Tech Support Forum - View Single Post - Trojan Pws-lsp & Spam-xarvester On My Pc

fjfm · 05-02-2007, 10:22 AM

Hello again and here they are my ComboFix & HijackThis Logs:

COMBOFIX LOG:
============

"Propietario" - 07-05-02 18:03:54 Service Pack 2 [SAFE MODE]
ComboFix 07-04-19.1V - Running from: C:\Documents and Settings\Propietario\Escritorio\

((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))

2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Escritorio
2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DATOSD~1\SiteAdvisor
2007-05-01 15:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-01 00:37 <DIR> d-------- C:\csscod
2007-04-30 18:03 <DIR> d-------- C:\DOCUME~1\PROPIE~1\.housecall6.6
2007-04-30 13:54 1,310,720 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT
2007-04-30 13:54 <DIR> dr-h----- C:\DOCUME~1\ADMINI~2\Datos de programa
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Mis documentos
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Men£ Inicio
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Favoritos
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Plantillas
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Impresoras
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Entorno de red
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Configuraci¢n local
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\Escritorio
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\VERITAS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Symantec
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\InterTrust
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Adobe
2007-04-23 16:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 15:42 2,566,736 --a------ C:\Archivos de programa\spywareblastersetup351.exe
2007-04-23 15:42 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Escritorio
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DATOSD~1\SiteAdvisor
2007-04-20 23:30 <DIR> d-------- C:\Archivos de programa\SiteAdvisor
2007-04-20 23:28 1,418,608 --a------ C:\Archivos de programa\saSetup-SiteAdvisor McAfee.exe
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\PROPIE~1\DATOSD~1\SiteAdvisor
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\SiteAdvisor
2007-04-20 18:48 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-04-15 01:13 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Native Instruments
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Digidesign

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-01 01:23 -------- d-------- C:\Archivos de programa\total video converter
2007-04-25 03:22 -------- d-------- C:\Archivos de programa\quicktime
2007-04-25 01:24 -------- d-------- C:\Archivos de programa\soulseek
2007-04-19 15:15 -------- d-------- C:\Archivos de programa\foobar2000
2007-04-17 09:13 -------- d-------- C:\Archivos de programa\ccleaner
2007-04-16 12:30 -------- d-------- C:\Archivos de programa\emule
2007-04-10 12:46 -------- d-------- C:\Archivos de programa\monkey's audio
2007-03-30 14:40 -------- d-------- C:\Archivos de programa\cleaner 5 ez
2007-03-30 10:04 -------- d-------- C:\Archivos de programa\sopcast
2007-03-26 16:48 71610 --a------ C:\WINDOWS\system32\perfc00a.dat
2007-03-26 16:48 446582 --a------ C:\WINDOWS\system32\perfh00a.dat
2007-03-24 02:58 -------- d-------- C:\Archivos de programa\Archivos comunes\native instruments
2007-03-23 19:24 -------- d-------- C:\Archivos de programa\syncrosoft
2007-03-23 18:56 -------- d-------- C:\Archivos de programa\rddrv001
2007-03-17 15:45 293376 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-09 22:01 -------- d-------- C:\Archivos de programa\msxml 4.0
2007-03-08 18:08 -------- d--h----- C:\Archivos de programa\installshield installation information
2007-03-08 18:08 -------- d-------- C:\Archivos de programa\surpac
2007-03-08 17:36 578560 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:32 1843712 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-17 02:31 907673 --a------ C:\Archivos de programa\newcdext.exe
2007-02-05 22:18 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-02 11:57 232839 --a------ C:\Archivos de programa\svrecorder.zip

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670} C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
{089FD14D-132B-48FC-8861-0048AE113215} C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\ARCHIV~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"AdaptecDirectCD"="\"C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VSOCheckTask"="\"C:\\ARCHIV~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Archivos de programa\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Archivos de programa\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\ARCHIV~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"_AntiSpyware"="c:\\archiv~1\\mcafee\\MCAFEE~1\\masalert.exe"
"Adobe Photo Downloader"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"H2O"="C:\\Archivos de programa\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"SiteAdvisor"="C:\\Archivos de programa\\SiteAdvisor\\6066\\SiteAdv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Suite"="regedit -s c:\\windows\\temp\\adj_hp.reg"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.fcbarcelona.es/imagenes/h...mpnouthumb.jpg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MI696F~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrnSys"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\hp print screen utility\\PrnSys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecuUFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="c:\\docume~1\\propie~1\\config~1\\temp\\secuufd.exe sys_auto_run C:\\DOCUME~1\\PROPIE~1\\CONFIG~1\\Temp\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee AntiSpyware.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-02 18

02
C:\ComboFix-quarantined-files.txt ... 07-05-02 18:06
C:\ComboFix2.txt ... 07-04-19 01:26
===========

HIJACKTHIS Log now:

Logfile of HijackThis v1.99.1
Scan saved at 18:10:06, on 02/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Propietario\Mis documentos\Nuevo Maletín\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\ARCHIV~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Archivos de programa\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\archiv~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [H2O] C:\Archivos de programa\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bi...datePortal.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/act...a/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32A997A7-3D6C-4FD1-B199-21207B14BDA8}: NameServer = 195.235.113.3,195.235.96.90
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\archiv~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\archivos de programa\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Programador de LiveUpdate automático - Unknown owner - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Archivos de programa\SiteAdvisor\6066\SAService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

I can not connect to internet. I'm writing from my wife's PC.
Thanks for your reply and interest.
FJ

05-02-2007, 10:22 AM	#4 (permalink)
fjfm Registered User Join Date: Apr 2007 Posts: 16 OS: Windows XP Home Edition	Re: Trojan Pws-lsp & Spam-xarvester On My Pc Hello again and here they are my ComboFix & HijackThis Logs: COMBOFIX LOG: ============ "Propietario" - 07-05-02 18:03:54 Service Pack 2 [SAFE MODE] ComboFix 07-04-19.1V - Running from: C:\Documents and Settings\Propietario\Escritorio\ ((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 )))))))))))))))))))))))))))))))))) 2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Escritorio 2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DATOSD~1\SiteAdvisor 2007-05-01 15:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-05-01 00:37 <DIR> d-------- C:\csscod 2007-04-30 18:03 <DIR> d-------- C:\DOCUME~1\PROPIE~1\.housecall6.6 2007-04-30 13:54 1,310,720 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT 2007-04-30 13:54 <DIR> dr-h----- C:\DOCUME~1\ADMINI~2\Datos de programa 2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Mis documentos 2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Men£ Inicio 2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Favoritos 2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Plantillas 2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Impresoras 2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Entorno de red 2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Configuraci¢n local 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\Escritorio 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\VERITAS 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Symantec 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\InterTrust 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Adobe 2007-04-23 16:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2007-04-23 15:42 2,566,736 --a------ C:\Archivos de programa\spywareblastersetup351.exe 2007-04-23 15:42 <DIR> d-------- C:\Archivos de programa\SpywareBlaster 2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Escritorio 2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DATOSD~1\SiteAdvisor 2007-04-20 23:30 <DIR> d-------- C:\Archivos de programa\SiteAdvisor 2007-04-20 23:28 1,418,608 --a------ C:\Archivos de programa\saSetup-SiteAdvisor McAfee.exe 2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\PROPIE~1\DATOSD~1\SiteAdvisor 2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\SiteAdvisor 2007-04-20 18:48 <DIR> d-------- C:\WINDOWS\system32\Panda Software 2007-04-15 01:13 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys 2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Native Instruments 2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Digidesign (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-01 01:23 -------- d-------- C:\Archivos de programa\total video converter 2007-04-25 03:22 -------- d-------- C:\Archivos de programa\quicktime 2007-04-25 01:24 -------- d-------- C:\Archivos de programa\soulseek 2007-04-19 15:15 -------- d-------- C:\Archivos de programa\foobar2000 2007-04-17 09:13 -------- d-------- C:\Archivos de programa\ccleaner 2007-04-16 12:30 -------- d-------- C:\Archivos de programa\emule 2007-04-10 12:46 -------- d-------- C:\Archivos de programa\monkey's audio 2007-03-30 14:40 -------- d-------- C:\Archivos de programa\cleaner 5 ez 2007-03-30 10:04 -------- d-------- C:\Archivos de programa\sopcast 2007-03-26 16:48 71610 --a------ C:\WINDOWS\system32\perfc00a.dat 2007-03-26 16:48 446582 --a------ C:\WINDOWS\system32\perfh00a.dat 2007-03-24 02:58 -------- d-------- C:\Archivos de programa\Archivos comunes\native instruments 2007-03-23 19:24 -------- d-------- C:\Archivos de programa\syncrosoft 2007-03-23 18:56 -------- d-------- C:\Archivos de programa\rddrv001 2007-03-17 15:45 293376 --a------ C:\WINDOWS\system32\winsrv.dll 2007-03-09 22:01 -------- d-------- C:\Archivos de programa\msxml 4.0 2007-03-08 18:08 -------- d--h----- C:\Archivos de programa\installshield installation information 2007-03-08 18:08 -------- d-------- C:\Archivos de programa\surpac 2007-03-08 17:36 578560 --a------ C:\WINDOWS\system32\user32.dll 2007-03-08 17:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll 2007-03-08 17:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll 2007-03-08 17:32 1843712 --a------ C:\WINDOWS\system32\win32k.sys 2007-02-17 02:31 907673 --a------ C:\Archivos de programa\newcdext.exe 2007-02-05 22:18 185344 --a------ C:\WINDOWS\system32\upnphost.dll 2007-02-02 11:57 232839 --a------ C:\Archivos de programa\svrecorder.zip (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {02478D38-C3F9-4efb-9B51-7695ECA05670} C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll {089FD14D-132B-48FC-8861-0048AE113215} C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll {53707962-6F74-2D53-2644-206D7942484F} C:\ARCHIV~1\SPYBOT~1\SDHelper.