Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Trojan Pws-lsp & Spam-xarvester On My Pc
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 04-29-2007, 06:24 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Trojan Pws-lsp & Spam-xarvester On My Pc
Hi Folks!!!:

My Mcafee caught two trojans called "SPAM-XARVESTER" & "PWS-LSP".

About SPAM-XARVESTER: It was removed and deleted by McAfee but everytime I reboot my PC it appears again and again. How can I delete it definitively?. I reboot my PC on Safe Mode but problems can not be resolved.

About PWS-LSP: Macfee couldn't quarentined or removed and my internet connection is out off since that moment (I'm writing from my wife's PC). I used many pc scans online and ad-aware programmss before loss my internet connection but the I know VIRUS is still on computer because I can't use my internet connection. Is there any way I can get it off my system. I have windows XP-SP2 and please note that I cannot access the Internet on my home computer so any assistance I can get will be greatly appreciated.
I can´t not actualize my Mcaffe because I lost my internet connection.
Excuse for my horrible english!!.
Thanks to all.
FJ
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 04-30-2007, 07:13 AM   #2 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


"spam Xarvester" & "pws-lsp" Trojans
Hi Folks:

My antivirus McAfee detected these 2 trojans:

SPAM-XARVESTER: it was deleted but when I reboot my PC McAffe alerts me that this trojan was found and deleted it. This message appears everytime I connect my PC. How can I resiolve this problem??.

PWS-LSP: McAfee found this trojan and deleted it yesterday on "kgc.dll" file but when I rebooted my Pc this morning a new message appears warm me that McAfee found this trojan again in other file: "dcexlmfnd.dll"...and it's impossible clean, quarentine o delete it. How can resolve this problem too.

I Attach you my HiojackThis file:



Logfile of HijackThis v1.99.1
Scan saved at 14:18:43, on 30/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Propietario\Mis documentos\Nuevo Maletín\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\ARCHIV~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Archivos de programa\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\archiv~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [H2O] C:\Archivos de programa\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dcexlmfnd.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bi...datePortal.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/act...a/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32A997A7-3D6C-4FD1-B199-21207B14BDA8}: NameServer = 195.235.113.3,195.235.96.90
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\archiv~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\archivos de programa\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Programador de LiveUpdate automático - Unknown owner - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Archivos de programa\SiteAdvisor\6066\SAService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)


Thank you very much.
FJ
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-01-2007, 06:53 PM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,206
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
  1. Download combofix.exe to your desktop.
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-02-2007, 10:22 AM   #4 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Hello again and here they are my ComboFix & HijackThis Logs:

COMBOFIX LOG:
============


"Propietario" - 07-05-02 18:03:54 Service Pack 2 [SAFE MODE]
ComboFix 07-04-19.1V - Running from: C:\Documents and Settings\Propietario\Escritorio\


((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))


2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Escritorio
2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DATOSD~1\SiteAdvisor
2007-05-01 15:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-01 00:37 <DIR> d-------- C:\csscod
2007-04-30 18:03 <DIR> d-------- C:\DOCUME~1\PROPIE~1\.housecall6.6
2007-04-30 13:54 1,310,720 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT
2007-04-30 13:54 <DIR> dr-h----- C:\DOCUME~1\ADMINI~2\Datos de programa
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Mis documentos
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Men£ Inicio
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Favoritos
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Plantillas
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Impresoras
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Entorno de red
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Configuraci¢n local
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\Escritorio
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\VERITAS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Symantec
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\InterTrust
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Adobe
2007-04-23 16:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 15:42 2,566,736 --a------ C:\Archivos de programa\spywareblastersetup351.exe
2007-04-23 15:42 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Escritorio
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DATOSD~1\SiteAdvisor
2007-04-20 23:30 <DIR> d-------- C:\Archivos de programa\SiteAdvisor
2007-04-20 23:28 1,418,608 --a------ C:\Archivos de programa\saSetup-SiteAdvisor McAfee.exe
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\PROPIE~1\DATOSD~1\SiteAdvisor
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\SiteAdvisor
2007-04-20 18:48 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-04-15 01:13 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Native Instruments
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Digidesign


