View Full Version : Virtumonde assistant plead
Hi, first post here, probably first minute after registration too, so please bear with me if I break any rules by mistake.
I am infected with Virtumonde according Spybot S&D scan. The virus seems to be spreading through rundll32.exe and winlogon.exe, the former is a double process in taskmanager.
Most of the time I am unable to connect to internet with any browser (google loads fine, but it's the only thing) and when I attempt to block the virus activity my computer starts to lag badly, to the point it's imposible to navigate through it. Virus activity I've seen so far is registry changes, rundll32.exe trying to embed into other programs, and after reboot + spybot virtumonde.dll cleaning, the virus loads several cmd consoles, I suppose to resume its activity.
I've tried to clean it with kaspersky, spybot S&D and other antispyware programs, but no luck so far. The virus is incredibly nasty from what I have read.
Currently I have disabled internet in that computer, it doesn't work anyways, and now I'm downloading to an external HD unit all the programs I've seen you guys instruct to download in this thread: http://forums.spybot.info/showthread.php?t=29532&highlight=virtumonde
I hope any of you can help me out, because in that computer, I'm royally screwed. Oddly enough I'm also unable to format C: through a windows reinstall. After booting from the CD it gives me a hard drive hardware recognition error. I don't know if that's related to the virus, probably not, but couples very well with it, it does.
I await your instructions. Thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:51:54, on 17/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\pc\Escritorio\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: (no name) - {2E77DB68-7C9E-46EA-9C99-18AC81363A0B} - C:\WINDOWS\system32\geBtUnnk.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8710FC9F-0816-49D7-AE14-4BA5269E838C} - C:\WINDOWS\system32\vtUmMcDv.dll
O2 - BHO: (no name) - {BA0B46C5-7DD5-4434-9F91-23542AC91B8D} - C:\WINDOWS\system32\khfDwuSM.dll (file missing)
O2 - BHO: (no name) - {C05BD701-32F1-4007-8353-5F18F0E06B58} - C:\WINDOWS\system32\pmnlkhIC.dll (file missing)
O2 - BHO: (no name) - {E39AD9C9-1488-476F-89A8-4F45F23FB077} - C:\WINDOWS\system32\cbXOIxxv.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAX] C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BMe38e67e3] Rundll32.exe "C:\WINDOWS\system32\yogogjvv.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3499] command /c del "C:\WINDOWS\system32\geBtUnnk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8966] cmd /c del "C:\WINDOWS\system32\geBtUnnk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7164] command /c del "C:\WINDOWS\system32\pmnlkhIC.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5157] cmd /c del "C:\WINDOWS\system32\pmnlkhIC.dll_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Anti-Banner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Archivos de programa\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .csm: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {1C4C6BC7-91F1-4FD3-A208-B07B6C1BDBFA} (Firma1Fase Class) - http://www.juntadeandalucia.es/innovacioncienciayempresa/universidaddigital08/jsp/firmado/afirma/Sign.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210535988171
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E2F7D-D3FB-480F-8F19-2C0DD3EFB3D6}: NameServer = 194.224.52.4,193.152.63.197
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\ARCHIV~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: vtUmMcDv - C:\WINDOWS\SYSTEM32\vtUmMcDv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe (file missing)
--
End of file - 13992 bytes
ndmmxiaomayi
2008-06-17, 18:38
Hi,
Disable Spybot Teatimer temporarily
Please disable Spybot Teatimer temporarily as it may interfere with the fixes.
Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
Click on Mode > Advanced Mode. When it prompts you, click Yes.
On the left hand side, click on Tools.
Check (tick) this box if it is not yet ticked: Resident.
You will notice that Resident is now added under Tools. Click on Resident.
Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
Exit Spybot Search & Destroy.
Restart your computer for the changes to take effect.
Disable Kaspersky Antivirus temporarily
Please disable Kaspersky Antivirus temporarily as it may interfere with the fixes. Remember to re-enable it back before posting the logs!
Please navigate to the system tray on the bottom right hand corner and look for a http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/kav.png sign.
Right click it and select Pause Protection.
Click on By User Request
A popup will claim that protection is now disabled and a sign like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/kav_disabled.png will now be shown.
Run Combofix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once Recovery Console is installed, you should see a blue screen prompt like the one below:
http://img.photobucket.com/albums/v706/ried7/RC_whatnext.gif
Click Yes to allow Combofix to continue scanning for malware.
When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.
Do not mouse click on Combofix while it is running. That may cause it to stall.
Create Uninstall list
Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.
In your next reply, please post:
Combofix log (C:\Combofix.txt)
A new HijackThis log
The Uninstall list
Thanks for your reply. Everything worked with no problems. These are the logs you requested (note that kaspersky was paused when I generated the logs)
ComboFix Log
ComboFix 08-06-16.3 - pc 2008-06-17 18:08:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.3082.18.587 [GMT 2:00]
Se ejecuta desde: C:\Documents and Settings\pc\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\pc\Escritorio\WindowsXP-KB310994-SP2-Pro-BootDisk-ESN.exe
* Creado un nuevo punto de restauración
.
(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMe38e67e3.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ahgfrcrd.ini
C:\WINDOWS\system32\butlfohu.ini
C:\WINDOWS\system32\CIhklnmp.ini
C:\WINDOWS\system32\CIhklnmp.ini2
C:\WINDOWS\system32\cqouclvb.dll
C:\WINDOWS\system32\jbixmppy.dll
C:\WINDOWS\system32\knnUtBeg.ini
C:\WINDOWS\system32\knnUtBeg.ini2
C:\WINDOWS\system32\MSuwDfhk.ini
C:\WINDOWS\system32\MSuwDfhk.ini2
C:\WINDOWS\system32\ogttblni.dll
C:\WINDOWS\system32\rddtswfx.ini
C:\WINDOWS\system32\sxoembmr.dll
C:\WINDOWS\system32\uhofltub.dll
C:\WINDOWS\system32\usbhxyie.ini
C:\WINDOWS\system32\voxytxyh.dll
C:\WINDOWS\system32\vtUmMcDv.dll
C:\WINDOWS\system32\vxxIOXbc.ini
C:\WINDOWS\system32\vxxIOXbc.ini2
C:\WINDOWS\system32\xdbfjepj.ini
C:\WINDOWS\system32\yogogjvv.dll
C:\WINDOWS\system32\yppmxibj.ini
.
(((((((((((((((((( Archivos creados desde 2008-05-17 - 2008-06-17 )))))))))))))))))))))))))))))))))
.
