can't get rid of hldrrr.exe, srosa.sys, wintems.exe

Hi all!

My machine has got an infection with a rootkit, it seems, and I cannot get rid of it. I have followed instructions given by Rorschach112 in a similar thread, but the bad guys keep reappearing. Any help will be appreciated. Thanks in advance.

All my antivirus have been removed or deactivated, and cannot be reinstalled. This includes Spybot, AVG, Avast, SpywareDoctor. AVG Anti-Rootkit runs, and detects hldrrr.exe, srosa.sys and wintems.exe. It offers to remove them, but it does not work.

I have tried IceSword, which detects the processes hldrrr.exe and wintems.exe running. I terminated them, and removed the files, but they reappear on reboot. I tried deleting them with MoveOnBoot, to no avail.

Besides the mentioned files, a foder was created on system32\drivers\down, containing .exe files, with numbers as filenames. Some one of them is also detected by IceSword as a running process, and I also terminated those (and deleted the folder).

IceSword also detects srosa.sys in several entries in its SSDT list, in red, and also iksysflt.sys (which I believe belongs to SpywareDoctor).

It seems that the infection is hidden somewhere in my system, but I cannot find out where.

Other symptoms include:
1. Cannot boot on safe mode. Tried SafeBootKeyRepair.exe, which allows me to boot on safe, but after the following normal boot it's broken again.
2. Windows Firewall does not run.
3. System restores do not work.


HijackThis gives the following log:


Regards,

Guillermo

Hello

Delete your version of IceSword.exe and do the following

Do not wrap the reports in quote boxes please

Please download and unzip Icesword to its own folder


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.

Step 2: Click the "Win32 Services" tab and look out for red colored entry in the services list. This red colored service entry indicates that it’s rooted. Note the name of this service.

Step 3: Now, click "SSDT" tab and check for red colored entries. If there are any, note the file and folder names.

Now post all of the data collected under the headings

Processes
Win32 Services
SSDT




Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Hi. Rorschach112. Thanks for the answer. I did as you suggested. Here are the results.

Processes in red: hldrrr.exe
Win32Services in red: none
SSDT in red: srosa.sys, iksysflt.sys, guard.sys (AVG)

IceSword logs follow. IceSword did not allow me to dump a log of the list of SSDT, or copy the list in any other way (?).

DSS logs go in a separate post due to length restriction.

Cheers,

Guillermo

Process:

System Idle Process
System
C:\ARCHIV~1\Util\CBOClean\BOCore.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\WINDOWS\system32\smss.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\Archivos de programa\Util\CBOClean\BOC425.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe

Started Service:

Service Name:AudioSrv Display Name:Audio de Windows
Service Name:BITS Display Name:Servicio de transferencia inteligente en segundo plano
Service Name:BOCore Display Name:BOCore
Service Name:Browser Display Name:Examinador de equipos
Service Name:CryptSvc Display Name:Servicios de cifrado
Service NamecomLaunch Display Name:Iniciador de procesos de servidor DCOM
Service Namehcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Administrador de discos lógicos
Service Namenscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Servicio de informe de errores
Service Name:Eventlog Display Name:Registro de sucesos
Service Name:EventSystem Display Name:Sistema de sucesos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidad de cambio rápido de usuario
Service Name:FileZilla Server Display Name:FileZilla Server FTP server
Service Name:gusvc Display Name:Google Updater Service
Service Name:helpsvc Display Name:Ayuda y soporte técnico
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estación de trabajo
Service Name:LmHosts Display Name:Ayuda de NetBIOS sobre TCP/IP
Service Name:Netman Display Name:Conexiones de red
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service NamelugPlay Display Namelug and Play
Service Nameml Driver HPZ12 Display Nameml Driver HPZ12
Service NameolicyAgent Display Name:Servicios IPSEC
Service NamerotectedStorage Display Name:Almacenamiento protegido
Service Name:RasMan Display Name:Administrador de conexión de acceso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Llamada a procedimiento remoto (RPC)
Service Name:SamSs Display Name:Administrador de cuentas de seguridad
Service Name:Schedule Display Namerogramador de tareas
Service Name:seclogon Display Name:Inicio de sesión secundario
Service Name:SENS Display Name:Notificación de sucesos del sistema
Service Name:ShellHWDetection Display Nameetección de hardware shell
Service Name:Spooler Display Name:Cola de impresión
Service Name:srservice Display Name:Servicio de restauración de sistema
Service Name:SSDPSRV Display Name:Servicio de descubrimientos SSDP
Service Name:stisvc Display Name:Adquisición de imágenes de Windows (WIA)
Service Name:TapiSrv Display Name:Telefonía
Service Name:TermService Display Name:Servicios de Terminal Server
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de seguimiento de vinculos distribuidos
Service Name:W32Time Display Name:Horario de Windows
Service Name:WebClient Display Name:Cliente Web
Service Name:winmgmt Display Name:Instrumental de administración de Windows

DSS Main log follows. Guillermo.

