mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Foro referente al sistema operativo Windows XP
jotayes
Usuario linuxero
Usuario linuxero
Mensajes: 5
Registrado: 22 Mar 2010, 22:10
Contactar:

mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor jotayes » 22 Mar 2010, 22:27

mshaua32 de Winlogon Userinit, QUE ES ESTO ?
Esto está en los programas de arranque, pero he intentado buscar información y san google no lo conoce de nada. Sospecho que sea algún virus o spyware, pero no puedo encontrar información en ningún sitio.
Alguien sabe algo?

Muchíiiiiiisimas gracias.

Avatar de Usuario
Souto
Usuario Bill Gates
Usuario Bill Gates
Mensajes: 10665
Registrado: 25 Feb 2008, 10:21
Ubicación: Galicia
Agradecido : 6 veces
Agradecimiento recibido: 647 veces
Contactar:

Re: mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor Souto » 22 Mar 2010, 22:39

Sospechas bien.
1.Vete aquí
http://rapidshare.com/files/352260357/Winlogon.bat
he subido para tí un archivo (Winlogon). Descárgalo, doble clic sobre él y se abrirá un texto.
Pégalo en el foro, por favor.
2.Vete a esta página
http://www.trendsecure.com/portal/en-US ... s/download
Ahí tienes dos versiones de HijackThis para descargar. Elige la que tienes a la derecha Version 2.0.2 ( Installer)
La instalas la ejecutas, pulsas sobre la pestaña "Do a system scan and save a logfile".
Rematada la comprobación, se abrirá un archivo de texto, lo seleccionas todo y lo pegas también en este foro.


Saludos
Qui dove il mare luccica e tira forte il vento

jotayes
Usuario linuxero
Usuario linuxero
Mensajes: 5
Registrado: 22 Mar 2010, 22:10
Contactar:

Re: mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor jotayes » 22 Mar 2010, 23:06

Allá va todo.
Ayer ya hice también lo del HijackThis, y lo miré, pero como los buhos, me fijé mucho pero no vi nada, como si fuera chino mandarín.

Gracias.

***********************************************
C:\Windows\system32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s>>Winlogon.txt
start notepad Winlogon.txt

