yjsccw.dll
c: \ windows \ system32 \ ynykjpst.ini
c: \ windows \ system32 \ yrquqenn.ini
c: \ windows \ system32 \ zjxlfk.dll
c: \ windows \ system32 \ zzkntq.dll

.
(((((((((((((((((( Files created from 2008-10-07 - 2008-11-07 ))))))))))))))))))
.

2008-11-04 21:47. 2008-11-04 21:47 <DIR> d-------- C:\rsit
2008-11-04 21:36. 2008-11-04 21:38 250 -a------ c:\windows\gmer.ini
2008-10-27 20:04. 2008-11-04 21:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-27 20:03. 2008-10-27 20:03 812344 -a------ C:\HJTInstall.exe
2008-10-12 12:25. 2008-10-12 12:25 <DIR> d-------- C:\Program Files
2008-10-12 10:29. 2008-10-12 12:24 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-10-12 09:44. 2008-10-12 09:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-12 09:44. 2008-09-09 23:04 38528 -a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-12 09:44. 2008-09-09 23:03 17200 -a------ c:\windows\system32\drivers\mbam.sys
2008-10-12 09:28. 2008-10-12 09:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-12 09:27. 2008-10-12 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-11 20:22. 2008-10-11 20:22 95 -a------ c:\windows\Wininit.ini
2008-10-11 19:48. 2008-10-11 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 19:48. 2008-10-11 19:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-09 17:05. 2008-10-09 17:05 <DIR> d-------- C:\Program Files\ScanSoft
2008-10-09 17:00. 2008-10-09 17:01 <DIR> d-------- C:\Program Files\Microsoft AutoRoute
2008-10-07 20:43. 2008-10-07 20:43 <DIR> d-------- C:\Windows\system32\Xircom
2008-10-07 20:43. 2008-10-07 20:43 <DIR> d-------- C:\Windows\system32\restore
2008-10-07 20:43. 2008-10-07 20:43 <DIR> d-------- C:\Windows\srchasst
2008-10-07 20:43. 2008-10-07 20:43 <DIR> d-------- C:\Windows\msagent
2008-10-07 20:43. 2008-10-07 20:43 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-10-07 20:26. 2008-10-07 20:26 <DIR> d-------- C:\Windows\system32\OOBE
2008-10-07 20:26. 2008-10-07 20:26 <DIR> d-------- C:\Windows\system32\is
2008-10-07 20:26. 2008-10-07 20:26 <DIR> d-------- C:\Windows\system32\bits
2008-10-07 20:26. 2008-10-07 20:26 <DIR> d-------- C:\Windows\l2schemas
2008-10-07 20:23. 2008-10-07 20:27 <DIR> d-------- C:\Windows\ServicePackFiles
2008-10-07 20:16. 2008-10-07 20:27 <DIR> d-------- C:\Windows\EHome

.
(((((((((((((((((((((((((((((( Report Find3M ))))))))))))))))))))))))))))))
.
2008-11-07 23:11 --------- ----- w d c:\Documents and Settings\All Users\Application Data\Google Updater
2008-11-04 20:21 --------- ----- w d c:\Program Files\ElcomSoft
2008-10-28 19:36 --------- ----- w d c:\Program Files\Eset
2008-10-12 08:10 --------- ----- w d c:\Program Files\PDF Password Remover v2.5
2008-10-12 08:10 --------- ----- w d c:\Program Files\Google
2008-10-10 22:38 90,112 ---- aw c:\windows\DUMP6d24.tmp
2008-10-10 22:37 98,304 ---- aw c:\windows\DUMP2334.tmp
2008-10-10 22:36 98,304 ---- aw c:\windows\DUMP3407.tmp
2008-10-10 21:11 --------- ----- w d c:\Documents and Settings\Administrator\Application Data\uTorrent
2008-10-07 19:43 96384 ---- aw c:\windows\system32\drivers\sptd9725.sys
2008-09-30 18:13 --------- ----- w d c:\Program Files\Picasa2
2008-09-17 17:17 --------- ----- w d c:\Documents and Settings\Administrator\Application Data\Ahead
.