Deckard's System Scanner v20071014.68
Run by Abramson on 2008-01-09 10:07:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Abramson.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:47 AM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Util\CBOClean\BOCORE.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Abramson\Escritorio\dss.exe
C:\ARCHIV~1\Util\HIJACK~1\Abramson.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;<local>;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BOC-425] C:\ARCHIV~1\Util\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191420182250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 9381 bytes

-- Files created between 2007-12-09 and 2008-01-09 -----------------------------

2008-01-08 15:15:06 0 d-------- C:\WINDOWS\ERUNT
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\GiPo@Utilities
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
2008-01-08 14:01:32 0 d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 11:34:05 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2008-01-08 11:34:04 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
2007-12-27 15:58:08 6 --a------ C:\WINDOWS\ls.bat
2007-12-27 15:23:37 0 d-------- C:\Archivos de programa\Nero
2007-12-18 17:16:05 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10:27 0 d--h----- C:\WINDOWS\PIF
2007-12-14 15:51:37 0 d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50:16 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50:15 0 d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50:29 0 d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37:45 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-01-09 09:36:18 0 d-------- C:\Archivos de programa\Spyware Doctor
2008-01-09 09:33:23 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 16:15:09 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-08 15:54:29 0 d-------- C:\Archivos de programa\Util
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes
2008-01-08 11:03:04 0 d-------- C:\Archivos de programa\Image
2008-01-08 10:46:05 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-07 14:15:40 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Adobe
2008-01-03 10:40:13 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-02 09:35:17 498418 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-01-02 09:35:17 89006 --a------ C:\WINDOWS\system32\perfc00A.dat
2007-12-28 16:03:14 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-28 16:02:39 0 d-------- C:\Archivos de programa\Net
2007-12-27 10:45:50 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 16:28:20 0 d-------- C:\Archivos de programa\video
2007-12-26 12:01:30 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\XnView
2007-12-18 18:32:16 0 d-------- C:\Archivos de programa\Sci
2007-12-18 17:17:12 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:03:55 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 14:50:33 0 d-------- C:\Archivos de programa\Texts
2007-12-14 13:50:25 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2007-12-12 18:19:35 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Real
2007-12-07 17:24:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Google
2007-11-28 10:14:29 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 10:51:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 11:34:15 0 d-------- C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 17:34:16 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 17:29:46 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-16 14:57:16 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2007-11-16 14:57:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-15 18:25:58 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Macromedia
2007-11-15 18:12:59 0 d-------- C:\Archivos de programa\Britannica
2007-11-13 11:06:00 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-12 16:05:30 0 d-------- C:\Archivos de programa\MSECache
2007-11-12 12:44:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\COWON
2007-10-15 14:23:34 2199552 --a------ C:\WINDOWS\system32\PdfDll32.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS(r) DLL for Windows>
2007-10-15 14:23:34 65536 --a------ C:\WINDOWS\system32\ltserial.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 02:07 AM]
"nwiz"="nwiz.exe" [09/17/2007 02:07 AM C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [06/15/2007 02:03 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [06/15/2007 02:03 AM C:\WINDOWS\Alcmtr.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [11/02/2007 11:55 AM]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"NvMediaCenter"="NvMCTray.dll" [09/17/2007 02:07 AM C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [02/27/2007 12:55 PM]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]
"BOC-425"="C:\ARCHIV~1\Util\CBOClean\BOC425.exe" [08/08/2007 07:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/02/2006 10:00 AM]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe" [01/19/2007 01:55 PM]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [06/10/2005 08:05 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12




-- End of Deckard's System Scanner: finished at 2008-01-09 10:08:02 ------------

DSS did not open an "extra" report (it's not also in c:\Deckard\System Scanner\, where only main.txt is to be found (?).

Guillermo

Hello Guillermo

We will have you fixed in no time, I just need you to do something important first.

Can you run IceSword.exe again and take a screenshot of the following areas for me. Make sure IceSword is full screen and you have nothing in the way

Can you go into the Process Function, and make sure these files are visible in the screenshot

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe


Then can you go into the SSDT function and make sure files are visible in another screenshot

srosa.sys
iksysflt.sys
guard.sys (AVG)


Then can you host the screenshots on this site, or whatever one you want, for me to download from

http://www.mediafire.com/


Let me know if you have any problems. We can fix this problem today once you do the above.

