trojan infection win32\bifrose.bcb


13 replies to this topic

#1 sweet_b

sweet_b

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 20 October 2007 - 01:46 PM

I analyzed my computer with the NOD32 antivirus system and it reported an error and blocked files (4); I don't understand why this happened, and it also found this trojan:

C:\WINDOWS\system32\SiLeNtt\ana.exe - Win32/Bifrose.BCB (Troyano)

I clicked on the option to eliminate it but.. I want to know what it is and if it can control my webcam and steal videos or anything from my computer, and what I can do to protect my computer from viruses, trojans, spyware...

I'll be glad if you can help me. Thanks in advance.

I paste the scan log here:

Comienzo: 20/10/2007 13:44:09
Registro de sucesos
NOD32 Scanner versión 2604 (20071019) NT
- Está correcto en memoria operativa

Fecha: 20.10.2007 hora: 13:44:21
La Tecnología Anti-Stealth está activada.
Discos, carpetas y archivos analizados: C:; D:; E:
C:\pagefile.sys - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\NTUSER.DAT - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\NTUSER.DAT.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sexsy_18@hotmail.com\SharingMetadata\pending.dat - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sexsy_18@hotmail.com\SharingMetadata\Working\database_C24_E864_24E8_51EE\dfsr.db - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sexsy_18@hotmail.com\SharingMetadata\Working\database_C24_E864_24E8_51EE\fsr.log - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sexsy_18@hotmail.com\SharingMetadata\Working\database_C24_E864_24E8_51EE\fsrtmp.log - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sexsy_18@hotmail.com\SharingMetadata\Working\database_C24_E864_24E8_51EE\tmp.edb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sweet_bachelorette@hotmail.com\SharingMetadata\pending.dat - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sweet_bachelorette@hotmail.com\SharingMetadata\Working\database_C24_E864_24E8_51EE\dfsr.db - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sweet_bachelorette@hotmail.com\SharingMetadata\Working\database_C24_E864_24E8_51EE\fsr.log - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sweet_bachelorette@hotmail.com\SharingMetadata\Working\database_C24_E864_24E8_51EE\fsrtmp.log - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Messenger\sweet_bachelorette@hotmail.com\SharingMetadata\Working\database_C24_E864_24E8_51EE\tmp.edb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\chat512.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\chatmember256.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\chatmsg1024.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\chatmsg2048.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\chatmsg256.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\chatmsg512.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\contactgroup256.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\index2.dat - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\profile4096.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\transfer256.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\transfer512.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\user1024.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\user16384.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\user32768.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\user4096.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\Administrador\Datos de programa\Skype\lebeau_soleil\voicemail256.dbb - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\LocalService\NTUSER.DAT - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat - Error abriendo archivo (El archivo está bloqueado) [4]
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - Error abriendo archivo (Acceso denegado) [4]
C:\WINDOWS\system32\config\default - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\default.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\SAM - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\SAM.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\SECURITY - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\software - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\software.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\system - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\system.LOG - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\drivers\sptd.sys - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\SiLeNtt\ana.exe - Win32/Bifrose.BCB (Troyano) - Eliminado
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd143\lestad_811@hotmail.com.ple - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd143\on3eon7@hotmail.com.ple - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\800px-Antalya_harbor_view_2004.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\800px-Manavgat_waterfall_by_tomgensler.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\800px-Mount_olympos_turkey.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\800px-Pamukkale00.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\casadevirgen.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\casas_1.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\hamam001.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\Istanbul_levent.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\lavirgen_1.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\sanjuan.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\Thumbs.db - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\thumb_marmol.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\thumb_templo.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\thumb_trajano.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd219\turquia.jpg - Error abriendo archivo (Acceso denegado) [4]
D:\RECYCLER\S-1-5-21-842925246-884357618-725345543-1003\Dd230\PowerDVD\Default.PLS - Error abriendo archivo (Acceso denegado) [4]
D:\System Volume Information\MountPointManagerRemoteDatabase - Error abriendo archivo (Acceso denegado) [4]
E:\System Volume Information\MountPointManagerRemoteDatabase - Error abriendo archivo (Acceso denegado) [4]
Cantidad de archivos analizados: 33062
Cantidad de amenazas detectadas: 1
Cantidad de archivos desinfectados: 1
Hora de finalización: 13:56:28 . Tiempo total de análisis: 727 seg (00:12:07)

Notas:
[4] El archivo no puede ser abierto. Es usado en exclusividad por otra aplicación.
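The confusion in the post above (an "error" and "blocked files (4)" alongside one detection) is a matter of reading the scan log: the bracketed `[4]` lines are files the scanner could not open because another process held them exclusively, and only the line carrying a detection name and an action is an actual finding. The following Python script is an added example written for this thread; it is not part of the original post and not ESET's code. It parses the line formats seen in the NOD32 v2 log above (error lines, detection lines and the `Notas:` legend) and separates scanner errors from threats. The sample log is a constructed excerpt of the one posted; the regular expressions are assumptions based on that excerpt only.

```python
"""Triage of a NOD32 v2 scan log: separate scanner errors from detections.

Added example, not part of the forum thread or ESET's tooling.  The line
formats are modelled on the log pasted above; SAMPLE_LOG is a constructed
excerpt of it.
"""
import re
from collections import Counter

# Error lines:     "<path> - Error abriendo archivo (<reason>) [<note>]"
# Detection lines: "<path> - <detection name> (<type>) - <action>"
# Legend lines (after "Notas:"): "[<note>] <explanation>"
ERROR_RE = re.compile(
    r"^(?P<path>.+?) - Error abriendo archivo \((?P<reason>[^)]+)\) \[(?P<note>\d+)\]$"
)
THREAT_RE = re.compile(
    r"^(?P<path>.+?) - (?P<name>\S+) \((?P<kind>[^)]+)\)(?: - (?P<action>.+))?$"
)
LEGEND_RE = re.compile(r"^\[(?P<note>\d+)\] (?P<text>.+)$")

# Constructed excerpt of the NOD32 log posted above.
SAMPLE_LOG = r"""
Comienzo: 20/10/2007 13:44:09
Registro de sucesos
NOD32 Scanner versión 2604 (20071019) NT
- Está correcto en memoria operativa
Discos, carpetas y archivos analizados: C:; D:; E:
C:\pagefile.sys - Error abriendo archivo (El archivo está bloqueado) [4]
C:\WINDOWS\system32\config\SAM - Error abriendo archivo (El archivo está bloqueado) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - Error abriendo archivo (Acceso denegado) [4]
C:\WINDOWS\system32\SiLeNtt\ana.exe - Win32/Bifrose.BCB (Troyano) - Eliminado
Cantidad de archivos analizados: 33062
Cantidad de amenazas detectadas: 1
Hora de finalización: 13:56:28 . Tiempo total de análisis: 727 seg (00:12:07)

Notas:
[4] El archivo no puede ser abierto. Es usado en exclusividad por otra aplicación.
"""


def parse_nod32_log(text):
    """Return {'errors': [...], 'threats': [...], 'legend': {note: text}}."""
    errors, threats, legend = [], [], {}
    in_notes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Notas:"):
            in_notes = True          # everything after this is the note legend
            continue
        if in_notes:
            m = LEGEND_RE.match(line)
            if m:
                legend[m.group("note")] = m.group("text")
            continue
        m = ERROR_RE.match(line)
        if m:                        # a file the scanner could not open
            errors.append(m.groupdict())
            continue
        m = THREAT_RE.match(line)
        if m and "\\" in m.group("path"):   # only real file paths are findings
            threats.append(m.groupdict())
    return {"errors": errors, "threats": threats, "legend": legend}


def summarize(parsed):
    """Group open errors by (reason, note code); list threats with their action."""
    by_reason = Counter((e["reason"], e["note"]) for e in parsed["errors"])
    return {
        "locked_or_denied": dict(by_reason),
        "threats": [(t["path"], t["name"], t["action"]) for t in parsed["threats"]],
    }


def explain(parsed):
    """Human-readable lines: errors are explained via the legend, threats listed."""
    lines = []
    for (reason, note), count in summarize(parsed)["locked_or_denied"].items():
        meaning = parsed["legend"].get(note, "(no legend entry)")
        lines.append(f"{count} file(s) not scanned: {reason} [{note}] -> {meaning}")
    for path, name, action in summarize(parsed)["threats"]:
        lines.append(f"DETECTION: {name} in {path} (action: {action or 'none'})")
    return lines


if __name__ == "__main__":
    for line in explain(parse_nod32_log(SAMPLE_LOG)):
        print(line)
```

Run against the full log pasted above, the three `[4]` groups (locked hives and page file, access-denied system-volume folders, locked Messenger and Skype databases) are reported as unscanned files, not infections, and the single detection is listed separately with the action the scanner took.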


#2 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 21 October 2007 - 02:44 PM

Hola sweet_b,

Welcome to WTT. You started out in the wrong way by posting additional requests, so be sure to only make one when asking for assistance. That infected file could have come by opening/clicking on an email file or through IRC channels, so the best defense for this often is you being cautious with those sources. Let's see what is loaded there now.

Please download HijackThis from Here. Then click on the downloaded file, install HijackThis, and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.

Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here.

#3 sweet_b

sweet_b

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 21 October 2007 - 10:11 PM

Thanks for the reply and sorry if I did something wrong. I posted 3 times because every time after I posted, a page appeared that said ERROR, so I thought I hadn't posted anything and I did it again. Forgive me, my English is not good, but I didn't find anything about the win32\bifrose.. in Spanish, so I tried to ask here, and I don't understand the rules of the forum much.

I tried to do exactly what you said and these are the results; I hope I did it OK.

Logfile of HijackThis v1.99.1
Scan saved at 22:51:42, on 21/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\Lexmark 2400 Series\ezprint.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgrssvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\ARCHIV~1\Grisoft\AVG7\avgfwsrv.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.windowsue.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsue.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer proporcionado por Windows uE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Barra de herramientas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Archivos de programa\Lexmark Toolbar\toolband.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Lexmark Barra de herramientas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Archivos de programa\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Archivos de programa\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Archivos de programa\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Archivos de programa\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Gizmo Project] C:\Archivos de programa\Gizmo Project\Gizmo.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.liv...es/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1186265344234
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://anasbasement....ad/MsnPUpld.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com.../crusher-mx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe




"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Skype" = ""C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"msnmsgr" = ""C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background" [MS]
"Yahoo! Pager" = ""C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"nod32kui" = ""C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"lxcrmon.exe" = ""C:\Archivos de programa\Lexmark 2400 Series\lxcrmon.exe"" [null data]
"EzPrint" = ""C:\Archivos de programa\Lexmark 2400 Series\ezprint.exe"" ["Lexmark International Inc."]
"FaxCenterServer" = ""C:\Archivos de programa\Lexmark Fax Solutions\fm3032.exe" /s" [empty string]
"LXCRCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16" [MS]
"Gizmo Project" = "C:\Archivos de programa\Gizmo Project\Gizmo.exe" [file not found]
"!AVG Anti-Spyware" = ""C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{1017A80C-6F09-4548-A84D-EDD6AC9525F0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Lexmark Barra de herramientas"
\InProcServer32\(Default) = "C:\Archivos de programa\Lexmark Toolbar\toolband.dll" [null data]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
\InProcServer32\(Default) = "C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {HKLM...CLSID} = "Extensión de paneo de pantalla del Panel de control"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"
-> {HKLM...CLSID} = "GMail Drive"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"
-> {HKLM...CLSID} = "GMailFS Property Sheet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"
-> {HKLM...CLSID} = "GMailFS Drop Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"
-> {HKLM...CLSID} = "GMailFS Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Mis carpetas para compartir"
\InProcServer32\(Default) = "C:\Archivos de programa\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\Eset\nodshex.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Archivos de programa\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Archivos de programa\Unlocker\UnlockerCOM.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\ARCHIV~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> avgwlntf\DLLName = "avgwlntf.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\ARCHIV~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Archivos de programa\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Archivos de programa\Eset\nodshex.dll" [null data]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Archivos de programa\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Archivos de programa\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Archivos de programa\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoStartBanner" = (REG_DWORD) hex:0x00000001
{Remove "Click here to begin" from Start button}

"NoSMHelp" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}

"NoSMConfigurePrograms" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoSMMyPictures" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove My Pictures icon from Start Menu}

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoResolveTrack" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoSaveSettings" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableStatusMessages" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"VerboseStatus" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoInternetOpenWith" = (REG_DWORD) hex:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrador\Configuración local\Datos de programa\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 24
C:\WINDOWS\system32\avgfwafu.dll ["GRISOFT, s.r.o."], 06 - 10
%SystemRoot%\system32\mswsock.dll [MS], 11 - 13, 16 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 14 - 15


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}"
-> {HKLM...CLSID} = "Lexmark Barra de herramientas"
\InProcServer32\(Default) = "C:\Archivos de programa\Lexmark Toolbar\toolband.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = (no title provided)
-> {HKLM...CLSID} = "Lexmark Barra de herramientas"
\InProcServer32\(Default) = "C:\Archivos de programa\Lexmark Toolbar\toolband.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Referencia"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\ARCHIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Consola de Sun Java"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Archivos de programa\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
-> {HKLM...CLSID} = "Skype add-on (button)"
\InProcServer32\(Default) = "C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Referencia"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
AVG E-mail Scanner, AVGEMS, "C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG Firewall, AVGFwSrv, "C:\ARCHIV~1\Grisoft\AVG7\avgfwsrv.exe /srvfsys" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Resident Shield Service, AvgCoreSvc, "C:\ARCHIV~1\Grisoft\AVG7\avgrssvc.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
lxcr_device, lxcr_device, "C:\WINDOWS\system32\lxcrcoms.exe -service" [" "]
NOD32 Kernel Service, NOD32krn, ""C:\Archivos de programa\Eset\nod32krn.exe"" ["Eset "]
Servicio Lector del diario USN de Carpetas para compartir de Messenger, usnjsvc, ""C:\Archivos de programa\MSN Messenger\usnsvc.exe"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
2400 Series Port\Driver = "lxcrlmpm.DLL" [" "]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [empty string]


---------- (launch time: 2007-10-21 23:01:30)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 33 seconds.
---------- (total run time: 86 seconds)

#4 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 22 October 2007 - 03:31 PM

No infection showing, but some unusual policy restrictions. Normally when the Start button is clicked, the menu display includes "Set Program Access and Defaults". But here it shows as disabled, so it would not show there. Do you know what made such setting changes?


Let's see if any other infection is found. Disable your antivirus program (remember to re-enable it once this scan is complete) and go here (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export the scan report". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.

#5 sweet_b (New Member, 10 posts)

Posted 22 October 2007 - 06:36 PM

I don't know about the settings changes :( All I know is that when I got my computer it was fine; then I had to format (I don't remember why), so my brother did it, but he formatted only C. When I used to have a problem, I pressed the button to restore the system, but after my brother did the format I don't have that option anymore, and there are many things I can't do, like create an administrator user and change the type, and my user is supposed to be an administrator. When I do a scan, it says all files are blocked (like in the first post up there). So maybe the changes are because of something my brother did, or maybe I did it without knowing, because when I have a virus or something, I download programs and try to do it by myself when I don't have anyone to help me. Yesterday, after I sent the results post, I used the AVG anti-rootkit and it never found anything; then I used AVG Anti-Spyware, AVG 7.5 and Ad-Aware SE, and they found some things and eliminated them; then I ran them again and they appeared again, so I opened the registry and deleted the files that the scan found. Today I checked everything and didn't find anything; then I checked my USB, where I keep my homework and the files I saved before the format, and it found a trojan horse (something like that) and removed it. My computer is still slow, and I think... because I downloaded many antivirus/antispyware programs?? I want to have all the protection, but not many programs, so it would be nice if you recommend me something. Anyway, from now on I'll be cautious with everything I open. BitDefender sent me an error message and couldn't do the update; anyway I scanned and it didn't find anything.

BitDefender Online Scanner - Real Time Virus Report
Generated at: Mon, Oct 22, 2007 - 19:32:03
--------------------------------------------------------------------------------
Scan Info
Scanned Files 51111
Infected Files 0
Virus Detected No virus found.
--------------------------------------------------------------------------------
This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

#6 sweet_b (New Member, 10 posts)

Posted 23 October 2007 - 08:12 AM

Hi.. I know maybe I should wait for the reply but I am really concerned about my computer..

After I posted the last message here, when my computer is supposed to be clean.. I opened my Messenger and then I clicked on the button "Events" (I have MSN Plus) and suddenly I saw like 7 mail addresses that I don't know and don't even have in my contact list! And in that list of the events it said I unblocked them! But I searched in my mail and I didn't have any of those mails, then (I did wrong but..) I opened conversation windows from the MSN Plus events and I blocked them and closed again..

I opened regedit and searched for Bifrose and I found it! It is supposed to be deleted and clean.. so I eliminated those files.. but I think the best is to cancel my Messenger account and format my computer.

The problem is I have 3 accounts.. how can I know if all are infected or have a bad mail :( ... Should I close all? ......

I am using my laptop but.. I am not sure if that is safe or if it is the same thing..

I know I'm too desperate but one mail is for school, another for family and another for friends.. so it is very important for me to be safe.

Thank you very much in advance, I wait for your answer.

#7 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 23 October 2007 - 12:47 PM

To be straight up here there has yet to be any infection showing in any logs posted. When you say you located "BIFROSE" in the registry, you actually found the word "BIFROSE"? This is an infection designation but not actually a named item used by infection. The policy settings are not those seen placed by infection - just not normally seen in logs so good to check with you on. But so far you have one AV alert on a file and some unfamiliar email account names, but nothing I might work with as far as suggested removal steps.

Is this folder still located there?

C:\WINDOWS\system32\SiLeNtt

#8 sweet_b (New Member, 10 posts)

Posted 23 October 2007 - 07:20 PM

I didn't understand much of what you said :( , but... yes, I found this name "bifrose" and I found it like bifrose.bcb and below it other names like syspare, all in red symbols.

This C:\WINDOWS\system32\SiLeNtt I didn't find inside the system32 folder, but when I searched with the tool to find folders and files, I found it. There is nothing inside and it said it has hidden attributes (or something like that).

And I removed the programs (HijackThis and Silent Runners) before I found the bifrose thing in the registry. Did I do wrong? :huh:

The antivirus and antispyware don't detect anything by now.

Edited by sweet_b, 23 October 2007 - 07:27 PM.


#9 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 24 October 2007 - 05:42 AM

It would seem perhaps the items you located named "bifrose" may have been put there by your protective software, though without more information I am only guessing. For now, if no scans locate anything and it is not repeating your system appears to be okay.

#10 sweet_b (New Member, 10 posts)

Posted 24 October 2007 - 09:46 PM

OK, thank you very much for all your help. I have a question about some sites.. hi5 and Facebook, are they dangerous sites? Can I get a virus or spyware.. from those? Thanks for all, ana.

#11 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 25 October 2007 - 01:01 PM

I was more than glad to review things with you here. I stay aware of many sites known for bad things, and don't recall either of those websites listed as harmful.

#12 sweet_b (New Member, 10 posts)

Posted 25 October 2007 - 01:37 PM

OK, thank you for your patience. My English is so bad that sometimes I only understood half of what you said :P So, I think there are no more problems now? I can let you take a break from me :P

#13 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 25 October 2007 - 04:23 PM

I speak a little Spanish. It's fine.

#14 sweet_b (New Member, 10 posts)

Posted 25 October 2007 - 08:55 PM

Thank you!! Take care!!!!!!!!