2008-06-17 01:44 . 2008-06-17 01:44 322,560 --------- C:\WINDOWS\system32\khfDwuSM.dll_old
2008-06-16 23:22 . 2008-06-16 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Lavasoft
2008-06-16 18:18 . 2008-06-17 09:34 442 --a------ C:\WINDOWS\wininit.ini
2008-06-16 14:28 . 2008-06-16 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
2008-06-16 14:28 . 2008-06-16 14:28 <DIR> d-------- C:\Archivos de programa\Spybot - Search & Destroy
2008-06-12 17:51 . 2008-06-12 18:10 <DIR> d-------- C:\Documents and Settings\pc\Datos de programa\LimeWire
2008-06-11 18:59 . 2007-07-26 15:41 322,048 --a------ C:\WINDOWS\system32\sculptapi.dll
2008-06-10 00:08 . 2008-06-10 00:14 <DIR> d-------- C:\Documents and Settings\pc\.clienteFirmaArrobaFirma5
2008-06-01 11:32 . 2008-06-11 19:13 <DIR> d-------- C:\Documents and Settings\pc\Datos de programa\Orbit
2008-05-30 21:16 . 2008-05-30 21:16 <DIR> d-------- C:\Archivos de programa\ATITool
2008-05-30 19:47 . 2008-05-30 19:47 <DIR> d-------- C:\Documents and Settings\pc\Datos de programa\DAEMON Tools
2008-05-27 12:55 . 2008-05-27 12:55 <DIR> d-------- C:\Archivos de programa\Fraps
2008-05-19 17:41 . 2008-06-15 13:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-19 17:41 . 2008-05-19 17:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-18 10:56 . 2008-05-18 10:56 23 --a------ C:\WINDOWS\system32\faaafacfeb3_z.ocx
2008-05-18 10:56 . 2008-05-18 10:56 23 --ahs---- C:\WINDOWS\system32\baccafdd4_z.dll
2008-05-18 10:37 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-05-18 10:37 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-05-17 15:01 . 2008-05-29 12:54 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-17 15:01 . 2008-05-31 00:30 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-17 15:00 . 2008-05-17 15:00 <DIR> d-------- C:\Archivos de programa\Kaspersky Lab
2008-05-17 15:00 . 2008-06-17 18:13 17,850,144 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-17 15:00 . 2008-06-17 18:12 280,096 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-17 15:00 . 2008-06-17 18:11 242,204 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-17 15:00 . 2008-06-17 18:11 28,328 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 16:01 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab
2008-06-16 21:22 --------- d-----w C:\Archivos de programa\Tools
2008-06-12 15:45 --------- d-----w C:\Archivos de programa\BitComet
2008-06-11 16:59 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2008-06-09 22:09 331,776 ----a-w C:\WINDOWS\softokn3.dll
2008-06-09 22:09 323,584 ----a-w C:\WINDOWS\nss3.dll
2008-06-09 22:09 28,672 ----a-w C:\WINDOWS\libplc4.dll
2008-06-09 22:09 24,576 ----a-w C:\WINDOWS\libplds4.dll
2008-06-09 22:09 233,587 ----a-w C:\WINDOWS\appletAFirma.dll
2008-06-09 22:09 196,608 ----a-w C:\WINDOWS\libnspr4.dll
2008-06-09 22:09 180,224 ----a-w C:\WINDOWS\nssckbi.dll
2008-06-09 22:09 118,784 ----a-w C:\WINDOWS\jss3.dll
2008-06-09 22:09 110,592 ----a-w C:\WINDOWS\ssl3.dll
2008-06-09 22:09 102,400 ----a-w C:\WINDOWS\smime3.dll
2008-06-03 07:19 --------- d-----w C:\Documents and Settings\pc\Datos de programa\Skype
2008-06-01 11:01 --------- d---a-w C:\Documents and Settings\All Users\Datos de programa\TEMP
2008-05-30 17:47 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-29 16:45 --------- d-----w C:\Documents and Settings\pc\Datos de programa\EditPlus 3
2008-05-29 10:54 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-21 22:40 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Microsoft Help
2008-05-17 22:36 --------- d-----w C:\Documents and Settings\pc\Datos de programa\SolidDocuments
2008-05-17 09:57 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\FLEXnet
2008-05-15 23:47 --------- d-----w C:\Archivos de programa\Microsoft Silverlight
2008-04-24 22:43 --------- d-----w C:\Archivos de programa\Java
2008-04-24 22:41 --------- d-----w C:\Archivos de programa\Archivos comunes\Java
2008-04-24 22:36 --------- d-----w C:\Archivos de programa\Real
2008-04-14 02:19 70,144 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 02:19 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 02:19 286,720 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 02:19 152,064 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 02:18 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 02:18 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 02:18 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 02:18 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 02:18 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 02:18 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 02:18 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 02:18 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2008-04-14 02:18 1,036,288 ----a-w C:\WINDOWS\explorer.exe
2007-07-26 14:01 114,688 ----a-w C:\Archivos de programa\internet explorer\plugins\ChimeShim.dll
.
((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vac¡as & entradas leg¡timas predeterminadas no son mostradas
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E77DB68-7C9E-46EA-9C99-18AC81363A0B}]
C:\WINDOWS\system32\geBtUnnk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA0B46C5-7DD5-4434-9F91-23542AC91B8D}]
C:\WINDOWS\system32\khfDwuSM.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C05BD701-32F1-4007-8353-5F18F0E06B58}]
C:\WINDOWS\system32\pmnlkhIC.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E39AD9C9-1488-476F-89A8-4F45F23FB077}]
C:\WINDOWS\system32\cbXOIxxv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:18 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Adobe Reader Speed Launcher"="C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"ISUSPM"="C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"QlbCtrl"="C:\Archivos de programa\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 09:47 159744]
"SoundMAXPnP"="C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe" [2007-01-05 17:36 872448]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2008-02-05 11:33 185896]
"AVP"="C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:18 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\ARCHIV~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^BTTray.lnk]
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^pc^Menú Inicio^Programas^Inicio^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^pc^Menú Inicio^Programas^Inicio^Recorte de pantalla e Inicio rápido de OneNote 2007.lnk]
backup=C:\WINDOWS\pss\Recorte de pantalla e Inicio rápido de OneNote 2007.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-08-04 11:29 1056552 C:\Archivos de programa\Nero 8\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 17:34 213936 C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 10:25 1828136 C:\Archivos de programa\Nero 8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Archivos de programa\Archivos comunes\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Archivos de programa\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-08-04 11:30 2043688 C:\Archivos de programa\Nero 8\InCD\NBHGui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-05 11:33 185896 C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 07:28 36352 C:\Archivos de programa\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BMe38e67e3"=Rundll32.exe "C:\WINDOWS\system32\cqouclvb.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21264:TCP"= 21264:TCP:BitComet 21264 TCP
"21264:UDP"= 21264:UDP:BitComet 21264 UDP
R0 CLBStor;InstantBurn Storage Helper Driver;C:\WINDOWS\system32\drivers\CLBStor.sys [2006-12-21 18:53]
R0 Si3112;Si3112;C:\WINDOWS\system32\drivers\Si3112.sys [2007-01-24 02:00]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 15:49]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Archivos de programa\CyberLink\PowerDVD Ultra\000.fcl []
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2006-11-25 09:01]
S3 pfsvgae;pfsvgae;C:\DOCUME~1\pc\CONFIG~1\Temp\pfsvgae.sys []
.