Hi, Rorschach112. Thanks. Here are the snapshots:

Processes:
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-processes.jpg

SSDT:
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt1.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt2.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt3.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt4.jpg

Guillermo

I have been browsing the folders that seem to contain the problematic files, and in c:\WINDOWS\system32\drivers\ I found srosa.sy_ created yesterday (01/08), last modified today, 108,928 bytes, same size as srosa.sys.

Perhaps this is important, perhaps this is from where the virus kept reapearing, so I wanted to let you know.

Guillermo

Thank you very much for doing that Guillermo

Let us remove the infection now. Do all these steps in the one go and do not reboot your PC until I tell you to.



Run IceSword.exe

Step 1: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the following processes one by one, and choose "Terminate Process". This will kill the rooted processes.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe


Step 2: Now, we have to delete the rooted files. Click "File" tab in IceSword. This will display the Windows Explorer type interface. Navigate to the following and delete the file(s) in bold.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Windows\System32\drivers\srosa.sys
C:\WINDOWS\ls.bat



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new IceSword logs from Processes, Win32 Services, and SSDT, along with a new DSS log, and tell me how all that went and if you had any problems.

Hi. Partial success, as you will see. I did what you said (and deleted also the srosa.sy_). Wintems.exe is gone from the Processes, but hldrrr.exe is there as is srosa.sys in the SSDT list.

C:\WINDOWS\ls.bat is a script of my own, that runs dir /w when I mistakenly type ls on a console... I deleted it anyway, for you to be sure.

Here are the logs:

Process:

System Idle Process
System
C:\ARCHIV~1\Util\CBOClean\BOCore.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe

Started Service:

Service Name:AudioSrv Display Name:Audio de Windows
Service Name:BITS Display Name:Servicio de transferencia inteligente en segundo plano
Service Name:BOCore Display Name:BOCore
Service Name:Browser Display Name:Examinador de equipos
Service Name:CryptSvc Display Name:Servicios de cifrado
Service NamecomLaunch Display Name:Iniciador de procesos de servidor DCOM
Service Namehcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Administrador de discos lógicos
Service Namenscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Servicio de informe de errores
Service Name:Eventlog Display Name:Registro de sucesos
Service Name:EventSystem Display Name:Sistema de sucesos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidad de cambio rápido de usuario
Service Name:FileZilla Server Display Name:FileZilla Server FTP server
Service Name:gusvc Display Name:Google Updater Service
Service Name:helpsvc Display Name:Ayuda y soporte técnico
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estación de trabajo
Service Name:LmHosts Display Name:Ayuda de NetBIOS sobre TCP/IP
Service Name:Netman Display Name:Conexiones de red
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service NamelugPlay Display Namelug and Play
Service Nameml Driver HPZ12 Display Nameml Driver HPZ12
Service NameolicyAgent Display Name:Servicios IPSEC
Service NamerotectedStorage Display Name:Almacenamiento protegido
Service Name:RasMan Display Name:Administrador de conexión de acceso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Llamada a procedimiento remoto (RPC)
Service Name:SamSs Display Name:Administrador de cuentas de seguridad
Service Name:Schedule Display Namerogramador de tareas
Service Name:seclogon Display Name:Inicio de sesión secundario
Service Name:SENS Display Name:Notificación de sucesos del sistema
Service Name:ShellHWDetection Display Nameetección de hardware shell
Service Name:Spooler Display Name:Cola de impresión
Service Name:srservice Display Name:Servicio de restauración de sistema
Service Name:SSDPSRV Display Name:Servicio de descubrimientos SSDP
Service Name:stisvc Display Name:Adquisición de imágenes de Windows (WIA)
Service Name:TapiSrv Display Name:Telefonía
Service Name:TermService Display Name:Servicios de Terminal Server
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de seguimiento de vinculos distribuidos
Service Name:W32Time Display Name:Horario de Windows
Service Name:WebClient Display Name:Cliente Web
Service Name:winmgmt Display Name:Instrumental de administración de Windows


SSDT (images, still cannot dump logs):
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt1.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt2.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt3.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt4.jpg

DSS in following post.

