
Discussion Starter · #1 ·
Virii/malware on my PC?

Hello,

First of all, thank you in advance for your help.

Lately I'm having problems with my PC. It gets stuck (all windows frozen, I can just move the mouse pointer) very often.

I have followed the 5-step instructions and, again, I got stuck with Panda ActiveScan: after a few hours, when it was already 30% through and had found a few infected files, the system froze. I rebooted it, went into Windows in safe mode and tried again; another 4 hours and it got stuck again.

Oh, and I use ESET Smart Security as antivirus and firewall. (Panda finds infected files, but when I run my copy of NOD32 it doesn't.)

Thanks a lot again,

Sni

---

Deckard's System Scanner v20071014.68
Run by Labs on 2008-05-29 01:16:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
92: 2008-05-28 23:16:08 UTC - RP320 - Deckard's System Scanner Restore Point
91: 2008-05-28 15:00:31 UTC - RP319 - Software Distribution Service 3.0
90: 2008-05-28 01:55:46 UTC - RP318 - Punto de control del sistema
89: 2008-05-27 01:23:26 UTC - RP317 - Punto de control del sistema
88: 2008-05-26 00:54:19 UTC - RP316 - Manual


-- First Restore Point --
1: 2008-02-29 02:13:37 UTC - RP229 - Punto de control del sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-29 01:18:12
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\Eazy-Ware\ezSched.exe
C:\Archivos de programa\ESET\ESET Smart Security\egui.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\SmartSync Pro\SmartSync.exe
C:\Archivos de programa\Plaxo\3.12.0.48\PlaxoHelper_en.exe
C:\Archivos de programa\Plaxo\3.12.0.48\plaxosystray.exe
C:\Archivos de programa\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Logitech\SetPoint\SetPoint.exe
C:\Archivos de programa\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
C:\Archivos de programa\Photodex\ProShowProducer\scsiaccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Archivos de programa\Archivos comunes\Logitech\KhalShared\KHALMNPR.exe
C:\Archivos de programa\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Archivos de programa\Password Agent\PwAgent.exe
D:\DOWNLOAD\SECURITY\Deckard's System Scanner\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/webplayerdemo/en?rcv=1&dist=divxdotcom
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Archivos de programa\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Archivos de programa\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Archivos de programa\Google\GoogleToolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Archivos de programa\Google\GoogleToolbar1.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Archivos de programa\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Archivos de programa\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Archivos de programa\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EazyScheduler] C:\Archivos De Programa\Eazy-Ware\ezSched.exe
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnceEx: [Register Homesite+.exe] "C:\Archivos de programa\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER
O4 - HKCU\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE /FU "C:\WINDOWS\TEMP\E_S168.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SmartSync Pro] "C:\Archivos de programa\SmartSync Pro\SmartSync.exe" /Logon
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Archivos de programa\Plaxo\3.12.0.48\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Archivos de programa\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Archivos de programa\Plaxo\3.12.0.48\PlaxoSysTray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Archivos de programa\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Archivos de programa\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Archivos de programa\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Inicio rápido de Microsoft Office OneNote 2003.lnk = C:\Archivos de programa\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Archivos de programa\Archivos comunes\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Archivos de programa\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Archivos de programa\Archivos comunes\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Unknown owner - C:\Archivos de programa\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Archivos de programa\Photodex\ProShowProducer\scsiaccess.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe


--
End of file - 15314 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Archivos de programa\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Archivos de programa\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>
R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>

S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 QCMerced (Logitech QuickCam Communicate) - c:\windows\system32\drivers\lvcm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Adobe Version Cue CS2 - "c:\archivos de programa\adobe\adobe version cue cs2\bin\versioncuecs2.exe" -win32service <Not Verified; Adobe Systems Incorporated; Adobe Version Cue CS2>
R2 Apple Mobile Device - "c:\archivos de programa\archivos comunes\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\archivos de programa\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
R2 ScsiAccess - c:\archivos de programa\photodex\proshowproducer\scsiaccess.exe
R3 FLEXnet Licensing Service - "c:\archivos de programa\archivos comunes\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S3 NBService - c:\archivos de programa\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-22 12:21:00 298 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 01:08:07 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 01:08:06 0 d-------- C:\WINDOWS\LastGood
2008-05-28 14:53:24 0 d-------- C:\Archivos de programa\Panda Security
2008-05-20 12:43:52 0 d-------- C:\Archivos de programa\SDL International
2008-05-20 12:14:29 0 d-------- C:\Archivos de programa\KLC
2008-05-19 02:14:07 10375168 --a------ C:\Documents and Settings\Labs\ntuser.dat
2008-05-18 00:45:26 0 d-------- C:\Archivos de programa\Archivos comunes\ACD Systems
2008-05-18 00:45:26 0 d-------- C:\Archivos de programa\ACD Systems


-- Find3M Report ---------------------------------------------------------------

2008-05-29 00:50:00 0 d-------- C:\Documents and Settings\Labs\Datos de programa\Skype
2008-05-28 23:40:49 0 d-------- C:\Documents and Settings\Labs\Datos de programa\WTablet
2008-05-28 23:40:27 0 d-------- C:\Archivos de programa\Plaxo
2008-05-28 20:41:50 0 d-------- C:\Archivos de programa\SmartSync Pro
2008-05-28 18:10:24 0 d-------- C:\Documents and Settings\Labs\Datos de programa\Canon
2008-05-25 00:57:59 0 d-------- C:\Archivos de programa\AnyCount 6.0
2008-05-24 19:10:17 54 ---h----- C:\WINDOWS\system32\anLabs.sys
2008-05-23 13:16:56 473036 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-05-23 13:16:56 84278 --a------ C:\WINDOWS\system32\perfc00A.dat
2008-05-20 12:53:37 0 d-------- C:\Documents and Settings\Labs\Datos de programa\SDL International
2008-05-20 12:47:23 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2008-05-20 12:42:02 0 d-------- C:\Archivos de programa\Java
2008-05-18 00:46:08 0 d-------- C:\Documents and Settings\Labs\Datos de programa\ACD Systems
2008-05-18 00:45:26 0 d-------- C:\Archivos de programa\Archivos comunes
2008-05-17 15:11:31 0 d-------- C:\Documents and Settings\Labs\Datos de programa\Mozilla
2008-05-08 10:39:43 0 d-------- C:\Archivos de programa\Archivos comunes\Nikon
2008-05-02 21:28:14 0 d-------- C:\Documents and Settings\Labs\Datos de programa\Adobe
2008-05-01 00:46:09 0 d-------- C:\Archivos de programa\iTunes
2008-04-26 23:24:55 0 d-------- C:\Archivos de programa\Tablet
2008-04-26 21:38:14 0 d-------- C:\Archivos de programa\TabletPen
2008-04-21 19:42:26 0 d-------- C:\Archivos de programa\Investintech.com Inc
2008-04-17 19:08:01 0 d-------- C:\Archivos de programa\Apple Software Update
2008-04-16 16:29:51 0 d-------- C:\Archivos de programa\iPod
2008-04-16 16:28:57 0 d-------- C:\Archivos de programa\QuickTime
2008-04-16 16:25:54 0 d-------- C:\Archivos de programa\Safari


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [07/12/2005 22:57]
"LanguageShortcut"="C:\Archivos de programa\CyberLink\PowerDVD\Language\Language.exe" [13/04/2006 11:09]
"SoundMan"="SOUNDMAN.EXE" [02/03/2006 07:22 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/08/2006 21:43]
"nwiz"="nwiz.exe" [11/08/2006 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/08/2006 21:43]
"Adobe Version Cue CS2"="C:\Archivos de programa\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04/04/2005 18:58]
"Acrobat Assistant 8.0"="C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [22/10/2006 23:24]
"@"="" []
"NWEReboot"="" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/04/2007 15:32 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/03/2007 15:57]
"EazyScheduler"="C:\Archivos De Programa\Eazy-Ware\ezSched.exe" [08/02/2007 13:46]
"egui"="C:\Archivos de programa\ESET\ESET Smart Security\egui.exe" [29/02/2008 15:54]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Archivos de programa\iTunes\iTunesHelper.exe" [30/03/2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.exe" [16/01/2007 05:00]
"Skype"="C:\Archivos de programa\Skype\Phone\Skype.exe" [01/02/2008 18:22]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/03/2006 14:00]
"SmartSync Pro"="C:\Archivos de programa\SmartSync Pro\SmartSync.exe" [31/01/2007 13:07]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [24/06/2007 18:29]
"PlaxoUpdate"="C:\Archivos de programa\Plaxo\3.12.0.48\PlaxoHelper_en.exe" [06/05/2008 11:12]
"TomTomHOME.exe"="C:\Archivos de programa\TomTom HOME 2\HOMERunner.exe" [06/05/2008 10:42]
"PlaxoSysTray"="C:\Archivos de programa\Plaxo\3.12.0.48\PlaxoSysTray.exe" [06/05/2008 11:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Archivos de programa\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

C:\Documents and Settings\Labs\Menú Inicio\Programas\Inicio\
Adobe Gamma.lnk - C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 20:16:50]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [07/05/2007 18:25:41]
Adobe Acrobat Synchronizer.lnk - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [23/10/2006 0:01:50]
ColorVisionStartup.lnk - C:\Archivos de programa\ColorVision\Utility\ColorVisionStartup.exe [31/01/2006 17:48:52]
Inicio rápido de Microsoft Office OneNote 2003.lnk - C:\Archivos de programa\Microsoft Office\OFFICE11\ONENOTEM.EXE [06/08/2003 21:23:32]
Logitech SetPoint.lnk - C:\Archivos de programa\Logitech\SetPoint\SetPoint.exe [29/09/2007 14:32:58]
NkbMonitor.exe.lnk - C:\Archivos de programa\Nikon\PictureProject\NkbMonitor.exe [07/05/2007 23:42:34]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e95da29-d400-11dc-ba94-00e04d048101}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cc00dba-ec72-11dc-baaa-00e04d048101}]
- msnmsgr_plus.exe




-- End of Deckard's System Scanner: finished at 2008-05-29 01:18:39 ------------

Discussion Starter · #2 ·
Re: Virii/malware on my PC?

Hi,

I think I was finally able to fix the malware with Ad-Aware. If you don't see anything else I should worry about in the Deckard's report, please delete this post.

And thanks a lot.

Sni

Discussion Starter · #3 ·
Hi,

I'm sorry. I thought I had solved my problem with Ad-Aware, but it is still there. So since I hadn't received help yet, I'll just copy my previous post.

Thanks!

Sni

O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SmartSync Pro] "C:\Archivos de programa\SmartSync Pro\SmartSync.exe" /Logon
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Archivos de programa\Plaxo\3.12.0.48\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Archivos de programa\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Archivos de programa\Plaxo\3.12.0.48\PlaxoSysTray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Archivos de programa\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Archivos de programa\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Archivos de programa\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Inicio rápido de Microsoft Office OneNote 2003.lnk = C:\Archivos de programa\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Archivos de programa\Archivos comunes\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Archivos de programa\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Archivos de programa\Archivos comunes\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Unknown owner - C:\Archivos de programa\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Archivos de programa\Photodex\ProShowProducer\scsiaccess.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe


--
End of file - 15314 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Archivos de programa\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Archivos de programa\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>
R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>

S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 QCMerced (Logitech QuickCam Communicate) - c:\windows\system32\drivers\lvcm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Adobe Version Cue CS2 - "c:\archivos de programa\adobe\adobe version cue cs2\bin\versioncuecs2.exe" -win32service <Not Verified; Adobe Systems Incorporated; Adobe Version Cue CS2>
R2 Apple Mobile Device - "c:\archivos de programa\archivos comunes\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\archivos de programa\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
R2 ScsiAccess - c:\archivos de programa\photodex\proshowproducer\scsiaccess.exe
R3 FLEXnet Licensing Service - "c:\archivos de programa\archivos comunes\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S3 NBService - c:\archivos de programa\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-22 12:21:00 298 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 01:08:07 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 01:08:06 0 d-------- C:\WINDOWS\LastGood
2008-05-28 14:53:24 0 d-------- C:\Archivos de programa\Panda Security
2008-05-20 12:43:52 0 d-------- C:\Archivos de programa\SDL International
2008-05-20 12:14:29 0 d-------- C:\Archivos de programa\KLC
2008-05-19 02:14:07 10375168 --a------ C:\Documents and Settings\Labs\ntuser.dat
2008-05-18 00:45:26 0 d-------- C:\Archivos de programa\Archivos comunes\ACD Systems
2008-05-18 00:45:26 0 d-------- C:\Archivos de programa\ACD Systems


-- Find3M Report ---------------------------------------------------------------

2008-05-29 00:50:00 0 d-------- C:\Documents and Settings\Labs\Datos de programa\Skype
2008-05-28 23:40:49 0 d-------- C:\Documents and Settings\Labs\Datos de programa\WTablet
2008-05-28 23:40:27 0 d-------- C:\Archivos de programa\Plaxo
2008-05-28 20:41:50 0 d-------- C:\Archivos de programa\SmartSync Pro
2008-05-28 18:10:24 0 d-------- C:\Documents and Settings\Labs\Datos de programa\Canon
2008-05-25 00:57:59 0 d-------- C:\Archivos de programa\AnyCount 6.0
2008-05-24 19:10:17 54 ---h----- C:\WINDOWS\system32\anLabs.sys
2008-05-23 13:16:56 473036 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-05-23 13:16:56 84278 --a------ C:\WINDOWS\system32\perfc00A.dat
2008-05-20 12:53:37 0 d-------- C:\Documents and Settings\Labs\Datos de programa\SDL International
2008-05-20 12:47:23 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2008-05-20 12:42:02 0 d-------- C:\Archivos de programa\Java
2008-05-18 00:46:08 0 d-------- C:\Documents and Settings\Labs\Datos de programa\ACD Systems
2008-05-18 00:45:26 0 d-------- C:\Archivos de programa\Archivos comunes
2008-05-17 15:11:31 0 d-------- C:\Documents and Settings\Labs\Datos de programa\Mozilla
2008-05-08 10:39:43 0 d-------- C:\Archivos de programa\Archivos comunes\Nikon
2008-05-02 21:28:14 0 d-------- C:\Documents and Settings\Labs\Datos de programa\Adobe
2008-05-01 00:46:09 0 d-------- C:\Archivos de programa\iTunes
2008-04-26 23:24:55 0 d-------- C:\Archivos de programa\Tablet
2008-04-26 21:38:14 0 d-------- C:\Archivos de programa\TabletPen
2008-04-21 19:42:26 0 d-------- C:\Archivos de programa\Investintech.com Inc
2008-04-17 19:08:01 0 d-------- C:\Archivos de programa\Apple Software Update
2008-04-16 16:29:51 0 d-------- C:\Archivos de programa\iPod
2008-04-16 16:28:57 0 d-------- C:\Archivos de programa\QuickTime
2008-04-16 16:25:54 0 d-------- C:\Archivos de programa\Safari


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [07/12/2005 22:57]
"LanguageShortcut"="C:\Archivos de programa\CyberLink\PowerDVD\Language\Language.exe" [13/04/2006 11:09]
"SoundMan"="SOUNDMAN.EXE" [02/03/2006 07:22 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/08/2006 21:43]
"nwiz"="nwiz.exe" [11/08/2006 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/08/2006 21:43]
"Adobe Version Cue CS2"="C:\Archivos de programa\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04/04/2005 18:58]
"Acrobat Assistant 8.0"="C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [22/10/2006 23:24]
"@"="" []
"NWEReboot"="" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/04/2007 15:32 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/03/2007 15:57]
"EazyScheduler"="C:\Archivos De Programa\Eazy-Ware\ezSched.exe" [08/02/2007 13:46]
"egui"="C:\Archivos de programa\ESET\ESET Smart Security\egui.exe" [29/02/2008 15:54]
"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Archivos de programa\iTunes\iTunesHelper.exe" [30/03/2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.exe" [16/01/2007 05:00]
"Skype"="C:\Archivos de programa\Skype\Phone\Skype.exe" [01/02/2008 18:22]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/03/2006 14:00]
"SmartSync Pro"="C:\Archivos de programa\SmartSync Pro\SmartSync.exe" [31/01/2007 13:07]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [24/06/2007 18:29]
"PlaxoUpdate"="C:\Archivos de programa\Plaxo\3.12.0.48\PlaxoHelper_en.exe" [06/05/2008 11:12]
"TomTomHOME.exe"="C:\Archivos de programa\TomTom HOME 2\HOMERunner.exe" [06/05/2008 10:42]
"PlaxoSysTray"="C:\Archivos de programa\Plaxo\3.12.0.48\PlaxoSysTray.exe" [06/05/2008 11:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Archivos de programa\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

C:\Documents and Settings\Labs\Menú Inicio\Programas\Inicio\
Adobe Gamma.lnk - C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 20:16:50]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [07/05/2007 18:25:41]
Adobe Acrobat Synchronizer.lnk - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [23/10/2006 0:01:50]
ColorVisionStartup.lnk - C:\Archivos de programa\ColorVision\Utility\ColorVisionStartup.exe [31/01/2006 17:48:52]
Inicio rápido de Microsoft Office OneNote 2003.lnk - C:\Archivos de programa\Microsoft Office\OFFICE11\ONENOTEM.EXE [06/08/2003 21:23:32]
Logitech SetPoint.lnk - C:\Archivos de programa\Logitech\SetPoint\SetPoint.exe [29/09/2007 14:32:58]
NkbMonitor.exe.lnk - C:\Archivos de programa\Nikon\PictureProject\NkbMonitor.exe [07/05/2007 23:42:34]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e95da29-d400-11dc-ba94-00e04d048101}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cc00dba-ec72-11dc-baaa-00e04d048101}]
- msnmsgr_plus.exe




-- End of Deckard's System Scanner: finished at 2008-05-29 01:18:39 ------------
 

· TSF Security Manager, Emeritus
42,952 Posts
Hello Sni,

I think I was finally able to fix the malware with Ad-Aware.
I'm not seeing anything that would cause the issue you've described. What did Ad-Aware find?
 

· Registered
9 Posts
Discussion Starter · #5 ·
Hello Sni,

I'm not seeing anything that would cause the issue you've described. What did Ad-Aware find?
Hi Ried,

I have run the online Panda ActiveScan 2.0 a few times. At a certain point (maybe 30% through and after finding a couple of infected files), the computer freezes. I have to reboot. I have even tried doing so from Windows in safe mode to no avail. (I have even paid for the registered version of ActiveScan 2.0).

When I run Ad-Aware 2008 Pro, it cleans a few things and then tells me that there are a couple of files it cannot clean until I reboot. I reboot but it seems that the program cannot kill the two infected files. If I go to Statistics > General Statistics, I see "Total infections quarantined: 2". But I don't see the names of these two files nor their location. I have tried to find a log file from Ad-Aware with this info, but cannot.

Something else: NOD32 (Eset Smart Security) doesn't find anything special. And I don't remember where exactly, looking at different info from the system, I found something related to a file called "Win32 Backdoor RBot". Probably through MSConfig?

The fact is that every now and then (4 or 5 times a day at least) the system completely freezes.

Thanks in advance for your help!
 

· TSF Security Manager, Emeritus
42,952 Posts
If it were an entry in the msconfig, I'd have seen it in the main.txt. Perhaps it was found in your System Volume Information - which would be where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

A few things I'd like you to do:

Open notepad and copy/paste the entire text inside the quote box below: (don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e95da29-d400-11dc-ba94-00e04d048101}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cc00dba-ec72-11dc-baaa-00e04d048101}]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:


Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

See if you can get this online scanner to complete for you. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs!
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

If the system still freezes....


This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I do not want it to clean--for now, I only want to see a Report of what it finds.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
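The delete.reg step above, done from the log instead of by hand: an added Python example, not code from this thread or from Deckard's System Scanner, HijackThis or any other tool named here. It assumes the line formats quoted in the thread (the "Registry Dump" key lines and the R3/O2/O3/O21 entries), and SAMPLE_LOG is constructed from lines quoted on this page; the "(no file)" listing goes one step beyond the post by also surfacing orphaned add-on registrations as cleanup candidates.

```python
"""Triage helper for a Deckard's System Scanner / HijackThis-style log.

Added example, not part of the forum thread or of any tool's own code.
It pulls the MountPoints2 keys (the per-volume records Windows keeps for
removable drives, including any autorun command) out of the "Registry Dump"
section and renders the REGEDIT4 file that deletes them, the same file the
helper pasted by hand. It also lists add-on registrations flagged "(no file)".
"""
import re

# Constructed sample: lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Archivos de programa\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - (no file)

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e95da29-d400-11dc-ba94-00e04d048101}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cc00dba-ec72-11dc-baaa-00e04d048101}]
- msnmsgr_plus.exe

-- End of Deckard's System Scanner: finished at 2008-05-29 01:18:39 ------------
"""

# A MountPoints2 key line: "[HKEY_CURRENT_USER\...\mountpoints2\{GUID}]"
MOUNTPOINT_KEY = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]{36}\})\]$",
    re.IGNORECASE,
)

# HijackThis-style entries whose registered DLL/handler no longer exists.
ORPHAN = re.compile(
    r"^(R3|O2|O3|O21) - (.*?) - (\{[0-9A-Fa-f-]{36}\}) - \(no file\)$"
)


def find_mountpoints2_keys(log_text):
    """Return {key_path: [values listed under it]} for each MountPoints2 key.

    The scanner prints a key header, then any notable values as "- value"
    lines, then a blank line; the blank line closes the current key.
    """
    found = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MOUNTPOINT_KEY.match(line)
        if m:
            current = m.group(1)
            found[current] = []
        elif current and line.startswith("- "):
            found[current].append(line[2:])
        elif not line:
            current = None
    return found


def build_delete_reg(keys):
    """Render REGEDIT4 text that deletes each key ("[-KEY]" means delete).

    .reg files are CRLF-terminated and end with a blank line, so join on
    "\\r\\n" and leave a trailing empty element.
    """
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines.append("[-" + key + "]")
        lines.append("")
    return "\r\n".join(lines)


def find_orphan_entries(log_text):
    """Return (section, name, clsid) for registrations whose file is gone."""
    orphans = []
    for raw in log_text.splitlines():
        m = ORPHAN.match(raw.strip())
        if m:
            orphans.append((m.group(1), m.group(2), m.group(3)))
    return orphans


def triage(log_text):
    """Summarise a log: MountPoints2 keys to clear plus orphaned add-ons."""
    keys = find_mountpoints2_keys(log_text)
    return {
        "mountpoints2": keys,
        "delete_reg": build_delete_reg(list(keys)),
        "orphans": find_orphan_entries(log_text),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, values in result["mountpoints2"].items():
        print(key, "->", values or "(no value listed)")
    for section, name, clsid in result["orphans"]:
        print(f"{section} {name} {clsid}: registered but file missing")
    print(result["delete_reg"])
```

Writing `result["delete_reg"]` to delete.reg and merging it reproduces the post's step; the orphan list is only a review aid, not something the post asked to remove.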
 

· Registered
9 Posts
Discussion Starter · #7 ·
Hello Ried,

I apologize for the delay, but I live in GMT+1.

The Kaspersky online scan was successful, i.e., the PC didn't freeze during the scan. Please find attached the results. I hope they are useful.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 31, 2008 7:01:08 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 815499
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 325954
Number of viruses found: 1
Number of infected objects: 45
Number of suspicious objects: 0
Duration of the scan process: 06:50:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Datos de programa\ESET\ESET Smart Security\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\ESET\ESET Smart Security\Logs\epfwlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\ESET\ESET Smart Security\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\ESET\ESET Smart Security\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Laks\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Laks\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Laks\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Laks\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Laks\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Laks\Configuración local\Historial\History.IE5\MSHist012008053020080531\index.dat Object is locked skipped
C:\Documents and Settings\Laks\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Laks\ntuser.dat Object is locked skipped
C:\Documents and Settings\Laks\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{722B7C1C-52F1-46CF-90E5-9BAA9BDC96EE}\RP322\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0006 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0007 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0008 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0009 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0010 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0011 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip ZIP: infected - 7 skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0006 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0007 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0008 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0009 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0010 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0011 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE Inno: infected - 6 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0006 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0007 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0008 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0009 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0010 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0011 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip ZIP: infected - 7 skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0006 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0007 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0008 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0009 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0010 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0011 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE Inno: infected - 6 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0006 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0007 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0008 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0009 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0010 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0011 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip ZIP: infected - 7 skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0006 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0007 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0008 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0009 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0010 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0011 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
G:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE Inno: infected - 6 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
 

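The scan log above is the raw output a practitioner has to turn into a delete list: every nested member of an archive gets its own "Infected:" line, so one adware-bundled installer produces a dozen hits, while "Object is locked" lines are not detections at all. The following is an added example, not code from the thread or from Kaspersky, that parses lines in that format, folds archive members back to the file that actually sits on disk (the part of the path before the first "/"), separates "not-a-virus:" riskware from real malware, and counts the locked objects separately. The sample log is constructed for the example from a subset of the lines above; the `E:\DOWNLOAD\example\dropper.exe` line and its `Trojan.Win32.Example.x` detection name are invented to show a non-riskware hit, and the exact line grammar is an assumption inferred from the log in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the format of the Kaspersky scan log quoted above.
# The first nine lines are copied from that log; the last line is invented
# (hypothetical file and detection name) to show a non-"not-a-virus" hit.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0006 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip ZIP: infected - 7 skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE/data0006 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE Inno: infected - 6 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip/SETUP.EXE/data0007 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
E:\DOWNLOAD\example\dropper.exe Infected: Trojan.Win32.Example.x skipped
"""

# Line grammar assumed from the log above: "<path> <status> skipped", where
# <status> is "Object is locked", "Infected: <name>" or "<Container>: infected - <n>".
# The path is matched non-greedily so that spaces inside folder names survive.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<detection>\S+)"
    r"|(?P<container>\w+): infected - (?P<count>\d+))"
    r" skipped$"
)


@dataclass(frozen=True)
class ScanEntry:
    path: str                   # object path exactly as the scanner printed it
    on_disk: str                # the file that can actually be deleted
    status: str                 # "locked", "infected" or "container"
    detection: Optional[str] = None


def on_disk_path(obj_path: str) -> str:
    """Kaspersky nests archive members with '/', while on-disk paths use '\\'.
    Everything after the first '/' lives inside an archive, so strip it."""
    return obj_path.split("/", 1)[0]


def parse_scan_log(text: str) -> List[ScanEntry]:
    """Parse scanner output lines; lines that are not object reports are ignored."""
    entries: List[ScanEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue  # e.g. "Scan process completed." or a blank line
        path = m.group("path")
        if m.group("locked"):
            entries.append(ScanEntry(path, on_disk_path(path), "locked"))
        elif m.group("detection"):
            entries.append(ScanEntry(path, on_disk_path(path), "infected", m.group("detection")))
        else:
            entries.append(ScanEntry(path, on_disk_path(path), "container"))
    return entries


def is_riskware(detection: str) -> bool:
    """Kaspersky prefixes adware/riskware verdicts with 'not-a-virus:'."""
    return detection.startswith("not-a-virus:")


def files_to_delete(entries: List[ScanEntry]) -> Dict[str, Set[str]]:
    """Map each on-disk file carrying at least one detection to its detection names.
    A dozen archive-member hits collapse to the one archive you can delete."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.status == "infected" and e.detection:
            hits[e.on_disk].add(e.detection)
    return dict(hits)


def summarize(entries: List[ScanEntry]) -> dict:
    """Split flagged files into riskware-only and real malware; count locked objects,
    which are access errors (files in use), not infections."""
    hits = files_to_delete(entries)
    riskware = sorted(p for p, d in hits.items() if all(is_riskware(x) for x in d))
    malware = sorted(p for p, d in hits.items() if any(not is_riskware(x) for x in d))
    locked = sum(1 for e in entries if e.status == "locked")
    return {"riskware_only": riskware, "malware": malware, "locked_objects": locked}


if __name__ == "__main__":
    report = summarize(parse_scan_log(SAMPLE_LOG))
    print("Riskware/adware only (safe to delete, low urgency):")
    for p in report["riskware_only"]:
        print("  ", p)
    print("Real malware (investigate before assuming the box is clean):")
    for p in report["malware"]:
        print("  ", p)
    print("Locked objects skipped (not detections):", report["locked_objects"])
```

Run against the full log from the thread, the riskware list reduces to the six files Ried asks for below (one zip and one extracted SETUP.EXE on each of D:, E: and G:), and the "locked" WBEM repository and System Volume Information entries drop out as non-findings.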
· TSF Security Manager, Emeritus
Hello sni. No worries about the delay due to time zone differences. :smile:

Using 'My Computer', navigate to and delete the following Files (Right click and select 'Delete'):

D:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip
D:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE

E:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip
E:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE

G:\DOWNLOAD\UTILITIES\SBW Website Capture\sbwcc22.zip
G:\DOWNLOAD\UTILITIES\SBW Website Capture\SETUP.EXE


How is the system behaving now?
 

· Registered
Discussion Starter · #9 ·
Hi Ried,

Thank you for your quick reply.

No need to delete anything from the registry? You don't want me to run the aggressive Dr. Web CureIt (without cleaning anything) just to make sure Kaspersky is not missing something?

Sni
 

· TSF Security Manager, Emeritus
How is the system behaving? I don't think your issues are malware related, but go ahead and run Dr Web. Let's see if it picks up anything else.
 

· Registered
Discussion Starter · #11 ·
How is the system behaving? I don't think your issues are malware related, but go ahead and run Dr Web. Let's see if it picks up anything else.
Hi,

The system is behaving perfectly now. Thanks a lot for your great help. Do you mind if we keep this thread open one more day just in case?

By the way... do you know what kind of threat the files I deleted were posing? Why didn't NOD32 (now ESET Smart Security) spot it? Do you recommend I subscribe to Ad-Aware or some other similar software and use it in parallel with NOD32? If I use Ad-Watch, it keeps asking me what to do with dozens of processes (block or ignore). And I don't know how to answer, because I don't have the least idea of what they do.

Thanks a lot again,

Sni
 

· TSF Security Manager, Emeritus
Hi sni,

Those files I had you delete did not pose a serious threat:

Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
See this link for a description --> http://www.emsisoft.com/en/malware/?Adware.Win32.Aureate

No problem keeping the thread open for another day or so. :sayyes:


In the meantime, to help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Do you recommend I subscribe to Ad-Aware or some other similar software and use it in parallel with NOD32?
Spybot - Search & Destroy 1.5 may be more to your liking:

After you download and install Spybot S&D, run Spybot and click on the 'Search for Updates' button. Install any updates that are available.
  • Now click Mode menu and choose 'Advanced Mode'.
  • Click on Immunize to your left.
  • Next, click the Immunize button on top to Immunize your computer - you need to do this each time there is an update.
  • Click 'Check for Problems' and fix all the entries, which are indicated in RED.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly post back in a day or so and let me know if we may consider this thread resolved.
 

· Registered
Discussion Starter · #13 ·
Hi Ried,

Thank you very very much for your great help. I really appreciate it!

Can I still bother you with another couple of questions?

Infected: not-a-virus:AdWare.Win32.Aureate.a skipped

If this was not a virus, what was it? Does it still make sense this is what was making everything freeze in my PC?

Spybot - Search & Destroy 1.5 may be more to your liking:

Why do you say this may be more to my liking? Because it runs in the background without asking me to take action every 2 seconds?

And last but not least, do I need all the free software you are recommending in spite of the fact that I'm using NOD32? Are there any non-free versions you would recommend?

Thanks again!

Daniel
 

· TSF Security Manager, Emeritus
Hi Daniel,

Spybot S&D does have active protection as well, referred to as 'TeaTimer'. I found the alerts more detailed, hence easier to decide what to do.


Infected: not-a-virus:AdWare.Win32.Aureate.a skipped

If this was not a virus, what was it? Does it still make sense this is what was making everything freeze in my PC?
It was Adware. Refer to the link I gave you earlier --> http://www.emsisoft.com/en/malware/?Adware.Win32.Aureate. It explains what Adware is.


It's never a good idea to have more than 1 AV and 1 third-party Firewall installed as they will conflict with one another and can cause system hangs and instability. However, you want to set up a multi-layered level of protection for your system. Anti Malware programs are quite different from Anti Virus and Firewall programs.

AVs and Firewalls aren't meant (and probably won't, at least for the present time) to block out bad sites. Nor is a firewall going to automatically block malware. It's preconfigured with some default settings and everything else is left up to the user. So if a user allows malware (say, a trojan) to access the internet, the firewall will give it access. A firewall is only good if the user uses it wisely, hence the recommendations I gave you in my last reply.

All these programs do different things. I'm sure some of them may have features that are similar and may even "overlap" in a way. But for the most part, they will only have a "piece" of what other programs can do completely. For example, IE-Spyad is used to block cookies from malware related sites. IE-Spyad will also block out some bad ActiveX controls, but SpywareBlaster probably does a more thorough job in this since it's focused in that area only.

Spyware Blaster focuses on bad ActiveX controls that try to download on your computer. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database, and list of restricted sites--after you've installed it, launch the program and click on each of the tabs on the main display page.
 

· Registered
Discussion Starter · #15 ·
Hi Daniel,

Spybot S&D does have active protection as well - referred to as 'TeaTimer'. I found the alerts more detailed hence, easier to decide what to do.


It was Adware. Refer to the link I gave you earlier --> http://www.emsisoft.com/en/malware/?Adware.Win32.Aureate. It explains what Adware is.

Hi Ried,

I read the info provided in the link, but found it a bit ambiguous. It doesn't say what it does exactly. I mean, it doesn't say if Adware.Win32.Aureate is a HiJacker, Spyware or what. And it doesn't explain how it creeps into the PC. And I don't see any relationship between the adware and the fact that the PC was freezing a few times a day.

By the way... do you recommend A-Squared as an anti-malware better than the other ones?

Thanks a lot again,:pray:

Daniel
 

· TSF Security Manager, Emeritus
Here's a better description, courtesy of Google. :wink:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-092116-5254-99
Adware.Aureate is an advertising program that displays banner ads and sends user information to a central server at adsoftware.com. At the time of this writing, the server at adsoftware.com was not functioning.

Aureate is installed with shareware and freeware programs.
Malware can affect each computer in a different fashion. Your case wasn't so cut and dry that I could say 'yes--this is what did it'. Temp and Temp Internet files were cleaned when you ran dss.exe. We also took out some registry entries and those adware infected files, so it could have been any one of those things, or a combination thereof.

As far as recommending any paid programs, I'm sorry but I cannot endorse any in particular. You may want to inquire in the General Computer Security section of this forum where other users can share their opinions with you. :smile:
 