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-01 01:23 -------- d-------- C:\Archivos de programa\total video converter
2007-04-25 03:22 -------- d-------- C:\Archivos de programa\quicktime
2007-04-25 01:24 -------- d-------- C:\Archivos de programa\soulseek
2007-04-19 15:15 -------- d-------- C:\Archivos de programa\foobar2000
2007-04-17 09:13 -------- d-------- C:\Archivos de programa\ccleaner
2007-04-16 12:30 -------- d-------- C:\Archivos de programa\emule
2007-04-10 12:46 -------- d-------- C:\Archivos de programa\monkey's audio
2007-03-30 14:40 -------- d-------- C:\Archivos de programa\cleaner 5 ez
2007-03-30 10:04 -------- d-------- C:\Archivos de programa\sopcast
2007-03-26 16:48 71610 --a------ C:\WINDOWS\system32\perfc00a.dat
2007-03-26 16:48 446582 --a------ C:\WINDOWS\system32\perfh00a.dat
2007-03-24 02:58 -------- d-------- C:\Archivos de programa\Archivos comunes\native instruments
2007-03-23 19:24 -------- d-------- C:\Archivos de programa\syncrosoft
2007-03-23 18:56 -------- d-------- C:\Archivos de programa\rddrv001
2007-03-17 15:45 293376 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-09 22:01 -------- d-------- C:\Archivos de programa\msxml 4.0
2007-03-08 18:08 -------- d--h----- C:\Archivos de programa\installshield installation information
2007-03-08 18:08 -------- d-------- C:\Archivos de programa\surpac
2007-03-08 17:36 578560 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:32 1843712 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-17 02:31 907673 --a------ C:\Archivos de programa\newcdext.exe
2007-02-05 22:18 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-02 11:57 232839 --a------ C:\Archivos de programa\svrecorder.zip


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670} C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
{089FD14D-132B-48FC-8861-0048AE113215} C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\ARCHIV~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"AdaptecDirectCD"="\"C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VSOCheckTask"="\"C:\\ARCHIV~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Archivos de programa\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Archivos de programa\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\ARCHIV~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"_AntiSpyware"="c:\\archiv~1\\mcafee\\MCAFEE~1\\masalert.exe"
"Adobe Photo Downloader"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"H2O"="C:\\Archivos de programa\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"SiteAdvisor"="C:\\Archivos de programa\\SiteAdvisor\\6066\\SiteAdv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Suite"="regedit -s c:\\windows\\temp\\adj_hp.reg"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.fcbarcelona.es/imagenes/h...mpnouthumb.jpg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MI696F~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrnSys"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\hp print screen utility\\PrnSys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecuUFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="c:\\docume~1\\propie~1\\config~1\\temp\\secuufd.exe sys_auto_run C:\\DOCUME~1\\PROPIE~1\\CONFIG~1\\Temp\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee AntiSpyware.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-02 1802
C:\ComboFix-quarantined-files.txt ... 07-05-02 18:06
C:\ComboFix2.txt ... 07-04-19 01:26
===========



HIJACKTHIS Log now:


Logfile of HijackThis v1.99.1
Scan saved at 18:10:06, on 02/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Propietario\Mis documentos\Nuevo Maletín\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\ARCHIV~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Archivos de programa\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\archiv~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [H2O] C:\Archivos de programa\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bi...datePortal.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/act...a/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32A997A7-3D6C-4FD1-B199-21207B14BDA8}: NameServer = 195.235.113.3,195.235.96.90
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\archiv~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\archivos de programa\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Programador de LiveUpdate automático - Unknown owner - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Archivos de programa\SiteAdvisor\6066\SAService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)


I can not connect to internet. I'm writing from my wife's PC.
Thanks for your reply and interest.
FJ
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-02-2007, 10:38 AM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,206
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
It appears as though you ran ComboFix twice.

Please post C:\ComboFix2.txt
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-02-2007, 11:30 AM   #6 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Sorry I don't understand you...:-(...

I don't find C:\ComboFix2.txt.

I post you all my ComboFix txt:

==========================
========================== FIRST TXT>>>>>>>>>>
==========================
Code:
04-01-15 08:01      53299    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir
04-05-14 12:30      61440    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wanpacket.dll.vir
04-05-14 12:30      81920    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
04-05-14 12:37      32896    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
04-05-14 14:02      225280    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
06-06-29 14:10      1656    --a------    C:\Qoobox\Quarantine\C\INSTALL.LOG.vir
06-09-22 04:03      813    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\PROPIE~1\ESCRIT~1\Internet Explorer.lnk.vir
07-04-19 01:24      1326    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NM.reg.cf
07-04-19 01:24      1334    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf
07-04-19 01:24      2426    --a------    C:\Qoobox\Quarantine\Registry_backups\services_NPF.reg.cf
07-04-19 01:24      8830    --a------    C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf


Listado de rutas de carpetas para el volumen HP_PAVILION
El n£mero de serie del volumen es 38DB-C9FD
C:\QOOBOX
\---Quarantine
    +---C
    |   |   INSTALL.LOG.vir
    |   |   
    |   +---DOCUME~1
    |   |   \---PROPIE~1
    |   |       \---ESCRIT~1
    |   |               Internet Explorer.lnk.vir
    |   |               
    |   \---WINDOWS
    |       \---system32
    |           |   packet.dll.vir
    |           |   pthreadVC.dll.vir
    |           |   wanpacket.dll.vir
    |           |   wpcap.dll.vir
    |           |   
    |           \---drivers
    |                   npf.sys.vir
    |                   
    \---Registry_backups
            LEGACY_NM.reg.cf
            LEGACY_NPF.reg.cf
            services_nm.reg.cf
            services_NPF.reg.cf
======================================
====================================== SECOND TXT>>>>>>
======================================