DSS Main.txt:

Deckard's System Scanner v20071014.68
Run by Abramson on 2008-01-09 13:13:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Abramson.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:36 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Util\CBOClean\BOCORE.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Abramson\Escritorio\dss.exe
C:\ARCHIV~1\Util\HIJACK~1\Abramson.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;<local>;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191420182250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 9136 bytes

-- Files created between 2007-12-09 and 2008-01-09 -----------------------------

2008-01-08 15:15:06 0 d-------- C:\WINDOWS\ERUNT
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\GiPo@Utilities
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
2008-01-08 14:01:32 0 d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 11:34:05 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2008-01-08 11:34:04 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
2007-12-27 15:58:08 6 --a------ C:\WINDOWS\ls.bat
2007-12-27 15:23:37 0 d-------- C:\Archivos de programa\Nero
2007-12-18 17:16:05 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10:27 0 d--h----- C:\WINDOWS\PIF
2007-12-14 15:51:37 0 d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50:16 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50:15 0 d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50:29 0 d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37:45 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-01-09 13:13:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\XnView
2008-01-09 12:57:30 0 d-------- C:\Archivos de programa\Spyware Doctor
2008-01-09 12:10:35 0 d-------- C:\Archivos de programa\Astro
2008-01-09 12:07:01 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-09 09:33:23 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 15:54:29 0 d-------- C:\Archivos de programa\Util
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes
2008-01-08 11:03:04 0 d-------- C:\Archivos de programa\Image
2008-01-08 10:46:05 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-07 14:15:40 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Adobe
2008-01-03 10:40:13 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-02 09:35:17 498418 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-01-02 09:35:17 89006 --a------ C:\WINDOWS\system32\perfc00A.dat
2007-12-28 16:03:14 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-28 16:02:39 0 d-------- C:\Archivos de programa\Net
2007-12-27 10:45:50 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 16:28:20 0 d-------- C:\Archivos de programa\video
2007-12-18 18:32:16 0 d-------- C:\Archivos de programa\Sci
2007-12-18 17:17:12 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:03:55 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 14:50:33 0 d-------- C:\Archivos de programa\Texts
2007-12-14 13:50:25 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2007-12-12 18:19:35 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Real
2007-12-07 17:24:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Google
2007-11-28 10:14:29 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 10:51:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 11:34:15 0 d-------- C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 17:34:16 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 17:29:46 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-16 14:57:16 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2007-11-16 14:57:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-15 18:25:58 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Macromedia
2007-11-15 18:12:59 0 d-------- C:\Archivos de programa\Britannica
2007-11-13 11:06:00 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-12 16:05:30 0 d-------- C:\Archivos de programa\MSECache
2007-11-12 12:44:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\COWON
2007-10-15 14:23:34 2199552 --a------ C:\WINDOWS\system32\PdfDll32.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS(r) DLL for Windows>
2007-10-15 14:23:34 65536 --a------ C:\WINDOWS\system32\ltserial.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 02:07 AM]
"nwiz"="nwiz.exe" [09/17/2007 02:07 AM C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [06/15/2007 02:03 AM C:\WINDOWS\RTHDCPL.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [11/02/2007 11:55 AM]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"NvMediaCenter"="NvMCTray.dll" [09/17/2007 02:07 AM C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [02/27/2007 12:55 PM]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/02/2006 10:00 AM]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [06/10/2005 08:05 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12




-- End of Deckard's System Scanner: finished at 2008-01-09 13:13:54 ------------

Rorschach112, bad news: wintems.exe reappeared. I re-run IS after posting, and there it was, grrrr!:

Process:

System Idle Process
System
C:\ARCHIV~1\Util\CBOClean\BOCore.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe
C:\Archivos de programa\Net\Opera\Opera.exe
C:\Archivos de programa\Util\Total Commander 7\TOTALCMD.EXE

Don't worry we will get rid of it

Run IceSword.exe

Step 1: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the following red colored processes one by one, and choose "Terminate Process". This will kill the rooted processes.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe


Step 2: Now, we have to delete the rooted files. Click "File" tab in IceSword. This will display the Windows Explorer type interface. Navigate to the following and delete the file(s) in bold.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Windows\System32\drivers\srosa.sys




Please download OTMoveIt by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\WINDOWS\system32\drivers\hldrrr.exe
  C:\WINDOWS\system32\wintems.exe
  C:\Windows\System32\drivers\srosa.sys
  
  
• Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
• Click the red Moveit! button.
• Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.




Reboot and post a new IceSword log and the OTMoveIt results. No need for any more screenshots yet.

OK, I did as said: terminated processes, deleted files in IS, tried to delete files in MoveIt. After pressing MoveIt! I received an error box saying:

Cannot create file C:\_OTMoveit\MovedFiles\01092008_134803.log

Click to expand...

And the Results pane of MoveIt reads:

File/Folder C:\WINDOWS\system32\drivers\hldrrr.exe not found.
File/Folder C:\WINDOWS\system32\wintems.exe not found.
File/Folder C:\Windows\System32\drivers\srosa.sys not found.

Created on 01/09/2008 13:48:03

Click to expand...

