Damn, I did something wrong and I'm infected


DanPi

I've tried to follow your basic steps but I didn't succeed:

- I've downloaded Malwarebytes and updated it, but during execution it stopped running.

- I did the same with DeFogger and, as you can see, I've attached my defogger_disable.log.

- I also downloaded DDS; here are my two logs (attach.rar and dds.txt).

I first tried to use GMER, but it also stopped during execution.

I would appreciate any help.

Thanks a lot,


  • Staff

Hi and welcome to Malwarebytes.

Don't attach logs unless otherwise specified.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs its runtime log to the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log name looks like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.

-screen317


Hi screen317, and thank you for your help.

Here is the TDSSKiller log:

2011/09/20 17:18:20.0453 3492 TDSS rootkit removing tool 2.5.23.0 Sep 20 2011 08:53:10

2011/09/20 17:18:20.0500 3492 ================================================================================

2011/09/20 17:18:20.0500 3492 SystemInfo:

2011/09/20 17:18:20.0500 3492

2011/09/20 17:18:20.0500 3492 OS Version: 5.1.2600 ServicePack: 3.0

2011/09/20 17:18:20.0500 3492 Product type: Workstation

2011/09/20 17:18:20.0500 3492 ComputerName: TORNS

2011/09/20 17:18:20.0500 3492 UserName: dani

2011/09/20 17:18:20.0500 3492 Windows directory: C:\WINDOWS

2011/09/20 17:18:20.0500 3492 System windows directory: C:\WINDOWS

2011/09/20 17:18:20.0500 3492 Processor architecture: Intel x86

2011/09/20 17:18:20.0500 3492 Number of processors: 2

2011/09/20 17:18:20.0500 3492 Page size: 0x1000

2011/09/20 17:18:20.0500 3492 Boot type: Normal boot

2011/09/20 17:18:20.0500 3492 ================================================================================

2011/09/20 17:18:22.0109 3492 Initialize success

2011/09/20 17:18:46.0140 3560 ================================================================================

2011/09/20 17:18:46.0140 3560 Scan started

2011/09/20 17:18:46.0140 3560 Mode: Manual;

2011/09/20 17:18:46.0140 3560 ================================================================================

2011/09/20 17:18:48.0390 3560 Cdrom (1aa54c43ae9817c0a332a1d851c76f98) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/09/20 17:18:48.0390 3560 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 1aa54c43ae9817c0a332a1d851c76f98, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe

2011/09/20 17:18:48.0390 3560 Cdrom - detected Rootkit.Win32.ZAccess.e (0)

2011/09/20 17:18:49.0359 3560 e479ddf6 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\4141709796:461775369.exe

2011/09/20 17:18:50.0265 3560 Suspicious file (Hidden): C:\WINDOWS\4141709796:461775369.exe. md5: 8f2bb1827cac01aee6a16e30a1260199

2011/09/20 17:18:50.0265 3560 e479ddf6 - detected HiddenFile.Multi.Generic (1)

2011/09/20 17:19:05.0921 3560 ================================================================================

2011/09/20 17:19:05.0921 3560 Scan finished

2011/09/20 17:19:05.0921 3560 ================================================================================

2011/09/20 17:19:05.0937 3552 Detected object count: 2

2011/09/20 17:19:05.0937 3552 Actual detected object count: 2

2011/09/20 17:19:35.0375 3552 Cdrom (1aa54c43ae9817c0a332a1d851c76f98) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/09/20 17:19:35.0375 3552 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 1aa54c43ae9817c0a332a1d851c76f98, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe

2011/09/20 17:19:35.0687 3552 Backup copy found, using it..

2011/09/20 17:19:35.0687 3552 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured after reboot

2011/09/20 17:19:35.0687 3552 Rootkit.Win32.ZAccess.e(Cdrom) - User select action: Cure

2011/09/20 17:19:35.0687 3552 HiddenFile.Multi.Generic(e479ddf6) - User select action: Skip

2011/09/20 17:21:57.0156 3488 Deinitialize success

And also the DDS.txt file:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by dani at 17:29:36 on 2011-09-20

Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1791.1365 [GMT 2:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Archivos de programa\Java\jre6\bin\jqs.exe

C:\Archivos de programa\quasiMwareBtes\mbamservice.exe

C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Archivos de programa\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Archivos de programa\Trend Micro\RUBotted\RUBotSrv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\4141709796:461775369.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Archivos de programa\Real\RealPlayer\update\realsched.exe

C:\Archivos de programa\Trend Micro\RUBotted\RUBottedGUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Archivos de programa\Kies\KiesTrayAgent.exe

C:\Archivos de programa\Kies\External\FirmwareUpdate\KiesPDLR.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\datos de programa\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll

BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\archiv~1\textware\quickf~1\plugins\IEHelp.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [KiesTrayAgent] c:\archivos de programa\kies\KiesTrayAgent.exe

uRun: [KiesPDLR] c:\archivos de programa\kies\external\firmwareupdate\KiesPDLR.exe

uRun: [Google Update] "c:\documents and settings\dani\configuración local\datos de programa\google\update\GoogleUpdate.exe" /c

uRun: [swg] "c:\archivos de programa\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"

mRun: [skyTel] SkyTel.EXE

mRun: [TkBellExe] "c:\archivos de programa\real\realplayer\update\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\archivos de programa\quicktime\qttask.exe" -atboottime

mRun: [Trend Micro RUBotted V2.0 Beta] c:\archivos de programa\trend micro\rubotted\RUBottedGUI.exe

mRun: [Malwarebytes' Anti-Malware] "c:\archivos de programa\quasimwarebtes\mbamgui.exe" /starttray

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\archivos de programa\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\dani\datos de programa\mozilla\firefox\profiles\fbog7y6c.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\archivos de programa\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\archivos de programa\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\archivos de programa\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\documents and settings\all users\datos de programa\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\datos de programa\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\dani\configuración local\datos de programa\google\update\1.3.21.65\npGoogleUpdate3.dll

.

============= SERVICES / DRIVERS ===============

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]

R2 MBAMService;MBAMService;c:\archivos de programa\quasimwarebtes\mbamservice.exe [2011-9-14 366640]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 RUBotSrv;Trend Micro RUBotted Service;c:\archivos de programa\trend micro\rubotted\RUBotSrv.exe [2011-9-14 439632]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-14 22712]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ekrn;ESET Service;c:\archivos de programa\eset\eset smart security\ekrn.exe [2009-5-14 731840]

S2 gupdate;Servei d'actualització de Google (gupdate);c:\archivos de programa\google\update\GoogleUpdate.exe [2011-6-27 136176]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2011-9-13 29208]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2011-9-13 29208]

S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2011-7-1 20032]

S3 gupdatem;Servei de Google Update (gupdatem);c:\archivos de programa\google\update\GoogleUpdate.exe [2011-6-27 136176]

S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2011-7-1 98560]

S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2011-7-1 14848]

S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2011-7-1 123648]

S3 ssceserd;SAMSUNG Mobile Modem Diagnostic Serial Port V2 (WDM);c:\windows\system32\drivers\ssceserd.sys [2011-7-1 100352]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-19 14336]

.

=============== Created Last 30 ================

.

2011-09-20 15:23:02 48016 --sha-w- c:\windows\system32\c_09191.nl_

2011-09-14 17:25:09 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-14 17:25:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-14 17:25:06 -------- d-----w- c:\archivos de programa\quasiMwareBtes

2011-09-14 10:27:09 -------- d-----w- c:\archivos de programa\WinPcap

2011-09-14 10:26:58 -------- d-----w- c:\archivos de programa\Trend Micro

2011-09-13 16:13:45 -------- d-sh--r- C:\cmdcons

2011-09-13 16:13:44 -------- d-----w- c:\windows\setup.pss

2011-09-13 16:05:46 -------- d-----w- c:\archivos de programa\quasiMalwarebytes' Anti-Malware

2011-09-13 01:53:52 -------- d-----w- c:\documents and settings\dani\datos de programa\AVGTOOLBAR

2011-09-13 01:52:18 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2011-09-13 01:52:18 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2011-09-13 01:52:16 -------- d-----w- c:\archivos de programa\AVGold

2011-09-13 01:52:15 -------- d-----w- c:\documents and settings\all users\datos de programa\avg8

2011-09-13 01:26:13 -------- d-----w- c:\archivos de programa\CCleaner

2011-09-12 18:14:50 -------- d-----w- c:\documents and settings\dani\datos de programa\Malwarebytes

2011-09-12 18:14:43 -------- d-----w- c:\documents and settings\all users\datos de programa\Malwarebytes

2011-09-12 17:17:27 -------- d-----w- c:\documents and settings\dani\datos de programa\WindSolutions

2011-09-12 17:17:27 -------- d-----w- c:\documents and settings\all users\datos de programa\WindSolutions

2011-09-10 18:46:54 -------- d-----w- c:\archivos de programa\Transparent

2011-09-10 18:46:22 696320 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\iKernel.dll

2011-09-10 18:46:22 57344 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\ctor.dll

2011-09-10 18:46:22 5632 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe

2011-09-10 18:46:22 237568 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\iscript.dll

2011-09-10 18:46:22 155648 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\iuser.dll

2011-09-10 18:46:21 163972 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\iGdi.dll

2011-09-10 18:46:20 282756 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\setup.dll

2011-09-10 17:38:42 -------- d-----w- c:\archivos de programa\Auralog

2011-09-10 17:01:20 -------- d-----w- c:\documents and settings\dani\datos de programa\oald8

2011-09-10 16:46:47 -------- d-----w- c:\archivos de programa\Oxford

2011-09-10 16:46:03 306688 ----a-w- c:\windows\IsUninst.exe

2011-09-09 11:58:35 -------- d-----w- c:\documents and settings\dani\datos de programa\uTorrent

2011-09-09 11:30:45 -------- d-----w- c:\archivos de programa\uTorrent

2011-09-03 11:37:14 -------- d-----w- c:\documents and settings\dani\datos de programa\facemoods.com

2011-09-03 10:17:15 605184 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-09-02 17:35:54 -------- d-----w- c:\archivos de programa\JDownloader

2011-08-31 16:17:33 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin7.dll

2011-08-31 16:17:33 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin6.dll

2011-08-31 16:17:33 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin5.dll

2011-08-31 16:17:33 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin4.dll

2011-08-31 16:17:32 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin3.dll

2011-08-31 16:17:32 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin2.dll

2011-08-31 16:17:32 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin.dll

2011-08-31 16:16:43 1409 ----a-w- c:\windows\QTFont.for

2011-08-31 15:50:12 26992 ----a-w- c:\windows\system\CTL3DV2.DLL

2011-08-31 15:23:15 53248 ----a-w- c:\windows\system32\jmam.dll

2011-08-31 15:23:14 73728 ----a-w- c:\windows\system32\jmutil.dll

2011-08-31 15:23:14 32768 ----a-w- c:\windows\system32\jmfjawt.dll

2011-08-31 15:19:22 -------- d-----w- C:\Program Files

2011-08-31 15:19:21 -------- d-----w- C:\wimba

2011-08-31 15:19:21 -------- d-----w- c:\archivos de programa\Wimba

2011-08-31 15:16:20 -------- d-----w- C:\Longman CD-ROMs - Lab

2011-08-31 15:15:12 -------- d--h--w- c:\archivos de programa\Zero G Registry

2011-08-31 15:14:35 -------- d-----w- C:\temp

2011-08-30 17:34:30 -------- d-----w- c:\documents and settings\dani\datos de programa\EnglishVocabularyInUse

2011-08-30 16:44:37 -------- d-----w- c:\windows\system32\Adobe

2011-08-30 16:43:54 802816 ----a-w- c:\windows\system32\imagXRA7.dll

2011-08-30 16:43:54 497296 ----a-w- c:\windows\system32\imagXpr7.dll

2011-08-30 16:43:54 368640 ----a-w- c:\windows\system32\TwnLib4.dll

2011-08-30 16:43:54 258048 ----a-w- c:\windows\system32\imagXR7.dll

2011-08-30 16:43:54 1757184 ----a-w- c:\windows\system32\imagX7.dll

2011-08-30 16:43:53 -------- d-----w- c:\documents and settings\all users\datos de programa\Nero

2011-08-30 16:43:53 -------- d-----w- c:\archivos de programa\Nero

2011-08-26 15:08:21 -------- d-----w- c:\windows\system32\System32

.

==================== Find3M ====================

.

2011-09-20 15:22:29 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-09-09 09:32:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-03 10:17:15 605184 ----a-w- c:\windows\system32\crypt32.dll

2011-08-08 17:55:11 108144 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-01 18:12:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-01 18:12:39 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-27 00:51:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-06-27 00:51:14 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-06-25 12:23:32 717296 ----a-w- c:\windows\system32\drivers\sptd.sys

2011-06-25 00:43:27 315392 ----a-w- c:\windows\HideWin.exe

2011-06-24 14:10:39 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:30:56 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:30:56 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:30:56 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:34 385024 ------w- c:\windows\system32\html.iec

.

============= FINISH: 17:30:35,00 ===============

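As an added example (not part of this thread, and not code from DDS, ComboFix or Malwarebytes), here is a small Python triage script for the kind of listing posted above. It parses the timestamped file-listing lines that DDS and ComboFix print, plus catchme's "hidden files" lines, and flags the entries a responder would look at first: a system32 folder nested inside system32, a path carrying an NTFS alternate data stream, hidden+system attributes under %windir%, and a system32 file whose size no longer matches its dllcache copy. The sample lines are constructed to mirror lines in the logs in this thread (the redbook.sys size mismatch is invented for the demonstration); the checks are heuristics for review, not verdicts.

```python
"""Triage helper for DDS / ComboFix file-listing lines.

Added example, not part of the forum thread and not code from DDS, ComboFix or
Malwarebytes. The sample lines are constructed to mirror the log format shown
in the thread; the redbook.sys size mismatch is invented for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DDS:      "2011-09-03 10:17:15 605184 -c----w- c:\windows\system32\dllcache\crypt32.dll"
# ComboFix: "2011-09-20 15:23 . 2011-09-20 15:23 48016 --sha-w- c:\windows\system32\c_09191.nl_"
_LISTING_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"  # DDS has seconds, ComboFix does not
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"                # ComboFix appends " . <creation time>"
    r"\s+(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>[A-Za-z]:\\.+)$"
)
# catchme: "c:\windows\vell4141709796:461775369.exe 816 bytes executable"
_CATCHME_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes(?: (?P<kind>\w+))?$")


@dataclass
class FileEntry:
    mtime: Optional[str]          # None for catchme lines, which carry no timestamp
    size: Optional[int]           # None for directories ("--------" in the size column)
    attrs: str                    # eight-character DDS attribute string, "" when unknown
    path: str
    hidden_by_rootkit: bool = False  # True when the line came from catchme's hidden-file scan


def parse_line(line: str) -> Optional[FileEntry]:
    """Return a FileEntry for a listing or catchme line, None for anything else."""
    line = line.strip()
    m = _LISTING_RE.match(line)
    if m:
        size = m.group("size")
        return FileEntry(m.group("mtime"), None if size.startswith("-") else int(size),
                         m.group("attrs"), m.group("path"))
    m = _CATCHME_RE.match(line)
    if m:
        return FileEntry(None, int(m.group("size")), "", m.group("path"), hidden_by_rootkit=True)
    return None


def triage(lines) -> List[Tuple[str, str]]:
    """Run the review heuristics over raw log lines; returns (path, reason) pairs."""
    entries = [e for e in map(parse_line, lines) if e]
    findings: List[Tuple[str, str]] = []
    for e in entries:
        p = e.path.lower()
        if "\\system32\\system32" in p:
            findings.append((e.path, "system32 nested inside system32 is not a Windows layout"))
        if ":" in e.path[2:]:  # a colon after the drive spec marks an alternate data stream
            findings.append((e.path, "NTFS alternate data stream hides content behind a normal name"))
        if p.startswith("c:\\windows") and "s" in e.attrs and "h" in e.attrs:
            findings.append((e.path, "hidden+system attributes set under %windir%"))
        if e.hidden_by_rootkit:
            findings.append((e.path, "invisible to the Win32 API but present on disk (catchme)"))

    # Windows File Protection keeps a pristine copy in system32\dllcache. A size that
    # differs from the live copy in system32 (or system32\drivers) means one was replaced.
    live: Dict[str, FileEntry] = {}
    cache: Dict[str, FileEntry] = {}
    for e in entries:
        if e.size is None:
            continue
        p = e.path.lower()
        name = p.rsplit("\\", 1)[-1]
        if "\\system32\\dllcache\\" in p:
            cache[name] = e
        elif "\\system32\\" in p:
            live[name] = e
    for name, c in cache.items():
        l = live.get(name)
        if l is not None and l.size != c.size:
            findings.append((l.path, f"size {l.size} differs from dllcache copy ({c.size})"))
    return findings


# Constructed sample lines mirroring the DDS, ComboFix and catchme output in this thread.
SAMPLE_LINES = [
    r"2011-09-03 10:17:15 605184 -c----w- c:\windows\system32\dllcache\crypt32.dll",
    r"2011-09-03 10:17:15 605184 ----a-w- c:\windows\system32\crypt32.dll",
    r"2011-09-23 21:05 . 2008-04-14 01:51 58880 -c--a-w- c:\windows\system32\dllcache\redbook.sys",
    r"2011-09-23 21:05 . 2008-04-14 01:51 61440 ----a-w- c:\windows\system32\drivers\redbook.sys",  # invented mismatch
    r"2011-08-26 15:08:21 -------- d-----w- c:\windows\system32\System32",
    r"2011-09-20 15:23 . 2011-09-20 15:23 48016 --sha-w- c:\windows\system32\c_09191.nl_",
    r"2011-09-10 17:38:42 -------- d-----w- c:\archivos de programa\Auralog",
    r"c:\windows\vell4141709796:461775369.exe 816 bytes executable",
    "scanning hidden files ...",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES):
        print(f"{path}\n    {reason}")
```

Feed it a whole DDS.txt or ComboFix.txt (one line per element) and it ignores everything that is not a file entry; the dllcache comparison only works when both copies appear in the same log, as they do for crypt32.dll and redbook.sys above.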

Hi again screen317,

These are the files I obtained by following your instructions:

1. The ComboFix.txt

ComboFix 11-09-23.03 - dani 23/09/2011 23:10:33.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1791.1451 [GMT 2:00]

Running from: c:\documents and settings\dani\Escritorio\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\dani\Datos de programa\facemoods.com

c:\windows\$NtUninstallKB50800$

c:\windows\$NtUninstallKB50800$\3053283638

c:\windows\$NtUninstallKB50800$\3833191926\@

c:\windows\$NtUninstallKB50800$\3833191926\L\wnwanoyv

c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}

c:\windows\ehome\medctrro.exe

c:\windows\system32\

c:\windows\system32\c_09191.nls

c:\windows\system32\d3d9caps.dat

c:\windows\system32\system32

c:\windows\system32\system32\3DAudio.ax

c:\windows\system32\system32\avrt.dll

c:\windows\system32\system32\cis-2.4.dll

c:\windows\system32\system32\issacapi_bs-2.3.dll

c:\windows\system32\system32\issacapi_pe-2.3.dll

c:\windows\system32\system32\issacapi_se-2.3.dll

c:\windows\system32\system32\MACXMLProto.dll

c:\windows\system32\system32\MaDRM.dll

c:\windows\system32\system32\MaJGUILib.dll

c:\windows\system32\system32\MAMACExtract.dll

c:\windows\system32\system32\MASetupCleaner.exe

c:\windows\system32\system32\MaXMLProto.dll

c:\windows\system32\system32\mfplat.dll

c:\windows\system32\system32\MK_Lyric.dll

c:\windows\system32\system32\MSCLib.dll

c:\windows\system32\system32\MSFLib.dll

c:\windows\system32\system32\MSLUR71.dll

c:\windows\system32\system32\msvcp60.dll

c:\windows\system32\system32\MTTELECHIP.dll

c:\windows\system32\system32\MTXSYNCICON.dll

c:\windows\system32\system32\muzaf1.dll

c:\windows\system32\system32\muzapp.dll

c:\windows\system32\system32\muzapp.exe

c:\windows\system32\system32\muzdecode.ax

c:\windows\system32\system32\muzeffect.ax

c:\windows\system32\system32\muzmp4sp.ax

c:\windows\system32\system32\muzmpgsp.ax

c:\windows\system32\system32\muzoggsp.ax

c:\windows\system32\system32\muzwmts.dll

c:\windows\system32\system32\psapi.dll

.

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected

Restored copy from - The cat found it :)

c:\archivos de programa\Java\jre6\bin\jqs.exe . . . is infected!!

c:\archivos de programa\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\archivos de programa\quasiMwareBtes\mbamservice.exe . . . is infected!!

c:\archivos de programa\quasiMwareBtes\mbamservice.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe . . . is infected!!

c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\archivos de programa\CDBurnerXP\NMSAccessU.exe . . . is infected!!

c:\archivos de programa\CDBurnerXP\NMSAccessU.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\windows\system32\nvsvc32.exe . . . is infected!!

c:\windows\system32\nvsvc32.exe . . . was deleted!! You should re-install the program it pertains to

.

c:\archivos de programa\Trend Micro\RUBotted\RUBotSrv.exe . . . is infected!!

c:\archivos de programa\Trend Micro\RUBotted\RUBotSrv.exe . . . was deleted!! You should re-install the program it pertains to

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_e479ddf6

.

.

((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))

.

.

2011-09-23 21:05 . 2008-04-14 01:51 58880 -c--a-w- c:\windows\system32\dllcache\redbook.sys

2011-09-23 21:05 . 2008-04-14 01:51 58880 ----a-w- c:\windows\system32\drivers\redbook.sys

2011-09-23 20:22 . 2011-09-23 20:22 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Trend Micro

2011-09-20 15:23 . 2011-09-20 15:23 48016 --sha-w- c:\windows\system32\c_09191.nl_

2011-09-15 10:34 . 2011-09-15 10:34 0 ---ha-w- c:\documents and settings\dani\Configuración local\Datos de programa\BITC.tmp

2011-09-14 17:25 . 2011-05-29 07:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-14 17:25 . 2011-09-23 21:18 -------- d-----w- c:\archivos de programa\quasiMwareBtes

2011-09-14 17:25 . 2011-05-29 07:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-14 10:27 . 2011-09-14 10:27 -------- d-----w- c:\archivos de programa\WinPcap

2011-09-14 10:26 . 2011-09-14 10:26 -------- d-----w- c:\archivos de programa\Trend Micro

2011-09-13 16:05 . 2011-09-13 16:41 -------- d-----w- c:\archivos de programa\quasiMalwarebytes' Anti-Malware

2011-09-13 11:42 . 2011-09-13 11:43 -------- d-----w- c:\documents and settings\Administrador

2011-09-13 01:53 . 2011-09-13 01:53 -------- d-----w- c:\documents and settings\dani\Datos de programa\AVGTOOLBAR

2011-09-13 01:52 . 2011-09-13 01:52 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2011-09-13 01:52 . 2011-09-13 01:52 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2011-09-13 01:52 . 2011-09-13 01:52 -------- d-----w- c:\archivos de programa\AVGold

2011-09-13 01:52 . 2011-09-13 01:52 -------- d-----w- c:\documents and settings\All Users\Datos de programa\avg8

2011-09-13 01:26 . 2011-09-13 01:26 -------- d-----w- c:\archivos de programa\CCleaner

2011-09-12 18:14 . 2011-09-12 18:14 -------- d-----w- c:\documents and settings\dani\Datos de programa\Malwarebytes

2011-09-12 18:14 . 2011-09-12 18:14 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Malwarebytes

2011-09-12 17:17 . 2011-09-13 01:02 -------- d-----w- c:\documents and settings\dani\Datos de programa\WindSolutions

2011-09-12 17:17 . 2011-09-12 17:18 -------- d-----w- c:\documents and settings\All Users\Datos de programa\WindSolutions

2011-09-10 18:46 . 2011-09-10 18:46 -------- d-----w- c:\archivos de programa\Transparent

2011-09-10 18:46 . 2003-02-27 14:12 696320 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll

2011-09-10 18:46 . 2002-12-05 12:10 155648 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll

2011-09-10 18:46 . 2002-12-02 13:22 5632 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe

2011-09-10 18:46 . 2002-12-02 11:33 57344 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll

2011-09-10 18:46 . 2002-12-02 11:33 237568 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll

2011-09-10 18:46 . 2011-09-10 18:46 163972 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll

2011-09-10 18:46 . 2011-09-10 18:46 282756 ----a-w- c:\archivos de programa\Archivos comunes\InstallShield\Professional\RunTime\0701\Intel32\setup.dll

2011-09-10 17:38 . 2011-09-10 17:38 -------- d-----w- c:\archivos de programa\Auralog

2011-09-10 17:01 . 2011-09-10 17:01 -------- d-----w- c:\documents and settings\dani\Configuración local\Datos de programa\oald8

2011-09-10 17:01 . 2011-09-10 17:01 -------- d-----w- c:\documents and settings\dani\Datos de programa\oald8

2011-09-10 16:46 . 2011-09-10 16:56 -------- d-----w- c:\archivos de programa\Oxford

2011-09-10 16:46 . 1998-10-29 14:45 306688 ----a-w- c:\windows\IsUninst.exe

2011-09-10 14:16 . 2011-09-10 14:22 -------- d-----w- c:\documents and settings\dani\Datos de programa\dvdcss

2011-09-09 11:58 . 2011-09-13 01:40 -------- d-----w- c:\documents and settings\dani\Datos de programa\uTorrent

2011-09-09 11:30 . 2011-09-09 11:58 -------- d-----w- c:\archivos de programa\uTorrent

2011-09-03 10:17 . 2011-09-03 10:17 605184 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-09-02 17:35 . 2011-09-02 17:48 -------- d-----w- c:\archivos de programa\JDownloader

2011-08-31 16:19 . 2011-08-31 16:19 -------- d-----w- c:\documents and settings\dani\Configuración local\Datos de programa\Apple Computer

2011-08-31 16:17 . 2011-08-31 16:18 126976 ----a-w- c:\archivos de programa\Internet Explorer\PLUGINS\npqtplugin7.dll

2011-08-31 16:17 . 2011-08-31 16:18 126976 ----a-w- c:\archivos de programa\Internet Explorer\PLUGINS\npqtplugin6.dll

2011-08-31 16:17 . 2011-08-31 16:18 126976 ----a-w- c:\archivos de programa\Internet Explorer\PLUGINS\npqtplugin5.dll

2011-08-31 16:17 . 2011-08-31 16:18 126976 ----a-w- c:\archivos de programa\Internet Explorer\PLUGINS\npqtplugin4.dll

2011-08-31 16:17 . 2011-08-31 16:18 126976 ----a-w- c:\archivos de programa\Internet Explorer\PLUGINS\npqtplugin3.dll

2011-08-31 16:17 . 2011-08-31 16:18 126976 ----a-w- c:\archivos de programa\Internet Explorer\PLUGINS\npqtplugin2.dll

2011-08-31 16:17 . 2011-08-31 16:18 126976 ----a-w- c:\archivos de programa\Internet Explorer\PLUGINS\npqtplugin.dll

2011-08-31 16:16 . 2011-08-31 16:16 1409 ----a-w- c:\windows\QTFont.for

2011-08-31 16:15 . 2011-08-31 16:17 -------- d-----w- c:\archivos de programa\QuickTime

2011-08-31 16:13 . 2011-08-31 16:13 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Apple Computer

2011-08-31 15:50 . 2011-08-31 15:50 26992 ----a-w- c:\windows\system\CTL3DV2.DLL

2011-08-31 15:24 . 2011-08-31 15:24 -------- d-----w- c:\windows\Sun

2011-08-31 15:23 . 2011-08-31 15:23 53248 ----a-w- c:\windows\system32\jmam.dll

2011-08-31 15:23 . 2011-08-31 15:23 73728 ----a-w- c:\windows\system32\jmutil.dll

2011-08-31 15:23 . 2011-08-31 15:23 32768 ----a-w- c:\windows\system32\jmfjawt.dll

2011-08-31 15:19 . 2011-08-31 15:19 -------- d-----w- c:\documents and settings\dani\Configuración local\Datos de programa\{3248F0A6-6813-11D6-A77B-00B0D0150060}

2011-08-31 15:19 . 2011-08-31 15:19 -------- d-----w- C:\Program Files

2011-08-31 15:19 . 2011-08-31 15:19 -------- d-----w- C:\wimba

2011-08-31 15:19 . 2011-08-31 15:19 -------- d-----w- c:\archivos de programa\Wimba

2011-08-31 15:16 . 2011-08-31 16:10 -------- d-----w- C:\Longman CD-ROMs - Lab

2011-08-31 15:15 . 2011-08-31 16:12 -------- d--h--w- c:\archivos de programa\Zero G Registry

2011-08-31 15:14 . 2011-08-31 15:14 -------- d-----w- C:\temp

2011-08-30 17:34 . 2011-08-30 17:45 -------- d-----w- c:\documents and settings\dani\Datos de programa\EnglishVocabularyInUse

2011-08-30 16:46 . 2011-08-30 16:46 -------- d-----w- c:\documents and settings\dani\Datos de programa\Nero

2011-08-30 16:44 . 2011-08-30 16:44 -------- d-----w- c:\windows\system32\Adobe

2011-08-30 16:43 . 2011-08-30 16:44 -------- d-----w- c:\archivos de programa\Archivos comunes\Nero

2011-08-30 16:43 . 2006-03-17 12:49 368640 ----a-w- c:\windows\system32\TwnLib4.dll

2011-08-30 16:43 . 2006-03-17 09:45 802816 ----a-w- c:\windows\system32\imagXRA7.dll

2011-08-30 16:43 . 2006-03-17 09:45 497296 ----a-w- c:\windows\system32\imagXpr7.dll

2011-08-30 16:43 . 2006-03-17 09:45 258048 ----a-w- c:\windows\system32\imagXR7.dll

2011-08-30 16:43 . 2006-03-17 09:45 1757184 ----a-w- c:\windows\system32\imagX7.dll

2011-08-30 16:43 . 2011-08-30 16:43 -------- d-----w- c:\archivos de programa\Nero

2011-08-30 16:43 . 2011-08-30 16:43 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Nero

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-20 15:22 . 2004-08-03 20:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-09-09 09:32 . 2011-06-25 20:28 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-03 10:17 . 2004-08-19 13:41 605184 ----a-w- c:\windows\system32\crypt32.dll

2011-08-08 17:55 . 2011-08-08 17:55 108144 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-07-15 13:29 . 2004-08-03 21:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2001-08-24 15:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-01 18:12 . 2011-07-01 18:13 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-01 18:12 . 2011-07-01 18:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-27 00:51 . 2011-06-27 00:51 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-06-27 00:51 . 2011-06-27 00:51 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-09-09 10:07 . 2011-06-29 18:16 134104 ----a-w- c:\archivos de programa\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\dani\Datos de programa\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\dani\Datos de programa\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\dani\Datos de programa\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\dani\Datos de programa\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"KiesTrayAgent"="c:\archivos de programa\Kies\KiesTrayAgent.exe" [2011-08-01 3507088]

"KiesPDLR"="c:\archivos de programa\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2011-08-01 20880]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"nwiz"="nwiz.exe" [2006-10-31 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]

"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]

"TkBellExe"="c:\archivos de programa\Real\RealPlayer\update\realsched.exe" [2011-06-27 273544]

"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" [2011-08-31 155648]

"Trend Micro RUBotted V2.0 Beta"="c:\archivos de programa\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]

"Malwarebytes' Anti-Malware"="c:\archivos de programa\quasiMwareBtes\mbamgui.exe" [2011-05-29 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABAEnglish MiniCourse]

2008-08-01 11:24 785920 ----a-w- c:\abaenglishminicourse\abaenglishminicourse.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 16:43 69632 ----a-w- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-06-27 00:51 273544 ----a-w- c:\archivos de programa\Real\RealPlayer\Update\realsched.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Documents and Settings\\dani\\Datos de programa\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Archivos de programa\\uTorrent\\uTorrent.exe"=

"c:\\Archivos de programa\\Kies\\KiesTrayAgent.exe"=

"c:\\Documents and Settings\\dani\\Configuración local\\Datos de programa\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\Archivos de programa\\Real\\RealUpgrade\\realupgrade.exe"=

"c:\\Documents and Settings\\dani\\Mis documentos\\Downloads\\SoftonicDownloader_para_malwarebytes-anti-malware.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Administración remota de Windows

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 20:19 50704]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [14/09/2011 19:25 22712]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

S2 ekrn;ESET Service;c:\archivos de programa\ESET\ESET Smart Security\ekrn.exe [14/05/2009 15:47 731840]

S2 gupdate;Servei d'actualització de Google (gupdate);c:\archivos de programa\Google\Update\GoogleUpdate.exe [27/06/2011 02:50 136176]

S2 MBAMService;MBAMService;"c:\archivos de programa\quasiMwareBtes\mbamservice.exe" --> c:\archivos de programa\quasiMwareBtes\mbamservice.exe [?]

S2 RUBotSrv;Trend Micro RUBotted Service;c:\archivos de programa\Trend Micro\RUBotted\RUBotSrv.exe --> c:\archivos de programa\Trend Micro\RUBotted\RUBotSrv.exe [?]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [13/09/2011 03:52 29208]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [13/09/2011 03:52 29208]

S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [01/07/2011 21:22 20032]

S3 gupdatem;Servei de Google Update (gupdatem);c:\archivos de programa\Google\Update\GoogleUpdate.exe [27/06/2011 02:50 136176]

S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [01/07/2011 19:53 98560]

S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [01/07/2011 19:53 14848]

S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [01/07/2011 19:53 123648]

S3 ssceserd;SAMSUNG Mobile Modem Diagnostic Serial Port V2 (WDM);c:\windows\system32\drivers\ssceserd.sys [01/07/2011 19:53 100352]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [19/08/2004 15:43 14336]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25/06/2011 14:23 717296]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2011-06-27 00:50]

.

2011-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\archivos de programa\Google\Update\GoogleUpdate.exe [2011-06-27 00:50]

.

2011-09-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1364589140-839522115-1003.job

- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2011-03-29 08:47]

.

2011-09-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1364589140-839522115-1003.job

- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2011-03-29 08:47]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\archivos de programa\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\dani\Datos de programa\Mozilla\Firefox\Profiles\fbog7y6c.default\

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-swg - c:\archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

Notify-avgrsstarter - avgrsstx.dll

SafeBoot-15606359.sys

MSConfigStartUp-BrowserChoice - c:\windows\system32\browserchoice.exe

AddRemove-01_Simmental - c:\archivos de programa\Samsung\USB Drivers\01_Simmental\Uninstall.exe

AddRemove-02_Siberian - c:\archivos de programa\Samsung\USB Drivers\02_Siberian\Uninstall.exe

AddRemove-03_Swallowtail - c:\archivos de programa\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe

AddRemove-04_semseyite - c:\archivos de programa\Samsung\USB Drivers\04_semseyite\Uninstall.exe

AddRemove-05_Sloan - c:\archivos de programa\Samsung\USB Drivers\05_Sloan\Uninstall.exe

AddRemove-06_Spencer - c:\archivos de programa\Samsung\USB Drivers\06_Spencer\Uninstall.exe

AddRemove-07_Schorl - c:\archivos de programa\Samsung\USB Drivers\07_Schorl\Uninstall.exe

AddRemove-08_EMPChipset - c:\archivos de programa\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe

AddRemove-09_Hsp - c:\archivos de programa\Samsung\USB Drivers\09_Hsp\Uninstall.exe

AddRemove-11_HSP_Plus_Default - c:\archivos de programa\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe

AddRemove-16_Shrewsbury - c:\archivos de programa\USB Drivers\16_Shrewsbury\Uninstall.exe

AddRemove-17_EMP_Chipset2 - c:\archivos de programa\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe

AddRemove-18_Zinia_Serial_Driver - c:\archivos de programa\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe

AddRemove-19_VIA_driver - c:\archivos de programa\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe

AddRemove-20_NXP_Driver - c:\archivos de programa\USB Drivers\20_NXP_Driver\Uninstall.exe

AddRemove-21_Searsburg - c:\archivos de programa\Samsung\USB Drivers\21_Searsburg\Uninstall.exe

AddRemove-22_WiBro_WiMAX - c:\archivos de programa\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe

AddRemove-24_flashusbdriver - c:\archivos de programa\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe

AddRemove-25_escape - c:\archivos de programa\USB Drivers\25_escape\Uninstall.exe

AddRemove-26_VIA_driver2 - c:\archivos de programa\USB Drivers\26_VIA_driver2\Uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-23 23:22

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\vell4141709796:461775369.exe 816 bytes executable

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1801674531-1364589140-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:a6,cd,29,b1,ff,38,ad,48,8d,70,b0,1d,38,26,ec,0c,72,ef,db,87,0a,ef,3f,

ae,6d,ab,10,d5,e6,9f,45,6e,47,aa,84,75,f4,d9,86,51,0c,c1,a8,ea,4a,a0,10,eb,\

"??"=hex:d9,8e,bd,b7,e9,e6,66,f0,df,5a,43,e6,97,a8,32,d0

.

[HKEY_USERS\S-1-5-21-1801674531-1364589140-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:9d,74,ee,84,ed,e2,be,66,87,b1,a9,f6,8d,47,60,36,79,7e,93,99,d4,

6d,44,e7,cf,cb,7e,0b,73,80,d1,b3,04,7b,15,96,ce,75,08,62,29,3f,67,ad,b0,e9,\

"rkeysecu"=hex:6e,96,27,86,a6,40,73,04,43,5f,72,38,5a,47,74,3e

.

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]

@Denied: (2) (LocalSystem)

@SACL=

"AppDataDir"="c:\\Documents and Settings\\All Users\\Datos de programa\\ESET\\ESET Smart Security\\"

"DataDir"="ESET\\ESET Smart Security\\"

"EditionName"=" "

"InstallDir"="c:\\Archivos de programa\\ESET\\ESET Smart Security\\"

"LanguageId"=dword:00000409

"PackageTag"=dword:6090e758

"ProductBase"=dword:00000001

"ProductCode"="{71CBF9BB-7E07-4A9D-BF30-84C11810B242}"

"ProductName"="ESET Smart Security"

"ProductType"="ess"

"ProductVersion"="4.0.437.0"

"UniqueId"="00045CF14E05EB3F"

"ScannerBuild"=dword:00002545

"ScannerVersionId"=dword:00001873

"ScannerVersion"="Open window for status."

"FixId"=dword:00000009

"ei2"=hex(b):e9,0a,86,46,75,95,3e,6b

"ei1"=hex(b):00,19,66,8a,e0,ed,00,00

"ei3"=hex(b):69,de,36,4e,00,00,00,00

"ei4"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3164)

c:\windows\system32\WININET.dll

c:\documents and settings\dani\Datos de programa\Dropbox\bin\DropboxExt.14.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\RUNDLL32.EXE

c:\windows\RTHDCPL.EXE

c:\windows\system32\wscntfy.exe

c:\archivos de programa\Real\RealPlayer\RealPlay.exe

c:\archivos de programa\Real\RealPlayer\RealPlay.exe

.

**************************************************************************

.

Completion time: 2011-09-23 23:27:38 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-23 21:27

.

Pre-Run: 22.619.066.368 bytes libres

Post-Run: 23.011.676.160 bytes libres

.

- - End Of File - - 6B5064B5AA94EF9CD0E3DCEB2BCA703A

2. The DDS.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by dani at 0:44:36 on 2011-09-24

Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1791.1319 [GMT 2:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Archivos de programa\Real\RealPlayer\update\realsched.exe

C:\Archivos de programa\Trend Micro\RUBotted\RUBottedGUI.exe

C:\Archivos de programa\Kies\KiesTrayAgent.exe

C:\Archivos de programa\Kies\External\FirmwareUpdate\KiesPDLR.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\datos de programa\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre6\bin\ssv.dll

BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\archiv~1\textware\quickf~1\plugins\IEHelp.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [KiesTrayAgent] c:\archivos de programa\kies\KiesTrayAgent.exe

uRun: [KiesPDLR] c:\archivos de programa\kies\external\firmwareupdate\KiesPDLR.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"

mRun: [skyTel] SkyTel.EXE

mRun: [TkBellExe] "c:\archivos de programa\real\realplayer\update\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\archivos de programa\quicktime\qttask.exe" -atboottime

mRun: [Trend Micro RUBotted V2.0 Beta] c:\archivos de programa\trend micro\rubotted\RUBottedGUI.exe

mRun: [Malwarebytes' Anti-Malware] "c:\archivos de programa\quasimwarebtes\mbamgui.exe" /starttray

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\archivos de programa\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\dani\datos de programa\mozilla\firefox\profiles\fbog7y6c.default\

FF - prefs.js: network.proxy.type - 0

.

============= SERVICES / DRIVERS ===============

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-14 22712]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ekrn;ESET Service;c:\archivos de programa\eset\eset smart security\ekrn.exe [2009-5-14 731840]

S2 gupdate;Servei d'actualització de Google (gupdate);c:\archivos de programa\google\update\GoogleUpdate.exe [2011-6-27 136176]

S2 MBAMService;MBAMService;"c:\archivos de programa\quasimwarebtes\mbamservice.exe" --> c:\archivos de programa\quasimwarebtes\mbamservice.exe [?]

S2 RUBotSrv;Trend Micro RUBotted Service;c:\archivos de programa\trend micro\rubotted\rubotsrv.exe --> c:\archivos de programa\trend micro\rubotted\RUBotSrv.exe [?]

S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2011-9-13 29208]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2011-9-13 29208]

S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2011-7-1 20032]

S3 gupdatem;Servei de Google Update (gupdatem);c:\archivos de programa\google\update\GoogleUpdate.exe [2011-6-27 136176]

S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2011-7-1 98560]

S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2011-7-1 14848]

S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2011-7-1 123648]

S3 ssceserd;SAMSUNG Mobile Modem Diagnostic Serial Port V2 (WDM);c:\windows\system32\drivers\ssceserd.sys [2011-7-1 100352]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-19 14336]

.

=============== Created Last 30 ================

.

2011-09-23 21:05:50 58880 -c--a-w- c:\windows\system32\dllcache\redbook.sys

2011-09-23 21:05:50 58880 ----a-w- c:\windows\system32\drivers\redbook.sys

2011-09-23 20:27:59 98816 ----a-w- c:\windows\sed.exe

2011-09-23 20:27:59 518144 ----a-w- c:\windows\SWREG.exe

2011-09-23 20:27:59 256000 ----a-w- c:\windows\PEV.exe

2011-09-23 20:27:59 208896 ----a-w- c:\windows\MBR.exe

2011-09-23 20:22:17 -------- d-----w- c:\documents and settings\all users\datos de programa\Trend Micro

2011-09-20 15:23:02 48016 --sha-w- c:\windows\system32\c_09191.nl_

2011-09-15 10:34:54 0 ---ha-w- c:\documents and settings\dani\configuración local\datos de programa\BITC.tmp

2011-09-14 17:25:09 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-14 17:25:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-14 17:25:06 -------- d-----w- c:\archivos de programa\quasiMwareBtes

2011-09-14 10:27:09 -------- d-----w- c:\archivos de programa\WinPcap

2011-09-14 10:26:58 -------- d-----w- c:\archivos de programa\Trend Micro

2011-09-13 16:13:45 -------- d-sha-r- C:\cmdcons

2011-09-13 16:13:44 -------- d-----w- c:\windows\setup.pss

2011-09-13 16:05:46 -------- d-----w- c:\archivos de programa\quasiMalwarebytes' Anti-Malware

2011-09-13 01:53:52 -------- d-----w- c:\documents and settings\dani\datos de programa\AVGTOOLBAR

2011-09-13 01:52:18 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2011-09-13 01:52:18 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2011-09-13 01:52:16 -------- d-----w- c:\archivos de programa\AVGold

2011-09-13 01:52:15 -------- d-----w- c:\documents and settings\all users\datos de programa\avg8

2011-09-13 01:26:13 -------- d-----w- c:\archivos de programa\CCleaner

2011-09-12 18:14:50 -------- d-----w- c:\documents and settings\dani\datos de programa\Malwarebytes

2011-09-12 18:14:43 -------- d-----w- c:\documents and settings\all users\datos de programa\Malwarebytes

2011-09-12 17:17:27 -------- d-----w- c:\documents and settings\dani\datos de programa\WindSolutions

2011-09-12 17:17:27 -------- d-----w- c:\documents and settings\all users\datos de programa\WindSolutions

2011-09-10 18:46:54 -------- d-----w- c:\archivos de programa\Transparent

2011-09-10 18:46:22 696320 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\iKernel.dll

2011-09-10 18:46:22 57344 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\ctor.dll

2011-09-10 18:46:22 5632 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe

2011-09-10 18:46:22 237568 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\iscript.dll

2011-09-10 18:46:22 155648 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\iuser.dll

2011-09-10 18:46:21 163972 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\iGdi.dll

2011-09-10 18:46:20 282756 ----a-w- c:\archivos de programa\archivos comunes\installshield\professional\runtime\0701\intel32\setup.dll

2011-09-10 17:38:42 -------- d-----w- c:\archivos de programa\Auralog

2011-09-10 17:01:32 -------- d-----w- c:\documents and settings\dani\configuración local\datos de programa\oald8

2011-09-10 17:01:20 -------- d-----w- c:\documents and settings\dani\datos de programa\oald8

2011-09-10 16:46:47 -------- d-----w- c:\archivos de programa\Oxford

2011-09-10 16:46:03 306688 ----a-w- c:\windows\IsUninst.exe

2011-09-09 11:58:35 -------- d-----w- c:\documents and settings\dani\datos de programa\uTorrent

2011-09-09 11:30:45 -------- d-----w- c:\archivos de programa\uTorrent

2011-09-03 10:17:15 605184 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-09-02 17:35:54 -------- d-----w- c:\archivos de programa\JDownloader

2011-08-31 16:19:30 -------- d-----w- c:\documents and settings\dani\configuración local\datos de programa\Apple Computer

2011-08-31 16:17:33 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin7.dll

2011-08-31 16:17:33 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin6.dll

2011-08-31 16:17:33 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin5.dll

2011-08-31 16:17:33 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin4.dll

2011-08-31 16:17:32 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin3.dll

2011-08-31 16:17:32 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin2.dll

2011-08-31 16:17:32 126976 ----a-w- c:\archivos de programa\internet explorer\plugins\npqtplugin.dll

2011-08-31 16:16:43 1409 ----a-w- c:\windows\QTFont.for

2011-08-31 15:50:12 26992 ----a-w- c:\windows\system\CTL3DV2.DLL

2011-08-31 15:23:15 53248 ----a-w- c:\windows\system32\jmam.dll

2011-08-31 15:23:14 73728 ----a-w- c:\windows\system32\jmutil.dll

2011-08-31 15:23:14 32768 ----a-w- c:\windows\system32\jmfjawt.dll

2011-08-31 15:19:44 -------- d-----w- c:\documents and settings\dani\configuración local\datos de programa\{3248F0A6-6813-11D6-A77B-00B0D0150060}

2011-08-31 15:19:22 -------- d-----w- C:\Program Files

2011-08-31 15:19:21 -------- d-----w- C:\wimba

2011-08-31 15:19:21 -------- d-----w- c:\archivos de programa\Wimba

2011-08-31 15:16:20 -------- d-----w- C:\Longman CD-ROMs - Lab

2011-08-31 15:15:12 -------- d--h--w- c:\archivos de programa\Zero G Registry

2011-08-31 15:14:35 -------- d-----w- C:\temp

2011-08-30 17:34:30 -------- d-----w- c:\documents and settings\dani\datos de programa\EnglishVocabularyInUse

2011-08-30 16:44:37 -------- d-----w- c:\windows\system32\Adobe

2011-08-30 16:43:54 802816 ----a-w- c:\windows\system32\imagXRA7.dll

2011-08-30 16:43:54 497296 ----a-w- c:\windows\system32\imagXpr7.dll

2011-08-30 16:43:54 368640 ----a-w- c:\windows\system32\TwnLib4.dll

2011-08-30 16:43:54 258048 ----a-w- c:\windows\system32\imagXR7.dll

2011-08-30 16:43:54 1757184 ----a-w- c:\windows\system32\imagX7.dll

2011-08-30 16:43:53 -------- d-----w- c:\documents and settings\all users\datos de programa\Nero

2011-08-30 16:43:53 -------- d-----w- c:\archivos de programa\Nero

.

==================== Find3M ====================

.

2011-09-20 15:22:29 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-09-09 09:32:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-03 10:17:15 605184 ----a-w- c:\windows\system32\crypt32.dll

2011-08-08 17:55:11 108144 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-01 18:12:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-01 18:12:39 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-27 00:51:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-06-27 00:51:14 348160 ----a-w- c:\windows\system32\msvcr71.dll

.

============= FINISH: 0:44:45,78 ===============

And I also attach the DDS file attach.rar.

Waiting for the next step, thanks for your help screen317.


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Hi,

Before posting the logs I want to tell you that when I first tried to run ESET Online Scanner my computer rebooted; I don't know exactly when, as I had gone out for a while. When I came back I found my computer doing a chkdsk on my system partition C:. After this unexpected difficulty, I successfully ran ESET Online Scanner and then Security Check.

However, as you can notice from the logs, I have some kind of trouble with my SATA HDD: neither ESET nor Security Check has succeeded in accessing it. I can see the 3 partitions (D:, F: and G:) and their first-level folders but I can't access their content.

Just before this rootkit infection I had some kind of trouble with the partition D: during a copy to an external USB HDD (I was trying to make a backup copy because I intend to reinstall the whole system some day). As it was a heavy copy and was supposed to take a long time, I didn't attend to it. When I came back I found a message like this: "Windows - Delayed Write Failed. ...". From that moment I've been having some difficulties when I've tried to copy any folder on this partition; I had to do it in small batches of files, but today the problem has spread to the other partitions in the SATA HDD after running ESET and Security Check. I don't know if it's related, but anyway, any suggestion?

Anyhow, the ESET online scanner's log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=5a035004b6b177479dcbacf80a5fdf7e

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-27 02:37:29

# local_time=2011-09-27 04:37:29 (+0100, Hora de verano romance)

# country="Spain"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 1129871 1129871 0 0

# compatibility_mode=1024 16777215 100 0 0 0 0 0

# compatibility_mode=8201 22380030 100 96 1276337 74817425 0 0

# scanned=99199

# found=12

# cleaned=12

# scan_time=8360

C:\Qoobox\Quarantine\C\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe.vir Win32/Patched.HN trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Archivos de programa\CDBurnerXP\NMSAccessU.exe.vir Win32/Patched.HN trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Archivos de programa\Java\jre6\bin\jqs.exe.vir Win32/Patched.HN trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Archivos de programa\quasiMwareBtes\mbamservice.exe.vir Win32/Patched.HN trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Archivos de programa\Trend Micro\RUBotted\RUBotSrv.exe.vir Win32/Patched.HN trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\nvsvc32.exe.vir Win32/Patched.HN trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir a variant of Win32/Rootkit.Kryptik.DM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\vell4141709796:461775369.exe Win32/Sirefef.CT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\c_09191.nl_ a variant of Win32/Sirefef.CR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

E:\nou corbera\Adobe.CS3.Master.Collection.Corporate\ACS3MCD1.iso a variant of Win32/Keygen.BR application (deleted - quarantined) 00000000000000000000000000000000 C

E:\nou corbera\Nero 8 Ultra Edition v8.2.8.0 + KeyGen\Nero 8 Keygen.exe probably a variant of Win32/Agent.KXQULJD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

And also the Security Check log:

Results of screen317's Security Check version 0.99.7

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

ESET Online Scanner v3

Trend Micro RUBotted 2.0 Beta

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 26

Out of date Java installed!

Adobe Flash Player 10.3.183.7

Adobe Reader 9.4.5 - Catalan

Japanese Fonts Support For Adobe Reader 9

Out of date Adobe Reader installed!

Mozilla Firefox (x86 ca..) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Trend Micro RUBotted RUBottedGUI.exe

``````````End of Log````````````

Thanks again for your time and your help.

BTW, are you French?

DanPi


  • 2 weeks later...
  • Staff

Hi DanPi,

I apologize for the extended delay. Not sure how your topic slipped through the cracks.

However, the following just came to my attention:

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

It's likely why your issue began in the first place.

This goes for uTorrent and anything else you may have installed.


Hi again,

I'm still here but as I have borrowed a laptop I can't connect as often as I'd like to. As I told you privately, soon I'm going to move to Germany for job and I don't know whether I'll have enough time to solve the infection.

So I understand that your recommendation is to uninstall all this kind of software. But anyway, is there anything else to do in order to solve the infection? As you can guess I had no idea of the policy you showed me, but it's my fault, I should have supposed this obvious issue.

Sincerely, whatever your answer is thanks for your help.

DanPi


This topic is now closed to further replies.