Contenido de carpeta 'Tareas Programadas'
"2007-10-22 18:33:41 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Archivos de programa\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 18:11:23 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 18:13:49
Windows 5.1.2600 Service Pack 3 NTFS
escaneando procesos ocultos ...
escaneando entradas ocultas de autostart ...
escaneando archivos ocultos ...
el escaneo se completo con exito
archivos ocultos: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Archivos de programa\CyberLink\PowerDVD Ultra\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Tiempo completado: 2008-06-17 18:18:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 16:18:46
7 dirs 76,992,684,032 bytes libres
11 dirs 78,366,928,896 bytes libres
WindowsXP-KB310994-SP2-Pro-BootDisk-ESN.exe
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
237
[B]New HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:43, on 17/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\pc\Escritorio\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {2E77DB68-7C9E-46EA-9C99-18AC81363A0B} - C:\WINDOWS\system32\geBtUnnk.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {BA0B46C5-7DD5-4434-9F91-23542AC91B8D} - C:\WINDOWS\system32\khfDwuSM.dll (file missing)
O2 - BHO: (no name) - {C05BD701-32F1-4007-8353-5F18F0E06B58} - C:\WINDOWS\system32\pmnlkhIC.dll (file missing)
O2 - BHO: (no name) - {E39AD9C9-1488-476F-89A8-4F45F23FB077} - C:\WINDOWS\system32\cbXOIxxv.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Archivos de programa\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .csm: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {1C4C6BC7-91F1-4FD3-A208-B07B6C1BDBFA} (Firma1Fase Class) - http://www.juntadeandalucia.es/innovacioncienciayempresa/universidaddigital08/jsp/firmado/afirma/Sign.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210535988171
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E2F7D-D3FB-480F-8F19-2C0DD3EFB3D6}: NameServer = 194.224.52.4,193.152.63.197
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\ARCHIV~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe (file missing)
--
End of file - 12523 bytes
Unistall List
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Actualización de seguridad para el Reproductor de Windows Media 11 (KB936782)
Actualización de seguridad para Windows Internet Explorer 7 (KB938127)
Actualización de seguridad para Windows Internet Explorer 7 (KB939653)
Actualización de seguridad para Windows XP (KB941569)
Adobe Acrobat 8.1.2 Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATITool Overclocking Utility
AuthenTec Fingerprint Sensor Minimum Install
Bink and Smacker
BitComet 1.01
Broadcom 802.11 Wireless LAN Adapter
BS.Player PRO
ccc-Branding
CDDRV_Installer
Chinese Simplified Fonts Support For Adobe Reader 8
Complemento Guardar como PDF o XPS de Microsoft para programas de Microsoft Office 2007
Cooktop 2.5
DDS Thumbnail Viewer
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
HP Integrated Module with Bluetooth wireless technology
HP Quick Launch Buttons 6.30 A3
InterVideo WinDVD 8
Ipswitch WS_FTP Professional 2006
IrfanView (remove only)
Java(TM) 6 Update 5
Kaspersky Internet Security 7.0
Kaspersky Internet Security 7.0
KhalInstallWrapper
LaserJet 1020 series
Logitech SetPoint
Magic ISO Maker v5.4 (build 0251)
MagicDisc 2.5.79
MDL Chime/Chime Pro for Internet Explorer
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 Spanish Language Pack
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (Spanish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office Groove MUI (Spanish) 2007
Microsoft Office InfoPath MUI (Spanish) 2007
Microsoft Office OneNote MUI (Spanish) 2007
Microsoft Office Outlook MUI (Spanish) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office Project 2007 Service Pack 1 (SP1)
Microsoft Office Project 2007 Service Pack 1 (SP1)
Microsoft Office Project MUI (Spanish) 2007
Microsoft Office Project Professional 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Publisher MUI (Spanish) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Microsoft Office SharePoint Designer MUI (Spanish) 2007
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio MUI (Spanish) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Morrowind
Morrowind Character Creator 2
Morrowind Enchanted Editor
Morrowind Graphics Extender 3.3.2
Mozilla Firefox (2.0.0.14)
MSXML 6.0 Parser (KB933579)
Nero 8
neroxml
Norton PartitionMagic 8.0
Orbit Downloader
Paquete de compatibilidad para 2007 Office system
Paquete de idioma de Microsoft .NET Framework 2.0 - ESN
Paquete de idioma para español de Microsoft .NET Framework 3.0
Paquete de proveedor base de servicios de cifrado para tarjetas inteligentes de Microsoft
PDF Settings
Python 2.5
QuickTime
RealPlayer
Registry Mechanic 7.0
Reproductor de Windows Media 11
Revisión para el Reproductor de Windows Media 11 (KB939683)
Revisión para Windows Internet Explorer 7 (KB947864)
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Visio 2007 (KB947590)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update para Microsoft .NET Framework 2.0 (KB928365)
Skype™ 3.5
SoundMAX
Spybot - Search & Destroy
System Requirements Lab
TES Construction Set
Texas Instruments PCIxx21/x515/xx12 drivers.
Tweak UI
Unlocker 1.8.7
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb950378)
VCRedistSetup
Winamp
Winamp Remote
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
Windows Presentation Foundation Language Pack (ESN)
Windows Workflow Foundation
Windows Workflow Foundation ES Language Pack
Windows XP Service Pack 3
WinRAR archiver
wxPython 2.8.0.1 (ansi) for Python 2.5
XML Paper Specification Shared Components Language Pack 1.0
xp-AntiSpy 3.96-8
Yahoo! Messenger
ndmmxiaomayi
2008-06-18, 08:05
Hi,
Glad that everything went smoothly. :)
Just some leftovers to clean up.
BitComet is installed on your computer. While BitComet is a clean P2P program, there's no guarantee that the files downloaded are. Please refrain from using it while cleaning your computer to prevent getting more infections.
A list of clean and infected P2P programs can be found at Malware Removal (http://p2p.malwareremoval.com/) and Spyware Info (http://www.spywareinfo.com/articles/p2p/).
The risks of using a P2P program are stated in this Sourceforge website (http://aresgalaxy.sourceforge.net/p2prisks.htm) and Information Week article (http://www.informationweek.com/security/showArticle.jhtml?articleID=53200209&pgno=2&queryText=).
Please also read this sticky (http://forums.spybot.info/showthread.php?t=282).
____________________
Disable Kaspersky Antivirus temporarily
Please disable Kaspersky Antivirus temporarily as it may interfere with the fixes. Remember to re-enable it back before posting the logs!
Please navigate to the system tray on the bottom right hand corner and look for a http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/kav.png sign.
Right click it and select Pause Protection.