Still, IS Process show some infection after reboot:

Process:

System Idle Process
System
C:\ARCHIV~1\Util\CBOClean\BOCore.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Net\Opera\Opera.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe


Note that wintems.exe is not there, again. This time, the file wintems.exe is not to be found in system32. The folder system32\drivers\down still keeps receiving new exe's. I'm stopping hldrrr.exe after posting. srosa.sys is still there, as is hldrr.exe.

Guillermo

It seems something is holding it in place. Lets try a different method

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

OK, here's ComboFix log. (Byproduct: my default browser was reset to Internet Explorer (from Opera) and IE icon appeared on desktop.

):

ComboFix 08-01-09.2 - Abramson 2008-01-09 14:13:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.1612 [GMT -2:00]
Se ejecuta desde: C:\Documents and Settings\Abramson\Escritorio\ComboFix.exe
* Creado un nuevo punto de restauración
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa


(((((((((((((((((( Archivos creados desde 2007-12-09 - 2008-01-09 )))))))))))))))))))))))))))))))))
.

2008-01-09 14:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 13:49 . 2005-06-10 08:05 533,734 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
2008-01-09 10:25 . 2008-01-09 10:25 <DIR> d-------- C:\Deckard
2008-01-08 15:15 . 2008-01-08 15:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\GiPo@Utilities
2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
2008-01-08 14:20 . 2007-01-18 10:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-08 14:01 . 2008-01-09 14:11 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 11:34 . 2007-08-08 20:02 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2008-01-08 11:34 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-01-08 11:34 . 2006-03-02 10:00 25,600 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-01-04 11:03 . 2008-01-04 11:03 49 --a------ C:\WINDOWS\fsplugin.ini
2008-01-03 14:37 . 2007-10-22 07:10 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-03 14:37 . 2007-10-22 07:10 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-03 14:37 . 2008-01-03 14:37 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-01-03 10:40 . 2008-01-03 10:40 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-03 10:11 . 2008-01-08 13:27 21,712 ---h----- C:\treeinfo.wc
2007-12-28 16:03 . 2007-12-28 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-27 15:23 . 2007-12-27 15:41 <DIR> d-------- C:\Archivos de programa\Nero
2007-12-27 10:45 . 2007-12-27 10:45 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 18:38 . 2008-01-02 10:55 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-18 17:16 . 2007-12-18 17:15 151,552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53 . 2007-12-18 11:53 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10 . 2007-12-14 16:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-14 16:03 . 2007-12-14 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 15:51 . 2007-12-14 15:51 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50 . 2007-12-27 15:25 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50 . 2007-12-27 15:23 <DIR> d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50 . 2007-12-14 13:50 <DIR> d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37 . 2007-12-14 13:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09 . 2007-12-12 18:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 16:04 --------- d-----w C:\Archivos de programa\Spyware Doctor
2008-01-09 15:13 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\XnView
2008-01-09 14:10 --------- d-----w C:\Archivos de programa\Astro
2008-01-09 14:07 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-09 13:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Google Updater
2008-01-09 11:33 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 17:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Spybot - Search & Destroy
2008-01-08 17:54 --------- d-----w C:\Archivos de programa\Util
2008-01-08 13:03 --------- d-----w C:\Archivos de programa\Image
2008-01-08 12:46 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-08 11:51 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\TEMP
2007-12-28 18:02 --------- d-----w C:\Archivos de programa\Net
2007-12-26 18:28 --------- d-----w C:\Archivos de programa\video
2007-12-19 02:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\avg7
2007-12-18 20:32 --------- d-----w C:\Archivos de programa\Sci
2007-12-18 19:17 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:50 --------- d-----w C:\Archivos de programa\Texts
2007-12-14 15:50 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-28 12:14 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 12:51 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 13:34 --------- d-----w C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 19:34 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 19:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Adobe Systems
2007-11-21 19:29 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-19 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\nView_Profiles
2007-11-16 16:57 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-16 16:57 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-15 20:12 --------- d-----w C:\Archivos de programa\Britannica
2007-11-13 13:06 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 18:05 --------- d-----w C:\Archivos de programa\MSECache
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\COWON
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vac¡as & entradas leg¡timas predeterminadas no son mostradas

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 10:00 15360]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [2005-06-10 08:05 533734]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-15 02:03 16132608 C:\WINDOWS\RTHDCPL.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55 29744]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NvMediaCenter"="NvMCTray.dll" [2007-09-17 02:07 81920 C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [2007-02-27 12:55 937984]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 10:00 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

La clave del Registro SafeBoot necesita reparacion. Esta maquina no puede reiniciar en modo a prueba de fallos (modo seguro).