"Propietario" - 07-05-02 19:11:45 Service Pack 2 [SAFE MODE]
ComboFix 07-04-19.1V - Running from: C:\Documents and Settings\Propietario\Escritorio\


((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))


2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Escritorio
2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DATOSD~1\SiteAdvisor
2007-05-01 15:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-01 00:37 <DIR> d-------- C:\csscod
2007-04-30 18:03 <DIR> d-------- C:\DOCUME~1\PROPIE~1\.housecall6.6
2007-04-30 13:54 1,310,720 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT
2007-04-30 13:54 <DIR> dr-h----- C:\DOCUME~1\ADMINI~2\Datos de programa
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Mis documentos
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Men£ Inicio
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Favoritos
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Plantillas
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Impresoras
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Entorno de red
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Configuraci¢n local
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\Escritorio
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\VERITAS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Symantec
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\InterTrust
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Adobe
2007-04-23 16:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 15:42 2,566,736 --a------ C:\Archivos de programa\spywareblastersetup351.exe
2007-04-23 15:42 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Escritorio
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DATOSD~1\SiteAdvisor
2007-04-20 23:30 <DIR> d-------- C:\Archivos de programa\SiteAdvisor
2007-04-20 23:28 1,418,608 --a------ C:\Archivos de programa\saSetup-SiteAdvisor McAfee.exe
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\PROPIE~1\DATOSD~1\SiteAdvisor
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\SiteAdvisor
2007-04-20 18:48 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-04-15 01:13 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Native Instruments
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Digidesign


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-01 01:23 -------- d-------- C:\Archivos de programa\total video converter
2007-04-25 03:22 -------- d-------- C:\Archivos de programa\quicktime
2007-04-25 01:24 -------- d-------- C:\Archivos de programa\soulseek
2007-04-19 15:15 -------- d-------- C:\Archivos de programa\foobar2000
2007-04-17 09:13 -------- d-------- C:\Archivos de programa\ccleaner
2007-04-16 12:30 -------- d-------- C:\Archivos de programa\emule
2007-04-10 12:46 -------- d-------- C:\Archivos de programa\monkey's audio
2007-03-30 14:40 -------- d-------- C:\Archivos de programa\cleaner 5 ez
2007-03-30 10:04 -------- d-------- C:\Archivos de programa\sopcast
2007-03-26 16:48 71610 --a------ C:\WINDOWS\system32\perfc00a.dat
2007-03-26 16:48 446582 --a------ C:\WINDOWS\system32\perfh00a.dat
2007-03-24 02:58 -------- d-------- C:\Archivos de programa\Archivos comunes\native instruments
2007-03-23 19:24 -------- d-------- C:\Archivos de programa\syncrosoft
2007-03-23 18:56 -------- d-------- C:\Archivos de programa\rddrv001
2007-03-17 15:45 293376 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-09 22:01 -------- d-------- C:\Archivos de programa\msxml 4.0
2007-03-08 18:08 -------- d--h----- C:\Archivos de programa\installshield installation information
2007-03-08 18:08 -------- d-------- C:\Archivos de programa\surpac
2007-03-08 17:36 578560 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:32 1843712 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-17 02:31 907673 --a------ C:\Archivos de programa\newcdext.exe
2007-02-05 22:18 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-02 11:57 232839 --a------ C:\Archivos de programa\svrecorder.zip


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670} C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
{089FD14D-132B-48FC-8861-0048AE113215} C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\ARCHIV~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"AdaptecDirectCD"="\"C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VSOCheckTask"="\"C:\\ARCHIV~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Archivos de programa\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Archivos de programa\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\ARCHIV~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"_AntiSpyware"="c:\\archiv~1\\mcafee\\MCAFEE~1\\masalert.exe"
"Adobe Photo Downloader"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"H2O"="C:\\Archivos de programa\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"SiteAdvisor"="C:\\Archivos de programa\\SiteAdvisor\\6066\\SiteAdv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Suite"="regedit -s c:\\windows\\temp\\adj_hp.reg"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.fcbarcelona.es/imagenes/h...mpnouthumb.jpg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MI696F~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrnSys"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\hp print screen utility\\PrnSys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecuUFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="c:\\docume~1\\propie~1\\config~1\\temp\\secuufd.exe sys_auto_run C:\\DOCUME~1\\PROPIE~1\\CONFIG~1\\Temp\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee AntiSpyware.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-02 19:13:11
C:\ComboFix-quarantined-files.txt ... 07-05-02 19:13
C:\ComboFix2.txt ... 07-05-02 18:06
C:\ComboFix3.txt ... 07-04-19 01:26


