Infection in my pc1 help



userintrouble
2007-08-25, 17:19
I have a 2-PC LAN (Windows XP Professional) with a router; both machines seem to be infected.
Both have Avast and Spybot running as resident protection.

PC 2

Scanned with an online antivirus plus the local antivirus. The local one deleted some malware. The online antivirus
cleaned some, but couldn't clean some others. Now I don't have internet unless I boot in safe mode.
In regular mode I don't have internet. If I release and renew the IP, I have it for some seconds, then again
I don't.

Scanned with Spybot in safe mode, found some red items, and fixed them.
Same with Trend anti-spyware.
Avast refuses to scan in safe mode, but in normal mode it is not finding anything.


The Trend online scanner couldn't clean these:

tspy_small
adware_memwatcher
cookie_com
cookie_revsci
troj_generic.A

Kaspersky:

Friday, August 10, 2007 6:06:12 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/08/2007
Kaspersky Anti-Virus database records: 378304


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 48007
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:18:05

Infected Object Name Virus Name Last Action
C:\Archivos de programa\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Archivos de programa\Avast4\DATA\Avast4.db Object is locked skipped
C:\Archivos de programa\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Archivos de programa\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Archivos de programa\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Archivos de programa\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Messenger\onlinehoteles@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Messenger\onlinehoteles@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Messenger\onlinehoteles@hotmail.com\SharingMetadata\Working\database_7274_4406_7443_CC13\dfsr.db Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Messenger\onlinehoteles@hotmail.com\SharingMetadata\Working\database_7274_4406_7443_CC13\fsr.log Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Messenger\onlinehoteles@hotmail.com\SharingMetadata\Working\database_7274_4406_7443_CC13\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Messenger\onlinehoteles@hotmail.com\SharingMetadata\Working\database_7274_4406_7443_CC13\tmp.edb Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Windows Live Contacts\onlinehoteles@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Datos de programa\Microsoft\Windows Live Contacts\onlinehoteles@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Historial\History.IE5\MSHist012007081020070811\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Temp\~DF5541.tmp Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Temp\~DF58FB.tmp Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Temp\~DF9771.tmp Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Temp\~DF9818.tmp Object is locked skipped
C:\Documents and Settings\Usuario\Configuración local\Temp\~DFA970.tmp Object is locked skipped
C:\Documents and Settings\Usuario\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Usuario\Datos de programa\SiteAdvisor\SiteAdv.csh Object is locked skipped
C:\Documents and Settings\Usuario\Mis documentos\Mis archivos recibidos\lcapi0.log Object is locked skipped
C:\Documents and Settings\Usuario\Mis documentos\Mis archivos recibidos\MsnMsgr.txt Object is locked skipped
C:\Documents and Settings\Usuario\Mis documentos\Mis archivos recibidos\Transport0.log Object is locked skipped
C:\Documents and Settings\Usuario\ntuser.dat Object is locked skipped
C:\Documents and Settings\Usuario\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Trabajos\onlinehoteles\excels\venta paquetes estado.xls Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_61c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:15:56 a.m., on 25/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Archivos de programa\Avast4\aswUpdSv.exe
C:\Archivos de programa\Avast4\ashServ.exe
C:\ARCHIV~1\Avast4\ashDisp.exe
C:\Archivos de programa\TrojanHunter 4.7\THGuard.exe
C:\WINDOWS\chcp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Cactus Spam Filter 2.13\cactusspamfilter.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\LckFldService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Archivos de programa\Avast4\ashMaiSv.exe
C:\Archivos de programa\Avast4\ashWebSv.exe
C:\WINDOWS\WinDV.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Outlook Express\msimn.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\WinDV.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Archivos de programa\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Archivos de programa\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Archivos de programa\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Archivos de programa\SiteAdvisor\6028\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Archivos de programa\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [chcp.exe] C:\WINDOWS\chcp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [com.codeode.cactusspamfilter] "C:\Archivos de programa\Cactus Spam Filter 2.13\cactusspamfilter.exe" -minimized
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Guardar Formularios - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Personalizar Menú - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Rellenar Formularios - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RF Barra de Herramientas - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Rellenar Formularios - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Rellenar Formularios - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Guardar - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Guardar Formularios - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Barra de Herramientas - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Archivos de programa\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...103/mcfscan.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Archivos de programa\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Drivers Version - Unknown owner - C:\WINDOWS\WinDV.exe

--
End of file - 7774 bytes


That's PC 2.
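A HijackThis log like the one above is normally read by eye, but the first pass can be done mechanically. The script below is an added example and is not part of the original post, nor a Spybot or Trend Micro tool. Its rules are the author's own review heuristics, and a hit means "look at this file", not "this is malware": the Winlogon Shell value (F2) should contain only Explorer.exe; O4 autorun and O23 service binaries that sit directly in C:\WINDOWS rather than in a subfolder are unusual; O23 services HijackThis labels "Unknown owner" have no vendor in their version info; O9 entries marked "(file missing)" are stale. It also notes whether a flagged path is listed under "Running processes". SAMPLE_LOG is an excerpt of the log posted above, and %WINDIR% is assumed to expand to C:\WINDOWS.

```python
r"""Review heuristics for a HijackThis (HJT) log.

Added example, not part of the original post. Every hit is a review
candidate, not a verdict: the decision still comes from examining the
file. Assumption: %WINDIR% is C:\WINDOWS, as in the log above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

WINDIR = r"c:\windows"  # assumption: %WINDIR% expands to C:\WINDOWS


@dataclass
class Finding:
    section: str   # HJT section tag: "F2", "O4", "O9" or "O23"
    path: str      # lower-cased executable path the entry points at
    reason: str
    severity: str  # "high" or "review"
    running: bool  # the same path is also listed under "Running processes"


# First drive-letter path on a line, up to its first ".exe". Spaces are
# allowed because HJT prints O23 service paths unquoted.
EXE_PATH = re.compile(r'[a-z]:\\[^"\r\n]*?\.exe\b', re.IGNORECASE)


def in_windir_root(path: str) -> bool:
    r"""True for c:\windows\foo.exe, False for anything in a subfolder."""
    prefix = WINDIR + "\\"
    return path.startswith(prefix) and "\\" not in path[len(prefix):]


def running_processes(log: str) -> set[str]:
    """Lower-cased paths listed in the 'Running processes:' block."""
    procs: set[str] = set()
    collecting = False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
        elif collecting:
            if not line.strip():
                break
            procs.add(line.strip().lower())
    return procs


def triage(log: str) -> list[Finding]:
    """Return review candidates, 'high' severity first, otherwise in log order."""
    procs = running_processes(log)
    out: list[Finding] = []

    def add(section: str, path: str, reason: str, severity: str) -> None:
        path = path.lower()
        out.append(Finding(section, path, reason, severity, path in procs))

    for line in log.splitlines():
        tag = line.split(" - ", 1)[0].strip()
        if tag == "F2" and "Shell=" in line:
            # Winlogon's Shell value should be exactly Explorer.exe; any
            # extra token is started at every interactive logon.
            for token in line.split("Shell=", 1)[1].split():
                if token.lower() != "explorer.exe":
                    add("F2", token.lower().replace("%windir%", WINDIR),
                        "extra program appended to the Winlogon Shell value", "high")
        elif tag == "O4":
            m = EXE_PATH.search(line)
            if m and in_windir_root(m.group().lower()):
                add("O4", m.group(), "autorun binary placed directly in the Windows folder", "high")
        elif tag == "O23" and "Unknown owner" in line:
            m = EXE_PATH.search(line)
            if m and in_windir_root(m.group().lower()):
                add("O23", m.group(), "service with no vendor, binary directly in the Windows folder", "high")
            elif m:
                add("O23", m.group(), "service with no identifiable vendor", "review")
        elif tag == "O9" and "(file missing)" in line:
            m = EXE_PATH.search(line)
            if m:
                add("O9", m.group(), "button/menu item points at a file that no longer exists", "review")

    out.sort(key=lambda f: f.severity != "high")  # stable sort: "high" first
    return out


# Constructed sample input: an excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\chcp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\WinDV.exe

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\WinDV.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [chcp.exe] C:\WINDOWS\chcp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: Windows Drivers Version - Unknown owner - C:\WINDOWS\WinDV.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = " (running now)" if f.running else ""
        print(f"[{f.severity:6}] {f.section:3} {f.path}: {f.reason}{flag}")
```

Run it against the full log saved as a text file by replacing SAMPLE_LOG with the file's contents. The rules are deliberately narrow (an exact path check, not a name list) so that a legitimate program with an odd name is not flagged merely for its name, and so that the review order is driven by location and persistence mechanism rather than by what a vendor string claims.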

tashi
2007-09-08, 02:19
Hello and sorry for the wait.

For people waiting who have not resolved their problem, we have a sticky topic:
The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

However, if members waiting for assistance do not post there, their topic is archived after seven days.

If you need the thread re-opened, please send me a private message (pm) and provide a link.