((((((((((((((((((((((((((((( Snapshot@2008-10-28_20.42.41.23 )))))))))))))))))))))))))))))
.
+ 2008-11-04 20:36:55 884736 ---- aw c:\windows\gmer.dll
+ 2008-04-17 20:13:02 811008 ---- aw c:\windows\gmer.exe
+ 2008-11-04 20:36:56 85969 ---- aw c:\windows\system32\drivers\gmer.sys
- 2008-10-28 19:40:47 53248 ---- aw c:\windows\temp\catchme.dll
+ 2008-11-07 23:16:28 53248 ---- aw c:\windows\temp\catchme.dll
.
((((((((((((((((((((((((((((((((( Loading Points Reg )))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legitimate default entries are not displayed
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\Program Files\Eset\nod32kui.exe" [2008-06-04 921600]
"SoundMAXPnP"="c:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155,648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126,976]
"THotkey"="c:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-14 368,640]
"64769aed"="c:\windows\system32\tspjkyny.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2008-06-05 155648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_USERS\.Default\software\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\windows]
"AppInit_DLLs"=jgqaho.dll ltmikd.dll yjsccw.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll

[HKLM\~\services\sharedaccess\parameters\FirewallPolicy\StandardProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\Sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"57214:TCP"= 57214:TCP:Pando P2P Listening TCP Port
"57214:UDP"= 57214:UDP:Pando P2P UDP Port Listening
"4662:TCP"= 4662:TCP:uTORRENT

S2 gupdate1c8e071a1913dc0; Google Update Service (gupdate1c8e071a1913dc0); c:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-29 133104]
S3 iscFlash; iscFlash; c:\windows\Temp\isc10tmp\iscflash.sys []
S3 mpr_freader; MPR FileReader Driver c:\Program Files\Multi Password Recovery\mpr_freader.sys []
S3 USBSTOR; Device USB mass storage of data; c:\windows\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\mountpoints2\(9e6caec0-3340-11dd-ab62-963b1372dd69)]
\Shell\AutoRun\command - F:\Autorun.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\mountpoints2\(9e6caec2-3340-11dd-ab62-963b1372dd69)]
\Shell\AutoRun\command - F:\Autorun.exe
.
Content folder 'Scheduled Tasks'

2008-11-07 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-29 23:42]
.
- - - - ORPHANS Remove - - - -

BHO-(3a1b5168-e70f-44d3-9374-2d7e2ee2d181) - c:\windows\system32\yjsccw.dll
BHO-(4FC43E8F-827D-4EDB-9EBD-54B7B90D6D31) - c:\windows\system32\jkkLDuTm.dll


.
------- Supplemental Analysis -------
.
FireFox -: Profile - c:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\n1ai0fhk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.es
FF -: plugin - c:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
FF -: plugin - c:\Program Files\Google\Google Earth Plugin\npgeplugin.dll
FF -: plugin - c:\Program Files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\Program Files\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - c:\Program Files\Java\jre1.5.0_07\bin\NPJava11.dll
FF -: plugin - c:\Program Files\Java\jre1.5.0_07\bin\NPJava12.dll
FF -: plugin - c:\Program Files\Java\jre1.5.0_07\bin\NPJava13.dll
FF -: plugin - c:\Program Files\Java\jre1.5.0_07\bin\NPJava14.dll
FF -: plugin - c:\Program Files\Java\jre1.5.0_07\bin\NPJava32.dll
FF -: plugin - c:\Program Files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF -: plugin - c:\Program Files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF -: plugin - c:\Program Files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchman 0.3.1367 W2K/XP/Vista - rootkit / stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 00:16:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 370 bytes

The scan was completed successfully
Hidden Files: 1

**************************************************************************
.
--------------------- DLLs loaded under running processes ---------------------

PROCESS: c:\windows\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other processes running ------------------------
.
c:\windows\system32\DVDRAMSV.exe
c:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\Program Files\Eset\nod32krn.exe
c:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Time completed: 2008-11-08 0:18:34 - Rebooting the machine
ComboFix-quarantined-files.txt 2008-11-07 23:18:28
ComboFix2.txt 2008-10-28 20:02:19
ComboFix3.txt 2008-10-28 19:43:22

Pre-Run: 16,424,349,696 bytes free
Post-Run: 16,414,814,208 bytes free

229 --- E O F --- 2008-10-09 17:30:22








Logfile of HijackThis v1.99.1
Scan saved at 12:28:56 AM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Archivos de programa\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\Archivos de programa\toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsue.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [THotkey] C:\Archivos de programa\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [64769aed] rundll32.exe "C:\WINDOWS\system32\tspjkyny.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E963EE0-F698-40FA-8DE4-BBBC3D2D2899}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: jgqaho.dll ltmikd.dll yjsccw.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Update Service (gupdate1c8e071a1913dc0) (gupdate1c8e071a1913dc0) - Unknown owner - C:\Archivos de programa\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Archivos de programa\Archivos comunes\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Archivos de programa\toshiba\TOSHIBA Applet\TAPPSRV.exe