============================
============================ THIRTH TXT>>>>>>>>>>>>
=============================


"Propietario" - 07-05-02 18:03:54 Service Pack 2 [SAFE MODE]
ComboFix 07-04-19.1V - Running from: C:\Documents and Settings\Propietario\Escritorio\


((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))


2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Escritorio
2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DATOSD~1\SiteAdvisor
2007-05-01 15:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-01 00:37 <DIR> d-------- C:\csscod
2007-04-30 18:03 <DIR> d-------- C:\DOCUME~1\PROPIE~1\.housecall6.6
2007-04-30 13:54 1,310,720 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT
2007-04-30 13:54 <DIR> dr-h----- C:\DOCUME~1\ADMINI~2\Datos de programa
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Mis documentos
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Men£ Inicio
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Favoritos
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Plantillas
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Impresoras
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Entorno de red
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Configuraci¢n local
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\Escritorio
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\VERITAS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Symantec
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\InterTrust
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Adobe
2007-04-23 16:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 15:42 2,566,736 --a------ C:\Archivos de programa\spywareblastersetup351.exe
2007-04-23 15:42 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Escritorio
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DATOSD~1\SiteAdvisor
2007-04-20 23:30 <DIR> d-------- C:\Archivos de programa\SiteAdvisor
2007-04-20 23:28 1,418,608 --a------ C:\Archivos de programa\saSetup-SiteAdvisor McAfee.exe
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\PROPIE~1\DATOSD~1\SiteAdvisor
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\SiteAdvisor
2007-04-20 18:48 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-04-15 01:13 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Native Instruments
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Digidesign


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-01 01:23 -------- d-------- C:\Archivos de programa\total video converter
2007-04-25 03:22 -------- d-------- C:\Archivos de programa\quicktime
2007-04-25 01:24 -------- d-------- C:\Archivos de programa\soulseek
2007-04-19 15:15 -------- d-------- C:\Archivos de programa\foobar2000
2007-04-17 09:13 -------- d-------- C:\Archivos de programa\ccleaner
2007-04-16 12:30 -------- d-------- C:\Archivos de programa\emule
2007-04-10 12:46 -------- d-------- C:\Archivos de programa\monkey's audio
2007-03-30 14:40 -------- d-------- C:\Archivos de programa\cleaner 5 ez
2007-03-30 10:04 -------- d-------- C:\Archivos de programa\sopcast
2007-03-26 16:48 71610 --a------ C:\WINDOWS\system32\perfc00a.dat
2007-03-26 16:48 446582 --a------ C:\WINDOWS\system32\perfh00a.dat
2007-03-24 02:58 -------- d-------- C:\Archivos de programa\Archivos comunes\native instruments
2007-03-23 19:24 -------- d-------- C:\Archivos de programa\syncrosoft
2007-03-23 18:56 -------- d-------- C:\Archivos de programa\rddrv001
2007-03-17 15:45 293376 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-09 22:01 -------- d-------- C:\Archivos de programa\msxml 4.0
2007-03-08 18:08 -------- d--h----- C:\Archivos de programa\installshield installation information
2007-03-08 18:08 -------- d-------- C:\Archivos de programa\surpac
2007-03-08 17:36 578560 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:32 1843712 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-17 02:31 907673 --a------ C:\Archivos de programa\newcdext.exe
2007-02-05 22:18 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-02 11:57 232839 --a------ C:\Archivos de programa\svrecorder.zip


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670} C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
{089FD14D-132B-48FC-8861-0048AE113215} C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\ARCHIV~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"AdaptecDirectCD"="\"C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VSOCheckTask"="\"C:\\ARCHIV~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Archivos de programa\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Archivos de programa\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\ARCHIV~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"_AntiSpyware"="c:\\archiv~1\\mcafee\\MCAFEE~1\\masalert.exe"
"Adobe Photo Downloader"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"H2O"="C:\\Archivos de programa\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"SiteAdvisor"="C:\\Archivos de programa\\SiteAdvisor\\6066\\SiteAdv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Suite"="regedit -s c:\\windows\\temp\\adj_hp.reg"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.fcbarcelona.es/imagenes/h...mpnouthumb.jpg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MI696F~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrnSys"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\hp print screen utility\\PrnSys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecuUFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="c:\\docume~1\\propie~1\\config~1\\temp\\secuufd.exe sys_auto_run C:\\DOCUME~1\\PROPIE~1\\CONFIG~1\\Temp\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee AntiSpyware.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-02 1802
C:\ComboFix-quarantined-files.txt ... 07-05-02 18:06
C:\ComboFix2.txt ... 07-04-19 01:26

======================================
======================================
======================================


Thanks and excuse my horrible english
FJ (Let me know is all it's ok now)
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-02-2007, 12:05 PM   #7 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Hello again TETONBOB!!:

Finally I can send you the last ComboFix Log (I called it "ComoboFix-new").
I downloaded ComboFix from link you posted me & I put it on my Desktop...I run it and when it finished told me a "Log was posted on C:\Combofix.txt" and Inmediately a window was opened automatically and I saved on a disquette. I'm sending this log from my wife's PC.