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Archivos de programa\Util\CBOClean\BOCDRIVE.sys []
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55]
S4 Fix-It Task Manager;Fix-It Task Manager;C:\ARCHIV~1\Util\Fix-It\mxtask.exe [2007-01-29 17:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
Contenido de carpeta 'Tareas Programadas'
"2008-01-03 15:16:05 C:\WINDOWS\Tasks\Backup de Biblioteca.job"
- C:\Home\Abramson\Backup\biblioteca.bat
"2008-01-04 15:02:16 C:\WINDOWS\Tasks\Backup de Email.job"
- C:\Home\Abramson\Backup\email.bat
"2008-01-09 15:00:48 C:\WINDOWS\Tasks\Backup de Home.job"
- C:\Home\Abramson\Backup\backup.bat
"2007-12-06 19:59:34 C:\WINDOWS\Tasks\SyncToy Abramson en CABFST21.job"
- C:\Archivos de programa\Util\SyncToy 2.0 Beta\SyncToyCmd.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 14:19:19
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-01-09 14:22:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 16:22:37
.
2007-12-12 12:15:57 --- E O F ---

Guillermo

I checked again with IceSword after last post. No hldrrr.exe nor wintems.exe proceses, no srosa.sys items on SSDT list.

However, file hldrrr.exe is still in system32\drivers. Should I remove it with MoveIt? Srosa.sys and wintems.exe cannot be found, I hope they do not reappear.

Guillermo

That seems to have got rid of a bit of it. Try not to restart your PC if possible to be on the safe side



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\hldrrr.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-

Click to expand...

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Download avz4.zip from here

• Unzip it to your desktop to a folder named avz4
• Double click on AVZ.exe to run it.
• Run an update by clicking the Auto Update button on the Right of the Log window:
  
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• After the update, from the "File" menu, choose "System Recovery"
• Check the box beside 10. Restore SafeBoot registry keys
• Click Execute Selected Scripts, accept any prompts, then reboot your PC.

Done. ComboFix produced the log reported below.

AVZ: I couldn't update with any of the sources (2 of them), so I run the tool anyway (since the only selected was restore safeboot... did I mess it up?).

Then rebooted, and here I am. SI does not show any of the bad guys either in Processes or SSDT. Should I run any other scan? SSD or HijackThis?

There are still a lot of new xxxx.exe in system32\drivers\down, where xxxx are 5 or 6 figures numbers. Some of these files have icons equal to that of wintems.exe (a keychain with keys). None of them is running as a process.

Guillermo


Note: this log is from before I run avz4, hence the SafeBoot note in red

ComboFix 08-01-09.2 - Abramson 2008-01-09 16:05:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.1581 [GMT -2:00]
Se ejecuta desde: C:\Documents and Settings\Abramson\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\Abramson\Escritorio\CFScript.txt
* Creado un nuevo punto de restauración

FILE
C:\WINDOWS\system32\drivers\hldrrr.exe
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\hldrrr.exe

.
(((((((((((((((((( Archivos creados desde 2007-12-09 - 2008-01-09 )))))))))))))))))))))))))))))))))
.

