
I need help. My antivirus, McAfee, detects the "New Poly Win32" virus but doesn't clean it. I have already installed the ewido security suite but I still have the problem :cry: This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 01:22:07 p.m., on 12/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\virus\security suite\ewidoctrl.exe
C:\virus\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\ELAN.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
c:\archiv~1\mcafee.com\vso\mcvsescn.exe
c:\archivos de programa\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Messenger\msmsgs.exe
c:\archiv~1\mcafee.com\vso\mcvsftsn.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\UTIL\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ugugp.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ugugp.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ugugp.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ugugp.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ugugp.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ugugp.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ugugp.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {04194DC1-FE3C-EB9E-862A-625742602CF4} - C:\WINDOWS\msfn.dll
O2 - BHO: Class - {9563197D-CBB5-1E94-9E31-2D487926BBF9} - C:\WINDOWS\system32\addvu32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.3000.1001\es\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SonicFocus] "C:\Archivos de programa\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\system32\ELAN.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s C:\WINDOWS\System32\kdpupd.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARCHIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_46363] C:\WINDOWS\system32\ActiveScan\pavdr.exe 46363
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Startup: Speedy.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\UTIL\ACELER~1\dapextie.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
O8 - Extra context menu item: Download &all with DAP - C:\UTIL\ACELER~1\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\JUEGOS\Poker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\JUEGOS\Poker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095556043625
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.com/downloads/DownloadPhotos.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25FF35EC-C614-4275-A04A-CA7935F92A78}: NameServer = 200.48.225.130 200.48.225.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{25FF35EC-C614-4275-A04A-CA7935F92A78}: NameServer = 200.48.225.130 200.48.225.146
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apply.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\virus\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\virus\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client (nwclnt) - Unknown owner - C:\WINDOWS\system32\netclnt.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Thank you

5 contributors, 16 replies, 17 views, discussion span 12 years, last post by SArunSR
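The replies that follow read the log above through a handful of hallmarks: a start/search page served via res:// out of a DLL sitting in C:\WINDOWS, unnamed BHOs loading DLLs straight from the Windows directory, a Run entry that re-registers a DLL at every logon, and services with an unknown owner whose binary is missing. As an added example (not part of the original thread, and not a feature of HijackThis or of the tools named in the replies), here is a small Python script that applies those heuristics to lines copied from the log. The severity labels, the regular expressions and the summarize helper are this example's own assumptions; a hit means "look at this entry", not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis lines posted above,
# with a few clean entries (McAfee, ZoneAlarm) left in for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ugugp.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {04194DC1-FE3C-EB9E-862A-625742602CF4} - C:\WINDOWS\msfn.dll
O2 - BHO: Class - {9563197D-CBB5-1E94-9E31-2D487926BBF9} - C:\WINDOWS\system32\addvu32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s C:\WINDOWS\System32\kdpupd.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apply.exe (file missing)
O23 - Service: Network Client (nwclnt) - Unknown owner - C:\WINDOWS\system32\netclnt.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

# A DLL sitting directly in the Windows directory, System32 or System (no vendor subfolder).
WINDIR_DLL = re.compile(r"^[a-z]:\\windows\\(system32\\|system\\)?[^\\]+\.dll$", re.I)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R1", "O2", "O23"
    severity: str  # "high", "review" or "info" (labels are this example's own)
    reason: str
    line: str


def res_dll(value):
    """Return the DLL path behind a res:// URL, or None if the value is not one."""
    m = re.match(r"res://(?P<dll>.+?\.dll)/", value, re.I)
    return m.group("dll") if m else None


def triage_line(line):
    """Classify one HijackThis log line; returns a Finding, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    section, _, rest = line.partition(" - ")

    if section in ("R0", "R1"):
        # IE start/search pages. A page served out of a DLL in the Windows
        # directory via res:// is the hijack that CWShredder / SpSeHjfix go after.
        value = rest.split(" = ", 1)[1] if " = " in rest else ""
        dll = res_dll(value)
        if dll and WINDIR_DLL.match(dll):
            return Finding(section, "high", f"search/start page redirected into {dll}", line)
        return Finding(section, "info", "start/search page setting", line)

    if section == "R3" and "missing" in rest:
        return Finding(section, "review", "default URLSearchHook removed; commonly a side effect of the same hijack", line)

    if section == "O2":
        # Browser Helper Objects: no descriptive name plus a DLL dropped straight
        # into the Windows directory is the combination worth a second look.
        m = re.match(r"BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+)$", rest, re.I)
        if m and m.group("name").strip().lower() == "class" and WINDIR_DLL.match(m.group("path").strip()):
            return Finding(section, "high", f"unnamed BHO loading {m.group('path').strip()}", line)
        return Finding(section, "info", "named BHO", line)

    if section == "O4" and re.search(r"\bregsvr32\b.*\.dll", rest, re.I):
        return Finding(section, "review", "Run entry re-registers a DLL at every logon", line)

    if section == "O23":
        m = re.match(r"Service: (?P<display>.*?) \((?P<name>.*?)\) - (?P<owner>.*?) - (?P<path>.+)$", rest)
        if m:
            if m.group("path").endswith("(file missing)") and m.group("owner") == "Unknown owner":
                return Finding(section, "high", "service with unknown owner whose binary is missing", line)
            if not m.group("name").isascii() or not m.group("name").isprintable():
                return Finding(section, "high", "service with a garbled, non-ASCII name", line)
        return Finding(section, "info", "service", line)

    return Finding(section, "info", "no heuristic for this section", line)


def triage(log_text):
    """Run triage_line over a whole log; blank lines are dropped."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summarize(findings):
    """Count findings per severity, e.g. {'high': 5, 'review': 2, 'info': 4}."""
    counts = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f.severity != "info":
            print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run against the sample, the five "high" hits are exactly the entries the next reply's tools are aimed at (the res:// search pages, the two nameless BHOs, and the two dead services), while McAfee, ZoneAlarm and the Local Page setting stay at "info". The O17 NameServer lines are deliberately not scored: whether 200.48.225.130/146 are legitimate depends on the ISP, which the log cannot tell you.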

Hi,
Download CleanUp! and install it, but do not run it yet.

Download CWShredder. Download SpSeHjfix to the Desktop, then right-click a blank part of the Desktop, select New > Folder, name it spfix, and unzip the file into that folder.

Disconnect from the net and close ALL OPEN PROGRAMS.

Run SpSeHjfix112 and click "Start Disinfection". When it has finished it will reboot your machine to complete the cleaning process. The tool creates a log of the fix, which will appear in the folder.
If it doesn't find any of the SE files or any hidden reinstallers, it will say the system is clean and will not go on to the next stage.

Now run CWShredder and click the "Fix" button.

Now run CleanUp! and click the "Options" button. Move the "Quick Setup" slider to "Thorough CleanUp!" and click "OK" on the warning message.
If you have any Favorites/Bookmarks, uncheck the option "Delete Favorites/Bookmarks".
Exit Options and, in the main window, click "CleanUp!" to start cleaning. After cleaning, click "Close" and choose "Yes" to restart the PC.

Reboot the PC in Normal mode. Run HijackThis, click the "Do a system scan and save log" button, and post the log here along with the SpSeHjFix log.


Now I have a bigger problem. Windows does NOT run.

Error in EXPLORER.EXE: the WININET.dll file cannot be found.

Can I reinstall that file??

HELP


I downloaded the file wininet.dll from the internet and copied it into c:\windows\system32.

Now a new problem:

Drwtsn32.exe has detected an error and must close!

Windows does not run.

Help.


Hi, open Notepad and copy the contents of the "Quote" box below:

regedit /e backup.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"

Go to File > Save As, save the file with the name Test.bat, and exit Notepad.


Next, open a new empty file in Notepad and copy the contents of the "Quote" box below:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug]

Go to File > Save As, type the filename Disable.REG, and save it. Exit Notepad.

Boot into Safe Mode. (Restart the PC, then keep tapping the F8 key. From the menu that is displayed, choose Safe Mode and press Enter.)

Double-click Test.bat first; it produces a text file named backup.txt. Please do not delete this file for now.

Next, double-click Disable.REG and click "Yes" to merge it into the Registry.

Restart the PC into normal mode, check whether you still get the error, and post back. Also, have you performed the scans given in my previous post?


In Safe Mode it is the same problem (drwtsn32.exe error).

Only Safe Mode WITH COMMAND PROMPT (CMD.exe) works fine.

I followed the instructions in your post but the problem continues.

Have I performed the scans given in your previous post?
Not yet, this bigger problem doesn't let me..

This is the drwtsn32 log (Dr. Watson):

Application exception:
Application: C:\WINDOWS\Explorer.EXE (pid=1328)
Date and time: 13/08/2005 at 10:53:46.703
Exception number: c0000005 (access violation)

*----> System Information <----*
Processor: x86 Family 15 Model 2 Stepping 9
Windows version: 5.1
Current build: 2600
Service Pack: 2
Type: Uniprocessor Free

*----> Task List <----*
0 System Process
4 System
340 smss.exe
416 csrss.exe
440 winlogon.exe
484 services.exe
496 lsass.exe
728 svchost.exe
776 svchost.exe
816 svchost.exe
864 svchost.exe
1184 spoolsv.exe
1328 Explorer.EXE
1492 SMax4PNP.exe
1648 ELAN.exe
1676 realsched.exe
1712 mcvsshld.exe
1720 mcagent.exe
1752 McUpdate.exe
1760 rundll32.exe
1780 zlclient.exe
1784 mcvsescn.exe
1828 msmsgs.exe
1844 RealPlay.exe
1928 drwtsn32.exe
1936 OSA.EXE

*----> Module List <----*
(0000000001000000 - 00000000010ff000: C:\WINDOWS\Explorer.EXE
(000000000ffd0000 - 000000000fff8000: C:\WINDOWS\system32\rsaenh.dll
(0000000010000000 - 000000001000d000: C:\virus\security suite\shellhook.dll
(0000000020000000 - 00000000202d6000: C:\WINDOWS\system32\xpsp2res.dll
(00000000365a0000 - 00000000365b5000: C:\MICROS~1\Office10\MCPS.DLL
(000000004eba0000 - 000000004ed43000: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
(0000000058c30000 - 0000000058cc7000: C:\WINDOWS\system32\comctl32.dll
(00000000590e0000 - 00000000590ee000: C:\WINDOWS\system32\wshes.DLL
(00000000597f0000 - 0000000059844000: C:\WINDOWS\system32\NETAPI32.dll
(000000005b150000 - 000000005b188000: C:\WINDOWS\system32\UxTheme.dll
(000000005ba10000 - 000000005ba83000: C:\WINDOWS\System32\themeui.dll
(000000005cef0000 - 000000005cf5e000: C:\WINDOWS\system32\shimgvw.dll
(000000005cf60000 - 000000005cf86000: C:\WINDOWS\system32\ShimEng.dll
(0000000060a20000 - 0000000060a2e000: C:\WINDOWS\system32\MSISIP.DLL
(0000000061df0000 - 0000000061dfe000: C:\WINDOWS\system32\MFC42LOC.DLL
(000000006fdb0000 - 000000006ff7a000: C:\WINDOWS\AppPatch\AcGenral.DLL
(0000000070200000 - 0000000070294000: C:\WINDOWS\system32\WININET.dll
(0000000071a20000 - 0000000071a28000: C:\WINDOWS\system32\WS2HELP.dll
(0000000071a30000 - 0000000071a47000: C:\WINDOWS\system32\WS2_32.dll
(0000000071ce0000 - 0000000071cfc000: C:\WINDOWS\System32\ACTXPRXY.DLL
(0000000072c90000 - 0000000072c98000: C:\WINDOWS\system32\msacm32.drv
(0000000072ca0000 - 0000000072ca9000: C:\WINDOWS\system32\wdmaud.drv
(0000000073d50000 - 0000000073e4e000: C:\WINDOWS\system32\MFC42.DLL
(0000000074650000 - 0000000074677000: C:\WINDOWS\System32\msls31.dll
(0000000074a60000 - 0000000074a68000: C:\WINDOWS\System32\POWRPROF.dll
(0000000074a80000 - 0000000074a8a000: C:\WINDOWS\System32\BatMeter.dll
(0000000074e30000 - 0000000074e40000: C:\WINDOWS\system32\wshext.dll
(0000000075dd0000 - 0000000075e61000: C:\WINDOWS\system32\mlang.dll
(0000000075f30000 - 000000007602c000: C:\WINDOWS\system32\BROWSEUI.dll
(0000000076030000 - 0000000076095000: C:\WINDOWS\system32\MSVCP60.DLL
(0000000076310000 - 0000000076320000: C:\WINDOWS\System32\WINSTA.dll
(0000000076330000 - 0000000076335000: C:\WINDOWS\System32\MSIMG32.dll
(0000000076360000 - 00000000763aa000: C:\WINDOWS\system32\comdlg32.dll
(00000000763b0000 - 0000000076559000: C:\WINDOWS\system32\NETSHELL.dll
(00000000765b0000 - 00000000765cd000: C:\WINDOWS\System32\CSCDLL.dll
(00000000765d0000 - 00000000765f1000: C:\WINDOWS\System32\stobject.dll
(0000000076630000 - 00000000766e4000: C:\WINDOWS\system32\USERENV.dll
(0000000076890000 - 0000000076914000: C:\WINDOWS\system32\CRYPTUI.dll
(0000000076940000 - 0000000076948000: C:\WINDOWS\system32\LINKINFO.dll
(0000000076950000 - 0000000076976000: C:\WINDOWS\system32\ntshrui.dll
(0000000076ae0000 - 0000000076af1000: C:\WINDOWS\system32\ATL.DLL
(0000000076b00000 - 0000000076b2e000: C:\WINDOWS\system32\WINMM.dll
(0000000076bc0000 - 0000000076bef000: C:\WINDOWS\system32\credui.dll
(0000000076bf0000 - 0000000076c1e000: C:\WINDOWS\system32\WINTRUST.dll
(0000000076c50000 - 0000000076c78000: C:\WINDOWS\system32\IMAGEHLP.dll
(0000000076d20000 - 0000000076d39000: C:\WINDOWS\system32\iphlpapi.dll
(0000000076e40000 - 0000000076e4e000: C:\WINDOWS\system32\rtutils.dll
(0000000076f10000 - 0000000076f18000: C:\WINDOWS\System32\WTSAPI32.dll
(0000000076f20000 - 0000000076f4d000: C:\WINDOWS\system32\WLDAP32.dll
(0000000076f90000 - 000000007700f000: C:\WINDOWS\system32\CLBCATQ.DLL
(0000000077010000 - 00000000770e0000: C:\WINDOWS\system32\COMRes.dll
(00000000770f0000 - 000000007717c000: C:\WINDOWS\system32\OLEAUT32.dll
(0000000077230000 - 00000000772cd000: C:\WINDOWS\System32\urlmon.dll
(00000000773a0000 - 00000000774a2000: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
(00000000774b0000 - 00000000775ec000: C:\WINDOWS\system32\ole32.dll
(0000000077730000 - 000000007789c000: C:\WINDOWS\system32\SHDOCVW.dll
(00000000778f0000 - 00000000779e7000: C:\WINDOWS\System32\SETUPAPI.dll
(00000000779f0000 - 0000000077a45000: C:\WINDOWS\System32\cscui.dll
(0000000077a50000 - 0000000077ae5000: C:\WINDOWS\system32\CRYPT32.dll
(0000000077af0000 - 0000000077b02000: C:\WINDOWS\system32\MSASN1.dll
(0000000077b10000 - 0000000077b32000: C:\WINDOWS\system32\appHelp.dll
(0000000077ba0000 - 0000000077ba7000: C:\WINDOWS\system32\midimap.dll
(0000000077bb0000 - 0000000077bc5000: C:\WINDOWS\system32\MSACM32.dll
(0000000077bd0000 - 0000000077bd8000: C:\WINDOWS\system32\VERSION.dll
(0000000077be0000 - 0000000077c38000: C:\WINDOWS\system32\msvcrt.dll
(0000000077d10000 - 0000000077da0000: C:\WINDOWS\system32\USER32.dll
(0000000077da0000 - 0000000077e4c000: C:\WINDOWS\system32\ADVAPI32.dll
(0000000077e50000 - 0000000077ee1000: C:\WINDOWS\system32\RPCRT4.dll
(0000000077ef0000 - 0000000077f36000: C:\WINDOWS\system32\GDI32.dll
(0000000077f40000 - 0000000077fb6000: C:\WINDOWS\system32\SHLWAPI.dll
(0000000077fc0000 - 0000000077fd1000: C:\WINDOWS\System32\Secur32.dll
(000000007c340000 - 000000007c396000: C:\WINDOWS\system32\MSVCR71.dll
(000000007c800000 - 000000007c901000: C:\WINDOWS\system32\kernel32.dll
(000000007c910000 - 000000007c9c6000: C:\WINDOWS\system32\ntdll.dll
(000000007c9d0000 - 000000007d1ee000: C:\WINDOWS\system32\SHELL32.dll
(000000007d4b0000 - 000000007d792000: C:\WINDOWS\System32\mshtml.dll

*----> State Dump for Thread Id 0x534 <----*

eax=00000024 ebx=00000000 ecx=00000006 edx=0007b4f0 esi=80040111 edi=00000024
eip=7c80ac9b esp=0007b4b4 ebp=0007b4bc iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
function: kernel32!GetProcAddress
7c80ac7b 0f8412600300 je kernel32!FindAtomW+0x7334 (7c840c93)
7c80ac81 8b450c mov eax,[ebp+0xc]
7c80ac84 5f pop edi
7c80ac85 5b pop ebx
7c80ac86 c9 leave
7c80ac87 c20800 ret 0x8
7c80ac8a 837d1000 cmp dword ptr [ebp+0x10],0x0
7c80ac8e 0f8581e6ffff jne kernel32!GetTickCount+0x69 (7c809315)
7c80ac94 33ff xor edi,edi
7c80ac96 e981e6ffff jmp kernel32!GetTickCount+0x70 (7c80931c)
ERROR -> 7c80ac9b 8b4e08 mov ecx,[esi+0x8] ds:0023:80040119=????????
7c80ac9e 8b5604 mov edx,[esi+0x4]
7c80aca1 f7d9 neg ecx
7c80aca3 1bc9 sbb ecx,ecx
7c80aca5 83e102 and ecx,0x2
7c80aca8 e97be6ffff jmp kernel32!GetTickCount+0x7c (7c809328)
7c80acad 90 nop
7c80acae 90 nop
7c80acaf 90 nop
7c80acb0 90 nop
7c80acb1 90 nop

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\WININET.dll -
ChildEBP RetAddr Args to Child
0007b4bc 7c80eaf6 0007b4d8 80040111 0007b4f0 kernel32!GetProcAddress+0x73
0007b4fc 7c80eb8b 80040111 00125a48 7ffdec00 kernel32!CreateMutexW+0x3f
0007b51c 70224daf 80040111 00125a48 702780a0 kernel32!CreateMutexA+0x4c
7c920331 408b0000 9090c334 8b909090 ec8b55ff WININET!InternetSetCookieExW+0x2d91
0018a164 006f0052 0074006f 005c0025 00790073 0x408b0000
006d0065 00000000 00000000 00000000 00000000 0x6f0052

*----> Raw Stack Dump <----*
000000000007b4b4 68 4e 22 70 00 00 00 00 - fc b4 07 00 f6 ea 80 7c hN"p...........|
000000000007b4c4 d8 b4 07 00 11 01 04 80 - f0 b4 07 00 68 4e 22 70 ............hN"p
000000000007b4d4 00 ec fd 7f aa f0 91 7c - 00 ec fd 7f 06 00 00 00 .......|........
000000000007b4e4 08 b5 07 00 a0 80 27 70 - 03 00 00 00 06 00 08 00 ......'p........
000000000007b4f4 00 ec fd 7f 00 00 00 00 - 1c b5 07 00 8b eb 80 7c ...............|
000000000007b504 11 01 04 80 48 5a 12 00 - 00 ec fd 7f 48 5a 12 00 ....HZ......HZ..
000000000007b514 03 00 04 00 a0 80 27 70 - 31 03 92 7c af 4d 22 70 ......'p1..|.M"p
000000000007b524 11 01 04 80 48 5a 12 00 - a0 80 27 70 00 00 00 00 ....HZ....'p....
000000000007b534 01 00 00 00 48 5a 12 00 - 4c 4d 22 70 b0 90 27 70 ....HZ..LM"p..'p
000000000007b544 48 5a 12 00 84 b5 07 00 - 00 00 00 00 00 00 00 00 HZ..............
000000000007b554 04 4d 22 70 48 5a 12 00 - f6 4c 22 70 10 5b 22 70 .M"pHZ...L"p.["p
000000000007b564 69 39 20 70 01 00 00 00 - 40 04 00 00 00 00 00 00 i9 p....@.......
000000000007b574 00 00 00 00 00 00 00 00 - 0f 00 00 00 04 00 00 00 ................
000000000007b584 c0 b6 07 00 a1 4b 21 70 - 3c 55 22 70 0e 00 00 00 .....K!p<U"p....
000000000007b594 38 90 27 70 00 00 00 00 - 00 00 00 00 d8 a7 18 00 8.'p............
000000000007b5a4 44 b6 07 00 44 b6 07 00 - 44 b6 07 00 20 00 00 00 D...D...D... ...
000000000007b5b4 20 00 00 00 a8 e2 4c 7d - 88 6e 10 00 00 01 04 80 .....L}.n......
000000000007b5c4 b8 34 12 00 00 00 00 00 - 88 61 14 00 84 07 12 00 .4.......a......
000000000007b5d4 88 48 4c 7d d6 7e 00 00 - 34 b7 07 00 cc 39 f5 77 .HL}.~..4....9.w
000000000007b5e4 a8 03 00 00 02 00 00 00 - 00 00 00 00 44 ba 07 00 ............D...

*----> State Dump for Thread Id 0x5a0 <----*

eax=77e56bf0 ebx=00000000 ecx=00000000 edx=100e2000 esi=000d7a48 edi=00000000
eip=7c91eb94 esp=0195fe1c ebp=0195ff80 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
function: ntdll!KiFastSystemCallRet
7c91eb89 90 nop
7c91eb8a 90 nop
ntdll!KiFastSystemCall:
7c91eb8b 8bd4 mov edx,esp
7c91eb8d 0f34 sysenter
7c91eb8f 90 nop
7c91eb90 90 nop
7c91eb91 90 nop
7c91eb92 90 nop
7c91eb93 90 nop
ntdll!KiFastSystemCallRet:
7c91eb94 c3 ret
7c91eb95 8da42400000000 lea esp,[esp]
7c91eb9c 8d642400 lea esp,[esp]
7c91eba0 90 nop
7c91eba1 90 nop
7c91eba2 90 nop
7c91eba3 90 nop
7c91eba4 90 nop
ntdll!KiIntSystemCall:
7c91eba5 8d542408 lea edx,[esp+0x8]
7c91eba9 cd2e int 2e

*----> Stack Back Trace <----*
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr Args to Child
0195ff80 77e56c22 0195ffa8 77e56a3b 000d7a48 ntdll!KiFastSystemCallRet
0195ff88 77e56a3b 000d7a48 0191eef4 7c92825d RPCRT4!I_RpcBCacheFree+0x5ea
0195ffa8 77e56c0a 000d7900 0195ffec 7c80b50b RPCRT4!I_RpcBCacheFree+0x403
0195ffb4 7c80b50b 000e2050 0191eef4 7c92825d RPCRT4!I_RpcBCacheFree+0x5d2
0195ffec 00000000 77e56bf0 000e2050 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*
000000000195fe1c 99 e3 91 7c 03 67 e5 77 - ac 01 00 00 70 ff 95 01 ...|.g.w....p...
000000000195fe2c 00 00 00 00 b0 46 0e 00 - 54 ff 95 01 00 b4 10 e2 .....F..T.......
000000000195fe3c e0 94 17 e2 01 00 00 00 - 00 00 00 00 40 00 00 00 ............@...
000000000195fe4c 01 00 00 00 01 00 00 00 - 60 bb 84 f4 80 4c 3c 82 ........`....L<.
000000000195fe5c 38 b0 54 80 00 00 00 00 - 6c bb 84 f4 6c bb 84 f4 8.T.....l...l...
000000000195fe6c 70 f6 3f 82 03 ec 4e 80 - 04 00 00 00 10 00 00 00 p.?...N.........
000000000195fe7c 10 b5 fc 81 62 00 00 00 - ae 2d 45 f8 f7 01 00 00 ....b....-E.....
000000000195fe8c 74 d3 38 82 e8 d0 38 82 - 70 d3 38 82 74 bb 84 f4 t.8...8.p.8.t...
000000000195fe9c e3 3e 4e 80 08 e0 fa 81 - 00 50 f1 81 c0 f9 df ff .>N......P......
000000000195feac 00 50 f1 05 90 bb 84 f4 - b1 a1 22 f8 00 00 00 00 .P........".....
000000000195febc 01 3f 25 f8 00 50 f1 81 - ac bb 84 f4 ed 3e 25 f8 .?%..P.......>%.
000000000195fecc 50 83 04 82 01 3f 25 f8 - 00 50 f1 81 6c e2 fa 81 P....?%..P..l...
000000000195fedc 01 00 00 00 c8 bb 84 f4 - 85 2d 25 f8 00 50 f1 81 .........-%..P..
000000000195feec 6a 00 24 f8 00 00 00 00 - 95 ab 22 f8 50 83 04 82 j.$.......".P...
000000000195fefc 00 00 00 00 f9 ab 4d 80 - 08 e0 fa 81 38 80 04 82 ......M.....8...
000000000195ff0c ff ff ff ff 46 02 00 00 - 44 3f 11 82 24 bc 84 f4 ....F...D?..$...
000000000195ff1c 62 c8 4d 80 6a c8 4d 80 - 14 3f 11 82 a8 3d 11 82 b.M.j.M..?...=..
000000000195ff2c dc 3d 11 82 80 ff 95 01 - 99 66 e5 77 4c ff 95 01 .=.......f.wL...
000000000195ff3c a9 66 e5 77 ed 10 91 7c - a8 18 0e 00 50 20 0e 00 .f.w...|....P ..
000000000195ff4c 00 a2 2f 4d ff ff ff ff - 00 5d 1e ee ff ff ff ff ../M.....]......

*----> State Dump for Thread Id 0x5a4 <----*

eax=774c319a ebx=00007530 ecx=7ffdf000 edx=00000000 esi=00000000 edi=0199ff50
eip=7c91eb94 esp=0199ff20 ebp=0199ff78 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

function: ntdll!KiFastSystemCallRet
7c91eb89 90 nop
7c91eb8a 90 nop
ntdll!KiFastSystemCall:
7c91eb8b 8bd4 mov edx,esp
7c91eb8d 0f34 sysenter
7c91eb8f 90 nop
7c91eb90 90 nop
7c91eb91 90 nop
7c91eb92 90 nop
7c91eb93 90 nop
ntdll!KiFastSystemCallRet:
7c91eb94 c3 ret
7c91eb95 8da42400000000 lea esp,[esp]
7c91eb9c 8d642400 lea esp,[esp]
7c91eba0 90 nop
7c91eba1 90 nop
7c91eba2 90 nop
7c91eba3 90 nop
7c91eba4 90 nop
ntdll!KiIntSystemCall:
7c91eba5 8d542408 lea edx,[esp+0x8]
7c91eba9 cd2e int 2e

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ole32.dll -
ChildEBP RetAddr Args to Child
0199ff78 7c802451 0000ea60 00000000 0199ffb4 ntdll!KiFastSystemCallRet
0199ff88 774c2fcb 0000ea60 000e08e8 774c314d kernel32!Sleep+0xf
0199ffb4 7c80b50b 000e08e8 7c920945 7c92094e ole32!StringFromGUID2+0x2d1
0199ffec 00000000 774c319a 000e08e8 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*
000000000199ff20 5c d8 91 7c ed 23 80 7c - 00 00 00 00 50 ff 99 01 \..|.#.|....P...
000000000199ff30 50 25 80 7c f0 56 5d 77 - 30 75 00 00 14 00 00 00 P%.|.V]w0u......
000000000199ff40 01 00 00 00 00 00 00 00 - 00 00 00 00 10 00 00 00 ................
000000000199ff50 00 ba 3c dc ff ff ff ff - 08 4f 4b 77 50 ff 99 01 ..<......OKwP...
000000000199ff60 30 ff 99 01 10 76 0d 00 - dc ff 99 01 f3 99 83 7c 0....v.........|
000000000199ff70 58 24 80 7c 00 00 00 00 - 88 ff 99 01 51 24 80 7c X$.|........Q$.|
000000000199ff80 60 ea 00 00 00 00 00 00 - b4 ff 99 01 cb 2f 4c 77 `............/Lw
000000000199ff90 60 ea 00 00 e8 08 0e 00 - 4d 31 4c 77 00 00 00 00 `.......M1Lw....
000000000199ffa0 45 09 92 7c e8 08 0e 00 - 00 00 4b 77 b5 31 4c 77 E..|......Kw.1Lw
000000000199ffb0 4e 09 92 7c ec ff 99 01 - 0b b5 80 7c e8 08 0e 00 N..|.......|....
000000000199ffc0 45 09 92 7c 4e 09 92 7c - e8 08 0e 00 00 b0 fd 7f E..|N..|........
000000000199ffd0 00 46 3c 82 c0 ff 99 01 - a0 80 24 82 ff ff ff ff .F<.......$.....
000000000199ffe0 f3 99 83 7c 18 b5 80 7c - 00 00 00 00 00 00 00 00 ...|...|........
000000000199fff0 00 00 00 00 9a 31 4c 77 - e8 08 0e 00 00 00 00 00 .....1Lw........
00000000019a0000 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000019a0010 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000019a0020 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000019a0030 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000019a0040 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000019a0050 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................

*----> State Dump for Thread Id 0x5b0 <----*

eax=00597c90 ebx=77d1b762 ecx=019df9e8 edx=7c91eb94 esi=010460d8 edi=00000000
eip=7c91eb94 esp=019dff14 ebp=019dff44 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c91eb89 90 nop
7c91eb8a 90 nop
ntdll!KiFastSystemCall:
7c91eb8b 8bd4 mov edx,esp
7c91eb8d 0f34 sysenter
7c91eb8f 90 nop
7c91eb90 90 nop
7c91eb91 90 nop
7c91eb92 90 nop
7c91eb93 90 nop
ntdll!KiFastSystemCallRet:
7c91eb94 c3 ret
7c91eb95 8da42400000000 lea esp,[esp]
7c91eb9c 8d642400 lea esp,[esp]
7c91eba0 90 nop
7c91eba1 90 nop
7c91eba2 90 nop
7c91eba3 90 nop
7c91eba4 90 nop
ntdll!KiIntSystemCall:
7c91eba5 8d542408 lea edx,[esp+0x8]
7c91eba9 cd2e int 2e

*----> Stack Back Trace <----*
*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\Explorer.EXE
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\SHLWAPI.dll -
ChildEBP RetAddr Args to Child
019dff44 01011e8b 00000000 019dffb4 77f5f5de ntdll!KiFastSystemCallRet
019dff50 77f5f5de 010460d8 0000005c 00860044 Explorer+0x11e8b
019dffb4 7c80b50b 00000000 0000005c 00860044 SHLWAPI!Ordinal505+0x369
019dffec 00000000 77f5f56f 0007fdbc 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*
00000000019dff14 f5 93 d1 77 40 1a 00 01 - 00 00 00 00 d8 60 04 01 ...w@........`..
00000000019dff24 00 00 00 00 6e 00 01 00 - 13 01 00 00 09 00 00 00 ....n...........
00000000019dff34 00 00 00 00 3b 1f 01 00 - 90 01 00 00 2c 01 00 00 ....;.......,...
00000000019dff44 50 ff 9d 01 8b 1e 01 01 - 00 00 00 00 b4 ff 9d 01 P...............
00000000019dff54 de f5 f5 77 d8 60 04 01 - 5c 00 00 00 44 00 86 00 ...w.`..\...D...
00000000019dff64 bc fd 07 00 62 1e 01 01 - b1 79 01 01 1c 02 00 00 ....b....y......
00000000019dff74 d8 60 04 01 08 00 00 00 - 00 00 00 00 00 00 00 00 .`..............
00000000019dff84 00 00 00 00 00 00 00 00 - a0 36 6b 81 41 a8 4f 80 .........6k.A.O.
00000000019dff94 00 00 00 00 00 00 00 00 - 00 00 00 00 21 a8 4f 80 ............!.O.
00000000019dffa4 9c 7c 8c f4 00 00 00 00 - 00 00 00 00 dc e2 91 7c .|.............|
00000000019dffb4 ec ff 9d 01 0b b5 80 7c - 00 00 00 00 5c 00 00 00 .......|....\...
00000000019dffc4 44 00 86 00 bc fd 07 00 - 00 d0 fd 7f 00 46 3c 82 D............F<.
00000000019dffd4 c0 ff 9d 01 b8 39 6e 81 - ff ff ff ff f3 99 83 7c .....9n........|
00000000019dffe4 18 b5 80 7c 00 00 00 00 - 00 00 00 00 00 00 00 00 ...|............
00000000019dfff4 6f f5 f5 77 bc fd 07 00 - 00 00 00 00 00 00 00 00 o..w............
00000000019e0004 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000019e0014 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000019e0024 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000019e0034 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000019e0044 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................

*----> State Dump for Thread Id 0x5b4 <----*

eax=7c93798d ebx=00000000 ecx=77da6a51 edx=77da6a18 esi=ffffffff edi=7c91fb78
eip=7c91eb94 esp=01a1ff9c ebp=01a1ffb4 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c91eb89 90 nop
7c91eb8a 90 nop
ntdll!KiFastSystemCall:
7c91eb8b 8bd4 mov edx,esp
7c91eb8d 0f34 sysenter
7c91eb8f 90 nop
7c91eb90 90 nop
7c91eb91 90 nop
7c91eb92 90 nop
7c91eb93 90 nop
ntdll!KiFastSystemCallRet:
7c91eb94 c3 ret
7c91eb95 8da42400000000 lea esp,[esp]
7c91eb9c 8d642400 lea esp,[esp]
7c91eba0 90 nop
7c91eba1 90 nop
7c91eba2 90 nop
7c91eba3 90 nop
7c91eba4 90 nop
ntdll!KiIntSystemCall:
7c91eba5 8d542408 lea edx,[esp+0x8]
7c91eba9 cd2e int 2e

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr Args to Child
01a1ffb4 7c80b50b 00000000 7c91fb78 ffffffff ntdll!KiFastSystemCallRet
01a1ffec 00000000 7c93798d 00000000 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Muestra de pilas sin procesar <----*

*----> Estado para identificador de subproceso 0x5b8 <----*

eax=bb40ff08 ebx=00000000 ecx=7c9d6400 edx=00000079 esi=00000000 edi=000004a0
eip=7c91eb94 esp=01a5f16c ebp=01a5f1d4 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

función: ntdll!KiFastSystemCallRet
7c91eb89 90 nop
7c91eb8a 90 nop
ntdll!KiFastSystemCall:
7c91eb8b 8bd4 mov edx,esp
7c91eb8d 0f34 sysenter
7c91eb8f 90 nop
7c91eb90 90 nop
7c91eb91 90 nop
7c91eb92 90 nop
7c91eb93 90 nop
ntdll!KiFastSystemCallRet:
7c91eb94 c3 ret
7c91eb95 8da42400000000 lea esp,[esp]
7c91eb9c 8d642400 lea esp,[esp]
7c91eba0 90 nop
7c91eba1 90 nop
7c91eba2 90 nop
7c91eba3 90 nop
7c91eba4 90 nop
ntdll!KiIntSystemCall:
7c91eba5 8d542408 lea edx,[esp+0x8]
7c91eba9 cd2e int 2e

0

Hi,
Boot in Safe Mode or Command Prompt mode, and type sfc /scannow and press the ENTER key. This runs System File Checker, which scans the system files and restores them if any of them are found to be missing or corrupt. You may require the Windows CD.

Note that there is a SPACE between sfc and /. After SFC is run, please check whether you get any errors and post back the results.

0

The SFC is not working.
It shows me this error:

"can't start a search of protected system files.
Error Code 0x000006ba (RPC Server is not available)"

HELP.

0

1. See if the information in this Microsoft article helps you fix the SFC error; it would be good to see if we can get you to a point where you can run the SFC scan.

2. Is it possible that you got the wrong version of the wininet.dll file?

Also, the following might help:

* Click on the "Run..." option under your Start menu and type the following in the resulting "Open:" box:

regsvr32 c:\windows\system32\wininet.dll

Reboot and see if the problem persists.

0

@DMR, thank you very much, for your help:D
@arcangel_1231, are you receiving the "New Poly Win32" alert from McAfee? Have you performed the steps provided by me in my previous post? If not, please run those tools and post the results.

0

@DMR, thank you very much, for your help:D

You're welcome swatkat, and thanks for having a look at that thread I was having trouble with. :)

arcangel_1231,

For the benefit of other members who might encounter similar problems, can you please tell us which of our suggestions finally helped to solve your problem?

Also, please do follow up on swatkat's previously-posted suggestions and let us know the results so that we can be sure that your system is really clean.

Thanks.

0

Hi,
I have a similar problem. I have followed your instructions but I am hesitant to click fix checked. Can I post my logs for your review? And if so, is there any issue of whatever this is going with them?

Thanks,
Jim

0

Hi jimnbcc,
Welcome to Daniweb :) New Poly Win32 is actually a heuristic detection by McAfee, and the infected filenames can vary from one PC to another. So it's better to post your log here. Please start a new topic and post a new HijackThis log in that topic only. You can start a new topic in the Viruses, Spyware and other net nasties section by clicking the "New Topic" button at the top-left corner of that page.

0

Hi jimnbcc,
Welcome to Daniweb :) New Poly Win32 is actually a heuristic detection by McAfee, and the infected filenames can vary from one PC to another. So it's better to post your log here. Please start a new topic and post a new HijackThis log in that topic only. You can start a new topic in the Viruses, Spyware and other net nasties section by clicking the "New Topic" button at the top-left corner of that page.

Hi Swatkit,

Attached is the log from last night's run. I will open a thread in the forum 'Viruses...' and post the log from tonight's run.

Thanks,
Jim

Attachments
Logfile of HijackThis v1.99.1
Scan saved at 9:33:31 PM, on 10/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\Vibe\CONNEC~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\ePOAgent\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE.tmp.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\rewu\hcup.exe
C:\winstall.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {B7AB7AD2-46BB-CA24-9B31-457CF005AB51} - C:\WINNT\system32\apihb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [FE.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE.tmp.exe
O4 - HKLM\..\Run: [FE.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE.tmp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Unbc] C:\Program Files\rewu\hcup.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted IP range: http://198.164.135.10
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4897
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nbccwood.nb.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nbccwood.nb.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nbccwood.nb.ca
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Vibe\CONNEC~1\app\pppoeservice.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
0
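As an added triage example (not code from this thread, from HijackThis or from any of the posters), here is a small Python script that scans lines in the log format posted above for the entry types the helpers look at first: Run keys launching from a Temp directory or the drive root, a missing default URLSearchHook, IPs added to the Trusted Zone, DPF (ActiveX download) entries, and BHOs with no or a generic name. The sample lines are constructed from entries in the posted log, and the heuristics are my own: a hit means "verify this file", not "confirmed malware".

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries in the
# log posted above (a legitimate QuickTime entry is included as a control).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B7AB7AD2-46BB-CA24-9B31-457CF005AB51} - C:\WINNT\system32\apihb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FE.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FE.tmp.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted IP range: http://198.164.135.10
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4897
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)                   # ...\Temp\...
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)  # C:\name.exe
GENERIC_BHO_RE = re.compile(r"^O2 - BHO: (\(no name\)|Class) -")

def exe_path(cmd: str) -> str:
    """Extract the executable path from a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def triage(log_text: str) -> list:
    """Return (line, reason) pairs for entries an analyst should verify first."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            if TEMP_RE.search(path):
                findings.append((line, "autostart runs from a Temp directory"))
            elif ROOT_EXE_RE.match(path):
                findings.append((line, "autostart runs from the drive root"))
        elif line.startswith("R3 - ") and "missing" in line:
            findings.append((line, "default URLSearchHook missing (often removed by hijackers)"))
        elif line.startswith("O15 - Trusted IP range"):
            findings.append((line, "IP address added to IE Trusted Zone"))
        elif line.startswith("O16 - DPF"):
            findings.append((line, "ActiveX download entry: confirm the source is wanted"))
        elif GENERIC_BHO_RE.match(line):
            findings.append((line, "BHO with no/generic name: verify the DLL"))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a saved log to get the flagged entries with their reasons; the QuickTime control line is not flagged.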

jimnbcc,

Please follow swatkat's advice:

Please start a new topic and post a new HijackThis log in that topic only. You can start a new topic in Viruses, Spyware and other net nasties section by clicking the "New Topic" button at the top-left corner of that page.

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

0

I got a NewPoly Win32 virus yesterday. It places itself in the C:\Windows\Temp folder & keeps multiplying & gives itself different codes to escape antivirus software. It slows down the computer really bad. It took me 15 mins. to go to a webpage & 45 mins. to write a CD. AVG, McAfee couldn't detect it in the morning. Then, I ran BitDefender in the evening & it couldn't detect either, but McAfee detected it after I ran BitDefender. McAfee is the only AV which detects this new virus, but it cannot clean or delete or quarantine it.

Then, I ran Task Manager, ended all processes except Windows system processes, I even shut all antivirus software. I went to the Temp folder & deleted the virus and then the entire Temp folder successfully. The virus cropped up again on restart, I did the same actions & deleted it again. One interesting thing is that it hasn't affected other users on the same computer. Then, I uninstalled some software which I suspected. Today, I started again & found no virus so far. Hope this is useful for some people.