The Log is as follow:


"Propietario" - 2007-05-02 19:55:06 Service Pack 2 [SAFE MODE]
ComboFix 07-05.03.V - Running from: "C:\Documents and Settings\Propietario\Escritorio\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))


2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Escritorio
2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DATOSD~1\SiteAdvisor
2007-05-01 15:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-01 00:37 <DIR> d-------- C:\csscod
2007-04-30 18:03 <DIR> d-------- C:\DOCUME~1\PROPIE~1\.housecall6.6
2007-04-30 13:54 1,310,720 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT
2007-04-30 13:54 <DIR> dr-h----- C:\DOCUME~1\ADMINI~2\Datos de programa
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Mis documentos
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Men£ Inicio
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Favoritos
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Plantillas
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Impresoras
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Entorno de red
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Configuraci¢n local
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\Escritorio
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\VERITAS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Symantec
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\InterTrust
2007-04-23 16:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 15:42 2,566,736 --a------ C:\Archivos de programa\spywareblastersetup351.exe
2007-04-23 15:42 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Escritorio
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DATOSD~1\SiteAdvisor
2007-04-20 23:30 <DIR> d-------- C:\Archivos de programa\SiteAdvisor
2007-04-20 23:28 1,418,608 --a------ C:\Archivos de programa\saSetup-SiteAdvisor McAfee.exe
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\PROPIE~1\DATOSD~1\SiteAdvisor
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\SiteAdvisor
2007-04-20 18:48 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-04-15 01:13 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Native Instruments
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Digidesign


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-01 10:55:06 -------- d-----w C:\Archivos de programa\Ares
2007-04-30 23:23:21 -------- d-----w C:\Archivos de programa\Total Video Converter
2007-04-27 11:00:43 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1.\MSN6
2007-04-25 22:52:30 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1.\SiteAdvisor
2007-04-25 01:22:43 -------- d-----w C:\Archivos de programa\QuickTime
2007-04-24 23:24:59 -------- d-----w C:\Archivos de programa\Soulseek
2007-04-19 13:15:07 -------- d-----w C:\Archivos de programa\foobar2000
2007-04-17 07:13:34 -------- d-----w C:\Archivos de programa\CCleaner
2007-04-16 10:30:25 -------- d-----w C:\Archivos de programa\eMule
2007-04-10 10:46:42 -------- d-----w C:\Archivos de programa\Monkey's Audio
2007-03-30 12:40:26 -------- d-----w C:\Archivos de programa\Cleaner 5 EZ
2007-03-30 08:04:53 -------- d-----w C:\Archivos de programa\SopCast
2007-03-26 14:48:46 71,610 ----a-w C:\WINDOWS\system32\perfc00A.dat
2007-03-26 14:48:46 446,582 ----a-w C:\WINDOWS\system32\perfh00A.dat
2007-03-24 00:58:19 -------- d-----w C:\Archivos de programa\Archivos comunes\Native Instruments
2007-03-23 17:26:52 -------- d-----w C:\Archivos de programa\Archivos comunes\Korg
2007-03-23 17:24:50 -------- d-----w C:\Archivos de programa\Syncrosoft
2007-03-23 16:56:03 -------- d-----w C:\Archivos de programa\RdDrv001
2007-03-17 13:45:06 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 20:01:46 -------- d-----w C:\Archivos de programa\MSXML 4.0
2007-03-08 16:08:16 -------- d-----w C:\Archivos de programa\SURPAC
2007-03-08 16:08:14 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-03-08 15:36:30 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:30 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:30 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:32:46 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-17 00:31:32 907,673 ----a-w C:\Archivos de programa\NewCDExt.exe
2007-02-05 20:18:39 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4efb-9B51-7695ECA05670}"="C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll"
"{089FD14D-132B-48FC-8861-0048AE113215}"="C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\ARCHIV~1\SPYBOT~1\SDHelper.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"AdaptecDirectCD"="\"C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VSOCheckTask"="\"C:\\ARCHIV~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Archivos de programa\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Archivos de programa\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\ARCHIV~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"_AntiSpyware"="c:\\archiv~1\\mcafee\\MCAFEE~1\\masalert.exe"
"Adobe Photo Downloader"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"H2O"="C:\\Archivos de programa\\SyncroSoft\\Pos\\H2O\\cledx.exe"
"SiteAdvisor"="C:\\Archivos de programa\\SiteAdvisor\\6066\\SiteAdv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Suite"="regedit -s c:\\windows\\temp\\adj_hp.reg"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.fcbarcelona.es/imagenes/h...mpnouthumb.jpg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MI696F~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrnSys"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\hp print screen utility\\PrnSys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecuUFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="c:\\docume~1\\propie~1\\config~1\\temp\\secuufd.exe sys_auto_run C:\\DOCUME~1\\PROPIE~1\\CONFIG~1\\Temp\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee AntiSpyware.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-02 19:55:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-02 19:56:04
C:\ComboFix-quarantined-files.txt ... 2007-05-02 19:56
C:\ComboFix2.txt ... 2007-05-02 19:13
C:\ComboFix3.txt ... 2007-05-02 18:06







