
Virtumonde Solutions Please



Xuriken
2008-02-11, 22:03
Hello. I don't know how to remove that Virtumonde from my PC. It returns all the time; it never goes away. I have read other posts from people who had my problem and I have downloaded HijackThis. Here I post the results from the HijackThis Notepad.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52:58, on 11/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService.exe
C:\WINDOWS\System32\UAService7.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Archivos de programa\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 47.193.19.26:8085
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Archivos de programa\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {960B06AC-458B-4C2E-B314-0D220C09F812} - C:\WINDOWS\system32\geede.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O2 - BHO: {483d6ab3-87b7-2caa-6d64-7b9248d8af2b} - {b2fa8d84-29b7-46d6-aac2-7b783ba6d384} - C:\WINDOWS\system32\sryupfor.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Archivos de programa\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [3c4e1143] rundll32.exe "C:\WINDOWS\system32\xntrpwvr.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Archivos de programa\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Archivos de programa\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: AhoraFondos - {03FBB191-FB50-4154-91D7-587D5E3C0000} - C:\Documents and Settings\Propietario\Datos de programa\MACD\AhoraFondos\LanzarDll.exe (HKCU)
O9 - Extra 'Tools' menuitem: AhoraFondos - {03FBB191-FB50-4154-91D7-587D5E3C0000} - C:\Documents and Settings\Propietario\Datos de programa\MACD\AhoraFondos\LanzarDll.exe (HKCU)
O9 - Extra button: SuperFondos - {03FBB191-FB50-4154-91D7-587D5E3C0001} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\SuperFondos\LanzarDll.exe (HKCU)
O9 - Extra 'Tools' menuitem: SuperFondos - {03FBB191-FB50-4154-91D7-587D5E3C0001} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\SuperFondos\LanzarDll.exe (HKCU)
O9 - Extra button: Mensajero - {03FBB191-FB50-4154-91D7-587D5E3C0002} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\Mensajero\LanzarDll.exe (HKCU)
O9 - Extra 'Tools' menuitem: Mensajero - {03FBB191-FB50-4154-91D7-587D5E3C0002} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\Mensajero\LanzarDll.exe (HKCU)
O9 - Extra button: BajaCosa - {03FBB191-FB50-4154-91D7-587D5E3C0003} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\BajaCosa\LanzarDll.exe (HKCU)
O9 - Extra 'Tools' menuitem: BajaCosa - {03FBB191-FB50-4154-91D7-587D5E3C0003} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\BajaCosa\LanzarDll.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.caixacat.es
O16 - DPF: {03FBB191-FB50-4154-91D7-587D5E3C3C9A} - http://acceso.masminutos.com/software.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://araiana.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://araiana.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Programador de LiveUpdate automático - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\System32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

--
End of file - 9768 bytes


Please help me!!
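As an added example (my own code, not part of this thread, of HijackThis, or of any tool the helpers reference), the script below parses entries in the HijackThis format posted above and flags the shapes that make the first log look like a Vundo infection: a nameless or GUID-named BHO pointing at a randomly named DLL in system32, an orphaned BHO registration, a Run key with an 8-hex-digit name that feeds a system32 DLL to rundll32, and a per-user ProxyServer pointing at a public IP. It then compares the 2008-02-11 log with the 2008-02-22 log to separate what the cleanup removed from what still persists. The heuristics are assumptions drawn from these two logs only, not an authoritative Vundo signature; the sample lines are copied from the logs in this thread and trimmed.

```python
"""Triage a HijackThis v2.0.x log for the entry shapes the Virtumonde/Vundo
family leaves behind, and compare a before/after pair of logs.

Added example for this thread; not a tool that HijackThis, ComboFix or the
forum ships. The heuristics are assumptions drawn from the logs posted above
and are triage hints for a human reviewer, not a verdict.
"""
import ipaddress
import re

# Lines copied from the two HijackThis logs posted in this thread (2008-02-11
# before ComboFix, 2008-02-22 after), trimmed to the entries the example needs.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 47.193.19.26:8085
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {960B06AC-458B-4C2E-B314-0D220C09F812} - C:\WINDOWS\system32\geede.dll
O2 - BHO: {483d6ab3-87b7-2caa-6d64-7b9248d8af2b} - {b2fa8d84-29b7-46d6-aac2-7b783ba6d384} - C:\WINDOWS\system32\sryupfor.dll
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [3c4e1143] rundll32.exe "C:\WINDOWS\system32\xntrpwvr.dll",b
"""
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 47.193.19.26:8085
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A DLL directly under system32 whose stem is 5-8 lowercase letters and nothing else
# (the DLL names in the posted log are all of that shape; assumption, not a rule).
RANDOM_SYS32_DLL = re.compile(r"(?i:\\system32\\)[a-z]{5,8}\.dll")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
HEX_RUN_RE = re.compile(r'^HKLM\\\.\.\\Run: \[([0-9a-f]{8})\] rundll32\.exe "([^"]+)"', re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer = (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_hjt(text):
    """Return (section, body) for every R*/O* entry in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag(section, body):
    """Reasons an entry looks like a Vundo-style foothold; empty list if none."""
    reasons = []
    if section == "R1" and "ProxyServer" in body:
        m = PROXY_RE.search(body)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            if not (ip.is_private or ip.is_loopback):
                reasons.append(f"per-user proxy points at public IP {m.group(1)}:{m.group(2)}")
    elif section == "O2" and body.startswith("BHO: "):
        # body layout: "BHO: <name> - {CLSID} - <path or (no file)>"
        name, _, rest = body[len("BHO: "):].partition(" - ")
        if name == "(no name)" or GUID_RE.match(name):
            if rest.endswith("(no file)"):
                reasons.append("orphaned nameless BHO registration (no file on disk)")
            elif RANDOM_SYS32_DLL.search(rest):
                reasons.append(f"nameless BHO loads randomly named DLL: {rest.rsplit(' - ', 1)[-1]}")
    elif section == "O4":
        m = HEX_RUN_RE.match(body)
        if m and RANDOM_SYS32_DLL.search(m.group(2)):
            reasons.append(f"Run key [{m.group(1)}] feeds {m.group(2)} to rundll32")
    return reasons


def compare(before_text, after_text):
    """Split flagged entries into (removed by cleanup, still present, newly appeared)."""
    before = {body: flag(s, body) for s, body in parse_hjt(before_text)}
    after = {body: flag(s, body) for s, body in parse_hjt(after_text)}
    removed = [b for b, r in before.items() if r and b not in after]
    persisting = [b for b, r in before.items() if r and b in after]
    new = [b for b, r in after.items() if r and b not in before]
    return removed, persisting, new


if __name__ == "__main__":
    for section, body in parse_hjt(BEFORE_LOG):
        for reason in flag(section, body):
            print(f"{section}: {reason}")
    removed, persisting, new = compare(BEFORE_LOG, AFTER_LOG)
    print(f"\nremoved: {len(removed)}  still present: {len(persisting)}  new: {len(new)}")
    for body in persisting:
        print("STILL PRESENT ->", body)
```

Run as a script it prints the five flagged entries from the first log and then reports four removed and one persisting. The persisting one is the R1 ProxyServer entry (47.193.19.26:8085), which appears unchanged in the second log; it is worth checking separately from the DLL clean-up, since a user-level proxy pointing at a public address routes every browser request through that host.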

Xuriken
2008-02-13, 20:40
I've got another problem. When I do a check for problems with Spybot, Norton Antivirus (it's my antivirus :)) sometimes says that a Trojan.Vundo has been stopped because it could be a risk to the computer. Could you help me with that, please?


And now the Internet goes a little bit slow. Sometimes it traps. Is that normal?

:sad::sad::sad:

Shaba
2008-02-16, 12:29
Hi Xuriken

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

Xuriken
2008-02-20, 23:08
Hello, I did what you said. I don't know if the malware has been removed, but by now the Internet goes very fast and the infected pages don't appear.

Here I post the ComboFix.txt. (I don't know if I have to post the HijackThis log. I don't know if the one I got is secure, because I downloaded it through Google and not from a link in this forum. If I post a log from my HijackThis it could be wrong. I have tried to uninstall the one I got in order to download a secure one, but I don't know how to do it. Can you help me?)
--------------------------------------


ComboFix 08-02-18.1 - Propietario 2008-02-20 16:43:36.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.3082.18.95 [GMT 1:00]
Running from: D:\Mis Documentos\ComboFix.exe
* Created a new restore point

WARNING - THIS COMPUTER DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!
.

(((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\geede.dll
C:\Documents and Settings\Propietario\Datos de programa\ultra
C:\Documents and Settings\Propietario\Datos de programa\ultra\uninstall.bat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dbkyqvof.dll
C:\WINDOWS\system32\dboekewg.ini
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\exayrjyu.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\jeknjwgm.dll
C:\WINDOWS\system32\kyxebhid.ini
C:\WINDOWS\system32\lgrsrjuk.dll
C:\WINDOWS\system32\lvgwasyt.ini
C:\WINDOWS\system32\saxnjuvl.ini
C:\WINDOWS\system32\sobtkiyn.ini
C:\WINDOWS\system32\ss.exe
C:\WINDOWS\system32\tysawgvl.dll
C:\WINDOWS\system32\uyjryaxe.ini
C:\WINDOWS\system32\vnojuxhf.dll
C:\WINDOWS\system32\vxmutpxb.dll
C:\WINDOWS\system32\xipoenph.dll

.
(((((((((((((((((( Files created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))))
.

2008-02-17 17:57 . 2008-02-18 19:20 1,434 ---hs---- C:\WINDOWS\system32\smbefqpk.ini
2008-02-16 16:50 . 2008-02-17 17:55 1,254 ---hs---- C:\WINDOWS\system32\jjaqprxv.ini
2008-02-15 12:27 . 2008-02-16 16:44 1,014 ---hs---- C:\WINDOWS\system32\hdfjewbp.ini
2008-02-13 22:52 . 2008-02-13 22:52 <DIR> d-------- C:\Archivos de programa\Warthog
2008-02-13 22:49 . 2008-02-13 22:49 <DIR> d-------- C:\Archivos de programa\GameSpy Arcade
2008-02-13 21:01 . 2008-02-15 12:25 714 ---hs---- C:\WINDOWS\system32\mupiakhu.ini
2008-02-11 20:56 . 2008-02-12 13:06 1,366 ---hs---- C:\WINDOWS\system32\xcyfpdsa.ini
2008-02-11 20:44 . 2008-02-11 20:44 <DIR> d-------- C:\Archivos de programa\Trend Micro
2008-02-10 20:56 . 2008-02-11 19:20 1,246 ---hs---- C:\WINDOWS\system32\rvwprtnx.ini
2008-02-09 17:20 . 2008-02-10 20:54 886 ---hs---- C:\WINDOWS\system32\jexpimdu.ini
2008-02-08 15:24 . 2008-02-08 15:23 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-08 15:24 . 2008-02-08 15:24 3,453 --a------ C:\WINDOWS\unins000.dat
2008-01-31 18:49 . 2008-01-31 18:49 268 --ah----- C:\sqmdata09.sqm
2008-01-31 18:49 . 2008-01-31 18:49 244 --ah----- C:\sqmnoopt09.sqm
2008-01-31 18:13 . 2008-01-31 18:13 <DIR> d-------- C:\Documents and Settings\Propietario\Datos de programa\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 08:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 04:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 17:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-11 05:37 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-07 14:51 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-07 14:51 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-07 14:51 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-07 14:51 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-03 10:22 --------- d-----w C:\Archivos de programa\Windows Sidebar
2008-01-03 10:20 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Symantec
2008-01-03 10:20 --------- d-----w C:\Archivos de programa\Symantec
2007-12-19 22:53 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:08 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:02 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:01 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-12 16:45 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-05-16 17:15 24,464 ----a-w C:\Documents and Settings\Propietario\Datos de programa\GDIPFONTCACHEV1.DAT
2006-05-07 17:22 24,464 ----a-w C:\Documents and Settings\mire\Datos de programa\GDIPFONTCACHEV1.DAT
1994-04-01 12:00 64,287 ----a-w C:\Documents and Settings\Propietario\SETUP.EXE
1994-04-01 12:00 411,445 ----a-w C:\Documents and Settings\Propietario\RAP.EXE
1994-04-01 12:00 12,779 ----a-w C:\Documents and Settings\Propietario\RAP-HELP.EXE
.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 17:31 116088 --a------ C:\ARCHIV~1\ARCHIV~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:42 15360]
"CTSyncU.exe"="C:\Archivos de programa\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 10:06 700416]
"Advanced Uninstaller PRO Installation Monitor"="C:\Archivos de programa\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe" [2005-12-13 01:44 1215488]
"msnmsgr"="C:\Archivos de programa\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 10:50 4112384]
"nwiz"="nwiz.exe" [2004-07-12 10:50 843776 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 10:50 81920]
"ccApp"="C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"osCheck"="C:\Archivos de programa\Norton AntiVirus\osCheck.exe" [2007-08-24 21:53 714608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:42 15360]
"ALUAlert"="C:\Archivos de programa\Symantec\LiveUpdate\ALUNotify.exe" [2007-08-23 13:35 152952]

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe" [2008-01-31 13:15]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]
S2 Programador de LiveUpdate automático;Programador de LiveUpdate automático;"C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2007-08-23 13:35]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\iMSPCLOj.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 17:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9070384-bd32-11db-acc5-00051c0e7e0a}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 19:00:02 C:\WINDOWS\Tasks\Norton AntiVirus - Ejecutar un análisis de todo el sistema - Propietario.job"

Shaba
2008-02-21, 11:36
Hi

Use this:

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Xuriken
2008-02-22, 17:37
Hello, here's the HijackThis log:






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:35, on 2008-02-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Archivos de programa\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Archivos de programa\internet explorer\iexplore.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 47.193.19.26:8085
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Archivos de programa\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Archivos de programa\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Archivos de programa\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Archivos de programa\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\monitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: AhoraFondos - {03FBB191-FB50-4154-91D7-587D5E3C0000} - C:\Documents and Settings\Propietario\Datos de programa\MACD\AhoraFondos\LanzarDll.exe (HKCU)
O9 - Extra 'Tools' menuitem: AhoraFondos - {03FBB191-FB50-4154-91D7-587D5E3C0000} - C:\Documents and Settings\Propietario\Datos de programa\MACD\AhoraFondos\LanzarDll.exe (HKCU)
O9 - Extra button: SuperFondos - {03FBB191-FB50-4154-91D7-587D5E3C0001} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\SuperFondos\LanzarDll.exe (HKCU)
O9 - Extra 'Tools' menuitem: SuperFondos - {03FBB191-FB50-4154-91D7-587D5E3C0001} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\SuperFondos\LanzarDll.exe (HKCU)
O9 - Extra button: Mensajero - {03FBB191-FB50-4154-91D7-587D5E3C0002} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\Mensajero\LanzarDll.exe (HKCU)
O9 - Extra 'Tools' menuitem: Mensajero - {03FBB191-FB50-4154-91D7-587D5E3C0002} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\Mensajero\LanzarDll.exe (HKCU)
O9 - Extra button: BajaCosa - {03FBB191-FB50-4154-91D7-587D5E3C0003} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\BajaCosa\LanzarDll.exe (HKCU)
O9 - Extra 'Tools' menuitem: BajaCosa - {03FBB191-FB50-4154-91D7-587D5E3C0003} - C:\Documents and Settings\Propietario\Datos de programa\MATRIX\BajaCosa\LanzarDll.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.caixacat.es
O16 - DPF: {03FBB191-FB50-4154-91D7-587D5E3C3C9A} - http://acceso.masminutos.com/software.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://araiana.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://araiana.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Programador de LiveUpdate automático - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\System32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

--
End of file - 9185 bytes

Shaba
2008-02-22, 19:07
Hi

Move combofix to desktop.

After that:

Open HijackThis, click do a system scan only and checkmark these:

O16 - DPF: {03FBB191-FB50-4154-91D7-587D5E3C3C9A} - http://acceso.masminutos.com/software.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom2.cab

Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\smbefqpk.ini
C:\WINDOWS\system32\jjaqprxv.ini
C:\WINDOWS\system32\hdfjewbp.ini
C:\WINDOWS\system32\mupiakhu.ini
C:\WINDOWS\system32\xcyfpdsa.ini
C:\WINDOWS\system32\rvwprtnx.ini
C:\WINDOWS\system32\jexpimdu.ini


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.
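The CFScript above was assembled by hand from the hidden+system .ini files that ComboFix listed under "files created" in the log Xuriken posted. As an added example (my own code, not ComboFix's, HijackThis's or the forum's), the script below derives that same File:: list from the "files created" section of a ComboFix log. The selection rule (attributes h and s both set, a stem of exactly eight lowercase letters, .ini extension, directly under system32) is an assumption drawn from this one log; the sample lines are copied from the posted ComboFix.txt with two benign entries kept as negatives.

```python
"""Build a ComboFix CFScript from the "files created" section of a ComboFix log.

Added example for this thread, not part of ComboFix or the forum's tooling.
It automates the hand-made selection above: pick the hidden+system, randomly
named .ini files ComboFix listed under system32 and emit them under File::.
"""
import re

# Lines copied from the ComboFix.txt posted above ("files created" section,
# 2008-01-20 to 2008-02-20), including two benign entries as negatives.
COMBOFIX_CREATED = r"""
2008-02-17 17:57 . 2008-02-18 19:20 1,434 ---hs---- C:\WINDOWS\system32\smbefqpk.ini
2008-02-16 16:50 . 2008-02-17 17:55 1,254 ---hs---- C:\WINDOWS\system32\jjaqprxv.ini
2008-02-15 12:27 . 2008-02-16 16:44 1,014 ---hs---- C:\WINDOWS\system32\hdfjewbp.ini
2008-02-13 22:52 . 2008-02-13 22:52 <DIR> d-------- C:\Archivos de programa\Warthog
2008-02-13 21:01 . 2008-02-15 12:25 714 ---hs---- C:\WINDOWS\system32\mupiakhu.ini
2008-02-11 20:56 . 2008-02-12 13:06 1,366 ---hs---- C:\WINDOWS\system32\xcyfpdsa.ini
2008-02-10 20:56 . 2008-02-11 19:20 1,246 ---hs---- C:\WINDOWS\system32\rvwprtnx.ini
2008-02-09 17:20 . 2008-02-10 20:54 886 ---hs---- C:\WINDOWS\system32\jexpimdu.ini
2008-02-08 15:24 . 2008-02-08 15:23 691,545 --a------ C:\WINDOWS\unins000.exe
"""

# "<created> . <modified> <size|<DIR>> <9-char attribute string> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)
# Assumed shape of the Vundo side files in this log: eight lowercase letters, .ini, in system32.
SUSPECT_INI = re.compile(r"\\system32\\[a-z]{8}\.ini$")


def parse_created(text):
    """Return one dict (created, modified, size, attrs, path) per entry line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def select_suspect_inis(rows):
    """Paths whose attribute string has both h and s set and match SUSPECT_INI."""
    out = []
    for row in rows:
        attrs = row["attrs"]
        if "h" in attrs and "s" in attrs and SUSPECT_INI.search(row["path"]):
            out.append(row["path"])
    return out


def build_cfscript(paths):
    """Render a CFScript with a single File:: block, one path per line."""
    return "File::\n" + "\n".join(paths) + "\n"


def cfscript_from_log(text):
    """Full pipeline: ComboFix 'files created' text -> CFScript text."""
    return build_cfscript(select_suspect_inis(parse_created(text)))


if __name__ == "__main__":
    print(cfscript_from_log(COMBOFIX_CREATED), end="")
```

Run as a script it prints a File:: block with the same seven paths as the CFScript above, in log order, and skips the Warthog directory and unins000.exe. Save the output as CFScript.txt and drag it onto ComboFix.exe as described; review the list before doing so, since the rule is a pattern match, not a malware verdict.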

Shaba
2008-02-28, 11:33
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.