Virtumonde but different dll?



charlye28
2007-08-06, 00:57
Hi, Spybot has detected Virtumonde in a DLL named mmfipc.dll.

I've looked for this DLL around the forums but found nothing. I tried vundofix.exe, but I don't know if I should look for this DLL.

How did I get infected? I usually use Firefox, but it shows me adware when I open Internet Explorer.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:50:34, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nutsrv4.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
C:\Archivos de programa\VirtuaWin\modules\VWAssigner.exe
C:\Archivos de programa\VirtuaWin\modules\WinList.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
C:\Program Files\OverDisk\OverDisk.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 128.92.1.2 ETHNODO2 ethnodo2
O1 - Hosts: 128.92.1.3 ETHNODO3 ethnodo3
O1 - Hosts: 128.92.1.4 ETHNODO4 ethnodo4
O1 - Hosts: 128.92.1.5 ETHNODO5 ethnodo5
O1 - Hosts: 128.92.1.6 ETHNODO6 ethnodo6
O1 - Hosts: 128.92.1.7 ETHNODO7 ethnodo7
O1 - Hosts: 128.92.1.8 ETHNODO8 ethnodo8
O1 - Hosts: 128.93.1.2 SWNODO2 swnodo2
O1 - Hosts: 128.93.1.3 SWNODO3 swnodo3
O1 - Hosts: 128.93.1.4 SWNODO4 swnodo4
O1 - Hosts: 128.93.1.6 SWNODO6 swnodo6
O1 - Hosts: 128.93.1.7 SWNODO7 swnodo7
O1 - Hosts: 128.93.1.8 SWNODO8 swnodo8
O1 - Hosts: 128.93.1.15 SWNODO15 swnodo15
O1 - Hosts: 128.90.0.34 ORAREMEDY oraremedy
O1 - Hosts: 128.90.0.208 INTRANET.IECI.ES intranet.ieci.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp98.tmp.dll
O2 - BHO: (no name) - {f0d0997d-3408-4a39-ab92-f5c4b58895ab} - C:\WINDOWS\system32\mmfipc.dll
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Atria\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\vttrrs.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: VirtuaWin.lnk = C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mmfipc.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mmfipc.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://10.228.137.37/projectserver/objects/pjclient.cab
O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://localhost:9090/dco/wdk/native/WdkPluginCab.CAB
O16 - DPF: {89B8153D-C170-41D7-BB4B-CD4D63FE900C} (Pj11esnC Class) - http://10.228.137.37/projectserver/objects/3082/pjcintl.cab
O16 - DPF: {B1B47DEB-76C1-4701-9F19-5671101C3344} (PictureSelect.Selector) - http://www.revelaonline.com/class/RevelaonlinePictureManager.cab
O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
O16 - DPF: {BA2174B0-C012-11DA-A94D-0800200C9A66} (DmDragDrop Class) - http://documentum:1975/dco/wdk/native/WdkPluginCab.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\Software\..\Telephony: DomainName = grupoeci.elcorteingles.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{3787471A-6F44-475F-B1D8-B928E127E071}: NameServer = 192.168.50.170,192.168.50.171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC9E483-93DE-45C2-BE3B-733BD13A2191}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA032721-3D92-4450-8B90-A77BAD0D7744}: NameServer = 128.90.0.203,128.90.0.204
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
O20 - Winlogon Notify: mmfipc - C:\WINDOWS\SYSTEM32\mmfipc.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: IBM CICS Universal Client (CICSClient) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\cclserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Servidor de applet JDBC de DB2 (DB2JDS) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: Servidor de seguridad DB2 (DB2NTSECSERVER) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: FspadSvc - Unknown owner - C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\CTGSERVICE.EXE
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe

--
End of file - 9277 bytes

Shaba
2007-08-06, 11:05
Hi charlye28

1. Download ComboFix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
- vundofix report (if available)

charlye28
2007-08-06, 12:46
Here's the ComboFix log. I'll post the HijackThis log in the next post.

ComboFix 07-08-04.3 - "65555955" 2007-08-06 12:30:24.1 [GMT 2:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\655559~1.GRU\DATOSD~1\tmp94.tmp.exe
C:\DOCUME~1\655559~1.GRU\DATOSD~1\tmp98.tmp.exe
C:\WINDOWS\hosts
C:\WINDOWS\system32\dnb42d4d23.dat
C:\WINDOWS\system32\mmfipc.dll
C:\WINDOWS\system32\tmp98.tmp.dll
C:\WINDOWS\xhelper.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


2007-08-06 12:41 92,687 --a------ C:\WINDOWS\system32\C_2XEC.dll
2007-08-06 12:41 18 --a------ C:\WINDOWS\system32\dnb42d4d23.dat
2007-08-06 12:41 105,468 --a------ C:\WINDOWS\system32\sstts.exe
2007-08-06 12:28 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 00:21 <DIR> d-------- C:\VundoFix Backups
2007-08-06 00:01 <DIR> d-------- C:\Archivos de programa\Trend Micro
2007-08-05 22:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Spybot - Search & Destroy
2007-08-05 22:18 131,433 --a------ C:\WINDOWS\vttrrs.dll
2007-08-05 22:13 13,380 --a------ C:\WINDOWS\system32\ddcyxut.dll
2007-08-05 22:02 25,664 --a------ C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-04 12:00 84,992 --a------ C:\WINDOWS\WebAssist.dll
2007-07-17 13:59 65,536 --a------ C:\DOCUME~1\655559~1.GRU\DwRegistry0.dll
2007-07-11 13:36 <DIR> d-------- C:\Archivos de programa\Windows Environment Variable Editor (WEVE) 1.5
2007-07-08 15:40 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\Phone Browser
2007-07-08 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\PC Suite
2007-07-08 15:32 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Nokia
2007-07-08 15:31 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-07-08 15:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-08 15:31 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\PC Suite
2007-07-08 15:31 <DIR> d-------- C:\Archivos de programa\PC Connectivity Solution
2007-07-08 15:31 <DIR> d-------- C:\Archivos de programa\DIFX
2007-07-08 15:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Installations
2007-07-06 15:36 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\TVU Networks
2007-07-06 15:36 <DIR> d-------- C:\Archivos de programa\TVUPlayer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 22:02 --------- d-------- C:\Archivos de programa\Picasa2
2007-07-03 23:08 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Skype
2007-07-02 23:38 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\PDFcreator
2007-07-02 12:46 --------- d-------- C:\Archivos de programa\UltraEdit
2007-06-28 19:26 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\vlc
2007-06-27 20:34 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Apple Computer
2007-06-27 12:48 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\AdobeUM
2007-06-26 21:32 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Ahead
2007-06-22 16:04 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Help
2007-06-22 16:02 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Rational
2007-06-22 15:51 --------- d-------- C:\Archivos de programa\Rational
2007-06-22 15:16 --------- d-------- C:\Archivos de programa\IBM
2007-06-22 09:40 --------- d-------- C:\Archivos de programa\Archivos comunes\IBM
2007-06-21 16:31 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\VirtuaWin
2007-06-18 16:47 --------- d-------- C:\Archivos de programa\7-Zip
2007-06-15 17:48 659 --ah----- C:\os642656.bin
2007-06-15 12:41 --------- d--h----- C:\Archivos de programa\InstallShield Installation Information
2007-06-15 12:40 --------- d-------- C:\Archivos de programa\Archivos comunes\Vbox
2007-06-14 10:33 --------- d-------- C:\Archivos de programa\Network Associates
2007-06-12 11:25 --------- d-------- C:\Archivos de programa\VirtuaWin
2007-06-10 01:53 --------- d-------- C:\Archivos de programa\VideoLAN
2007-06-08 16:15 --------- d-------- C:\Archivos de programa\Ares
2007-06-08 13:01 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Talkback
2007-06-08 12:46 7012 --------- C:\WINDOWS\system32\drivers\PMEMNT.SYS
2007-06-08 12:42 --------- d-------- C:\Archivos de programa\Archivos comunes\Tivoli
2007-06-07 12:07 --------- d-------- C:\Archivos de programa\Winamp
2007-06-07 10:47 --------- d-------- C:\Archivos de programa\Archivos comunes\Real
2007-06-01 16:21 14597 --a--c--- C:\WINDOWS\mozver.dat
2005-05-13 16:12:00 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13:58 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-10-13 20:27:00 422,400 -csha-r C:\WINDOWS\x2.64.exe
2005-07-14 11:31:20 27,648 -csha-r C:\WINDOWS\system32\AVSredirect.dll
2006-12-07 11:12:16 56 -csh--r C:\WINDOWS\system32\C5B453062B.sys
2005-06-26 14:32:28 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37:42 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-12-07 11:12:16 1,890 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-04-27 09:24:24 2,945,024 -csha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 12:16:22 240,128 -csha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-08-04 12:00 84992 --a------ C:\WINDOWS\WebAssist.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NuTCSetupEnviron"="C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe" [2002-04-25 16:13]
"CCDoctorLogonTesting"="c:\Atria\bin\ccdoctor.exe" [2001-09-25 03:44]
"Picasa Media Detector"="C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe" [2007-08-05 22:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 14:00]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
VirtuaWin.lnk - C:\Archivos de programa\VirtuaWin\VirtuaWin.exe [2007-06-12 11:25:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)
"MaxGPOScriptWait"=300 (0x12c)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"WallpaperStyle"=2

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoActiveDesktopChanges"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\C_2XEC]
C_2XEC.dll 2007-08-06 12:41 92687 C:\WINDOWS\system32\C_2XEC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\ddcyxut.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 TivoliAP

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=GPO_Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\grupoeci.elcorteingles.corp\SysVol\grupoeci.elcorteingles.corp\scripts\Configuracion\PROC\Politicas.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=\\grupoeci.elcorteingles.corp\SysVol\grupoeci.elcorteingles.corp\scripts\Configuracion\PROC\Politicas.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Notes Minder.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Notes Minder.lnk
backup=C:\WINDOWS\pss\Notes Minder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VirtuaWin.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\VirtuaWin.lnk
backup=C:\WINDOWS\pss\VirtuaWin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CplBCL50]
C:\Archivos de programa\EzButton\CplBCL50.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Archivos de programa\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
"C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
G:\Rainlendar2\Rainlendar2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMpage]
"C:\Archivos de programa\RAMpage\RAMpage.exe" M=28 T=24 LG P="C:\Archivos de programa\RAMpage\RAMpageConfig.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Archivos de programa\Java\j2re1.4.2_12\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

R0 ENECBPTH;ENE Cardbus Patch Driver;C:\WINDOWS\system32\drivers\ENECBPTH.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 NHostNT1;NetOp Driver 1 ver. 7.65 (2004342);C:\WINDOWS\system32\Drivers\NHOSTNT1.SYS
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
R1 Tcpip6;Controlador de protocolo IPv6 de Microsoft;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
R2 6to4;Servicio de ayuda de IPv6;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 FspadSvc;FspadSvc;C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
R2 lcfd;Tivoli Endpoint;"C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe"
R2 NetOp Host for NT Service;NetOp Helper ver. 7.65 (2004342);"C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE"
R2 NuTCRACKERService;NuTCRACKERService;C:\WINDOWS\system32\nutsrv4.exe
R2 PMEM;PMEM;\??\C:\WINDOWS\system32\drivers\PMEMNT.SYS
R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe /Service
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;C:\WINDOWS\system32\DRIVERS\fspad.sys
R3 NHOSTNT3;NetOp Driver 3 ver. 7.65 (2004342) (NHOSTNT3);C:\WINDOWS\system32\Drivers\NHOSTNT3.SYS
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
R3 tunmp;Controlador de adaptador de minipuerto Tun de Microsoft;C:\WINDOWS\system32\DRIVERS\tunmp.sys
R3 vsbus;Virtual Serial Bus Enumerator;C:\WINDOWS\system32\DRIVERS\vsb.sys
R3 w29n51;Controlador de la Conexión de red Intel(R) PRO/Wireless 2200BG para Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
S2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\system32\drivers\btslbcsp.sys
S3 actser;actser;C:\WINDOWS\system32\drivers\actser.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 p2pgasvc;Autenticación de grupo de redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Administrador de identidad de redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
S3 PID_08A0;Labtec WebCam(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
S3 PNRPSvc;Protocolo de resolución de nombres de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
S3 Tomcat5;Apache Tomcat;"C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5
S3 vaxscsi;vaxscsi;C:\WINDOWS\system32\Drivers\vaxscsi.sys
S3 vserial;ELTIMA Virtual Serial Ports Driver;C:\WINDOWS\system32\DRIVERS\vserial.sys
S3 w22n51;Controlador Intel(R) PRO/Wireless 2200 Adapter;C:\WINDOWS\system32\DRIVERS\w22n51.sys
S3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
mysee2 Mysee2_Runtime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aadb5c8-2002-11dc-ac25-000fb0929265}]
dismount\command- D:\syst\syst.exe /q /d
start\command- D:\syst\syst.exe /q background /e /m rm /v "sys"


Contents of the 'Scheduled Tasks' folder
2007-08-05 13:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Archivos de programa\Apple Software Update\SoftwareUpdate.exe
2007-08-05 22:02:02 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At14.job
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 23:02:02 C:\WINDOWS\Tasks\At2.job
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 21:01:06 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\1a5WEXsH.exe
2007-08-05 20:02:06 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\1a5WEXsH.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 12:41:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-06 12:43:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-06 12:43

--- E O F ---

charlye28
2007-08-06, 12:54
Thanks in advance; there was no log generated by VundoFix v6.5.6.

How did this enter the computer? Via Internet Explorer? Was it a JavaScript? Did I agree to install something in Internet Explorer?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44, on 2007-08-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nutsrv4.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
C:\Archivos de programa\VirtuaWin\modules\VWAssigner.exe
C:\Archivos de programa\VirtuaWin\modules\WinList.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ieci.geci:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.int;*.geci;128.*;documentum.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Atria\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: VirtuaWin.lnk = C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://10.228.137.37/projectserver/objects/pjclient.cab
O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://localhost:9090/dco/wdk/native/WdkPluginCab.CAB
O16 - DPF: {89B8153D-C170-41D7-BB4B-CD4D63FE900C} (Pj11esnC Class) - http://10.228.137.37/projectserver/objects/3082/pjcintl.cab
O16 - DPF: {B1B47DEB-76C1-4701-9F19-5671101C3344} (PictureSelect.Selector) - http://www.revelaonline.com/class/RevelaonlinePictureManager.cab
O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
O16 - DPF: {BA2174B0-C012-11DA-A94D-0800200C9A66} (DmDragDrop Class) - http://documentum:1975/dco/wdk/native/WdkPluginCab.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\Software\..\Telephony: DomainName = grupoeci.elcorteingles.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{3787471A-6F44-475F-B1D8-B928E127E071}: NameServer = 192.168.50.170,192.168.50.171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC9E483-93DE-45C2-BE3B-733BD13A2191}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA032721-3D92-4450-8B90-A77BAD0D7744}: NameServer = 128.90.0.203,128.90.0.204
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
O20 - Winlogon Notify: C_2XEC - C:\WINDOWS\SYSTEM32\C_2XEC.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: IBM CICS Universal Client (CICSClient) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\cclserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Servidor de applet JDBC de DB2 (DB2JDS) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: Servidor de seguridad DB2 (DB2NTSECSERVER) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: FspadSvc - Unknown owner - C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\CTGSERVICE.EXE
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe

--
End of file - 8394 bytes

Shaba
2007-08-06, 13:08
Hi

"how did this enter the computer ¿via iexplorer? was it a javascript? did I accept to install something in the explorer?"

Impossible to say.

First, I would like you to upload this file to uploadmalware (http://www.uploadmalware.com)

C:\WINDOWS\SYSTEM32\C_2XEC.dll

Put in Comments and Further Info:

New Vundo file and these:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
O20 - Winlogon Notify: C_2XEC - C:\WINDOWS\SYSTEM32\C_2XEC.dll

After that:

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
O20 - Winlogon Notify: C_2XEC - C:\WINDOWS\SYSTEM32\C_2XEC.dll

Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\C_2XEC.dll
C:\WINDOWS\system32\dnb42d4d23.dat
C:\WINDOWS\system32\sstts.exe
C:\WINDOWS\vttrrs.dll
C:\WINDOWS\system32\ddcyxut.dll
C:\WINDOWS\system32\1a5WEXsH.exe
C:\WINDOWS\WebAssist.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aadb5c8-2002-11dc-ac25-000fb0929265}]


Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
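
The load points Shaba singles out above (the O9 buttons, the Winlogon Notify and AppInit_DLLs entries, the BHO sitting directly under C:\WINDOWS) can be picked out of a HijackThis log mechanically. The Python script below is an added example, not part of HijackThis, ComboFix or anything used in this thread: it groups the posted log lines by the file they load and flags files hooked through global load points, referenced from several load points, or stored under the Windows directory. The parsing rules and the suspicion heuristics are this example's own assumptions.

```python
"""Group HijackThis load-point entries by the file they load.

Added example for this thread, not part of HijackThis, ComboFix or the
forum's tooling. Sample lines are copied from the log posted above; the
parsing rules and suspicion heuristics are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the posted HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\C_2XEC.dll
O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
O20 - Winlogon Notify: C_2XEC - C:\WINDOWS\SYSTEM32\C_2XEC.dll
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe
"""

# "O20 - Winlogon Notify: ..." -> section "O20", kind "Winlogon Notify".
SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*?):")
# A Windows path ending in a library/executable extension; the last one on a
# line is the file the load point actually runs.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe|sys)\b', re.IGNORECASE)

GLOBAL_HOOKS = {"O20"}              # AppInit_DLLs / Winlogon Notify: every process or the logon process
ADDON_SECTIONS = {"O2", "O9", "O20"}  # browser/logon add-ons that rarely belong in the Windows directory
WINDIR_PREFIXES = ("c:\\windows\\",)  # assumption: system root is C:\WINDOWS, as in the posted log


def parse_load_points(log_text):
    """Return {lower-cased path: {(section, kind), ...}} for every log line
    that names a file. Paths are lower-cased so that SYSTEM32 and system32
    spellings of the same DLL land in the same bucket."""
    by_file = defaultdict(set)
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if not m:
            continue
        paths = PATH_RE.findall(line)
        if not paths:
            continue
        by_file[paths[-1].lower()].add((m.group(1).upper(), m.group(2).strip()))
    return dict(by_file)


def flag_suspicious(by_file):
    """Return {path: [reason, ...]} for files that deserve a second look."""
    findings = {}
    for path, points in sorted(by_file.items()):
        sections = {section for section, _ in points}
        reasons = []
        hooks = sorted(kind for section, kind in points if section in GLOBAL_HOOKS)
        if hooks:
            reasons.append("loaded through global hook(s): " + ", ".join(hooks))
        if len(points) > 1:
            reasons.append("referenced from %d separate load points" % len(points))
        if path.startswith(WINDIR_PREFIXES) and sections & ADDON_SECTIONS:
            reasons.append("browser/logon add-on stored under the Windows directory")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in flag_suspicious(parse_load_points(SAMPLE_LOG)).items():
        print(path)
        for reason in reasons:
            print("    -", reason)
```

On the sample above the script flags C_2XEC.dll, ddcyxut.dll and WebAssist.dll and leaves the Spybot helper, Picasa and Tomcat entries alone.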

charlye28
2007-08-07, 14:47
Thanks again :bigthumb:

ComboFix 07-08-04.3 - "65555955" 2007-08-07 14:34:17.2 [GMT 2:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.Verdadero
Command switches used :: C:\Documents and Settings\65555955.GRUPOECI\Escritorio\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\1a5WEXsH.exe
C:\WINDOWS\system32\C_2XEC.dll
C:\WINDOWS\system32\ddcyxut.dll
C:\WINDOWS\system32\dnb42d4d23.dat
C:\WINDOWS\system32\sstts.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\vttrrs.dll


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 12:28 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 00:21 <DIR> d-------- C:\VundoFix Backups
2007-08-06 00:01 <DIR> d-------- C:\Archivos de programa\Trend Micro
2007-08-05 22:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Spybot - Search & Destroy
2007-07-17 13:59 65,536 --a------ C:\DOCUME~1\655559~1.GRU\DwRegistry0.dll
2007-07-11 13:36 <DIR> d-------- C:\Archivos de programa\Windows Environment Variable Editor (WEVE) 1.5
2007-07-08 15:40 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\Phone Browser
2007-07-08 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\PC Suite
2007-07-08 15:32 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Nokia
2007-07-08 15:31 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-07-08 15:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-08 15:31 <DIR> d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\PC Suite
2007-07-08 15:31 <DIR> d-------- C:\Archivos de programa\PC Connectivity Solution
2007-07-08 15:31 <DIR> d-------- C:\Archivos de programa\DIFX
2007-07-08 15:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Installations


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 22:02 --------- d-------- C:\Archivos de programa\Picasa2
2007-07-06 15:37 --------- d-------- C:\Archivos de programa\TVUPlayer
2007-07-06 15:36 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\TVU Networks
2007-07-03 23:08 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Skype
2007-07-02 23:38 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\PDFcreator
2007-07-02 12:46 --------- d-------- C:\Archivos de programa\UltraEdit
2007-06-28 19:26 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\vlc
2007-06-27 20:34 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Apple Computer
2007-06-27 12:48 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\AdobeUM
2007-06-26 21:32 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Ahead
2007-06-22 16:04 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Help
2007-06-22 16:02 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Rational
2007-06-22 15:51 --------- d-------- C:\Archivos de programa\Rational
2007-06-22 15:16 --------- d-------- C:\Archivos de programa\IBM
2007-06-22 09:40 --------- d-------- C:\Archivos de programa\Archivos comunes\IBM
2007-06-21 16:31 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\VirtuaWin
2007-06-18 16:47 --------- d-------- C:\Archivos de programa\7-Zip
2007-06-15 17:48 659 --ah----- C:\os642656.bin
2007-06-15 12:41 --------- d--h----- C:\Archivos de programa\InstallShield Installation Information
2007-06-15 12:40 --------- d-------- C:\Archivos de programa\Archivos comunes\Vbox
2007-06-14 10:33 --------- d-------- C:\Archivos de programa\Network Associates
2007-06-12 11:25 --------- d-------- C:\Archivos de programa\VirtuaWin
2007-06-10 01:53 --------- d-------- C:\Archivos de programa\VideoLAN
2007-06-08 16:15 --------- d-------- C:\Archivos de programa\Ares
2007-06-08 13:01 --------- d-------- C:\DOCUME~1\655559~1.GRU\DATOSD~1\Talkback
2007-06-08 12:46 7012 --------- C:\WINDOWS\system32\drivers\PMEMNT.SYS
2007-06-08 12:42 --------- d-------- C:\Archivos de programa\Archivos comunes\Tivoli
2007-06-07 12:07 --------- d-------- C:\Archivos de programa\Winamp
2007-06-07 10:47 --------- d-------- C:\Archivos de programa\Archivos comunes\Real
2007-06-01 16:21 14597 --a--c--- C:\WINDOWS\mozver.dat
2005-05-13 16:12:00 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13:58 66,560 -csha-r C:\WINDOWS\MOTA113.exe
2005-10-13 20:27:00 422,400 -csha-r C:\WINDOWS\x2.64.exe
2005-07-14 11:31:20 27,648 -csha-r C:\WINDOWS\system32\AVSredirect.dll
2006-12-07 11:12:16 56 -csh--r C:\WINDOWS\system32\C5B453062B.sys
2005-06-26 14:32:28 616,448 -csha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37:42 45,568 -csha-r C:\WINDOWS\system32\cygz.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-12-07 11:12:16 1,890 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-04-27 09:24:24 2,945,024 -csha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 12:16:22 240,128 -csha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NuTCSetupEnviron"="C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe" [2002-04-25 16:13]
"CCDoctorLogonTesting"="c:\Atria\bin\ccdoctor.exe" [2001-09-25 03:44]
"Picasa Media Detector"="C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe" [2007-08-05 22:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 14:00]

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\
VirtuaWin.lnk - C:\Archivos de programa\VirtuaWin\VirtuaWin.exe [2007-06-12 11:25:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)
"MaxGPOScriptWait"=300 (0x12c)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"WallpaperStyle"=2

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoActiveDesktopChanges"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\ddcyxut.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 TivoliAP

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=GPO_Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\grupoeci.elcorteingles.corp\SysVol\grupoeci.elcorteingles.corp\scripts\Configuracion\PROC\Politicas.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=\\grupoeci.elcorteingles.corp\SysVol\grupoeci.elcorteingles.corp\scripts\Configuracion\PROC\Politicas.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Notes Minder.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Notes Minder.lnk
backup=C:\WINDOWS\pss\Notes Minder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^VirtuaWin.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\VirtuaWin.lnk
backup=C:\WINDOWS\pss\VirtuaWin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CplBCL50]
C:\Archivos de programa\EzButton\CplBCL50.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Archivos de programa\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
"C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
G:\Rainlendar2\Rainlendar2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMpage]
"C:\Archivos de programa\RAMpage\RAMpage.exe" M=28 T=24 LG P="C:\Archivos de programa\RAMpage\RAMpageConfig.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"C:\Archivos de programa\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Archivos de programa\Java\j2re1.4.2_12\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

R0 ENECBPTH;ENE Cardbus Patch Driver;C:\WINDOWS\system32\drivers\ENECBPTH.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 NHostNT1;NetOp Driver 1 ver. 7.65 (2004342);C:\WINDOWS\system32\Drivers\NHOSTNT1.SYS
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
R1 Tcpip6;Controlador de protocolo IPv6 de Microsoft;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
R2 6to4;Servicio de ayuda de IPv6;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 FspadSvc;FspadSvc;C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
R2 lcfd;Tivoli Endpoint;"C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe"
R2 NetOp Host for NT Service;NetOp Helper ver. 7.65 (2004342);"C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE"
R2 NuTCRACKERService;NuTCRACKERService;C:\WINDOWS\system32\nutsrv4.exe
R2 PMEM;PMEM;\??\C:\WINDOWS\system32\drivers\PMEMNT.SYS
R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe /Service
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;C:\WINDOWS\system32\DRIVERS\fspad.sys
R3 NHOSTNT3;NetOp Driver 3 ver. 7.65 (2004342) (NHOSTNT3);C:\WINDOWS\system32\Drivers\NHOSTNT3.SYS
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
R3 tunmp;Controlador de adaptador de minipuerto Tun de Microsoft;C:\WINDOWS\system32\DRIVERS\tunmp.sys
R3 vsbus;Virtual Serial Bus Enumerator;C:\WINDOWS\system32\DRIVERS\vsb.sys
R3 w29n51;Controlador de la Conexión de red Intel(R) PRO/Wireless 2200BG para Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
S2 BTSLBCSP;Bluetooth Port Client Driver;\??\C:\WINDOWS\system32\drivers\btslbcsp.sys
S3 actser;actser;C:\WINDOWS\system32\drivers\actser.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 p2pgasvc;Autenticación de grupo de redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Administrador de identidad de redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Redes de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
S3 PID_08A0;Labtec WebCam(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
S3 PNRPSvc;Protocolo de resolución de nombres de mismo nivel;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
S3 Tomcat5;Apache Tomcat;"C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5
S3 vaxscsi;vaxscsi;C:\WINDOWS\system32\Drivers\vaxscsi.sys
S3 vserial;ELTIMA Virtual Serial Ports Driver;C:\WINDOWS\system32\DRIVERS\vserial.sys
S3 w22n51;Controlador Intel(R) PRO/Wireless 2200 Adapter;C:\WINDOWS\system32\DRIVERS\w22n51.sys
S3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
mysee2 Mysee2_Runtime


Contents of the 'Scheduled Tasks' folder
2007-08-05 13:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Archivos de programa\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 14:44:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 14:45:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 14:45
C:\ComboFix2.txt ... 2007-08-06 12:43

--- E O F ---

charlye28
2007-08-07, 14:51
Looks like O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll

didn't get deleted:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:48, on 2007-08-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nutsrv4.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ieci.geci:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.int;*.geci;128.*;documentum.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Atria\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: VirtuaWin.lnk = C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://10.228.137.37/projectserver/objects/pjclient.cab
O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://localhost:9090/dco/wdk/native/WdkPluginCab.CAB
O16 - DPF: {89B8153D-C170-41D7-BB4B-CD4D63FE900C} (Pj11esnC Class) - http://10.228.137.37/projectserver/objects/3082/pjcintl.cab
O16 - DPF: {B1B47DEB-76C1-4701-9F19-5671101C3344} (PictureSelect.Selector) - http://www.revelaonline.com/class/RevelaonlinePictureManager.cab
O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
O16 - DPF: {BA2174B0-C012-11DA-A94D-0800200C9A66} (DmDragDrop Class) - http://documentum:1975/dco/wdk/native/WdkPluginCab.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\Software\..\Telephony: DomainName = grupoeci.elcorteingles.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{3787471A-6F44-475F-B1D8-B928E127E071}: NameServer = 192.168.50.170,192.168.50.171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC9E483-93DE-45C2-BE3B-733BD13A2191}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA032721-3D92-4450-8B90-A77BAD0D7744}: NameServer = 128.90.0.203,128.90.0.204
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: IBM CICS Universal Client (CICSClient) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\cclserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Servidor de applet JDBC de DB2 (DB2JDS) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: Servidor de seguridad DB2 (DB2NTSECSERVER) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: FspadSvc - Unknown owner - C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\CTGSERVICE.EXE
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe

--
End of file - 7847 bytes

Shaba
2007-08-07, 15:01
Hi

Yes, it looks like it.

Maybe the problem was that you fixed it before the file was gone.

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O20 - AppInit_DLLs: c:\windows\system32\ddcyxut.dll

Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK.
Now, under Select a target to scan, select My Computer.
The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report

charlye28
2007-08-08, 09:37
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 08, 2007 9:31:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/08/2007
Kaspersky Anti-Virus database records: 376845
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
E:\
T:\
Scan Statistics
Total number of scanned objects 345370
Number of viruses found 10
Number of infected objects 22
Number of suspicious objects 0
Duration of the scan process 08:31:07

Infected Object Name Virus Name Last Action
C:\AccessProtectionLog.txt Object is locked skipped
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Archivos de programa\EzButton\CplBCL50.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe1175202410 Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Archivos de programa\Network Associates\System Compliance Profiler\PtchScan.log Object is locked skipped
C:\Archivos de programa\Rainlendar2\Rainlendar2.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Archivos de programa\Trend Micro\HijackThis\backups\backup-20070807-142948-905.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Ares\Data\TempDl\PBTHash_167885A5B56143EF819BE2DD58899F425367F473.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Ares\Data\TempDl\PBTHash_3705AC98F1EA85E326F9AB3A3CE877B26FD727EE.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Ares\Data\TempDl\PBTHash_6282427C601564F956A296C0A8D2122EF7C52E57.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Historial\History.IE5\MSHist012007080720070808\index.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Temp\NAILogs\UpdaterUI_MX3500001DC1053.log Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Escritorio\Entre Mujeres [DVDScreener] [www.torrentspain.com].avi\__INCOMPLETE__Entre Mujeres [DVDScreener] [www.torrentspain.com].avi Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Escritorio\Los Simpsons La Pelicula [DVDScreener] [Spanish] [www.torrentspain.com].avi\__INCOMPLETE__Los Simpsons La Pelicula [DVDScreener] [Spanish] [www.torrentspain.com].avi Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Escritorio\Piratas del caribe - El cofre del hombre muerto [DVDRip] [www.torrentspain.com].avi\__INCOMPLETE__Piratas del caribe - El cofre del hombre muerto [DVDRip] [www.torrentspain.com].avi Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\01QJ0HQJ\drf1177614159[1].htm Infected: Trojan-Downloader.Win32.Small.eex skipped
C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\ANSJ3KX4\drf1177552416[1].htm.exe Infected: Trojan-Downloader.Win32.Small.eex skipped
C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\CLYB8LMF\popup_code[1].htm Infected: Trojan-Downloader.JS.IstBar.ai skipped
C:\Documents and Settings\All Users\Datos de programa\Network Associates\Common Framework\Db\Agent_MX3500001DC1053.log Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Network Associates\Common Framework\Db\PrdMgr_MX3500001DC1053.log Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\OnAccessScanLog.txt Object is locked skipped
C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(1024).trc Object is locked skipped
C:\QooBox\Quarantine\C\DOCUME~1\655559~1.GRU\DATOSD~1\tmp94.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcyxut.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\QooBox\Quarantine\C\WINDOWS\vttrrs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\QooBox\Quarantine\catchme2007-08-06_124136.87.zip/mmfipc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\QooBox\Quarantine\catchme2007-08-06_124136.87.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP358\A0132074.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP358\A0132093.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP358\A0132300.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP359\A0132348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP359\A0132349.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP359\change.log Object is locked skipped
C:\Tivoli\lcf\dat\1\lcfd.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\inf\usb.inf Object is locked skipped
C:\WINDOWS\inf\usb.PNF Object is locked skipped
C:\WINDOWS\inf\usbstor.inf Object is locked skipped
C:\WINDOWS\inf\usbstor.PNF Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\DRIVER\csrss.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.gen skipped
C:\WINDOWS\system\DRIVER\ntauth.dll Infected: Backdoor.IRC.Zapchast skipped
C:\WINDOWS\system\DRIVER\services.exe Infected: Backdoor.Win32.Iroffer.14b2 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd4941.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\igfxtray.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

charlye28
2007-08-08, 09:39
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:39, on 2007-08-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nutsrv4.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
C:\Archivos de programa\Ares\Ares.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Archivos de programa\internet explorer\iexplore.exe
C:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ieci.geci:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.int;*.geci;128.*;documentum.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Atria\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: VirtuaWin.lnk = C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://10.228.137.37/projectserver/objects/pjclient.cab
O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://localhost:9090/dco/wdk/native/WdkPluginCab.CAB
O16 - DPF: {89B8153D-C170-41D7-BB4B-CD4D63FE900C} (Pj11esnC Class) - http://10.228.137.37/projectserver/objects/3082/pjcintl.cab
O16 - DPF: {B1B47DEB-76C1-4701-9F19-5671101C3344} (PictureSelect.Selector) - http://www.revelaonline.com/class/RevelaonlinePictureManager.cab
O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
O16 - DPF: {BA2174B0-C012-11DA-A94D-0800200C9A66} (DmDragDrop Class) - http://documentum:1975/dco/wdk/native/WdkPluginCab.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\Software\..\Telephony: DomainName = grupoeci.elcorteingles.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{3787471A-6F44-475F-B1D8-B928E127E071}: NameServer = 192.168.50.170,192.168.50.171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC9E483-93DE-45C2-BE3B-733BD13A2191}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA032721-3D92-4450-8B90-A77BAD0D7744}: NameServer = 128.90.0.203,128.90.0.204
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: IBM CICS Universal Client (CICSClient) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\cclserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Servidor de applet JDBC de DB2 (DB2JDS) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: Servidor de seguridad DB2 (DB2NTSECSERVER) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: FspadSvc - Unknown owner - C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\CTGSERVICE.EXE
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe

--
End of file - 8004 bytes

Shaba
2007-08-08, 10:35
Hi

One or more of the identified infections is a backdoor trojan.

C:\WINDOWS\system\DRIVER\csrss.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.gen skipped
C:\WINDOWS\system\DRIVER\ntauth.dll Infected: Backdoor.IRC.Zapchast skipped
C:\WINDOWS\system\DRIVER\services.exe Infected: Backdoor.Win32.Iroffer.14b2 skipped

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
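The triage above rests on two observations a reader can check mechanically in a scanner report: the detection-name prefix (Backdoor., Trojan-, not-a-virus:) tells you the class of threat, and a file called csrss.exe or services.exe sitting anywhere other than C:\WINDOWS\system32 is an impostor regardless of what the scanner calls it. The following is an added example, not part of this thread and not Kaspersky's or Spybot's code: it parses lines in the shape of the Kaspersky Online Scanner report posted above (the "Infected:", "Object is locked" and "ZIP: infected" forms), buckets detections by class and flags core-process names outside system32. The sample lines are constructed from paths in the report; the CORE_PROCESSES set and the severity buckets are the example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner text report (the 2007-era line format)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# One result per line:
#   "<path> Infected: <detection> skipped"
#   "<path> Object is locked skipped"
#   "<path> ZIP: infected - <n> skipped"
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)|(?P<locked>Object is locked)|ZIP: infected - \d+)"
    r"\s+skipped$"
)

# Core Windows processes that legitimately live only under %SystemRoot%\system32.
# (Assumption of this example; extend for your own baseline.)
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")


def parse_report(lines):
    """Return one dict per result line: path, detection (or None), locked flag."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, statistics and footer lines
        records.append({"path": m.group("path"),
                        "detection": m.group("name"),
                        "locked": bool(m.group("locked"))})
    return records


def severity(detection):
    """Coarse bucket from the Kaspersky name prefix."""
    if detection is None:
        return "none"
    if detection.startswith("Backdoor."):
        return "backdoor"
    if detection.startswith("not-a-virus:"):
        return "riskware"
    return "trojan"


def is_impostor(path):
    """True if a core-process file name sits outside the system32 directory.
    PureWindowsPath compares case-insensitively, as NTFS does."""
    p = PureWindowsPath(path)
    return p.name.lower() in CORE_PROCESSES and p.parent != SYSTEM32


def triage(lines):
    """Counts per bucket, plus the backdoor and impostor paths to act on first."""
    records = parse_report(lines)
    buckets = Counter(severity(r["detection"]) for r in records if r["detection"])
    backdoors = [r["path"] for r in records if severity(r["detection"]) == "backdoor"]
    impostors = [r["path"] for r in records if is_impostor(r["path"])]
    return {"records": len(records), "buckets": dict(buckets),
            "backdoors": backdoors, "impostors": impostors}


# Constructed sample in the shape of the report above (not the full report).
SAMPLE_LINES = [
    r"C:\AccessProtectionLog.txt Object is locked skipped",
    r"C:\Archivos de programa\Rainlendar2\Rainlendar2.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped",
    r"C:\QooBox\Quarantine\catchme2007-08-06_124136.87.zip ZIP: infected - 1 skipped",
    r"C:\WINDOWS\system\DRIVER\csrss.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.gen skipped",
    r"C:\WINDOWS\system\DRIVER\ntauth.dll Infected: Backdoor.IRC.Zapchast skipped",
    r"C:\WINDOWS\system\DRIVER\services.exe Infected: Backdoor.Win32.Iroffer.14b2 skipped",
    r"C:\WINDOWS\system32\igfxtray.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped",
    "Scan process completed.",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(result["buckets"])
    for p in result["backdoors"]:
        print("BACKDOOR", p)
    for p in result["impostors"]:
        print("IMPOSTOR", p)
```

Note that csrss.exe in C:\WINDOWS\system\DRIVER is flagged by the path check even though Kaspersky labels it only "not-a-virus" (a repackaged Serv-U FTP server): the location, not the label, is what makes it hostile.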

charlye28
2007-08-08, 15:21
Thanks for all the information, I surely want to clean it. Should I delete the files directly?

Shaba
2007-08-08, 15:26
Hi

Actually you should delete this entire folder:

C:\WINDOWS\system\DRIVER

Empty this folder:

C:\QooBox\Quarantine\

Empty Recycle Bin

Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. Press 1 and enter. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

charlye28
2007-08-08, 16:33
Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~

Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\EZBUTTON\BAK

2002-12-31 14:00 401,408 CplBCL50.EXE
1 File(s) 401,408 bytes
2 Dir(s) 2,076,377,088 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\ITUNES\BAK

2007-03-14 20:05 257,088 iTunesHelper.exe
1 File(s) 257,088 bytes
2 Dir(s) 2,076,377,088 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\QUICKT~1\BAK

2007-02-16 11:54 282,624 qttask.exe
1 File(s) 282,624 bytes
2 Dir(s) 2,076,372,992 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\RAINLE~1\BAK

2006-10-28 16:22 981,504 Rainlendar2.exe
1 File(s) 981,504 bytes
2 Dir(s) 2,076,372,992 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\WINDOWS\SYSTEM32\BAK

2004-08-20 14:00 15,360 ctfmon.exe
2002-12-31 14:00 126,976 hkcmd.exe
2002-12-31 14:00 155,648 igfxtray.exe
3 File(s) 297,984 bytes
2 Dir(s) 2,076,372,992 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\GOOGLE\GOOGLE~1\BAK

2007-01-01 23:22 3,739,648 googletalk.exe
1 File(s) 3,739,648 bytes
2 Dir(s) 2,076,372,992 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\NETWOR~1\COMMON~1\BAK

2005-12-07 03:55 131,072 UpdaterUI.exe
1 File(s) 131,072 bytes
2 Dir(s) 2,076,372,992 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\NETWOR~1\VIRUSS~1\BAK

0 File(s) 0 bytes
2 Dir(s) 2,076,372,992 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\ADOBE\ACROBA~1.0\READER\BAK

2006-03-30 16:45 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes
2 Dir(s) 2,076,372,992 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\ARCHIV~1\NETWOR~1\TALKBACK\BAK

2003-10-07 10:48 147,514 TBMon.exe
1 File(s) 147,514 bytes
2 Dir(s) 2,076,372,992 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\ARCHIV~1\REAL\UPDATE~1\BAK

2006-08-08 20:24 180,269 realsched.exe
1 File(s) 180,269 bytes
2 Dir(s) 2,076,372,992 bytes free


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

37432 29 Mar 2007 "C:\Archivos de programa\EzButton\CplBCL50.EXE"
401408 31 Dec 2002 "C:\Archivos de programa\EzButton\bak\CplBCL50.EXE"
257088 14 Mar 2007 "C:\Archivos de programa\iTunes\iTunesHelper.exe"
257088 14 Mar 2007 "C:\Archivos de programa\iTunes\bak\iTunesHelper.exe"
102400 30 Mar 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
116288 14 Mar 2007 "C:\Documents and Settings\All Users\Datos de programa\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
282624 16 Feb 2007 "C:\Archivos de programa\QuickTime\bak\qttask.exe"
37432 29 Mar 2007 "C:\Archivos de programa\Rainlendar2\Rainlendar2.exe"
981504 28 Oct 2006 "C:\Archivos de programa\Rainlendar2\bak\Rainlendar2.exe"
15360 20 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 20 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 31 Dec 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
37432 29 Mar 2007 "C:\WINDOWS\system32\igfxtray.exe"
155648 31 Dec 2002 "C:\WINDOWS\system32\bak\igfxtray.exe"
3739648 1 Jan 2007 "C:\Archivos de programa\Google\Google Talk\googletalk.exe"
136120 4 Jan 2007 "C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe"
3739648 1 Jan 2007 "C:\Archivos de programa\Google\Google Talk\bak\googletalk.exe"
1581768 25 Oct 2006 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.100\googletalk-setup-upgrade.exe"
1606064 5 Jan 2007 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
1531784 4 Sep 2006 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.96\googletalk-setup-upgrade.exe"
1572720 6 Oct 2006 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.98\googletalk-setup-upgrade.exe"
37432 29 Mar 2007 "C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe1175202410"
85504 28 Nov 2005 "C:\Program Files\3GP_Converter034\finishing\UpdateiPod(iTunes).exe"
131072 7 Dec 2005 "C:\Archivos de programa\Network Associates\Common Framework\bak\UpdaterUI.exe"
37432 29 Mar 2007 "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 30 Mar 2006 "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
147514 7 Oct 2003 "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"
147514 7 Oct 2003 "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\bak\TBMon.exe"
180269 8 Aug 2006 "C:\Archivos de programa\Archivos comunes\Real\Update_OB\bak\realsched.exe"


end of report

Shaba
2007-08-08, 16:48
Hi

Delete this file:

C:\Archivos de programa\Network Associates\Common Framework\UpdaterUI.exe1175202410

Please open FindAWF again. This time, press the number 2.

Notepad will open. Please copy and paste the following (the text in the Code box) into this Notepad file. Make sure that it goes after the existing line, not before it.


"C:\Archivos de programa\EzButton\bak\CplBCL50.EXE"
"C:\Archivos de programa\Rainlendar2\bak\Rainlendar2.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\SYSTEM\bak\hpsysdrv.exe"
"C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"


Click on File > Save. Do not choose the Save As... option.

FindAWF will now start removing the bad files. When done, a log will be produced. Do not close this log file.

Next, press the number 4. Once done, the tool will return to the main menu.

Press E to close FindAWF.

Please post the FindAWF log file in your reply.
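The report above shows the pattern FindAWF is built around: each legitimate autostart executable (Rainlendar2.exe, igfxtray.exe, AdobeUpdateManager.exe, ...) was moved into a bak\ subfolder and a 37,432-byte file dated 29 Mar 2007 was put in its place, so "option 2" simply copies the parked original back over the impostor. The following is an added example, not FindAWF's code and not part of this thread: it walks a tree, pairs every file under a directory named bak with the sibling in the parent directory, classifies the pair by size and SHA-256, and optionally restores the original. The sample tree it builds is constructed in a temporary directory to mimic the report's layout; file contents and sizes other than the 37,432-byte dropper are invented for the example.

```python
"""Detect and undo the AWF pattern: a legitimate autostart executable is parked
in a 'bak' subfolder and a trojan copy is left in its place."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """Yield (live_path, bak_path) for each file inside any directory named 'bak'.
    live_path is where the original belongs (the bak folder's parent); it may not exist."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name.lower() != "bak":
            continue
        for name in filenames:
            bak = Path(dirpath) / name
            yield bak.parent.parent / name, bak


def classify(live, bak):
    """orphan_bak: original parked but nothing in its place.
    identical:  live file and parked copy match (already restored, or benign).
    replaced:   live file differs from the parked original -> restore candidate."""
    if not live.exists():
        return "orphan_bak"
    if live.stat().st_size == bak.stat().st_size and sha256(live) == sha256(bak):
        return "identical"
    return "replaced"


def scan_awf(root, restore=False):
    """Return {status: [live paths]}. With restore=True, copy each parked original
    back over its replaced live file (delete the bak folder afterwards, as the
    thread does in the next step, only once every pair reads 'identical')."""
    findings = {k: [] for k in ("replaced", "identical", "orphan_bak", "restored")}
    for live, bak in find_bak_pairs(root):
        status = classify(live, bak)
        if status == "replaced" and restore:
            shutil.copy2(bak, live)   # copy, not move: keep bak until verified
            status = "restored"
        findings[status].append(str(live))
    return findings


def names(paths):
    """Sorted base names, for compact reporting."""
    return sorted(os.path.basename(p) for p in paths)


def build_sample_tree():
    """Constructed stand-in for the layout in the FindAWF report above."""
    root = Path(tempfile.mkdtemp(prefix="awf_"))
    dropper = b"MZ" + b"\x90" * (37432 - 2)   # same size as the replacements in the report
    original = b"MZ" + b"A" * 4094             # invented stand-in for the real binary
    # replaced: dropper in place, original parked
    (root / "Rainlendar2" / "bak").mkdir(parents=True)
    (root / "Rainlendar2" / "Rainlendar2.exe").write_bytes(dropper)
    (root / "Rainlendar2" / "bak" / "Rainlendar2.exe").write_bytes(original)
    # identical: live file already matches its bak copy
    (root / "system32" / "bak").mkdir(parents=True)
    (root / "system32" / "ctfmon.exe").write_bytes(b"MZ" + b"c" * 100)
    (root / "system32" / "bak" / "ctfmon.exe").write_bytes(b"MZ" + b"c" * 100)
    # orphan_bak: parked copy with no live sibling (qttask.exe in the report)
    (root / "QuickTime" / "bak").mkdir(parents=True)
    (root / "QuickTime" / "bak" / "qttask.exe").write_bytes(original)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    before = scan_awf(root)
    print("before:", {k: names(v) for k, v in before.items()})
    scan_awf(root, restore=True)
    after = scan_awf(root)
    print("after: ", {k: names(v) for k, v in after.items()})
    shutil.rmtree(root)
```

Restoring by copy rather than move is deliberate: a second scan should report every pair as identical before the bak folders are deleted, which mirrors the order Shaba uses here (restore with option 2, verify with a fresh report, then remove the bak folders with option 3).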

charlye28
2007-08-08, 17:58
Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~

Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\EZBUTTON\BAK

2002-12-31 14:00 401,408 CplBCL50.EXE
1 File(s) 401,408 bytes
2 Dir(s) 2,082,164,736 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\ITUNES\BAK

2007-03-14 20:05 257,088 iTunesHelper.exe
1 File(s) 257,088 bytes
2 Dir(s) 2,082,164,736 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\QUICKT~1\BAK

2007-02-16 11:54 282,624 qttask.exe
1 File(s) 282,624 bytes
2 Dir(s) 2,082,160,640 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\RAINLE~1\BAK

2006-10-28 16:22 981,504 Rainlendar2.exe
1 File(s) 981,504 bytes
2 Dir(s) 2,082,160,640 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\WINDOWS\SYSTEM32\BAK

2004-08-20 14:00 15,360 ctfmon.exe
2002-12-31 14:00 126,976 hkcmd.exe
2002-12-31 14:00 155,648 igfxtray.exe
3 File(s) 297,984 bytes
2 Dir(s) 2,082,160,640 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\GOOGLE\GOOGLE~1\BAK

2007-01-01 23:22 3,739,648 googletalk.exe
1 File(s) 3,739,648 bytes
2 Dir(s) 2,082,160,640 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\NETWOR~1\COMMON~1\BAK

2005-12-07 03:55 131,072 UpdaterUI.exe
1 File(s) 131,072 bytes
2 Dir(s) 2,082,160,640 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\NETWOR~1\VIRUSS~1\BAK

0 File(s) 0 bytes
2 Dir(s) 2,082,160,640 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\ADOBE\ACROBA~1.0\READER\BAK

2006-03-30 16:45 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes
2 Dir(s) 2,082,160,640 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\ARCHIV~1\NETWOR~1\TALKBACK\BAK

2003-10-07 10:48 147,514 TBMon.exe
1 File(s) 147,514 bytes
2 Dir(s) 2,082,160,640 bytes free
Volume in drive C is Programas
Volume Serial Number is B42D-4D23

Directory of C:\ARCHIV~1\ARCHIV~1\REAL\UPDATE~1\BAK

2006-08-08 20:24 180,269 realsched.exe
1 File(s) 180,269 bytes
2 Dir(s) 2,082,160,640 bytes free


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

401408 31 Dec 2002 "C:\Archivos de programa\EzButton\CplBCL50.EXE"
401408 31 Dec 2002 "C:\Archivos de programa\EzButton\bak\CplBCL50.EXE"
257088 14 Mar 2007 "C:\Archivos de programa\iTunes\iTunesHelper.exe"
257088 14 Mar 2007 "C:\Archivos de programa\iTunes\bak\iTunesHelper.exe"
102400 30 Mar 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
116288 14 Mar 2007 "C:\Documents and Settings\All Users\Datos de programa\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
282624 16 Feb 2007 "C:\Archivos de programa\QuickTime\bak\qttask.exe"
981504 28 Oct 2006 "C:\Archivos de programa\Rainlendar2\Rainlendar2.exe"
981504 28 Oct 2006 "C:\Archivos de programa\Rainlendar2\bak\Rainlendar2.exe"
15360 20 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 20 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 31 Dec 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 31 Dec 2002 "C:\WINDOWS\system32\igfxtray.exe"
155648 31 Dec 2002 "C:\WINDOWS\system32\bak\igfxtray.exe"
3739648 1 Jan 2007 "C:\Archivos de programa\Google\Google Talk\googletalk.exe"
136120 4 Jan 2007 "C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe"
3739648 1 Jan 2007 "C:\Archivos de programa\Google\Google Talk\bak\googletalk.exe"
1581768 25 Oct 2006 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.100\googletalk-setup-upgrade.exe"
1606064 5 Jan 2007 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
1531784 4 Sep 2006 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.96\googletalk-setup-upgrade.exe"
1572720 6 Oct 2006 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.98\googletalk-setup-upgrade.exe"
85504 28 Nov 2005 "C:\Program Files\3GP_Converter034\finishing\UpdateiPod(iTunes).exe"
131072 7 Dec 2005 "C:\Archivos de programa\Network Associates\Common Framework\bak\UpdaterUI.exe"
313472 30 Mar 2006 "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 30 Mar 2006 "C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
147514 7 Oct 2003 "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"
147514 7 Oct 2003 "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\bak\TBMon.exe"
180269 8 Aug 2006 "C:\Archivos de programa\Archivos comunes\Real\Update_OB\bak\realsched.exe"


end of report

Shaba
2007-08-08, 18:33
Hi

Please open FindAWF again. This time, press the number 3.

Notepad will open. Please copy and paste the following (the text in the Code box) into this Notepad file. Make sure that it goes after the existing line, not before it.



C:\Archivos de programa\EzButton\bak
C:\Archivos de programa\Rainlendar2\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\SYSTEM\bak
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\bak\


Click on File > Save. Do not choose the Save As... option.

FindAWF will now start removing the bak folders. When done, a log will be produced. Do not close this log file.

Press E to close FindAWF.

Please post the FindAWF log file in your reply.

charlye28
2007-08-08, 19:02
Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~

El volumen de la unidad C es Programas
El n£mero de serie del volumen es: B42D-4D23

Directorio de C:\ARCHIV~1\ITUNES\BAK

2007-03-14 20:05 257,088 iTunesHelper.exe
1 archivos 257,088 bytes
2 dirs 2,087,870,464 bytes libres
El volumen de la unidad C es Programas
El número de serie del volumen es: B42D-4D23

Directorio de C:\ARCHIV~1\QUICKT~1\BAK

2007-02-16 11:54 282,624 qttask.exe
1 archivos 282,624 bytes
2 dirs 2,087,870,464 bytes libres
El volumen de la unidad C es Programas
El número de serie del volumen es: B42D-4D23

Directorio de C:\WINDOWS\SYSTEM32\BAK

2004-08-20 14:00 15,360 ctfmon.exe
2002-12-31 14:00 126,976 hkcmd.exe
2002-12-31 14:00 155,648 igfxtray.exe
3 archivos 297,984 bytes
2 dirs 2,087,866,368 bytes libres
El volumen de la unidad C es Programas
El número de serie del volumen es: B42D-4D23

Directorio de C:\ARCHIV~1\GOOGLE\GOOGLE~1\BAK

2007-01-01 23:22 3,739,648 googletalk.exe
1 archivos 3,739,648 bytes
2 dirs 2,087,866,368 bytes libres
El volumen de la unidad C es Programas
El número de serie del volumen es: B42D-4D23

Directorio de C:\ARCHIV~1\NETWOR~1\COMMON~1\BAK

2005-12-07 03:55 131,072 UpdaterUI.exe
1 archivos 131,072 bytes
2 dirs 2,087,866,368 bytes libres
El volumen de la unidad C es Programas
El número de serie del volumen es: B42D-4D23

Directorio de C:\ARCHIV~1\NETWOR~1\VIRUSS~1\BAK

0 archivos 0 bytes
2 dirs 2,087,866,368 bytes libres
El volumen de la unidad C es Programas
El número de serie del volumen es: B42D-4D23

Directorio de C:\ARCHIV~1\ARCHIV~1\NETWOR~1\TALKBACK\BAK

2003-10-07 10:48 147,514 TBMon.exe
1 archivos 147,514 bytes
2 dirs 2,087,866,368 bytes libres
El volumen de la unidad C es Programas
El número de serie del volumen es: B42D-4D23

Directorio de C:\ARCHIV~1\ARCHIV~1\REAL\UPDATE~1\BAK

2006-08-08 20:24 180,269 realsched.exe
1 archivos 180,269 bytes
2 dirs 2,087,866,368 bytes libres


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

257088 14 Mar 2007 "C:\Archivos de programa\iTunes\iTunesHelper.exe"
257088 14 Mar 2007 "C:\Archivos de programa\iTunes\bak\iTunesHelper.exe"
102400 30 Mar 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
116288 14 Mar 2007 "C:\Documents and Settings\All Users\Datos de programa\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
282624 16 Feb 2007 "C:\Archivos de programa\QuickTime\bak\qttask.exe"
15360 20 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 20 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 31 Dec 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 31 Dec 2002 "C:\WINDOWS\system32\igfxtray.exe"
155648 31 Dec 2002 "C:\WINDOWS\system32\bak\igfxtray.exe"
3739648 1 Jan 2007 "C:\Archivos de programa\Google\Google Talk\googletalk.exe"
136120 4 Jan 2007 "C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe"
3739648 1 Jan 2007 "C:\Archivos de programa\Google\Google Talk\bak\googletalk.exe"
1581768 25 Oct 2006 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.100\googletalk-setup-upgrade.exe"
1606064 5 Jan 2007 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
1531784 4 Sep 2006 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.96\googletalk-setup-upgrade.exe"
1572720 6 Oct 2006 "C:\Archivos de programa\Google\Google Talk\googletalk-1.0.0.98\googletalk-setup-upgrade.exe"
85504 28 Nov 2005 "C:\Program Files\3GP_Converter034\finishing\UpdateiPod(iTunes).exe"
131072 7 Dec 2005 "C:\Archivos de programa\Network Associates\Common Framework\bak\UpdaterUI.exe"
147514 7 Oct 2003 "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\TBMon.exe"
147514 7 Oct 2003 "C:\Archivos de programa\Archivos comunes\Network Associates\TalkBack\bak\TBMon.exe"
180269 8 Aug 2006 "C:\Archivos de programa\Archivos comunes\Real\Update_OB\bak\realsched.exe"


end of report
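
The FindAWF report above pairs every file kept in a bak folder with same-named files found elsewhere on the disk. The following Python example is added here and is not part of FindAWF or of this thread: it parses an excerpt of that "Duplicate files" section and, for each bak copy, checks whether the file at the normal location (one level up) is listed with the same size; the two C:\Constructed\Example lines are made up to show the mismatch case.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt in the format of the FindAWF "Duplicate files" section above.
# Sizes, dates and paths of the real files are copied from the report; the two
# "C:\Constructed\Example" lines are made up to show the size-mismatch case.
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

257088 14 Mar 2007 "C:\Archivos de programa\iTunes\iTunesHelper.exe"
257088 14 Mar 2007 "C:\Archivos de programa\iTunes\bak\iTunesHelper.exe"
282624 16 Feb 2007 "C:\Archivos de programa\QuickTime\bak\qttask.exe"
15360 20 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 20 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 31 Dec 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 31 Dec 2002 "C:\WINDOWS\system32\igfxtray.exe"
155648 31 Dec 2002 "C:\WINDOWS\system32\bak\igfxtray.exe"
54272 2 Aug 2007 "C:\Constructed\Example\tool.exe"
131072 7 Dec 2005 "C:\Constructed\Example\bak\tool.exe"
"""

# One report line: <size> <day> <Mon> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+(\d{1,2} [A-Za-z]{3} \d{4})\s+"(.+)"$')


def parse_duplicates(report: str) -> Dict[str, Tuple[int, str]]:
    """Map each quoted path (lower-cased, since Windows paths are case-insensitive)
    to its (size_in_bytes, date) exactly as printed in the report."""
    entries: Dict[str, Tuple[int, str]] = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(3).lower()] = (int(m.group(1)), m.group(2))
    return entries


def pair_bak_copies(entries: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """For every file preserved in a bak subfolder, look up the same-named file
    one level up (where the program normally lives) and classify it:
      match    - active copy is listed with the same size as the preserved copy
      mismatch - active copy exists but differs in size (not the preserved file)
      missing  - no active copy is listed at all
    Same-named files in unrelated folders (installer caches etc.) are ignored."""
    results: Dict[str, str] = {}
    for path, (bak_size, _date) in entries.items():
        parts = path.split("\\")
        if len(parts) < 3 or parts[-2] != "bak":
            continue
        active = "\\".join(parts[:-2] + parts[-1:])
        if active not in entries:
            results[active] = "missing"
        elif entries[active][0] != bak_size:
            results[active] = "mismatch"
        else:
            results[active] = "match"
    return results


if __name__ == "__main__":
    pairs = pair_bak_copies(parse_duplicates(SAMPLE_REPORT))
    for active_path, status in sorted(pairs.items()):
        print(f"{status:8} {active_path}")
```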

Shaba
2007-08-08, 19:04
Hi

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.exe).
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\01QJ0HQJ\drf1177614159[1].htm
C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\ANSJ3KX4\drf1177552416[1].htm.exe
C:\Documents and Settings\Administrador\Configuración local\Archivos temporales de Internet\Content.IE5\CLYB8LMF\popup_code[1].htm

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder:

C:\!KillBox

Empty Recycle Bin

Re-scan with Kaspersky.

Post:

- a fresh HijackThis log
- Kaspersky report

charlye28
2007-08-09, 08:06
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 09, 2007 8:04:21 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/08/2007
Kaspersky Anti-Virus database records: 377235
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
E:\
T:\
Scan Statistics
Total number of scanned objects 345462
Number of viruses found 9
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 08:36:36

Infected Object Name Virus Name Last Action
C:\AccessProtectionLog.txt Object is locked skipped
C:\Archivos de programa\Network Associates\System Compliance Profiler\PtchScan.log Object is locked skipped
C:\Archivos de programa\Trend Micro\HijackThis\backups\backup-20070807-142948-905.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Ares\Data\TempDl\PBTHash_167885A5B56143EF819BE2DD58899F425367F473.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Ares\Data\TempDl\PBTHash_3705AC98F1EA85E326F9AB3A3CE877B26FD727EE.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Historial\History.IE5\MSHist012007080820070809\index.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Configuración local\Temp\NAILogs\UpdaterUI_MX3500001DC1053.log Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Escritorio\Entre Mujeres [DVDScreener] [www.torrentspain.com].avi\__INCOMPLETE__Entre Mujeres [DVDScreener] [www.torrentspain.com].avi Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\Escritorio\Piratas del caribe - El cofre del hombre muerto [DVDRip] [www.torrentspain.com].avi\__INCOMPLETE__Piratas del caribe - El cofre del hombre muerto [DVDRip] [www.torrentspain.com].avi Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\65555955.GRUPOECI\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Network Associates\Common Framework\Db\Agent_MX3500001DC1053.log Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Network Associates\Common Framework\Db\PrdMgr_MX3500001DC1053.log Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\OnAccessScanLog.txt Object is locked skipped
C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(1016).trc Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP358\A0132074.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP358\A0132093.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP358\A0132300.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP359\A0132348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP359\A0132349.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP360\A0132484.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.gen skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP360\A0132488.dll Infected: Backdoor.IRC.Zapchast skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP360\A0132490.exe Infected: Backdoor.Win32.Iroffer.14b2 skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP360\A0132496.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP360\A0132497.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP360\A0132498.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP360\A0132499.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP360\A0132524.exe Infected: Trojan-Downloader.Win32.Small.eex skipped
C:\System Volume Information\_restore{B8154308-F142-4CB3-B4C3-A78C4ECC29DD}\RP360\change.log Object is locked skipped
C:\Tivoli\lcf\dat\1\lcfd.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\inf\usb.inf Object is locked skipped
C:\WINDOWS\inf\usb.PNF Object is locked skipped
C:\WINDOWS\inf\usbstor.inf Object is locked skipped
C:\WINDOWS\inf\usbstor.PNF Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd4941.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

charlye28
2007-08-09, 08:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:07, on 2007-08-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nutsrv4.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Network Associates\Common Framework\UdaterUI.exe
C:\Archivos de programa\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Ares\Ares.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ieci.geci:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.int;*.geci;128.*;documentum.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Archivos de programa\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Atria\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: VirtuaWin.lnk = C:\Archivos de programa\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://10.228.137.37/projectserver/objects/pjclient.cab
O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://localhost:9090/dco/wdk/native/WdkPluginCab.CAB
O16 - DPF: {89B8153D-C170-41D7-BB4B-CD4D63FE900C} (Pj11esnC Class) - http://10.228.137.37/projectserver/objects/3082/pjcintl.cab
O16 - DPF: {B1B47DEB-76C1-4701-9F19-5671101C3344} (PictureSelect.Selector) - http://www.revelaonline.com/class/RevelaonlinePictureManager.cab
O16 - DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} (AeatCtl Class) - https://www1.aeat.es/imagenes/comun/cactivex.cab
O16 - DPF: {BA2174B0-C012-11DA-A94D-0800200C9A66} (DmDragDrop Class) - http://documentum:1975/dco/wdk/native/WdkPluginCab.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\Software\..\Telephony: DomainName = grupoeci.elcorteingles.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{3787471A-6F44-475F-B1D8-B928E127E071}: NameServer = 192.168.50.170,192.168.50.171
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AC9E483-93DE-45C2-BE3B-733BD13A2191}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA032721-3D92-4450-8B90-A77BAD0D7744}: NameServer = 128.90.0.203,128.90.0.204
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupoeci.elcorteingles.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = geci,eci.geci,ieci.geci
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Archivos de programa\Ares\chatServer.exe
O23 - Service: IBM CICS Universal Client (CICSClient) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\cclserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Servidor de applet JDBC de DB2 (DB2JDS) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: Servidor de seguridad DB2 (DB2NTSECSERVER) - International Business Machines Corporation - C:\Archivos de programa\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: FspadSvc - Unknown owner - C:\Archivos de programa\AVC Finger-sensing Pad Driver\FspadSvr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - IBM Corporation - C:\Archivos de programa\IBM\IBM CICS Transaction Gateway\bin\CTGSERVICE.EXE
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Archivos de programa\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Archivos de programa\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetOp Helper ver. 7.65 (2004342) (NetOp Host for NT Service) - Danware Data A/S - C:\Archivos de programa\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Tomcat 5.0\bin\tomcat5.exe

--
End of file - 7966 bytes

Shaba
2007-08-09, 12:06
Hi

Logs look good.

All viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?

Shaba
2007-08-21, 16:25
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.