Click on By User Request
A popup will claim that protection is now disabled and a sign like this: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/kav_disabled.png will now be shown.
____________________
Please open Notepad and copy and paste the following in the Code box into Notepad:
http://forums.spybot.info/showthread.php?t=29593
Collect::
C:\WINDOWS\system32\khfDwuSM.dll_old
File::
C:\WINDOWS\system32\faaafacfeb3_z.ocx
C:\WINDOWS\system32\baccafdd4_z.dll
Suspect::
C:\WINDOWS\appletAFirma.dll
FileLook::
C:\WINDOWS\appletAFirma.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E77DB68-7C9E-46EA-9C99-18AC81363A0B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA0B46C5-7DD5-4434-9F91-23542AC91B8D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C05BD701-32F1-4007-8353-5F18F0E06B58}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E39AD9C9-1488-476F-89A8-4F45F23FB077}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BMe38e67e3"=-
Driver::
pfsvgae
Warning: The above script is just for Sleawer. If you are not Sleawer, please do not use this script as it may damage the workings of your system.
Click on File > Save As....
In the File Name field, copy and paste in CFScript.txt. Do not change the file name.
Click Save.
Referring to the picture below, drag CFScript into Combofix.
http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif
Combofix will start running. When done, a log will be produced. Please post this log in your next reply.
In addition, it will prompt you to submit some files for analyzing.
http://i266.photobucket.com/albums/ii277/sUBs_/CF-Submit_notice.gif
Click OK.
Copy and paste the file path into the text box next to the Browse button (boxed up in red).
http://xs123.xs.to/xs123/08053/cfsumbit320.png
Click on Send File.
Do not mouse click on Combofix while it is running. That may cause it to stall.
Upload a file for scanning
Please go to Virus Total (http://www.virustotal.com/) or Jotti (http://virusscan.jotti.org/) and upload C:\WINDOWS\appletAFirma.dll for scanning.
For Virus Total
Please copy and paste C:\WINDOWS\appletAFirma.dll in the text box next to the Browse button.
Click on Send File.
For Jotti
Please copy and paste C:\WINDOWS\appletAFirma.dll in the text box next to the Browse button.
Click on Submit.
In your next reply, please post:
Combofix log (C:\Combofix.txt)
A new HijackThis log
Virus Total or Jotti's scan results of the file
Thanks for the advice and the links. You're right, careless use of P2P programs leads exactly to where I am now. Often it can be just a small mistake, or an oversight, but that's all it takes.
Anyhow, don't worry, that computer is on stand-by until you say I can resume normal activity with it.
Again, everything went well :) The file requested by ComboFix has been sent successfully. These are the new logs, I await further instructions.
ComboFix Log
ComboFix 08-06-16.3 - pc 2008-06-18 9:57:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.3082.18.552 [GMT 2:00]
Se ejecuta desde: C:\Documents and Settings\pc\Escritorio\ComboFix.exe
Command switches used :: C:\Documents and Settings\pc\Escritorio\CFScript.txt
* Creado un nuevo punto de restauración
FILE ::
C:\WINDOWS\system32\baccafdd4_z.dll
C:\WINDOWS\system32\faaafacfeb3_z.ocx
.
(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\baccafdd4_z.dll
C:\WINDOWS\system32\faaafacfeb3_z.ocx
C:\WINDOWS\system32\khfDwuSM.dll_old
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PFSVGAE
-------\Service_pfsvgae
(((((((((((((((((( Archivos creados desde 2008-05-18 - 2008-06-18 )))))))))))))))))))))))))))))))))
.
2008-06-17 18:18 . 2008-06-17 18:18 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configuración local
2008-06-17 18:18 . 2008-06-17 18:18 <DIR> d-------- C:\Documents and Settings\pc\Configuración local
2008-06-17 18:18 . 2008-06-17 18:18 <DIR> d-------- C:\Documents and Settings\NetworkService\Configuración local
2008-06-17 18:18 . 2008-06-17 18:18 <DIR> d-------- C:\Documents and Settings\LocalService\Configuración local
2008-06-17 18:18 . 2008-06-17 18:18 <DIR> d-------- C:\Documents and Settings\Administrador\Configuración local
2008-06-16 23:22 . 2008-06-16 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Lavasoft
2008-06-16 18:18 . 2008-06-17 09:34 442 --a------ C:\WINDOWS\wininit.ini
2008-06-16 14:28 . 2008-06-16 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
2008-06-16 14:28 . 2008-06-16 14:28 <DIR> d-------- C:\Archivos de programa\Spybot - Search & Destroy
2008-06-12 17:51 . 2008-06-12 18:10 <DIR> d-------- C:\Documents and Settings\pc\Datos de programa\LimeWire
2008-06-11 18:59 . 2007-07-26 15:41 322,048 --a------ C:\WINDOWS\system32\sculptapi.dll
2008-06-10 00:08 . 2008-06-10 00:14 <DIR> d-------- C:\Documents and Settings\pc\.clienteFirmaArrobaFirma5
2008-06-01 11:32 . 2008-06-11 19:13 <DIR> d-------- C:\Documents and Settings\pc\Datos de programa\Orbit
2008-05-30 21:16 . 2008-05-30 21:16 <DIR> d-------- C:\Archivos de programa\ATITool
2008-05-30 19:47 . 2008-05-30 19:47 <DIR> d-------- C:\Documents and Settings\pc\Datos de programa\DAEMON Tools
2008-05-27 12:55 . 2008-05-27 12:55 <DIR> d-------- C:\Archivos de programa\Fraps
2008-05-19 17:41 . 2008-06-15 13:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-19 17:41 . 2008-05-19 17:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-18 10:37 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-05-18 10:37 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 08:02 283,424 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-18 08:02 17,882,400 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-18 08:00 28,616 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-18 08:00 242,612 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-17 16:26 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab
2008-06-16 21:22 --------- d-----w C:\Archivos de programa\Tools
2008-06-12 15:45 --------- d-----w C:\Archivos de programa\BitComet
2008-06-11 16:59 --------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2008-06-09 22:09 331,776 ----a-w C:\WINDOWS\softokn3.dll
2008-06-09 22:09 323,584 ----a-w C:\WINDOWS\nss3.dll
2008-06-09 22:09 28,672 ----a-w C:\WINDOWS\libplc4.dll
2008-06-09 22:09 24,576 ----a-w C:\WINDOWS\libplds4.dll
2008-06-09 22:09 233,587 ----a-w C:\WINDOWS\appletAFirma.dll
2008-06-09 22:09 196,608 ----a-w C:\WINDOWS\libnspr4.dll
2008-06-09 22:09 180,224 ----a-w C:\WINDOWS\nssckbi.dll
2008-06-09 22:09 118,784 ----a-w C:\WINDOWS\jss3.dll
2008-06-09 22:09 110,592 ----a-w C:\WINDOWS\ssl3.dll
2008-06-09 22:09 102,400 ----a-w C:\WINDOWS\smime3.dll
2008-06-03 07:19 --------- d-----w C:\Documents and Settings\pc\Datos de programa\Skype
2008-06-01 11:01 --------- d---a-w C:\Documents and Settings\All Users\Datos de programa\TEMP
2008-05-30 22:30 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-05-30 17:47 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-29 16:45 --------- d-----w C:\Documents and Settings\pc\Datos de programa\EditPlus 3
2008-05-29 10:54 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-05-29 10:54 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-21 22:40 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\Microsoft Help
2008-05-17 22:36 --------- d-----w C:\Documents and Settings\pc\Datos de programa\SolidDocuments
2008-05-17 13:00 --------- d-----w C:\Archivos de programa\Kaspersky Lab
2008-05-17 09:57 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\FLEXnet
2008-05-15 23:47 --------- d-----w C:\Archivos de programa\Microsoft Silverlight
2008-04-24 22:43 --------- d-----w C:\Archivos de programa\Java
2008-04-24 22:41 --------- d-----w C:\Archivos de programa\Archivos comunes\Java
2008-04-24 22:36 --------- d-----w C:\Archivos de programa\Real
2008-04-14 02:19 70,144 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 02:19 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 02:19 286,720 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 02:19 152,064 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 02:18 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 02:18 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 02:18 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 02:18 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 02:18 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 02:18 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 02:18 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 02:18 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2008-04-14 02:18 1,036,288 ----a-w C:\WINDOWS\explorer.exe
2007-07-26 14:01 114,688 ----a-w C:\Archivos de programa\internet explorer\plugins\ChimeShim.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\appletAFirma.dll -- Unable to find Resource table header.
