Problems with TROJANS that are hard to get rid of...

Well, hello, I am posting because of a problem with 3 trojans and the pop-ups of several internet pages (of music, errorsafe software and antivirus software). The trojans are:
Win32:Dialer-988
win32:Agent-HZS
win32:VBStat-C

With Avast I was able to detect them and send them to the chest, but every time I start the computer, the resident protection shows the alerts for the same trojans I just dealt with!!

Mauserme, I tried to copy the results of “HijackThis” into this post but I couldn’t because there is a limit of 1000 characters… should I try to send it to you in a personal message? Or what should I do? Thanks again

These are the results of the “HijackThis” scanner:

Logfile of HijackThis v1.99.1
Scan saved at 01:08:31 p.m., on 29/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Archivos de programa\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\uaknyolm.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\ARCHIV~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Archivos de programa\Hijackthis\HijackThis.exe
C:\Archivos de programa\Alwil Software\Avast4\ashSimpl.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kxvouybm.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Inicio rápido de Adobe Acrobat.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182137518248
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182192437437
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\uaknyolm.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Hehe, finally I was able to post the HijackThis scanner results…

Hi KLM,

Three suspicious entries:

C:\WINDOWS\system32\uaknyolm.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kxvouybm.dll",realset
O23 - Service: DomainService - - C:\WINDOWS\system32\uaknyolm.exe

And some adware:

O4 - Startup: PowerReg Scheduler.exe

Upload the suspicious files to VirusTotal for analysis (enable view hidden & system files first).

Have you tried the usual adware/spyware/Trojan removers?

DrWeb CureIT!
AVG Anti-Spyware Free (Requires Win2k/XP)
Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free

In the case of stubborn malware, check for rootkits:

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

FreewheelinFrank, thanks for your advice… I tried to send the archives by mail but the mail system doesn’t allow me to send them because they are infected… so I used the antivirus avast to scan the file “system32” but the results aren’t satisfactory… they say there are no viruses… and right now I am trying to download the antispyware you recommended to me…

Ok, I found out how to scan those archives in “virustotal”… the results say that it is a trojan (and avast can’t detect it… sniff…). Now I am going to try the antispyware…

Ensure you send the sample/s to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Uhh… that is going to be difficult, DavidR… after installing the antispyware all those archives were moved to quarantine… should I restore them and send them to avast as you said?

I would say Yes open the chest, add them to the User Files section of the avast chest and send them from there.

Once you have added it to the chest (where it can do no harm), then delete the file in the location you restored it to, as it still exists after adding it to the chest.

Well, ready, I did it. I sent the message to avast through the avast chest; but the problem is that I couldn’t add an .exe that was identified by the antispyware (avg-antispyware7.5) as a high risk trojan. It says that the location is

C:\System Volume Information\_restore{3CE6A2C2-82B8-4FE8-8902-A9CA6876B112}\RP39\A0005621.exe

but I first configured the files to show the hidden files and in spite of that I can’t find that location… can you help me once again, DavidR?

And I have another question (I don’t know much about programming): WHAT DOES “HIJACKTHIS” DO TO MY SYSTEM? And what do the results mean?

I appreciate your help.

I’m glad you decided to post this in the public forum, KLM. You’re in good hands right now.

You don’t need to try to upload the System Volume detection - the file will be too large. That is one of your system restore points and any malware that might have been saved there will not harm you as long as you don’t restore your computer to a previous point.

Please post the full file name with path of the trojans so FwFrank and DavidR can have a better look at what they’re dealing with. The file name and path will look something like C:\windows\file.mal

When you run a scan, HJT enumerates various processes being run on your computer and lists the registry entries that load those processes. It doesn’t actually make any changes on its own. At this point it’s just an analysis tool.

Later, if you are asked to “fix” some of the lines this will remove them from the registry and the associated files can then be deleted.
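To make concrete how the O4 (autostart) and O23 (service) lines are read, and why the three entries singled out earlier in the thread stand out, here is an added example. It is not written by anyone in this thread and is not part of HijackThis. The `KNOWN_GOOD` baseline and the reason strings are assumptions made for the illustration; the sample is a subset of the log lines posted above.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\uaknyolm.exe
C:\WINDOWS\System32\nvsvc32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kxvouybm.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\uaknyolm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption: a baseline of expected system32 file names kept by the analyst.
KNOWN_GOOD = {"svchost.exe", "nvsvc32.exe", "nvcpl.dll", "ctfmon.exe"}

# "\\?" also accepts the "HKLM..\Run" form seen when a paste loses a backslash.
RUN_RE = re.compile(r"^O4 - (HK\w\w)\\?\.\.\\Run: \[([^\]]+)\] (.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.*?)- ([A-Za-z]:\\.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\",]+?\.(?:exe|dll)", re.I)

def target_of(command):
    """File an autostart command really loads (the DLL when rundll32 is the host)."""
    paths = [p for p in PATH_RE.findall(command)
             if basename(p).lower() != "rundll32.exe"]
    return paths[0] if paths else None

def in_system32(path):
    """True only for files sitting directly in ...\\system32, not subfolders."""
    return dirname(path).lower().endswith("\\system32")

def parse(log):
    """Split a log into running process paths and (code, name, vendor, target)."""
    running, autostarts, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            running.append(line)
        elif (m := RUN_RE.match(line)):
            # O4 lines carry no vendor field, so vendor is None
            autostarts.append(("O4", m.group(2), None, target_of(m.group(3))))
        elif (m := SVC_RE.match(line)):
            autostarts.append(("O23", m.group(1), m.group(2).strip(),
                               target_of(m.group(3))))
    return running, autostarts

def triage(log, known_good=KNOWN_GOOD):
    """List autostart entries worth a closer look; this is not a verdict."""
    running, autostarts = parse(log)
    active = {p.lower() for p in running}
    findings = []
    for code, name, vendor, target in autostarts:
        if not target or not in_system32(target):
            continue
        if basename(target).lower() in known_good:
            continue
        reasons = ["unrecognised file directly in system32"]
        if vendor == "":
            reasons.append("service has no vendor string")
        if target.lower() in active:
            reasons.append("currently running")
        findings.append((code, name, target, reasons))
    return findings

if __name__ == "__main__":
    for code, name, target, reasons in triage(SAMPLE_LOG):
        print(f"{code} [{name}] {target}: {'; '.join(reasons)}")
```

The output is a review list only: each flagged file still has to be confirmed, for example by uploading it to VirusTotal as suggested above.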

If the files aren’t on avast Chest but on antispyware tool ones, can you extract them to another folder than the original one? If you can, maybe it will be safer and you’ll help avast to improve detection.

First to be able to see that it is a hidden folder, you need to show hidden files and folders. Windows Explorer, Tools, Folder Options, View, tick ‘Show hidden files and folders.’

The C:\System Volume Information folder is a part of the system restore function and as such is protected by windows. Personally I wouldn’t worry about that one (as mauserme said it could be quite large), but I would say you should clean your C:\System Volume Information folder that will remove infected restore points.

Create Clean Restore Point - Clear old Restore Points.
Once you are clear of infection create a clean System Restore point:

  1. Click Start, All Programs, Accessories, System tools, System Restore.
  2. In the pop-up that appears fill in the radio button to Create a Restore Point
  3. Click NEXT
  4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
  5. Click CREATE

You now have a clean restore point, you should clear the old ones:

  1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
  2. Click OK on the C: drive
  3. Click the More Options tab
  4. In the System Restore section click the Clean Up button

Very well, as you recommended, mauserme:

These are some of the paths of the other trojans:

  1. Adware.Virtumonde is in C:\WINDOWS\system32\byxyyyy.dll

  2. trojan.Agent.aoy is in C:\System Volume Information\_restore{3CE6A2C2-82B8-4FE8-8902-A9CA6876B112}\RP39\A0005621.exe

The second one has traces in several archives (.exe). I only mentioned one…

And, DavidR, you said that after “cleaning” my system I should create a clean system restore point. By cleaning do you mean eliminating all the infected files and folders that are in quarantine in the AVG anti-spyware? And I was unable to access the folder C:\system volume information\. It said that the access was restricted…

I think it would be good if you run ComboFix which you should download from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a new HiJackthis log in your next reply

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

Also note that I would like you to run ComboFix first. Then, before you run HijackThis, rename the program file from hijackthis.exe to hijackKLM.exe and run it from that.

Virtumonde can be difficult to remove. There is a specialist tool you can use here:

http://www.atribune.org/content/view/24/2/

If you have run the scanners I mentioned, you need to run HijackThis! again and check that the following entries have gone:

C:\WINDOWS\system32\uaknyolm.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kxvouybm.dll",realset
O23 - Service: DomainService - - C:\WINDOWS\system32\uaknyolm.exe

If they are still there, you will need to remove them manually.

Run HijackThis! again, tick the box next to these entries, click ‘fix’ and reboot into safe mode.

Delete the file C:\WINDOWS\system32\kxvouybm.dll

Remove the service DomainService as described here:

http://www.bleepingcomputer.com/tutorials/tutorial42.html#O23Diag

If the malware resists removal, come back and tell us: there are more powerful methods of removal.

When you have cleaned up your computer, check for out-of-date, unpatched and insecure versions of software which can allow infections such as Vundo. In particular, look for older versions of Sun Java lurking on your computer.

http://secunia.com/software_inspector/

That is what I mean, there is little point in creating a restore point if there are any infections on the loose. So at the end of this process.

There are some that say whilst you are trying to cure/remove infected files you should have system restore disabled (and reboot, clears ALL restore points). As any infected file that happens to be in a system folder or one protected by system restore then it would create a restore point with a copy of that file. This may have been why these infected files are in the system volume information folder.

Good Mauserme here it is (PART 1):

ComboFix 07-06-18.2 - C:\Documents and Settings\Horacio Morales\Escritorio\ComboFix.exe
“Horacio Morales” - 2007-06-30 8:41:03 - Service Pack 2 NTFS
((((((((((( V Log )))))))))))))

C:\WINDOWS\system32\ijrryuwj.dll
C:\WINDOWS\system32\liadtnjc.dll
C:\WINDOWS\system32\vpknvwqt.dll
C:\WINDOWS\system32\jwuyrrji.ini
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijjlm.bak2
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijjlm.bak2
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\byxyyyy.dll

      • POST RUN FILES/FOLDERS * * * * * *

(((((((((( Files Created from 2007-05-28 to 2007-06-30 ))))))))))))))))))))

2007-06-30 08:40 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 18:51 d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\WinZip
2007-06-29 16:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-29 10:42 d-------- C:\Archivos de programa\Activision
2007-06-24 09:37 d-------- C:\DOCUME~1\HORACI~1\DATOSD~1\AdobeUM
2007-06-24 09:27 d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Adobe Systems
2007-06-24 09:27 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-06-23 23:43 4,628 --a------ C:\WINDOWS\system32\wncrcfvn.exe
2007-06-21 23:49 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-06-21 12:28 20,352 --a------ C:\DOCUME~1\HORACI~1\DATOSD~1\GDIPFONTCACHEV1.DAT
2007-06-20 19:37 d-------- C:\Archivos de programa\MSXML 4.0
2007-06-20 19:33 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-06-20 19:33 d-------- C:\Archivos de programa\Winamp
2007-06-20 19:32 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-06-20 19:30 d-------- C:\Archivos de programa\DivX
2007-06-20 19:05 d-------- C:\DOCUME~1\HORACI~1\DATOSD~1\Ahead
2007-06-20 19:03 d-------- C:\Archivos de programa\Nero
2007-06-20 19:03 d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-06-20 09:15 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-19 23:46 d-------- C:\DOCUME~1\HORACI~1\DATOSD~1\Microsoft Games
2007-06-19 23:29 d-------- C:\Archivos de programa\Microsoft Games
2007-06-19 22:00 d-------- C:\Archivos de programa\LimeWire
2007-06-19 21:56 d-------- C:\DOCUME~1\HORACI~1\DATOSD~1\Google
2007-06-19 21:56 d-------- C:\Archivos de programa\Google
2007-06-19 11:09 d-------- C:\DOCUME~1\HORACI~1\DATOSD~1\fltk.org
2007-06-19 07:45 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-18 22:26 d-------- C:\Archivos de programa\Liquid Entertainment
2007-06-18 21:59 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-06-18 21:59 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-06-18 21:59 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-06-18 21:59 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-06-18 21:59 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-06-18 21:59 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-06-18 21:59 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-06-18 21:59 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-06-18 21:59 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-06-18 21:59 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-06-18 21:59 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-06-18 21:57 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-06-18 21:57 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-06-18 21:57 d-------- C:\Archivos de programa\CONEXANT
2007-06-18 21:37 0 --a------ C:\WINDOWS\PowerReg.dat
2007-06-18 20:54 dr------- C:\DOCUME~1\LOCALS~1\Favoritos
2007-06-18 20:09 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-18 20:09 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-18 20:09 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-18 20:09 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-18 20:09 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-18 20:09 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-18 20:09 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-18 20:09 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-18 20:09 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-18 20:09 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-18 20:09 d-------- C:\Archivos de programa\Alwil Software
2007-06-18 13:20 d-------- C:\WINDOWS\system32\es-es
2007-06-18 13:18 d-------- C:\WINDOWS\network diagnostic
2007-06-18 12:37 d--h----- C:\WINDOWS\$hf_mig$
2007-06-18 12:37 d-------- C:\WINDOWS\system32\PreInstall
2007-06-18 12:28 d-------- C:\DOCUME~1\LOCALS~1\Menú Inicio
2007-06-18 12:27 d-------- C:\WINDOWS\Prefetch
2007-06-18 12:09 d-------- C:\WINDOWS\provisioning
2007-06-18 12:09 d-------- C:\WINDOWS\peernet
2007-06-18 12:07 d-------- C:\WINDOWS\ServicePackFiles
2007-06-18 12:04 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-06-18 12:03 d-------- C:\WINDOWS\EHome
2007-06-18 10:56 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-06-18 10:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-06-18 10:26 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-17 22:56 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-06-17 22:56 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-06-17 22:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2007-06-17 22:56 66,560 --a------ C:\WINDOWS\system32\mtxclu.dll
2007-06-17 22:56 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-06-17 22:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-06-17 22:56 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2007-06-17 22:56 581,120 --a------ C:\WINDOWS\system32\rpcrt4.dll
2007-06-17 22:56 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-06-17 22:56 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-06-17 22:56 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-06-17 22:56 397,824 --a------ C:\WINDOWS\system32\rpcss.dll
2007-06-17 22:56 332,288 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-06-17 22:56 243,200 --a------ C:\WINDOWS\system32\es.dll
2007-06-17 22:56 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2007-06-17 22:56 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-06-17 22:56 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-06-17 22:56 101,376 --a------ C:\WINDOWS\system32\txflog.dll
2007-06-17 22:56 1,284,608 --a------ C:\WINDOWS\system32\ole32.dll
2007-06-17 22:56 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-06-17 22:55 241,152 --a------ C:\WINDOWS\system32\srrstr.dll
2007-06-17 22:53 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-06-17 22:53 d--h-c--- C:\WINDOWS\$xpsp1hfm$
2007-06-17 22:47 d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Windows Genuine Advantage
2007-06-17 22:36 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-06-17 22:36 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-06-17 22:36 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-06-17 22:36 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-06-17 22:36 d-------- C:\WINDOWS\system32\bits
2007-06-17 22:34 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-06-17 22:34 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-06-17 22:34 33,624 --a------ C:\WINDOWS\system32\wups.dll