2008-01-09 14:22 . <DIR> C:\WINDOWS\system32\config\systemprofile\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\NetworkService\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\NetworkService.NT AUTHORITY\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\LocalService\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\LocalService.NT AUTHORITY\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\Default User\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\Default User.WINDOWS\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\Administrador\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\Abramson\Configuraci=n local
2008-01-09 14:21 . 2008-01-09 14:21 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-09 14:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 10:25 . 2008-01-09 10:25 <DIR> d-------- C:\Deckard
2008-01-08 15:15 . 2008-01-08 15:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\GiPo@Utilities
2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
2008-01-08 14:20 . 2007-01-18 10:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-08 14:01 . 2008-01-09 14:11 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 11:34 . 2007-08-08 20:02 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2008-01-08 11:34 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-01-08 11:34 . 2006-03-02 10:00 25,600 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-01-04 11:03 . 2008-01-04 11:03 49 --a------ C:\WINDOWS\fsplugin.ini
2008-01-03 14:37 . 2007-10-22 07:10 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-03 14:37 . 2007-10-22 07:10 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-03 14:37 . 2008-01-03 14:37 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-01-03 10:40 . 2008-01-03 10:40 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-03 10:11 . 2008-01-08 13:27 21,712 ---h----- C:\treeinfo.wc
2007-12-28 16:03 . 2007-12-28 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-27 15:23 . 2007-12-27 15:41 <DIR> d-------- C:\Archivos de programa\Nero
2007-12-27 10:45 . 2007-12-27 10:45 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 18:38 . 2008-01-02 10:55 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-18 17:16 . 2007-12-18 17:15 151,552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53 . 2007-12-18 11:53 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10 . 2007-12-14 16:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-14 16:03 . 2007-12-14 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 15:51 . 2007-12-14 15:51 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50 . 2007-12-27 15:25 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50 . 2007-12-27 15:23 <DIR> d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50 . 2007-12-14 13:50 <DIR> d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37 . 2007-12-14 13:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09 . 2007-12-12 18:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 16:04 --------- d-----w C:\Archivos de programa\Spyware Doctor
2008-01-09 15:13 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\XnView
2008-01-09 14:10 --------- d-----w C:\Archivos de programa\Astro
2008-01-09 14:07 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-09 13:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Google Updater
2008-01-09 11:33 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 17:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Spybot - Search & Destroy
2008-01-08 17:54 --------- d-----w C:\Archivos de programa\Util
2008-01-08 13:03 --------- d-----w C:\Archivos de programa\Image
2008-01-08 12:46 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-08 11:51 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\TEMP
2007-12-28 18:02 --------- d-----w C:\Archivos de programa\Net
2007-12-26 18:28 --------- d-----w C:\Archivos de programa\video
2007-12-19 02:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\avg7
2007-12-18 20:32 --------- d-----w C:\Archivos de programa\Sci
2007-12-18 19:17 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:50 --------- d-----w C:\Archivos de programa\Texts
2007-12-14 15:50 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-28 12:14 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 12:51 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 13:34 --------- d-----w C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 19:34 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 19:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Adobe Systems
2007-11-21 19:29 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-19 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\nView_Profiles
2007-11-16 16:57 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-16 16:57 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-15 20:12 --------- d-----w C:\Archivos de programa\Britannica
2007-11-13 13:06 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 18:05 --------- d-----w C:\Archivos de programa\MSECache
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\COWON
2007-10-29 22:43 1,293,824 ------w C:\WINDOWS\system32\quartz.dll
2007-10-25 12:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-15 16:23 98,304 ----a-w C:\WINDOWS\system32\LtTtf14n.Dll
2007-10-15 16:23 94,208 ----a-w C:\WINDOWS\system32\ltdoc14n.dll
2007-10-15 16:23 89,232 ----a-w C:\WINDOWS\system32\LPCPN05N.dll
2007-10-15 16:23 86,016 ----a-w C:\WINDOWS\system32\lffax14n.dll
2007-10-15 16:23 85,136 ----a-w C:\WINDOWS\system32\LPINS05N.dll
2007-10-15 16:23 77,898 ----a-w C:\WINDOWS\system32\lfjb214n.dll
2007-10-15 16:23 72,848 ----a-w C:\WINDOWS\system32\LpTxt05n.dll
2007-10-15 16:23 703,632 ----a-w C:\WINDOWS\system32\LPRES05N.DLL
2007-10-15 16:23 695,440 ----a-w C:\WINDOWS\system32\LPDLG05N.DLL
2007-10-15 16:23 68,752 ----a-w C:\WINDOWS\system32\Lpdrv05n.DLL
2007-10-15 16:23 65,536 ----a-w C:\WINDOWS\system32\ltserial.dll
2007-10-15 16:23 642,192 ----a-w C:\WINDOWS\system32\LPUIR05r.dll
2007-10-15 16:23 56,464 ----a-w C:\WINDOWS\system32\LPUNI05N.dll
2007-10-15 16:23 56,464 ----a-w C:\WINDOWS\system32\LPRPC05u.dll
2007-10-15 16:23 52,368 ----a-w C:\WINDOWS\system32\LPEML05N.DLL
2007-10-15 16:23 507,024 ----a-w C:\WINDOWS\system32\LtAct14n.dll
2007-10-15 16:23 48,272 ----a-w C:\WINDOWS\system32\LPRNT05N.DLL
2007-10-15 16:23 434,176 ----a-w C:\WINDOWS\system32\ltkrn14n.dll
2007-10-15 16:23 38,032 ----a-w C:\WINDOWS\system32\LPUMD05n.dll
2007-10-15 16:23 364,544 ----a-w C:\WINDOWS\system32\LFCMP14n.dll
2007-10-15 16:23 35,984 ----a-w C:\WINDOWS\system32\LPPMN05u.DLL
2007-10-15 16:23 32,768 ----a-w C:\WINDOWS\system32\Lfwmf14n.dll
2007-10-15 16:23 262,144 ----a-w C:\WINDOWS\system32\LTDIS14n.dll
2007-10-15 16:23 253,952 ----a-w C:\WINDOWS\system32\LTEml14n.dll
2007-10-15 16:23 241,664 ----a-w C:\WINDOWS\system32\ltefx14n.dll
2007-10-15 16:23 228,496 ----a-w C:\WINDOWS\system32\LpPdf05n.dll
2007-10-15 16:23 224,400 ----a-w C:\WINDOWS\system32\LPKRN05N.DLL
2007-10-15 16:23 221,184 ----a-w C:\WINDOWS\system32\Lvkrn14n.dll
2007-10-15 16:23 2,199,552 ----a-w C:\WINDOWS\system32\PdfDll32.dll
2007-10-15 16:23 155,648 ----a-w C:\WINDOWS\system32\LTSGM14n.dll
2007-10-15 16:23 155,648 ----a-w C:\WINDOWS\system32\ltfil14n.dll
2007-10-15 16:23 146,576 ----a-w C:\WINDOWS\system32\LpDoc05n.dll
2007-10-15 16:23 142,480 ----a-w C:\WINDOWS\system32\ltact.dll
2007-10-15 16:23 139,264 ----a-w C:\WINDOWS\system32\lfpdf14n.dll
2007-10-15 16:23 138,384 ----a-w C:\WINDOWS\system32\LpHTM05n.dll
2007-10-15 16:23 138,384 ----a-w C:\WINDOWS\system32\LpEmf05n.dll
2007-10-15 16:23 113,808 ----a-w C:\WINDOWS\system32\LPWSE05n.exe
2007-10-15 16:23 109,712 ----a-w C:\WINDOWS\system32\LpRTF05n.dll
2007-10-15 16:23 106,680 ----a-w C:\WINDOWS\system32\LPUID05n.dll
2007-10-15 16:23 1,703,936 ----a-w C:\WINDOWS\system32\LTCLR14n.dll
2007-10-15 16:23 1,637,520 ----a-w C:\WINDOWS\system32\LPUIT05N.dll
2007-10-15 16:23 1,433,600 ----a-w C:\WINDOWS\system32\LTDic14n.dll
2007-10-15 16:23 1,396,736 ----a-w C:\WINDOWS\system32\ltann14n.dll
2007-10-15 16:23 1,122,304 ----a-w C:\WINDOWS\system32\ltimg14n.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-09_14.22.31.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-09 16:13:10 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-09 18:05:51 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-09 16:13:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-09 18:05:51 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-09 16:13:10 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-09 18:05:52 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-09 16:13:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-09 18:05:52 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-09 16:13:10 5,132,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-09 18:05:52 5,144,576 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-09 16:13:10 221,184 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-09 18:05:52 221,184 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 10:00 15360]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [2005-06-10 08:05 533734]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-15 02:03 16132608 C:\WINDOWS\RTHDCPL.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55 29744]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NvMediaCenter"="NvMCTray.dll" [2007-09-17 02:07 81920 C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [2007-02-27 12:55 937984]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 10:00 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