********************************

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
DefaultDomainName REG_SZ AYESTARA-FIL2SA
DefaultUserName REG_SZ Pedro
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShutdownWithoutLogon REG_SZ 0
Userinit REG_SZ C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\mshaua32.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD 0xffffffff
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0x0
passwordexpirywarning REG_DWORD 0xe
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 0x1
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 0x1
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0x0
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 0x1
ShowLogonOptions REG_DWORD 0x0
AltDefaultUserName REG_SZ Pedro
AltDefaultDomainName REG_SZ AYESTARA-FIL2SA
<Sin nombre> REG_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}
<Sin nombre> REG_SZ Inalámbrico
DllName REG_EXPAND_SZ gptext.dll
NoGPOListChanges REG_DWORD 0x1
NoUserPolicy REG_DWORD 0x1
ProcessGroupPolicy REG_SZ ProcessWIRELESSPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}
<Sin nombre> REG_SZ Folder Redirection
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyEx
DllName REG_EXPAND_SZ fdeploy.dll
NoMachinePolicy REG_DWORD 0x1
NoSlowLink REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x0
NoBackgroundPolicy REG_DWORD 0x0
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
EventSources REG_MULTI_SZ (Folder Redirection,Application)\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
Status REG_DWORD 0x0
RsopStatus REG_DWORD 0x0
LastPolicyTime REG_DWORD 0xc5526a
PrevSlowLink REG_DWORD 0x0
PrevRsopLogging REG_DWORD 0x1
ForceRefreshFG REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}
<Sin nombre> REG_SZ Cuota de discos de Microsoft
NoMachinePolicy REG_DWORD 0x0
NoUserPolicy REG_DWORD 0x1
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x0
RequiresSuccessfulRegistry REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x0
DllName REG_EXPAND_SZ dskquota.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}
<Sin nombre> REG_SZ Programador de paquetes QoS
ProcessGroupPolicy REG_SZ ProcessPSCHEDPolicy
DllName REG_EXPAND_SZ gptext.dll
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
Status REG_DWORD 0x0
RsopStatus REG_DWORD 0x80070032
LastPolicyTime REG_DWORD 0xc5526a
PrevSlowLink REG_DWORD 0x0
PrevRsopLogging REG_DWORD 0x1
ForceRefreshFG REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}
<Sin nombre> REG_SZ Secuencias de comandos
ProcessGroupPolicy REG_SZ ProcessScriptsGroupPolicy
ProcessGroupPolicyEx REG_SZ ProcessScriptsGroupPolicyEx
GenerateGroupPolicy REG_SZ GenerateScriptsGroupPolicy
DllName REG_EXPAND_SZ gptext.dll
NoSlowLink REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
NotifyLinkTransition REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}
<Sin nombre> REG_SZ Asignación de zonas de Internet Explorer
DllName REG_EXPAND_SZ iedkcs32.dll
ProcessGroupPolicy REG_SZ ProcessGroupPolicyForZoneMap
NoGPOListChanges REG_DWORD 0x1
RequiresSucessfulRegistry REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessSecurityPolicyGPO
GenerateGroupPolicy REG_SZ SceGenerateGroupPolicy
ExtensionRsopPlanningDebugLevel REG_DWORD 0x1
ProcessGroupPolicyEx REG_SZ SceProcessSecurityPolicyGPOEx
ExtensionDebugLevel REG_DWORD 0x1
DllName REG_EXPAND_SZ scecli.dll
<Sin nombre> REG_SZ Security
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
EnableAsynchronousProcessing REG_DWORD 0x1
MaxNoGPOListChangesInterval REG_DWORD 0x3c0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyEx
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
ProcessGroupPolicy REG_SZ ProcessGroupPolicy
DllName REG_EXPAND_SZ iedkcs32.dll
<Sin nombre> REG_SZ Personalización de Internet Explorer
NoSlowLink REG_DWORD 0x1
NoBackgroundPolicy REG_DWORD 0x0
NoGPOListChanges REG_DWORD 0x1
NoMachinePolicy REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy REG_SZ SceProcessEFSRecoveryGPO
DllName REG_EXPAND_SZ scecli.dll
<Sin nombre> REG_SZ EFS recovery
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1
RequiresSuccessfulRegistry REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
<Sin nombre> REG_SZ Instalación de software
DllName REG_EXPAND_SZ appmgmts.dll
ProcessGroupPolicyEx REG_SZ ProcessGroupPolicyObjectsEx
GenerateGroupPolicy REG_SZ GenerateGroupPolicy
NoBackgroundPolicy REG_DWORD 0x0
RequiresSucessfulRegistry REG_DWORD 0x0
NoSlowLink REG_DWORD 0x1
PerUserLocalSettings REG_DWORD 0x1
EventSources REG_MULTI_SZ (Application Management,Application)\0(MsiInstaller,Application)\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}
<Sin nombre> REG_SZ Seguridad IP
ProcessGroupPolicy REG_SZ ProcessIPSECPolicy
DllName REG_EXPAND_SZ gptext.dll
NoUserPolicy REG_DWORD 0x1
NoGPOListChanges REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName REG_SZ wlnotify.dll
Logon REG_SZ SCardStartCertProp
Logoff REG_SZ SCardStopCertProp
Lock REG_SZ SCardSuspendCertProp
Unlock REG_SZ SCardResumeCertProp
Enabled REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
StartShell REG_SZ SchedStartShell
Logoff REG_SZ SchedEventLogOff

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
DllName REG_EXPAND_SZ sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 0x1
MaxWait REG_DWORD 0x258
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
PostShell REG_SZ SensPostShellEvent
Disconnect REG_SZ SensDisconnectEvent
Reconnect REG_SZ SensReconnectEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
Logoff REG_SZ TSEventLogoff
Logon REG_SZ TSEventLogon
PostShell REG_SZ TSEventPostShell
Shutdown REG_SZ TSEventShutdown
StartShell REG_SZ TSEventStartShell
Startup REG_SZ TSEventStartup
MaxWait REG_DWORD 0x258
Reconnect REG_SZ TSEventReconnect
Disconnect REG_SZ TSEventDisconnect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
DLLName REG_SZ wlnotify.dll
Logon REG_SZ RegisterTicketExpiredNotificationEvent
Logoff REG_SZ UnregisterTicketExpiredNotificationEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SCLogon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Asistente de ayuda REG_DWORD 0x0
TsInternetUser REG_DWORD 0x0
SQLAgentCmdExec REG_DWORD 0x0
NetShowServices REG_DWORD 0x0
HelpAssistant REG_DWORD 0x0
IWAM_ REG_DWORD 0x10000
IUSR_ REG_DWORD 0x10000
VUSR_ REG_DWORD 0x10000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials

**************************************************************************************************************************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:59:47, on 22/03/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Eset\nod32kui.exe
C:\ARCHIV~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\ARCHIV~1\MICROS~4\rapimgr.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Archivos de programa\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Archivos de programa\Last.fm\LastFM.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\ARCHIV~1\BILLPS~1\WINPAT~1\WinPatrolEx.exe
C:\Documents and Settings\Pedro\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\notepad.exe
c:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Archivos de programa\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\mshaua32.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Archivos de programa\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Archivos de programa\Stopzilla!\Toolbar\SZSG.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {AC716D9C-A4A4-7A2F-B927-F7C77AF53259} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Archivos de programa\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: (no name) - {DBD646AE-161A-0D25-1CEC-2F11881598FA} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es\msntb.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Archivos de programa\Stopzilla!\Toolbar\SZSG.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinPatrol] C:\ARCHIV~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-343818398-630328440-725345543-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Maria Carmen')
O4 - HKUS\S-1-5-21-343818398-630328440-725345543-1006\..\Run: [Google Update] "C:\Documents and Settings\Maria Carmen\Configuración local\Datos de programa\Google\Update\GoogleUpdate.exe" /c (User 'Maria Carmen')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZJ
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://www.earthetc.com/ecwplugins/NCS.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {AE4CEC9D-C836-4579-829B-4C345101B3B9} (GVista Terrain Renderer) - http://sitna.cfnavarra.es/3d/PlugIn/gvista2709.cab
O16 - DPF: {DF7A9F1F-E06B-4BE7-A27E-1BE7EA5AFC1C} - http://www.infodialer3000.com/perfiles2 ... as3000.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F309A12-3A66-4EFA-B9BE-BF21FC934589}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F309A12-3A66-4EFA-B9BE-BF21FC934589}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS3\Services\Tcpip\..\{0F309A12-3A66-4EFA-B9BE-BF21FC934589}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\eEBSVC.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Servicio Google Update (gupdate) (gupdate) - Google Inc. - C:\Archivos de programa\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: PaTENT MPI - Unknown owner - C:\MSC\marc2001\patentmpi\PaTENTi.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Archivos de programa\Archivos comunes\iS3\Anti-Spyware\SZServer.exe
O24 - Desktop Component 0: (no name) - http://sitna.cfnavarra.es/imagenes/pixel.gif

--
End of file - 10176 bytes
************************************************************************

Avatar de Usuario
helheim
Usuario Bill Gates
Usuario Bill Gates
Mensajes: 5001
Registrado: 20 Abr 2008, 11:38
Agradecido : 24 veces
Agradecimiento recibido: 169 veces
Contactar:

Re: mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor helheim » 23 Mar 2010, 00:15

Como el jefe lo mismo está ya en el séptimo sueño, me meto por aquí y hago de él.

Pulsa las teclas Windows + R y escribe regedit

A continuación navega por esta ruta:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

En la ventana de la derecha busca "Userinit" y haz un doble clic sobre él. En la nueva ventana que se te abrirá verás un recuadro titulado "Información del valor". Borra lo que hay en ese recuadro (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\mshaua32.exe,) y déjalo exactamente como te pongo aquí abajo:

C:\Windows\system32\userinit.exe,

P.D: De todas formas el maestro le echará seguramente un vistazo más en profundidad al log del Winlogon (hasta donde yo ya no puedo llegar) y te dirá lo que sea.

------------------------------------------


Con respecto al log del Hijackthis, Ejecuta de nuevo HijackThis (con todos los programas cerrados), pulsa sobre "Do a system scan only", marca las siguientes entradas del log y pulsa "Fix Checked":

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AC716D9C-A4A4-7A2F-B927-F7C77AF53259} - (no file)
O3 - Toolbar: (no name) - {DBD646AE-161A-0D25-1CEC-2F11881598FA} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... jhtml?p=ZJ


Una vez hecho eso pasa CCLEANER y limpia tanto Archivos Temporales como el Registro (pásalo tantas veces como sea necesario hasta no encontrar nada).