Thank you again!!
FJ
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-02-2007, 07:49 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,206
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Each time you run ComboFix, it overwrites the existing log, renames C:\ComboFix.txt to ComboFix2.txt, ComboFix2.txt becomes ComboFix3.txt, ComboFix3.txt is deleted.....now that you've run it so many times, the original log is gone....which would have shown me what was removed. All I wanted was the already existing logs.

From this output, it seems as though you ran ComboFix even before posting here?

C:\ComboFix3.txt ... 07-04-19 01:26


You've also been running ComboFix in safe mode for some reason.....ComboFix is designed to be best run in normal mode.....I can see there may be a language barrier, so if there is something you don't understand as we go forward.....please ask first, before doing anything.

It also appears your last HijackThis log was taken from Safe Mode.

I need a HijackThis log from Normal Mode, please.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-02-2007, 09:22 PM   #9 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Ok. Sorry for all inconvenients I'm causeing you.
I don't know almost anything about PC and this situation with viruses is getting nervous for me. Sorry, sorry...

I post you a new ComboFix and HijackThis on Normal Mode. I let you know I´ve run Ccleaner this afternoon:


****COMBOFIX******

"Propietario" - 2007-05-03 4:52:52 Service Pack 2
ComboFix 07-05.03.V - Running from: "C:\Documents and Settings\Propietario\Escritorio\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-03 to 2007-05-03 ))))))))))))))))))))))))))))))))))


2007-05-02 19:56 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Escritorio
2007-05-02 13:27 <DIR> d-------- C:\DOCUME~1\NETWOR~1\DATOSD~1\SiteAdvisor
2007-05-01 15:19 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-01 00:37 <DIR> d-------- C:\csscod
2007-04-30 18:03 <DIR> d-------- C:\DOCUME~1\PROPIE~1\.housecall6.6
2007-04-30 13:54 1,310,720 --ah----- C:\DOCUME~1\ADMINI~2\NTUSER.DAT
2007-04-30 13:54 <DIR> dr-h----- C:\DOCUME~1\ADMINI~2\Datos de programa
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Mis documentos
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Men£ Inicio
2007-04-30 13:54 <DIR> dr------- C:\DOCUME~1\ADMINI~2\Favoritos
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Plantillas
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Impresoras
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Entorno de red
2007-04-30 13:54 <DIR> d--h----- C:\DOCUME~1\ADMINI~2\Configuraci¢n local
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\WINDOWS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\Escritorio
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\VERITAS
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\Symantec
2007-04-30 13:54 <DIR> d-------- C:\DOCUME~1\ADMINI~2\DATOSD~1\InterTrust
2007-04-23 16:47 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 15:42 2,566,736 --a------ C:\Archivos de programa\spywareblastersetup351.exe
2007-04-23 15:42 <DIR> d-------- C:\Archivos de programa\SpywareBlaster
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Escritorio
2007-04-20 23:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DATOSD~1\SiteAdvisor
2007-04-20 23:30 <DIR> d-------- C:\Archivos de programa\SiteAdvisor
2007-04-20 23:28 1,418,608 --a------ C:\Archivos de programa\saSetup-SiteAdvisor McAfee.exe
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\PROPIE~1\DATOSD~1\SiteAdvisor
2007-04-20 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\SiteAdvisor
2007-04-20 18:48 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-04-15 01:13 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Native Instruments
2007-04-08 21:15 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Digidesign