MD5: 5e92b98714b5488a59bcda4deafb9b71
((((((((((((((((((((((((((((( snapshot@2008-06-17_18.18.21.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 16:12:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-18 08:01:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vac¡as & entradas leg¡timas predeterminadas no son mostradas
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:18 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Adobe Reader Speed Launcher"="C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"ISUSPM"="C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"QlbCtrl"="C:\Archivos de programa\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 09:47 159744]
"SoundMAXPnP"="C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe" [2007-01-05 17:36 872448]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [2008-02-05 11:33 185896]
"AVP"="C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:18 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\ARCHIV~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^BTTray.lnk]
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^pc^Menú Inicio^Programas^Inicio^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^pc^Menú Inicio^Programas^Inicio^Recorte de pantalla e Inicio rápido de OneNote 2007.lnk]
backup=C:\WINDOWS\pss\Recorte de pantalla e Inicio rápido de OneNote 2007.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-08-04 11:29 1056552 C:\Archivos de programa\Nero 8\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 17:34 213936 C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 10:25 1828136 C:\Archivos de programa\Nero 8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Archivos de programa\Archivos comunes\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Archivos de programa\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-08-04 11:30 2043688 C:\Archivos de programa\Nero 8\InCD\NBHGui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-05 11:33 185896 C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 07:28 36352 C:\Archivos de programa\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21264:TCP"= 21264:TCP:BitComet 21264 TCP
"21264:UDP"= 21264:UDP:BitComet 21264 UDP
R0 CLBStor;InstantBurn Storage Helper Driver;C:\WINDOWS\system32\drivers\CLBStor.sys [2006-12-21 18:53]
R0 Si3112;Si3112;C:\WINDOWS\system32\drivers\Si3112.sys [2007-01-24 02:00]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2006-04-06 15:49]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Archivos de programa\CyberLink\PowerDVD Ultra\000.fcl []
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2006-11-25 09:01]
.
Contenido de carpeta 'Tareas Programadas'
"2007-10-22 18:33:41 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Archivos de programa\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 18:11:23 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 10:02:13
Windows 5.1.2600 Service Pack 3 NTFS
escaneando procesos ocultos ...
escaneando entradas ocultas de autostart ...
escaneando archivos ocultos ...
el escaneo se completo con exito
archivos ocultos: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Archivos de programa\CyberLink\PowerDVD Ultra\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Tiempo completado: 2008-06-18 10:07:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 08:07:12
ComboFix2.txt 2008-06-17 16:18:52
8 dirs 78,354,268,160 bytes libres
11 dirs 78,339,301,376 bytes libres
217
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:26, on 18/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pc\Escritorio\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Anti-Banner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Archivos de programa\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .csm: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {1C4C6BC7-91F1-4FD3-A208-B07B6C1BDBFA} (Firma1Fase Class) - http://www.juntadeandalucia.es/innovacioncienciayempresa/universidaddigital08/jsp/firmado/afirma/Sign.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210535988171
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E2F7D-D3FB-480F-8F19-2C0DD3EFB3D6}: NameServer = 194.224.52.4,193.152.63.197
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\ARCHIV~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe (file missing)
--
End of file - 12348 bytes
Virus Total Log
Antivirus Version Last Update Result
AhnLab-V3 2008.6.18.1 2008.06.18 -
AntiVir 7.8.0.55 2008.06.18 -
Authentium 5.1.0.4 2008.06.18 -
Avast 4.8.1195.0 2008.06.17 -
AVG 7.5.0.516 2008.06.17 -
BitDefender 7.2 2008.06.18 -
CAT-QuickHeal 9.50 2008.06.17 -
ClamAV 0.93.1 2008.06.18 -
DrWeb 4.44.0.09170 2008.06.18 -
eSafe 7.0.15.0 2008.06.17 -
eTrust-Vet 31.6.5881 2008.06.17 -
Ewido 4.0 2008.06.17 -
F-Prot 4.4.4.56 2008.06.18 -
F-Secure 6.70.13260.0 2008.06.18 -
Fortinet 3.14.0.0 2008.06.18 -
GData 2.0.7306.1023 2008.06.18 -
Ikarus T3.1.1.26.0 2008.06.18 -
Kaspersky 7.0.0.125 2008.06.18 -
McAfee 5319 2008.06.17 -
Microsoft 1.3604 2008.06.18 -
NOD32v2 3195 2008.06.17 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.18 -
Prevx1 V2 2008.06.18 -
Rising 20.49.20.00 2008.06.18 -
Sophos 4.30.0 2008.06.18 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.18 -
TheHacker 6.2.92.354 2008.06.18 -
TrendMicro 8.700.0.1004 2008.06.18 -
VBA32 3.12.6.7 2008.06.17 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.18 -
Additional information
File size: 233587 bytes
MD5...: 5e92b98714b5488a59bcda4deafb9b71
SHA1..: 2680ebe2b721074097b4da104f76d3c82b3c7efc
SHA256: 86261ac36ac12fdb0bb99b960f86f0ed91bd9c3e94189fe6b3d7203739876f56
SHA512: f18809dfa269ae434f557eafa9b7dd6a02b7d52e899d1e7146909905dde5a2b3
f9e589c767864adc86a51c3b9c9a65c7612e69a21ac29bbafffbcc882f63b7f5
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10005dd0
timedatestamp.....: 0x3ecdf7d2 (Fri May 23 10:28:34 2003)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c910 0x2d000 4.35 959f7cf6522ccb57c98cc40f2fa5d75a
.rdata 0x2e000 0x279f 0x3000 4.10 eb933f6f43b471a8691f62c9a4b961de
.data 0x31000 0x6674 0x5000 1.24 d913b3a2c8fc243e59f23555ba5a93f7
.idata 0x38000 0xd86 0x1000 4.14 6c8fd2a5e53728de4bf333b6ffe31317
.reloc 0x39000 0x1a1a 0x2000 5.47 50731ee79875374199b8425b88e42da7
( 3 imports )
> KERNEL32.dll: LocalAlloc, LocalFree, VirtualAlloc, IsBadWritePtr, IsBadReadPtr, HeapValidate, GetCommandLineA, GetVersion, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, ExitProcess, FatalAppExitA, RtlUnwind, HeapAlloc, DebugBreak, GetStdHandle, WriteFile, InterlockedDecrement, OutputDebugStringA, GetProcAddress, LoadLibraryA, InterlockedIncrement, GetModuleFileNameA, HeapReAlloc, HeapFree, VirtualFree, GetLastError, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, GetCurrentThread, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetConsoleCtrlHandler, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, UnhandledExceptionFilter, GetCPInfo, GetACP, GetOEMCP, SetFilePointer, FlushFileBuffers, Sleep, LCMapStringA, LCMapStringW, SetStdHandle, CloseHandle, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, GetTimeZoneInformation, GetLocaleInfoW, CompareStringA, CompareStringW, SetEnvironmentVariableA, ReadFile, SetEndOfFile, CreateFileA
> ADVAPI32.dll: CryptVerifySignatureA, CryptHashData, CryptDestroyKey, CryptSignHashA, CryptAcquireContextA, CryptDestroyHash, CryptCreateHash, CryptReleaseContext, CryptGetHashParam