Yo pasaría además Malwarebytes Anti-Malware (haciendo un escaneo completo).

Malwarebytes Anti-Malware (MANUAL)

Péganos el reporte del Malwarebytes Anti-Malware (tras realizar un ESCANEO COMPLETO recuerda enviar todo lo que encuentre a la cuarentena ANTES DE COPIAR EL REPORTE).

Un saludo.
La experiencia es una llama que alumbra quemando (Benito Pérez Galdós)

Avatar de Usuario
Souto
Usuario Bill Gates
Usuario Bill Gates
Mensajes: 10665
Registrado: 25 Feb 2008, 10:21
Ubicación: Galicia
Agradecido : 6 veces
Agradecimiento recibido: 647 veces
Contactar:

Re: mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor Souto » 23 Mar 2010, 10:08

Como el jefe lo mismo está ya en el séptimo sueño,

¡¡Vaya fama que tengo de bella durmiente!!. Pero comprendereis que levatándome a las 6,30 y dada mi avanzada edad (según mis hijos ya soy un anciano :? ), uno ya no está para muchos trotes.
Lo que ha dicho helheim va a misa.
Malagente ha metido las narices en tu sistema y con las actuaciones propuestas debiera quedar como una patena .

Saludos
Qui dove il mare luccica e tira forte il vento

jotayes
Usuario linuxero
Usuario linuxero
Mensajes: 5
Registrado: 22 Mar 2010, 22:10
Contactar:

Re: mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor jotayes » 27 Mar 2010, 00:42

Hola, angeles de la guardia, a ver si a la tercera va la vencida; que he escrito esto ya dos veces en la web del foro y se me ha ido a hacer puñetas. Ahora lo intento con el editor y ya lo pasaré cuando lo acabe.
Cuento lo que he hecho.
He editado el Registro y lo he modificado como dices. Despues de clicar en Userinit, aparece la caja para modificar el contenido, lo borro, escribo el nuevo contenido, doy Aceptar y se modifica el contenido del registro, pero........ algo hago mal. Si vuelvo a clicar en Userinit me aparece la caja para modificar con el mismo contenido que la primeera vez, como si no se hubiera modificado anteriormente. Lo he hecho varias veces, modificando el dato y aceptando, cerrando el registro y sin cerrarlo pero el resultado es el mismo: el registro parece tener el mismo contenido aunque en pantalla se vea como modificado.
Además el bicho que tengo sigue activo porque me ha cambiado el archivo teóricamente malo y ahora se llama msshhr32.exe, que tambien intento quitar su llamada del userinit del registro y sigue estando ahí.

Con los escaneos del Malware-Bytes ha pasado lo suyo también: la primera vez que lanzo el escaneo completo el ordenador se ha bloqueado cuando llevaba catorce horas andando (tengo dos discos con seis particiones en total y 500 gigas).
Lo he lanzado otra vez y ha cascado a las 6 o 7 horas. He lanzado un escaneo rápido de la unidad del sistema (C:) para que por lo menos se pudiera ver algo. Esta ha terminado, he pasado a cuarentena y borrado el resultado, que es el primer escaneo que adjunto. Despues he hecho otros dos escaneos, el segundo ya era completo de todas las unidades y tambien pego los resultados.

Tambien creo que este bicho está borrando archivos porque el CCLEANER, despues de borrar todo lo que decía hoy dice que faltan dos DLL COMPARTIDA FALTANTE y que son del STOPZILLA, otro antimalware que tengo instalado.

Despues del folklore que tengo montado con esto, ya no se si se men olvidado cosas o no.

Gracias por vuestra paciencia y lamento dar tanta molestia.

PedroJ.


