Tech Support Forum - View Single Post - Trojan Pws-lsp & Spam-xarvester On My Pc

fjfm · 05-02-2007, 12:05 PM

Hello again TETONBOB!!:

Finally I can send you the last ComboFix Log (I called it "ComoboFix-new").
I downloaded ComboFix from link you posted me & I put it on my Desktop...I run it and when it finished told me a "Log was posted on C:\Combofix.txt" and Inmediately a window was opened automatically and I saved on a disquette. I'm sending this log from my wife's PC.

The Log is as follow:

"Propietario" - 2007-05-02 19:55:06 Service Pack 2 [SAFE MODE]
ComboFix 07-05.03.V - Running from: "C:\Documents and Settings\Propietario\Escritorio\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))

2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Escritorio
2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DATOSD~1\SiteAdvisor
2007-05-01 15:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-01 00:37 <DIR> d-------- C:\csscod
2007-04-30 18:03 <DIR> d-------- C:\DOCUME~1\PROPIE~1\.housecall6.6
2007-04-30 13:54 1,310,720 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT
2007-04-30 13:54 <DIR> dr-h----- C:\DOCUME~1\ADMINI~2\Datos de programa
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Mis documentos
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Men£ Inicio
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Favoritos
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Plantillas
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Impresoras
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Entorno de red
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Configuraci¢n local
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\Escritorio
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\VERITAS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Symantec
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\InterTrust
2007-04-23 16:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 15:42 2,566,736 --a------ C:\Archivos de programa\spywareblastersetup351.exe
2007-04-23 15:42 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Escritorio
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DATOSD~1\SiteAdvisor
2007-04-20 23:30 <DIR> d-------- C:\Archivos de programa\SiteAdvisor
2007-04-20 23:28 1,418,608 --a------ C:\Archivos de programa\saSetup-SiteAdvisor McAfee.exe
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\PROPIE~1\DATOSD~1\SiteAdvisor
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\SiteAdvisor
2007-04-20 18:48 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-04-15 01:13 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Native Instruments
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Digidesign

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-01 10:55:06 -------- d-----w C:\Archivos de programa\Ares
2007-04-30 23:23:21 -------- d-----w C:\Archivos de programa\Total Video Converter
2007-04-27 11:00:43 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1.\MSN6
2007-04-25 22:52:30 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1.\SiteAdvisor
2007-04-25 01:22:43 -------- d-----w C:\Archivos de programa\QuickTime
2007-04-24 23:24:59 -------- d-----w C:\Archivos de programa\Soulseek
2007-04-19 13:15:07 -------- d-----w C:\Archivos de programa\foobar2000
2007-04-17 07:13:34 -------- d-----w C:\Archivos de programa\CCleaner
2007-04-16 10:30:25 -------- d-----w C:\Archivos de programa\eMule
2007-04-10 10:46:42 -------- d-----w C:\Archivos de programa\Monkey's Audio
2007-03-30 12:40:26 -------- d-----w C:\Archivos de programa\Cleaner 5 EZ
2007-03-30 08:04:53 -------- d-----w C:\Archivos de programa\SopCast
2007-03-26 14:48:46 71,610 ----a-w C:\WINDOWS\system32\perfc00A.dat
2007-03-26 14:48:46 446,582 ----a-w C:\WINDOWS\system32\perfh00A.dat
2007-03-24 00:58:19 -------- d-----w C:\Archivos de programa\Archivos comunes\Native Instruments
2007-03-23 17:26:52 -------- d-----w C:\Archivos de programa\Archivos comunes\Korg
2007-03-23 17:24:50 -------- d-----w C:\Archivos de programa\Syncrosoft
2007-03-23 16:56:03 -------- d-----w C:\Archivos de programa\RdDrv001
2007-03-17 13:45:06 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 20:01:46 -------- d-----w C:\Archivos de programa\MSXML 4.0
2007-03-08 16:08:16 -------- d-----w C:\Archivos de programa\SURPAC
2007-03-08 16:08:14 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-03-08 15:36:30 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:30 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:30 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:32:46 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-17 00:31:32 907,673 ----a-w C:\Archivos de programa\NewCDExt.exe
2007-02-05 20:18:39 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4efb-9B51-7695ECA05670}"="C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll"
"{089FD14D-132B-48FC-8861-0048AE113215}"="C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\ARCHIV~1\SPYBOT~1\SDHelper.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"AdaptecDirectCD"="\"C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VSOCheckTask"="\"C:\\ARCHIV~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Archivos de programa\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Archivos de programa\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\ARCHIV~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"_AntiSpyware"="c:\\archiv~1\\mcafee\\MCAFEE~1\\masalert.exe"
"Adobe Photo Downloader"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"H2O"="C:\\Archivos de programa\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"SiteAdvisor"="C:\\Archivos de programa\\SiteAdvisor\\6066\\SiteAdv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Suite"="regedit -s c:\\windows\\temp\\adj_hp.reg"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.fcbarcelona.es/imagenes/h...mpnouthumb.jpg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MI696F~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrnSys"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\hp print screen utility\\PrnSys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecuUFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="c:\\docume~1\\propie~1\\config~1\\temp\\secuufd.exe sys_auto_run C:\\DOCUME~1\\PROPIE~1\\CONFIG~1\\Temp\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee AntiSpyware.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-02 19:55:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-02 19:56:04
C:\ComboFix-quarantined-files.txt ... 2007-05-02 19:56
C:\ComboFix2.txt ... 2007-05-02 19:13
C:\ComboFix3.txt ... 2007-05-02 18:06

