SpySheriff help please

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

hroachen

Thread Starter
Joined
Jul 15, 2005
Messages
4
Just got infected with SpySheriff today, tried some fixes online but can't seem to get rid of it. Here's an HJT scan log. I did this in XP, not in safe mode. If I need to post something else, please advise.

Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:54:59 AM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
F:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\pdtr\leus.exe
F:\WINDOWS\System32\l?gonui.exe
C:\winstall.exe
F:\WINDOWS\System32\vxh8jkdq2.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\tardisnt.exe
F:\WINDOWS\System32\devldr32.exe
F:\Documents and Settings\Hector E. Roachen\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\System32\kernels32.exe
O2 - BHO: (no name) - {104CDAD8-191C-37EF-6956-4B31C4BEFFED} - F:\WINDOWS\System32\bcj.dll
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - F:\WINDOWS\System32\ztoolb005.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] F:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [QOELOADER] "F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] F:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] F:\WINDOWS\System32\uibuvp.exe
O4 - HKCU\..\Run: [wupd] F:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Rhee] F:\Program Files\pdtr\leus.exe
O4 - HKCU\..\Run: [Arhhvf] F:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] F:\WINDOWS\System32\vxh8jkdq2.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095861830985
O21 - SSODL: Pdf995 - {CB7B4BFB-1DFB-4FCB-B4CA-89AD286CADFD} - c:\pdf995\winnyor32.dll (file missing)
O21 - SSODL: System - {A062FCC0-6E67-4068-8B5F-74F8F8D32D30} - vr_sys.dll (file missing)
O21 - SSODL: Adobe Photoshop v4.0 - {2D630DD4-B4E1-50DC-C403-3D1AF52B381B} - f:\program files\adobe\photoshop\kezuen2.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: svchost.exe (moto) - Unknown owner - F:\WINDOWS\svchost.exe (file missing)
O23 - Service: RadClock - Unknown owner - F:\WINDOWS\system32\RadClock.exe
O23 - Service: Tardis time service (Tardis) - Unknown owner - F:\WINDOWS\System32\tardisnt.exe
 

hroachen

Thread Starter
Joined
Jul 15, 2005
Messages
4
smbd said:
Directions are here. Note, they differ from one OS to another.
I'm okay with those directions right up to the point where it says:
* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

Add entries from the HJT log to be fixed here


I'm not sure what it means to "put a check by these" or "add entries from the HJT log to be fixed here".

Thanks again
 

hroachen

Thread Starter
Joined
Jul 15, 2005
Messages
4
I tried to follow the instructions smbd pointed me at, but ran into some questions as per my past post.

Here's the latest HJT log, just done in safe mode, as well as an ewido scan and an Active Scan log:

HJT first:

Logfile of HijackThis v1.99.1
Scan saved at 12:07:28 AM, on 7/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.exe
F:\Documents and Settings\Hector E. Roachen\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\System32\kernels32.exe
O2 - BHO: (no name) - {104CDAD8-191C-37EF-6956-4B31C4BEFFED} - F:\WINDOWS\System32\bcj.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - F:\WINDOWS\System32\ztoolb005.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System] F:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [QOELOADER] "F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] F:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] F:\WINDOWS\System32\uibuvp.exe
O4 - HKCU\..\Run: [wupd] F:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Rhee] F:\Program Files\pdtr\leus.exe
O4 - HKCU\..\Run: [Arhhvf] F:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [SNInstall] F:\WINDOWS\System32\vxh8jkdq2.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095861830985
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O21 - SSODL: Pdf995 - {CB7B4BFB-1DFB-4FCB-B4CA-89AD286CADFD} - c:\pdf995\winnyor32.dll (file missing)
O21 - SSODL: System - {A062FCC0-6E67-4068-8B5F-74F8F8D32D30} - vr_sys.dll (file missing)
O21 - SSODL: Adobe Photoshop v4.0 - {2D630DD4-B4E1-50DC-C403-3D1AF52B381B} - f:\program files\adobe\photoshop\kezuen2.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: svchost.exe (moto) - Unknown owner - F:\WINDOWS\svchost.exe (file missing)
O23 - Service: RadClock - Unknown owner - F:\WINDOWS\system32\RadClock.exe
O23 - Service: Tardis time service (Tardis) - Unknown owner - F:\WINDOWS\System32\tardisnt.exe


ewido now:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:20:23 PM, 7/15/2005
+ Report-Checksum: 9AB932E0

+ Scan result:

C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
F:\Documents and Settings\Hector E. Roachen\Cookies\hector e. [email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup


::Report End

finally, Active Scan:


Incident | Status | Location
Possible Virus. | No disinfected | F:\WINDOWS\System32\bcj.dll
Adware:adware/azesearch | No disinfected | F:\DOCUMENTS AND SETTINGS\HECTOR E. ROACHEN\FAVORITES\SPORTS\Auto racing.url
Adware:adware/adsmart | No disinfected | F:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/mediatickets | No disinfected | F:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.INF
Spyware:spyware/istbar | No disinfected | F:\DOCUMENTS AND SETTINGS\HECTOR E. ROACHEN\FAVORITES\Adult Sites
Adware:adware/ilookup | No disinfected | F:\DOCUMENTS AND SETTINGS\HECTOR E. ROACHEN\FAVORITES\Gambling
Adware:adware/spywareno | No disinfected | HKEY_CURRENT_USER\SOFTWARE\SNO
Spyware:spyware/bargainbuddy | No disinfected | HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}
Adware:Adware/SpywareNo | No disinfected | C:\Program Files\SpySheriff\IESecurity.dll
Adware:Adware/SpywareNo | No disinfected | C:\Program Files\SpySheriff\ProcMon.dll

Can someone advise me on the next step? I'm still getting the icon in the tray with the "your system is infected" popup.

Thanks for any help.
 

hroachen

Thread Starter
Joined
Jul 15, 2005
Messages
4
I guess I'll just go ahead and format the XP partition and reinstall. This thing is kicking my ***. Thanks anyway.
 
Joined
Jul 21, 2005
Messages
1
I too have been infected with this SpySheriff! I have already tried HijackThis! I have also deleted many unnecessary items, including this SpySheriff thing, but it still pops up when I boot up my PC. This is my logfile....

Logfile of HijackThis v1.99.1
Scan saved at 02:01:26 a.m., on 21/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\ARCHIVOS DE PROGRAMA\PERSYSTEMS\PERAV\PAV.EXE
C:\ARCHIVOS DE PROGRAMA\PERSYSTEMS\PERAV\PERVAC.EXE
C:\ARCHIVOS DE PROGRAMA\PERSYSTEMS\PERAV\PERTSK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\CAPGEDZAC.PIF
C:\WINDOWS\EDISPAC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\SAVE\SAVE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\ADKOI[E.SCR
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\SYMCSVC.EXE
C:\WINSTALL.EXE
C:\WINSTALL.EXE
C:\ARCHIVOS DE PROGRAMA\CAERE\OMNIPAGEPRO90\EREG\REMIND32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\ESCRITORIO\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEESLA/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.buscamelo.com/search.php?keywords=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=C:\WINDOWS\CapGEDZAC.pif
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Archivos de programa\NewDotNet\newdotnet6_38.dll
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\ARCHIVOS DE PROGRAMA\IMESH\IMESH5\IMESHBHO.DLL
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\ARCHIVOS DE PROGRAMA\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Barrita.com - {478F2598-FF02-11D7-93B2-CEFDD0413D40} - C:\ARCHIVOS DE PROGRAMA\INFOSOFT\CLICKDIARIO\BARRITA\BARRITA.OCX
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\ARCHIVOS DE PROGRAMA\IMESHBAR\BAR\1.BIN\IMESHBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Archivos de programa\Save\Save.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\ARCHIV~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WinregB] C:\WINDOWS\SYSTEM\adKoi[E.scr
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [PAV.EXE] C:\ARCHIV~1\PERSYS~1\PERAV\PAV.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\SYSTEM\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINSTALL.EXE
O4 - HKCU\..\RunServices: [wupd] C:\WINDOWS\SYSTEM\symcsvc.exe
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Startup: PER Antivirus.lnk = C:\Archivos de programa\Persystems\Perav\PAV.EXE
O4 - Startup: reminder-Registro del producto ScanSoft.lnk = C:\Archivos de programa\Caere\OmniPagePro90\EREG\REMIND32.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O13 - DefaultPrefix: http://www.barrita.com/r.asp?a=
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {697E51CB-6BBF-492E-8580-C204AFD30976} (isInstallCAB.ucInstallCab) - http://www.barrita.com/ISINSTALLCAB.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {22222222-2222-2222-2200-000000000000} - mhtml:file://c:\archivos%20de%20programa\save\save.htm!file:///edispaC.exe
O16 - DPF: {1E5592CB-8F5B-46F8-9EA6-65C01213808A} (InstaladorBetyByte Control) - http://www.cocacola.es/uploads/cab/instaladorbetybyte.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = adsl
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.48.225.130,200.48.225.146
O18 - Filter: text/html - {F79B2338-A6E7-46D4-9201-422AA6E74F43} - C:\WINDOWS\EAGLEFLT.DLL
O21 - SSODL: System - {B0F19380-F460-11D9-B978-000D87788033} - vr_sys.dll (file missing)


Btw, some folder names are in Spanish :D "archivos de programas" means "program files". Ty in advance!!!!!!
 