************************************************************************************************************
Malwarebytes' Anti-Malware 1.44
Versión de la Base de Datos: 3903
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

24/03/2010 13:09:23
mbam-log-2010-03-24 (13-09-23).txt

Tipo de examen : Examen Rápido
Objetos examinados: 162199
Tiempo transcurrido: 7 minute(s), 41 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 118
Valores del Registro Infectados: 3
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 20
Ficheros Infectados: 72

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e6f1832-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9571378-68a1-443d-b082-284f960c6d17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{621feacd-8857-43a6-ae26-451d670d5370} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Valores del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
C:\Archivos de programa\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kiko\Datos de programa\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kiko\Datos de programa\FunWebProducts\Data (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kiko\Datos de programa\FunWebProducts\Data\Kiko (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Ficheros Infectados:
C:\Archivos de programa\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\FunWebProducts\Shared\Cache\MailStampBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\FunWebProducts\Shared\Cache\MyStationeryBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3BROVLY.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3DTACTL.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3POPSWT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3REPROX.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3HTML.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3MSG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3SKIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\MWSOEPLG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\2.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\avatar.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\bgfader.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\close.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\common-x.css (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\common.css (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\htmlctrl.js (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\include.js (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\index.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\loading.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\login.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\logo.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\max.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\min.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\noflash.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\spacer.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\spacer.swf (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\unmax.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\wardrobe.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Avatar\COMMON\window.ico (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\0002D1AE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\000C43D4.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\000C4645.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\000C49C0.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\000C4DB8.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\000C51CF.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\001ADC86.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\001ADE2C.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\001AE04F.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\001AE233.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\01692781 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\055CD37B.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\055CD7B1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\055CDA70.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Archivos de programa\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kiko\Datos de programa\FunWebProducts\Data\Kiko\avatar.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

************************************************************************************************************

Malwarebytes' Anti-Malware 1.44
Versión de la Base de Datos: 3903
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

24/03/2010 23:28:24
mbam-log-2010-03-24 (23-28-24).txt

Tipo de examen : Examen Completo (C:\|)
Objetos examinados: 288373
Tiempo transcurrido: 1 hour(s), 31 minute(s), 4 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 4
Valores del Registro Infectados: 1
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 1

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Valores del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\WINDOWS\system32\drivers\Cossacks 2 PATCH\sfdrvpatch.exe (Trojan.Bancos) -> Quarantined and deleted successfully.

*****************************************************************************************************

Malwarebytes' Anti-Malware 1.44
Versión de la Base de Datos: 3903
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

26/03/2010 18:24:22
mbam-log-2010-03-26 (18-24-22).txt

Tipo de examen : Examen Completo (C:\|F:\|G:\|H:\|O:\|P:\|Q:\|)
Objetos examinados: 567518
Tiempo transcurrido: 11 hour(s), 25 minute(s), 17 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 4
Valores del Registro Infectados: 1
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 13

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Valores del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
F:\Archivos de programa\install_flash_player.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\Archivos de programa\spybot\Spybot - Search & Destroy\blindman.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\Archivos de programa\Steinberg\Cubase SX 3\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
F:\Archivos de programa\Archivos comunes\iS3\Anti-Spyware\iS3SiteBlocker.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\Archivos de programa\Torrent101\TorrentManager.dll (Trojan.BitRoll) -> Quarantined and deleted successfully.
F:\Documents and Settings\Kiko\Menú Inicio\Programas\Inicio\winesm32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Documents and Settings\Kiko\Configuración local\Temp\oIOn.exe (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
F:\Documents and Settings\Kiko\Configuración local\Archivos temporales de Internet\Content.IE5\SH6RO9YB\load[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Documents and Settings\Kiko\Escritorio\install_flash_player.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\Documents and Settings\Pedro\Mis documentos\Downloads\install_flash_player.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\mqsvc.exe (SpamTool.Rlsloup) -> Quarantined and deleted successfully.
F:\WINDOWS\ServicePackFiles\i386\mqsvc.exe (SpamTool.Rlsloup) -> Quarantined and deleted successfully.
H:\VARIOS\ignorer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
*****************************************************************************************************

jotayes
Usuario linuxero
Usuario linuxero
Mensajes: 5
Registrado: 22 Mar 2010, 22:10
Contactar:

Re: mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor jotayes » 27 Mar 2010, 16:29

Hola.
Parece que se ha resuelto.
El NOD32 ya detectó y eliminó como troyano el mshaua32 y el fileassassin acabó con el otro archivo.
Estoy haciendo chequeos con el Antimalware y con el NOD32, pero son lentos y a veces se quedan colgados, con lo que tengo que volver a empezar. Los hago por tramos para que vayan terminado y saquen el informe.
Solo falta saber cuales y cuantos son los archivos que supongo han desaparecido y qué otras cosas hacía el bicho.
Informaré de lo que vaya sabiendo.

