Error Message Saying: "Your system could become unstable"


SpikeDelight

I keep getting this error message when I start up my computer or when it
comes away from sleep mode. It just started around yesterday or 2 days ago.
It reads:

Your system could become unstable

A potential problem has been detected and Windows has been
shutdown buggy application to prevent damage to your computer.
****WXYZ.SYS - AddressF73120AE base at C00000, DateStamp
36b072A3
Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)

I have no idea what this is but it seems like it's serious. The only thing
is that the incorrect grammar (Windows has been shutdown buggy application)
makes me suspicious. If someone could help me out that would be great.
 

Dustin Harper

It is a virus. Here is a post in another forum from Amol Sable, Security
Analyst (Secur-i Group), with a link to rid yourself of the virus:

Common symptoms:
================================================================================

1] System drives show a red cross in front of each drive icon [probably
showing the disconnected state of the logical drive]

2]System alerts:
a] NT_kernel error 1256
b] A potential problem has been detected and Windows has been shutdown buggy
application to prevent damage to your computer.
****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3
Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)

3]Several pos*.tmp files created in system drive.

4]Two new shortcuts created on Desktop
a] Windows Update [ http://storageprotector.com/clean/p=60&gai....]
b] Help an Support Center [ http://storageprotector.com/clean/p=61&gai....]

Both point to some suspicious links [not the authentic Windows Update
Server]


Screenshot of an infected desktop with a few alerts:
http://img265.imageshack.us/img265/8682/sceenkb9.jpg

================================================================================

Discussion:
Interestingly, there's a thread initiated in the bitDefender AntiVirus
Forum - since YESTERDAY, discussing this issue:
http://forum.bitdefender.com/index.php?showtopic=3561

================================================================================

Fix:
The VundoFix and Combofix utilities have been used successfully to detect
several malicious files indicating infection. Both utilities also have an
option to remove the infection.

VundoFix
http://www.tinyurl.com/9uaag

Combofix
http://tinyurl.com/22n35l
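Two of the symptoms in the list above are plain on-disk indicators, so they can be checked without any special tooling. The script below is an added example written for this page, not code from Amol Sable's post or from VundoFix/Combofix. It assumes the pos*.tmp files sit in the root of the system drive and that the two rogue shortcuts are ordinary .url or .lnk files on the Desktop, and it builds a constructed sample directory so it can be run anywhere for a dry run.

```python
"""Added example: check a host for the on-disk indicators listed above.

Not from the thread. It looks for the two filesystem symptoms quoted in the
post: pos*.tmp droppings in the root of the system drive, and Desktop
shortcuts (.url or .lnk) whose target mentions storageprotector.com.
Registry Run keys are left out so the script runs on any OS.
"""
import os
import tempfile
from pathlib import Path

SUSPICIOUS_DOMAINS = ("storageprotector.com",)  # domain quoted in the post above


def find_temp_droppings(system_drive: str) -> list:
    """Names of pos*.tmp files directly in the root of the system drive (assumed location)."""
    root = Path(system_drive)
    return sorted(p.name for p in root.glob("pos*.tmp") if p.is_file())


def shortcut_mentions(path: Path, domains=SUSPICIOUS_DOMAINS) -> bool:
    """True if the shortcut file contains one of the domains.

    .url files are plain INI text ("URL=http://..."), while .lnk files keep
    their target strings in a binary structure, usually UTF-16-LE, so both
    encodings are searched. bytes.lower() folds case on the ASCII range only,
    which is all a domain name needs.
    """
    data = path.read_bytes().lower()
    for d in domains:
        if d.encode("ascii") in data or d.encode("utf-16-le") in data:
            return True
    return False


def find_rogue_shortcuts(desktop_dir: str) -> list:
    """Names of Desktop shortcuts whose target points at a listed domain."""
    hits = []
    for p in Path(desktop_dir).iterdir():
        if p.is_file() and p.suffix.lower() in (".lnk", ".url") and shortcut_mentions(p):
            hits.append(p.name)
    return sorted(hits)


def check_host(system_drive: str, desktop_dir: str) -> dict:
    """Run both checks and return what was found."""
    return {
        "temp_droppings": find_temp_droppings(system_drive),
        "rogue_shortcuts": find_rogue_shortcuts(desktop_dir),
    }


def build_fixture(base: Path) -> tuple:
    """Constructed sample data (not a real infected disk) so the check runs offline."""
    drive = base / "drive"
    desktop = base / "Desktop"
    drive.mkdir()
    desktop.mkdir()
    (drive / "pos12.tmp").write_bytes(b"\x00" * 16)
    (drive / "pos7.tmp").write_bytes(b"\x00" * 16)
    (drive / "notes.txt").write_text("benign")
    # .url shortcut: INI text, the shape the fake "Windows Update" shortcut would have
    (desktop / "Windows Update.url").write_text(
        "[InternetShortcut]\r\nURL=http://storageprotector.com/clean/p=60\r\n")
    # .lnk shortcut: binary header followed by a UTF-16-LE target string
    (desktop / "Help and Support Center.lnk").write_bytes(
        b"L\x00\x00\x00" + "http://StorageProtector.com/clean/p=61".encode("utf-16-le"))
    (desktop / "Firefox.lnk").write_bytes(
        b"L\x00\x00\x00" + r"C:\Program Files\Mozilla Firefox\firefox.exe".encode("utf-16-le"))
    return str(drive), str(desktop)


def run_demo() -> dict:
    """Dry run against the constructed fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, desktop = build_fixture(Path(tmp))
        return check_host(drive, desktop)


if __name__ == "__main__":
    print(run_demo())
    if os.name == "nt":  # real check on a Windows host
        print(check_host(os.environ.get("SystemDrive", "C:") + "\\", str(Path.home() / "Desktop")))
```

A hit from either check is grounds for the cleanup steps discussed in the thread, not a cleanup in itself; the script only reads files and changes nothing.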
 

SpikeDelight

Thank you but neither of these applications work. After the VundoFix is done
scanning for files when I press Remove Vundo it just restarts my computer
immediately. And the ComboFix won't open. A message comes up saying that
it's not a valid system32 application.

Dustin Harper said:
It is a virus. Here is a post in another forum from Amol Sable, Security
Analyst (Secur-i Group), with a link to rid yourself of the virus:

(snip)

--
Dustin Harper
(e-mail address removed)
http://www.vistarip.com


SpikeDelight said:
I keep getting this error message when I start up my computer or when it
comes away from sleep mode. It just started around yesterday or 2 days
ago.

(snip)
 

Malke

SpikeDelight said:
Thank you but neither of these applications work. After the VundoFix is done
scanning for files when I press Remove Vundo it just restarts my computer
immediately. And the ComboFix won't open. A message comes up saying that
it's not a valid system32 application.

When all else fails, run HijackThis and post your log in one of the
specialty forums listed below (not here, please):

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/


Malke
 

Francisco

Can someone help me, please?



Logfile of HijackThis v1.99.1
Scan saved at 12:26:59 p.m., on 28/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Archivos de programa\Microsoft SQL Server\MSSQL$RIIAL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\iTunes\iTunesHelper .exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\ARCHIV~1\WINZIP\winzip32.exe
C:\Documents and Settings\Francisco\Configuración local\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Barra Yahoo! con bloqueador de ventanas emergentes - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvtr.exe
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: VelocidadSimple toolbar - {4AD56E6F-7074-41EE-8A40-583C2C76EFCD} - C:\Archivos de programa\VelocidadSimple\SCToolbar.dll
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\ARCHIV~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Archivos de programa\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [ec760852] rundll32.exe "C:\WINDOWS\system32\dwhrpgdu.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [cwriter] C:\Archivos de programa\VelocidadSimple\cwriter.exe
O4 - HKLM\..\Run: [VelocidadSimple] C:\Archivos de programa\VelocidadSimple\scrmain.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [math online] C:\DOCUME~1\FRANCI~1\DATOSD~1\THUNKB~1\Road locks.exe
O4 - HKCU\..\Run: [WINSOS VERIFY] "C:\Archivos de programa\Winsos\WINSOS.EXE" MINI
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Orb] "C:\Archivos de programa\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [AROReminder] C:\Archivos de programa\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [updateMgr] C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [slide.exe] c:\archivos de programa\slide\slide.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [himem] "c:\windows\himem.exe" 3fff 8ffff
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Administrador de servicios.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Archivos de programa\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Abrir en nueva ficha de fondo - res://C:\Archivos de programa\Windows Live Toolbar\Components\es-xl\msntabres.dll.mui/229?92e6449290814811838e2ddb4d5f0728
O8 - Extra context menu item: Abrir en nueva ficha en primer plano - res://C:\Archivos de programa\Windows Live Toolbar\Components\es-xl\msntabres.dll.mui/230?92e6449290814811838e2ddb4d5f0728
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Estadísticas del componente Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Agregar entrada - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Archivos de programa\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Agregar entrada en Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Archivos de programa\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\archivos de programa\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Archivos de programa\Archivos comunes\Pure Networks Shared\puresp3.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Archivos de programa\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Servicio Bonjour (Bonjour Service) - Apple Inc. - C:\Archivos de programa\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\itnwspyc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: MSSQL$RIIAL - Unknown owner - c:\Archivos de programa\Microsoft SQL Server\MSSQL$RIIAL\Binn\sqlservr.exe" -sRIIAL (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Archivos de programa\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Archivos de programa\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Archivos de programa\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: SQLAgent$RIIAL - Unknown owner - c:\Archivos de programa\Microsoft SQL Server\MSSQL$RIIAL\Binn\sqlagent.EXE" -i RIIAL (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Archivos de programa\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\ARCHIV~1\TRENDM~1\INTERN~2\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\Archivos de programa\Trend Micro\Internet Security\TmProxy.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Archivos de programa\Windows Live\installer\WLSetupSvc.exe
 

Francisco

This is mine

Logfile of HijackThis v1.99.1

(snip)
 

Malke

Francisco said:
This is mine

Logfile of HijackThis v1.99.1

(snip)

Francisco -

1. You've posted to an English-speaking newsgroup. You should find a
Spanish-speaking one in this list here:

http://aumha.org/nntp.htm - list of MS newsgroups

Look for groups with *.es.

2. You also posted to an old, closed thread. You should make a new one.

3. We don't analyze HijackThis logs in the MS newsgroups because a) of
privacy issues and b) because it takes a great deal of time and
expertise to analyze HJT logs, and you won't get the help you need in a
newsgroup. Instead, register at one of the specialty forums listed below
(in no particular order) and post your log there to get guided help.
Read the posting FAQ first at whatever forum you choose.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5


Malke
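Malke's point that HJT logs take time and expertise to read is fair; what a specialist does first is scan the log for a handful of shapes that rarely belong in a clean system. The script below is an added example written for this page, not code from the thread or from HijackThis itself. It applies a few of those generic heuristics to lines copied from Francisco's log above (re-joined where the newsgroup wrapped them); the rules are assumptions of the example, and every hit is a prompt to look closer, never a verdict.

```python
"""Added example, not from the thread: a first-pass triage of a HijackThis log.

Each check is a generic heuristic an analyst applies before reading the log by
hand. A hit means "look at this entry", never "this is malware".
"""
import re

# Lines copied from Francisco's log above, re-joined where the newsgroup wrapped them.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvtr.exe
O4 - HKLM\..\Run: [ec760852] rundll32.exe "C:\WINDOWS\system32\dwhrpgdu.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [math online] C:\DOCUME~1\FRANCI~1\DATOSD~1\THUNKB~1\Road locks.exe
O4 - HKCU\..\Run: [himem] "c:\windows\himem.exe" 3fff 8ffff
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\itnwspyc.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Shapes of the HijackThis sections this triage looks at
INI_RE = re.compile(r"^F[23] - REG:win\.ini: (?P<key>load|run)=(?P<val>.*)$")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<p>[^"]+?\.exe)"?', re.IGNORECASE)


def executable_path(cmd: str) -> str:
    """First .exe in an autorun command, with surrounding quotes stripped."""
    m = EXE_RE.match(cmd)
    return m.group("p") if m else cmd


def triage_line(line: str) -> list:
    """Reasons this line deserves a closer look; empty list if nothing stood out."""
    reasons = []

    m = INI_RE.match(line)
    if m and m.group("val").strip():
        reasons.append("win.ini %s= is normally empty on XP" % m.group("key"))

    m = RUN_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        low = cmd.lower()
        if re.fullmatch(r"[0-9a-f]{8}", name.lower()):
            reasons.append("autorun value named with 8 hex digits (random-looking)")
        if low.startswith("rundll32.exe"):
            reasons.append("rundll32 loads a DLL at logon; confirm the DLL is known")
        if "docume~1\\" in low or "documents and settings\\" in low:
            reasons.append("autorun program lives inside a user profile")
        if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", executable_path(cmd).lower()):
            reasons.append("executable placed directly in the Windows directory")

    m = SVC_RE.match(line)
    if m:
        owner, path = m.group("owner"), m.group("path").lower()
        if owner == "Unknown owner" and "\\system32\\" in path:
            reasons.append("unknown-owner service running from system32")
        if not re.search(r"\.(exe|sys|dll)\b", path):
            reasons.append("service image path has no executable extension")
        if "(file missing)" in path:
            reasons.append("service image is missing on disk (leftover or deleted dropper)")
    return reasons


def triage(log_text: str) -> list:
    """(line, reasons) for every log line that triggered at least one heuristic."""
    hits = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample, the R1, iTunes, ctfmon and Google Updater lines pass silently while the win.ini load= entry, the hex-named rundll32 autorun, the two user-profile and %windir% executables and the two unknown-owner services are flagged; the Trend Micro "(file missing)" services from the full log would be flagged too, which is exactly why the output is a worklist for a human and not a removal list.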
 

ckcplay2

The exact thing is happening to me and I am running Windows XP SP2. What
can I do or where can I go to solve this problem??
Kelly
 

grayzieuk


I have just spent the last two days trying to detect and remove this
from one of the systems here where I work. This finally did the trick
for me, with a little manual help afterwards:

http://www.superantispyware.com

Download and install the above. Complete a full update and then a full
system scan.

Remove any detected Spyware/ Malware

Download HijackThis and post the results; then someone can look at
what is left and advise you further.

Grayzieuk
 