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "KBD"="C:\\HP\\KBD\\KBD.EXE" "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe" "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe" "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe" "TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot" "QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime" "AdaptecDirectCD"="\"C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\"" "VSOCheckTask"="\"C:\\ARCHIV~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask" "VirusScan Online"="C:\\Archivos de programa\\McAfee.com\\VSO\\mcvsshld.exe" "OASClnt"="C:\\Archivos de programa\\McAfee.com\\VSO\\oasclnt.exe" "MCAgentExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcagent.exe" "MCUpdateExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcupdate.exe" "MPFExe"="C:\\ARCHIV~1\\McAfee.com\\PERSON~1\\MpfTray.exe" "_AntiSpyware"="c:\\archiv~1\\mcafee\\MCAFEE~1\\masalert.exe" "Adobe Photo Downloader"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "H2O"="C:\\Archivos de programa\\SyncroSoft\\Pos\\H2O\\cledx.exe" "SiteAdvisor"="C:\\Archivos de programa\\SiteAdvisor\\6066\\SiteAdv.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "Suite"="regedit -s c:\\windows\\temp\\adj_hp.reg" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ http://www.fcbarcelona.es/imagenes/h...mpnouthumb.jpg HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk] "path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Adobe Reader Speed Launch.lnk" "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup" "location"="Common Startup" "command"="C:\\ARCHIV~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE " "item"="Adobe Reader Speed Launch" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk] "path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\InterVideo WinCinema Manager.lnk" "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\ARCHIV~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk] "path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk" "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup" "location"="Common Startup" "command"="C:\\ARCHIV~1\\MI696F~1\\Office\\OSA9.EXE -b -l" "item"="Microsoft Office" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^RAMASST.lnk] "path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\RAMASST.lnk" "backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup" "location"="Common Startup" "command"="C:\\WINDOWS\\system32\\RAMASST.exe " "item"="RAMASST" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="DirectCD" "hkey"="HKLM" "command"="C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="apdproxy" "hkey"="HKLM" "command"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="tfswctrl" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="hkcmd" "hkey"="HKLM" "command"="C:\\WINDOWS\\System32\\hkcmd.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="RUNDLL32" "hkey"="HKLM" "command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="nwiz" "hkey"="HKLM" "command"="nwiz.exe /install" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="PrnSys" "hkey"="HKLM" "command"="C:\\Program Files\\Hewlett-Packard\\hp print screen utility\\PrnSys.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ps2" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\ps2.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="RECGUARD" "hkey"="HKLM" "command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecuUFD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="c:\\docume~1\\propie~1\\config~1\\temp\\secuufd.exe sys_auto_run C:\\DOCUME~1\\PROPIE~1\\CONFIG~1\\Temp\\" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="hpgs2wnd" "hkey"="HKLM" "command"="C:\\Archivos de programa\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="winampa" "hkey"="HKLM" "command"="C:\\Archivos de programa\\Winamp\\winampa.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\McAfee AntiSpyware.job ****************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ****************************************************************** Completion time: 07-05-02 1802 C:\ComboFix-quarantined-files.txt ... 07-05-02 18:06 C:\ComboFix2.txt ... 07-04-19 01:26 =========== HIJACKTHIS Log now: Logfile of HijackThis v1.99.1 Scan saved at 18:10:06, on 02/05/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Propietario\Mis documentos\Nuevo Maletín\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [VSOCheckTask] "C:\ARCHIV~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Archivos de programa\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] c:\ARCHIV~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MPFExe] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [_AntiSpyware] c:\archiv~1\mcafee\MCAFEE~1\masalert.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [H2O] C:\Archivos de programa\SyncroSoft\Pos\H2O\cledx.exe O4 - HKLM\..\Run: [SiteAdvisor] C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MI699F~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/...s/MsnPUpld.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bi...datePortal.cab O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/act...a/SymAData.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{32A997A7-3D6C-4FD1-B199-21207B14BDA8}: NameServer = 195.235.113.3,195.235.96.90 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\archiv~1\mcafee\mcafee antispyware\massrv.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\archivos de programa\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Programador de LiveUpdate automático - Unknown owner - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Archivos de programa\SiteAdvisor\6066\SAService.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing) I can not connect to internet. I'm writing from my wife's PC. Thanks for your reply and interest. FJ