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-03 01:22:31 -------- d-----w C:\Archivos de programa\CCleaner
2007-05-02 21:37:15 -------- d-----w C:\Archivos de programa\Cleaner 5 EZ
2007-05-01 10:55:06 -------- d-----w C:\Archivos de programa\Ares
2007-04-30 23:23:21 -------- d-----w C:\Archivos de programa\Total Video Converter
2007-04-27 11:00:43 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1.\MSN6
2007-04-25 22:52:30 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1.\SiteAdvisor
2007-04-25 01:22:43 -------- d-----w C:\Archivos de programa\QuickTime
2007-04-24 23:24:59 -------- d-----w C:\Archivos de programa\Soulseek
2007-04-19 13:15:07 -------- d-----w C:\Archivos de programa\foobar2000
2007-04-16 10:30:25 -------- d-----w C:\Archivos de programa\eMule
2007-04-10 10:46:42 -------- d-----w C:\Archivos de programa\Monkey's Audio
2007-03-30 08:04:53 -------- d-----w C:\Archivos de programa\SopCast
2007-03-26 14:48:46 71,610 ----a-w C:\WINDOWS\system32\perfc00A.dat
2007-03-26 14:48:46 446,582 ----a-w C:\WINDOWS\system32\perfh00A.dat
2007-03-24 00:58:19 -------- d-----w C:\Archivos de programa\Archivos comunes\Native Instruments
2007-03-23 17:26:52 -------- d-----w C:\Archivos de programa\Archivos comunes\Korg
2007-03-23 17:24:50 -------- d-----w C:\Archivos de programa\Syncrosoft
2007-03-23 16:56:03 -------- d-----w C:\Archivos de programa\RdDrv001
2007-03-17 13:45:06 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 20:01:46 -------- d-----w C:\Archivos de programa\MSXML 4.0
2007-03-08 16:08:16 -------- d-----w C:\Archivos de programa\SURPAC
2007-03-08 16:08:14 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-03-08 15:36:30 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:30 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:30 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:32:46 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-17 00:31:32 907,673 ----a-w C:\Archivos de programa\NewCDExt.exe
2007-02-05 20:18:39 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4efb-9B51-7695ECA05670}"="C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll"
"{089FD14D-132B-48FC-8861-0048AE113215}"="C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\ARCHIV~1\SPYBOT~1\SDHelper.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"TkBellExe"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"AdaptecDirectCD"="\"C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VSOCheckTask"="\"C:\\ARCHIV~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Archivos de programa\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Archivos de programa\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\ARCHIV~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\ARCHIV~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"_AntiSpyware"="c:\\archiv~1\\mcafee\\MCAFEE~1\\masalert.exe"
"Adobe Photo Downloader"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"SiteAdvisor"="C:\\Archivos de programa\\SiteAdvisor\\6066\\SiteAdv.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Suite"="regedit -s c:\\windows\\temp\\adj_hp.reg"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.fcbarcelona.es/imagenes/h...mpnouthumb.jpg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\ARCHIV~1\\MI696F~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrnSys Executable]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PrnSys"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\hp print screen utility\\PrnSys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecuUFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="c:\\docume~1\\propie~1\\config~1\\temp\\secuufd.exe sys_auto_run C:\\DOCUME~1\\PROPIE~1\\CONFIG~1\\Temp\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Archivos de programa\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee AntiSpyware.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-03 04:59:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-03 5:00:20
C:\ComboFix-quarantined-files.txt ... 2007-05-03 05:00
C:\ComboFix2.txt ... 2007-05-02 19:56
C:\ComboFix3.txt ... 2007-05-02 19:13

==============================================
==============================================


*******HIJACKTHIS***********


Logfile of HijackThis v1.99.1
Scan saved at 5:04:51, on 03/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\Explorer.EXE
c:\archiv~1\mcafee\mcafee antispyware\massrv.exe
c:\archivos de programa\mcafee.com\agent\mcdetect.exe
c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
c:\ARCHIV~1\mcafee.com\vso\OasClnt.exe
C:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe
c:\archivos de programa\mcafee.com\agent\mcagent.exe
c:\archiv~1\mcafee.com\vso\mcvsescn.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\rnathchk.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\archiv~1\mcafee\MCAFEE~1\masalert.exe
C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Propietario\Mis documentos\Nuevo Maletín\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\ARCHIV~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Archivos de programa\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Archivos de programa\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\archiv~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bi...datePortal.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/act...a/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32A997A7-3D6C-4FD1-B199-21207B14BDA8}: NameServer = 195.235.113.3,195.235.96.90
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Archivos de programa\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\archiv~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\archivos de programa\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\ARCHIV~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Programador de LiveUpdate automático - Unknown owner - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Archivos de programa\SiteAdvisor\6066\SAService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

================================
================================


I tell you one more thing: viruses infected "ndis.sys" file (c:\WINDOWS\system32\drivers). This infected file was in the same folder than "ndis non infected file" that was renamed as "ndis(2)". Finally I could delete this "ndis" infected file and I left "ndis-non infected file" in that folder...but I can not connect to internet. Is it possible this internet error connection was caused for that reason??.
Thanks again...and sorry again
FJ
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-02-2007, 09:54 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,206
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Hi FJ -

Please do not run ComboFix again, unless I specifically say to. All that does is remove the old logs at this point....it's not cleaning anything.

Let's see if we can get your internet connection back.

Download LSPFix.exe

Double click on LSPFix.exe to run it.

If there are any file names listed in the right-hand pane, please write them down and report them here. DO NOT DO ANYTHING ELSE with LSPFix until you report to me, and hear back from me.

Here's an image of the tool.

