can't get rid of hldrrr.exe, srosa.sys, wintems.exe



abramson
2008-01-08, 20:28
Hi all!

My machine has got an infection with a rootkit, it seems, and I cannot get rid of it. I have followed instructions given by Rorschach112 in a similar thread, but the bad guys keep reappearing. Any help will be appreciated. Thanks in advance.

All my antivirus programs have been removed or deactivated, and cannot be reinstalled. This includes Spybot, AVG, Avast, SpywareDoctor. AVG Anti-Rootkit runs, and detects hldrrr.exe, srosa.sys and wintems.exe. It offers to remove them, but it does not work.

I have tried IceSword, which detects the processes hldrrr.exe and wintems.exe running. I terminated them, and removed the files, but they reappear on reboot. I tried deleting them with MoveOnBoot, to no avail.

Besides the mentioned files, a folder was created at system32\drivers\down, containing .exe files with numbers as filenames. Some of them are also detected by IceSword as running processes, and I also terminated those (and deleted the folder).

IceSword also detects srosa.sys in several entries in its SSDT list, in red, and also iksysflt.sys (which I believe belongs to SpywareDoctor).

It seems that the infection is hidden somewhere in my system, but I cannot find out where.

Other symptoms include:
1. Cannot boot in safe mode. Tried SafeBootKeyRepair.exe, which allows me to boot in safe mode, but after the following normal boot it's broken again.
2. Windows Firewall does not run.
3. System restores do not work.


HijackThis gives the following log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:38 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Util\CBOClean\BOCORE.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\ARCHIV~1\Util\CBOClean\BOC425.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Util\File-Ex 3\FileEx.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\archivos de programa\net\opera\opera.exe
C:\Archivos de programa\Texts\WinEdt\WinEdt.exe
C:\Archivos de programa\Net\Thunderbird\thunderbird.exe
C:\Archivos de programa\Util\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;<local>;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BOC-425] C:\ARCHIV~1\Util\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [TopDesk] C:\Archivos de programa\Util\TopDesk\topdesk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: File-Ex.lnk = C:\Archivos de programa\Util\File-Ex 3\FileEx.exe
O4 - Startup: Rainlendar.lnk = C:\Archivos de programa\Util\Rainlendar\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Archivos de programa\Util\ObjectDock\ObjectDock.exe
O4 - Global Startup: Acceso directo a YzShadow.exe.lnk = C:\Archivos de programa\Util\YzShadow\YzShadow.exe
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191420182250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 10030 bytes

Regards,

Guillermo

Rorschach112
2008-01-08, 22:21
Hello

Delete your version of IceSword.exe and do the following

Do not wrap the reports in quote boxes please

Please download and unzip IceSword (http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip) to its own folder

If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.

Step 2: Click the "Win32 Services" tab and look out for red colored entries in the services list. A red colored service entry indicates that it's rooted. Note the name of this service.

Step 3: Now, click "SSDT" tab and check for red colored entries. If there are any, note the file and folder names.

Now post all of the data collected under the headings

Processes
Win32 Services
SSDT
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

abramson
2008-01-09, 14:19
Hi, Rorschach112. Thanks for the answer. I did as you suggested. Here are the results.

Processes in red: hldrrr.exe
Win32Services in red: none
SSDT in red: srosa.sys, iksysflt.sys, guard.sys (AVG)

IceSword logs follow. IceSword did not allow me to dump a log of the list of SSDT, or copy the list in any other way (?).

DSS logs go in a separate post due to length restriction.

Cheers,

Guillermo

Process:

System Idle Process
System
C:\ARCHIV~1\Util\CBOClean\BOCore.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\WINDOWS\system32\smss.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\Archivos de programa\Util\CBOClean\BOC425.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe

Started Service:

Service Name:AudioSrv Display Name:Audio de Windows
Service Name:BITS Display Name:Servicio de transferencia inteligente en segundo plano
Service Name:BOCore Display Name:BOCore
Service Name:Browser Display Name:Examinador de equipos
Service Name:CryptSvc Display Name:Servicios de cifrado
Service Name:DcomLaunch Display Name:Iniciador de procesos de servidor DCOM
Service Name:Dhcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Administrador de discos lógicos
Service Name:Dnscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Servicio de informe de errores
Service Name:Eventlog Display Name:Registro de sucesos
Service Name:EventSystem Display Name:Sistema de sucesos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidad de cambio rápido de usuario
Service Name:FileZilla Server Display Name:FileZilla Server FTP server
Service Name:gusvc Display Name:Google Updater Service
Service Name:helpsvc Display Name:Ayuda y soporte técnico
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estación de trabajo
Service Name:LmHosts Display Name:Ayuda de NetBIOS sobre TCP/IP
Service Name:Netman Display Name:Conexiones de red
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:Pml Driver HPZ12 Display Name:Pml Driver HPZ12
Service Name:PolicyAgent Display Name:Servicios IPSEC
Service Name:ProtectedStorage Display Name:Almacenamiento protegido
Service Name:RasMan Display Name:Administrador de conexión de acceso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Llamada a procedimiento remoto (RPC)
Service Name:SamSs Display Name:Administrador de cuentas de seguridad
Service Name:Schedule Display Name:Programador de tareas
Service Name:seclogon Display Name:Inicio de sesión secundario
Service Name:SENS Display Name:Notificación de sucesos del sistema
Service Name:ShellHWDetection Display Name:Detección de hardware shell
Service Name:Spooler Display Name:Cola de impresión
Service Name:srservice Display Name:Servicio de restauración de sistema
Service Name:SSDPSRV Display Name:Servicio de descubrimientos SSDP
Service Name:stisvc Display Name:Adquisición de imágenes de Windows (WIA)
Service Name:TapiSrv Display Name:Telefonía
Service Name:TermService Display Name:Servicios de Terminal Server
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de seguimiento de vinculos distribuidos
Service Name:W32Time Display Name:Horario de Windows
Service Name:WebClient Display Name:Cliente Web
Service Name:winmgmt Display Name:Instrumental de administración de Windows

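The reason IceSword paints hldrrr.exe red while HijackThis never lists it is the cross-view principle behind every rootkit detector: the user-mode process API has been hooked (srosa.sys sitting in the SSDT is the hook), while IceSword enumerates from kernel structures, so anything present in the second view but absent from the first is a hidden process. The script below, an added example that is not code from this thread or from the IceSword, HijackThis or DSS tools, does that diff on the two listings posted above and adds two triage passes from the same logs: user-mode executables running out of system32\drivers, and O23 services whose binary is "(file missing)", which is the footprint of the "antivirus was removed and cannot be reinstalled" symptom. The two log excerpts are constructed from the listings in the thread and trimmed to a few lines; the section headings and the O23 line format are taken from the logs as posted.

```python
"""Cross-view check for hidden processes plus two triage passes over a HijackThis
log.  Added example; not code from the thread or from the IceSword, HijackThis or
DSS tools.  The two log excerpts are constructed from the listings in the thread."""
from __future__ import annotations
import re

# Constructed sample: HijackThis process list (API view) plus a few O23 service lines.
HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe

O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)
"""

# Constructed sample: IceSword "Process" listing (kernel view) from the same machine.
ICESWORD_LOG = r"""Process:

System Idle Process
System
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe
"""


def section_paths(log: str, heading: str) -> set[str]:
    """Lower-cased lines after `heading`, up to the first blank line that follows at
    least one entry (both tools end their listing with a blank line; IceSword also
    puts one directly after the heading).  Case-folding makes System32/system32 and
    Explorer.EXE/explorer.exe compare equal; 8.3 names such as ARCHIV~1 are not
    expanded here, so resolve them first when comparing real captures."""
    paths: set[str] = set()
    in_section = False
    for line in log.splitlines():
        stripped = line.strip()
        if stripped == heading:
            in_section = True
        elif in_section and stripped:
            paths.add(stripped.lower())
        elif in_section and paths:
            break
    return paths


def hidden_process_candidates(hjt_log: str, icesword_log: str) -> list[str]:
    """Cross-view diff: what the kernel-level enumerator sees and the API view does not.
    These are the entries IceSword shows in red.  Path-less pseudo-processes ('System',
    'System Idle Process') are skipped because HijackThis never lists them."""
    visible = section_paths(hjt_log, "Running processes:")
    low_level = section_paths(icesword_log, "Process:")
    return sorted(p for p in low_level - visible if "\\" in p)


def processes_in_driver_dir(icesword_log: str) -> list[str]:
    """User-mode .exe files running from system32\\drivers, a directory that holds
    kernel .sys drivers and no legitimate programs."""
    return sorted(p for p in section_paths(icesword_log, "Process:")
                  if "\\system32\\drivers\\" in p and p.endswith(".exe"))


# O23 line: "O23 - Service: <display name> - <owner> - <path>[ (file missing)]".
# The lazy groups assume neither the display name nor the owner contains " - ".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def services_with_missing_binary(hjt_log: str) -> list[tuple[str, str]]:
    """Registered services whose executable is gone, e.g. security products that
    malware deleted from disk while leaving the service registration behind."""
    found = []
    for line in hjt_log.splitlines():
        m = O23_RE.match(line.strip())
        if m and m.group("missing"):
            found.append((m.group("name"), m.group("path")))
    return found


if __name__ == "__main__":
    print("Hidden process candidates:", hidden_process_candidates(HJT_LOG, ICESWORD_LOG))
    print("Executables under system32\\drivers:", processes_in_driver_dir(ICESWORD_LOG))
    print("Services with missing binary:", services_with_missing_binary(HJT_LOG))
```

Two caveats when applying this to real captures rather than the constructed excerpts: the two views must be taken back to back (the thread's HijackThis and IceSword listings were hours apart, so ordinary programs started or closed in between would show up as false positives), and short 8.3 paths have to be expanded before the set difference, otherwise C:\ARCHIV~1\... and C:\Archivos de programa\... count as different processes.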
abramson
2008-01-09, 14:22
DSS Main log follows. Guillermo.

Deckard's System Scanner v20071014.68
Run by Abramson on 2008-01-09 10:07:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Abramson.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:47 AM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Util\CBOClean\BOCORE.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Abramson\Escritorio\dss.exe
C:\ARCHIV~1\Util\HIJACK~1\Abramson.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;<local>;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BOC-425] C:\ARCHIV~1\Util\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191420182250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 9381 bytes

-- Files created between 2007-12-09 and 2008-01-09 -----------------------------

2008-01-08 15:15:06 0 d-------- C:\WINDOWS\ERUNT
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\GiPo@Utilities
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
2008-01-08 14:01:32 0 d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 11:34:05 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2008-01-08 11:34:04 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
2007-12-27 15:58:08 6 --a------ C:\WINDOWS\ls.bat
2007-12-27 15:23:37 0 d-------- C:\Archivos de programa\Nero
2007-12-18 17:16:05 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10:27 0 d--h----- C:\WINDOWS\PIF
2007-12-14 15:51:37 0 d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50:16 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50:15 0 d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50:29 0 d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37:45 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-01-09 09:36:18 0 d-------- C:\Archivos de programa\Spyware Doctor
2008-01-09 09:33:23 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 16:15:09 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-08 15:54:29 0 d-------- C:\Archivos de programa\Util
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes
2008-01-08 11:03:04 0 d-------- C:\Archivos de programa\Image
2008-01-08 10:46:05 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-07 14:15:40 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Adobe
2008-01-03 10:40:13 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-02 09:35:17 498418 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-01-02 09:35:17 89006 --a------ C:\WINDOWS\system32\perfc00A.dat
2007-12-28 16:03:14 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-28 16:02:39 0 d-------- C:\Archivos de programa\Net
2007-12-27 10:45:50 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 16:28:20 0 d-------- C:\Archivos de programa\video
2007-12-26 12:01:30 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\XnView
2007-12-18 18:32:16 0 d-------- C:\Archivos de programa\Sci
2007-12-18 17:17:12 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:03:55 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 14:50:33 0 d-------- C:\Archivos de programa\Texts
2007-12-14 13:50:25 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2007-12-12 18:19:35 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Real
2007-12-07 17:24:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Google
2007-11-28 10:14:29 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 10:51:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 11:34:15 0 d-------- C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 17:34:16 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 17:29:46 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-16 14:57:16 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2007-11-16 14:57:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-15 18:25:58 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Macromedia
2007-11-15 18:12:59 0 d-------- C:\Archivos de programa\Britannica
2007-11-13 11:06:00 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-12 16:05:30 0 d-------- C:\Archivos de programa\MSECache
2007-11-12 12:44:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\COWON
2007-10-15 14:23:34 2199552 --a------ C:\WINDOWS\system32\PdfDll32.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS(r) DLL for Windows>
2007-10-15 14:23:34 65536 --a------ C:\WINDOWS\system32\ltserial.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 02:07 AM]
"nwiz"="nwiz.exe" [09/17/2007 02:07 AM C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [06/15/2007 02:03 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [06/15/2007 02:03 AM C:\WINDOWS\Alcmtr.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [11/02/2007 11:55 AM]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"NvMediaCenter"="NvMCTray.dll" [09/17/2007 02:07 AM C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [02/27/2007 12:55 PM]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]
"BOC-425"="C:\ARCHIV~1\Util\CBOClean\BOC425.exe" [08/08/2007 07:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/02/2006 10:00 AM]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe" [01/19/2007 01:55 PM]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [06/10/2005 08:05 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12




-- End of Deckard's System Scanner: finished at 2008-01-09 10:08:02 ------------

abramson
2008-01-09, 14:29
DSS did not open an "extra" report (it's also not in c:\Deckard\System Scanner\, where only main.txt is to be found).

Guillermo

Rorschach112
2008-01-09, 14:34
Hello Guillermo

We will have you fixed in no time, I just need you to do something important first.

Can you run IceSword.exe again and take a screenshot of the following areas for me? Make sure IceSword is full screen and you have nothing in the way.

Can you go into the Process function, and make sure these files are visible in the screenshot:

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe


Then can you go into the SSDT function and make sure these files are visible in another screenshot:

srosa.sys
iksysflt.sys
guard.sys (AVG)


Then can you host the screenshots on this site, or whatever one you want, for me to download from:

http://www.mediafire.com/


Let me know if you have any problems. We can fix this problem today once you do the above.

abramson
2008-01-09, 15:52
Hi, Rorschach112. Thanks. Here are the snapshots:

Processes:
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-processes.jpg

SSDT:
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt1.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt2.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt3.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt4.jpg

Guillermo

abramson
2008-01-09, 16:32
I have been browsing the folders that seem to contain the problematic files, and in c:\WINDOWS\system32\drivers\ I found srosa.sy_ created yesterday (01/08), last modified today, 108,928 bytes, same size as srosa.sys.

Perhaps this is important, perhaps this is from where the virus kept reappearing, so I wanted to let you know.

Guillermo

Rorschach112
2008-01-09, 16:47
Thank you very much for doing that Guillermo

Let us remove the infection now. Do all these steps in the one go and do not reboot your PC until I tell you to.



Run IceSword.exe

Step 1: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the following processes one by one, and choose "Terminate Process". This will kill the rooted processes.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe


Step 2: Now, we have to delete the rooted files. Click "File" tab in IceSword. This will display the Windows Explorer type interface. Navigate to the following and delete the file(s) in bold.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Windows\System32\drivers\srosa.sys
C:\WINDOWS\ls.bat



1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post new IceSword logs from Processes, Win32 Services, and SSDT, along with a new DSS log, and tell me how all that went and if you had any problems.

abramson
2008-01-09, 17:24
Hi. Partial success, as you will see. I did what you said (and also deleted the srosa.sy_). Wintems.exe is gone from the Processes, but hldrrr.exe is there, as is srosa.sys in the SSDT list.

C:\WINDOWS\ls.bat is a script of my own, that runs dir /w when I mistakenly type ls on a console... I deleted it anyway, for you to be sure.

Here are the logs:

Process:

System Idle Process
System
C:\ARCHIV~1\Util\CBOClean\BOCore.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe

Started Service:

Service Name:AudioSrv Display Name:Audio de Windows
Service Name:BITS Display Name:Servicio de transferencia inteligente en segundo plano
Service Name:BOCore Display Name:BOCore
Service Name:Browser Display Name:Examinador de equipos
Service Name:CryptSvc Display Name:Servicios de cifrado
Service Name:DcomLaunch Display Name:Iniciador de procesos de servidor DCOM
Service Name:Dhcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Administrador de discos lógicos
Service Name:Dnscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Servicio de informe de errores
Service Name:Eventlog Display Name:Registro de sucesos
Service Name:EventSystem Display Name:Sistema de sucesos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidad de cambio rápido de usuario
Service Name:FileZilla Server Display Name:FileZilla Server FTP server
Service Name:gusvc Display Name:Google Updater Service
Service Name:helpsvc Display Name:Ayuda y soporte técnico
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estación de trabajo
Service Name:LmHosts Display Name:Ayuda de NetBIOS sobre TCP/IP
Service Name:Netman Display Name:Conexiones de red
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:Pml Driver HPZ12 Display Name:Pml Driver HPZ12
Service Name:PolicyAgent Display Name:Servicios IPSEC
Service Name:ProtectedStorage Display Name:Almacenamiento protegido
Service Name:RasMan Display Name:Administrador de conexión de acceso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Llamada a procedimiento remoto (RPC)
Service Name:SamSs Display Name:Administrador de cuentas de seguridad
Service Name:Schedule Display Name:Programador de tareas
Service Name:seclogon Display Name:Inicio de sesión secundario
Service Name:SENS Display Name:Notificación de sucesos del sistema
Service Name:ShellHWDetection Display Name:Detección de hardware shell
Service Name:Spooler Display Name:Cola de impresión
Service Name:srservice Display Name:Servicio de restauración de sistema
Service Name:SSDPSRV Display Name:Servicio de descubrimientos SSDP
Service Name:stisvc Display Name:Adquisición de imágenes de Windows (WIA)
Service Name:TapiSrv Display Name:Telefonía
Service Name:TermService Display Name:Servicios de Terminal Server
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de seguimiento de vinculos distribuidos
Service Name:W32Time Display Name:Horario de Windows
Service Name:WebClient Display Name:Cliente Web
Service Name:winmgmt Display Name:Instrumental de administración de Windows


SSDT (images, still cannot dump logs):
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt1.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt2.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt3.jpg
http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt4.jpg

DSS in following post.

abramson
2008-01-09, 17:25
DSS Main.txt:

Deckard's System Scanner v20071014.68
Run by Abramson on 2008-01-09 13:13:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Abramson.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:36 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Util\CBOClean\BOCORE.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Abramson\Escritorio\dss.exe
C:\ARCHIV~1\Util\HIJACK~1\Abramson.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;<local>;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191420182250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Archivos de programa\Util\CBOClean\BOCORE.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 9136 bytes

-- Files created between 2007-12-09 and 2008-01-09 -----------------------------

2008-01-08 15:15:06 0 d-------- C:\WINDOWS\ERUNT
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\GiPo@Utilities
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
2008-01-08 14:01:32 0 d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 11:34:05 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2008-01-08 11:34:04 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
2007-12-27 15:58:08 6 --a------ C:\WINDOWS\ls.bat
2007-12-27 15:23:37 0 d-------- C:\Archivos de programa\Nero
2007-12-18 17:16:05 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10:27 0 d--h----- C:\WINDOWS\PIF
2007-12-14 15:51:37 0 d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50:16 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50:15 0 d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50:29 0 d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37:45 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-01-09 13:13:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\XnView
2008-01-09 12:57:30 0 d-------- C:\Archivos de programa\Spyware Doctor
2008-01-09 12:10:35 0 d-------- C:\Archivos de programa\Astro
2008-01-09 12:07:01 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-09 09:33:23 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 15:54:29 0 d-------- C:\Archivos de programa\Util
2008-01-08 14:36:08 0 d-------- C:\Archivos de programa\Archivos comunes
2008-01-08 11:03:04 0 d-------- C:\Archivos de programa\Image
2008-01-08 10:46:05 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-07 14:15:40 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Adobe
2008-01-03 10:40:13 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-02 09:35:17 498418 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-01-02 09:35:17 89006 --a------ C:\WINDOWS\system32\perfc00A.dat
2007-12-28 16:03:14 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-28 16:02:39 0 d-------- C:\Archivos de programa\Net
2007-12-27 10:45:50 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 16:28:20 0 d-------- C:\Archivos de programa\video
2007-12-18 18:32:16 0 d-------- C:\Archivos de programa\Sci
2007-12-18 17:17:12 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:03:55 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 14:50:33 0 d-------- C:\Archivos de programa\Texts
2007-12-14 13:50:25 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2007-12-12 18:19:35 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Real
2007-12-07 17:24:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Google
2007-11-28 10:14:29 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 10:51:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 11:34:15 0 d-------- C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 17:34:16 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 17:29:46 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-16 14:57:16 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2007-11-16 14:57:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-15 18:25:58 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Macromedia
2007-11-15 18:12:59 0 d-------- C:\Archivos de programa\Britannica
2007-11-13 11:06:00 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-12 16:05:30 0 d-------- C:\Archivos de programa\MSECache
2007-11-12 12:44:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\COWON
2007-10-15 14:23:34 2199552 --a------ C:\WINDOWS\system32\PdfDll32.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS(r) DLL for Windows>
2007-10-15 14:23:34 65536 --a------ C:\WINDOWS\system32\ltserial.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 02:07 AM]
"nwiz"="nwiz.exe" [09/17/2007 02:07 AM C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [06/15/2007 02:03 AM C:\WINDOWS\RTHDCPL.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [11/02/2007 11:55 AM]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"NvMediaCenter"="NvMCTray.dll" [09/17/2007 02:07 AM C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [02/27/2007 12:55 PM]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/02/2006 10:00 AM]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [06/10/2005 08:05 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12




-- End of Deckard's System Scanner: finished at 2008-01-09 13:13:54 ------------
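The DSS "Files created" section above is the part of the report worth reading first in a case like this: the timestamps show a directory and an executable appearing under system32\drivers on the same days the symptoms started. As an added example (not code from the thread or from Deckard's System Scanner), here is a small parser for that line layout plus a triage pass over the parsed entries. The sample lines are constructed here in the DSS format; the hldrrr.exe line is an illustration modelled on the thread, not copied from a report. The triage rules are heuristics chosen for this example: a user-mode .exe inside the kernel driver directory, a new directory under that directory, and a PE file under the Windows directory that carries no version information. They mark entries for review, not as confirmed malware.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of DSS's "Files created" section.
# Modelled on the thread's entries; not copied from any report.
SAMPLE_DSS_LINES = """\
2008-01-09 13:49:00 533734 --------- C:\\WINDOWS\\system32\\drivers\\hldrrr.exe
2008-01-08 15:15:06 0 d-------- C:\\WINDOWS\\ERUNT
2008-01-08 14:01:32 0 d-------- C:\\WINDOWS\\system32\\drivers\\down
2008-01-08 11:34:05 235008 --a------ C:\\WINDOWS\\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2007-12-27 15:58:08 6 --a------ C:\\WINDOWS\\ls.bat
2007-12-18 17:16:05 151552 --a------ C:\\WINDOWS\\system32\\nvRegDev.dll
2007-12-18 11:53:16 0 d--h----- C:\\WINDOWS\\system32\\GroupPolicy
"""

# <timestamp> <size> <9 attribute flags> <path> [<version info in angle brackets>]
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{9}) (?P<path>.+?)(?: <(?P<info>[^>]*)>)?$"
)


@dataclass
class DssEntry:
    timestamp: str
    size: int
    attrs: str           # e.g. "d--h-----": directory, hidden
    path: str
    info: Optional[str]  # "Not Verified; Company; Description" text, if present

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def ext(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_dss(text: str) -> List[DssEntry]:
    """Parse the 'Files created' / 'Find3M' line layout; skips lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            entries.append(DssEntry(m["ts"], int(m["size"]), m["attrs"], m["path"], m["info"]))
    return entries


PE_EXTS = {"exe", "sys", "dll"}
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
WINDIR = "c:\\windows\\"


def triage(entries: List[DssEntry]) -> List[Tuple[str, str, str]]:
    """Return (path, severity, reason) for entries worth a closer look (heuristic, assumed rules)."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if not e.is_dir and p.startswith(DRIVERS_DIR) and e.ext == "exe":
            findings.append((e.path, "high", "user-mode .exe inside the kernel driver directory"))
        elif e.is_dir and p.startswith(DRIVERS_DIR):
            findings.append((e.path, "medium", "new directory under the driver directory"))
        elif not e.is_dir and p.startswith(WINDIR) and e.ext in PE_EXTS and e.info is None:
            findings.append((e.path, "medium", "PE file under the Windows directory with no version information"))
    return findings


if __name__ == "__main__":
    for path, severity, reason in triage(parse_dss(SAMPLE_DSS_LINES)):
        print(f"[{severity}] {path}: {reason}")
```

The third rule is deliberately limited to .exe/.sys/.dll: batch files and other scripts never carry version information, so including them would flag harmless entries such as the user's own ls.bat. A legitimate unsigned vendor DLL will still come up as "medium", which is the intended behaviour for a review list.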

abramson
2008-01-09, 17:29
Rorschach112, bad news: wintems.exe reappeared. I re-ran IS after posting, and there it was, grrrr!:

Process:

System Idle Process
System
C:\ARCHIV~1\Util\CBOClean\BOCore.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe
C:\Archivos de programa\Net\Opera\Opera.exe
C:\Archivos de programa\Util\Total Commander 7\TOTALCMD.EXE

Rorschach112
2008-01-09, 17:38
Don't worry we will get rid of it

Run IceSword.exe

Step 1: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the following red colored processes one by one, and choose "Terminate Process". This will kill the rooted processes.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe


Step 2: Now, we have to delete the rooted files. Click "File" tab in IceSword. This will display the Windows Explorer type interface. Navigate to the following and delete the file(s) in bold.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Windows\System32\drivers\srosa.sys




Please download OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\Windows\System32\drivers\srosa.sys


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.




Reboot and post a new IceSword log and the OTMoveIt results. No need for any more screenshots yet.

abramson
2008-01-09, 18:03
OK, I did as said: terminated processes, deleted files in IS, tried to delete files in MoveIt. After pressing MoveIt! I received an error box saying:


Cannot create file C:\_OTMoveit\MovedFiles\01092008_134803.log

And the Results pane of MoveIt reads:


File/Folder C:\WINDOWS\system32\drivers\hldrrr.exe not found.
File/Folder C:\WINDOWS\system32\wintems.exe not found.
File/Folder C:\Windows\System32\drivers\srosa.sys not found.

Created on 01/09/2008 13:48:03

Still, IS Process shows some infection after reboot:

Process:

System Idle Process
System
C:\ARCHIV~1\Util\CBOClean\BOCore.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Net\Opera\Opera.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe


Note that wintems.exe is not there, again. This time, the file wintems.exe is not to be found in system32. The folder system32\drivers\down still keeps receiving new exe's. I'm stopping hldrrr.exe after posting. srosa.sys is still there, as is hldrrr.exe.

Guillermo
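The post above shows the classic rootkit signature: IceSword, which reads kernel structures directly, lists hldrrr.exe as a running process and shows the files on disk, while OTMoveIt, which goes through the ordinary Win32 file API, reports the same paths as "not found". Comparing two views of the same system is exactly how anti-rootkit tools find hidden objects. As an added example (not code from the thread, from IceSword or from OTMoveIt), the script below does that comparison over listings embedded inline: a cross-view diff of two process lists, a check of an OTMoveIt-style results pane against what the kernel-level file view showed, and a location check for executables running out of the driver directory. All listings are constructed here in the tools' layouts, modelled on the thread's output; the "API view" process list is an assumption of what user-mode enumeration would return if the two entries were being filtered out.

```python
import re
from typing import Dict, List, Set

# Constructed listing in the layout of IceSword's Process view (assembled here,
# following the paths discussed in the thread).
ICESWORD_PROCESSES = """\
System Idle Process
System
C:\\WINDOWS\\system32\\smss.exe
C:\\WINDOWS\\system32\\csrss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\explorer.exe
C:\\WINDOWS\\system32\\drivers\\hldrrr.exe
C:\\WINDOWS\\system32\\wintems.exe
C:\\Archivos de programa\\Util\\IceSword\\IceSword.exe
"""

# Constructed: the same moment as enumerated through the ordinary Win32 API
# (what Task Manager or a user-mode tool would see). Assumed to lack the two
# entries a rootkit filters out of user-mode enumeration.
API_PROCESSES = """\
System Idle Process
System
C:\\WINDOWS\\system32\\smss.exe
C:\\WINDOWS\\system32\\csrss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\explorer.exe
C:\\Archivos de programa\\Util\\IceSword\\IceSword.exe
"""

# Constructed OTMoveIt-style results pane, modelled on the lines quoted in the thread.
OTMOVEIT_RESULTS = """\
File/Folder C:\\WINDOWS\\system32\\drivers\\hldrrr.exe not found.
File/Folder C:\\WINDOWS\\system32\\wintems.exe not found.
File/Folder C:\\Windows\\System32\\drivers\\srosa.sys not found.
"""

# Constructed: paths the kernel-level file view (IceSword's "File" tab) did show.
# wintems.exe is deliberately absent, as in the post above, so its "not found"
# is agreement between the views rather than evidence of hiding.
KERNEL_VIEW_FILES = [
    "C:\\WINDOWS\\system32\\drivers\\hldrrr.exe",
    "C:\\WINDOWS\\system32\\drivers\\srosa.sys",
]


def norm(path: str) -> str:
    """Case-fold a Windows path so entries from different tools compare equal."""
    return path.strip().lower()


def parse_listing(text: str) -> List[str]:
    return [norm(line) for line in text.splitlines() if line.strip()]


def cross_view_diff(kernel_view: List[str], api_view: List[str]) -> Set[str]:
    """Objects the kernel-level tool saw that user-mode enumeration did not."""
    return set(kernel_view) - set(api_view)


_NOT_FOUND_RE = re.compile(r"^File/Folder (?P<path>.+) not found\.$")


def parse_otmoveit(text: str) -> Dict[str, str]:
    """Map each path in an OTMoveIt results pane to its status (only 'not found' is parsed)."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = _NOT_FOUND_RE.match(line.strip())
        if m:
            results[norm(m["path"])] = "not found"
    return results


def hidden_from_api(kernel_view_files: List[str], otmoveit: Dict[str, str]) -> List[str]:
    """Files the kernel-level view showed but the API-based tool could not find."""
    kernel = {norm(p) for p in kernel_view_files}
    return sorted(p for p, status in otmoveit.items() if status == "not found" and p in kernel)


DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


def exe_in_driver_dir(processes: List[str]) -> List[str]:
    """Running .exe images located in the kernel driver directory (heuristic)."""
    return sorted(p for p in processes if p.startswith(DRIVERS_DIR) and p.endswith(".exe"))


if __name__ == "__main__":
    kernel, api = parse_listing(ICESWORD_PROCESSES), parse_listing(API_PROCESSES)
    print("processes hidden from user mode:", sorted(cross_view_diff(kernel, api)))
    print("files hidden from the file API:", hidden_from_api(KERNEL_VIEW_FILES, parse_otmoveit(OTMOVEIT_RESULTS)))
    print("executables running from the driver directory:", exe_in_driver_dir(kernel))
```

The useful property of the cross-view diff is that it needs no signature: anything present in the lower-level view and absent from the higher-level one is a discrepancy worth explaining, whatever its name. The file check keeps the two kinds of "not found" apart, which matters here because wintems.exe was genuinely gone from disk while hldrrr.exe and srosa.sys were present but concealed.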

Rorschach112
2008-01-09, 18:05
It seems something is holding it in place. Let's try a different method.

Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

abramson
2008-01-09, 18:41
OK, here's the ComboFix log (byproduct: my default browser was reset to Internet Explorer from Opera, and an IE icon appeared on the desktop):

ComboFix 08-01-09.2 - Abramson 2008-01-09 14:13:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.1612 [GMT -2:00]
Se ejecuta desde: C:\Documents and Settings\Abramson\Escritorio\ComboFix.exe
* Creado un nuevo punto de restauración
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa


(((((((((((((((((( Archivos creados desde 2007-12-09 - 2008-01-09 )))))))))))))))))))))))))))))))))
.

2008-01-09 14:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 13:49 . 2005-06-10 08:05 533,734 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
2008-01-09 10:25 . 2008-01-09 10:25 <DIR> d-------- C:\Deckard
2008-01-08 15:15 . 2008-01-08 15:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\GiPo@Utilities
2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
2008-01-08 14:20 . 2007-01-18 10:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-08 14:01 . 2008-01-09 14:11 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 11:34 . 2007-08-08 20:02 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2008-01-08 11:34 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-01-08 11:34 . 2006-03-02 10:00 25,600 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-01-04 11:03 . 2008-01-04 11:03 49 --a------ C:\WINDOWS\fsplugin.ini
2008-01-03 14:37 . 2007-10-22 07:10 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-03 14:37 . 2007-10-22 07:10 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-03 14:37 . 2008-01-03 14:37 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-01-03 10:40 . 2008-01-03 10:40 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-03 10:11 . 2008-01-08 13:27 21,712 ---h----- C:\treeinfo.wc
2007-12-28 16:03 . 2007-12-28 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-27 15:23 . 2007-12-27 15:41 <DIR> d-------- C:\Archivos de programa\Nero
2007-12-27 10:45 . 2007-12-27 10:45 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 18:38 . 2008-01-02 10:55 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-18 17:16 . 2007-12-18 17:15 151,552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53 . 2007-12-18 11:53 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10 . 2007-12-14 16:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-14 16:03 . 2007-12-14 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 15:51 . 2007-12-14 15:51 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50 . 2007-12-27 15:25 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50 . 2007-12-27 15:23 <DIR> d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50 . 2007-12-14 13:50 <DIR> d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37 . 2007-12-14 13:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09 . 2007-12-12 18:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 16:04 --------- d-----w C:\Archivos de programa\Spyware Doctor
2008-01-09 15:13 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\XnView
2008-01-09 14:10 --------- d-----w C:\Archivos de programa\Astro
2008-01-09 14:07 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-09 13:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Google Updater
2008-01-09 11:33 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 17:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Spybot - Search & Destroy
2008-01-08 17:54 --------- d-----w C:\Archivos de programa\Util
2008-01-08 13:03 --------- d-----w C:\Archivos de programa\Image
2008-01-08 12:46 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-08 11:51 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\TEMP
2007-12-28 18:02 --------- d-----w C:\Archivos de programa\Net
2007-12-26 18:28 --------- d-----w C:\Archivos de programa\video
2007-12-19 02:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\avg7
2007-12-18 20:32 --------- d-----w C:\Archivos de programa\Sci
2007-12-18 19:17 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:50 --------- d-----w C:\Archivos de programa\Texts
2007-12-14 15:50 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-28 12:14 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 12:51 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 13:34 --------- d-----w C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 19:34 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 19:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Adobe Systems
2007-11-21 19:29 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-19 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\nView_Profiles
2007-11-16 16:57 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-16 16:57 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-15 20:12 --------- d-----w C:\Archivos de programa\Britannica
2007-11-13 13:06 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 18:05 --------- d-----w C:\Archivos de programa\MSECache
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\COWON
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 10:00 15360]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [2005-06-10 08:05 533734]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-15 02:03 16132608 C:\WINDOWS\RTHDCPL.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55 29744]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NvMediaCenter"="NvMCTray.dll" [2007-09-17 02:07 81920 C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [2007-02-27 12:55 937984]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 10:00 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

La clave del Registro SafeBoot necesita reparacion. Esta maquina no puede reiniciar en modo a prueba de fallos (modo seguro).

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Archivos de programa\Util\CBOClean\BOCDRIVE.sys []
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55]
S4 Fix-It Task Manager;Fix-It Task Manager;C:\ARCHIV~1\Util\Fix-It\mxtask.exe [2007-01-29 17:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
Contenido de carpeta 'Tareas Programadas'
"2008-01-03 15:16:05 C:\WINDOWS\Tasks\Backup de Biblioteca.job"
- C:\Home\Abramson\Backup\biblioteca.bat
"2008-01-04 15:02:16 C:\WINDOWS\Tasks\Backup de Email.job"
- C:\Home\Abramson\Backup\email.bat
"2008-01-09 15:00:48 C:\WINDOWS\Tasks\Backup de Home.job"
- C:\Home\Abramson\Backup\backup.bat
"2007-12-06 19:59:34 C:\WINDOWS\Tasks\SyncToy Abramson en CABFST21.job"
- C:\Archivos de programa\Util\SyncToy 2.0 Beta\SyncToyCmd.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 14:19:19
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-01-09 14:22:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 16:22:37
.
2007-12-12 12:15:57 --- E O F ---

Guillermo
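The Run-key block in the log above is the persistence the follow-up CFScript removes (the "german.exe" value that launches wintems.exe). As an added triage helper, not part of the thread, of ComboFix, or of any tool named here, the Python below parses that block out of a ComboFix log and flags three things that are visible in this log: an entry whose file ComboFix could not find ("[ ]", as for wintems.exe, which it had just deleted, and the uninstalled AVG), a value name that does not match the executable it launches ("german.exe" pointing at wintems.exe), and an executable living under system32\drivers, where hldrrr.exe was found. The sample log is constructed from the entries above; the list of suspicious directories is a heuristic chosen for this example.

```python
"""Triage helper for the Run-key section of a ComboFix log.

Added example: not part of the forum thread or of ComboFix. It parses the
REGEDIT4-style autostart block ComboFix prints and flags entries that look
like the persistence seen in the thread.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, modelled on the Run entries in the posted log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 10:00 15360]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [2005-06-10 08:05 533734]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [ ]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]\s*$')

# Directories where a legitimate Run-key executable is not expected.
# Heuristic chosen for this example (hldrrr.exe sat in system32\drivers).
SUSPICIOUS_DIRS = (r"\system32\drivers", r"\temp", r"\local settings\temp")


@dataclass
class Finding:
    key: str
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def _resolve_target(value: str, stamp: str) -> str:
    """Return the full path for the entry.

    When the value is a bare file name, ComboFix appends the resolved path
    inside the bracketed stamp, e.g. "[date time size C:\\...\\nwiz.exe]".
    """
    m = re.search(r"([A-Za-z]:\\.*)$", stamp)
    return m.group(1).strip() if m else value


def classify(key: str, name: str, target: str, stamp: str) -> List[str]:
    """Return the reasons an entry deserves a second look (empty if none)."""
    reasons: List[str] = []
    # An empty stamp "[ ]" means ComboFix found no file at that path.
    if not stamp.strip():
        reasons.append("file not found at scan time")
    base = ntpath.basename(target).lower()
    # A value name that claims one executable but launches another.
    if name.lower().endswith(".exe") and base != name.lower():
        reasons.append(f"value name {name!r} does not match target {base!r}")
    directory = ntpath.dirname(target).lower()
    if base.endswith(".exe") and any(directory.endswith(d) for d in SUSPICIOUS_DIRS):
        reasons.append(f"executable in unusual directory {directory!r}")
    return reasons


def parse_run_entries(log_text: str) -> List[Finding]:
    """Extract every entry under a ...\\CurrentVersion\\Run key."""
    entries: List[Finding] = []
    current_key = ""
    for line in log_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if not current_key.lower().endswith(r"\currentversion\run"):
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        name, value, stamp = entry.groups()
        target = _resolve_target(value, stamp)
        entries.append(Finding(current_key, name, target,
                               classify(current_key, name, target, stamp)))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Only the entries that were flagged, in log order."""
    return [f for f in parse_run_entries(log_text) if f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.key}\n  {f.name} -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample the helper reports exactly the two entries a responder would want to look at: "german.exe" (file missing and name/target mismatch) and "AVG7_Run" (file missing, consistent with the user's report that AVG had been removed). Running it over a full ComboFix.txt works the same way, since only keys ending in \CurrentVersion\Run are considered.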

abramson
2008-01-09, 18:49
I checked again with IceSword after last post. No hldrrr.exe nor wintems.exe processes, no srosa.sys items on SSDT list.

However, file hldrrr.exe is still in system32\drivers. Should I remove it with MoveIt? Srosa.sys and wintems.exe cannot be found, I hope they do not reappear.

Guillermo

Rorschach112
2008-01-09, 18:50
That seems to have got rid of a bit of it. Try not to restart your PC if possible, to be on the safe side.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\drivers\hldrrr.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Download avz4.zip from here (http://z-oleg.com/avz4.zip)
Unzip it to your desktop to a folder named avz4
Double click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the Right of the Log window: http://rathat.geekstogo.com/images/AVZupdate.jpg
Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
After the update, from the "File" menu, choose "System Recovery"
Check the box beside 10. Restore SafeBoot registry keys
Click Execute Selected Scripts, accept any prompts, then reboot your PC.

abramson
2008-01-09, 20:39
Done. ComboFix produced the log reported below.

AVZ: I couldn't update with any of the sources (2 of them), so I ran the tool anyway (since the only thing selected was restore SafeBoot... did I mess it up?).

Then rebooted, and here I am. IS does not show any of the bad guys either in Processes or SSDT. Should I run any other scan? SSD or HijackThis?

There are still a lot of new xxxx.exe in system32\drivers\down, where xxxx are 5- or 6-figure numbers. Some of these files have the same icon as wintems.exe (a keychain with keys). None of them is running as a process.

Guillermo


Note: this log is from before I ran avz4, hence the SafeBoot note in red

ComboFix 08-01-09.2 - Abramson 2008-01-09 16:05:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.1581 [GMT -2:00]
Se ejecuta desde: C:\Documents and Settings\Abramson\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\Abramson\Escritorio\CFScript.txt
* Creado un nuevo punto de restauración

FILE
C:\WINDOWS\system32\drivers\hldrrr.exe
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\hldrrr.exe

.
(((((((((((((((((( Archivos creados desde 2007-12-09 - 2008-01-09 )))))))))))))))))))))))))))))))))
.

2008-01-09 14:22 . <DIR> C:\WINDOWS\system32\config\systemprofile\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\NetworkService\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\NetworkService.NT AUTHORITY\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\LocalService\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\LocalService.NT AUTHORITY\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\Default User\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\Default User.WINDOWS\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\Administrador\Configuraci=n local
2008-01-09 14:22 . <DIR> C:\Documents and Settings\Abramson\Configuraci=n local
2008-01-09 14:21 . 2008-01-09 14:21 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-09 14:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 10:25 . 2008-01-09 10:25 <DIR> d-------- C:\Deckard
2008-01-08 15:15 . 2008-01-08 15:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\GiPo@Utilities
2008-01-08 14:36 . 2008-01-08 14:36 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Gibinsoft Shared
2008-01-08 14:20 . 2007-01-18 10:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-08 14:01 . 2008-01-09 14:11 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 11:34 . 2007-08-08 20:02 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2008-01-08 11:34 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-01-08 11:34 . 2006-03-02 10:00 25,600 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-01-04 11:03 . 2008-01-04 11:03 49 --a------ C:\WINDOWS\fsplugin.ini
2008-01-03 14:37 . 2007-10-22 07:10 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-03 14:37 . 2007-10-22 07:10 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-03 14:37 . 2008-01-03 14:37 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-01-03 10:40 . 2008-01-03 10:40 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-03 10:11 . 2008-01-08 13:27 21,712 ---h----- C:\treeinfo.wc
2007-12-28 16:03 . 2007-12-28 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-27 15:23 . 2007-12-27 15:41 <DIR> d-------- C:\Archivos de programa\Nero
2007-12-27 10:45 . 2007-12-27 10:45 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 18:38 . 2008-01-02 10:55 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-18 17:16 . 2007-12-18 17:15 151,552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53 . 2007-12-18 11:53 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10 . 2007-12-14 16:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-14 16:03 . 2007-12-14 16:03 <DIR> d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 15:51 . 2007-12-14 15:51 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50 . 2007-12-27 15:25 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50 . 2007-12-27 15:23 <DIR> d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50 . 2007-12-14 13:50 <DIR> d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37 . 2007-12-14 13:37 <DIR> d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09 . 2007-12-12 18:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 16:04 --------- d-----w C:\Archivos de programa\Spyware Doctor
2008-01-09 15:13 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\XnView
2008-01-09 14:10 --------- d-----w C:\Archivos de programa\Astro
2008-01-09 14:07 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-09 13:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Google Updater
2008-01-09 11:33 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 17:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Spybot - Search & Destroy
2008-01-08 17:54 --------- d-----w C:\Archivos de programa\Util
2008-01-08 13:03 --------- d-----w C:\Archivos de programa\Image
2008-01-08 12:46 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-08 11:51 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\TEMP
2007-12-28 18:02 --------- d-----w C:\Archivos de programa\Net
2007-12-26 18:28 --------- d-----w C:\Archivos de programa\video
2007-12-19 02:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\avg7
2007-12-18 20:32 --------- d-----w C:\Archivos de programa\Sci
2007-12-18 19:17 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:50 --------- d-----w C:\Archivos de programa\Texts
2007-12-14 15:50 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-28 12:14 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 12:51 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 13:34 --------- d-----w C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 19:34 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 19:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\Adobe Systems
2007-11-21 19:29 --------- d-----w C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-19 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Datos de programa\nView_Profiles
2007-11-16 16:57 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-16 16:57 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-15 20:12 --------- d-----w C:\Archivos de programa\Britannica
2007-11-13 13:06 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 18:05 --------- d-----w C:\Archivos de programa\MSECache
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Abramson\Datos de programa\COWON
2007-10-29 22:43 1,293,824 ------w C:\WINDOWS\system32\quartz.dll
2007-10-25 12:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-15 16:23 98,304 ----a-w C:\WINDOWS\system32\LtTtf14n.Dll
2007-10-15 16:23 94,208 ----a-w C:\WINDOWS\system32\ltdoc14n.dll
2007-10-15 16:23 89,232 ----a-w C:\WINDOWS\system32\LPCPN05N.dll
2007-10-15 16:23 86,016 ----a-w C:\WINDOWS\system32\lffax14n.dll
2007-10-15 16:23 85,136 ----a-w C:\WINDOWS\system32\LPINS05N.dll
2007-10-15 16:23 77,898 ----a-w C:\WINDOWS\system32\lfjb214n.dll
2007-10-15 16:23 72,848 ----a-w C:\WINDOWS\system32\LpTxt05n.dll
2007-10-15 16:23 703,632 ----a-w C:\WINDOWS\system32\LPRES05N.DLL
2007-10-15 16:23 695,440 ----a-w C:\WINDOWS\system32\LPDLG05N.DLL
2007-10-15 16:23 68,752 ----a-w C:\WINDOWS\system32\Lpdrv05n.DLL
2007-10-15 16:23 65,536 ----a-w C:\WINDOWS\system32\ltserial.dll
2007-10-15 16:23 642,192 ----a-w C:\WINDOWS\system32\LPUIR05r.dll
2007-10-15 16:23 56,464 ----a-w C:\WINDOWS\system32\LPUNI05N.dll
2007-10-15 16:23 56,464 ----a-w C:\WINDOWS\system32\LPRPC05u.dll
2007-10-15 16:23 52,368 ----a-w C:\WINDOWS\system32\LPEML05N.DLL
2007-10-15 16:23 507,024 ----a-w C:\WINDOWS\system32\LtAct14n.dll
2007-10-15 16:23 48,272 ----a-w C:\WINDOWS\system32\LPRNT05N.DLL
2007-10-15 16:23 434,176 ----a-w C:\WINDOWS\system32\ltkrn14n.dll
2007-10-15 16:23 38,032 ----a-w C:\WINDOWS\system32\LPUMD05n.dll
2007-10-15 16:23 364,544 ----a-w C:\WINDOWS\system32\LFCMP14n.dll
2007-10-15 16:23 35,984 ----a-w C:\WINDOWS\system32\LPPMN05u.DLL
2007-10-15 16:23 32,768 ----a-w C:\WINDOWS\system32\Lfwmf14n.dll
2007-10-15 16:23 262,144 ----a-w C:\WINDOWS\system32\LTDIS14n.dll
2007-10-15 16:23 253,952 ----a-w C:\WINDOWS\system32\LTEml14n.dll
2007-10-15 16:23 241,664 ----a-w C:\WINDOWS\system32\ltefx14n.dll
2007-10-15 16:23 228,496 ----a-w C:\WINDOWS\system32\LpPdf05n.dll
2007-10-15 16:23 224,400 ----a-w C:\WINDOWS\system32\LPKRN05N.DLL
2007-10-15 16:23 221,184 ----a-w C:\WINDOWS\system32\Lvkrn14n.dll
2007-10-15 16:23 2,199,552 ----a-w C:\WINDOWS\system32\PdfDll32.dll
2007-10-15 16:23 155,648 ----a-w C:\WINDOWS\system32\LTSGM14n.dll
2007-10-15 16:23 155,648 ----a-w C:\WINDOWS\system32\ltfil14n.dll
2007-10-15 16:23 146,576 ----a-w C:\WINDOWS\system32\LpDoc05n.dll
2007-10-15 16:23 142,480 ----a-w C:\WINDOWS\system32\ltact.dll
2007-10-15 16:23 139,264 ----a-w C:\WINDOWS\system32\lfpdf14n.dll
2007-10-15 16:23 138,384 ----a-w C:\WINDOWS\system32\LpHTM05n.dll
2007-10-15 16:23 138,384 ----a-w C:\WINDOWS\system32\LpEmf05n.dll
2007-10-15 16:23 113,808 ----a-w C:\WINDOWS\system32\LPWSE05n.exe
2007-10-15 16:23 109,712 ----a-w C:\WINDOWS\system32\LpRTF05n.dll
2007-10-15 16:23 106,680 ----a-w C:\WINDOWS\system32\LPUID05n.dll
2007-10-15 16:23 1,703,936 ----a-w C:\WINDOWS\system32\LTCLR14n.dll
2007-10-15 16:23 1,637,520 ----a-w C:\WINDOWS\system32\LPUIT05N.dll
2007-10-15 16:23 1,433,600 ----a-w C:\WINDOWS\system32\LTDic14n.dll
2007-10-15 16:23 1,396,736 ----a-w C:\WINDOWS\system32\ltann14n.dll
2007-10-15 16:23 1,122,304 ----a-w C:\WINDOWS\system32\ltimg14n.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-09_14.22.31.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-09 16:13:10 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-09 18:05:51 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-09 16:13:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-09 18:05:51 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-09 16:13:10 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-09 18:05:52 1,232,896 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-09 16:13:10 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-09 18:05:52 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-09 16:13:10 5,132,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-09 18:05:52 5,144,576 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-09 16:13:10 221,184 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-09 18:05:52 221,184 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2005-07-26 00:33 1073152 --a------ C:\Archivos de programa\Net\TortoiseCVS\TrtseShl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 10:00 15360]
"TaskSwitchXP"="C:\Archivos de programa\Util\TaskSwitchXP\TaskSwitchXP.exe" [2005-06-10 08:05 533734]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-15 02:03 16132608 C:\WINDOWS\RTHDCPL.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55 29744]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NvMediaCenter"="NvMCTray.dll" [2007-09-17 02:07 81920 C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [2007-02-27 12:55 937984]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 10:00 15360]
"AVG7_Run"="C:\ARCHIV~1\Grisoft\AVG7\avgw.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

La clave del Registro SafeBoot necesita reparacion. Esta maquina no puede reiniciar en modo a prueba de fallos (modo seguro).

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Archivos de programa\Util\CBOClean\BOCDRIVE.sys []
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-02 11:55]
S4 Fix-It Task Manager;Fix-It Task Manager;C:\ARCHIV~1\Util\Fix-It\mxtask.exe [2007-01-29 17:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
Contenido de carpeta 'Tareas Programadas'
"2008-01-03 15:16:05 C:\WINDOWS\Tasks\Backup de Biblioteca.job"
- C:\Home\Abramson\Backup\biblioteca.bat
"2008-01-04 15:02:16 C:\WINDOWS\Tasks\Backup de Email.job"
- C:\Home\Abramson\Backup\email.bat
"2008-01-09 15:00:48 C:\WINDOWS\Tasks\Backup de Home.job"
- C:\Home\Abramson\Backup\backup.bat
"2007-12-06 19:59:34 C:\WINDOWS\Tasks\SyncToy Abramson en CABFST21.job"
- C:\Archivos de programa\Util\SyncToy 2.0 Beta\SyncToyCmd.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 16:06:38
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-01-09 16:06:59
ComboFix-quarantined-files.txt 2008-01-09 18:06:51
ComboFix2.txt 2008-01-09 16:22:39
.
2007-12-12 12:15:57 --- E O F ---

Rorschach112
2008-01-09, 20:44
Hello


There are still a lot of new xxxx.exe in system32\drivers\down, where xxxx are 5- or 6-figure numbers. Some of these files have icons equal to that of wintems.exe (a keychain with keys). None of them is running as a process.
Let's be safe and scan them. Follow these steps for all of the exe files in that folder that have the icon; if there are more than five of these exe files, then don't bother scanning the rest of them.



Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

FILE HERE, eg : C:\WINDOWS\system32\drivers\srosa.sys

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

abramson
2008-01-09, 21:16
OK. The first one I uploaded was identified as already scanned. I had it rescanned nevertheless, and the result is:


File 36015.exe received on 01.09.2008 19:58:54 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.10.10 2008.01.09 Win-Trojan/Downloader.471556
AntiVir 7.6.0.46 2008.01.09 WORM/Bagle.Gen
Authentium 4.93.8 2008.01.09 -
Avast 4.7.1098.0 2008.01.08 Win32:Beagle-YN
AVG 7.5.0.516 2008.01.09 Generic9.ADGV
BitDefender 7.2 2008.01.09 Win32.Bagle.STT@mm
CAT-QuickHeal 9.00 2008.01.09 Win32.Backdoor.Rbot.bmr
ClamAV 0.91.2 2008.01.09 PUA.Packed.Themida
DrWeb 4.44.0.09170 2008.01.09 Win32.HLLM.Beagle
eSafe 7.0.15.0 2008.01.08 Win32.Mitglieder
eTrust-Vet 31.3.5444 2008.01.09 -
Ewido 4.0 2008.01.09 -
FileAdvisor 1 2008.01.09 -
Fortinet 3.14.0.0 2008.01.09 W32/Bagle.HI!worm
F-Prot 4.4.2.54 2008.01.09 -
F-Secure 6.70.13030.0 2008.01.09 Trojan-Downloader.Win32.Bagle.ho
Ikarus T3.1.1.20 2008.01.09 Virus.Win32.Beagle.YN
Kaspersky 7.0.0.125 2008.01.09 Trojan-Downloader.Win32.Bagle.ho
McAfee 5203 2008.01.09 Generic Downloader.ab
Microsoft 1.3109 2008.01.09 TrojanProxy:Win32/Mitglieder.KT
NOD32v2 2778 2008.01.09 Win32/Bagle.LF
Norman 5.80.02 2008.01.09 SDBot.gen8
Panda 9.0.0.4 2008.01.09 W32/Bagle.QP.worm
Prevx1 V2 2008.01.09 Trojan.Mitglieder
Rising 20.26.21.00 2008.01.09 -
Sophos 4.24.0 2008.01.09 -
Sunbelt 2.2.907.0 2008.01.09 VIPRE.Suspicious
Symantec 10 2008.01.09 Trojan.Mitglieder
TheHacker 6.2.9.184 2008.01.08 W32/Behav-Heuristic-064
VBA32 3.12.2.5 2008.01.09 -
VirusBuster 4.3.26:9 2008.01.09 -
Webwasher-Gateway 6.6.2 2008.01.09 Worm.Bagle.Gen

Additional information
File size: 471556 bytes
MD5: a14a5261685fad6735165b695175df15
SHA1: ba7e102f32030b71164e132918a4c25b13e9a2e3
PEiD: Themida/WinLicense V1.8.0.2 + -> Oreans Technologies
packers: Themida
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F388B2440420DF753258077D532078001CB1110F
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


I uploaded a few others from the folder. The ones with the wintems icon were all identified as malware. The ones without the icon were reported as clean. I have to say, though, that they were all downloaded together; they all have the same timestamps. I would get rid of all of them, what do you say?

I guess I remove them with MoveIt?

In the meantime I have checked services.msc and Windows Firewall is again in Automatic, and started!

Should I now reinstall spybot and my antivirus, and run them? Which ones?

Guillermo
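An added example, not part of the thread: a small Python script that parses VirusTotal's plain-text result rows like those above, skips the fused header line, counts how many engines fired, and folds the Bagle/Beagle/Mitglieder aliases into one family so the consensus name stands apart from generic and heuristic verdicts. The sample rows are a subset copied from this post; the alias table and the list of generic markers are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample: the fused header plus a subset of the engine rows quoted in the post.
SAMPLE_REPORT = """\
File 36015.exe received on 01.09.2008 19:58:54 (CET)Antivirus Version Last Update Result
AhnLab-V3 2008.1.10.10 2008.01.09 Win-Trojan/Downloader.471556
AntiVir 7.6.0.46 2008.01.09 WORM/Bagle.Gen
Authentium 4.93.8 2008.01.09 -
Avast 4.7.1098.0 2008.01.08 Win32:Beagle-YN
ClamAV 0.91.2 2008.01.09 PUA.Packed.Themida
eSafe 7.0.15.0 2008.01.08 Win32.Mitglieder
Kaspersky 7.0.0.125 2008.01.09 Trojan-Downloader.Win32.Bagle.ho
McAfee 5203 2008.01.09 Generic Downloader.ab
Norman 5.80.02 2008.01.09 SDBot.gen8
Sophos 4.24.0 2008.01.09 -
Sunbelt 2.2.907.0 2008.01.09 VIPRE.Suspicious
Symantec 10 2008.01.09 Trojan.Mitglieder
"""

# Assumed alias table: vendors name the same family Bagle, Beagle or Mitglieder.
FAMILY_ALIASES = {"bagle": "Bagle", "beagle": "Bagle", "mitglieder": "Bagle"}
# Assumed markers for verdicts that only say "looks bad" or "is packed".
GENERIC_MARKERS = ("generic", "suspicious", "heuristic", "packed", "pua")
DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")


def parse_rows(text):
    """Return (engine, version, updated, result) for every well-formed engine row."""
    rows = []
    for line in text.splitlines():
        # The result column may contain spaces ("Generic Downloader.ab"), so split
        # into at most four fields.
        parts = line.split(None, 3)
        # Real rows carry a yyyy.mm.dd update date in the third column; the fused
        # header line does not, so this check drops it.
        if len(parts) == 4 and DATE_RE.match(parts[2]):
            rows.append(tuple(parts))
    return rows


def classify(result):
    """Map a vendor verdict to a family name, 'generic/heuristic', or 'other'."""
    low = result.lower()
    for alias, family in FAMILY_ALIASES.items():
        if alias in low:
            return family
    if any(marker in low for marker in GENERIC_MARKERS):
        return "generic/heuristic"
    return "other"


def summarize(rows):
    """Count detections and pick the most common named family as the consensus."""
    detections = [r for r in rows if r[3] != "-"]
    families = Counter(classify(r[3]) for r in detections)
    named = {f: n for f, n in families.items() if f not in ("generic/heuristic", "other")}
    consensus = max(named, key=named.get) if named else None
    return {
        "engines": len(rows),
        "detections": len(detections),
        "families": families,
        "consensus": consensus,
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_REPORT))
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file")
    print("consensus family:", summary["consensus"])
    for family, count in summary["families"].most_common():
        print(f"  {family}: {count}")
```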

Rorschach112
2008-01-09, 21:21
No need to scan the rest, they are all bad as expected. They should have shown up in the ComboFix log.

What is the time stamp for these files?

Do the following

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.





Download WinPFind35U.exe (http://download.bleepingcomputer.com/oldtimer/WinPFind35u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
Under Rootkit Search on the left change it to Yes
Under Additional Scans check the box beside Reg - Disabled MS Config Items.
Under Files Created Within change it to 90 days, do the same for Files Modified Within.
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply. You will need to host this attachment on another site like mediafire as you can't upload here unfortunately.

abramson
2008-01-09, 21:29
What is the time stamp for these files?

The 29 files now present are from today, from 14:04 to 14:11 local time, which was, I believe, the last time that wintems.exe was seen running. Not sure though. Many more were downloaded before, and I deleted them several times (not to the recycler).

I am proceeding with your last instructions now, in safe mode. See you later.

Guillermo

abramson
2008-01-09, 21:33
I was reading the instructions before proceeding. I say, Rorschach, the WinPFind35U part should also be run in safe mode? Or do I reboot in normal mode for it? Just to be sure...

Guillermo

Rorschach112
2008-01-09, 21:55
Run WinPFind35 from Normal Mode.

It's always best to make sure :)

abramson
2008-01-09, 22:01
Thanks. That's what I thought. Here's SDFix report. I proceed with WinPFind35U (such a name!).


SDFix: Version 1.125

Run by Abramson on Wed 01/09/2008 at 05:45 PM

Microsoft Windows XP [Versión 5.1.2600]

Running From: c:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 17:51:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 19 Aug 2004 60,416 A.SH. --- "C:\Archivos de programa\Outlook Express\msimn.exe"
Thu 1 Nov 2007 5,903,928 A..H. --- "C:\Archivos de programa\Picasa2\setup.exe"
Wed 3 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Wed 3 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3958dae49728da026def65195c3aa84\BIT32.tmp"

Finished!

abramson
2008-01-09, 22:24
Done with WinPFind35U also. I tried to attach the file here but it seems to be too large. I placed it on my webpage: WinPFind35.Txt (http://cabfst28.cnea.gov.ar/~abramson/fotos/WinPFind35.Txt)

But: something is weird with this file. Even though it is all there, down to the last line <End of Report>, I cannot open it correctly in the browser. You can still use "save target as" to have it in full (perhaps non-ASCII characters).

I placed a zipped version, perhaps it gets transmitted better: WinPFind35.zip (http://cabfst28.cnea.gov.ar/~abramson/fotos/WinPFind35.zip)

Guillermo

abramson
2008-01-09, 22:39
I can't believe it: the infection has reappeared. I presume after the last reboot (the one between SDFix and WinPFind35U).

The exe and sys files are again there. IceSword again shows the bad processes and SSDT's... Firewall is deactivated...

What went wrong?

Guillermo

abramson
2008-01-09, 22:42
And 23 additional bad files were downloaded before I noticed and terminated the processes in IceSword.

Guillermo

abramson
2008-01-10, 00:06
I need to leave now. Will continue tomorrow. Thanks for your help Rorschach112. See you tomorrow and we finish it.

Guillermo

Rorschach112
2008-01-10, 15:05
Don't worry Guillermo we will get rid of the infections.

Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.


[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> wintems.exe -> %System32%\wintems.exe
[Win32 Services - Non-Microsoft Only]
YN -> (aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\aswUpdSv.exe
YN -> (avast! Antivirus) avast! Antivirus [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\ashServ.exe
YN -> (avast! Mail Scanner) avast! Mail Scanner [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\ashMaiSv.exe
YN -> (avast! Web Scanner) avast! Web Scanner [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Antivirus\Avast\ashWebSv.exe
YN -> (AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe
YN -> (Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Disabled | Stopped] -> %SystemDrive%\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
YN -> (Avg7UpdSvc) AVG7 Update Service [Win32_Own | Disabled | Stopped] -> %SystemDrive%\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
YN -> (AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Stopped] -> %SystemDrive%\ARCHIV~1\Grisoft\AVG7\avgemc.exe
YN -> (sdAuxService) PC Tools Auxiliary Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Spyware Doctor\svcntaux.exe
YN -> (sdCoreService) PC Tools Security Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Spyware Doctor\swdsvc.exe
[Registry - Non-Microsoft Only]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {92780B25-18CC-41C8-B9BE-3C9C571A8263}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Referencia]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] -> [Referencia]
NY -> CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Antivirus\Spybot\SDHelper.dll [Spybot - Search & Destroy Configuration]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> Convertir a PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm
YN -> Convertir a PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm
YN -> Convertir destino de vínculo a PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm
YN -> Convertir destino de vínculo en archivo PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm
YN -> Convertir selección a archivo PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm
YN -> Convertir selección a PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm
YN -> Convertir vínculos seleccionados a PDF de Adobe -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm
YN -> Convertir vínculos seleccionados a PDF existente -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm
YN -> E&xportar a Microsoft Excel ->
[Files/Folders - Created Within 90 days]
YY -> 112062.exe -> %System32%\drivers\down\112062.exe
YY -> 126609.exe -> %System32%\drivers\down\126609.exe
YY -> 128218.exe -> %System32%\drivers\down\128218.exe
YY -> 136468.exe -> %System32%\drivers\down\136468.exe
YY -> 148046.exe -> %System32%\drivers\down\148046.exe
YY -> 148625.exe -> %System32%\drivers\down\148625.exe
YY -> 157625.exe -> %System32%\drivers\down\157625.exe
YY -> 172015.exe -> %System32%\drivers\down\172015.exe
YY -> 172968.exe -> %System32%\drivers\down\172968.exe
YY -> 201078.exe -> %System32%\drivers\down\201078.exe
YY -> 205234.exe -> %System32%\drivers\down\205234.exe
YY -> 206437.exe -> %System32%\drivers\down\206437.exe
YY -> 210843.exe -> %System32%\drivers\down\210843.exe
YY -> 212625.exe -> %System32%\drivers\down\212625.exe
YY -> 216515.exe -> %System32%\drivers\down\216515.exe
YY -> 236765.exe -> %System32%\drivers\down\236765.exe
YY -> 257734.exe -> %System32%\drivers\down\257734.exe
YY -> 261281.exe -> %System32%\drivers\down\261281.exe
YY -> 262093.exe -> %System32%\drivers\down\262093.exe
YY -> 263078.exe -> %System32%\drivers\down\263078.exe
YY -> 264218.exe -> %System32%\drivers\down\264218.exe
YY -> 269906.exe -> %System32%\drivers\down\269906.exe
YY -> 281609.exe -> %System32%\drivers\down\281609.exe
YY -> 36015.exe -> %System32%\drivers\down\36015.exe
YY -> 39234.exe -> %System32%\drivers\down\39234.exe
YY -> 425750.exe -> %System32%\drivers\down\425750.exe
YY -> 437484.exe -> %System32%\drivers\down\437484.exe
YY -> 446437.exe -> %System32%\drivers\down\446437.exe
YY -> 449625.exe -> %System32%\drivers\down\449625.exe
YY -> 452875.exe -> %System32%\drivers\down\452875.exe
YY -> 455140.exe -> %System32%\drivers\down\455140.exe
YY -> 459015.exe -> %System32%\drivers\down\459015.exe
YY -> 460140.exe -> %System32%\drivers\down\460140.exe
YY -> 468109.exe -> %System32%\drivers\down\468109.exe
YY -> 571625.exe -> %System32%\drivers\down\571625.exe
YY -> 572437.exe -> %System32%\drivers\down\572437.exe
YY -> 580406.exe -> %System32%\drivers\down\580406.exe
YY -> 594140.exe -> %System32%\drivers\down\594140.exe
YY -> 595421.exe -> %System32%\drivers\down\595421.exe
YY -> 614015.exe -> %System32%\drivers\down\614015.exe
YY -> 626718.exe -> %System32%\drivers\down\626718.exe
YY -> 635109.exe -> %System32%\drivers\down\635109.exe
YY -> 637984.exe -> %System32%\drivers\down\637984.exe
YY -> 647031.exe -> %System32%\drivers\down\647031.exe
YY -> 77218.exe -> %System32%\drivers\down\77218.exe
YY -> wget.exe -> %SystemRoot%\wget.exe
[Files/Folders - Modified Within 90 days]
YY -> 112062.exe -> %System32%\drivers\down\112062.exe
YY -> 126609.exe -> %System32%\drivers\down\126609.exe
YY -> 128218.exe -> %System32%\drivers\down\128218.exe
YY -> 136468.exe -> %System32%\drivers\down\136468.exe
YY -> 148046.exe -> %System32%\drivers\down\148046.exe
YY -> 148625.exe -> %System32%\drivers\down\148625.exe
YY -> 157625.exe -> %System32%\drivers\down\157625.exe
YY -> 172015.exe -> %System32%\drivers\down\172015.exe
YY -> 172968.exe -> %System32%\drivers\down\172968.exe
YY -> 201078.exe -> %System32%\drivers\down\201078.exe
YY -> 205234.exe -> %System32%\drivers\down\205234.exe
YY -> 206437.exe -> %System32%\drivers\down\206437.exe
YY -> 210843.exe -> %System32%\drivers\down\210843.exe
YY -> 212625.exe -> %System32%\drivers\down\212625.exe
YY -> 216515.exe -> %System32%\drivers\down\216515.exe
YY -> 236765.exe -> %System32%\drivers\down\236765.exe
YY -> 257734.exe -> %System32%\drivers\down\257734.exe
YY -> 261281.exe -> %System32%\drivers\down\261281.exe
YY -> 262093.exe -> %System32%\drivers\down\262093.exe
YY -> 263078.exe -> %System32%\drivers\down\263078.exe
YY -> 264218.exe -> %System32%\drivers\down\264218.exe
YY -> 269906.exe -> %System32%\drivers\down\269906.exe
YY -> 281609.exe -> %System32%\drivers\down\281609.exe
YY -> 36015.exe -> %System32%\drivers\down\36015.exe
YY -> 39234.exe -> %System32%\drivers\down\39234.exe
YY -> 425750.exe -> %System32%\drivers\down\425750.exe
YY -> 437484.exe -> %System32%\drivers\down\437484.exe
YY -> 446437.exe -> %System32%\drivers\down\446437.exe
YY -> 449625.exe -> %System32%\drivers\down\449625.exe
YY -> 452875.exe -> %System32%\drivers\down\452875.exe
YY -> 455140.exe -> %System32%\drivers\down\455140.exe
YY -> 459015.exe -> %System32%\drivers\down\459015.exe
YY -> 460140.exe -> %System32%\drivers\down\460140.exe
YY -> 468109.exe -> %System32%\drivers\down\468109.exe
YY -> 571625.exe -> %System32%\drivers\down\571625.exe
YY -> 572437.exe -> %System32%\drivers\down\572437.exe
YY -> 580406.exe -> %System32%\drivers\down\580406.exe
YY -> 594140.exe -> %System32%\drivers\down\594140.exe
YY -> 595421.exe -> %System32%\drivers\down\595421.exe
YY -> 614015.exe -> %System32%\drivers\down\614015.exe
YY -> 626718.exe -> %System32%\drivers\down\626718.exe
YY -> 635109.exe -> %System32%\drivers\down\635109.exe
YY -> 637984.exe -> %System32%\drivers\down\637984.exe
YY -> 647031.exe -> %System32%\drivers\down\647031.exe
YY -> 77218.exe -> %System32%\drivers\down\77218.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
YN -> "drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" ->
YN -> "german.exe"="C:\WINDOWS\system32\wintems.exe" ->
YN -> C:\WINDOWS\system32\wintems.exe 471556 bytes executable ->
YN -> C:\WINDOWS\system32\drivers\srosa.sys 108928 bytes executable ->
YN -> C:\WINDOWS\system32\drivers\hldrrr.exe 533734 bytes executable ->
[Empty Temp Folders]
[Start Explorer]
[ZipFiles]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.



Then run ComboFix.exe again straight after and post that log here. Also do the IceSword steps again, however the files/processes may not be there. Also post a new IceSword log.


You should find a zip file after you run WinPFind35. I need you to do the following with it

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please go here:
The Spy Killer Forum (http://www.thespykiller.co.uk/index.php?board=1.0)
Click on "New Topic"
Put your name, e-mail address, and this as the title: "%System32%\drivers\down\210843.exe and more"
Put a link to this topic in the description box.
Then next to the file box, at the bottom, click the browse button, then navigate to this file:


%System32%\drivers\down\210843.exe and more


Click Open.
Click Post.
Thank you!


Then reboot and see how your PC is running and let me know how it all went.
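An added example, not from the thread and not WinPFind35U's own code: a Python check over HijackThis-style O4 autorun lines that flags the patterns this infection showed, an .exe autostarting from system32\drivers (a folder that should hold .sys drivers), an all-digit executable name like the ones in drivers\down, and a Run value named after a different executable than the one it launches. The two bad Run values are the ones quoted in the fix above; the benign lines come from the thread's logs, and the "down_test" entry is constructed for the example (the thread shows those files but no Run value for them).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log in HijackThis O4 format (see the lead-in for provenance).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [down_test] C:\WINDOWS\system32\drivers\down\210843.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
"""

# O4 lines look like: O4 - <key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def first_executable(cmd):
    """Return the program a Run command launches: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def suspicious_reasons(name, exe):
    """Heuristics drawn from this thread's infection; each is a hint, not proof."""
    path = PureWindowsPath(exe)
    low = str(path).lower()
    reasons = []
    # Drivers live in system32\drivers as .sys files; an .exe autostarting from there
    # (hldrrr.exe) or from a subfolder of it (drivers\down) is out of place.
    if "\\system32\\drivers\\" in low and path.suffix.lower() == ".exe":
        reasons.append("executable autostarting from system32\\drivers")
    # The downloaded payloads were named with digits only (210843.exe and so on).
    if path.stem.isdigit():
        reasons.append("numeric-only file name")
    # A value named like an executable ("german.exe") that launches a different
    # file (wintems.exe) is trying to look like a legitimate entry.
    if name.lower().endswith(".exe") and name.lower() != path.name.lower():
        reasons.append("value name mimics a different executable")
    return reasons


def triage_autoruns(log_text):
    """Return one finding per O4 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = first_executable(m.group("cmd"))
        reasons = suspicious_reasons(m.group("name"), exe)
        if reasons:
            findings.append({"name": m.group("name"), "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_LOG):
        print(f"[{finding['name']}] {finding['exe']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```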

abramson
2008-01-10, 15:31
Hi, Rorschach112. Thanks for your post. I was just writing when it arrived. Before I proceed, let me tell you what happened yesterday, after my last post reporting the re-infection.

I re-applied the two steps that you suggested, which were able to remove the infection even after a reboot. These were:

1. Prepare a CFScript.txt with instructions for file removal and registry repair. In the file removal, I added all the bad files downloaded by the virus in system32\drivers\down, besides hldrrr.exe.

2. Drop this script on top of ComboFix.

3. Run avz4 to repair SafeBoot (fortunately I had been able to update before, since network connection was again broken after ComboFix).

4. Reboot.

After this, the computer was clean. IceSword reported no hidden processes nor bad SSDT. AVG AntiRootkit reported all clean. The bad files were gone. I waited a few minutes and all continued to be OK. So I decided to:

5. Reinstall Spybot. The installer ran (good!). A full scan found a couple of bad items (one of them seemed related to the Bagle, which seems to be the infection I had). I removed all.

6. Reinstall AVG. The installer ran (excellent!). I started a complete scan and went to bed. Today the results showed 16 infections found, all removed (several were in the vaults of the tools run at your suggestion). After this I reinstalled Avast and ran a new full scan, which found nothing.

One interesting note: Immediately after AVG completed installation, it reported that WinPFind35U, on my Desktop, was infected. It was moved to the vault, and it's now there. WinPFind35U was the last tool I ran, after which the infection reappeared. What do you think? Is it possible that the downloaded file was infected, or that the virus took refuge in an otherwise clean tool? Isn't it strange?

So, the system seems now clean. I would rather run some scan if you suggest so, to verify the results of Spybot, AVG and Avast. I do not believe that further cleaning is necessary. Let me know your opinion.

Guillermo

Rorschach112
2008-01-10, 15:37
Hello Guillermo, sounds like you did a pretty good job!

The reason why your infection came back was due to all those .exe files. They weren't showing up in any of your logs which is strange.


Immediately after AVG completed installation, it reported that WinPFind35U, on my Desktop, was infected.
Unfortunately this is a false positive. A lot of our tools get detected as malware even though they are not, it is something we have to live with. Do not worry about it though.


Let's just do another scan to be 100% sure you are clean. There are probably a few remains left.


Do this again

Download WinPFind35U.exe (http://download.bleepingcomputer.com/oldtimer/WinPFind35u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
Under Rootkit Search on the left change it to Yes
Under Additional Scans check the box beside Reg - Disabled MS Config Items.
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply.



Also post a new HijackThis log.


Can you also run IceSword and take a screenshot of the following areas: Processes, Win32 Services, SSDT, making sure to have the red entries in the screenshot if present; if there are none, take a screenshot anyway for me.

abramson
2008-01-10, 16:15
Hi. Unfortunately, AVG does not allow me to run WinPFind35U. Even if I tell it to "Ignore" the threat, Windows then gives me a "can't access" error when I try to run the tool.

Guillermo

Rorschach112
2008-01-10, 16:16
Can you make sure AVG is fully closed, then re-download WinPFind35 and run it.

If not then do this

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


Then do the other steps in my previous post

abramson
2008-01-10, 16:17
Here's a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:02 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
C:\Archivos de programa\Antivirus\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
C:\Archivos de programa\Net\Opera\Opera.exe
C:\Archivos de programa\Util\Total Commander 7\TOTALCMD.EXE
C:\Archivos de programa\Util\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191420182250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 10472 bytes

abramson
2008-01-10, 16:18
Here's an IceSword Processes log:

Process:

System Idle Process
System
C:\WINDOWS\RTHDCPL.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla server.exe
C:\ARCHIV~1\Google\Common\GOOGLE~1\GOOGLE~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Antivirus\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Archivos de programa\Util\IceSword\IceSword.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
C:\Archivos de programa\Util\Total Commander 7\TOTALCMD.EXE
C:\Archivos de programa\Antivirus\Avast\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
C:\WINDOWS\system32\alg.exe
C:\Archivos de programa\Net\Opera\Opera.exe

abramson
2008-01-10, 16:19
Here's an IceSword Win32Services log:

Started Service:

Service Name:ALG Display Name:Servicio de puerta de enlace de capa de aplicación
Service Name:aswUpdSv Display Name:avast! iAVS4 Control Service
Service Name:AudioSrv Display Name:Audio de Windows
Service Name:avast! Antivirus Display Name:avast! Antivirus
Service Name:avast! Mail Scanner Display Name:avast! Mail Scanner
Service Name:avast! Web Scanner Display Name:avast! Web Scanner
Service Name:Avg7Alrt Display Name:AVG7 Alert Manager Server
Service Name:Avg7UpdSvc Display Name:AVG7 Update Service
Service Name:AVGEMS Display Name:AVG E-mail Scanner
Service Name:BITS Display Name:Servicio de transferencia inteligente en segundo plano
Service Name:Browser Display Name:Examinador de equipos
Service Name:CryptSvc Display Name:Servicios de cifrado
Service Name:DcomLaunch Display Name:Iniciador de procesos de servidor DCOM
Service Name:Dhcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Administrador de discos lógicos
Service Name:Dnscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Registro de sucesos
Service Name:EventSystem Display Name:Sistema de sucesos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidad de cambio rápido de usuario
Service Name:FileZilla Server Display Name:FileZilla Server FTP server
Service Name:gusvc Display Name:Google Updater Service
Service Name:helpsvc Display Name:Ayuda y soporte técnico
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estación de trabajo
Service Name:LmHosts Display Name:Ayuda de NetBIOS sobre TCP/IP
Service Name:Netman Display Name:Conexiones de red
Service Name:Nla Display Name:NLA (Network Location Awareness)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:Pml Driver HPZ12 Display Name:Pml Driver HPZ12
Service Name:PolicyAgent Display Name:Servicios IPSEC
Service Name:ProtectedStorage Display Name:Almacenamiento protegido
Service Name:RasMan Display Name:Administrador de conexión de acceso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Llamada a procedimiento remoto (RPC)
Service Name:SamSs Display Name:Administrador de cuentas de seguridad
Service Name:Schedule Display Name:Programador de tareas
Service Name:seclogon Display Name:Inicio de sesión secundario
Service Name:SENS Display Name:Notificación de sucesos del sistema
Service Name:SharedAccess Display Name:Firewall de Windows/Conexión compartida a Internet (ICS)
Service Name:ShellHWDetection Display Name:Detección de hardware shell
Service Name:Spooler Display Name:Cola de impresión
Service Name:srservice Display Name:Servicio de restauración de sistema
Service Name:SSDPSRV Display Name:Servicio de descubrimientos SSDP
Service Name:stisvc Display Name:Adquisición de imágenes de Windows (WIA)
Service Name:TapiSrv Display Name:Telefonía
Service Name:TermService Display Name:Servicios de Terminal Server
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de seguimiento de vinculos distribuidos
Service Name:W32Time Display Name:Horario de Windows
Service Name:WebClient Display Name:Cliente Web
Service Name:WinDefend Display Name:Windows Defender
Service Name:winmgmt Display Name:Instrumental de administración de Windows
Service Name:wscsvc Display Name:Centro de seguridad
Service Name:wuauserv Display Name:Actualizaciones automáticas

abramson
2008-01-10, 16:25
Here are IceSword SSDT screen captures:

is-ssdt1.jpg (http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt1.jpg)
is-ssdt2.jpg (http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt2.jpg)
is-ssdt3.jpg (http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt3.jpg)
is-ssdt4.jpg (http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt4.jpg)
is-ssdt5.jpg (http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt5.jpg)
is-ssdt6.jpg (http://cabfst28.cnea.gov.ar/~abramson/fotos/is-ssdt6.jpg)

abramson
2008-01-10, 16:31
Can you make sure AVG is fully closed, then re-download WinPFind35 again and run it

I don't find any AVG option that allows me to shut down the antivirus. I could kill its processes, but there are probably several, even hidden (I say, to protect itself).

Here's the DSS Main log. No Extra was produced (?).

Deckard's System Scanner v20071014.68
Run by Abramson on 2008-01-10 12:27:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Abramson.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:05 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
C:\Archivos de programa\Antivirus\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe
C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
C:\Documents and Settings\Abramson\Escritorio\dss.exe
C:\ARCHIV~1\Util\HIJACK~1\Abramson.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cnea.gov.ar;*.ib.edu.ar;*.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARCHIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\ANTIVI~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191420182250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Archivos de programa\Net\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 10405 bytes

-- Files created between 2007-12-10 and 2008-01-10 -----------------------------

2008-01-09 20:19:16 0 dr-h----- C:\$VAULT$.AVG
2008-01-09 20:03:53 0 d-------- C:\WINDOWS\system32\drivers\down
2008-01-08 15:15:06 0 d-------- C:\WINDOWS\ERUNT
2008-01-08 11:34:05 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2008-01-08 11:34:04 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
2007-12-27 15:23:37 0 d-------- C:\Archivos de programa\Nero
2007-12-18 17:16:05 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2007-12-18 11:53:16 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-14 16:10:27 0 d--h----- C:\WINDOWS\PIF
2007-12-14 15:51:37 0 d-------- C:\Archivos de programa\Archivos comunes\Nero
2007-12-14 15:50:16 0 d-------- C:\Archivos de programa\Archivos comunes\Ahead
2007-12-14 15:50:15 0 d-------- C:\Archivos de programa\Ahead
2007-12-14 13:50:29 0 d-------- C:\Archivos de programa\Bonjour
2007-12-14 13:37:45 0 d-------- C:\Archivos de programa\Archivos comunes\Macrovision Shared
2007-12-12 18:09:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-01-10 12:22:20 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\XnView
2008-01-10 12:16:57 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\WinEdt
2008-01-10 11:08:24 0 d-------- C:\Archivos de programa\Util
2008-01-10 11:08:24 0 d-------- C:\Archivos de programa\Archivos comunes
2008-01-10 10:58:32 0 d-------- C:\Archivos de programa\Antivirus
2008-01-10 09:43:45 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AVG7
2008-01-09 14:04:35 0 d-------- C:\Archivos de programa\Spyware Doctor
2008-01-09 12:10:35 0 d-------- C:\Archivos de programa\Astro
2008-01-09 09:33:23 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\File-Ex
2008-01-08 11:03:04 0 d-------- C:\Archivos de programa\Image
2008-01-07 14:15:40 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Adobe
2008-01-03 10:40:13 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\SpeedProject
2008-01-02 09:35:17 498418 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-01-02 09:35:17 89006 --a------ C:\WINDOWS\system32\perfc00A.dat
2007-12-28 16:03:14 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\aignes
2007-12-28 16:02:39 0 d-------- C:\Archivos de programa\Net
2007-12-27 10:45:50 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\CyberLink
2007-12-26 16:28:20 0 d-------- C:\Archivos de programa\video
2007-12-18 18:32:16 0 d-------- C:\Archivos de programa\Sci
2007-12-18 17:17:12 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2007-12-14 16:03:55 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Ahead
2007-12-14 14:50:33 0 d-------- C:\Archivos de programa\Texts
2007-12-14 13:50:25 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2007-12-12 18:19:35 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Real
2007-12-07 17:24:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Google
2007-11-28 10:14:29 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\ActiveState
2007-11-23 10:51:12 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Avanquest
2007-11-22 11:34:15 0 d-------- C:\Archivos de programa\Microsoft SQL Server Compact Edition
2007-11-21 17:34:16 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\AdobeUM
2007-11-21 17:29:46 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2007-11-16 14:57:16 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2007-11-16 14:57:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-15 18:25:58 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\Macromedia
2007-11-15 18:12:59 0 d-------- C:\Archivos de programa\Britannica
2007-11-13 11:06:00 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\InstallShield
2007-11-12 16:05:30 0 d-------- C:\Archivos de programa\MSECache
2007-11-12 12:44:03 0 d-------- C:\Documents and Settings\Abramson\Datos de programa\COWON
2007-10-15 14:23:34 2199552 --a------ C:\WINDOWS\system32\PdfDll32.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS(r) DLL for Windows>
2007-10-15 14:23:34 65536 --a------ C:\WINDOWS\system32\ltserial.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 02:07 AM]
"nwiz"="nwiz.exe" [09/17/2007 02:07 AM C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [06/15/2007 02:03 AM C:\WINDOWS\RTHDCPL.exe]
"Google Desktop Search"="C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" [11/02/2007 11:55 AM]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"NvMediaCenter"="NvMCTray.dll" [09/17/2007 02:07 AM C:\WINDOWS\system32\nvmctray.dll]
"zBrowser Launcher"="C:\Archivos de programa\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
"FileZilla Server Interface"="C:\Archivos de programa\Net\FileZilla Server\FileZilla Server Interface.exe" [02/27/2007 12:55 PM]
"NeroFilterCheck"="C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]
"AVG7_CC"="C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe" [01/09/2008 08:16 PM]
"avast!"="C:\ARCHIV~1\ANTIVI~1\Avast\ashDisp.exe" [12/04/2007 11:00 AM]
"Windows Defender"="C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/02/2006 10:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12




-- End of Deckard's System Scanner: finished at 2008-01-10 12:27:22 ------------
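
The HijackThis sections in the logs above are easy to triage by hand once, but a small parser helps when comparing several runs. The following is an added example for this thread, not part of HijackThis, DSS or any tool used here: it parses the O4 (autorun), O17 (name server) and O23 (service) line formats shown above and lists the entries a reviewer would check first, such as services still registered for a binary that is gone. The `expected_dns` list and the sample lines are constructed for the example.

```python
# Added triage helper for HijackThis-style logs (not part of HijackThis, DSS
# or any other tool used in this thread): it parses O4, O17 and O23 lines
# and lists the entries a reviewer would check first.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
USER_SUFFIX_RE = re.compile(r" \(User '(?P<user>[^']*)'\)$")   # HKUS entries carry this
SHORT_NAME_RE = re.compile(r'\(([^()]+)\)$')                   # "(ShortName)" in display name
MISSING = '(file missing)'                                     # HijackThis marker for gone binaries

@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    user: Optional[str] = None

    @property
    def executable(self) -> str:
        # First token of the command, honouring a double-quoted path.
        if self.command.startswith('"'):
            end = self.command.find('"', 1)
            return self.command[1:end] if end > 0 else self.command[1:]
        return self.command.split(' ', 1)[0]

@dataclass
class Service:
    display_name: str
    short_name: Optional[str]
    owner: str
    path: str
    file_missing: bool

@dataclass
class Parsed:
    autoruns: List[Autorun] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)
    nameservers: Dict[str, List[str]] = field(default_factory=dict)
    skipped: int = 0  # R0/R1, O2, O8, ... lines this helper does not model

def parse_hijackthis(text: str) -> Parsed:
    """Turn O4/O17/O23 lines into records; every other line is counted as skipped."""
    result = Parsed()
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if (m := O4_RE.match(line)):
            cmd, user = m.group('cmd'), None
            if (um := USER_SUFFIX_RE.search(cmd)):
                user, cmd = um.group('user'), cmd[:um.start()]
            result.autoruns.append(Autorun(m.group('hive'), m.group('name'), cmd, user))
        elif (m := O23_RE.match(line)):
            path = m.group('path')
            missing = path.endswith(MISSING)
            if missing:
                path = path[:-len(MISSING)].rstrip()
            sm = SHORT_NAME_RE.search(m.group('display'))
            result.services.append(Service(m.group('display'), sm.group(1) if sm else None,
                                           m.group('owner'), path, missing))
        elif (m := O17_RE.match(line)):
            result.nameservers[m.group('key')] = [s.strip() for s in m.group('servers').split(',') if s.strip()]
        else:
            result.skipped += 1
    return result

def triage(parsed: Parsed, expected_dns: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Group the entries worth a second look; expected_dns is the caller's own list."""
    notes: Dict[str, List[str]] = {
        'stale_services': [],        # still registered, binary no longer on disk
        'unknown_owner': [],         # no vendor recorded for the service binary
        'unqualified_autoruns': [],  # bare file name, so search-path order decides what runs
        'unexpected_dns': [],        # name servers other than the ones expected
    }
    for svc in parsed.services:
        label = f'{svc.short_name or svc.display_name} -> {svc.path}'
        if svc.file_missing:
            notes['stale_services'].append(label)
        if svc.owner == 'Unknown owner':
            notes['unknown_owner'].append(label)
    for run in parsed.autoruns:
        if '\\' not in run.executable:
            notes['unqualified_autoruns'].append(f'{run.hive} [{run.name}] {run.executable}')
    if expected_dns is not None:
        for key, servers in parsed.nameservers.items():
            notes['unexpected_dns'] += [f'{key}: {s}' for s in servers if s not in expected_dns]
    return notes

# Constructed sample: a few lines in the format of the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cab.cnea.gov.ar:3128
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Antivirus\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O17 - HKLM\System\CCS\Services\Tcpip\..\{0050570D-B681-42C2-B56D-32BF2A16ADA1}: NameServer = 168.96.72.3,168.96.72.6
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Antivirus\Avast\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Archivos de programa\Spyware Doctor\swdsvc.exe (file missing)
"""
```

Running `triage(parse_hijackthis(SAMPLE_LOG), ['168.96.72.3', '168.96.72.6'])` on the sample lists the two "(file missing)" services under both `stale_services` and `unknown_owner`, and the two autoruns given by bare file name.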

Rorschach112
2008-01-10, 16:35
Ok we are nearly done

Please download OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\drivers\down


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.



You also have two anti-viruses, Avast and AVG; you need to remove one of these or it will cause a lot of problems. They are both good, so it is up to you. So go to Add or Remove Programs to remove one.


Can you also tell me how your PC is running now?


Also, sorry to ask again, can I get a screenshot of the Processes section of IceSword

abramson
2008-01-10, 17:21
Done. Here's the MoveIt report:


C:\WINDOWS\system32\drivers\down moved successfully.

Created on 01/10/2008 13:09:22


Also, sorry to ask again, can I get a screenshot of the Processes section of IceSword

Sure. I posted a log before, but here's the screenshot: is-processes.jpg (http://cabfst28.cnea.gov.ar/~abramson/fotos/is-processes.jpg)

The PC seems to be running normally.

I will uninstall one of the antivirus. I thought that double protection would reduce the probability of infection in a multiplicative way (say, if the prob. of infection with any of them is 0.001, with both it would be 0.001^2=0.000001, but then, I am a theoretical physicist, not a computer safety guru...).

Rorschach, I thank you so much for your help with this problem. If you ever come to Bariloche, Argentina, come pay me a visit. I will cook you a good "asado". You already have my webpage address.

I hope I could pay back to the forum some of the help I received from you.

Guillermo

Rorschach112
2008-01-10, 17:28
Hello Guillermo


Sure. I posted a log before,
I am just doing some research so those screenshots will come in very handy, thanks :)


I thought that double protection would reduce the probabilitiy of infection
Running two anti-virus programs or two firewalls means they will have problems conflicting with each other. So you can have major slowdowns and blue screens of death. Theoretically you are right though :)


Rorschach, I thank you so much for your help with this problem. If you ever come to Bariloche, Argentina, come pay me a visit. I will cook you a good "asado".
I can't take all the credit, it was a joint effort :) Asado sounds nice !


Just a few things to do to make sure you don't get infected in the future.

It is very important that you delete IceSword.exe


Some clean up :

Please double-click OTMoveIt.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot


Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.
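The MVPS HOSTS file recommendation above works because every hostname the file maps to 127.0.0.1 (newer blocklists use 0.0.0.0 for the same effect) is resolved to the local machine instead of the real site. The following script is an added example, not part of the thread or of the MVPS download: it parses a HOSTS file, lists which hostnames are sinkholed that way, and also flags any line that points a hostname at some other address, because malware edits the same file to redirect security-vendor sites and a clean blocklist should contain no such lines. The file contents in `SAMPLE_HOSTS` are constructed for the example; the hostnames and the 203.0.113.7 address are made up.

```python
"""Parse a HOSTS file and classify its entries (added example).

Every hostname mapped to a loopback/unspecified address (127.0.0.1, 0.0.0.0,
::1) is "sinkholed": the browser connects to the local machine and never
reaches the site. Any hostname mapped to some OTHER address is reported as a
redirect to review, since a blocklist-style HOSTS file never does that but
malware that tampers with HOSTS does.
"""
import ipaddress

SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the two default localhost lines, three MVPS-style block
# entries (one line carrying two hostnames), and one line that redirects a
# made-up antivirus update host to a remote address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.com      # blocked by the list
0.0.0.0 adserver.example.org
0.0.0.0 banner.example.net tracker.example.net
203.0.113.7     update.example-antivirus.test   # hijack: NOT a sinkhole
"""


def parse_hosts(text):
    """Yield (address, hostname, line_number) for every mapping in *text*.

    Blank lines and '#' comments are skipped, a trailing comment on a mapping
    line is stripped, and one line may map several hostnames to one address.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostname
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first field is not a valid IPv4/IPv6 literal
        for name in names:
            yield address, name.lower(), lineno


def classify_hosts(text):
    """Split mappings into sinkholed names and suspicious redirects.

    Returns {"blocked": sorted hostnames mapped to a sinkhole address,
             "redirects": [(hostname, address, line_number), ...]}.
    'localhost' is ignored because every HOSTS file legitimately maps it.
    """
    blocked = set()
    redirects = []
    for address, name, lineno in parse_hosts(text):
        if name == "localhost":
            continue
        if address in SINKHOLE_ADDRESSES:
            blocked.add(name)
        else:
            redirects.append((name, address, lineno))
    return {"blocked": sorted(blocked), "redirects": redirects}


def is_blocked(hostname, text):
    """True if *hostname* would be sinkholed by the HOSTS file in *text*."""
    return hostname.lower() in classify_hosts(text)["blocked"]


if __name__ == "__main__":
    # On a real machine read %SystemRoot%\System32\drivers\etc\hosts instead.
    result = classify_hosts(SAMPLE_HOSTS)
    print("blocked:", ", ".join(result["blocked"]))
    for name, address, lineno in result["redirects"]:
        print(f"line {lineno}: {name} -> {address}  (review: not a sinkhole entry)")
```

On a live system, pass the contents of `%SystemRoot%\System32\drivers\etc\hosts` to `classify_hosts`; an empty `redirects` list is what you expect after installing the MVPS file, and anything in it (especially vendor update hostnames) deserves a look.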
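The Internet Explorer "Custom level" steps above change three per-zone settings that IE keeps in the registry, so they can be audited after the fact instead of re-opening the dialog. The script below is an added example, not part of the thread: it reads the Internet zone (zone 3) under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, where value 1001 is "Download signed ActiveX controls", 1004 is "Download unsigned ActiveX controls" and 1201 is "Initialize and script ActiveX controls not marked as safe", each stored as a DWORD with 0 = Enable, 1 = Prompt, 3 = Disable, and reports any that are more permissive than the post recommends. Off Windows it audits a constructed dictionary instead; the sample values are made up and are not a claim about IE's defaults.

```python
"""Audit the Internet-zone ActiveX settings from the post (added example).

IE stores each zone's per-feature setting as a DWORD under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\<zone>;
zone 3 is the Internet zone and the data is 0 = Enable, 1 = Prompt, 3 = Disable.
"""
import sys

INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value name -> (description, level the post asks for)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}


def read_internet_zone_settings():
    """Read the three values for the Internet zone from HKCU (Windows only).

    A value absent from HKCU means the zone's built-in default applies; it is
    reported as None rather than guessed.
    """
    import winreg  # only available on Windows
    settings = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                settings[name] = int(data)
            except FileNotFoundError:
                settings[name] = None
    return settings


def audit_activex(settings):
    """Compare *settings* ({value name: 0/1/3 or None}) against RECOMMENDED.

    Returns [(value name, description, current, wanted), ...] for every
    setting weaker than recommended. Lower data = more permissive
    (Enable 0 < Prompt 1 < Disable 3); an unset value cannot be verified,
    so it is reported too.
    """
    findings = []
    for name, (description, wanted) in RECOMMENDED.items():
        current = settings.get(name)
        if current is None or current < wanted:
            findings.append((name, description, current, wanted))
    return findings


def format_findings(findings):
    """Render audit findings as one human-readable line each."""
    lines = []
    for name, description, current, wanted in findings:
        cur = "not set" if current is None else LEVEL_NAMES.get(current, str(current))
        lines.append(f"{name} {description}: is {cur}, should be {LEVEL_NAMES[wanted]}")
    return lines


if __name__ == "__main__":
    if sys.platform == "win32":
        current = read_internet_zone_settings()
    else:
        # Constructed sample for non-Windows runs: two weak settings, one fine.
        current = {"1001": ENABLE, "1004": DISABLE, "1201": PROMPT}
    report = format_findings(audit_activex(current))
    for line in report or ["all three settings are at the recommended level"]:
        print(line)
```

Group Policy can force the zone settings to be read from HKLM instead of HKCU; this example only checks the per-user key the Internet Options dialog writes to.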