MUCHIIIIIIIIIIIIIIISIMAS GRACIAS.

Avatar de Usuario
Souto
Usuario Bill Gates
Usuario Bill Gates
Mensajes: 10665
Registrado: 25 Feb 2008, 10:21
Ubicación: Galicia
Agradecido : 6 veces
Agradecimiento recibido: 647 veces
Contactar:

Re: mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor Souto » 27 Mar 2010, 16:37

La verdad es que tienes ó tenías ahí (a estas alturas ya no lo se) un buen pudridero.
Has hecho un buentrabajo.
se modifica el contenido del registro, pero........ algo hago mal. Si vuelvo a clicar en Userinit me aparece la caja para modificar con el mismo contenido que la primeera vez, como si no se hubiera modificado anteriormente.

No haces nada mal.Después de hacer ese cambio pulsa la tecla F5, abre de nuevo la clave y comprueba si ya está con el valor correcto. Si no es así, probablemente es que por causa de la infección has perdido derechos sobre la clave (no tienes permiso para modificarla)

Arranca en modo seguro (pulsar F8 varias veces nada más encender el equipo), elige "modo seguro", inicia con la cuenta "Administrador" y realiza ese cambio en el Registro. Reinicia el equipo, entra en modo normal con tu cuenta y comprueba si el tema está resuelto.

Vuelve a pasar un antivirus pero arrancando en Modo seguro.

Saludos
Qui dove il mare luccica e tira forte il vento

jotayes
Usuario linuxero
Usuario linuxero
Mensajes: 5
Registrado: 22 Mar 2010, 22:10
Contactar:

Re: mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor jotayes » 27 Mar 2010, 16:55

Hola.
En estos momentos el registro está correcto. Entre los borrados de los dos archivos, los escaneos, las reinicializaciones y los constantes intentos de poner bien el registro, ya no tengo claro en qué momento quedó libre de bichos (si es que lo está).

Seguiré con tus consejos y ya contaré.

Gracias.

Avatar de Usuario
helheim
Usuario Bill Gates
Usuario Bill Gates
Mensajes: 5001
Registrado: 20 Abr 2008, 11:38
Agradecido : 24 veces
Agradecimiento recibido: 169 veces
Contactar:

Re: mshaua32 de Winlogon Userinit, QUE ES ESTO ?

Mensajepor helheim » 28 Mar 2010, 02:20

Yo haría un análisis más en profundidad del equipo porque el reporte de Malwarebytes indicaba que ese equipo estaba infectadísimo....

Ahora activa MOSTRAR ARCHIVOS OCULTOS y realiza los siguientes pasos:

1) Desactivar "Restaurar Sistema" (En Windows XP).
2) Descarga, instala y actualiza: Spywareblaster, SUPERAntiSpyware Free Edition, Spybot - Search & Destroy y Malwarebytes Anti-Malware.
3) Reinicia en "Modo Seguro con funciones de Red" (Pulsando varias veces F8 al iniciar o reiniciar el ordenador hasta que te aparezca la ventana de inicio avanzado).
4) Pasa Spybot - Search & Destroy MANUAL, SUPERAntiSpyware Free Edition (MANUAL) (ANÁLISIS COMPLETO), Malwarebytes Anti-Malware (MANUAL) (ANÁLISIS COMPLETO) e inmuniza tu navegador con el Spywareblaster (MANUAL).
5) Limpia tanto los archivos temporales como el registro con CCLEANER.
6) Pasa un par de antivirus online (Bitdefender, Panda Online estarían bien). Deberás pasar ambos con Internet Explorer.
7) Vuelve a pasar el Ccleaner.
8) Reinicia en Modo Normal
9) Activa "Restaurar Sistema" y crea un Punto de Restauración (En Windows XP) si ves que el ordenador quedó desinfectado.

Péganos el reporte del Malwarebytes Anti-Malware (tras realizar un ESCANEO COMPLETO recuerda enviar todo lo que encuentre a la cuarentena ANTES DE COPIAR EL REPORTE).

Por último vuelve a desactivar “Mostrar Archivos Ocultos” (sería el proceso contrario al manual que te puse antes).
La experiencia es una llama que alumbra quemando (Benito Pérez Galdós)


Volver a “Windows XP / X64”

¿Quién está conectado?

Usuarios navegando por este Foro: Yahoo [Bot] y 1 invitado