> CRYPT32.dll: CertGetNameStringA, CertEnumCertificatesInStore, CertCloseStore, CertGetCertificateContextProperty, CryptAcquireCertificatePrivateKey, CertFreeCertificateContext, CertOpenStore, CryptImportPublicKeyInfo
( 7 exports )
_Java_com_telventi_firma_certs_CertsExtractorFunctions_CreateHash@16, _Java_com_telventi_firma_certs_CertsExtractorFunctions_FirmaConCertificado@20, _Java_com_telventi_firma_certs_CertsExtractorFunctions_FirmaConCertificadoCrypto@20, _Java_com_telventi_firma_certs_CertsExtractorFunctions_MSgetAliases@8, _Java_com_telventi_firma_certs_CertsExtractorFunctions_MSgetCert@12, _Java_com_telventi_firma_certs_CertsExtractorFunctions_VerificaConCertificado@24, _Java_com_telventi_firma_certs_CertsExtractorFunctions_getCertificateName@12
ndmmxiaomayi
2008-06-18, 13:07
Hi,
Your logs look good. :)
Please go to Kaspersky website (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html) to perform an online scan. [color=red]Please use Internet Explorer as it uses ActiveX.
Click on [b]Accept.
It will prompt you to download an ActiveX. Allow it.
After that, you will be prompted to install it.
Once installed, it will start downloading the definitions. This will take some time. At the same time, you may also receive another prompt to install another ActiveX. Allow it again and repeat Step 2.
When the definitions have finished downloading, click Next.
Click on Scan Settings.
Under Scan using the following antivirus database:, choose extended - protect your computer from Spyware, adware, dialers and potentially dangerous software such as remote access utilities, prank programs and jokes. We do not recommend this option to beginners or inexperienced users.
Under Scan options:, check (tick) both boxes.
Click Ok.
Under Please select a target to scan:, click on My Computer. It will start scanning. Please be patient.
Click on Save Report As....
Give this report a name and change the Save as type: to Text file (*.txt) before clicking on Save.
Please post this log in your next reply.
In your next reply, please post:
Kaspersky Antivirus scan report
A new HijackThis log
These are the new logs. The online scanner seems to have found some unclean items. I think those are related to my first attempt (failed) of restoring the system to a previous uninfected point. Now I feel I should have told you about that before.
*Note: The online scanner was run with my own kaspersky enabled. The HijackThis log was made with it paused. If that's a problem I can re-run the scan again without it working.
Kaspersky Online Scanner log
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 18, 2008 3:41:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/06/2008
Kaspersky Anti-Virus database records: 878384
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 169218
Number of viruses found: 5
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 01:49:19
Infected Object Name / Virus Name / Last Action
C:\Archivos de programa\Nero 8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab\AVP7\Report\03bc_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab\AVP7\Report\03bd_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Datos de programa\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\pc\Configuración local\Archivos temporales de Internet\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\pc\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pc\Configuración local\Datos de programa\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\pc\Configuración local\Datos de programa\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\pc\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\pc\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\pc\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\pc\ntuser.dat Object is locked skipped
C:\Documents and Settings\pc\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cqouclvb.dll.vir Infected: Trojan.Win32.Monder.uu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jbixmppy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.yxx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ogttblni.dll.vir Infected: Trojan.Win32.Monder.wb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sxoembmr.dll.vir Infected: Trojan.Win32.Monder.wb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uhofltub.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.yxx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\voxytxyh.dll.vir Infected: Trojan.Win32.Monder.wc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yogogjvv.dll.vir Infected: Trojan.Win32.Monder.uu skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{635733B0-1F7F-4C77-8C19-93966410FC3E}\RP127\A0042166.dll Infected: Trojan.Win32.Monder.rx skipped
C:\System Volume Information\_restore{635733B0-1F7F-4C77-8C19-93966410FC3E}\RP129\A0042351.dll Infected: Trojan.Win32.Monder.uu skipped
C:\System Volume Information\_restore{635733B0-1F7F-4C77-8C19-93966410FC3E}\RP129\A0042352.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yxx skipped
C:\System Volume Information\_restore{635733B0-1F7F-4C77-8C19-93966410FC3E}\RP129\A0042353.dll Infected: Trojan.Win32.Monder.wb skipped
C:\System Volume Information\_restore{635733B0-1F7F-4C77-8C19-93966410FC3E}\RP129\A0042354.dll Infected: Trojan.Win32.Monder.wb skipped
C:\System Volume Information\_restore{635733B0-1F7F-4C77-8C19-93966410FC3E}\RP129\A0042355.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yxx skipped
C:\System Volume Information\_restore{635733B0-1F7F-4C77-8C19-93966410FC3E}\RP129\A0042356.dll Infected: Trojan.Win32.Monder.wc skipped
C:\System Volume Information\_restore{635733B0-1F7F-4C77-8C19-93966410FC3E}\RP129\A0042358.dll Infected: Trojan.Win32.Monder.uu skipped
C:\System Volume Information\_restore{635733B0-1F7F-4C77-8C19-93966410FC3E}\RP130\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:45:39, on 18/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\pc\Escritorio\HiJackThis.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\agent.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Anti-Banner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Archivos de programa\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .csm: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {1C4C6BC7-91F1-4FD3-A208-B07B6C1BDBFA} (Firma1Fase Class) - http://www.juntadeandalucia.es/innovacioncienciayempresa/universidaddigital08/jsp/firmado/afirma/Sign.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210535988171
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E2F7D-D3FB-480F-8F19-2C0DD3EFB3D6}: NameServer = 194.224.52.4,193.152.63.197
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\ARCHIV~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe (file missing)
--
End of file - 12568 bytes
ndmmxiaomayi
2008-06-18, 18:27
Hi,
You're right that some of your System Restore points are infected. System Restore doesn't help in removing infections. It gives a false impression that the infection is not present when in fact it is. :sad:
No problems with running Kaspersky scan with Kaspersky enabled either. It's not recommended to turn protection off unless required. ;)
Update Java Runtime Environment (JRE)
Your JRE is out of date. The current version is Java Runtime Environment (JRE) 6 Update 6.
