Foro de InfoSpyware - Foro de Hijackthis - Foro de Virus

Hola guapo!!!
No se, no se.........
Vamos a ver si de una ..... vez, damos con el problema, creo que algo ha pillao, pero tu me contarás que para eso eres el experto. La verdad que recursos no te faltan .
Te pego el reporte:
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"NBJ" = ""C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead
Software AG"]
"EPSON Stylus C44 Series" =
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10I C2.EXE /P23 "EPSON Stylus
C44 Series" /M "Stylus C44"" ["SEIKO EPSON CORPORATION"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"SpeedTouch USB Diagnostics" = (empty string)
"MULTIMEDIA KEYBOARD" = "C:\Archivos de programa\Netropa\Multimedia
Keyboard\MMKeybd.exe" ["Netropa Corp."]
"ATIPTA" = "C:\Archivos de programa\ATI Technologies\ATI Control
Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software
Gmbh"]
"SunJavaUpdateSched" = "C:\Archivos de
programa\Java\j2re1.4.2_06\bin\jusched.exe" [null data]
"MindSoft FreeRAM" = "C:\Archivos de programa\MindSoft\Utilities XP
7.8\FreeRAM.exe" [null data]
"EPSON Stylus C44 Series" =
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10I C2.EXE /P23 "EPSON Stylus
C44 Series" /O6 "USB001" /M "Stylus C44"" ["SEIKO EPSON CORPORATION"]
"SpySweeper" = ""C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe"
/startintray" ["Webroot Software, Inc."]
"KAVPersonal50" = ""C:\Archivos de programa\Kaspersky Lab\Kaspersky
Anti-Virus Personal Pro\kav.exe" /minimize" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper
Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "Adobe PDF Reader Link
Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de
programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems
Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Spybot -
Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper"
[from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\archivos de
programa\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla
del Panel de control"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de
HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon
Handler"
-> {CLSID}\InProcServer32\(Default) =
"C:\ARCHIV~1\MICROS~2\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de
programa\WinRAR\rarext.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll"
[MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll"
[MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll"
[MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu
Integration"
-> {CLSID}\InProcServer32\(Default) =
"C:\ARCHIV~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell
guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido
anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not
found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software,
Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido
anti-malware\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Kaspersky
Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de
programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido
anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de
programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Kaspersky
Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) =
"C:\ARCHIV~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de
programa\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\WINZIP\WZSHLSTB.DLL"
["WinZip Computing, Inc."]


Default executables:
--------------------

.HTA: HKLM\SOFTWARE\Classes\htafile\shell\open\command\
INFECTION WARNING! "Default" = "MSHTA.EXE "%1" %*" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Felicidad.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "almudena" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
"WinZip Quick Pick" -> shortcut to: "C:\Archivos de
programa\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
"Inicio rápido de Adobe Reader" -> shortcut to: "C:\Archivos de
programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems
Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\
{++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\
{++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\archivos de
programa\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\archivos de
programa\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\archivos de
programa\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\ = "Shell Search Band" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll"
[MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Consola de Sun Java"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Archivos de programa\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe"
["ATI Technologies Inc."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Archivos de
programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON
CORPORATION"]
ewido security suite control, ewido security suite control, "C:\Archivos de
programa\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Archivos de
programa\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter"
{"C:\WINDOWS\System32\w3ssl.dll" [MS]}
kavsvc, kavsvc, ""C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus
Personal Pro\kavsvc.exe"" ["Kaspersky Lab"]
Netropa NHK Server, nhksrv, "C:\Archivos de programa\Netropa\Multimedia
Keyboard\nhksrv.exe" [null data]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Archivos de programa\Webroot\Spy
Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe"
[MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E 96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monito rs\
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 73 seconds, including 18 seconds for message
boxes)


MUCHAS GRACIAS GPASTOR

Esta línea pertenece a una vulnerabilidad de Windows:

Mas información en este enlace

Para solucionar esta vulnerabilidad debes seguir estos pasos:

Luego descarga el parche de la página de Microsoft

Por lo demás no hay nada sospechoso en ese reporte.

Reinicia la máquina y verifica los resultados.

Saludos

GPastor, ya he hecho lo que me has dicho y esto sigue igual, te queda algun as guardado bajo la manga???
Muchas Gracias

Por todas las pruebas que hemos hecho puedo decirte que la causa del problema no es un bicho.

Te recomiendo abrir un nuevo tema en el foro de Windows ya que lamentablemente con Hijackthis nada mas podemos hacer.

Saludos

Creo que directamente voy a formatear mi pc y empezar de nuevo, nunca lo he hecho pero dicen que asi se aprende, no???
Muchas gracias por todo y espero tardar un poco de tiempo en venir a darte la castaña.
Muchas gracias y un besote.