La clave del Registro SafeBoot necesita reparacion. Esta maquina no puede reiniciar en modo a prueba de fallos (modo seguro).

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Archivos de programa\Util\CBOClean\BOCDRIVE.sys []
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55]
S4 Fix-It Task Manager;Fix-It Task Manager;C:\ARCHIV~1\Util\Fix-It\mxtask.exe [2007-01-29 17:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
Contenido de carpeta 'Tareas Programadas'
"2008-01-03 15:16:05 C:\WINDOWS\Tasks\Backup de Biblioteca.job"
- C:\Home\Abramson\Backup\biblioteca.bat
"2008-01-04 15:02:16 C:\WINDOWS\Tasks\Backup de Email.job"
- C:\Home\Abramson\Backup\email.bat
"2008-01-09 15:00:48 C:\WINDOWS\Tasks\Backup de Home.job"
- C:\Home\Abramson\Backup\backup.bat
"2007-12-06 19:59:34 C:\WINDOWS\Tasks\SyncToy Abramson en CABFST21.job"
- C:\Archivos de programa\Util\SyncToy 2.0 Beta\SyncToyCmd.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 16:06:38
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-01-09 16:06:59
ComboFix-quarantined-files.txt 2008-01-09 18:06:51
ComboFix2.txt 2008-01-09 16:22:39
.
2007-12-12 12:15:57 --- E O F ---

Hello

There are still a lot of new xxxx.exe in system32\drivers\down, where xxxx are 5 or 6 figures numbers. Some of these files have icons equal to that of wintems.exe (a keychain with keys). None of them is running as a process.

Click to expand...

Lets be safe and scan them. Follow these steps for all of the exe files in that folder that have the icon, if there are more than five of these exe files, then don't bother scanning the rest of them



Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

FILE HERE, eg : C:\WINDOWS\system32\drivers\srosa.sys

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.