Click on Start > Control Panel and double click on Add/Remove Programs. Locate Java(TM) 6 Update 5 and click on Change/Remove to uninstall it.
Click here (http://java.sun.com/javase/downloads/index.jsp) to visit Java's website.
Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
Select Windows from the drop-down list for Platform.
Select Multi-language from the drop-down list for Language.
Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
Run this installation to update your Java.
Please post a new HijackThis log after you've updated Java.
Any other issues?
No other issues that I'm aware of, no. I remember kaspersky cleaning some system restore points when I run it in my first attempts to fight the virus, but it seems it was unsuccessful.
I updated java with the last version, no problems whatsoever. I downloaded it directly to the infected computer, but other than that internet is disabled there except for troubleshooting. Do you think it would be safe to post my logs and follow your instructions from that computer from now onwards? I can easily enable/disable internet when needed. Untill now I had been moving every file to an external HD to avoid operating too much with that machine.
Here are the new logs:
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37:34, on 18/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\pc\Escritorio\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Anti-Banner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Archivos de programa\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .csm: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {1C4C6BC7-91F1-4FD3-A208-B07B6C1BDBFA} (Firma1Fase Class) - http://www.juntadeandalucia.es/innovacioncienciayempresa/universidaddigital08/jsp/firmado/afirma/Sign.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210535988171
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E2F7D-D3FB-480F-8F19-2C0DD3EFB3D6}: NameServer = 194.224.52.4,193.152.63.197
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\ARCHIV~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe (file missing)
--
End of file - 12407 bytes
ndmmxiaomayi
2008-06-19, 22:28
Yup, it's safe to post logs directly from that computer from now on, although it's no longer required now. Your computer is clean as far as I can see. :)
Unless there are more issues, you needn't post more logs. You can also re-enable your Internet connection.
Just some cleaning up to do.
Now that your computer is clean, we no longer need to keep the removal tools downloaded. They will need to be removed.
Remove Combofix
Click on Start > Run. Copy and paste in ComboFix /u and click OK. An image is below for reference.
http://xs121.xs.to/xs121/07484/remcf.PNG
Create a new, clean System Restore point
Click on Start > All Programs > Accessories > System Tools > System Restore.
On the Welcome Page, select Create a restore point. Click Next.
Give this restore point a descriptive name and click Create.
When done, click Close.
Warning: Do not clear infected System Restore points before creating a new System Restore point first!
Please read the above to create a new System Restore point first, then clear out the infected System Restore points.
Clear infected System Restore points
Click on Start > All Programs > Accessories > System Tools > Disk Cleanup.
Select C drive and click OK.
Select the More Options tab.
Under System Restore, click on Clean up....
You will be prompted. Click Yes.
When done, click OK.
You will be prompted again. Press Yes to confirm.
When done, Disk Cleanup will close automatically.
Here are some tips to prevent another infection again. There's no need to install all programs recommended.
Keep your system updated
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.
Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates
Alternatively, you can visit the links below to update Windows and Office products.
Windows Update (http://update.microsoft.com/)
Office Update (http://office.microsoft.com/en-us/officeupdate/default.aspx)
If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:
Go to Start > Control Panel > Automatic Updates
Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.
Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.
Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.
Be careful when opening attachments and downloading files.
Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).
Surf safely
Many of the exploits are directed to users of Internet Explorer and Firefox.
Using Firefox (http://www.mozilla.com/en-US/firefox/) with NoScript add-on (https://addons.mozilla.org/en-US/firefox/addon/722) helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.
If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.
For Internet Explorer 7
Please read this article (http://surfthenetsafely.com/ieseczone8.htm) to configure Internet Explorer 7 properly.
Stop malicious scripts
Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript (http://www.symantec.com/avcenter/noscript.exe) by Symantec or Script Defender (http://www.analogx.com/contents/download/system/sdefend.htm) by AnalogX to handle these scripts.
Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article (http://www.microsoft.com/athome/security/update/howbackup.mspx) to learn how to backup. Follow this article (http://support.microsoft.com/kb/309340) by Microsoft to restore your backups.
Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer (http://www.bleepingcomputer.com/tutorials/tutorial127.html).
Avoid P2P
P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs (http://p2p.malwareremoval.com/) if you need to use one.
Prevent a re-infection
Winpatrol
Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here (http://www.winpatrol.com/features.html).
You can get a free copy (http://www.winpatrol.com/wpsetup.exe) of Winpatrol or use the Plus version (http://winpatrol.stores.yahoo.net/winplusmemre.html) for more features.
You can read Winpatrol's FAQ (http://www.winpatrol.com/faq.html) if you run into problems.
Spyware Blaster
SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX (http://surfthenetsafely.com/activex.htm) programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.
You can download SpywareBlaster from Javacool (http://www.javacoolsoftware.com/spywareblaster.html).
If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial (http://www.bleepingcomputer.com/tutorials/tutorial49.html) at Bleeping Computer.
SpywareGuard
Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spywares.
You can download SpywareGuard from Javacool (http://www.javacoolsoftware.com/spywareguard.html).
If you need help in using SpywareGuard, you can SpywareGuard's tutorial (http://www.bleepingcomputer.com/tutorials/tutorial50.html) at Bleeping Computer.
Spybot Search and Destroy
Spybot Search & Destroy is another program for scanning spywares and adwares. Not only so, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.
Spybot Search & Destroy can be downloaded from here (http://www.safer-networking.org/en/mirrors/index.html).
If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial (http://www.bleepingcomputer.com/tutorials/tutorial43.html) at Bleeping Computer.
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware program. It scans and removes malware for free, but if you want real-time protection, you can pay a small one-time fee.
