Infected by Nuqel.E, BankerFox.A, unlimited pop-ups


Post by Sanddj on Wed Feb 17, 2010 10:57 pm

Hi,

I have a computer infected by Win32/Nuqel.E and BankerFox.A, and I see unlimited pop-ups, being interrupted while browsing by alert windows...

I can download programs, but they cannot be run or installed (I've tried).

I can't open My Computer or run any program without reading "The file wscntfy.exe is infected" and other similar messages.

I can't find any of the virus files I'm supposed to be infected with (I searched the internet for a solution before discovering GeekPolice).

It seems nothing runs :sad:

What can I do? Thanks a lot.

Sanddj
Novice
Novice

Posts Posts : 25
Joined Joined : 2010-02-17
OS OS : Windows XP updated to SP3
Points Points : 25153
# Likes # Likes : 0


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Wed Feb 17, 2010 10:59 pm

Hello.

Please download Ice Sword from [You must be registered and logged in to see this link.]

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword open?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Wed Feb 17, 2010 11:07 pm

Belahzur wrote: Hello.

3. Will IceSword open?

Yes, I could open it.

What do I have to do now?


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Thu Feb 18, 2010 12:35 am

The rest will be tomorrow (it's 02:00 and I'm going to bed). I'll come back ready to follow the next instructions.

Thanks.


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Fri Feb 19, 2010 12:11 am

Hello.

  • Now, on the left hand side tool, hit the Process button at the top of the list.
  • Just above the list, there is a log button, press that and save the log to your Desktop.
  • Next, hit the Startup on the left side list.
  • Press the log button again.
  • Post the two logs in your next reply.





Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Fri Feb 19, 2010 12:31 am

Process:

System Idle Process
System
C:\Archivos de programa\DellTPad\ApntEx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\stacsv.exe
C:\Archivos de programa\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Sigmatel\C-Major Audio\WDM\stsystra.exe
C:\Archivos de programa\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Archivos de programa\DellTPad\ApMsgFwd.exe
C:\Archivos de programa\Intel\Wireless\Bin\iFrmewrk.exe
C:\Archivos de programa\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Archivos de programa\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\WINDOWS\system32\smss.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Archivos de programa\Digital Line Detect\DLG.exe
C:\Archivos de programa\Launchy\Launchy.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Archivos de programa\OpenOffice.org 2.3\program\soffice.bin
C:\Archivos de programa\OpenOffice.org 2.3\program\soffice.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\DellTPad\hidfind.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\Archivos de programa\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Archivos de programa\Intel\Wireless\Bin\WLKEEPER.exe
C:\Archivos de programa\Canon\CAL\CALMAIN.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Archivos de programa\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Archivos de programa\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Unique\Escritorio\IceSword122en\IceSword.exe


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Fri Feb 19, 2010 12:32 am

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Apoint
C:\Archivos de programa\DellTPad\Apoint.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /installquiet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVHotkey
rundll32.exe nvHotkey.dll,Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SigmatelSysTrayApp
%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelZeroConfig
"C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelWireless
"C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WavXMgr
C:\Archivos de programa\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecureUpgrade
C:\Archivos de programa\Wave Systems Corp\SecureUpgrade.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KADxMain
C:\WINDOWS\system32\KADxMain.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ISUSScheduler
"C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RoxioDragToDisc
"C:\Archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PDVDDXSrv
"C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ECenter
C:\Dell\E-Center\EULALauncher.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Acrobat Assistant 7.0
"C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
"C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
baqbwgmb
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast5
C:\ARCHIV~1\ALWILS~1\Avast5\avastUI.exe /nogui

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
amva
C:\WINDOWS\system32\amvo.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
cdoosoft
C:\DOCUME~1\Unique\CONFIG~1\Temp\herss.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
baqbwgmb
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
"C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Acelerador de inicio de AutoCAD.lnk
C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart16.exe (Remark: Acelera el inicio de AutoCAD rellenando la caché de disco)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Adobe Acrobat Speed Launcher.lnk
C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe (Remark:)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Adobe Gamma.lnk
C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe (Remark:)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Bluetooth Manager.lnk
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (Remark:)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
desktop.ini


C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Digital Line Detect.lnk
C:\Archivos de programa\Digital Line Detect\DLG.exe (Remark:)

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Launchy.lnk
C:\Archivos de programa\Launchy\Launchy.exe (Remark:)

C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio
desktop.ini


C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio
OpenOffice.org 2.3.lnk
C:\Archivos de programa\OpenOffice.org 2.3\program\quickstart.exe (Remark:)

C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio
Stardock ObjectDock.lnk
C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe (Remark: Stardock ObjectDock)

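A startup log like the one above is read by eye for autostart entries that launch from places a normal installer never uses. As an added example (not part of the thread, and not IceSword's own code), here is a small Python triage script for this three-line log format: it flags targets that live in a user-writable profile or temp directory and targets registered in more than one autostart location; the sample log is constructed from entries on this page.

```python
"""Triage an IceSword-style startup log for autostart entries worth a closer look.

Added example, not code from the thread or from IceSword. Records are three lines
(autostart location, entry name, command) separated by blank lines; Startup-folder
records carry a trailing "(Remark: ...)" note. Flags targets that live in a
user-writable profile/temp directory and targets registered in several locations.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, assembled from entries that appear in the thread's log.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Apoint
C:\Archivos de programa\DellTPad\Apoint.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
baqbwgmb
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
amva
C:\WINDOWS\system32\amvo.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
cdoosoft
C:\DOCUME~1\Unique\CONFIG~1\Temp\herss.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
baqbwgmb
C:\Documents and Settings\Unique\Datos de programa\jbkisl\bmwosftav.exe

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
desktop.ini


C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
Launchy.lnk
C:\Archivos de programa\Launchy\Launchy.exe (Remark:)
"""

# Paths inside a user profile or a temp directory ("users" covers Vista+ layouts).
USER_WRITABLE = re.compile(r"\\(documents and settings|docume~1|users)\\|\\temp\\", re.I)
EXE_AT_START = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)", re.I)


@dataclass
class Entry:
    location: str  # registry key or Startup folder holding the entry
    name: str      # value name or .lnk file name
    command: str   # command line as logged
    target: str    # executable (or the DLL rundll32 loads) taken from it


def extract_target(command: str) -> str:
    """Return the file that actually runs for a logged command line."""
    cmd = command.strip()
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        exe, rest = quoted.group(1), cmd[quoted.end():]
    else:
        found = EXE_AT_START.match(cmd)
        if not found:
            return cmd
        exe, rest = found.group(1), cmd[found.end():]
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":  # host only; the DLL runs
        dll = rest.strip().split(",")[0].strip().strip('"')
        return dll or exe
    return exe


def parse_startup_log(text: str) -> list:
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        if len(lines) < 3 or not lines[2]:  # desktop.ini records, empty values
            continue
        command = re.sub(r"\s*\(Remark.*$", "", lines[2])
        entries.append(Entry(lines[0], lines[1], command, extract_target(command)))
    return entries


def triage(entries: list) -> list:
    """Return (entry name, target, reasons) for every entry that trips a check."""
    seen = Counter(e.target.lower() for e in entries)
    findings = []
    for e in entries:
        reasons = []
        if USER_WRITABLE.search(e.target):
            reasons.append("runs from a user-writable profile or temp directory")
        if seen[e.target.lower()] > 1:
            reasons.append(f"same target registered in {seen[e.target.lower()]} autostart locations")
        if reasons:
            findings.append((e.name, e.target, reasons))
    return findings
```

Calling `triage(parse_startup_log(SAMPLE_LOG))` returns the two bmwosftav.exe registrations and the herss.exe entry. The amva entry pointing at system32\amvo.exe trips neither check, which is why a log reader still has to look at unfamiliar names by hand.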

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Fri Feb 19, 2010 1:25 am

Hi again.

Those were my two logs created by IceSword.

I have a notice that I think can be helpful. My Windows Defender automatically started and did its daily scan about 20 minutes ago. It detected a "TrojanDownloader:Win32Renos.KQ" with a Severe alert level. The action taken was to remove it.

The pop-up madness stopped!

I think that's important in case it has changed anything in the two logs above.

Anyway, it would be fantastic to continue following your instructions to be sure that the computer is really clean and running normally.

Thanks a lot!


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Fri Feb 19, 2010 11:50 pm

Hello.


  • Open IceSword again.
  • Go into the Process list again, and right click on the following filename:

    bmwosftav.exe

  • Select Terminate Process.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sat Feb 20, 2010 12:05 am

Belahzur wrote: Hello.


  • Open IceSword again.
  • Go into the Process list again, and right click on the following filename:

    bmwosftav.exe

  • Select Terminate Process.


I can't find this process (bmwosftav.exe) running on the computer right now.

Should I paste a new log from IceSword? Or download Malwarebytes' Anti-Malware and do what you wrote? Or...?


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Sat Feb 20, 2010 12:13 am

Run MBAM, see if it will run now.





Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sat Feb 20, 2010 12:31 am

Clicking Finish

Belahzur wrote:

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

An error occurred >> Error code: 732 (12029, 0)

Anyway, MBAM was automatically launched after clicking Accept and I'm doing the Quick Scan... and being patient.

Next post will be the log, I hope :p


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sat Feb 20, 2010 12:42 am

The MBAM log:



Malwarebytes' Anti-Malware 1.44
Versión de la Base de Datos: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

20/02/2010 1:34:28
mbam-log-2010-02-20 (01-34-28).txt

Tipo de examen : Examen Rápido
Objetos examinados: 128958
Tiempo transcurrido: 9 minute(s), 28 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 1
Valores del Registro Infectados: 2
Elementos de Datos del Registro Infectados: 1
Carpetas Infectadas: 0
Ficheros Infectados: 1

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Valores del Registro Infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amva (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\6phx.com (Spyware.OnlineGames) -> Quarantined and deleted successfully.

If there's any difficulty with the language, I can change the MBAM language to English. I didn't think of it before.


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Sat Feb 20, 2010 8:28 pm

No problem with the language, I can read almost any log in any language - mainly because the filenames stay the same and are in the same location, so it doesn't matter what the language is.

You may have a flash drive infection.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.





Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sat Feb 20, 2010 8:58 pm

Belahzur wrote: No problem with the language, I can read almost any log in any language - mainly because the filenames stay the same and are in the same location, so it doesn't matter what the language is.

That's what I thought. It's not English or Spanish or... it's computing language.

Scanning. Next, the two logs.


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sat Feb 20, 2010 9:05 pm

OTL.exe > Part #1


OTL logfile created on: 20/02/2010 21:54:22 - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Unique\Escritorio
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 70,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 186,19 Gb Total Space | 8,26 Gb Free Space | 4,44% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D30MPK3J
Current User Name: Unique
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/20 21:53:20 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Unique\Escritorio\OTL.exe
PRC - [2010/02/11 19:53:42 | 002,756,488 | ---- | M] (ALWIL Software) -- C:\Archivos de programa\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/02/11 19:53:39 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/03/09 04:19:15 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Archivos de programa\Java\jre6\bin\jqs.exe
PRC - [2008/04/23 01:08:13 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008/03/26 10:31:49 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/12/18 12:43:34 | 000,274,432 | ---- | M] () -- C:\Archivos de programa\Launchy\Launchy.exe
PRC - [2007/12/05 21:07:38 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Archivos de programa\Sigmatel\C-Major Audio\WDM\stsystra.exe
PRC - [2007/12/05 21:07:34 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2007/11/13 17:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Archivos de programa\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 17:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Archivos de programa\OpenOffice.org 2.3\program\soffice.exe
PRC - [2007/11/08 23:50:10 | 001,552,384 | ---- | M] () -- C:\Archivos de programa\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
PRC - [2007/09/23 19:27:38 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Archivos de programa\DellTPad\hidfind.exe
PRC - [2007/09/23 19:27:30 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Archivos de programa\DellTPad\Apoint.exe
PRC - [2007/09/23 19:27:28 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Archivos de programa\DellTPad\ApMsgFwd.exe
PRC - [2007/09/23 19:27:28 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Archivos de programa\DellTPad\ApntEx.exe
PRC - [2007/09/14 11:53:16 | 000,218,424 | ---- | M] (Wave Systems Corp.) -- C:\Archivos de programa\Wave Systems Corp\SecureUpgrade.exe
PRC - [2007/09/10 10:55:04 | 000,092,160 | ---- | M] (Wave Systems Corp.) -- C:\Archivos de programa\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
PRC - [2007/09/07 18:29:04 | 000,737,280 | ---- | M] (Wave Systems Corp.) -- C:\Archivos de programa\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
PRC - [2007/07/25 17:41:42 | 000,647,168 | ---- | M] (Intel Corporation) -- C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/07/25 17:32:50 | 000,823,296 | ---- | M] (Intel Corporation) -- C:\Archivos de programa\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/07/25 17:32:34 | 000,294,912 | ---- | M] (Intel(R) Corporation) -- C:\Archivos de programa\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/07/25 17:30:36 | 000,974,848 | ---- | M] (Intel Corporation) -- C:\Archivos de programa\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/07/25 17:29:38 | 000,987,136 | ---- | M] (Intel Corporation ) -- C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/07/25 17:26:14 | 000,491,520 | ---- | M] (Intel Corporation) -- C:\Archivos de programa\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/07/25 17:22:44 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/07/20 17:53:52 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Archivos de programa\Dell\QuickSet\NicConfigSvc.exe
PRC - [2007/06/13 14:22:28 | 001,035,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/31 16:50:40 | 000,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/04/30 18:43:54 | 003,450,608 | ---- | M] (Stardock) -- C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe
PRC - [2007/01/11 21:43:46 | 002,150,400 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2006/12/19 15:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) -- C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe
PRC - [2006/12/18 16:22:14 | 000,278,528 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2006/12/15 12:41:30 | 002,170,880 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
PRC - [2006/11/03 19:02:14 | 000,050,688 | ---- | M] (Avanquest Software ) -- C:\Archivos de programa\Digital Line Detect\DLG.exe
PRC - [2006/11/03 17:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Windows Defender\MSASCui.exe
PRC - [2006/11/03 17:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Archivos de programa\Windows Defender\MsMpEng.exe
PRC - [2006/11/02 15:05:50 | 000,282,624 | ---- | M] (Knowles Acoustics) -- C:\WINDOWS\system32\KADxMain.exe
PRC - [2006/10/27 21:13:48 | 000,270,336 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2006/10/20 18:23:38 | 000,118,784 | ---- | M] (CyberLink Corp.) -- C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2006/08/17 10:00:00 | 001,116,920 | ---- | M] (Roxio) -- C:\Archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe
PRC - [2006/04/29 06:32:56 | 000,049,152 | ---- | M] (Dassault Systemes) -- C:\Archivos de programa\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
PRC - [2006/02/07 00:00:20 | 000,311,296 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
PRC - [2006/01/24 00:14:10 | 000,069,632 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PRC - [2005/09/30 18:22:50 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Archivos de programa\Canon\CAL\CALMAIN.exe
PRC - [2004/07/27 17:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe


========== Modules (SafeList) ==========

MOD - [2010/02/20 21:53:20 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Unique\Escritorio\OTL.exe
MOD - [2007/04/30 18:18:50 | 000,112,400 | ---- | M] () -- C:\Archivos de programa\Stardock\ObjectDock\DockShellHook.dll
MOD - [2006/08/25 09:46:28 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/02/11 19:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/02/11 19:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/02/11 19:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/12/30 12:35:11 | 000,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Archivos de programa\Google\Update\GoogleUpdate.exe -- (gupdate) Servicio Google Update (gupdate)
SRV - [2009/03/27 09:01:34 | 000,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/09 04:19:15 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Archivos de programa\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/04/18 14:06:01 | 000,085,096 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2008/04/11 17:02:53 | 000,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2007/12/05 21:07:34 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2007/11/08 23:50:10 | 001,552,384 | ---- | M] () [Auto | Running] -- C:\Archivos de programa\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2007/09/13 15:31:44 | 000,192,512 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Archivos de programa\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe -- (WaveEnrollmentService)
SRV - [2007/09/07 18:29:04 | 000,737,280 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Archivos de programa\Wave Systems Corp\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV - [2007/08/31 18:39:18 | 000,486,400 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Archivos de programa\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV - [2007/07/25 17:41:42 | 000,647,168 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2007/07/25 17:32:34 | 000,294,912 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Archivos de programa\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)
SRV - [2007/07/25 17:29:38 | 000,987,136 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2007/07/25 17:22:44 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2007/07/20 17:53:52 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Archivos de programa\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2007/05/31 16:50:40 | 000,163,908 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/12/19 15:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)
SRV - [2006/11/03 17:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Archivos de programa\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/09/14 15:54:34 | 000,073,728 | ---- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Archivos de programa\Archivos comunes\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2006/04/29 06:32:56 | 000,049,152 | ---- | M] (Dassault Systemes) [Auto | Running] -- C:\Archivos de programa\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe -- (BBDemon)
SRV - [2005/09/30 18:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Archivos de programa\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2004/10/22 02:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 19:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010/02/11 19:42:34 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/02/11 19:42:13 | 000,162,512 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/02/11 19:39:01 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/02/11 19:38:34 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/02/11 19:38:23 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/02/11 19:38:07 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/09/23 16:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2008/03/26 10:17:22 | 000,021,393 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2007/12/05 21:07:36 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/12/02 19:26:28 | 000,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2007/12/02 19:26:22 | 000,989,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/12/02 19:26:20 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/12/02 19:26:20 | 000,211,200 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/11/28 17:18:24 | 000,062,208 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/11/13 11:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/09/23 19:27:26 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/09/10 10:55:00 | 000,161,280 | ---- | M] (Wave Systems Corp.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\WavxDMgr.sys -- (WavxDMgr)
DRV - [2007/09/07 10:57:14 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys -- (PBADRV)
DRV - [2007/09/06 10:18:40 | 000,018,176 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WaveFDE.sys -- (WaveFDE)
DRV - [2007/08/12 19:05:34 | 002,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Controlador del adaptador Intel(R)
DRV - [2007/05/31 16:50:20 | 006,727,136 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/05/29 16:29:30 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/04/26 15:29:30 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2007/04/26 15:29:28 | 000,073,600 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosrfhid.sys -- (Tosrfhid)
DRV - [2007/04/26 15:29:28 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007/04/26 15:29:28 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2007/04/26 15:29:26 | 000,113,920 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2007/04/26 15:29:26 | 000,036,480 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2007/04/26 15:29:24 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2007/03/18 16:44:38 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/12/19 15:21:52 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Archivos de programa\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)
DRV - [2006/11/02 13:32:32 | 000,097,536 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec01.sys -- (DXEC01)
DRV - [2006/08/18 14:18:12 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 14:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 14:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 14:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 14:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 14:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 14:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 14:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 12:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/08/11 11:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 11:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/07/24 04:00:00 | 000,036,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/07/21 12:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2004/08/20 13:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/20 13:00:00 | 000,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2004/08/12 18:45:54 | 000,137,728 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 00:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 00:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2003/07/11 14:22:08 | 000,014,912 | ---- | M] (IBM) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\LUMDriver.sys -- (LUMDriver)
DRV - [2002/12/17 04:41:10 | 000,076,288 | ---- | M] (Rainbow Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
DRV - [2001/08/22 22:33:56 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 23:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 23:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 23:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 23:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 23:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 22:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 22:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 22:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 22:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 22:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 22:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 22:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 22:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 22:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 21:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.fotolog.com/labruixaavorrida"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.19
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2.1.5
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.2.1
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.4
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.5.1


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Archivos de programa\Mozilla Firefox\components [2010/02/19 15:47:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Archivos de programa\Mozilla Firefox\plugins [2010/02/19 15:47:46 | 000,000,000 | ---D | M]

[2008/10/28 18:32:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Unique\Datos de programa\Mozilla\Extensions
[2010/02/20 21:47:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Unique\Datos de programa\Mozilla\Firefox\Profiles\1dh83251.default\extensions
[2009/10/09 13:11:34 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Unique\Datos de programa\Mozilla\Firefox\Profiles\1dh83251.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/07/11 13:42:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Unique\Datos de programa\Mozilla\Firefox\Profiles\1dh83251.default\extensions\ca@dictionaries.addons.mozilla.org
[2008/07/03 08:15:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Unique\Datos de programa\Mozilla\Firefox\Profiles\1dh83251.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2009/01/31 12:57:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Unique\Datos de programa\Mozilla\Firefox\Profiles\1dh83251.default\extensions\es-es@dictionaries.addons.mozilla.org
[2010/02/11 19:56:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Unique\Datos de programa\Mozilla\Firefox\Profiles\1dh83251.default\extensions\personas@christopher.beard
[2010/02/20 21:47:01 | 000,000,000 | ---D | M] -- C:\Archivos de programa\Mozilla Firefox\extensions
[2010/01/20 18:04:25 | 000,003,996 | ---- | M] () -- C:\Archivos de programa\Mozilla Firefox\searchplugins\drae.xml
[2010/01/20 18:04:25 | 000,000,751 | ---- | M] () -- C:\Archivos de programa\Mozilla Firefox\searchplugins\eBay-es.xml
[2010/01/20 18:04:25 | 000,001,178 | ---- | M] () -- C:\Archivos de programa\Mozilla Firefox\searchplugins\wikipedia-es.xml
[2010/01/20 18:04:25 | 000,000,798 | ---- | M] () -- C:\Archivos de programa\Mozilla Firefox\searchplugins\yahoo-es.xml

O1 HOSTS File: ([2008/07/13 20:59:01 | 000,000,548 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DIALux 3.1 ULDBrowserHelper Class) - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Archivos de programa\DIALux\DLXShellExtension.dll (DIAL GmbH, Germany)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Archivos de programa\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Archivos de programa\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Archivos de programa\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Archivos de programa\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Archivos de programa\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Archivos de programa\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast5] C:\Archivos de programa\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [ECenter] C:\dell\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [IntelWireless] C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] c:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe (Knowles Acoustics)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PDVDDXSrv] C:\Archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [SecureUpgrade] C:\Archivos de programa\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Archivos de programa\Sigmatel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [WavXMgr] C:\Archivos de programa\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Archivos de programa\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Acelerador de inicio de AutoCAD.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart16.exe (Autodesk, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Bluetooth Manager.lnk = C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Digital Line Detect.lnk = C:\Archivos de programa\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Launchy.lnk = C:\Archivos de programa\Launchy\Launchy.exe ()
O4 - Startup: C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio\OpenOffice.org 2.3.lnk = C:\Archivos de programa\OpenOffice.org 2.3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Unique\Menú Inicio\Programas\Inicio\Stardock ObjectDock.lnk = C:\Archivos de programa\Stardock\ObjectDock\ObjectDock.exe (Stardock)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Archivos de programa\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 80.58.61.250 80.58.61.254
O18 - Protocol\Handler\dialux {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Archivos de programa\DIALux\DLXToolBox.dll (DIAL GmbH, Germany)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\lledo {54DB67D8-DE43-4362-BDA8-9C574379CAD5} - C:\Archivos de programa\Archivos comunes\Lledo\DatabaseTools.dll ()
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Archivos de programa\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\gemsafe: DllName - C:\Archivos de programa\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll - C:\Archivos de programa\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
O24 - Desktop Components:0 (Mi página de inicio actual) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Unique\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Unique\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Archivos de programa\Windows Defender\MpShHook.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/09/08 17:04:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/10/23 10:41:37 | 000,000,057 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/10/24 17:31:08 | 000,002,352 | ---- | M] () - C:\autorun.PNF -- [ NTFS ]
O33 - MountPoints2\{031e2296-5460-11de-bf60-001e37c4a700}\Shell\AutoRun\command - "" = E:\set21\ago1opa.exe -- File not found
O33 - MountPoints2\{2232c527-f949-11de-80c4-001e37c4a700}\Shell\AutoRun\command - "" = f2kmj.exe
O33 - MountPoints2\{2232c527-f949-11de-80c4-001e37c4a700}\Shell\open\Command - "" = f2kmj.exe
O33 - MountPoints2\{2c1a6a38-6ace-11dd-bdaf-001e37c4a700}\Shell - "" = AutoRun
O33 - MountPoints2\{33513dc6-e67a-11dd-be95-001e37c4a700}\Shell\AutoRun\command - "" = E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe -- File not found
O33 - MountPoints2\{33513dc6-e67a-11dd-be95-001e37c4a700}\Shell\open\command - "" = E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe -- File not found
O33 - MountPoints2\{3ac583c7-1b4d-11dd-bd2a-001e37c4a700}\Shell - "" = AutoRun
O33 - MountPoints2\{3ac583c7-1b4d-11dd-bd2a-001e37c4a700}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O33 - MountPoints2\{568e6c25-f02d-11de-80b0-001e37c4a700}\Shell\AutoRun\command - "" = set21\ago1opa.exe
O33 - MountPoints2\{77e5316e-f434-11dd-beaf-001e37c4a700}\Shell\AutoRun\command - "" = E:\set21\ago1opa.exe -- File not found
O33 - MountPoints2\{7e9b2d28-2360-11de-bf05-001e37c4a700}\Shell\Auto\command - "" = msnmsgr_plus.exe
O33 - MountPoints2\{8024e0fc-e171-11dd-be8c-001e37c4a700}\Shell\AutoRun\command - "" = E:\iqe68o.bat -- File not found
O33 - MountPoints2\{8024e0fc-e171-11dd-be8c-001e37c4a700}\Shell\explore\Command - "" = E:\iqe68o.bat -- File not found
O33 - MountPoints2\{8024e0fc-e171-11dd-be8c-001e37c4a700}\Shell\open\Command - "" = E:\iqe68o.bat -- File not found
O33 - MountPoints2\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\Shell\AutoRun\command - "" = u.bat
O33 - MountPoints2\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\Shell\explore\Command - "" = u.bat
O33 - MountPoints2\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\Shell\open\Command - "" = u.bat
O33 - MountPoints2\{9460c970-0af1-11dd-bcf9-001e37c4a700}\Shell\AutoRun\command - "" = E:\set21\ago1opa.exe -- File not found
O33 - MountPoints2\{99d04404-5897-11de-bf6b-001e37c4a700}\Shell\AutoRun\command - "" = E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe -- File not found
O33 - MountPoints2\{99d04404-5897-11de-bf6b-001e37c4a700}\Shell\open\command - "" = E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe -- File not found
O33 - MountPoints2\{b14b4b24-e186-11de-808a-001e37c4a700}\Shell\AutoRun\command - "" = E:\set21\ago1opa.exe -- File not found
O33 - MountPoints2\{b2932efe-de7e-11dd-be88-001e37c4a700}\Shell - "" = AutoRun
O33 - MountPoints2\{b2932efe-de7e-11dd-be88-001e37c4a700}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{b2932eff-de7e-11dd-be88-001e37c4a700}\Shell\AutoRun\command - "" = G:\601ugf.exe -- File not found
O33 - MountPoints2\{b2932eff-de7e-11dd-be88-001e37c4a700}\Shell\open\Command - "" = G:\601ugf.exe -- File not found
O33 - MountPoints2\{b9db71f4-5115-11dd-bd8d-001e37c4a700}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-6-21-1254946310-2159485961-600003330-2501\shellopen.exe -- File not found
O33 - MountPoints2\{b9db71f4-5115-11dd-bd8d-001e37c4a700}\Shell\open\command - "" = E:\RECYCLER\S-1-6-21-1254946310-2159485961-600003330-2501\shellopen.exe -- File not found
O33 - MountPoints2\{c67a306f-a740-11dd-be11-001e37c4a700}\Shell\AutoRun\command - "" = G:\q3kku.exe -- File not found
O33 - MountPoints2\{c67a306f-a740-11dd-be11-001e37c4a700}\Shell\open\Command - "" = G:\q3kku.exe -- File not found
O33 - MountPoints2\{d5cb4650-694d-11dd-bdab-001e37c4a700}\Shell - "" = AutoRun
O33 - MountPoints2\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\Shell\AutoRun\command - "" = F:\iqe68o.bat -- File not found
O33 - MountPoints2\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\Shell\explore\Command - "" = F:\iqe68o.bat -- File not found
O33 - MountPoints2\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\Shell\open\Command - "" = F:\iqe68o.bat -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sat Feb 20, 2010 9:06 pm

OTL.exe> Part #2



========== Files/Folders - Created Within 30 Days ==========

[2010/02/20 21:53:15 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Unique\Escritorio\OTL.exe
[2010/02/20 01:36:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\NTRU Cryptosystems
[2010/02/20 01:17:41 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Unique\Escritorio\mbam-setup.exe
[2010/02/19 02:48:42 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/02/19 02:48:41 | 000,162,512 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/02/19 02:48:40 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/02/19 02:48:39 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/02/19 02:48:38 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/02/19 02:48:38 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/02/19 02:48:38 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/02/19 02:48:26 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/02/19 02:48:26 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/02/18 00:23:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\virus intento carlos
[2010/02/18 00:06:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\IceSword122en
[2010/02/17 22:33:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Datos de programa\Malwarebytes
[2010/02/17 22:33:50 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/17 22:33:48 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/17 22:33:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Malwarebytes
[2010/02/17 22:33:47 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Malwarebytes' Anti-Malware
[2010/02/17 21:47:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Alwil Software
[2010/02/17 21:32:40 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/02/17 21:32:35 | 000,207,280 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/02/17 21:32:35 | 000,087,784 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/02/17 21:32:09 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/02/17 21:31:35 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Archivos comunes\PC Tools
[2010/02/17 21:31:34 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Spyware Doctor
[2010/02/17 21:31:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Datos de programa\PC Tools
[2010/02/17 21:31:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\PC Tools
[2010/02/17 21:29:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\TEMP
[2010/02/17 10:06:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Unique\PrivacIE
[2010/02/17 09:59:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Datos de programa\jbkisl
[2010/02/17 09:59:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Configuración local\Datos de programa\jbkisl
[2010/02/15 01:20:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\Dex T2 + T3
[2010/02/15 01:10:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\D&D
[2010/02/14 00:54:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\Moonlight T1
[2010/02/11 22:15:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Mis documentos\cançons
[2010/02/11 22:12:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Mis documentos\dialogues
[2010/02/11 22:09:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Mis documentos\words
[2010/02/07 14:13:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\2010 París
[2010/02/06 19:47:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\PB T4
[2010/02/05 17:06:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\baberos
[2010/02/05 14:02:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\2010 París _1 104CANON
[2010/02/05 13:52:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\2010 París _3 105CANON
[2010/02/05 13:47:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\2010 París _2 104CANON
[2010/01/29 16:50:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Escritorio\pariss
[2010/01/23 15:36:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Unique\Mis documentos\Descargas
[2009/12/30 12:40:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Google
[2009/12/30 12:35:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Google
[2009/09/17 22:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft
[2008/12/03 11:14:41 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Datos de programa\Microsoft
[2008/07/18 14:13:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\PCHealth
[2008/03/26 10:17:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Datos de programa\Intel
[2008/03/26 10:17:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Datos de programa\Intel
[2004/09/08 17:11:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft
[2004/09/08 16:55:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Datos de programa\Microsoft
[48 C:\Documents and Settings\Unique\Escritorio\*.tmp files -> C:\Documents and Settings\Unique\Escritorio\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/20 21:53:20 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Unique\Escritorio\OTL.exe
[2010/02/20 21:47:10 | 000,055,944 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/02/20 02:20:21 | 000,001,012 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/02/20 01:40:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/20 01:39:19 | 000,000,344 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/02/20 01:37:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/20 01:36:39 | 000,001,084 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/20 01:36:37 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/20 01:36:24 | 000,002,363 | ---- | M] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Acrobat Speed Launcher.lnk
[2010/02/20 01:36:20 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Unique\Configuración local\Datos de programa\WavXMapDrive.bat
[2010/02/20 01:36:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/20 01:36:11 | 2145,353,728 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/20 01:35:34 | 012,320,768 | -H-- | M] () -- C:\Documents and Settings\Unique\NTUSER.DAT
[2010/02/20 01:23:38 | 000,077,370 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\MBAMimage.JPG
[2010/02/20 01:18:56 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Unique\Escritorio\mbam-setup.exe
[2010/02/20 00:57:36 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Unique\Mis documentos\Cuando accedí a ser tu amante estaba convencida de que mi desdén por tu vulgaridad y tu asombrosa falta de escrúpulos cercenaría cualquier posibilidad de que sintiera algo por ti pero.doc
[2010/02/19 18:35:04 | 000,000,504 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Unique.job
[2010/02/19 02:48:39 | 000,002,958 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/02/18 00:03:59 | 002,205,157 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\IceSword122en.zip
[2010/02/17 18:22:28 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Unique\Mis documentos\ensalada parisienne.doc
[2010/02/17 10:17:30 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/02/17 10:17:28 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Unique\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/14 16:58:18 | 000,192,557 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\12219uv_500.jpg
[2010/02/14 16:51:26 | 000,436,298 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\33tjt3a.jpg
[2010/02/14 16:51:06 | 000,438,635 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\12219uv.jpg
[2010/02/14 16:50:47 | 000,469,233 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\ekgr4o.jpg
[2010/02/14 16:49:39 | 000,268,248 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\3610748372_5a5f4d4220.jpg
[2010/02/14 16:48:33 | 000,116,588 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\3618591863_bd288563e8.jpg
[2010/02/12 16:07:40 | 000,081,565 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\1265361799715_f.jpg
[2010/02/11 23:30:09 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Unique\Mis documentos\test.doc
[2010/02/11 19:53:57 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/02/11 19:53:36 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/02/11 19:42:34 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/02/11 19:42:13 | 000,162,512 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/02/11 19:39:01 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/02/11 19:38:34 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/02/11 19:38:31 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/02/11 19:38:23 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/02/11 19:38:07 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/02/11 01:41:10 | 000,055,944 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/02/09 21:03:41 | 000,035,840 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\onomatopeia.doc
[2010/02/09 20:53:04 | 000,032,116 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\les bessones del carrer de ponent 4.jpg
[2010/02/09 20:52:52 | 000,144,935 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\les bessones del carrer de ponent 3.jpg
[2010/02/09 20:52:44 | 000,176,848 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\les bessones del carrer de ponent 2.jpg
[2010/02/09 20:52:25 | 000,160,419 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\les bessones del carrer de ponent.jpg
[2010/02/05 09:25:38 | 000,070,408 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/02/05 09:17:56 | 000,233,136 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/01/29 17:05:31 | 000,113,213 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\xacobeo.jpg
[2010/01/26 08:37:53 | 000,047,835 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\Elisa.jpg
[2010/01/23 17:09:37 | 000,119,967 | ---- | M] () -- C:\Documents and Settings\Unique\Escritorio\1264259782313_f.jpg
[48 C:\Documents and Settings\Unique\Escritorio\*.tmp files -> C:\Documents and Settings\Unique\Escritorio\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/20 01:23:38 | 000,077,370 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\MBAMimage.JPG
[2010/02/20 00:57:35 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Unique\Mis documentos\Cuando accedí a ser tu amante estaba convencida de que mi desdén por tu vulgaridad y tu asombrosa falta de escrúpulos cercenaría cualquier posibilidad de que sintiera algo por ti pero.doc
[2010/02/18 00:02:17 | 002,205,157 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\IceSword122en.zip
[2010/02/17 21:32:40 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/02/17 21:32:35 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/02/17 21:32:35 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/02/17 21:32:09 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/02/17 18:22:00 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Unique\Mis documentos\ensalada parisienne.doc
[2010/02/14 16:58:15 | 000,192,557 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\12219uv_500.jpg
[2010/02/14 16:51:26 | 000,436,298 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\33tjt3a.jpg
[2010/02/14 16:51:05 | 000,438,635 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\12219uv.jpg
[2010/02/14 16:50:47 | 000,469,233 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\ekgr4o.jpg
[2010/02/14 16:49:38 | 000,268,248 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\3610748372_5a5f4d4220.jpg
[2010/02/14 16:48:29 | 000,116,588 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\3618591863_bd288563e8.jpg
[2010/02/12 16:07:38 | 000,081,565 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\1265361799715_f.jpg
[2010/02/09 21:03:41 | 000,035,840 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\onomatopeia.doc
[2010/02/09 20:53:03 | 000,032,116 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\les bessones del carrer de ponent 4.jpg
[2010/02/09 20:52:51 | 000,144,935 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\les bessones del carrer de ponent 3.jpg
[2010/02/09 20:52:43 | 000,176,848 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\les bessones del carrer de ponent 2.jpg
[2010/02/09 20:52:24 | 000,160,419 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\les bessones del carrer de ponent.jpg
[2010/02/05 14:02:38 | 000,345,550 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\IMG_2181.JPG
[2010/02/05 14:02:38 | 000,183,817 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\IMG_2191.JPG
[2010/02/05 14:02:38 | 000,173,370 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\IMG_2183.JPG
[2010/01/29 17:05:29 | 000,113,213 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\xacobeo.jpg
[2010/01/26 08:37:50 | 000,047,835 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\Elisa.jpg
[2010/01/23 18:02:22 | 002,003,787 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\Matea_IMG_1014_superponer x2.jpg
[2010/01/23 17:25:28 | 000,025,230 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\1199824150_f.jpg
[2010/01/23 17:25:28 | 000,010,932 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\1181048936_f.jpg
[2010/01/23 17:19:45 | 000,014,779 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\1209120554_f.jpg
[2010/01/23 17:09:36 | 000,119,967 | ---- | C] () -- C:\Documents and Settings\Unique\Escritorio\1264259782313_f.jpg
[2009/10/09 17:10:18 | 000,000,103 | ---- | C] () -- C:\WINDOWS\Dialux.ini
[2009/06/13 01:14:57 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/20 12:14:34 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\Unique\Datos de programa\applications.log
[2008/10/25 09:30:06 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/07/19 19:14:24 | 000,000,099 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI
[2008/07/04 14:32:40 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/12 19:22:59 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2008/04/16 17:50:38 | 000,638,305 | ---- | C] () -- C:\Archivos de programa\microstation_v8_xm_instruccions_installacio.pdf
[2008/04/12 10:40:54 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Unique\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/11 17:32:24 | 000,000,615 | ---- | C] () -- C:\WINDOWS\MaxwellRender.ini
[2008/03/31 19:40:07 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Unique\Configuración local\Datos de programa\fusioncache.dat
[2008/03/31 19:40:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Unique\Configuración local\Datos de programa\WavXMapDrive.bat
[2008/03/26 10:34:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2008/03/26 10:34:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/03/26 10:31:23 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/03/26 10:31:23 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/03/26 10:24:31 | 000,080,368 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2008/03/26 10:21:57 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2008/03/26 10:21:57 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2008/03/26 09:52:34 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/03/26 09:52:34 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/03/26 09:52:33 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/03/26 09:52:32 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/03/26 09:50:48 | 000,001,417 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2007/09/13 15:42:30 | 000,499,712 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2007/09/13 15:42:30 | 000,471,040 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2007/09/13 15:42:28 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2007/09/13 15:42:28 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2007/09/13 15:42:28 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2007/09/13 15:42:28 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2007/09/13 15:42:26 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2007/09/13 15:42:26 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2007/09/13 15:42:26 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2007/09/13 15:42:26 | 000,434,176 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2007/09/13 15:36:24 | 000,438,272 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2007/09/12 16:05:08 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2007/09/12 16:04:46 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2007/09/12 16:04:26 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2007/09/12 16:04:06 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2007/09/12 16:03:44 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2007/09/12 16:03:24 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2007/09/12 16:03:04 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2007/09/12 16:02:44 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2007/09/12 16:02:22 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2007/09/12 16:02:02 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2007/09/10 10:53:26 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
[2007/06/15 11:19:20 | 000,835,584 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2006/11/07 05:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/17 00:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/17 00:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/08/14 12:02:10 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll
[2006/06/12 09:01:16 | 000,348,160 | ---- | C] () -- C:\WINDOWS\tsp.dll
[2005/09/02 15:44:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 22:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/09/10 14:34:00 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/09/10 14:34:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2004/09/08 17:00:30 | 000,003,656 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/07/20 18:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 15:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/04/11 12:14:14 | 000,005,827 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Datos de programa\TEMP:DFC5A2B2
< End of report >


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sat Feb 20, 2010 9:08 pm

Extras.txt


OTL Extras logfile created on: 20/02/2010 21:54:22 - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Unique\Escritorio
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C0A | Country: España | Language: ESN | Date Format: dd/MM/yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 70,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 186,19 Gb Total Space | 8,26 Gb Free Space | 4,44% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D30MPK3J
Current User Name: Unique
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] --
.scr [@ = MicroStation Resource] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Archivos de programa\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Archivos de programa\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Archivos de programa\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Archivos de programa\MSN Messenger\livecall.exe" = C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Archivos de programa\Windows Live\Messenger\wlcsdk.exe" = C:\Archivos de programa\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Archivos de programa\Next Limit\Maxwell\mxcl.exe" = C:\Archivos de programa\Next Limit\Maxwell\mxcl.exe:*:Enabled:mxcl -- ()
"C:\Archivos de programa\Google\Google SketchUp 6\SketchUp.exe" = C:\Archivos de programa\Google\Google SketchUp 6\SketchUp.exe:*:Enabled:SketchUp Application -- (Google, Inc.)
"C:\Archivos de programa\MSN Messenger\livecall.exe" = C:\Archivos de programa\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Archivos de programa\Dassault Systemes\B17\intel_a\code\bin\orbixd.exe" = C:\Archivos de programa\Dassault Systemes\B17\intel_a\code\bin\orbixd.exe:*:Disabled:orbixd -- ()
"C:\Archivos de programa\Dassault Systemes\B17\intel_a\code\bin\CNEXT.exe" = C:\Archivos de programa\Dassault Systemes\B17\intel_a\code\bin\CNEXT.exe:*:Disabled:CATIA -- (Dassault Systemes)
"C:\Archivos de programa\VideoLAN\VLC\vlc.exe" = C:\Archivos de programa\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Archivos de programa\Spotify\spotify.exe" = C:\Archivos de programa\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify AB)
"C:\Archivos de programa\Windows Live\Messenger\wlcsdk.exe" = C:\Archivos de programa\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0134A1A1-C283-4A47-91A1-92F19F960372}" = Adobe Creative Suite 2
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{103906AD-C60E-4E65-BC84-CE980D19CE41}" = Shockwave Player
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2411" = CanoScan LiDE 70
"{12E75B98-8463-4C1F-8DDA-F6CF31566A55}" = Google SketchUp Pro 6
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1BA838EE-C905-4EC5-BD77-332FDF76D346}" = Bentley MicroStation V8 XM Edition 08.09.04.51
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{236BB7C4-4419-42FD-0C0A-1E257A25E34D}" = Adobe Photoshop CS2
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{24A494F3-5B5F-4183-9F7D-9CE82812C1FC}" = tsp patch
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 13
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.1
"{27E25625-DB51-42E6-BEB7-0C8DC878770C}" = Broadcom ASF Management Applications
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{2F29D6D2-824E-4FEF-8AED-7013F39F642A}" = OpenOffice.org 2.3
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{342F5437-C87D-4BB5-89B9-B23E16C6A395}" = Microsoft VC80 Support DLLs
"{350C9C0A-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}" = Preboot Manager
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{405C32CF-9C6F-49B3-9436-3F5FDBE7B3CE}" = Microsoft .NET Framework 2.0 Language Pack - ESN
"{40F4ABE2-ED6B-4358-BD18-3A1C97FD6278}" = Maxwell for Rhinoceros 4
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4BF18ED6-C888-4BCF-A4AF-AC7A16305BC1}" = GemSafe Standard Edition 5.1
"{5081528F-5DD5-49BA-8213-9A6A13502497}" = Sentinel System Driver 5.41.1 (32-bit)
"{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"{53333479-6A52-4816-8497-5C52B67ED339}" = EMBASSY Security Setup
"{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}" = VBA (2627.01)
"{5783F2D7-0111-0409-0010-0060B0CE6BBA}" = Autodesk CAD Manager Tools
"{5783F2D7-4001-040A-0002-0060B0CE6BBA}" = AutoCAD 2006 - Español
"{5783F2D7-6001-0409-0002-0060B0CE6BBA}" = AutoCAD 2008 - English
"{5C2CBFFD-FC3B-4AA9-993B-CE2B8DA25B87}" = Rhinoceros 4.0
"{5EC5F187-9D2B-4051-8906-88656819A869}" = Dell Drivers MSI
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6E7DD182-9FC6-4651-0095-2E666CC6AF35}" = Los Sims 2
"{7148F0A8-6813-11D6-A77B-00B0D0142040}" = Java 2 Runtime Environment, SE v1.4.2_04
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = Analizador y SDK de MSXML 4.0 SP2
"{786C5747-1437-443D-B06E-79A00FE45110}" = Adobe Stock Photos 1.0
"{7BA9849D-55BE-498F-8200-732BE70418C8}" = PlugIn Lledó 10 / 2004
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{83169D43-4660-4347-BC95-E9D6E6BE65CE}" = Microsoft .NET Framework 1.1 Spanish Language Pack
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{8B4AE751-7055-4518-87B0-E148A8D50D0A}" = Macromedia FreeHand MX
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8D7BD6EE-C597-4375-B07F-A91FC78991C7}" = V-Ray for SketchUp 6
"{8EDBA74D-0686-4C99-BFDD-F894678E5103}" = Adobe Common File Installer
"{90110C0A-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{90F50409-6000-11D3-8CFE-0150048383C9}" = Visual Basic for Applications (R) Core
"{90F60C0A-6000-11D3-8CFE-0150048383C9}" = Visual Basic for Applications (R) Core - Spanish
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9593C6E5-205E-45C3-B785-05CF146CA76A}" = biolsp patch
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{9A346205-EA92-4406-B1AB-50379DA3F057}" = Autodesk DWF Viewer 7
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A093D83F-429A-4AB2-A0CD-1F7E9C7B764A}" = Trusted Drive Manager
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Embassy Trust Suite by Wave Systems
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AF4505CB-C93A-4B29-91B9-F15767AF43BE}" = AutoCAD 2008 Network License Activation Utility
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{BCBA1B06-0AB4-4FA8-8544-D174FC0B0B12}" = Solid Edge V18
"{BD8A0C60-1AEB-11D6-B8E1-00025521AE60}" = VBA (3821b)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C12D609B-EB71-411B-82C3-9BE6D40435D7}" = Google SketchUp LayOut 6
"{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}" = Suite Specific
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"{D7E7EC5E-4349-4E40-B37C-4342188B86EC}" = Monopoly
"{D9FCA292-1186-421F-8D93-9A5D272AD5D0}" = IntelliSonic Speech Enhancement
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E738A392-F690-4A9D-808E-7BAF80E0B398}" = ESC Home Page Plugin
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{E9787678-551D-4478-9682-DBB587257110}" = Adobe Help Center 1.0
"{EB459C2F-41CA-4222-B9CA-F8EBA40B8DAB}" = Google SketchUp 6 Exporters
"{EB4DF30B-102B-4F0C-927A-D50E037A325D}" = AuthenTec Fingerprint Sensor Minimum Install
"{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"{ECC22AFA-B905-4A6A-8072-10F52B9E09B7}" = Wave Infrastructure Installer
"{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"{EF05BA0F-AC15-4D12-AC5C-276225F5E751}" = Gemalto
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F1802FA6-54E9-4B24-BD2A-B50866819795}" = EMBASSY Trust Suite by Wave Systems
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Herramienta de diagnóstico del módem
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F702E0D5-FA81-48AB-B18F-B2BCC64F572F}" = Google SketchUp 7
"{FBEC50B7-537C-4A0E-8B0B-F7A8F8BF13CE}" = upekmsi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FE2F2589-96A6-4F38-98F5-DDAC34BD41B9}" = Autodesk Network License Manager
"{FEC193E4-6C5F-40E9-A249-7D8C8404A9EC}" = NTRU TCG Software Stack
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AutoCAD 2008 - English" = AutoCAD 2008 - English
"avast5" = avast! Free Antivirus
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"CanoScan Toolbox 5.0" = Canon CanoScan Toolbox 5.0
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"CSCLIB" = Canon Camera Support Core Library
"Dassault Systemes B17_0" = Dassault Systemes Software B17
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"DIALux" = DIALux 4.7
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"EOS Utility" = Canon Utilities EOS Utility
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software
"InstallShield_{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager
"InstallShield_{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2}" = Document Manager Lite
"InstallShield_{53333479-6A52-4816-8497-5C52B67ED339}" = EMBASSY Security Setup
"InstallShield_{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}" = Secure Update
"InstallShield_{E738A392-F690-4A9D-808E-7BAF80E0B398}" = ESC Home Page Plugin
"InstallShield_{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}" = Security Wizards
"InstallShield_{EEAFE1E5-076B-430A-96D9-B567792AFA88}" = EMBASSY Security Center
"Launchy_21344213_is1" = Launchy 2.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MaxwellExport_is1" = MaxwellExport (Version 1.10)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0 Language Pack - ESN" = Paquete de idioma de Microsoft .NET Framework 2.0 - ESN
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero7_is1" = Nero 7.10.1.0
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NSS" = Norton Security Scan
"NVIDIA Drivers" = NVIDIA Drivers
"ObjectDock" = ObjectDock
"POV-Ray for Windows v3.6" = POV-Ray for Windows v3.6.0
"ProInst" = Software Intel(R) PROSet/Wireless
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"SearchAssist" = SearchAssist
"SELPHY ES1 Printer Software Guide1" = Canon Utilities SELPHY Guía del software de la SELPHY ES1
"Spotify" = Spotify
"Spyware Doctor" = Spyware Doctor 7.0
"VLC media player" = VideoLAN VLC media player 0.8.6e
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Reproductor de Windows Media 11
"WinEva6" = WinEva6 6.06
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = Compresor WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 17/02/2010 6:24:33 | Computer Name = D30MPK3J | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 17/02/2010 6:32:23 | Computer Name = D30MPK3J | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 17/02/2010 13:04:48 | Computer Name = D30MPK3J | Source = Application Hang | ID = 1002
Description = Hanging application Nss.exe, version 2.4.1.29, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 17/02/2010 15:26:52 | Computer Name = D30MPK3J | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 17/02/2010 15:30:53 | Computer Name = D30MPK3J | Source = PerfNet | ID = 2005
Description = Unable to read performance data from the Server service. Server performance data will not be returned in this sample. The returned error code is in DWORD 0 of the data, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 17/02/2010 15:30:53 | Computer Name = D30MPK3J | Source = PerfNet | ID = 2006
Description = Unable to read Server queue performance data from the Server service. Server queue performance data will not be returned in this sample. The returned error code is in DWORD 0 of the data, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 17/02/2010 17:03:58 | Computer Name = D30MPK3J | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not be returned. The returned error code is in DWORD 0 of the data.

Error - 18/02/2010 20:31:18 | Computer Name = D30MPK3J | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

Error - 18/02/2010 21:45:15 | Computer Name = D30MPK3J | Source = Broadcom ASF IP and SMBIOS Mailbox Monitor | ID = 0
Description =

Error - 19/02/2010 13:00:21 | Computer Name = D30MPK3J | Source = crypt32 | ID = 131080
Description = Failed automatic update retrieval of the third-party root list sequence number from:
with error: A connection with the server could not be established

[ System Events ]
Error - 17/02/2010 17:03:04 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\ARCHIV~1\ALWILS~1\Avast5\avastUI.exe. Reference error message: The operation completed successfully.

Error - 17/02/2010 17:08:23 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842784
Description = Dependent assembly Microsoft.VC90.MFC could not be found and the last error was: The referenced assembly is not installed on your system.

Error - 17/02/2010 17:08:23 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system.

Error - 17/02/2010 17:08:23 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Archivos de programa\Alwil Software\Avast5\AvastUI.exe. Reference error message: The operation completed successfully.

Error - 18/02/2010 20:18:44 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842784
Description = Dependent assembly Microsoft.VC90.MFC could not be found and the last error was: The referenced assembly is not installed on your system.

Error - 18/02/2010 20:18:44 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system.

Error - 18/02/2010 20:18:44 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\ARCHIV~1\ALWILS~1\Avast5\avastUI.exe. Reference error message: The operation completed successfully.

Error - 18/02/2010 20:30:15 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842784
Description = Dependent assembly Microsoft.VC90.MFC could not be found and the last error was: The referenced assembly is not installed on your system.

Error - 18/02/2010 20:30:15 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system.

Error - 18/02/2010 20:30:15 | Computer Name = D30MPK3J | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\ARCHIV~1\ALWILS~1\Avast5\avastUI.exe. Reference error message: The operation completed successfully.


< End of report >


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Sat Feb 20, 2010 11:39 pm

Hello.
Well, there's the flash drive infection I was looking for.

Before we clean this, please plug in any removable media.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :OTL
    O4 - HKLM..\Run: [] File not found
    O32 - AutoRun File - [2009/10/23 10:41:37 | 000,000,057 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2009/10/24 17:31:08 | 000,002,352 | ---- | M] () - C:\autorun.PNF -- [ NTFS ]
    O33 - MountPoints2\{031e2296-5460-11de-bf60-001e37c4a700}\Shell\AutoRun\command - "" = E:\set21\ago1opa.exe -- File not found
    O33 - MountPoints2\{2232c527-f949-11de-80c4-001e37c4a700}\Shell\AutoRun\command - "" = f2kmj.exe
    O33 - MountPoints2\{2232c527-f949-11de-80c4-001e37c4a700}\Shell\open\Command - "" = f2kmj.exe
    O33 - MountPoints2\{2c1a6a38-6ace-11dd-bdaf-001e37c4a700}\Shell - "" = AutoRun
    O33 - MountPoints2\{33513dc6-e67a-11dd-be95-001e37c4a700}\Shell\AutoRun\command - "" = E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe -- File not found
    O33 - MountPoints2\{33513dc6-e67a-11dd-be95-001e37c4a700}\Shell\open\command - "" = E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe -- File not found
    O33 - MountPoints2\{3ac583c7-1b4d-11dd-bd2a-001e37c4a700}\Shell - "" = AutoRun
    O33 - MountPoints2\{3ac583c7-1b4d-11dd-bd2a-001e37c4a700}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{568e6c25-f02d-11de-80b0-001e37c4a700}\Shell\AutoRun\command - "" = set21\ago1opa.exe
    O33 - MountPoints2\{77e5316e-f434-11dd-beaf-001e37c4a700}\Shell\AutoRun\command - "" = E:\set21\ago1opa.exe -- File not found
    O33 - MountPoints2\{7e9b2d28-2360-11de-bf05-001e37c4a700}\Shell\Auto\command - "" = msnmsgr_plus.exe
    O33 - MountPoints2\{8024e0fc-e171-11dd-be8c-001e37c4a700}\Shell\AutoRun\command - "" = E:\iqe68o.bat -- File not found
    O33 - MountPoints2\{8024e0fc-e171-11dd-be8c-001e37c4a700}\Shell\explore\Command - "" = E:\iqe68o.bat -- File not found
    O33 - MountPoints2\{8024e0fc-e171-11dd-be8c-001e37c4a700}\Shell\open\Command - "" = E:\iqe68o.bat -- File not found
    O33 - MountPoints2\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\Shell\AutoRun\command - "" = u.bat
    O33 - MountPoints2\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\Shell\explore\Command - "" = u.bat
    O33 - MountPoints2\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\Shell\open\Command - "" = u.bat
    O33 - MountPoints2\{9460c970-0af1-11dd-bcf9-001e37c4a700}\Shell\AutoRun\command - "" = E:\set21\ago1opa.exe -- File not found
    O33 - MountPoints2\{99d04404-5897-11de-bf6b-001e37c4a700}\Shell\AutoRun\command - "" = E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe -- File not found
    O33 - MountPoints2\{99d04404-5897-11de-bf6b-001e37c4a700}\Shell\open\command - "" = E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe -- File not found
    O33 - MountPoints2\{b14b4b24-e186-11de-808a-001e37c4a700}\Shell\AutoRun\command - "" = E:\set21\ago1opa.exe -- File not found
    O33 - MountPoints2\{b2932efe-de7e-11dd-be88-001e37c4a700}\Shell - "" = AutoRun
    O33 - MountPoints2\{b2932efe-de7e-11dd-be88-001e37c4a700}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{b2932eff-de7e-11dd-be88-001e37c4a700}\Shell\AutoRun\command - "" = G:\601ugf.exe -- File not found
    O33 - MountPoints2\{b2932eff-de7e-11dd-be88-001e37c4a700}\Shell\open\Command - "" = G:\601ugf.exe -- File not found
    O33 - MountPoints2\{b9db71f4-5115-11dd-bd8d-001e37c4a700}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-6-21-1254946310-2159485961-600003330-2501\shellopen.exe -- File not found
    O33 - MountPoints2\{b9db71f4-5115-11dd-bd8d-001e37c4a700}\Shell\open\command - "" = E:\RECYCLER\S-1-6-21-1254946310-2159485961-600003330-2501\shellopen.exe -- File not found
    O33 - MountPoints2\{c67a306f-a740-11dd-be11-001e37c4a700}\Shell\AutoRun\command - "" = G:\q3kku.exe -- File not found
    O33 - MountPoints2\{c67a306f-a740-11dd-be11-001e37c4a700}\Shell\open\Command - "" = G:\q3kku.exe -- File not found
    O33 - MountPoints2\{d5cb4650-694d-11dd-bdab-001e37c4a700}\Shell - "" = AutoRun
    O33 - MountPoints2\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\Shell\AutoRun\command - "" = F:\iqe68o.bat -- File not found
    O33 - MountPoints2\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\Shell\explore\Command - "" = F:\iqe68o.bat -- File not found
    O33 - MountPoints2\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\Shell\open\Command - "" = F:\iqe68o.bat -- File not found



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


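What the O32 and O33 lines in this fix actually are: O32 is an autorun.inf found at the root of a drive (here C:\autorun.inf, with the read-only/hidden/system attributes the worm sets), and O33 is the copy of that file's Shell\<verb>\command handlers that Explorer keeps under HKCU\...\Explorer\MountPoints2\{volume GUID}. That cache is per user and outlives the drive, which is why most of the commands above end in "File not found" yet still matter: double-clicking the drive letter in My Computer can launch the cached command again. It is also why the helper asked for the removable media to be plugged in before the fix, so the drive's own autorun.inf and payload are cleaned at the same time. The script below is an added example for auditing both places on a live machine; it is not part of this thread and not OTL code. The allowlist (LaunchU3.exe, the U3 smart-drive launcher) and the "bad" patterns are my assumptions, taken only from the commands visible in this log, and the allowlist matches on file name only, so a drive that carries LaunchU3.exe still deserves a look. It needs PowerShell 2.0 or later and must run as the affected user.

```powershell
# Added example, not code from this thread or from OTL. It audits the two
# places the O32/O33 lines above come from: autorun.inf at the root of each
# drive, and the per-user MountPoints2 cache into which Explorer copies a
# drive's Shell\<verb>\command handlers. The allowlist and the patterns are
# assumptions based only on the commands visible in this thread.
# Needs PowerShell 2.0 or later; run it as the affected user (the cache is per user).

$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Handlers that legitimately appear on removable drives (U3 drives ship LaunchU3.exe).
# Matching is by file name only; malware can reuse the name, so still look at the drive.
$KnownGood = @('LaunchU3.exe')

# Traits of the malicious handlers seen in this thread (assumed, not an official list).
$BadPatterns = @{
    'fake recycle bin'  = '\\RECYCLER\\'
    'fake SID folder'   = '\\CONFIG\\S-1-'
    'impossible SID'    = 'S-1-6-'                     # account SIDs start with S-1-5-
    'batch launcher'    = '\.bat$'
    'random short name' = '(^|\\)[a-z0-9]{4,8}\.exe$'  # f2kmj.exe, q3kku.exe, 601ugf.exe
}

function Test-AutorunCommand([string]$Command) {
    # Allowlist first, then the bad patterns; anything else needs a human look.
    if ($KnownGood -contains (Split-Path -Path $Command -Leaf)) { return 'known good' }
    foreach ($name in $BadPatterns.Keys) {
        if ($Command -match $BadPatterns[$name]) { return $name }
    }
    return 'unknown, inspect'
}

function Get-CachedAutorunCommand {
    # MountPoints2\{volume GUID}\Shell\<verb>\command survives removal of the drive,
    # so double-clicking the drive letter later can still launch the payload.
    foreach ($vol in Get-ChildItem -Path $MountPoints2 -ErrorAction SilentlyContinue) {
        $shellKey = $vol.PSPath + '\Shell'
        if (-not (Test-Path -Path $shellKey)) { continue }
        foreach ($verb in Get-ChildItem -Path $shellKey) {
            $cmdKey = $verb.PSPath + '\command'
            if (-not (Test-Path -Path $cmdKey)) { continue }
            $cmd = (Get-Item -Path $cmdKey).GetValue('')   # the (Default) value
            if (-not $cmd) { continue }
            $verdict = Test-AutorunCommand $cmd
            New-Object PSObject -Property @{
                Volume  = $vol.PSChildName
                Verb    = $verb.PSChildName
                Command = $cmd
                Verdict = $verdict
                KeyPath = $vol.PSPath
            }
        }
    }
}

function Get-DriveAutorunInf {
    # DriveType 2 = removable, 3 = fixed. USB hard disks report as fixed, and the
    # worm in this thread also dropped C:\autorun.inf, so both types are checked.
    foreach ($d in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3') {
        $inf = "$($d.DeviceID)\autorun.inf"
        if (-not (Test-Path -Path $inf)) { continue }
        $attrs = (Get-Item -Path $inf -Force).Attributes   # -Force: the file is usually hidden+system
        foreach ($line in Get-Content -Path $inf) {
            # open=, shellexecute= and shell\<verb>\command= all launch a program.
            if ($line -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
                $directive = $matches[1]
                $target    = $matches[2].Trim()
                $verdict   = Test-AutorunCommand $target
                New-Object PSObject -Property @{
                    Drive      = $d.DeviceID
                    Attributes = $attrs
                    Directive  = $directive
                    Command    = $target
                    Verdict    = $verdict
                }
            }
        }
    }
}

$cached = @(Get-CachedAutorunCommand)
$cached | Sort-Object Verdict | Format-Table Volume, Verb, Command, Verdict -AutoSize
Get-DriveAutorunInf | Format-Table Drive, Attributes, Directive, Command, Verdict -AutoSize

# Cleanup, once the verdicts have been checked by hand. Deleting the whole {GUID}
# key is what the OTL fix above did; Explorer rebuilds it on the next mount.
# $cached | Where-Object { $_.Verdict -ne 'known good' } |
#     Select-Object -ExpandProperty KeyPath -Unique |
#     ForEach-Object { Remove-Item -Path $_ -Recurse -Force }
```

Run it once before cleaning to record what was cached, and again after every drive that has touched the machine has been plugged in and cleaned; a volume that reappears with a Shell\AutoRun\command handler after that is a drive that was missed. The commented cleanup deliberately deletes only keys that fail the allowlist, so an untouched U3 entry stays; the OTL fix above was more aggressive and removed every listed volume key, which is also safe.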

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sat Feb 20, 2010 11:58 pm

Let's go!


========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
C:\autorun.inf moved successfully.
C:\autorun.PNF moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{031e2296-5460-11de-bf60-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{031e2296-5460-11de-bf60-001e37c4a700}\ not found.
File E:\set21\ago1opa.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2232c527-f949-11de-80c4-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2232c527-f949-11de-80c4-001e37c4a700}\ not found.
File f2kmj.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2232c527-f949-11de-80c4-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2232c527-f949-11de-80c4-001e37c4a700}\ not found.
File f2kmj.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2c1a6a38-6ace-11dd-bdaf-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2c1a6a38-6ace-11dd-bdaf-001e37c4a700}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{33513dc6-e67a-11dd-be95-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33513dc6-e67a-11dd-be95-001e37c4a700}\ not found.
File E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{33513dc6-e67a-11dd-be95-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33513dc6-e67a-11dd-be95-001e37c4a700}\ not found.
File E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3ac583c7-1b4d-11dd-bd2a-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ac583c7-1b4d-11dd-bd2a-001e37c4a700}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3ac583c7-1b4d-11dd-bd2a-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ac583c7-1b4d-11dd-bd2a-001e37c4a700}\ not found.
File D:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{568e6c25-f02d-11de-80b0-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{568e6c25-f02d-11de-80b0-001e37c4a700}\ not found.
File set21\ago1opa.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77e5316e-f434-11dd-beaf-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77e5316e-f434-11dd-beaf-001e37c4a700}\ not found.
File E:\set21\ago1opa.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7e9b2d28-2360-11de-bf05-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7e9b2d28-2360-11de-bf05-001e37c4a700}\ not found.
File msnmsgr_plus.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8024e0fc-e171-11dd-be8c-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8024e0fc-e171-11dd-be8c-001e37c4a700}\ not found.
File E:\iqe68o.bat not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8024e0fc-e171-11dd-be8c-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8024e0fc-e171-11dd-be8c-001e37c4a700}\ not found.
File E:\iqe68o.bat not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8024e0fc-e171-11dd-be8c-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8024e0fc-e171-11dd-be8c-001e37c4a700}\ not found.
File E:\iqe68o.bat not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\ not found.
File u.bat not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\ not found.
File u.bat not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92eb5a6f-93dc-11dd-bdf2-001e37c4a700}\ not found.
File u.bat not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9460c970-0af1-11dd-bcf9-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9460c970-0af1-11dd-bcf9-001e37c4a700}\ not found.
File E:\set21\ago1opa.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{99d04404-5897-11de-bf6b-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99d04404-5897-11de-bf6b-001e37c4a700}\ not found.
File E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{99d04404-5897-11de-bf6b-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99d04404-5897-11de-bf6b-001e37c4a700}\ not found.
File E:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\usr.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b14b4b24-e186-11de-808a-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b14b4b24-e186-11de-808a-001e37c4a700}\ not found.
File E:\set21\ago1opa.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b2932efe-de7e-11dd-be88-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2932efe-de7e-11dd-be88-001e37c4a700}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b2932efe-de7e-11dd-be88-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2932efe-de7e-11dd-be88-001e37c4a700}\ not found.
File F:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b2932eff-de7e-11dd-be88-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2932eff-de7e-11dd-be88-001e37c4a700}\ not found.
File G:\601ugf.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b2932eff-de7e-11dd-be88-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b2932eff-de7e-11dd-be88-001e37c4a700}\ not found.
File G:\601ugf.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b9db71f4-5115-11dd-bd8d-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9db71f4-5115-11dd-bd8d-001e37c4a700}\ not found.
File E:\RECYCLER\S-1-6-21-1254946310-2159485961-600003330-2501\shellopen.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b9db71f4-5115-11dd-bd8d-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9db71f4-5115-11dd-bd8d-001e37c4a700}\ not found.
File E:\RECYCLER\S-1-6-21-1254946310-2159485961-600003330-2501\shellopen.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c67a306f-a740-11dd-be11-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c67a306f-a740-11dd-be11-001e37c4a700}\ not found.
File G:\q3kku.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c67a306f-a740-11dd-be11-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c67a306f-a740-11dd-be11-001e37c4a700}\ not found.
File G:\q3kku.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d5cb4650-694d-11dd-bdab-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d5cb4650-694d-11dd-bdab-001e37c4a700}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\ not found.
File F:\iqe68o.bat not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\ not found.
File F:\iqe68o.bat not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f87b7ea9-dfdc-11dd-be8b-001e37c4a700}\ not found.
File F:\iqe68o.bat not found.

OTL by OldTimer - Version 3.1.30.1 log created on 02212010_005518

That was it! And without rebooting the computer.

PS: Did I have to have the external USB HD CONNECTED (the one I think the infection could have come from)?

Sanddj

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Sun Feb 21, 2010 12:08 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java 2 Runtime Environment, SE v1.4.2_04
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) 6 Update 13

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


Belahzur

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sun Feb 21, 2010 12:52 am

Did you read my PS.- note?



Here is the Combo-Fix log:



ComboFix 10-02-20.03 - Unique 21/02/2010 1:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2046.1383 [GMT 1:00]
Running from: c:\documents and settings\Unique\Escritorio\Combo-Fix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AegisP.inf
c:\windows\EventSystem.log
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVPSYS
-------\Service_AVPsys
-------\Legacy_STacSV
-------\Service_STacSV


((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-20 23:55 . 2010-02-20 23:55 -------- d-----w- C:\_OTL
2010-02-19 01:48 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-19 01:48 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-19 01:48 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-19 01:48 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-19 01:48 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-19 01:48 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-19 01:48 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-19 01:48 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-19 01:48 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-17 21:33 . 2010-02-17 21:33 -------- d-----w- c:\documents and settings\Unique\Datos de programa\Malwarebytes
2010-02-17 21:33 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 21:33 . 2010-02-17 21:33 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Malwarebytes
2010-02-17 21:33 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 21:33 . 2010-02-20 00:22 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2010-02-17 20:47 . 2010-02-17 20:47 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Alwil Software
2010-02-17 20:32 . 2010-02-05 08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-17 20:32 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-17 20:32 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-17 20:32 . 2010-02-05 08:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-17 20:31 . 2010-02-17 20:32 -------- d-----w- c:\archivos de programa\Archivos comunes\PC Tools
2010-02-17 20:31 . 2010-02-17 20:32 -------- d-----w- c:\archivos de programa\Spyware Doctor
2010-02-17 20:31 . 2010-02-17 20:31 -------- d-----w- c:\documents and settings\Unique\Datos de programa\PC Tools
2010-02-17 20:31 . 2010-02-17 20:31 -------- d-----w- c:\documents and settings\All Users\Datos de programa\PC Tools
2010-02-17 20:29 . 2010-02-19 01:13 -------- d---a-w- c:\documents and settings\All Users\Datos de programa\TEMP
2010-02-17 09:06 . 2010-02-17 09:06 -------- d-sh--w- c:\documents and settings\Unique\PrivacIE
2010-02-17 08:59 . 2010-02-19 01:10 -------- d-----w- c:\documents and settings\Unique\Datos de programa\jbkisl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 00:38 . 2008-04-12 20:15 -------- d-----w- c:\documents and settings\Unique\Datos de programa\OpenOffice.org2
2010-02-21 00:15 . 2008-03-26 09:11 -------- d-----w- c:\archivos de programa\Java
2010-02-20 01:20 . 2008-04-13 13:10 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Google Updater
2010-02-19 17:00 . 2009-09-17 21:29 -------- d-----w- c:\archivos de programa\Archivos comunes\Symantec Shared
2010-02-17 20:48 . 2008-04-01 19:55 -------- d-----w- c:\archivos de programa\Alwil Software
2010-02-17 10:40 . 2009-04-24 18:36 -------- d-----w- c:\documents and settings\Unique\Datos de programa\Spotify
2010-02-11 00:41 . 2008-03-26 08:56 55944 ----a-w- c:\windows\system32\nvModes.dat
2010-02-06 13:44 . 2008-03-26 09:31 -------- d-----w- c:\archivos de programa\Google
2010-01-26 19:27 . 2009-11-24 21:09 79488 ----a-w- c:\documents and settings\Unique\Datos de programa\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-14 10:12 . 2009-10-03 08:33 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-01 23:21 . 2008-06-15 18:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2008-04-16 16:50 . 2008-04-16 16:50 638305 ----a-w- c:\archivos de programa\microstation_v8_xm_instruccions_installacio.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\archivos de programa\DellTPad\Apoint.exe" [2007-09-23 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"SigmatelSysTrayApp"="c:\archivos de programa\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-05 405504]
"IntelZeroConfig"="c:\archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"WavXMgr"="c:\archivos de programa\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\archivos de programa\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSScheduler"="c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"Acrobat Assistant 7.0"="c:\archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Windows Defender"="c:\archivos de programa\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"avast5"="c:\archiv~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"ISUSPM Startup"="c:\archiv~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-20 15360]
"DWQueuedReporting"="c:\archiv~1\ARCHIV~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

c:\documents and settings\Unique\Men£ Inicio\Programas\Inicio\
OpenOffice.org 2.3.lnk - c:\archivos de programa\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
Stardock ObjectDock.lnk - c:\archivos de programa\Stardock\ObjectDock\ObjectDock.exe [2008-4-11 3450608]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Acelerador de inicio de AutoCAD.lnk - c:\archivos de programa\Archivos comunes\Autodesk Shared\acstart16.exe [2005-3-5 10872]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-4-11 25214]
Adobe Gamma.lnk - c:\archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Bluetooth Manager.lnk - c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\archivos de programa\Digital Line Detect\DLG.exe [2008-3-26 50688]
Launchy.lnk - c:\archivos de programa\Launchy\Launchy.exe [2008-4-11 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 15:20 73728 ----a-w- c:\archivos de programa\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Next Limit\\Maxwell\\mxcl.exe"=
"c:\\Archivos de programa\\Google\\Google SketchUp 6\\SketchUp.exe"=
"c:\\Archivos de programa\\Dassault Systemes\\B17\\intel_a\\code\\bin\\orbixd.exe"=
"c:\\Archivos de programa\\Dassault Systemes\\B17\\intel_a\\code\\bin\\CNEXT.exe"=
"c:\\Archivos de programa\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\Spotify\\spotify.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [17/02/2010 21:32 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [19/02/2010 2:48 162512]
R1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [11/07/2003 14:22 14912]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 15:21 79432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19/02/2010 2:48 19024]
R2 BBDemon;Backbone Service;c:\archivos de programa\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe [29/04/2006 6:32 49152]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [08/09/2004 16:46 5120]
R2 WinDefend;Windows Defender;c:\archivos de programa\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02/11/2006 13:32 97536]
S2 gupdate;Servicio Google Update (gupdate);c:\archivos de programa\Google\Update\GoogleUpdate.exe [30/12/2009 12:35 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-26 08:01]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-12-30 11:35]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-12-30 11:35]

2010-02-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\archivos de programa\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]

2010-02-19 c:\windows\Tasks\Norton Security Scan for Unique.job
- c:\archivos de programa\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-10-03 14:45]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: Convert link target to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\archivos de programa\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: lledo - {54DB67D8-DE43-4362-BDA8-9C574379CAD5} - c:\archivos de programa\Archivos comunes\Lledo\DatabaseTools.dll
FF - ProfilePath - c:\documents and settings\Unique\Datos de programa\Mozilla\Firefox\Profiles\1dh83251.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\archivos de programa\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-21 01:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð•€|ÿÿÿÿ.•€|ù•9~*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1240)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(4684)
c:\windows\system32\WININET.dll
c:\archivos de programa\Stardock\ObjectDock\DockShellHook.dll
c:\archivos de programa\Windows Media Player\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\archivos de programa\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\archivos de programa\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'explorer.exe'(5952)
c:\windows\system32\WININET.dll
c:\archivos de programa\Stardock\ObjectDock\DockShellHook.dll
c:\windows\system32\browselc.dll
c:\archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\system32\PortableDeviceApi.dll
c:\archivos de programa\Microsoft Office\OFFICE11\msohev.dll
c:\archivos de programa\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archivos de programa\Intel\Wireless\Bin\S24EvMon.exe
c:\archivos de programa\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\System32\SCardSvr.exe
c:\archivos de programa\DellTPad\ApMsgFwd.exe
c:\archivos de programa\DellTPad\HidFind.exe
c:\archivos de programa\DellTPad\Apntex.exe
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\archivos de programa\OpenOffice.org 2.3\program\soffice.exe
c:\archivos de programa\OpenOffice.org 2.3\program\soffice.BIN
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\archivos de programa\Intel\Wireless\Bin\EvtEng.exe
c:\archivos de programa\Dell\QuickSet\NICCONFIGSVC.exe
c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
c:\windows\system32\nvsvc32.exe
c:\archivos de programa\Intel\Wireless\Bin\RegSrvc.exe
c:\archivos de programa\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\archivos de programa\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\archivos de programa\Intel\Wireless\Bin\WLKeeper.exe
c:\archivos de programa\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msdtc.exe
c:\archivos de programa\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-02-21 01:45:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 00:45

Pre-Run: 10.060.374.016 bytes libres
Post-Run: 29.704.056.832 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7F83C9E51E387A51F7F04A0CF7980758



Sanddj

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Sun Feb 21, 2010 1:47 am

Hello.
No, just saw your edit now.

Did you have the removal media plugged in when Combofix was run? If so, don't worry, Combofix didn't find any autorun.inf file present, and Combofix has also switched off autorun/autoplay.

One last leftover to deal with.


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Belahzur
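The leftover the CFScript above targets is the loopback proxy in the first ComboFix log (`uInternet Settings,ProxyServer = http=127.0.0.1:5555`), which routes every browser request through a listener on the infected machine. As an added example (not ComboFix's or the forum's own code), the parser below extracts ProxyServer entries from a ComboFix log, flags the loopback ones, and checks a follow-up log to confirm the entry is gone; the log excerpts are constructed from the two Supplementary Scan sections in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# ComboFix (DDS-style) prints the Internet Explorer proxy value in its
# "Supplementary Scan" section as, for example:
#   uInternet Settings,ProxyServer = http=127.0.0.1:5555
# The leading letter is the hive: 'u' = per-user (HKCU), 'm' = machine (HKLM).
PROXY_LINE = re.compile(r"^\s*([um])Internet Settings,ProxyServer\s*=\s*(\S.*)?$")
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


@dataclass(frozen=True)
class ProxyFinding:
    hive: str    # "HKCU" or "HKLM"
    scheme: str  # "http", "https", "ftp", "socks", or "all" for a bare host:port
    host: str
    port: int    # 0 when no numeric port was given


def _split_hostport(hostport: str) -> Tuple[str, int]:
    """Split 'host:port' (bracketed IPv6 allowed); port is 0 when absent."""
    text = hostport.strip()
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        return text.strip("[]"), 0
    return host.strip("[]"), int(port)


def parse_proxy_lines(log_text: str) -> List[ProxyFinding]:
    """Extract every ProxyServer entry from a ComboFix log.

    The registry value is either a bare "host:port" (applies to all schemes)
    or a ';'-separated list of "scheme=host:port" pairs.
    """
    findings: List[ProxyFinding] = []
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line)
        if not m or not m.group(2):
            continue
        hive = "HKCU" if m.group(1) == "u" else "HKLM"
        for part in m.group(2).split(";"):
            part = part.strip()
            if not part:
                continue
            scheme, eq, hostport = part.partition("=")
            if not eq:  # bare host:port with no scheme prefix
                scheme, hostport = "all", scheme
            host, port = _split_hostport(hostport)
            findings.append(ProxyFinding(hive, scheme.lower(), host, port))
    return findings


def loopback_proxies(log_text: str) -> List[ProxyFinding]:
    """ProxyServer entries that send the browser through a listener on the
    machine itself. With no legitimate local proxy software installed, this is
    the footprint of a component sitting between the browser and the network,
    which is why the CFScript in this thread removes the value."""
    return [f for f in parse_proxy_lines(log_text)
            if f.host.lower() in LOOPBACK_HOSTS]


def hijack_removed(before_log: str, after_log: str) -> bool:
    """True when the pre-fix log carried a loopback proxy and the post-fix
    log no longer does; False if there was nothing to remove or it persists."""
    return bool(loopback_proxies(before_log)) and not loopback_proxies(after_log)


# Constructed excerpts of the two Supplementary Scan sections in this thread
# (links replaced by a placeholder).
BEFORE_LOG = r"""
------- Supplementary Scan -------
.
uStart Page = [link removed]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: Convert link target to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
"""

AFTER_LOG = r"""
------- Supplementary Scan -------
.
uStart Page = [link removed]
uInternet Connection Wizard,ShellNext = [link removed]
IE: Convert link target to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
"""

if __name__ == "__main__":
    for f in loopback_proxies(BEFORE_LOG):
        print(f"loopback proxy in {f.hive}: {f.scheme} -> {f.host}:{f.port}")
    print("hijack removed after CFScript:", hijack_removed(BEFORE_LOG, AFTER_LOG))
```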

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sun Feb 21, 2010 2:28 am

[You must be registered and logged in to see this link.] wrote:
No, just saw your edit now.

Did you have the removal media plugged in when Combofix was run? If so, don't worry, Combofix didn't find any autorun.inf file present, and Combofix has also switched off autorun/autoplay.

I didn't have anything plugged in to the computer. It was absolutely unplugged from external devices.


Let's go with the log:


ComboFix 10-02-20.03 - Unique 21/02/2010 3:17.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2046.1429 [GMT 1]
Running from: c:\documents and settings\Unique\Escritorio\Combo-Fix.exe
Command switches used :: c:\documents and settings\Unique\Escritorio\CFScript.txt.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-20 23:55 . 2010-02-20 23:55 -------- d-----w- C:\_OTL
2010-02-19 01:48 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-19 01:48 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-19 01:48 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-19 01:48 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-19 01:48 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-19 01:48 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-19 01:48 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-19 01:48 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-19 01:48 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-17 21:33 . 2010-02-17 21:33 -------- d-----w- c:\documents and settings\Unique\Datos de programa\Malwarebytes
2010-02-17 21:33 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 21:33 . 2010-02-17 21:33 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Malwarebytes
2010-02-17 21:33 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 21:33 . 2010-02-20 00:22 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2010-02-17 20:47 . 2010-02-17 20:47 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Alwil Software
2010-02-17 20:32 . 2010-02-05 08:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-17 20:32 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-17 20:32 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-17 20:32 . 2010-02-05 08:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-17 20:31 . 2010-02-17 20:32 -------- d-----w- c:\archivos de programa\Archivos comunes\PC Tools
2010-02-17 20:31 . 2010-02-17 20:32 -------- d-----w- c:\archivos de programa\Spyware Doctor
2010-02-17 20:31 . 2010-02-17 20:31 -------- d-----w- c:\documents and settings\Unique\Datos de programa\PC Tools
2010-02-17 20:31 . 2010-02-17 20:31 -------- d-----w- c:\documents and settings\All Users\Datos de programa\PC Tools
2010-02-17 20:29 . 2010-02-19 01:13 -------- d---a-w- c:\documents and settings\All Users\Datos de programa\TEMP
2010-02-17 09:06 . 2010-02-17 09:06 -------- d-sh--w- c:\documents and settings\Unique\PrivacIE
2010-02-17 08:59 . 2010-02-19 01:10 -------- d-----w- c:\documents and settings\Unique\Datos de programa\jbkisl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 00:38 . 2008-04-12 20:15 -------- d-----w- c:\documents and settings\Unique\Datos de programa\OpenOffice.org2
2010-02-21 00:15 . 2008-03-26 09:11 -------- d-----w- c:\archivos de programa\Java
2010-02-20 01:20 . 2008-04-13 13:10 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Google Updater
2010-02-19 17:00 . 2009-09-17 21:29 -------- d-----w- c:\archivos de programa\Archivos comunes\Symantec Shared
2010-02-17 20:48 . 2008-04-01 19:55 -------- d-----w- c:\archivos de programa\Alwil Software
2010-02-17 10:40 . 2009-04-24 18:36 -------- d-----w- c:\documents and settings\Unique\Datos de programa\Spotify
2010-02-11 00:41 . 2008-03-26 08:56 55944 ----a-w- c:\windows\system32\nvModes.dat
2010-02-06 13:44 . 2008-03-26 09:31 -------- d-----w- c:\archivos de programa\Google
2010-01-26 19:27 . 2009-11-24 21:09 79488 ----a-w- c:\documents and settings\Unique\Datos de programa\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-14 10:12 . 2009-10-03 08:33 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-01 23:21 . 2008-06-15 18:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2008-04-16 16:50 . 2008-04-16 16:50 638305 ----a-w- c:\archivos de programa\microstation_v8_xm_instruccions_installacio.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\archivos de programa\DellTPad\Apoint.exe" [2007-09-23 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"SigmatelSysTrayApp"="c:\archivos de programa\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-05 405504]
"IntelZeroConfig"="c:\archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"WavXMgr"="c:\archivos de programa\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\archivos de programa\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSScheduler"="c:\archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\archivos de programa\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\archivos de programa\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"Acrobat Assistant 7.0"="c:\archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Windows Defender"="c:\archivos de programa\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"avast5"="c:\archiv~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"ISUSPM Startup"="c:\archiv~1\ARCHIV~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-20 15360]
"DWQueuedReporting"="c:\archiv~1\ARCHIV~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

c:\documents and settings\Unique\Men£ Inicio\Programas\Inicio\
OpenOffice.org 2.3.lnk - c:\archivos de programa\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
Stardock ObjectDock.lnk - c:\archivos de programa\Stardock\ObjectDock\ObjectDock.exe [2008-4-11 3450608]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Acelerador de inicio de AutoCAD.lnk - c:\archivos de programa\Archivos comunes\Autodesk Shared\acstart16.exe [2005-3-5 10872]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-4-11 25214]
Adobe Gamma.lnk - c:\archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Bluetooth Manager.lnk - c:\archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\archivos de programa\Digital Line Detect\DLG.exe [2008-3-26 50688]
Launchy.lnk - c:\archivos de programa\Launchy\Launchy.exe [2008-4-11 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 15:20 73728 ----a-w- c:\archivos de programa\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Next Limit\\Maxwell\\mxcl.exe"=
"c:\\Archivos de programa\\Google\\Google SketchUp 6\\SketchUp.exe"=
"c:\\Archivos de programa\\Dassault Systemes\\B17\\intel_a\\code\\bin\\orbixd.exe"=
"c:\\Archivos de programa\\Dassault Systemes\\B17\\intel_a\\code\\bin\\CNEXT.exe"=
"c:\\Archivos de programa\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\Spotify\\spotify.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [17/02/2010 21:32 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [19/02/2010 2:48 162512]
R1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [11/07/2003 14:22 14912]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 15:21 79432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19/02/2010 2:48 19024]
R2 BBDemon;Backbone Service;c:\archivos de programa\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe [29/04/2006 6:32 49152]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [08/09/2004 16:46 5120]
R2 WinDefend;Windows Defender;c:\archivos de programa\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02/11/2006 13:32 97536]
S2 gupdate;Servicio Google Update (gupdate);c:\archivos de programa\Google\Update\GoogleUpdate.exe [30/12/2009 12:35 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-26 08:01]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-12-30 11:35]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2009-12-30 11:35]

2010-02-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\archivos de programa\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]

2010-02-19 c:\windows\Tasks\Norton Security Scan for Unique.job
- c:\archivos de programa\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-10-03 14:45]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: Convert link target to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\archivos de programa\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: lledo - {54DB67D8-DE43-4362-BDA8-9C574379CAD5} - c:\archivos de programa\Archivos comunes\Lledo\DatabaseTools.dll
FF - ProfilePath - c:\documents and settings\Unique\Datos de programa\Mozilla\Firefox\Profiles\1dh83251.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\archivos de programa\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\archivos de programa\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\archivos de programa\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-21 03:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð•€|ÿÿÿÿ.•€|ù•9~*]
"A0C0110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1240)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\archivos de programa\Stardock\ObjectDock\DockShellHook.dll
c:\archivos de programa\Windows Media Player\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-21 03:22:31
ComboFix-quarantined-files.txt 2010-02-21 02:22
ComboFix2.txt 2010-02-21 00:46

Pre-Run: 29.746.659.328 bytes libres
Post-Run: 29.725.458.432 bytes libres

- - End Of File - - 660C809B916F4D31D91C7D02384656C6


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Sun Feb 21, 2010 4:30 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sun Feb 21, 2010 6:58 pm

Done. ComboFix is uninstalled.

I think the computer is running pretty well!!

Do you think we should "clean" something else? Or does everything look fine?

And what do you recommend installing on the computer to keep it safe (in addition to Windows Defender and Avast Home 5.0)?


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Sun Feb 21, 2010 8:19 pm

This should be okay now.



Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Sun Feb 21, 2010 9:13 pm

Great!

And should I install some protection software apart from the Windows Defender and the Avast Home 5.0?


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Mon Feb 22, 2010 1:02 am

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Mon Feb 22, 2010 8:52 pm

Thank you so much. My sister (her computer was the infected one) was very interested to know the latest information.


Only one more question. I think the infection could have come from an external USB hard drive used for storage and back-up copies.

How should I scan it so that we don't get infected again? Any particular instructions?


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Mon Feb 22, 2010 9:04 pm

Hello.
The loading point is removed; is it just one removable drive you think is infected?



Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Mon Feb 22, 2010 9:36 pm

Yes, it is.

But it wasn't plugged in when we did the whole cleaning process.


Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Mon Feb 22, 2010 9:37 pm

Please download [You must be registered and logged in to see this link.] to your Desktop and run it by double clicking the program's icon.

  1. Wait a couple of seconds for initial scan to finish.
  2. Connect all of your USB storage devices to the PC, one at a time, and keep each one connected at least for 10 seconds.
  3. If there are more USB storage devices to scan, please take a note about the order in which these were connected.
  4. After all the devices are scanned, right click in the Monitor tab, and choose "Save log". That will open the log in Notepad. Please copy and paste the log into this thread.
Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.



Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Mon Feb 22, 2010 9:59 pm

The log! (I think I didn't do it well.)

I plugged the (same) hard drive (the one that could have the virus inside) into each USB port.

Was that it?


USBNoRisk 2.5 (26 July 2009) by bobby

Started at 22/02/2010 22:44:28

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {f5053ce0-ff50-11dc-bcee-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for f5053ce0-ff50-11dc-bcee-806d6172696f
----------------------------------------
Desktop.ini found at C:\i386\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
----------------------------------------
HKCR\CLSID\{7BD29E00-76C1-11CF-9DD0-00A0C9034933}\DefaultIcon,@ = C:\WINDOWS\system32\ieframe.dll,-20780
HKCR\CLSID\{7BD29E00-76C1-11CF-9DD0-00A0C9034933}\InProcServer32,@ = C:\WINDOWS\system32\ieframe.dll
HKLM\Software\Classes\CLSID\{7BD29E00-76C1-11CF-9DD0-00A0C9034933}\DefaultIcon,@ = C:\WINDOWS\system32\ieframe.dll,-20780
HKLM\Software\Classes\CLSID\{7BD29E00-76C1-11CF-9DD0-00A0C9034933}\InProcServer32,@ = C:\WINDOWS\system32\ieframe.dll
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 22/02/2010 22:44:49

Scanning for connected USB mass storage...
----------------------------------------
E: {5c290f6d-0874-11dd-bcf4-001e37c4a700}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for E:
No mountpoint found for 5c290f6d-0874-11dd-bcf4-001e37c4a700
----------------------------------------

----------------------------------------
Desktop.ini found at E:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive E:
========================================

========================================
Removed E:
========================================


New device connected at 22/02/2010 22:45:22

Scanning for connected USB mass storage...
----------------------------------------
E: {5c290f6d-0874-11dd-bcf4-001e37c4a700}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for E:
No mountpoint found for 5c290f6d-0874-11dd-bcf4-001e37c4a700
----------------------------------------

----------------------------------------
Desktop.ini found at E:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive E:
========================================

========================================
Removed E:
========================================


New device connected at 22/02/2010 22:46:09

Scanning for connected USB mass storage...
----------------------------------------
E: {5c290f6d-0874-11dd-bcf4-001e37c4a700}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for E:
No mountpoint found for 5c290f6d-0874-11dd-bcf4-001e37c4a700
----------------------------------------

----------------------------------------
Desktop.ini found at E:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive E:
========================================



Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Belahzur on Mon Feb 22, 2010 10:01 pm

Hello.
Looks good, no autorun file found on the removable media. It's not infected.


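The two indicators the verdict above rests on (no autorun.inf on the removable drive, and the only Desktop.ini CLSID on it being the Recycle Bin's, as the USBNoRisk log shows for E:\Recycled\) can be checked by hand on any mounted volume. The following is an added Python example, not code from this thread or from USBNoRisk; it covers only those two checks, builds constructed sample volumes in a temporary directory, and the all-zero CLSID on the "suspect" sample is a placeholder invented for the demo.

```python
import os
import tempfile

# Recycle Bin CLSID, exactly as USBNoRisk reported it for E:\Recycled\Desktop.ini in
# the log above. Windows writes that Desktop.ini itself, so it is an expected entry.
KNOWN_SHELL_CLSIDS = {
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
}

# Keys under [.ShellClassInfo] that hand a folder's shell behaviour to a COM object.
CLSID_KEYS = ("CLSID", "CLSID2", "UICLSID")


def parse_desktop_ini(path):
    """Return {KEY: clsid} for CLSID-type keys in [.ShellClassInfo], or {} if none."""
    found = {}
    in_section = False
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("[") and line.endswith("]"):
                in_section = line[1:-1].lower() == ".shellclassinfo"
                continue
            if in_section and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key.upper() in CLSID_KEYS:
                    found[key.upper()] = value.upper()
    return found


def scan_volume(root):
    """Return a list of findings for a volume root; an empty list means both checks passed."""
    findings = []
    # Check 1: an autorun.inf at the root (name compared case-insensitively, as FAT/NTFS do).
    if any(name.lower() == "autorun.inf" for name in os.listdir(root)):
        findings.append("autorun.inf present at volume root")
    # Check 2: any Desktop.ini whose CLSID is not one Windows itself is known to write.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            for key, clsid in parse_desktop_ini(full).items():
                if clsid not in KNOWN_SHELL_CLSIDS:
                    findings.append(f"{rel}: {key} refers to unknown CLSID {clsid}")
    return findings


def build_sample_volumes():
    """Constructed sample data (not from the thread): a clean root shaped like the E:
    drive in the log, and a suspect root carrying an autorun.inf and a placeholder CLSID."""
    base = tempfile.mkdtemp(prefix="usbcheck_")
    clean = os.path.join(base, "clean")
    os.makedirs(os.path.join(clean, "Recycled"))
    clean_ini = os.path.join(clean, "Recycled", "Desktop.ini")
    with open(clean_ini, "w") as fh:
        fh.write("[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n")
    suspect = os.path.join(base, "suspect")
    os.makedirs(os.path.join(suspect, "Photos"))
    with open(os.path.join(suspect, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n")  # contents are irrelevant here; only its presence is checked
    with open(os.path.join(suspect, "Photos", "desktop.ini"), "w") as fh:
        # The all-zero CLSID is a placeholder invented for this demo, not a real one.
        fh.write("[.ShellClassInfo]\nCLSID={00000000-0000-0000-0000-000000000000}\n")
    return {"clean": clean, "suspect": suspect, "clean_ini": clean_ini}


if __name__ == "__main__":
    vols = build_sample_volumes()
    for label in ("clean", "suspect"):
        print(label, scan_volume(vols[label]) or ["no findings"])
```

On a real drive, point `scan_volume` at the mounted root (for example `E:\`); a Desktop.ini is only flagged when its CLSID is not in the known list, so extend `KNOWN_SHELL_CLSIDS` for other folders Windows itself customizes.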

Re: Infected by Nuqel.E, BankerFox.A, unlimited pop-ups

Post by Sanddj on Mon Feb 22, 2010 10:15 pm

Yeah, I read that there isn't any autorun.inf, the one Avast 4.8 was warning me about (before updating to 5.0).

I see I understood it well.


I'm going to take a look at all the advice on the previous page.

I hope I don't need to contact you again in the future (but only 'cause that'd mean that I got infected again).

So I think that's all. Thank you very much for your help and your patience.


Sanddj