Thank you again!!
FJ

05-02-2007, 12:05 PM	#7 (permalink)
fjfm Registered User Join Date: Apr 2007 Posts: 16 OS: Windows XP Home Edition	Re: Trojan Pws-lsp & Spam-xarvester On My Pc Hello again TETONBOB!!: Finally I can send you the last ComboFix Log (I called it "ComoboFix-new"). I downloaded ComboFix from link you posted me & I put it on my Desktop...I run it and when it finished told me a "Log was posted on C:\Combofix.txt" and Inmediately a window was opened automatically and I saved on a disquette. I'm sending this log from my wife's PC. The Log is as follow: "Propietario" - 2007-05-02 19:55:06 Service Pack 2 [SAFE MODE] ComboFix 07-05.03.V - Running from: "C:\Documents and Settings\Propietario\Escritorio\" ((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 )))))))))))))))))))))))))))))))))) 2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Escritorio 2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DATOSD~1\SiteAdvisor 2007-05-01 15:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys 2007-05-01 00:37 <DIR> d-------- C:\csscod 2007-04-30 18:03 <DIR> d-------- C:\DOCUME~1\PROPIE~1\.housecall6.6 2007-04-30 13:54 1,310,720 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT 2007-04-30 13:54 <DIR> dr-h----- C:\DOCUME~1\ADMINI~2\Datos de programa 2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Mis documentos 2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Men£ Inicio 2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Favoritos 2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Plantillas 2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Impresoras 2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Entorno de red 2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Configuraci¢n local 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\Escritorio 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\VERITAS 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Symantec 2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\InterTrust 2007-04-23 16:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2007-04-23 15:42 2,566,736 --a------ C:\Archivos de programa\spywareblastersetup351.exe 2007-04-23 15:42 <DIR> d-------- C:\Archivos de programa\SpywareBlaster 2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Escritorio 2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DATOSD~1\SiteAdvisor 2007-04-20 23:30 <DIR> d-------- C:\Archivos de programa\SiteAdvisor 2007-04-20 23:28 1,418,608 --a------ C:\Archivos de programa\saSetup-SiteAdvisor McAfee.exe 2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\PROPIE~1\DATOSD~1\SiteAdvisor 2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\SiteAdvisor 2007-04-20 18:48 <DIR> d-------- C:\WINDOWS\system32\Panda Software 2007-04-15 01:13 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys 2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Native Instruments 2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Digidesign (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-01 10:55:06 -------- d-----w C:\Archivos de programa\Ares 2007-04-30 23:23:21 -------- d-----w C:\Archivos de programa\Total Video Converter 2007-04-27 11:00:43 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1.\MSN6 2007-04-25 22:52:30 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1.\SiteAdvisor 2007-04-25 01:22:43 -------- d-----w C:\Archivos de programa\QuickTime 2007-04-24 23:24:59 -------- d-----w C:\Archivos de programa\Soulseek 2007-04-19 13:15:07 -------- d-----w C:\Archivos de programa\foobar2000 2007-04-17 07:13:34 -------- d-----w C:\Archivos de programa\CCleaner 2007-04-16 10:30:25 -------- d-----w C:\Archivos de programa\eMule 2007-04-10 10:46:42 -------- d-----w C:\Archivos de programa\Monkey's Audio 2007-03-30 12:40:26 -------- d-----w C:\Archivos de programa\Cleaner 5 EZ 2007-03-30 08:04:53 -------- d-----w C:\Archivos de programa\SopCast 2007-03-26 14:48:46 71,610 ----a-w C:\WINDOWS\system32\perfc00A.dat 2007-03-26 14:48:46 446,582 ----a-w C:\WINDOWS\system32\perfh00A.dat 2007-03-24 00:58:19 -------- d-----w C:\Archivos de programa\Archivos comunes\Native Instruments 2007-03-23 17:26:52 -------- d-----w C:\Archivos de programa\Archivos comunes\Korg 2007-03-23 17:24:50 -------- d-----w C:\Archivos de programa\Syncrosoft 2007-03-23 16:56:03 -------- d-----w C:\Archivos de programa\RdDrv001 2007-03-17 13:45:06 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-09 20:01:46 -------- d-----w C:\Archivos de programa\MSXML 4.0 2007-03-08 16:08:16 -------- d-----w C:\Archivos de programa\SURPAC 2007-03-08 16:08:14 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information 2007-03-08 15:36:30 578,560 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:36:30 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:36:30 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 15:32:46 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys 2007-02-17 00:31:32 907,673 ----a-w C:\Archivos de programa\NewCDExt.exe 2007-02-05 20:18:39 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] "{02478D38-C3F9-4efb-9B51-7695ECA05670}"="C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll" "{089FD14D-132B-48FC-8861-0048AE113215}"="C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll" "{53707962-6F74-2D53-2644-206D7942484F}"="C:\ARCHIV~1\SPYBOT~1\SDHelper.dll" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "KBD"="C:\\HP\\KBD\\KBD.EXE" "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe" "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe" "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe" "TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot" "QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime" "AdaptecDirectCD"="\"C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\"" "VSOCheckTask"="\"C:\\ARCHIV~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask" "VirusScan Online"="C:\\Archivos de programa\\McAfee.com\\VSO\\mcvsshld.exe" "OASClnt"="C:\\Archivos de programa\\McAfee.com\\VSO\\oasclnt.exe" "MCAgentExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcagent.exe" "MCUpdateExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcupdate.exe" "MPFExe"="C:\\ARCHIV~1\\McAfee.com\\PERSON~1\\MpfTray.exe" "_AntiSpyware"="c:\\archiv~1\\mcafee\\MCAFEE~1\\masalert.exe" "Adobe Photo Downloader"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "H2O"="C:\\Archivos de programa\\SyncroSoft\\Pos\\H2O\\cledx.exe" "SiteAdvisor"="C:\\Archivos de programa\\SiteAdvisor\\6066\\SiteAdv.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "Suite"="regedit -s c:\\windows\\temp\\adj_hp.reg" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ http://www.fcbarcelona.es/imagenes/h...mpnouthumb.jpg HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk] "path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Adobe Reader Speed Launch.lnk" "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup" "location"="Common Startup" "command"="C:\\ARCHIV~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE " "item"="Adobe Reader Speed Launch" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk] "path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\InterVideo WinCinema Manager.lnk" "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\ARCHIV~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk] "path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk" "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup" "location"="Common Startup" "command"="C:\\ARCHIV~1\\MI696F~1\\Office\\OSA9.EXE -b -l" "item"="Microsoft Office" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^RAMASST.lnk] "path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\RAMASST.lnk" "backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup" "location"="Common Startup" "command"="C:\\WINDOWS\\system32\\RAMASST.exe " "item"="RAMASST" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="DirectCD" "hkey"="HKLM" "command"="C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="apdproxy" "hkey"="HKLM" "command"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="tfswctrl" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="hkcmd" "hkey"="HKLM" "command"="C:\\WINDOWS\\System32\\hkcmd.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="RUNDLL32" "hkey"="HKLM" "command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="nwiz" "hkey"="HKLM" "command"="nwiz.exe /install" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="PrnSys" "hkey"="HKLM" "command"="C:\\Program Files\\Hewlett-Packard\\hp print screen utility\\PrnSys.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ps2" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\ps2.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="RECGUARD" "hkey"="HKLM" "command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecuUFD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="c:\\docume~1\\propie~1\\config~1\\temp\\secuufd.exe sys_auto_run C:\\DOCUME~1\\PROPIE~1\\CONFIG~1\\Temp\\" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="hpgs2wnd" "hkey"="HKLM" "command"="C:\\Archivos de programa\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="winampa" "hkey"="HKLM" "command"="C:\\Archivos de programa\\Winamp\\winampa.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 HTTPFilter HTTPFilter\0\0 DcomLaunch DcomLaunch\0TermService\0\0 WudfServiceGroup WUDFSvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\McAfee AntiSpyware.job ****************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-02 19:55:56 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ****************************************************************** Completion time: 2007-05-02 19:56:04 C:\ComboFix-quarantined-files.txt ... 2007-05-02 19:56 C:\ComboFix2.txt ... 2007-05-02 19:13 C:\ComboFix3.txt ... 2007-05-02 18:06 Thank you again!! FJ