Remember to update and scan with it regularly. A tutorial for using Malwarebytes' Anti-Malware can be found on BFC Computer Help (http://bfccomputers.com/index.php?showtopic=1645).
Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs (http://www.spywarewarrior.com/rogue_anti-spyware.htm) and Malwarebytes RogueNET (http://www.malwarebytes.org/roguenet.php). This will save you from a lot of trouble. If in doubt, don't ever download it.
SiteHound Toolbar
SiteHound (http://www.firetrust.com/en/products/sitehound) is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.
Use an alternative email client
If you are using Outlook Express as your default email client, try using Thunderbird (http://www.mozilla.com/en-US/thunderbird/) or Pegasus Mail (http://www.pmail.com/) instead.
Here are some more things to read about:
List of clean and infected download managers (http://www.safer-networking.org/en/articles/download-managers.html)
Configuring Skype (http://www.tcd.ie/iss/internet/skype.php)
Greater email safety (http://surfthenetsafely.com/surfsafely4.htm)
Phishing - what is it? (http://surfthenetsafely.com/phishing.htm)
Configuring Outlook Express (http://surfthenetsafely.com/slides/oeconfigureslide1.htm)
The Unofficial Cookie FAQ (http://www.cookiecentral.com/faq)
Securing your home wireless network (http://www.windowsecurity.com/articles/Wireless-Network-Security-Home.html)
80 Super Security Tips (http://www.pcmag.com/article2/0,1895,1838690,00.asp)
The different classes of security softwares (http://wiki.castlecops.com/Different_classes_of_security_software)
ComboFix removed and Restore Points handled as instructed.
I think you guys are awesome, seriously. I felt all the time in capable hands, I don't know what I'd have done without your help.
Yesterday I was reading around this forum, and somebody said that if he had brought the computer to a shop, they would probably have handed him back a wiped computer and a service bill for the troubles. I cannot agree more with that.
You have helped me without asking questions or judging me at any point. You have fixed my computer and saved me God knows how many headaches. And yet you haven't even asked for a donation. Well I'm going to do the same as the person above, and find my way to the donate button (tomorrow, because today I'm poorer than the rats :P). A site like this simply cannot disappear.
Just a couple of small issues before I leave. I think I should be fine, but better safe than sorry.
After removing ComboFix, it seems some of its files are not completely gone, especifically:
C:\...
...\cmdcons folder (inside:.SY_ and .dll files, BIOSINFO.INF and a \system32 folder with NTDLL.DLL and SMSS.EXE inside)
...\comboFix (empty folder)
cmldr file
Bug.txt
Also I have followed some of your advised links and installed Malwarebytes' Anti-Malware, Winpatrol and Script Defender. After a scan with Malwarebytes' it found a couple of trojans, one of them seems a Vundo leftover. This is the log:
Malwarebyte's log
Malwarebytes' Anti-Malware 1.18
Database version: 871
20:33:55 20/06/2008
mbam-log-6-20-2008 (20-33-55).txt
Scan type: Full Scan (C:\|)
Objects scanned: 183444
Time elapsed: 44 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\pc\Mis documentos\My Games\Morrowind\Building a New Game\Mods\Quest\wizards_islands_update_v105_pathfixed.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31:18, on 20/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pc\Escritorio\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Archivos de programa\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Archivos de programa\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Anti-Banner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Archivos de programa\Tools\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Archivos de programa\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .csm: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Archivos de programa\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {1C4C6BC7-91F1-4FD3-A208-B07B6C1BDBFA} (Firma1Fase Class) - http://www.juntadeandalucia.es/innovacioncienciayempresa/universidaddigital08/jsp/firmado/afirma/Sign.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210535988171
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E2F7D-D3FB-480F-8F19-2C0DD3EFB3D6}: NameServer = 194.224.52.4,193.152.63.197
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\ARCHIV~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Archivos de programa\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Nero 8\InCD\InCDsrv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Archivos de programa\Archivos comunes\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Archivos de programa\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Archivos de programa\Archivos comunes\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe (file missing)
--
End of file - 12394 bytes
ndmmxiaomayi
2008-06-21, 13:34
C:\cmdcons folder - This folder will be created when you install Recovery Console. I had you do this when you ran Combofix.
C:\Combofix - Probably Combofix has some trouble removing itself. You can safely delete this folder. ;)
cmldr - Related to Recovery Console as well.
Bug.txt - It's for troubleshooting purposes. Your system is fine, no worries. :)
C:\Documents and Settings\pc\Mis documentos\My Games\Morrowind\Building a New Game\Mods\Quest\wizards_islands_update_v105_pathfixed.exe
This is probably a false alarm. It's related to your game. Please restore it from the Quarantine.
1. Open Malwarebytes' Anti-Malware.
2. Select the Quarantine tab.
3. Find C:\Documents and Settings\pc\Mis documentos\My Games\Morrowind\Building a New Game\Mods\Quest\wizards_islands_update_v105_pathfixed.exe and click on Restore to restore it.
And yet you haven't even asked for a donation.
Helpers don't ask for personal donations. You may donate to Spybot if you want to help us. :)
Let me know if you have other questions.
No more questions, just a big thank you to you all :)
D.
ndmmxiaomayi
2008-06-21, 14:20
That's good to hear. :)
As the issue is resolved... this topic is now closed. Please contact a member of the moderating team if you need it re-opened. This applies to the original topic starter.
Everyone else please begin a new topic.
ndmmxiaomayi
2008-06-21, 21:54
Hi,
If you don't mind, we need one log to find out what's causing the false positive.
Please follow this post and post back the Malwarebytes' Anti-Malware log - http://www.malwarebytes.org/forums/index.php?showtopic=3228
I had it removed just in case, since I don't have time to play the game anyways. But I re-downloaded the file, to the desktop this time, and ran a full analysis just like before.
This is the log produced, hope it helps:
Malwarebyte's Anti-Malware log (developer mode)
Malwarebytes' Anti-Malware 1.18
Database version: 876
13:46:44 22/06/2008
mbam-log-6-22-2008 (13-46-44).txt
Scan type: Full Scan (C:\|)
Objects scanned: 183583
Time elapsed: 48 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\pc\Escritorio\wizards_islands_update_v105_pathfixed.exe (Trojan.Downloader) -> Quarantined and deleted successfully. [STRINGS=Trojan.Downloader, 1024, FFEFBEFDE80D0027C05005011F0E000090558BEC5356578B7D108B5D77EFFEFF0C8B75088BD3FF751468E54041006A018BC68BCF30437C81EEEEFEEDEB10012C74054B7414EB57216A66564221A2B8EEBFFFEF1500EB476681E7FFFF66FFCF74070423EB30688017C9EFB1EE68CC50466529126A013120F4DFFEC0DA155B0E0633C0EB02035F5E5B5D869009ECC21000]
ndmmxiaomayi
2008-06-23, 09:53
Thank you.
I will get the developer to look at it and hopefully he has an answer soon.