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 05-02-2007 at 09:55 PM.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-03-2007, 03:42 AM   #11 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Hi Tetonbob:

I run LSPFix.exe with this results:

Keep pane
========
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-03-2007, 03:54 AM   #12 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Hi Tetonbob:

I run LSPFix with these results:

Keep pane (left hand)
========

File Description
----- -----------

mswsock.dll TCpip
winrnr.dll NTDS
rsvpsp.dll (Protocol handler)


Remove pane (right hand)
==========

Empty (any file on it)

****************
*****************


I remember two days ago I deleted "hua.dll (Procotol handler)" from Keep pane manually because my antivirus McAfee told me this file was infected by PSW-LSP virus. I clicked on "I know what I'm doing" option.
Thanks TetonBob (don't worry I won't run ComboFix again until you say me I have to do it).
FRanciso Javier
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-03-2007, 06:42 AM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,206
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
So, you've already run LSPFix before on your own, and it removed an LSP hijacker, and you still have no internet....hmmm.

Run LSPFix, and just click on Finish. Then close LSPFix.

Then do this:

Go to Start > Run > then paste in this single line command & click OK:
netsh winsock reset catalog
Reboot your system.

Try internet again.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-03-2007, 08:56 AM   #14 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Hi Again...

I run LSPFix...clicked on finish and it was colosed.

Then, I went to "Star" (Inicio)> Run (Ejecutar) and pasted "netsh winsock reset catalog" on the command line...

Finally I rebooted my PC and...INTERNET DOESN´T WORK.

I don't know what can I do?.
Thanks for your patient.
FJ
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-03-2007, 04:13 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,206
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Download Winsock2Fix and extract it to your desktop.

Winsock2Fix is used to repair the LSP Chain on Windows XP computers.

When you run it, click on ReG-Backup button first to backup the registry, and then click on the Fix button.

Reboot your system.

Try your internet again.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-03-2007, 06:00 PM   #16 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Hi TetonBob:

I downloaded Winsock2Fix from my wife's PC and I recorded on CD-R and then I pasted on my desktop and I run from my desktop but I couldn´t make a Backup. Give me errors and for this reason I didn´t click on fix button.

I read on internet (from my wife's PC...) there is a Winsock XP Fix (specially for Windows XP...my system is "XP"): http://wwww.configurarequipos.com/de...sockxpfix.html.

I think that while Winsock2Fix give me backup errors I must not run it, don't you?.
FJ
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-03-2007, 06:17 PM   #17 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Cry Re: Trojan Pws-lsp & Spam-xarvester On My Pc
One more thing...

On my Net Connections Folder ONLY appears an old RDSI connection (with modem + telephone) and LAN or ADSL connection is absolutely missing and for this reason I can't configure a new ADSL connection.

I think told you that info on my previous messages...

One more time...excuse my bad english.
FJ
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-03-2007, 06:38 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,206
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
You could use this version of WinsockFix:

Download WinsockFix http://www.greyknight17.com/spy/WinsockFix.zip and unzip it. Then double click on WinsockFix.exe to run it.

But it seems like this is the critical thing:

Quote:
Originally Posted by fjfm View Post
One more thing...
On my Net Connections Folder ONLY appears an old RDSI connection (with modem + telephone) and LAN or ADSL connection is absolutely missing and for this reason I can't configure a new ADSL connection.

I think told you that info on my previous messages...

One more time...excuse my bad english.
FJ


First time you've mentioned this, I think, at least with those details.

Seems like you need to create a new connection, then.

Network Connections>Network Tasks>Create a new connection

Connect to the Internet> Set up my connection manually>connect using a broadband connection which is always on>Finish.

Follow the prompts.

You may need to contact your ISP for help in properly setting up your LAN/ADSL connection.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-04-2007, 07:24 PM   #19 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 16
OS: Windows XP Home Edition


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Heyyyyy TETONBOB!!!!!!!!!!!!!!!!!!

Thank you very much for all your helping!!!!!!!!.

My ADSL runs again!!!!!!!.

As I said you Trojans infected my PC and ndis file was infected, this Trojan created a new "ndis file" (274 Kb) and Renamed the original "Ndis file as "Ndis(2)(179 Kb)...well...When I deleted this infected file I renamed non infected file (Ndis2) as "ndis.sys" but this extension file was in it and really when I saw complete extension of this file it appears as "ndis.sys.sys" and for this reason my Ehernet adadpter not recognized it and my LAN/ADSL link was missing and my internet connection too.

Finally I resolved this problem thanks to my wife's cousin and my great friend...TetonBob (...from this great country called "USA"....)
Thanks again my friend
Fco.Javier (from Sevilla-SPAIN)
fjfm is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 05-04-2007, 07:58 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,206
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan Pws-lsp & Spam-xarvester On My Pc
Hola, Francisco Javier.

I'm glad you have your internet back now. I wish my Spanish were better, so we could have more clearly communicated.

I'm sorry I wasn't better able to understand the clue you dropped earlier about the ndis.sys file, and glad you figured it out.

It would be prudent to run one online scan, to see if anything is lurking.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Also, post a new HijackThis log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 09:56 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85